From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc5059.txt | 2355 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2355 insertions(+) create mode 100644 doc/rfc/rfc5059.txt (limited to 'doc/rfc/rfc5059.txt') diff --git a/doc/rfc/rfc5059.txt b/doc/rfc/rfc5059.txt new file mode 100644 index 0000000..9669944 --- /dev/null +++ b/doc/rfc/rfc5059.txt @@ -0,0 +1,2355 @@ + + + + + + +Network Working Group N. Bhaskar +Request for Comments: 5059 Arastra +Obsoletes: 2362 A. Gall +Updates: 4601 SWITCH +Category: Standards Track J. Lingard + Arastra + S. Venaas + UNINETT + January 2008 + + + Bootstrap Router (BSR) Mechanism + for Protocol Independent Multicast (PIM) + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Abstract + + This document specifies the Bootstrap Router (BSR) mechanism for the + class of multicast routing protocols in the PIM (Protocol Independent + Multicast) family that use the concept of a Rendezvous Point as a + means for receivers to discover the sources that send to a particular + multicast group. BSR is one way that a multicast router can learn + the set of group-to-RP mappings required in order to function. The + mechanism is dynamic, largely self-configuring, and robust to router + failure. + + + + + + + + + + + + + + + + + + + +Bhaskar, et al. Standards Track [Page 1] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. Background .................................................3 + 1.2. Protocol Overview ..........................................5 + 1.3. Administrative Scoping and BSR .............................6 + 2. BSR State and Timers ............................................8 + 3. Bootstrap Router Election and RP-Set Distribution ...............9 + 3.1. Bootstrap Router Election ..................................9 + 3.1.1. Per-Scope-Zone Candidate-BSR State Machine .........10 + 3.1.2. Per-Scope-Zone State Machine for + Non-Candidate-BSR Routers ..........................11 + 3.1.3. Bootstrap Message Processing Checks ................13 + 3.1.4. State Machine Transition Events ....................14 + 3.1.5. State Machine Actions ..............................15 + 3.2. Sending Candidate-RP-Advertisement Messages ...............17 + 3.3. Creating the RP-Set at the BSR ............................18 + 3.4. Forwarding Bootstrap Messages .............................21 + 3.5. Bootstrap Messages to New and Rebooting Routers ...........22 + 3.5.1. No-Forward Bootstrap Messages ......................23 + 3.5.2. Unicasting Bootstrap Messages ......................23 + 3.6. Receiving and Using the RP-Set ............................23 + 4. Message Formats ................................................24 + 4.1. Bootstrap Message Format ..................................26 + 4.1.1. Semantic Fragmentation of BSMs .....................30 + 4.2. Candidate-RP-Advertisement Message Format .................31 + 5. Timers and Timer Values ........................................33 + 6. Security Considerations ........................................36 + 6.1. Possible Threats ..........................................36 + 6.2. Limiting Third-Party DoS Attacks ..........................36 + 6.3. Bootstrap Message Security ................................37 + 6.3.1. Unicast Bootstrap Messages .........................37 + 6.3.2. Multi-Access Subnets ...............................38 + 6.4. Candidate-RP-Advertisement Message Security ...............38 + 6.4.1. Non-Cryptographic Security of C-RP-Adv Messages ....38 + 6.4.2. Cryptographic Security of C-RP-Adv Messages ........39 + 6.5. Denial of Service using IPsec .............................39 + 7. Contributors ...................................................40 + 8. Acknowledgments ................................................40 + 9. Normative References ...........................................40 + 10. Informative References ........................................41 + + + + + + + + + + +Bhaskar, et al. Standards Track [Page 2] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +1. Introduction + + This document assumes some familiarity with the concepts of Protocol + Independent Multicast - Sparse Mode (PIM-SM) [1] and Bidirectional + Protocol Independent Multicast (BIDIR-PIM) [2], as well as with + Administratively Scoped IP Multicast [3] and the IPv6 Scoped Address + Architecture [4]. + + For correct operation, every multicast router within a PIM domain + must be able to map a particular multicast group address to the same + Rendezvous Point (RP). The PIM specifications do not mandate the use + of a single mechanism to provide routers with the information to + perform this group-to-RP mapping. + + This document describes the PIM Bootstrap Router (BSR) mechanism. + BSR is one way that a multicast router can learn the information + required to perform the group-to-RP mapping. The mechanism is + dynamic, largely self-configuring, and robust to router failure. + + BSR was first defined in RFC 2362 [7] as part of the original PIM-SM + specification, which has been obsoleted by RFC 4601 [1]. This + document provides an updated specification of the BSR mechanism from + RFC 2362, and also extends it to cope with administratively scoped + region boundaries and different flavors of routing protocols. + + Throughout the document, any reference to the PIM protocol family is + restricted to the subset of RP-based protocols, namely PIM-SM and + BIDIR-PIM, unless stated otherwise. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [6]. + +1.1. Background + + A PIM domain is a contiguous set of routers that all implement PIM + and are configured to operate within a common boundary defined by PIM + Multicast Border Routers (PMBRs). PMBRs connect each PIM domain to + the rest of the Internet. + + Every PIM multicast group needs to be associated with the IP address + of a Rendezvous Point (RP). This address is used as the root of a + group-specific distribution tree whose branches extend to all nodes + in the domain that want to receive traffic sent to the group. + Senders inject packets into the tree in such a manner that they reach + all connected receivers. How this is done and how the packets are + forwarded along the distribution tree depends on the particular + routing protocol. + + + +Bhaskar, et al. Standards Track [Page 3] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + For all senders to reach all receivers, it is crucial that all + routers in the domain use the same mappings of group addresses to RP + addresses. + + An exception to the above is where a PIM domain has been broken up + into multiple administrative scope regions. These are regions where + a border has been configured so that a set of multicast groups will + not be forwarded across that border. In this case, all PIM routers + within the same scope region must map a particular scoped group to + the same RP within that region. + + In order to determine the RP for a multicast group, a PIM router + maintains a collection of group-to-RP mappings, called the RP-Set. A + group-to-RP mapping contains the following elements. + + o Multicast group range, expressed as an address and prefix + length + + o RP priority + + o RP address + + o Hash mask length + + o SM / BIDIR flag + + In general, the group ranges of these group-to-RP mappings may + overlap in arbitrary ways; hence, a particular multicast group may be + covered by multiple group-to-RP mappings. When this is the case, the + router chooses only one of the RPs by applying a deterministic + algorithm so that all routers in the domain make the same choice. It + is important to note that this algorithm is part of the specification + of the individual routing protocols (and may differ among them), not + of the BSR specification. For example, PIM-SM [1] defines one such + algorithm. It makes use of a hash function for the case where a + group range has multiple RPs with the same priority. The hash mask + length is used by this function. + + There are a number of ways in which such group-to-RP mappings can be + established. The simplest solution is for all the routers in the + domain to be statically configured with the same information. + However, static configuration generally doesn't scale well, and, + except when used in conjunction with Anycast-RP (see [8] and [9]), + does not dynamically adapt to route around router or link failures. + + The