Protecting Multicast-Enabled Networks. Matthew Davy, Indiana University.

outline
- overview
- vulnerabilities
  - sender-based
  - receiver-based
- short-term protection options
- possible long-term solutions

what's unique about multicast?
by simply sending an IP packet, any host can...
- create control plane state in routers & switches
- force routers & switches to generate & process protocol packets
- flood a large number of hosts with a large traffic stream

why is this a problem?
- hosts can intentionally or unintentionally generate a DoS attack on multicast-enabled routers & switches by overloading the control plane
- worms which scan 224/4 are the most common problem
- several worms have unintentionally disrupted many multicast-enabled networks (ramen, slammer, etc)

sender-based vulnerabilities {ASM}
when a host sends a packet to a 224/4 address, the first router (aka the PIM DR)...
- creates a multicast route (s,g)
  - result = memory allocation on the route processor (RP/RE) for the rib and in forwarding hardware for the fib; potential for memory exhaustion
- encapsulates the data packet inside a PIM Register and sends it to the RP
  - result = processor cycles on the DR & RP; potential for CPU exhaustion

sender-based vulnerabilities {ASM}
the PIM RP...
- receives the PIM Register [processor]
- creates (s,g) state [memory]
- de-encapsulates the data packets [processor]
- forwards the packets down the shared tree [processor]
- sends a PIM join towards the source [processor]

sender-based vulnerabilities {ASM}
if it's also an MSDP speaker, the RP...
- creates MSDP SA state [memory]
- sends an MSDP SA with the encapsulated data to all MSDP peers [processor]
Note: MSDP SAs are flooded to every MSDP speaker on the Internet!

sender-based vulnerabilities {ASM}
every MSDP speaker on the Internet...
- receives the MSDP SA and de-encapsulates the data packet [processor]
- creates MSDP SA state and forwarding state [memory]
- forwards the data packet down the shared tree [processor]

does SSM solve this problem?
SSM does not have sender-based vulnerabilities!
- the first-hop router simply drops packets if there is no forwarding state (hopefully in ASIC)
- no PIM Registers = no data packets inside control plane packets
- no MSDP = packets can't reach all MSDP speakers & no data packets inside control plane packets
SSM still has receiver-based vulnerabilities

receiver-based vulnerabilities {SSM & ASM}
when a host joins a multicast group, it sends an IGMP host report packet to a mcast group
- ethernet switches often snoop IGMP packets [memory & processor]
- the first-hop router...
  - creates (*,g) and/or (s,g) state if necessary [memory]
  - sends a PIM join towards the RP (ASM) or towards the source (SSM) [processor]

receiver-based vulnerabilities {SSM & ASM}
every router in the path...
- receives a PIM join packet [processor]
- creates forwarding state as necessary [memory]
unintentional receiver-based attacks are unlikely

protection options {sender-based}
on first-hop routers, filter mcast packets to "unusable" groups
- see addresses
- see nickless-ipv4-mcast-unusable-02.txt
- prevents creation of forwarding state and PIM Register processing for unusable groups

a bit on "unusable" groups
- ethernet mac overlaps with /24 ( /24, /24, etc)
  - should not use, but a few people are
- what about "reserved" addresses?
  - might reduce impact of worms significantly by eliminating use of this address space
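The MAC-overlap point above, as an added worked example (not part of the original slides): the RFC 1112 mapping of an IPv4 group to its Ethernet multicast MAC keeps only the low 23 bits of the address, so 32 different groups share one MAC, and every group whose low 23 bits fall inside 224.0.0.0/24 collides on the wire with link-local control traffic. The `is_unusable` and `first_hop_filter` functions are my own minimal version of that rule, not the filter list from the nickless draft; the sample packets are constructed.

```python
import ipaddress

# Link-local groups (IGMP, OSPF, PIM, etc.) are never forwarded by routers.
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")


def group_to_mac(group: str) -> str:
    """RFC 1112 mapping: 01:00:5e prefix followed by the low 23 bits of the group."""
    g = ipaddress.ip_address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(g) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def mac_aliases(group: str) -> list[str]:
    """All 32 IPv4 groups that share a MAC with `group` (bits 23-27 of the address are discarded)."""
    low23 = int(ipaddress.ip_address(group)) & 0x7FFFFF
    return [str(ipaddress.ip_address(0xE0000000 | (k << 23) | low23)) for k in range(32)]


def overlaps_link_local(group: str) -> bool:
    """True when the group's MAC is identical to that of some 224.0.0.x address."""
    return (int(ipaddress.ip_address(group)) & 0x7FFFFF) < 256


def is_unusable(group: str) -> bool:
    """Minimal 'unusable group' test: link-local itself, or a MAC alias of it."""
    g = ipaddress.ip_address(group)
    return g in LINK_LOCAL or overlaps_link_local(group)


def first_hop_filter(packets):
    """Apply the first-hop policy to (source, group) pairs; returns (forwarded, dropped).
    Dropped packets create no (s,g) state and trigger no PIM Register."""
    forwarded, dropped = [], []
    for src, grp in packets:
        (dropped if is_unusable(grp) else forwarded).append((src, grp))
    return forwarded, dropped


if __name__ == "__main__":
    # constructed sample: one host touching a handful of groups, two of them MAC aliases of 224.0.0.5
    sample = [("192.0.2.10", g)
              for g in ("224.0.0.5", "225.0.0.5", "224.128.0.5", "224.1.1.1", "233.251.244.5")]
    fwd, drp = first_hop_filter(sample)
    for _, grp in drp:
        print(f"drop  {grp:16} -> {group_to_mac(grp)}  (same MAC as a 224.0.0.0/24 address)")
    for _, grp in fwd:
        print(f"allow {grp:16} -> {group_to_mac(grp)}")
```

Run it and the two aliases print the same MAC as 224.0.0.5; `mac_aliases("224.0.0.5")` lists all 32 groups that would be delivered to any NIC listening for link-local traffic on that MAC.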

protection options {sender-based}
on the PIM RP, filter Register packets
- only allow packets from your source addresses and "usable" group addresses
- this prevents unnecessary Register processing and forwarding state creation on the RP
- redundant if all DRs have the same filters, but...

protection options {sender-based}
on all MSDP speakers...
- filter SAs by source, group, & RP as appropriate (see "unusable" addresses)
- only allow your GLOP space going out; block your GLOP space coming in
- set limits on total SAs from each peer

protection options {sender-based}
on all MSDP speakers...
- set per-source SA limits (juniper); cool feature. need per-source PIM Register limits too
- set per-instance SA limits
- rate-limit all MSDP traffic destined to the router
- turn off data encap for MSDP?
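The RP-side controls on the last three slides (the Register filter, the SA filters with the GLOP direction rule, and per-peer plus per-source SA limits), as one added example that models the policy logic in Python. This is my own construction, not vendor configuration and not code from the presentation. The source prefix 192.0.2.0/24, the AS number 64500 (hence the GLOP block 233.251.244.0/24), the peer names, RP addresses and the SA stream are all constructed for the demo.

```python
import ipaddress
from collections import Counter

# constructed values for the demo
OUR_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]   # prefixes our own senders live in
OUR_ASN = 64500                                         # our AS number -> GLOP block 233.251.244.0/24
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")


def usable_group(group: str) -> bool:
    """Multicast, not link-local, and not a MAC alias of link-local (low 23 bits >= 256)."""
    g = ipaddress.ip_address(group)
    return g.is_multicast and g not in LINK_LOCAL and (int(g) & 0x7FFFFF) >= 256


def glop_asn(group: str):
    """GLOP (RFC 3180): 233.X.Y.0/24 belongs to 16-bit AS number X*256+Y; None if not in 233/8."""
    o = ipaddress.ip_address(group).packed
    return (o[1] << 8) | o[2] if o[0] == 233 else None


def accept_register(source: str, group: str) -> bool:
    """RP Register filter: only our own source addresses and only usable groups."""
    s = ipaddress.ip_address(source)
    return usable_group(group) and any(s in net for net in OUR_SOURCES)


class MsdpSaPolicy:
    """Inbound SA policy: group filter, GLOP direction check, per-peer and per-source SA limits."""

    def __init__(self, per_peer_max: int, per_source_max: int):
        self.per_peer_max = per_peer_max
        self.per_source_max = per_source_max
        self.per_peer = Counter()
        self.per_source = Counter()
        self.cache = []           # accepted (source, group, originating RP)

    def inbound(self, peer: str, source: str, group: str, rp: str) -> str:
        if not usable_group(group):
            return "unusable-group"
        if glop_asn(group) == OUR_ASN:
            return "our-glop-inbound"        # nobody else may originate our GLOP groups
        if self.per_peer[peer] >= self.per_peer_max:
            return "peer-sa-limit"
        if self.per_source[source] >= self.per_source_max:
            return "source-sa-limit"         # one source sweeping many groups stops here
        self.per_peer[peer] += 1
        self.per_source[source] += 1
        self.cache.append((source, group, rp))
        return "accept"

    @staticmethod
    def outbound_ok(group: str) -> bool:
        """Only advertise SAs for groups inside our own GLOP block."""
        return usable_group(group) and glop_asn(group) == OUR_ASN


def run_demo() -> Counter:
    """Feed a constructed SA stream through the policy and tally the decisions."""
    policy = MsdpSaPolicy(per_peer_max=100, per_source_max=10)
    sas = []
    # peer A relays SAs from one host that is sweeping 50 groups (worm-like behaviour)
    sas += [("peerA", "198.51.100.7", f"224.2.{i}.1", "10.0.0.1") for i in range(50)]
    # peer B: one normal SA, one inside our own GLOP block, two in unusable groups
    sas += [("peerB", "203.0.113.9", "233.252.0.1", "10.0.0.2"),
            ("peerB", "203.0.113.9", "233.251.244.5", "10.0.0.2"),
            ("peerB", "203.0.113.9", "224.0.0.9", "10.0.0.2"),
            ("peerB", "203.0.113.9", "225.0.0.9", "10.0.0.2")]
    return Counter(policy.inbound(*sa) for sa in sas)


if __name__ == "__main__":
    print(dict(run_demo()))
```

The per-source limit is what actually caps the sweeping host: the per-peer limit alone (100 here) would still let all 50 of its SAs in, which is the point the slide makes about wanting the same per-source control for PIM Registers.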

protection options {sender-based}
on all multicast routers...
- rate-limit total PIM traffic to the router
- rate-limit all 224/4 traffic to the router
- block mcast packets to "unusable" groups

protection options {sender-based}
on all multicast routers...
- only allow UDP to 224/4; exceptions for PIM, OSPF, etc
- disable sdr/sap
- set forwarding table limits (juniper): 'set routing-options multicast forwarding-cache'

protection options {receiver-based}
on all multicast routers...
- rate-limit PIM and IGMP packets per interface
- multicast route limits would be useful
- per-port mac limits in switches; not sure if this applies to igmp snooping. if it doesn't, it should
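The per-router limits on the last three slides (a ceiling on multicast forwarding state, in the spirit of the Junos forwarding-cache limit named above, and per-interface rate limiting of PIM/IGMP control packets), as one added model. It is my own simplification, not the presentation's or any vendor's code: the suppress/reuse hysteresis, the token-bucket policer, the thresholds, the interface names and the 1400-group sweep from one host are all constructed for the demo.

```python
from collections import Counter, defaultdict


class TokenBucket:
    """Per-interface policer for control packets: `rate` packets/s, up to `burst` at once."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class McastRouter:
    """Forwarding cache with a suppress/reuse ceiling plus per-interface PIM/IGMP policing."""

    def __init__(self, suppress: int, reuse: int, ctl_pps: float, ctl_burst: int):
        self.suppress, self.reuse = suppress, reuse
        self.routes = {}              # (source, group) -> time the entry was created
        self.suppressed = False
        self.policers = defaultdict(lambda: TokenBucket(ctl_pps, ctl_burst))

    def data_packet(self, source: str, group: str, now: float) -> str:
        """Create (s,g) state only while the cache is under the ceiling (with hysteresis)."""
        key = (source, group)
        if key in self.routes:
            return "existing"
        n = len(self.routes)
        if self.suppressed and n < self.reuse:
            self.suppressed = False       # enough entries aged out: accept new state again
        if self.suppressed or n >= self.suppress:
            self.suppressed = True        # ceiling hit: new (s,g) state is refused, not created
            return "suppressed"
        self.routes[key] = now
        return "created"

    def expire(self, now: float, timeout: float) -> int:
        """Age out idle entries; returns how many were removed."""
        stale = [k for k, ts in self.routes.items() if now - ts > timeout]
        for k in stale:
            del self.routes[k]
        return len(stale)

    def control_packet(self, ifname: str, now: float) -> bool:
        """Per-interface rate limit on PIM/IGMP packets punted to the route processor."""
        return self.policers[ifname].allow(now)


def groups(start: int, count: int):
    """Constructed group sweep: distinct addresses 224.1.0.1, 224.1.1.1, ..."""
    return [f"224.{1 + i // 256}.{i % 256}.1" for i in range(start, start + count)]


def run_demo() -> dict:
    r = McastRouter(suppress=500, reuse=400, ctl_pps=10, ctl_burst=20)
    src = "198.51.100.7"              # constructed: one host sweeping the group space
    sweep = Counter(r.data_packet(src, g, 0.0) for g in groups(0, 300))
    sweep += Counter(r.data_packet(src, g, 5.0) for g in groups(300, 700))
    expired = r.expire(now=32.0, timeout=30.0)     # only the 300 entries created at t=0 age out
    after = Counter(r.data_packet(src, g, 33.0) for g in groups(1000, 400))
    # 100 IGMP reports arrive at once on one port, then 10 more a second later
    verdicts = [r.control_packet("ge-0/0/1", 0.0) for _ in range(100)]
    verdicts += [r.control_packet("ge-0/0/1", 1.0) for _ in range(10)]
    control = Counter("accepted" if ok else "dropped" for ok in verdicts)
    other_port = r.control_packet("ge-0/0/2", 0.0)  # separate port, separate bucket
    return {"sweep": sweep, "expired": expired, "after_reuse": after,
            "control": control, "other_port_accepted": other_port}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, dict(v) if isinstance(v, Counter) else v)
```

The sweep stops creating state at 500 entries and does not resume until the cache has fallen below 400, so a steady trickle of new groups cannot keep the router pinned at the ceiling; the policer caps what a single port can punt to the route processor without affecting the other port.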

summary
- SSM solves sender-based vulnerabilities. will ASM cease to be supported for inter-domain?
- blocking reserved groups would help a lot
- so would turning off data encap for MSDP
- so would per-source PIM and MSDP limits
- more features from vendors to protect multicast-enabled routers & switches