
PIM-SM Security

To ensure that multicast services are correctly transmitted on networks, PIM security is implemented to limit the valid BSR and C-RP address ranges, filter packets, and check PIM neighbors.

Table 1 lists the security features supported by PIM-SM.

Table 1 PIM security

Feature: Limit on the BootStrap router (BSR) address range
Purpose: Any router on a PIM-SM network that uses the BSR mechanism can be configured as a Candidate-BSR (C-BSR) and participate in a BSR election. The winner of the BSR election is responsible for advertising Rendezvous Point (RP) information on the network. This function guarantees BSR security by preventing BSR spoofing and preventing malicious hosts from replacing valid BSRs.
Principle: An ACL and filtering rules can be configured to limit the range of valid BSR addresses. Devices then discard BSR packets carrying BSR addresses outside the valid address range.
Applicable Device: All multicast devices on a network
Protected Device: BSR

Feature: Limit on the Candidate-RP (C-RP) address range
Purpose: Any router on a PIM-SM network that uses the BSR mechanism can be configured as a C-RP and serve multicast groups in a specified range. Each C-RP unicasts an Advertisement message to the BSR. The BSR collects all received C-RP information, summarizes it as the RP-set, and floods the RP-set on the entire network using Bootstrap messages. Based on the RP-set, routers on the network can calculate the RP to which a multicast group in a specific range corresponds. This function guarantees C-RP security by preventing C-RP spoofing and preventing malicious hosts from replacing valid C-RPs, so that an RP can be correctly elected.
Principle: An ACL and filtering rules can be configured to limit the range of valid C-RP addresses and the range of multicast groups that each C-RP serves. The BSR then discards Advertisement messages carrying C-RP addresses outside the valid C-RP address range.
Applicable Device: C-BSR
Protected Device: RP

Feature: Register message filtering
Purpose: Any new multicast source on a PIM-SM network must initially register with the RP. The RP forwards multicast data sent by a multicast source to group members after receiving a Register message from the multicast source's Designated Router (DR). This function protects the network against invalid Register messages from malicious devices, so that multicast forwarding trees are correctly set up and multicast data is correctly sent to receivers.
Principle: An ACL and filtering rules can be configured to enable the RP to filter Register messages received from the multicast source's DR.
Applicable Device: RP
Protected Device: RP

Feature: PIM neighbor filtering
Purpose: Unknown devices on a network may set up PIM neighbor relationships with a multicast router and prevent the multicast router from functioning as a DR. This function prevents a multicast router from setting up PIM neighbor relationships with unknown devices and prevents an unknown router from becoming a DR.
Principle: An ACL and filtering rules can be configured so that interfaces set up neighbor relationships only with interfaces that have valid addresses, and delete neighbors with invalid addresses.
Applicable Device: All multicast devices on a network
Protected Device: All multicast devices on a network

Feature: Join information filtering
Purpose: A Join/Prune message received by an interface contains both join and prune information. This function filters join information to prevent unauthorized users from joining multicast groups.
Principle: An ACL and filtering rules can be configured to filter join information. Devices create PIM entries only based on valid join information.
Applicable Device: All multicast devices on a network
Protected Device: All multicast devices on a network

Feature: Source address-based filtering
Purpose: This function enables a device to filter multicast data packets based on source or source/group addresses, ensuring the security of multicast data packets.
Principle: An ACL and filtering rules can be configured so that devices forward only multicast packets whose source or source/group addresses fall within the valid source or source/group address range.
Applicable Device: All multicast devices on a network
Protected Device: All multicast devices on a network

Feature: PIM neighbor check
Purpose: This function guarantees the security of Join/Prune and Assert messages received or sent by devices.
Principle: When receiving or sending Join/Prune or Assert messages, a device checks whether each message is sent to or received from a PIM neighbor. Messages that are not sent to or received from a PIM neighbor are discarded.
Applicable Device: All multicast devices on a network
Protected Device: All multicast devices on a network

Feature: PIM silent
Purpose: If PIM-SM is enabled on the interface directly connecting a multicast device to user hosts, this interface can set up PIM neighbor relationships and process PIM packets. If a malicious host sends pseudo PIM Hello packets to the multicast device, the multicast device may break down. This function protects interfaces of PIM-SM devices against pseudo PIM Hello packets.
Principle: The interface is not allowed to receive or forward any PIM packets, and all PIM neighbor relationships established by this interface are deleted.
Applicable Device: Interface directly connected to a user host network segment that is connected to only one PIM device.
Protected Device: PIM devices directly connected to user host network segments.
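As an added illustration (not Huawei's code or configuration), the following Python model applies the checks listed in Table 1 to parsed PIM messages: BSR and C-RP address limits, neighbor filtering, neighbor check, join and Register filtering, source-address filtering and PIM silent. The policy prefixes, the message dictionaries and the `check` function are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed policy for one router (sample prefixes, not from the page).
POLICY = {
    "bsr_policy": [ip_network("10.0.0.0/24")],         # valid C-BSR addresses
    "crp_policy": {ip_network("10.0.1.0/24"): ip_network("239.1.0.0/16")},  # C-RP net -> groups it may serve
    "neighbor_policy": [ip_network("192.168.1.0/24")], # addresses allowed to become PIM neighbors
    "join_policy": [ip_network("239.1.0.0/16")],       # groups receivers may join
    "source_policy": [ip_network("10.10.0.0/16")],     # valid multicast sources (Register / data)
}

def in_any(addr, nets): return any(ip_address(addr) in n for n in nets)

def check(msg, policy=POLICY, neighbors=frozenset(), silent=False):
    """Return 'accept' or 'drop' for one parsed PIM message (dict with 'type', 'src', type-specific fields)."""
    if silent:                                 # PIM silent: the interface processes no PIM at all
        return "drop"
    t = msg["type"]
    if t == "Hello":                           # PIM neighbor filtering
        return "accept" if in_any(msg["src"], policy["neighbor_policy"]) else "drop"
    if t in ("Join/Prune", "Assert"):          # PIM neighbor check: sender must be a known neighbor
        if msg["src"] not in neighbors:
            return "drop"
        if any(not in_any(g, policy["join_policy"]) for g in msg.get("joins", [])):
            return "drop"                      # join information filtering
        return "accept"
    if t == "Bootstrap":                       # BSR address range limit
        return "accept" if in_any(msg["bsr"], policy["bsr_policy"]) else "drop"
    if t == "Advertisement":                   # C-RP address and served-group range limit (on the C-BSR)
        crp, groups = ip_address(msg["crp"]), ip_network(msg["group_range"])
        ok = any(crp in net and groups.subnet_of(allowed)
                 for net, allowed in policy["crp_policy"].items())
        return "accept" if ok else "drop"
    if t in ("Register", "Data"):              # Register filtering on the RP / source-address filtering
        return "accept" if in_any(msg["source"], policy["source_policy"]) else "drop"
    return "drop"                              # unknown message types are not forwarded

NEIGHBORS = frozenset({"192.168.1.2"})
SAMPLES = [  # constructed messages and the expected verdict
    ({"type": "Bootstrap", "src": "192.168.1.2", "bsr": "10.0.0.5"}, "accept"),
    ({"type": "Bootstrap", "src": "192.168.1.2", "bsr": "172.16.9.9"}, "drop"),   # BSR outside range
    ({"type": "Advertisement", "src": "10.0.1.7", "crp": "10.0.1.7", "group_range": "239.1.5.0/24"}, "accept"),
    ({"type": "Advertisement", "src": "10.0.1.7", "crp": "10.0.1.7", "group_range": "239.2.0.0/16"}, "drop"),
    ({"type": "Hello", "src": "192.168.1.9"}, "accept"),                             # allowed neighbor
    ({"type": "Join/Prune", "src": "192.168.1.9", "joins": ["239.1.1.1"]}, "drop"),  # not a neighbor yet
    ({"type": "Join/Prune", "src": "192.168.1.2", "joins": ["239.9.1.1"]}, "drop"),  # group not permitted
    ({"type": "Register", "src": "192.168.1.2", "source": "10.20.0.1"}, "drop"),     # source outside range
]
```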

Copyright © Huawei Technologies Co., Ltd.