BSR mechanism provides a way in which viable group-to-RP mappings + can be created and rapidly distributed to all the PIM routers in a + domain. It is adaptive, in that if an RP becomes unreachable, this + + + +Bhaskar, et al. Standards Track [Page 4] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + will be detected and the RP-Sets will be modified so that the + unreachable RP is no longer used. + +1.2. Protocol Overview + + In this section we give an informal and non-definitive overview of + the BSR mechanism. The definitive specification begins in section 2. + + The general idea behind the BSR mechanism is that some of the PIM + routers within a PIM domain are configured to be potential RPs for + the domain. These are known as Candidate-RPs (C-RPs). A subset of + the C-RPs will eventually be used as the actual RPs for the domain. + In addition, some of the PIM routers in the domain are configured to + be candidate bootstrap routers, or Candidate-BSRs (C-BSRs). One of + these C-BSRs will be elected to be the bootstrap router (BSR) for the + domain, and all the PIM routers in the domain will learn the result + of this election through Bootstrap messages. The C-RPs will then + report their candidacy to the elected BSR, which chooses a subset of + these C-RPs and distributes corresponding group-to-RP mappings to all + the routers in the domain through Bootstrap messages. + + In more detail, the BSR mechanism works as follows. There are four + basic phases (although in practice, all phases may be occurring + simultaneously): + + 1. BSR Election. Each Candidate-BSR originates Bootstrap messages + (BSMs). Every BSM contains a BSR Priority field. Routers within + the domain flood the BSMs throughout the domain. A C-BSR that + hears about a higher-priority C-BSR than itself suppresses its + sending of further BSMs for some period of time. The single + remaining C-BSR becomes the elected BSR, and its BSMs inform all + the other routers in the domain that it is the elected BSR. + + 2. C-RP Advertisement. Each Candidate-RP within a domain sends + periodic Candidate-RP-Advertisement (C-RP-Adv) messages to the + elected BSR. A C-RP-Adv message includes the priority of the + advertising C-RP, as well as a list of group ranges for which the + candidacy is advertised. In this way, the BSR learns about + possible RPs that are currently up and reachable. + + 3. RP-Set Formation. The BSR selects a subset of the C-RPs that it + has received C-RP-Adv messages from to form the RP-Set. In + general, it should do this in such a way that the RP-Set is + neither so large that all the routers in the domain cannot be + informed about it, nor so small that the load is overly + concentrated on some RPs. It should also attempt to produce an + RP-Set that does not change frequently. + + + + +Bhaskar, et al. Standards Track [Page 5] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + 4. RP-Set Flooding. In future Bootstrap messages, the BSR includes + the RP-Set information. Bootstrap messages are flooded through + the domain, which ensures that the RP-Set rapidly reaches all the + routers in the domain. BSMs are originated periodically to + ensure consistency after failure restoration. + + When a PIM router receives a Bootstrap message, it adds the + group-to-RP mappings contained therein to its pool of mappings + obtained from other sources (e.g., static configuration). It + calculates the final mappings of group addresses to RP addresses + from this pool according to rules specific to the particular + routing protocol and uses that information to construct multicast + distribution trees. + + If a PIM domain becomes partitioned, each area separated from the old + BSR will elect its own BSR, which will distribute an RP-Set + containing RPs that are reachable within that partition. When the + partition heals, another election will occur automatically and only + one of the BSRs will continue to send out Bootstrap messages. As is + expected at the time of a partition or healing, some disruption in + packet delivery may occur. The duration of the disruption period + will be on the order of the region's round-trip time and the + BS_Timeout value. + +1.3. Administrative Scoping and BSR + + The mechanism described in the previous section does not work when + the PIM domain is divided into administratively scoped regions. To + handle this situation, we use the protocol modifications described in + this section. + + In the remainder of this document, we will use the term scope zone, + or simply zone, when we are talking about a connected region of + topology of a given scope. For a more precise definition of scope + zones, see [4], which emphasizes that the scope zones are + administratively configured. + + Administrative scoping permits a PIM domain to be divided into + multiple admin-scope zones. Each admin-scope zone is a convex + connected set of PIM routers and is associated with a set of group + addresses. The boundary of the admin-scope zone is formed by Zone + Border Routers (ZBRs). ZBRs are configured not to forward traffic + for any of the scoped group addresses into or out of the scoped zone. + It is important to note that a given scope boundary always creates at + least two scoped zones: one on either side of the boundary. + + + + + + +Bhaskar, et al. Standards Track [Page 6] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + In IPv4, administratively scoped zones are associated with a set of + addresses given by an address and a prefix length. In IPv6, + administratively scoped zones are associated with a set of addresses + given by a single scope ID value. The set of addresses corresponding + to a given scope ID value is defined in [5]. For example, a scope ID + of 5 maps to the 16 IPv6 address ranges ff[0-f]5::/16. + + There are certain topological restrictions on admin-scope zones. The + scope zone border must be complete and convex. By this we mean that + there must be no path from the inside to the outside of the scoped + zone that does not pass through a configured scope border router, and + that the multicast capable path between any arbitrary pair of + multicast routers in the scope zone must remain in the zone. + + Administrative scoping complicates BSR because we do not want a PIM + router within the scoped zone to use an RP outside the scoped zone. + Thus we need to modify the basic mechanism to ensure that this + doesn't happen. + + This is done by running a separate copy of the basic BSR mechanism, + as described in the previous section, within each admin-scope zone of + a PIM domain. Thus a separate BSR election takes place for each + admin-scope zone, a C-RP typically registers to the BSR of every + admin-scope zone it is in, and every PIM router receives Bootstrap + messages for every scope zone it is in. The Bootstrap messages sent + by the BSR for a particular scope zone contain information about the + RPs that should be used for the set of addresses associated with that + scope zone. + + Bootstrap messages are marked to indicate which scope zone they + belong to. Such admin-scoped Bootstrap messages are flooded in the + normal way, but will not be forwarded by a ZBR across the boundary + for that scope zone. + + For the BSR mechanism to function correctly with admin scoping, there + must be at least one C-BSR within each admin-scope zone, and there + must be at least one C-RP that is configured to be a C-RP for the set + of group addresses associated with the scoped zone. + + Even when administrative scoping is used, a copy of the BSR mechanism + is still used across the entire PIM domain in order to distribute RP + information for groups that are not administratively scoped. We call + this copy of the mechanism non-scoped BSR. The copies of the + mechanism run for each admin-scope zone are called scoped BSR. + + Only the C-BSRs and the ZBRs need to be configured to know about the + existence of the scope zones. Other routers, including the C-RPs, + learn of their existence from Bootstrap messages. + + + +Bhaskar, et al. Standards Track [Page 7] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + All PIM routers within a PIM bootstrap domain where admin-scope + ranges are in use must be capable of receiving Bootstrap messages and + storing the winning BSR and RP-Set for all admin-scope zones that + apply. Thus, PIM routers that