Document 7891849

Download Report

Transcript Document 7891849

Protecting Multicast Enabled Networks

Matthew Davy Indiana University

outline

• overview • vulnerabilities • sender-based • receiver-based • short-term protection options • possible long-term solutions

what’s unique about multicast ?

• by simply sending an IP packet, any host can...

• create control plane state in routers & switches • force routers & switches to generate & process protocol packets • flood a large number of hosts with a large traffic stream

why is this a problem ?

• hosts can intentionally or unintentionally generate a DoS attack on multicast enabled routers & switches by overloading the control plane • worms which scan 224/4 are the most common problem • several worms have unintentionally disrupted many multicast enabled networks (ramen, slammer, etc)

sender-based vulnerabilities

• address • the first router (aka the PIM DR)...

• creates a multicast route (s,g) • result = memory allocation on RP/RE (rib) and forwarding hardware (fib) potential for memory exhaustion • encap. data packet inside PIM register and sends to RP • result = processor cycles on the DR & RP - potential for CPU exhaustion

sender-based vulnerabilities {ASM}

• the PIM RP...

• receives PIM Register [processor] • creates (s,g) state [memory] • deencap. the data packets [processor] • forwards the packets down the shared tree [processor] • sends PIM join towards source [processor]

sender-based vulnerabilities {ASM}

• if it’s also an MSDP speaker, the RP...

• creates MSDP SA state [memory] • sends MSDP SA w/encap. data to all MSDP peers [processor] • Note: MSDP SAs are flooded to every MSDP speaker on the Internet !

sender-based vulnerabilities {ASM}

• every MSDP speaker on the Internet...

• receives the MSDP SA and deencap. the data packet [processor] • creates MSDP SA state and forwarding state [memory] • forwards the data packet down shared tree [processor]

does ssm solve this

problem ?

SSM does not have sender-based vulnerabilities !

• first hop router simply drops pkts if no forwarding state (hopefully in ASIC) • no PIM Registers = no data packets inside control plane packets • no MSDP = packets can’t reach all MSDP speakers & no data packets inside control plane packets • SSM still has receiver-based vulnerabilities

receiver-based

• •

vulnerabilities

{SSM & ASM} when a host joins a multicast group, it sends an IGMP host report packet to a mcast group • ethernet switches often snoop IGMP packets [memory & processor] the first hop router...

• creates (*,g) and/or (s,g) state if necessary [memory] • sends PIM join towards RP (ASM) or towards source (SSM) [processor]

receiver-based vulnerabilities

{SSM & ASM} • every router in the path...

• receives a PIM join packet [processor] • creates forwarding state as necessary [memory] • unintentional receiver-based attacks are unlikely

protection options

{sender-based} • on first hop routers, filter mcast packets to “unusable” groups • see http://www.iana.org/assignments/multicast addresses • see http://www-fp.mcs.anl.gov/~nickless/draft nickless-ipv4-mcast-unusable-02.txt

• prevents creation of forwarding state and PIM register processing for unusable groups

a bit on “unusable” groups

• ethernet mac overlaps with 224.0.0.0/24 (225.0.0.0/24, 225.128.0.0/24, etc) • should not use, but a few people are • what about “reserved” addresses ?

• • • 224.3.0.64 - 224.251.255.255

225.0.0.0-231.255.255.255

234.0.0.0-238.255.255.255

• might reduce impact of worms significantly by eliminating use of this address space

protection options

{sender-based} • on PIM RP, filter register packets. only allow packets from your source addresses and “usable” group addresses • this prevents unnecessary register processing and forwarding state creation on the RP • redundant if all DRs have same filters, but...

protection options

{sender-based} • on all MSDP speakers...

• filter SAs by source, group, & RP as appropriate (see “unusable” addresses) • only allow your GLOP space going out; block your GLOP space coming in • set limits on total SAs from each peer

protection options

{sender-based} • on all MSDP speakers...

• set per-source SA limits (juniper); cool feature. need per-source PIM Register limits too • set per-instance SA limits • rate-limit all MSDP traffic destined to router • turn off data encap for msdp ?

protection options

{sender-based} • on all multicast routers...

• rate-limit total PIM traffic to the router • rate-limit all 224/4 traffic to the router • block mcast packets to “unusable” groups

protection options {sender-based}

• on all multicast routers...

• only allow udp to 224/4; exceptions for pim, ospf, etc • disable sdr/sap • set forwarding table limits (juniper) • ‘set routing-options multicast forwarding cache’

protection-options

{receiver-based} • on all multicast routers...

• rate-limit PIM and IGMP packets • per interface multicast route limits would be useful • per-port mac limits in switches; not sure if this applies to igmp snooping. if it doesn’t, it should

summary

• SSM solves sender-based vulnerabilities. will ASM cease to be supported for inter domain ?

• blocking reserved groups would help a lot • so would turning off data encap for msdp • so would per-source pim and msdp limits • more features from vendors to protect multicast enabled routers & switches