[nsp-sec] Limiting IGMP messages
John Kristoff
jtk at cymru.com
Fri Oct 3 12:15:33 EDT 2014
TLP: Amber
<https://en.wikipedia.org/wiki/Traffic_Light_Protocol>
Friends,
I wanted to call your attention to what should be a best practice with
IGMP messages on any internetwork. For almost all uses of the
protocol, IGMP messages should never leave the local network from which
they are originated.
In other words, IGMP messages generally should not be transiting your
routers. Note, however, that routers may very well source and originate IGMP
messages to hosts on locally connected networks, functionality that
may be vital to ensure correct operation of any IP multicast enabled
network and associated IP multicast applications. So this is not to
suggest IGMP messages should be completely discarded anywhere and
everywhere.
I will have more to say about this early next week and I'll post a
follow-up with additional details. For now, I'll provide configuration
templates that help address the specific issue, which you may want
to review and consider applying if you haven't already implemented
something like this:
Cisco
-----
As documented in:
<http://www.cisco.com/web/about/security/intelligence/multicast_toolkit.html#20>
! global command examples
ip multicast mrinfo-filter 52
access-list 52 deny any
Juniper
-------
Add the following firewall filter to the loopback interface:
filter igmp {
    term igmp_accept {
        from {
            destination-address {
                224.0.0.0/4;
            }
            protocol igmp;
        }
        then accept;
    }
    term igmp_drop {
        from {
            protocol igmp;
        }
        then {
            discard;
        }
    }
}
John
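A small simulation of the two terms in the Juniper filter above, added here as an illustration and not part of John's message or of any vendor documentation: it builds constructed IPv4 headers and reports which term each packet would hit. It assumes Python 3 with only the standard library, and the sample addresses are from the documentation ranges.

```python
import ipaddress
import struct

IGMP = 2                                         # IPv4 protocol number for IGMP
MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # destination range from the igmp_accept term


def build_ipv4(proto: int, ttl: int, src: str, dst: str) -> bytes:
    """Construct a bare 20-byte IPv4 header (no payload, checksum left zero) for testing."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def parse_ipv4(pkt: bytes):
    """Return (protocol, ttl, destination address) from a raw IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, ttl, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return proto, ttl, ipaddress.ip_address(dst)


def loopback_filter_verdict(pkt: bytes) -> str:
    """Evaluate the filter's terms in order against one packet, as Junos would."""
    proto, _ttl, dst = parse_ipv4(pkt)
    if proto == IGMP and dst in MULTICAST:    # term igmp_accept
        return "accept"
    if proto == IGMP:                         # term igmp_drop
        return "discard"
    return "no-match"  # neither term matched; a Junos filter then applies its implicit discard


def summarize(pkts) -> dict:
    """Count verdicts over a list of packets."""
    counts = {"accept": 0, "discard": 0, "no-match": 0}
    for p in pkts:
        counts[loopback_filter_verdict(p)] += 1
    return counts


# Constructed sample packets aimed at a router whose loopback is 198.51.100.1 (documentation address).
SAMPLE = [
    build_ipv4(IGMP, 1, "192.0.2.10", "224.0.0.1"),       # general query on the local LAN
    build_ipv4(IGMP, 1, "192.0.2.11", "224.0.0.22"),      # IGMPv3 membership report
    build_ipv4(IGMP, 64, "203.0.113.5", "198.51.100.1"),  # IGMP sent directly at the loopback
    build_ipv4(1, 64, "203.0.113.5", "198.51.100.1"),     # ICMP: untouched by these two terms
]

if __name__ == "__main__":
    print(summarize(SAMPLE))  # {'accept': 2, 'discard': 1, 'no-match': 1}
```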