only implement RFC 2362 or non-scoped + BSR (which only allows one BSR per domain) cannot be used within the + admin-scope zones of a PIM domain. + +2. BSR State and Timers + + A PIM router implementing BSR holds the following state. + + RP-Set + + Per Configured or Learned Scope Zone (Z): + + At all routers: + + Current Bootstrap Router's IP Address + + Current Bootstrap Router's BSR Priority + + Last BSM received from current BSR + + Bootstrap Timer (BST(Z)) + + Per group-to-RP mapping (M): + + Group-to-RP mapping Expiry Timer (GET(M,Z)) + + At a Candidate-BSR for Z: + + My state: One of "Candidate-BSR", "Pending-BSR", + "Elected-BSR" + + At a router that is not a Candidate-BSR for Z: + + My state: One of "Accept Any", "Accept Preferred" + + Scope-Zone Expiry Timer (SZT(Z)) + + At the current Bootstrap Router for Z only: + + Per group-to-C-RP mapping (M): + + Group-to-C-RP mapping Expiry Timer (CGET(M,Z)) + + + + + + +Bhaskar, et al. Standards Track [Page 8] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + At a C-RP only: + + C-RP Advertisement Timer (CRPT) + +3. Bootstrap Router Election and RP-Set Distribution + +3.1. Bootstrap Router Election + + For simplicity, Bootstrap messages are used in both the BSR election + and the RP-Set distribution mechanisms. + + Each Bootstrap message indicates the scope to which it belongs. If + the Admin Scope Zone bit is set in the first group range in the + Bootstrap message, the message is called a scoped BSM. If the Admin + Scope Zone bit is not set in the first group range in the Bootstrap + message, the message is called a non-scoped BSM. + + In a scoped IPv4 BSM, the scope of the message is given by the first + group range in the message, which can be any sub-range of 224/4. In + a scoped IPv6 BSM, the scope of the message is given by the scope ID + of the first group range in the message, which must have a mask + length of at least 16. For example, a group range of ff05::/16 with + the Admin Scope Zone bit set indicates that the Bootstrap message is + for the scope with scope ID 5. If the mask length of the first group + range in a scoped IPv6 BSM is less than 16, the message MUST be + dropped and a warning SHOULD be logged. + + The state machine for Bootstrap messages depends on whether or not a + router has been configured to be a Candidate-BSR for a particular + scope zone. The per-scope-zone state machine for a C-BSR is given + below, followed by the state machine for a router that is not + configured to be a C-BSR. + + A key part of the election mechanism is that we associate a weight + with each BSR. The weight of a BSR is defined to be the + concatenation in fixed-precision unsigned arithmetic of the BSR + Priority field from the Bootstrap message and the IP address of the + BSR from the Bootstrap message (with the BSR Priority taking the + most-significant bits and the IP address taking the least-significant + bits). + + + + + + + + + + + +Bhaskar, et al. Standards Track [Page 9] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +3.1.1. Per-Scope-Zone Candidate-BSR State Machine + + +-------------------------------------------------------------------+ + | When in C-BSR state | + +----------+-----------------+-------------------+------------------+ + | Event | Receive | Bootstrap | Receive Non- | + | | Preferred BSM | Timer Expires | preferred BSM | + | | | | from Elected | + | | | | BSR | + +----------+-----------------+-------------------+------------------+ + | | -> C-BSR state | -> P-BSR state | -> P-BSR state | + | | Forward BSM; | Set Bootstrap | Forward BSM; | + | Action | Store RP-Set; | Timer to | Set Bootstrap | + | | Set Bootstrap | BS_Rand_Override | Timer to | + | | Timer to | | BS_Rand_Override | + | | BS_Timeout | | | + +----------+-----------------+-------------------+------------------+ + + +-------------------------------------------------------------------+ + | When in P-BSR state | + +-----------+------------------+------------------+-----------------+ + | Event | Receive | Bootstrap | Receive Non- | + | | Preferred BSM | Timer Expires | preferred BSM | + +-----------+------------------+------------------+-----------------+ + | | -> C-BSR state | -> E-BSR state | -> P-BSR state | + | | Forward BSM; | Originate BSM; | Forward BSM | + | Action | Store RP-Set; | Set Bootstrap | | + | | Set Bootstrap | Timer to | | + | | Timer to | BS_Period | | + | | BS_Timeout | | | + +-----------+------------------+------------------+-----------------+ + + +-------------------------------------------------------------------+ + | When in E-BSR state | + +-----------+------------------+------------------+-----------------+ + | Event | Receive | Bootstrap | Receive Non- | + | | Preferred BSM | Timer Expires | preferred BSM | + +-----------+------------------+------------------+-----------------+ + | | -> C-BSR state | -> E-BSR state | -> E-BSR state | + | | Forward BSM; | Originate BSM; | Originate BSM; | + | Action | Store RP-Set; | Set Bootstrap | Set Bootstrap | + | | Set Bootstrap | Timer to | Timer to | + | | Timer to | BS_Period | BS_Period | + | | BS_Timeout | | | + +-----------+------------------+------------------+-----------------+ + + + + + + +Bhaskar, et al. Standards Track [Page 10] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + A Candidate-BSR may be in one of three states for a particular scope + zone: + + Candidate-BSR (C-BSR) + The router is a candidate to be the BSR for the scope zone, but + currently another router is the preferred BSR. + + Pending-BSR (P-BSR) + The router is a candidate to be the BSR for the scope zone. + Currently, no other router is the preferred BSR, but this router + is not yet the elected BSR. This is a temporary state that + prevents rapid thrashing of the choice of BSR during BSR + election. + + Elected-BSR (E-BSR) + The router is the elected BSR for the scope zone and it must + perform all the BSR functions. + + In addition to the three states, there is one timer: + + o The Bootstrap Timer (BST) - used to time out old bootstrap router + information, and used in the election process to terminate P-BSR + state. + + The initial state for this configured scope zone is "Pending-BSR"; + the Bootstrap Timer is initialized to BS_Rand_Override. This is the + case both if the router is a Candidate-BSR at startup, and if it is + reconfigured to become one later. + +3.1.2. Per-Scope-Zone State Machine for Non-Candidate-BSR Routers + + The following state machine is used for scope zones that are + discovered by the router from bootstrap messages. A simplified state + machine is used for scope zones that are explicitly configured on the + router and for the global zone. The differences are listed at the + end of this section. + + +-------------------------------------------------------------------+ + | When in NoInfo state | + +--------------+----------------------------------------------------+ + | Event | Receive BSM | + +--------------+----------------------------------------------------+ + | | -> AP state | + | Action | Forward BSM; Store RP-Set; | + | | Set Bootstrap Timer to BS_Timeout | + +--------------+----------------------------------------------------+ + + + + + +Bhaskar, et al. Standards Track [Page 11] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + +-------------------------------------------------------------------+ + | When in Accept Any state | + +-------------+---------------------------+-------------------------+ + | Event | Receive BSM | Scope-Zone Expiry | + | | | Timer Expires | + +-------------+---------------------------+-------------------------+ + | | -> AP state | -> NoInfo state | + | | Forward BSM; Store | Remove scope zone | + | Action | RP-Set; Set | state | + | | Bootstrap Timer to | | + | | BS_Timeout | | + +-------------+---------------------------+-------------------------+ + + +-------------------------------------------------------------------+ + | When in Accept Preferred state | + +---------+---------------------+------------------+----------------+ + | Event | Receive Preferred | Bootstrap | Receive Non- | + | | BSM | Timer Expires | preferred BSM | + +---------+---------------------+------------------+----------------+ + | | -> AP state | -> AA state | -> AP state | + | | Forward BSM; Store | Refresh RP- | | + | Action | RP-Set; Set | Set; Remove | | + | | Bootstrap Timer to | BSR state; Set | | + | | BS_Timeout | SZT to | | + | | | SZ_Timeout | | + +---------+---------------------+------------------+----------------+ + + A router that is not a Candidate-BSR may be in one of three states: + + NoInfo + The router has no information about this scope zone. When in + this state, no state information is held and no timers (that + refer to this scope zone) run. Conceptually, the state machine + is only instantiated when the router receives a scoped BSM for a + scope about which it has no prior knowledge. However, because + the router immediately transitions to the AA state + unconditionally, the NoInfo state can be considered to be + virtual in a certain sense. For this reason, it is omitted from + the description in section 2. + + Accept Any (AA) + The router does not know of an active BSR, and will accept the + first Bootstrap message it sees as giving the new BSR's identity + and the RP-Set. + + + + + + + +Bhaskar, et al. Standards Track [Page 12] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + Accept Preferred (AP) + The router knows the identity of the current BSR, and is using + the RP-Set provided by that BSR. Only Bootstrap messages from + that BSR or from a C-BSR with higher weight than the current BSR + will be accepted. + + In addition to the three states, there are two timers: + + o The Bootstrap Timer (BST) - used to time out old bootstrap router + information. + + o The Scope-Zone Expiry Timer (SZT) - used to time out the scope + zone itself if Bootstrap messages specifying this scope zone stop + arriving. + + The initial state for scope zones about which the router has no + knowledge is "NoInfo". + + The state machine used for scopes that have been configured + explicitly on the router and for the global scope (which always + exists) differs from the state machine above as follows. + + o The "NoInfo" state doesn't exist. + + o No SZT is maintained. Hence, the event "Scope-Zone Expiry Timer + Expires" does not exist and no actions with regard to this timer + are executed. + + The initial state for this state machine is "Accept Any". + +3.1.3. Bootstrap Message Processing Checks + + When a Bootstrap message is received, the following initial checks + must be performed: + + if ((DirectlyConnected(BSM.src_ip_address) == FALSE) OR + (we have no Hello state for BSM.src_ip_address)) { + drop the Bootstrap message silently + } + + if (BSM.dst_ip_address == ALL-PIM-ROUTERS) { + if (BSM.no_forward_bit == 0) { + if (BSM.src_ip_address != RPF_neighbor(BSM.BSR_ip_address)) { + drop the Bootstrap message silently + } + } else if ((any previous BSM for this scope has been accepted) OR + (more than BS_Period has elapsed since startup)) { + + + + +Bhaskar, et al. Standards Track [Page 13] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + #only accept no-forward BSM if quick refresh on startup + drop the Bootstrap message silently + } + } else if ((Unicast BSM support enabled) AND + (BSM.dst_ip_address is one of my addresses)) { + if ((any previous BSM for this scope has been accepted) OR + (more than BS_Period has elapsed since startup)) { + #the packet was unicast, but this wasn't + #a quick refresh on startup + drop the Bootstrap message silently + } + } else { + drop the Bootstrap message silently + } + + if (the interface the message arrived on is an admin scope + border for the BSM.first_group_address) { + drop the Bootstrap message silently + } + + Basically, the packet must have come from a directly connected + neighbor for which we have active Hello state. It must have been + sent to the ALL-PIM-ROUTERS group, and unless it is a No-Forward BSM, + it must have been sent by the correct upstream router towards the BSR + that originated the Bootstrap message; or, if it is a No-Forward BSM, + we must have recently restarted and have no BSR state for that admin + scope. Also, if unicast BSM support is enabled, a unicast BSM is + accepted if it is addressed to us, we have recently restarted, and we + have no BSR state for that admin scope. In addition, it must not + have arrived on an interface that is a configured admin-scope border + for the first group address contained in the Bootstrap message. + +3.1.4. State Machine Transition Events + + If the Bootstrap message passes the initial checks above without + being discarded, then it may cause a state transition event in one of + the above state machines. For both candidate and non-candidate BSRs, + the following transition events are defined: + + Receive Preferred BSM + A Bootstrap message is received from a BSR that has weight + higher than or equal to that of the current BSR. If a router + is in P-BSR state, then it uses its own weight as that of the + current BSR. + + A Bootstrap message is also preferred if it is from the + current BSR with a lower weight than the previous BSM it sent, + provided that if the router is a Candidate-BSR the current BSR + + + +Bhaskar, et al. Standards Track [Page 14] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + still has a weight higher than or equal to that of the router + itself. In this case, the "Current Bootstrap Router's BSR + Priority" state must be updated. (For lower weight, see Non- + preferred BSM from Elected BSR case.) + + Receive Non-preferred BSM + A Bootstrap message is received from a BSR other than the + current BSR that has lower weight than that of the current + BSR. If a router is in P-BSR state, then it uses its own + weight as that of the current BSR. + + Receive Non-preferred BSM from Elected BSR + A Bootstrap message is received from the elected BSR, but the + BSR Priority field in the received message has changed, so + that now the currently elected BSR has lower weight than that + of the router itself. + + Receive BSM + A Bootstrap message is received, regardless of BSR weight. + + In addition to state machine transitions caused by the receipt of + Bootstrap messages, a state machine transition takes place each time + the Bootstrap Timer or Scope-Zone Expiry Timer expires. + +3.1.5. State Machine Actions + + The state machines specify actions that include setting the Bootstrap + Timer and the Scope-Zone Expiry Timer to various values. These + values are defined in section 5. + + In addition to setting and cancelling the timers, the following + actions may be triggered by state changes in the state machines: + + Forward BSM + A multicast Bootstrap message with No-Forward bit cleared that + passes the Bootstrap Message Processing Checks is forwarded + out of all interfaces with PIM neighbors (including the + interface it is received on), except where this would cause + the BSM to cross an admin-scope boundary for the scope zone + indicated in the message. For details, see section 3.4. + + Originate BSM + A new Bootstrap message is constructed by the BSR, giving the + BSR's address and BSR priority, and containing the BSR's + chosen RP-Set. The message is forwarded out of all interfaces + on which PIM neighbors exist, except where this would cause + the BSM to cross an admin-scope boundary for the scope zone + indicated in the message. + + + +Bhaskar, et al. Standards Track [Page 15] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + Store RP-Set + The router uses the group-to-RP mappings contained in a BSM to + update its local RP-Set. + + This action is skipped for an empty BSM. A BSM is empty if it + contains no group ranges, or if it only contains a single + group range where that group range has the Admin Scope Zone + bit set (a scoped BSM) and an RP count of zero. + + If a mapping does not yet exist, it is created and the + associated Group-to-RP mapping Expiry Timer (GET) is + initialized with the holdtime from the BSM. + + If a mapping already exists, its GET is set to the holdtime + from the BSM. If the holdtime is zero, the mapping is removed + immediately. Note that for an existing mapping, the RP + priority must be updated if changed. + + Mappings for a group range are also to be immediately removed + if they are not present in the received group range. This + means that if there are any existing group-to-RP mappings for + a range where the respective RPs are not in the received + range, then those mappings must be removed. + + All RP mappings associated with the scope zone of the BSM are + updated with the new hash mask length from the received BSM. + This includes RP mappings for all