PIM Security

To ensure that multicast services are correctly transmitted on networks, PIM security is implemented to limit the valid BSR and C-RP address ranges, filter packets, and check PIM neighbors.

Table 1 PIM security features

Feature: Limit on the BSR address range
Applicable protocol: IPv4 PIM-SM, IPv6 PIM-SM
Purpose: Any router on a PIM-SM network that uses the BootStrap Router (BSR) mechanism can be configured as a Candidate-BootStrap Router (C-BSR) and participate in the BSR election. The winner of the election is responsible for advertising rendezvous point (RP) information. This function guarantees BSR security by preventing BSR spoofing and preventing malicious hosts from replacing valid BSRs.
Principle: An ACL and filtering rules can be configured to limit the range of valid BSR addresses. Devices then discard BSR packets carrying BSR addresses outside the valid address range.
Applicable device: All multicast devices on a network
Protected device: BSR

Feature: Limit on the C-RP address range
Applicable protocol: IPv4 PIM-SM, IPv6 PIM-SM
Purpose: Any router on a PIM-SM network that uses the BSR mechanism can be configured as a Candidate-Rendezvous Point (C-RP) and serve multicast groups in a specified range. Each C-RP unicasts an Advertisement message to the BSR. The BSR collects all received C-RP information, summarizes it as the RP-Set, and floods the RP-Set over the entire network in Bootstrap messages. From the RP-Set, routers on the network calculate the RP that corresponds to a multicast group in a given range. This function guarantees C-RP security by preventing C-RP spoofing and preventing malicious hosts from replacing valid C-RPs, so that an RP is correctly elected.
Principle: An ACL and filtering rules can be configured to limit the range of valid C-RP addresses and the range of multicast groups that each C-RP serves. The BSR then discards Advertisement messages carrying C-RP addresses outside the valid C-RP address range.
Applicable device: C-BSR
Protected device: RP

Feature: Limit on the number of PIM entries
Applicable protocol: IPv4 PIM-SM, IPv4 PIM-SSM
Purpose: This feature limits the number of PIM-SM/PIM-SSM entries so that a device does not generate excessive multicast routing entries when an attacker sends large volumes of multicast data or IGMP/PIM protocol messages. It therefore helps prevent high memory and CPU usage and improves multicast service security.
Principle: A PIM entry limit can be configured globally to restrict the maximum number of PIM-SM/PIM-SSM entries that can be created. Once the limit is reached, the device creates no new PIM-SM/PIM-SSM entries. PIM (*, G) and (S, G) entries are limited separately:
  • After the limit for PIM (*, G) entries is reached, the device stops creating PIM-SM (*, G) entries.
  • After the limit for PIM (S, G) entries is reached, the device stops creating PIM-SM/PIM-SSM (S, G) entries.
Applicable device: All PIM devices on a network
Protected device: All PIM devices on a network
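To make the separate (*, G) and (S, G) accounting concrete, the following Python model is an added example, not Huawei code; the limits, group and source addresses are constructed. It refuses entry creation once a type's limit is reached and counts the refusals, which is the figure a monitoring system would alarm on, and shows that exhausting the (S, G) budget leaves (*, G) creation unaffected.

```python
"""Model of the global PIM entry limit with (*, G) and (S, G) counted separately.

Added example, not Huawei code. Limits, group and source addresses are constructed.
"""
from typing import Dict, List, Tuple


class PimEntryTable:
    """Tracks PIM entries per type and refuses creation once that type's limit is reached."""

    def __init__(self, star_g_limit: int, s_g_limit: int) -> None:
        self.limits = {"(*, G)": star_g_limit, "(S, G)": s_g_limit}
        self.entries: Dict[str, set] = {"(*, G)": set(), "(S, G)": set()}
        self.refused: Dict[str, int] = {"(*, G)": 0, "(S, G)": 0}

    def create(self, kind: str, key: Tuple[str, ...]) -> bool:
        table = self.entries[kind]
        if key in table:
            return True                      # refreshing an existing entry never counts
        if len(table) >= self.limits[kind]:
            self.refused[kind] += 1          # a rising refusal count means a burst is hitting the cap
            return False
        table.add(key)
        return True

    def utilisation(self) -> Dict[str, float]:
        """Fraction of each limit in use, the value to watch before the cap is reached."""
        return {k: len(v) / self.limits[k] for k, v in self.entries.items()}


def run_limit_scenario() -> Tuple[List[bool], bool, Dict[str, int]]:
    t = PimEntryTable(star_g_limit=4, s_g_limit=3)
    for g in ("225.1.0.1", "225.1.0.2"):     # legitimate receivers join two groups
        t.create("(*, G)", (g,))
    # Constructed burst: traffic for one group arrives from six different source addresses
    burst = [t.create("(S, G)", (f"10.9.9.{i}", "225.1.0.1")) for i in range(1, 7)]
    # (*, G) creation still works because the two limits are independent
    star_ok = t.create("(*, G)", ("225.1.0.3",))
    return burst, star_ok, t.refused
```

The scenario creates the first three (S, G) entries and refuses the remaining three, while the later (*, G) entry is still admitted.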

Feature: Register message filtering
Applicable protocol: IPv4 PIM-SM, IPv6 PIM-SM
Purpose: Any new multicast source on a PIM-SM network must first register with the RP. After receiving a Register message from the multicast source's designated router (DR), the RP forwards the multicast data sent by that source to group members. This function protects the network against invalid Register messages from malicious devices, so that multicast forwarding trees are set up correctly and multicast data reaches the intended receivers.
Principle: An ACL and filtering rules can be configured to enable the RP to filter the Register messages it receives from the multicast source's DR.
Applicable device: RP
Protected device: RP

Feature: PIM neighbor filtering
Applicable protocol: IPv4 PIM-SM, IPv6 PIM-SM, IPv4 PIM-SSM, IPv6 PIM-SSM
Purpose: Unknown devices on a network may set up PIM neighbor relationships with a multicast router and prevent that router from functioning as the DR. This function prevents a multicast router from setting up PIM neighbor relationships with unknown devices and prevents an unknown router from becoming the DR.
Principle: An ACL and filtering rules can be configured so that interfaces set up neighbor relationships only with interfaces that have valid addresses, and delete neighbors whose addresses are invalid.
Applicable device: All multicast devices on a network
Protected device: All multicast devices on a network

Feature: Join information filtering
Applicable protocol: IPv4 PIM-SM, IPv6 PIM-SM, IPv4 PIM-SSM, IPv6 PIM-SSM
Purpose: A Join/Prune message received by an interface contains both join and prune information. This function filters the join information to prevent unauthorized users from joining multicast groups.
Principle: An ACL and filtering rules can be configured to filter join information. Devices create PIM entries only from join information that passes the filter.
Applicable device: All multicast devices on a network
Protected device: All multicast devices on a network

Feature: Source address-based filtering
Applicable protocol: IPv4 PIM-SM, IPv6 PIM-SM, IPv4 PIM-SSM, IPv6 PIM-SSM
Purpose: This function enables a device to filter multicast data packets based on their source address or source/group address pair, ensuring the security of multicast data packets.
Principle: An ACL and filtering rules can be configured so that devices forward only multicast packets whose source or source/group addresses fall within the valid source or source/group address range.
Applicable device: All multicast devices on a network
Protected device: All multicast devices on a network

Feature: PIM neighbor check
Applicable protocol: IPv4 PIM-SM, IPv6 PIM-SM, IPv4 PIM-SSM, IPv6 PIM-SSM
Purpose: This function guarantees the security of the Join/Prune and Assert messages that devices receive or send.
Principle: When receiving or sending a Join/Prune or Assert message, a device checks whether the message is received from or sent to a PIM neighbor. Messages that are not received from or sent to a PIM neighbor are discarded.
Applicable device: All multicast devices on a network
Protected device: All multicast devices on a network

Feature: PIM silent
Applicable protocol: IPv4 PIM-SM, IPv6 PIM-SM, IPv4 PIM-SSM, IPv6 PIM-SSM
Purpose: If PIM-SM is enabled on the interface that directly connects a multicast device to user hosts, that interface can set up PIM neighbor relationships and process PIM packets. If a malicious host sends pseudo PIM Hello packets to the multicast device, the multicast device may break down. This function protects the interfaces of PIM-SM devices against pseudo PIM Hello packets.
Principle: The interface is not allowed to receive or forward any PIM packets, and all PIM neighbor relationships established by this interface are deleted.
Applicable device: Interface directly connected to a user host network segment that has only one PIM device
Protected device: PIM devices directly connected to user host network segments
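The ACL-driven features above (BSR and C-RP address limits, Register, neighbor, join and source filtering), together with the PIM neighbor check and PIM silent, share one decision pattern: a field of the message is matched against an ordered ACL and the message is dropped on no match. The following Python simulation is an added example, not Huawei code. It assumes Huawei-style ACL semantics (rules tried in order, inverse wildcard masks, implicit deny when nothing matches), reduces each message to the fields the corresponding policy inspects, and uses constructed addresses, interface names and policies.

```python
"""Simulation of the ACL-driven PIM control-plane checks in Table 1 (added example, not
Huawei code). Assumed: Huawei-style ACL semantics (rules tried in order, inverse wildcard
masks, implicit deny when nothing matches); messages reduced to the fields each policy
inspects; every address, interface name and policy is constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    addr: str                      # address the rule is written for
    wildcard: str = "0.0.0.0"      # inverse mask; 0.0.0.0 = exact host
    group: Optional[str] = None    # second field of an advanced (address + group) rule
    group_wildcard: str = "0.0.0.0"

def acl_permits(rules: List[Rule], addr: Optional[str], group: Optional[str] = None) -> bool:
    """First matching rule decides; no match (or nothing to match) means deny.
    Wildcard semantics: bits that are 0 in the wildcard must be equal."""
    def same(a: str, b: str, w: str) -> bool:
        care = ~int(IPv4Address(w)) & 0xFFFFFFFF
        return (int(IPv4Address(a)) & care) == (int(IPv4Address(b)) & care)
    for r in (rules if addr is not None else []):
        if not same(addr, r.addr, r.wildcard):
            continue
        if r.group is not None and (group is None or not same(group, r.group, r.group_wildcard)):
            continue
        return r.action == "permit"
    return False

@dataclass
class Pkt:
    kind: str                      # Hello, JoinPrune, Assert, Bootstrap, Advertisement, Register, Data
    src: str                       # IP source of the packet (neighbor, DR or data sender)
    addr: Optional[str] = None     # BSR address, C-RP address, or the source encapsulated in a Register
    group: Optional[str] = None    # group in join info, C-RP range, Register, or data packet

@dataclass
class Router:
    policies: Dict[str, List[Rule]]                       # bsr, crp, register, neighbor, join, source
    silent_ifaces: Set[str] = field(default_factory=set)
    neighbors: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def _verdict(self, pkt: Pkt, ok: bool, why: str) -> bool:
        self.log.append(f"{'ACCEPT' if ok else 'DROP'} {pkt.kind} from {pkt.src}: {why}")
        return ok

    def receive(self, iface: str, pkt: Pkt) -> bool:
        # PIM silent: a user-facing interface processes no PIM packet and keeps no neighbors
        if iface in self.silent_ifaces and pkt.kind != "Data":
            self.neighbors.discard(pkt.src)
            return self._verdict(pkt, False, f"{iface} is pim silent")
        # PIM neighbor check: Join/Prune and Assert are accepted only from established neighbors
        if pkt.kind in ("JoinPrune", "Assert") and pkt.src not in self.neighbors:
            return self._verdict(pkt, False, "sender is not a PIM neighbor")
        if pkt.kind == "Hello":  # neighbor filtering: valid addresses become neighbors, others are removed
            ok = acl_permits(self.policies["neighbor"], pkt.src)
            (self.neighbors.add if ok else self.neighbors.discard)(pkt.src)
            return self._verdict(pkt, ok, "neighbor-policy on neighbor address")
        p = self.policies
        checks = {  # kind -> (policy, address checked, group checked, reason)
            "JoinPrune": (p["join"], pkt.group, None, "join-policy on group"),
            "Bootstrap": (p["bsr"], pkt.addr, None, "bsr-policy on BSR address"),
            "Advertisement": (p["crp"], pkt.addr, pkt.group, "crp-policy on C-RP address/group range"),
            "Register": (p["register"], pkt.addr, pkt.group, "register-policy on source/group"),
            "Data": (p["source"], pkt.src, pkt.group, "source-policy on source/group"),
        }
        if pkt.kind not in checks:
            return self._verdict(pkt, True, "no ACL applies")
        policy, a, g, why = checks[pkt.kind]
        return self._verdict(pkt, acl_permits(policy, a, g), why)

def demo_filtering():
    """Constructed policies and traffic; returns per-packet verdicts and the audit log."""
    r = Router(policies={
        "bsr": [Rule("permit", "10.1.1.1")],
        "crp": [Rule("permit", "10.1.0.0", "0.0.255.255", "225.1.0.0", "0.0.255.255")],
        "register": [Rule("permit", "192.168.1.0", "0.0.0.255", "225.1.0.0", "0.0.255.255")],
        "neighbor": [Rule("permit", "10.1.2.0", "0.0.0.255")],
        "join": [Rule("deny", "225.1.99.99"), Rule("permit", "225.1.0.0", "0.0.255.255")],
        "source": [Rule("permit", "192.168.1.0", "0.0.0.255", "225.1.0.0", "0.0.255.255")],
    }, silent_ifaces={"GE0/0/3"})
    traffic = [
        ("GE0/0/1", Pkt("Hello", "10.1.2.5")),
        ("GE0/0/1", Pkt("Hello", "172.16.9.9")),                                    # unknown device
        ("GE0/0/1", Pkt("JoinPrune", "10.1.2.5", group="225.1.3.4")),
        ("GE0/0/1", Pkt("JoinPrune", "10.1.2.5", group="225.1.99.99")),             # denied group
        ("GE0/0/1", Pkt("JoinPrune", "172.16.9.9", group="225.1.3.4")),             # not a neighbor
        ("GE0/0/1", Pkt("Bootstrap", "10.1.2.5", addr="10.1.1.1")),
        ("GE0/0/1", Pkt("Bootstrap", "10.1.2.5", addr="172.16.9.9")),               # BSR address out of range
        ("GE0/0/1", Pkt("Advertisement", "10.1.7.7", addr="10.1.7.7", group="225.1.0.0")),
        ("GE0/0/1", Pkt("Advertisement", "10.1.7.7", addr="10.1.7.7", group="239.0.0.0")),  # group out of range
        ("GE0/0/2", Pkt("Register", "10.1.2.9", addr="192.168.1.10", group="225.1.3.4")),
        ("GE0/0/2", Pkt("Register", "10.1.2.9", addr="172.16.5.5", group="225.1.3.4")),     # unregistered source
        ("GE0/0/2", Pkt("Data", "192.168.1.10", group="225.1.3.4")),
        ("GE0/0/2", Pkt("Data", "192.168.1.10", group="239.9.9.9")),                # group out of range
        ("GE0/0/3", Pkt("Hello", "10.1.2.50")),                                     # silent interface
    ]
    return [r.receive(iface, p) for iface, p in traffic], r.log
```

The audit log that `demo_filtering` returns is the view a defender wants from the real device: each drop names the policy that caused it, so a burst of "DROP Bootstrap" or "DROP Hello" lines from one address is immediately attributable.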

Feature: PIM IPsec
Applicable protocol: IPv4 PIM-SM, IPv6 PIM-SM, IPv4 PIM-SSM, IPv6 PIM-SSM
Purpose: This function authenticates PIM packets to prevent bogus PIM protocol packet attacks and denial of service (DoS) attacks, improving multicast service security.
Principle: PIM IPsec uses a security association (SA) to authenticate sent and received PIM packets. The process is as follows:
  • Before an interface sends out a PIM protocol packet, IPsec adds a protocol header to the packet.
  • After an interface receives a PIM protocol packet, IPsec uses the SA to authenticate the protocol header in the packet. If authentication succeeds, the packet is forwarded; otherwise, the packet is discarded.
PIM IPsec can authenticate the following types of PIM packets:
  • PIM multicast protocol packets, such as Hello and Join/Prune packets.
  • PIM unicast protocol packets, such as Register and Register-Stop packets.
NOTE: For a description of the IPsec feature, see IPsec.
Applicable device: All PIM devices on a network
Protected device: All PIM devices on a network
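The receive-side check can be modelled with a keyed MAC. The following Python is an added example, not Huawei code and not the IPsec AH wire format: it stands in for the SA with a pre-shared key selected by an SPI and an HMAC-SHA256 tag over the PIM payload, and shows why a packet modified in flight, a packet built under the wrong key, and a packet naming an SA the receiver never agreed are all discarded. Keys, SPIs and the Hello contents are constructed.

```python
"""Model of SA-based authentication of PIM packets, the service PIM IPsec provides.

Added example, not Huawei code and not the IPsec AH wire format: a per-SA pre-shared
key selected by an SPI, HMAC-SHA256 over SPI + PIM payload. Keys and SPIs are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

TAG_LEN = 32  # HMAC-SHA256 digest length


def build_hello(holdtime: int) -> bytes:
    """PIMv2 Hello: version 2 / type 0, reserved byte, checksum (left zero here), Holdtime option."""
    header = struct.pack("!BBH", 0x20, 0, 0)
    holdtime_option = struct.pack("!HHH", 1, 2, holdtime)  # option type 1, length 2, value
    return header + holdtime_option


def protect(sadb: Dict[int, bytes], spi: int, pim_payload: bytes) -> bytes:
    """Sender side: prepend the SPI and an integrity tag computed under that SA's key."""
    spi_bytes = struct.pack("!I", spi)
    tag = hmac.new(sadb[spi], spi_bytes + pim_payload, hashlib.sha256).digest()
    return spi_bytes + tag + pim_payload


def verify(sadb: Dict[int, bytes], wire: bytes) -> Optional[bytes]:
    """Receiver side: the PIM payload if the tag verifies under the named SA, else None (discard)."""
    if len(wire) < 4 + TAG_LEN:
        return None
    spi = struct.unpack("!I", wire[:4])[0]
    tag, payload = wire[4:4 + TAG_LEN], wire[4 + TAG_LEN:]
    key = sadb.get(spi)
    if key is None:                                   # no SA for this SPI: cannot authenticate
        return None
    expected = hmac.new(key, wire[:4] + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def demo_authentication() -> Dict[str, bool]:
    """Four receive cases; every value is expected to be True."""
    sadb = {1000: b"constructed-key-for-sa-1000"}
    genuine = protect(sadb, 1000, build_hello(105))
    tampered = bytearray(genuine)
    tampered[-1] ^= 0xFF                              # holdtime modified in flight
    wrong_key = protect({1000: b"some-other-constructed-key"}, 1000, build_hello(1))
    unknown_sa = protect({2000: b"key-the-receiver-never-agreed"}, 2000, build_hello(1))
    return {
        "genuine accepted": verify(sadb, genuine) == build_hello(105),
        "modified packet discarded": verify(sadb, bytes(tampered)) is None,
        "right SPI, wrong key discarded": verify(sadb, wrong_key) is None,
        "unknown SA discarded": verify(sadb, unknown_sa) is None,
    }
```

Only the first case yields a payload the PIM process would go on to handle; the other three return None and the packet is dropped before any PIM state (neighbor, RP-Set, forwarding entry) can be influenced by it.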

Copyright © Huawei Technologies Co., Ltd.