group ranges learned for + this zone, not just the ranges in this particular BSM. + + In addition, the entire BSM is stored for use in the action + Refresh RP-Set and to prime a new PIM neighbor as described + below. + + Refresh RP-Set + When the Bootstrap Timer expires, the router uses the copy of + the last BSM that it has received to refresh its RP-Set + according to the action Store RP-Set as if it had just + received it. This will increase the chance that the group-to- + RP mappings will not expire during the election of the new + BSR. + + Remove BSR state + When the Bootstrap Timer expires, all state associated with + the current BSR is removed (address, priority, BST, and saved + last BSM; see section 2). Note that this does not include any + group-to-RP mappings. + + + + + +Bhaskar, et al. Standards Track [Page 16] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + Remove scope zone state + When the Scope-Zone Expiry Timer expires, all state associated + with the scope zone is removed (see section 2). + +3.2. Sending Candidate-RP-Advertisement Messages + + Every C-RP periodically unicasts a C-RP-Adv message to the BSR for + each scope zone for which it has state, to inform the BSR of the + C-RP's willingness to function as an RP. These messages are sent + with an interval of C_RP_Adv_Period, except when a new BSR is + elected; see below. + + When a new BSR is elected, the C-RP MUST send one to three C-RP-Adv + messages and wait a small randomized period C_RP_Adv_Backoff before + sending each message. We recommend sending three messages because it + is important that the BSR quickly learns which RPs are active, and + some packet loss may occur when a new BSR is elected due to changes + in the network. One way of implementing this is to set the CRPT to + C_RP_Adv_Backoff when the new BSR is elected, as well as setting a + counter to 2. Whenever the CRPT expires, we first send a C-RP-Adv + message as usual. Next, if the counter is non-zero, it is + decremented and the CRPT is again set to C_RP_Adv_Backoff instead of + C_RP_Adv_Period. + + The Priority field in these messages is used by the BSR to select + which C-RPs to include in the RP-Set. Note that lower values of this + field indicate higher priorities, so that a value of zero is the + highest possible priority. C-RPs should, by default, send C-RP-Adv + messages with the Priority field set to 192. + + When a C-RP is being shut down, it SHOULD immediately send a C-RP-Adv + message to the BSR for each scope zone for which it is currently + serving as an RP; the Holdtime in this C-RP-Adv message should be + zero. The BSR will then immediately time out the C-RP and generate a + new Bootstrap message with the shut down RP holdtime set to 0. + + A C-RP-Adv message carries a list of group address and group mask + field pairs. This enables the C-RP to specify the group ranges for + which it is willing to be the RP. If the C-RP becomes an RP, it may + enforce this scope acceptance when receiving Register or Join/Prune + messages. + + A C-RP is configured with a list of group ranges for which it should + advertise itself as the C-RP. A C-RP uses the following algorithm to + determine which ranges to send to a given BSR. + + + + + + +Bhaskar, et al. Standards Track [Page 17] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + For each group range R in the list, the C-RP advertises that range to + the scoped BSR for the smallest scope that "contains" R. For IPv6, + the containing scope is determined by matching the scope identifier + of the group range with the scope of the BSR. For IPv4, it is the + longest-prefix match for R, amongst the known admin-scope ranges. If + no scope is found to contain the group range, the C-RP includes it in + the C-RP-Adv sent to the non-scoped BSR. If a non-scoped BSR is not + known, the range is not included in any C-RP-Adv. + + In addition, for each IPv4 group range R in the list, for each scoped + BSR whose scope range is strictly contained within R, the C-RP SHOULD + by default advertise that BSR's scope range to that BSR. And for + each IPv6 group range R in the list with prefix length < 16, the C-RP + SHOULD by default advertise each sub-range of prefix length 16 to the + scoped BSR with the corresponding scope ID. An implementation MAY + supply a configuration option to prevent the behavior described in + this paragraph, but such an option SHOULD be disabled by default. + + For IPv6, the mask length of all group ranges included in the + C-RP-Adv message sent to a scoped BSR MUST be >= 16. + + If the above algorithm determines that there are no group ranges to + advertise to the BSR for a particular scope zone, a C-RP-Adv message + MUST NOT be sent to that BSR. A C-RP MUST NOT send a C-RP-Adv + message with no group ranges in it. + + If the same router is the BSR for more than one scope zone, the + C-RP-Adv messages for these scope zones MAY be combined into a single + message. + + If the C-RP is a ZBR for an admin-scope zone, then the Admin Scope + Zone bit MUST be set in the C-RP-Adv messages it sends for that scope + zone; otherwise this bit MUST NOT be set. This information is + currently only used for logging purposes by the BSR, but might allow + for future extensions of the protocol. + +3.3. Creating the RP-Set at the BSR + + Upon receiving a C-RP-Adv message, the router needs to decide whether + or not to accept each of the group ranges included in the message. + For each group range in the message, the router checks to see if it + is the elected BSR for any scope zone that contains the group range, + or if it is elected as the non-scoped BSR. If so, the group range is + accepted; if not, the group range is ignored. + + + + + + + +Bhaskar, et al. Standards Track [Page 18] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + For security reasons, we recommend that implementations have a way of + restricting which IP addresses the BSR accepts C-RP-Adv messages + from, e.g., access lists. For use of scoped BSR, it may also be + useful to specify which group ranges should be accepted. + + If the group range is accepted, a group-to-C-RP mapping is created + for this group range and the RP Address from the C-RP-Adv message. + + If the mapping is not already part of the C-RP-Set, it is added to + the C-RP-Set and the associated Group-to-C-RP mapping Expiry Timer + (CGET) is initialized to the holdtime from the C-RP-Adv message. Its + priority is set to the Priority from the C-RP-Adv message. + + If the mapping is already part of the C-RP-Set, it is updated with + the Priority from the C-RP-Adv message, and its associated CGET is + reset to the holdtime from the C-RP-Adv message. If the holdtime is + zero, the mapping is immediately removed from the C-RP-Set. + + The hash mask length is a global property of the BSR and is therefore + the same for all mappings managed by the BSR. + + For compatibility with the previous version of the BSR specification, + a C-RP-Adv message with no group ranges SHOULD be treated as though + it contained the single group range ff00::/8 or 224/4. Therefore, + according to the rule above, this group range will be accepted if and + only if the router is elected as the non-scoped BSR. + + When a CGET expires, the corresponding group-to-C-RP mapping is + removed from the C-RP-Set. + + The BSR constructs the RP-Set from the C-RP-Set. It may apply a + local policy to limit the number of Candidate-RPs included in the + RP-Set. The BSR may override the range indicated in a C-RP-Adv + message unless the 'Priority' field from the C-RP-Adv message is less + than 128. + + If the BSR learns of both BIDIR and PIM-SM Candidate-RPs for the same + group range, the BSR MUST only include RPs for one of the protocols + in the BSMs. The default behavior SHOULD be to prefer BIDIR. + + For inclusion in a BSM, the RP-Set is subdivided into sets of {group- + range, RP-Count, RP-addresses}. For each RP-address, the + "RP-Holdtime" field is set to the Holdtime from the C-RP-Set, subject + to the constraint that it MUST be larger than BS_Period and SHOULD be + larger than 2.5 times BS_Period to allow for some Bootstrap messages + getting lost. If some holdtimes from the C-RP-Sets do not satisfy + + + + + +Bhaskar, et al. Standards Track [Page 19] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + this constraint, the BSR MUST replace those holdtimes with a value + satisfying the constraint. An exception to this is the holdtime of + zero, which is used to immediately withdraw mappings. + + The format of the Bootstrap message allows 'semantic fragmentation', + if the length of the original Bootstrap message exceeds the packet + maximum boundaries. However, to reduce the semantic fragmentation + required, we recommend against configuring a large number of routers + as C-RPs. + + In general, BSMs are originated at regular intervals according to the + BS_Period timer. We do recommend that a BSM is also originated + whenever the RP-set to be announced in the BSMs changes. This will + usually happen when receiving C-RP advertisements from a new C-RP, or + when a C-RP is shut down (C-RP advertisement with a holdtime of + zero). There MUST however be a minimum of BS_Min_Interval between + each time a BSM is sent. In particular, when a new BSR is elected, + it will first send one BSM (which is likely to be empty since it has + not yet received any C-RP advertisements), and then wait at least + BS_Min_Interval before sending a new one. During that time, it is + likely to have received C-RP advertisements from all usable C-RPs + (since we say that a C-RP should send one or more advertisements with + small random delays of C_RP_Adv_Backoff when a new BSR is elected). + For this case in particular, where routers may not have a usable RP- + set, we recommend originating a BSM as soon as BS_Min_Interval has + passed. We suggest though that a BSR can do this in general. One + way of implementing this, is to decrease the Bootstrap Timer to + BS_Min_Interval whenever the RP-set changes, while not changing the + timer if it is less than or equal to BS_Min_Interval. + + A BSR originates separate scoped BSMs for each scope zone for which + it is the elected BSR, as well as originating non-scoped BSMs if it + is the elected non-scoped BSR. + + Each group-to-C-RP mapping is included in precisely one of these BSMs + -- namely, the scoped BSM for the narrowest scope containing the + group range of the mapping, if any, or the non-scoped BSM otherwise. + + A scoped BSM MUST have at least one group range, and the first group + range in a scoped BSM MUST have the Admin Scope Zone bit set. This + group range identifies the scope of the BSM. In a scoped IPv4 BSM, + the first group range is the range corresponding to the scope of the + BSM. In a scoped IPv6 BSM, the first group range may be any group + range subject to the general condition that all the group ranges in + such a BSM MUST have a mask length of at least 16 and MUST have the + same scope ID as the scope of the BSM. + + + + + +Bhaskar, et al. Standards Track [Page 20] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + Apart from identifying the scope, the first group range in a scoped + BSM is treated like any other range with respect to RP mappings. + That is, all mappings in the RP-set for this group range, if any, + must be included in this first group range in the BSM. After this + group range, other group ranges in this scope (for which there are RP + mappings) appear in any order. + + The Admin Scope Zone bit of all group ranges other than the first + SHOULD be set to 0 on origination, and MUST be ignored on receipt. + + When an elected BSR is being shut down, it should immediately + originate a Bootstrap message listing its current RP-Set, but with + the BSR Priority field set to the lowest priority value possible. + This will cause the election of a new BSR to happen more quickly. + +3.4. Forwarding Bootstrap Messages + + Generally, bootstrap messages originate at the BSR, and are hop-by- + hop forwarded by intermediate routers if they pass the Bootstrap + Message Processing Checks. There are two exceptions to this. One is + that a bootstrap message is not forwarded if its No-Forward bit is + set; see section 3.5.1. The other is that unicast BSMs (see section + 3.5.2) are usually not forwarded. Implementers MAY, however, at + their own discretion choose to re-send a No-Forward or unicast BSM in + a multicast BSM, which MUST have the No-Forward bit cleared. It is + essential that the No-Forward bit is cleared, since no Reverse Path + Forwarding (RPF) check is performed by the receiver when it is set. + + By hop-by-hop forwarding, we mean that the Bootstrap message itself + is forwarded, not the entire IP packet. Each hop constructs an IP + packet for each of the interfaces the BSM is to be forwarded out of; + each packet contains the entire BSM that was received. + + When a Bootstrap message is forwarded, it is forwarded out of every + multicast-capable interface that has PIM neighbors (including the one + over which the message was received). The exception to this is if + the interface is an admin-scope boundary for the admin-scope zone + indicated in the first group range in the Bootstrap message packet. + + As an optimization, a router MAY choose not to forward a BSM out of + the interface the message was received on if that interface is a + point-to-point interface. On interfaces with multiple PIM neighbors, + a router SHOULD forward an accepted BSM out of the interface that BSM + was received on, but if the number of PIM neighbors on that interface + is large, it MAY delay forwarding a BSM out of that interface by a + small randomized interval to prevent message implosion. A + + + + + +Bhaskar, et al. Standards Track [Page 21] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + configuration option MAY be provided to disable forwarding out of the + interface a message was received on, but we recommend that the + default behavior is to forward out of that interface. + + Rationale: A BSM needs to be forwarded out of the interface the + message was received on (in addition to the other interfaces) because + the routers on a LAN may not have consistent routing information. If + three routers on a LAN are A, B, and C, and at router B RPF(BSR)==A + and at router C RPF(BSR)==B, then router A originally forwards the + BSM onto the LAN, but router C will only accept it when router B re- + forwards the message onto the LAN. If the underlying routing + protocol configuration guarantees that the routers have consistent + routing information, then forwarding out of the incoming interface + may safely be disabled. + + A ZBR constrains all BSMs that are of equal or smaller scope than the + configured boundary. That is, the BSMs are not accepted from, + originated, or forwarded on the interfaces on which the boundary is + configured. For IPv6, the check is a comparison between the scope of + the first range in the scoped BSM and the scope of the configured + boundary. For IPv4, the first range in the scoped BSM is checked to + see if it is contained in or is the same as the range of the + configured boundary. + +3.5. Bootstrap Messages to New and Rebooting Routers + + When a Hello message is received from a new neighbor, or a Hello + message with a new GenID is received from an existing neighbor, one + router on the LAN sends a stored copy of the Bootstrap message for + each admin-scope zone to the new or rebooting router. This allows + new or rebooting routers to learn the RP-Set quickly. + + This message SHOULD be sent as a No-Forward Bootstrap message; see + section 3.5.1. For backwards compatibility, this message MAY instead + or in addition be sent as a unicast Bootstrap message; see section + 3.5.2. These messages MUST only be accepted at startup; see section + 3.1.3. + + The router that does this is the Designated Router (DR) on the LAN, + or, if the new or rebooting router is the DR, the router that would + be the DR if the new or rebooting router were excluded from the DR + election process. + + Before sending a Bootstrap message in this manner, the router must + wait until it has sent a triggered Hello message on this interface; + otherwise, the new neighbor will discard the Bootstrap message. + + + + + +Bhaskar, et al. Standards Track [Page 22] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +3.5.1. No-Forward Bootstrap Messages + + A No-Forward Bootstrap message, is a bootstrap message that has the + No-Forward bit set. All implementations SHOULD support sending of + No-Forward Bootstrap messages, and SHOULD also accept them. The RPF + check MUST NOT be performed in the BSM processing check for a No- + Forward BSM; see section 3.1.3. The messages have the same source + and destination addresses as the usual multicast Bootstrap messages. + +3.5.2. Unicasting Bootstrap Messages + + For backwards compatibility, implementations MAY support unicast + Bootstrap messages. Whether to send unicast Bootstrap messages + instead of or in addition to No-Forward Bootstrap messages, and also + whether to accept such messages, SHOULD be configurable. This + message is unicast to the neighbor. + +3.6. Receiving and Using the RP-Set + + The RP-Set maintained by BSR is used by RP-based multicast routing + protocols like PIM-SM and BIDIR-PIM. These protocols may obtain RP- + Sets from other sources as well. How the final group-to-RP mappings + are obtained from these RP-Sets is not part of the BSR specification. + In general, the routing protocols need to re-calculate the mappings + when any of their RP-Sets change. How such a change is signalled to + the routing protocol is also not part of the present specification. + + Some group-to-RP mappings in the RP-Set indicate group ranges for + which PIM-SM should be used; others indicate group ranges for use + with BIDIR-PIM. Routers that support only one of these protocols + MUST NOT ignore ranges indicated as being for the other protocol. + They MUST NOT treat them as being for the protocol they support. + + If a mapping is not already part of the RP-Set, it is added to the + RP-Set and the associated Group-to-RP mapping Expiry Timer (GET) is + initialized to the holdtime from the Bootstrap message. Its priority + is set to the Priority from the Bootstrap message. + + If a mapping is already part of the RP-Set, it is updated with the + Priority from the Bootstrap message and its associated GET is reset + to the holdtime from the Bootstrap message. If the holdtime is zero, + the mapping is removed from the RP-Set immediately. + + + + + + + + + +Bhaskar, et al. Standards Track [Page 23] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +4. Message Formats + + BSR messages are PIM messages, as defined in [1]. The values of the + PIM Message Type field for BSR messages are: + + 4 Bootstrap + + 8 Candidate-RP-Advertisement + + As with all other PIM control messages, BSR messages have IP protocol + number 103. + + Candidate-RP-Advertisement messages are unicast to a BSR. Usually, + Bootstrap messages are multicast with TTL 1 to the ALL-PIM-ROUTERS + group, but in some circumstances (described in section 3.5.2) + Bootstrap messages may be unicast to a specific PIM neighbor. + + The IP source address used for Candidate-RP-Advertisement messages is + a domain-wide reachable address. The IP source address used for + Bootstrap messages (regardless of whether they are being originated + or forwarded) is the link-local address of the interface on which the + message is being sent (i.e., the same source address that the router + uses for the Hello messages that it sends out that interface). + + The IPv4 ALL-PIM-ROUTERS group is 224.0.0.13. The IPv6 ALL-PIM- + ROUTERS group is ff02::d. + + In this section, we use the following terms defined in the PIM-SM + specification [1]: + + o Encoded-Unicast format + + o Encoded-Group format + + We repeat these here to aid readability. + + Encoded-Unicast address + + An Encoded-Unicast address takes the following format: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Addr Family | Encoding Type | Unicast Address + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+... + + + + + + +Bhaskar, et al. Standards Track [Page 24] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + Addr Family + The PIM address family of the 'Unicast Address' field of this + address. + + Values of 0-127 are as assigned by the IANA for Internet Address + Families in [11]. Values 128-250 are reserved to be assigned by + the IANA for PIM-specific Address Families. Values 251 though + 255 are designated for private use. As there is no assignment + authority for this space, collisions should be expected. + + Encoding Type + The type of encoding used within a specific Address Family. The + value '0' is reserved for this field, and represents the native + encoding of the Address Family. + + Unicast Address + The unicast address as represented by the given Address Family + and Encoding Type. + + Encoded-Group address + + Encoded-Group addresses take the following format: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Addr Family | Encoding Type |B| Reserved |Z| Mask Len | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Group multicast Address + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+... + + Addr Family + Described above. + + Encoding Type + Described above. + + [B]IDIR bit + When set, all BIDIR-capable PIM routers will operate the + protocol described in [2] for the specified group range. + + Reserved + Transmitted as zero. Ignored upon receipt. + + Admin Scope [Z]one + When set, this bit indicates that this group range is an + administratively scoped range. + + + + +Bhaskar, et al. Standards Track [Page 25] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + Mask Len + The Mask length field is 8 bits. The value is the number of + contiguous one bits that are left justified and used as a mask; + when combined with the group address, it describes a range of + groups. It is less than or equal to the address length in bits + for the given Address Family and Encoding Type. If the message + is sent for a single group, then the Mask length must equal the + address length in bits for the given Address Family and Encoding + Type (e.g., 32 for IPv4 native encoding and 128 for IPv6 native + encoding). + + Group multicast Address + Contains the group address. + +4.1. Bootstrap Message Format + + A Bootstrap message may be divided up into 'semantic fragments' if + the resulting IP datagram would exceed the maximum packet size + boundaries. Basically, a single Bootstrap message can be sent as + multiple semantic fragments (each in a separate IP datagram), so long + as the fragment tags of all the semantic fragments comprising the + message are the same. The format of a single non-fragmented message + is the same as the one used for semantic fragments. + + The format of a single 'fragment' is given below: + + + + + + + + + + + + + + + + + + + + + + + + + + +Bhaskar, et al. Standards Track [Page 26] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |PIM Ver| Type |N| Reserved | Checksum | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Fragment Tag | Hash Mask Len | BSR Priority | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | BSR Address (Encoded-Unicast format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Group Address 1 (Encoded-Group format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP Count 1 | Frag RP Cnt 1 | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP Address 1 (Encoded-Unicast format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP1 Holdtime | RP1 Priority | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP Address 2 (Encoded-Unicast format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP2 Holdtime | RP2 Priority | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | . | + | . | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP Address m (Encoded-Unicast format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RPm Holdtime | RPm Priority | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Group Address 2 (Encoded-Group format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | . | + | . | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Group Address n (Encoded-Group format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP Count n | Frag RP Cnt n | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP Address 1 (Encoded-Unicast format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP1 Holdtime | RP1 Priority | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP Address 2 (Encoded-Unicast format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP2 Holdtime | RP2 Priority | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | . | + | . | + + + + +Bhaskar, et al. Standards Track [Page 27] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP Address m (Encoded-Unicast format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RPm Holdtime | RPm Priority | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + PIM Version, Reserved, Checksum + Described in [1]. + + Type + PIM Message Type. Value is 4 for a Bootstrap message. + + [N]o-Forward bit + When set, this bit means that the Bootstrap message fragment is + not to be forwarded. + + Fragment Tag + A randomly generated number, acts to distinguish the fragments + belonging to different Bootstrap messages; fragments belonging + to same Bootstrap message carry the same 'Fragment Tag'. + + Hash Mask Len + The length (in bits) of the mask to use in the hash function. + For IPv4, we recommend a value of 30. For IPv6, we recommend a + value of 126. + + BSR Priority + Contains the BSR priority value of the included BSR. This field + is considered as a high-order byte when comparing BSR addresses. + BSRs should by default set this field to 64. Note that for + historical reasons, the highest BSR priority is 255 (the higher + the better), whereas the highest RP Priority (see below) is 0 + (the lower the better). + + BSR Address + The address of the bootstrap router for the domain. The format + for this address is given in the Encoded-Unicast address in [1]. + + + + + + + + + + + + + + +Bhaskar, et al. Standards Track [Page 28] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + Group Address 1..n + The group ranges (address and mask) with which the Candidate-RPs + are associated. Format described in [1]. In a fragment + containing admin-scope ranges, the first group range in the + fragment MUST satisfy the following conditions: + + o it MUST have the Admin Scope Zone bit set; + o for IPv4, it MUST be the group range for the entire admin- + scope range (this is required even if there are no RPs in the + RP-Set for the entire admin-scope range -- in this case, the + sub-ranges for the RP-Set are specified later in the fragment + along with their RPs); + o for IPv6, the Mask Len MUST be at least 16 and have the scope + ID of the admin-scope range. + + RP Count 1..n + The number of Candidate-RP addresses included in the whole + Bootstrap message for the corresponding group range. A router + does not replace its old RP-Set for a given group range + until/unless it receives 'RP-Count' addresses for that range; + the addresses could be carried over several fragments. If only + part of the RP-Set for a given group range was received, the + router discards it without updating that specific group range's + RP-Set. + + Frag RP Cnt 1..m + The number of Candidate-RP addresses included in this fragment + of the Bootstrap message, for the corresponding group range. + The 'Frag RP Cnt' field facilitates parsing of the RP-Set for a + given group range, when carried over more than one fragment. + + RP address 1..m + The address of the Candidate-RPs, for the corresponding group + range. The format for these addresses is given in the Encoded- + Unicast address in [1]. + + RP1..m Holdtime + The Holdtime (in seconds) for the corresponding RP. This field + is copied from the 'Holdtime' field of the associated RP stored + at the BSR. + + RP1..m Priority + The 'Priority' of the corresponding RP and Encoded-Group + Address. This field is copied from the 'Priority' field stored + at the BSR when receiving a C-RP-Adv message. The highest + priority is '0' (i.e., unlike BSR priority, the lower the value + of the 'Priority' field, the better). Note that the priority is + per RP and per Group Address. + + + +Bhaskar, et al. Standards Track [Page 29] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + Within a Bootstrap message, the BSR Address, all the Group Addresses, + and all the RP Addresses MUST be of the same address family. In + addition, the address family of the fields in the message MUST be the + same as the IP source and destination addresses of the packet. This + permits maximum implementation flexibility for dual-stack IPv4/IPv6 + routers. + +4.1.1. Semantic Fragmentation of BSMs + + Bootstrap messages may be split over several PIM Bootstrap Message + Fragments (BSMFs); this is known as semantic fragmentation. Each of + these must follow the above format. All fragments of a given + Bootstrap message MUST have identical values for the Type, No-Forward + bit, Fragment Tag, Hash Mask Len, BSR Priority, and BSR Address + fields. That is, only the group-to-RP mappings may differ between + fragments. + + This is useful if the BSM would otherwise exceed the MTU of the link + the message will be forwarded over. If one relies purely on IP + fragmentation, one would lose the entire message if a single fragment + is lost. By use of semantic fragmentation, a single lost IP fragment + will only cause the loss of the semantic fragment that the IP + fragment was part of. As described below, a router only needs to + receive all the RPs for a specific group range to update that range. + This means that loss of a semantic fragment, due to an IP fragment + getting lost, only affects the group ranges for which the lost + semantic fragment contains information. + + If the BSR can split up the BSM so that each group range (and all of + its RP information) can fit entirely inside one BSMF, then it should + do so. If a BSMF is lost, the state from the previous BSM for the + group ranges from the missing BSMF will be retained. Each fragment + that does arrive will update the RP information for the group ranges + contained in that fragment, and the new group-to-RP mappings for + those can be used immediately. The information from the missing + fragment will be obtained when the next BSM is transmitted. + + If the list of RPs for a single group range is long, one may split + the information across multiple BSMFs to avoid IP fragmentation. In + this case, all the BSMFs comprising the information for that group + range must be received before the group-to-RP mapping in use can be + modified. This is the purpose of the RP Count field -- a router + receiving BSMFs from the same BSM (i.e., that have the same fragment + tag) must wait until BSMFs providing RP Count RPs for that group + range have been received before the new group-to-RP mapping can be + used for that group range. If a single BSMF from such a large group + + + + + +Bhaskar, et al. Standards Track [Page 30] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + range is lost, then that entire group range will have to wait until + the next BSM is originated. Hence, in this case, the benefit of + using semantic fragmentation is dubious. + + Next we need to consider how a BSR would remove group ranges. A + router receiving a set of BSMFs cannot tell if a group range is + missing. If it has seen a group range before, it must assume that + that group range still exists, and that the BSMF describing that + group range has been lost. The router should retain this information + for BS_Timeout. Thus, for a BSR to remove a group range, it should + include that group range, but with an RP Count of zero, and it should + resend this information in each BSM for BS_Timeout. + +4.2. Candidate-RP-Advertisement Message Format + + Candidate-RP-Advertisement messages are periodically unicast from the + C-RPs to the BSR. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |PIM Ver| Type | Reserved | Checksum | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Prefix Count | Priority | Holdtime | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | RP Address (Encoded-Unicast format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Group Address 1 (Encoded-Group format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | . | + | . | + | . | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Group Address n (Encoded-Group format) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + PIM Version, Reserved, Checksum + Described in [1]. + + Type + PIM Message Type. Value is 8 for a Candidate-RP-Advertisement + message. + + Prefix Count + The number of Encoded-Group Addresses included in the message; + indicating the group range for which the C-RP is advertising. + C-RPs MUST NOT send C-RP-Adv messages with a Prefix Count of + '0'. + + + +Bhaskar, et al. Standards Track [Page 31] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + Priority + The 'Priority' of the included RP, for the corresponding + Encoded- Group Address (if any). The highest priority is '0' + (i.e., the lower the value of the 'Priority' field, the higher + the priority). This field is stored at the BSR upon receipt + along with the RP address and corresponding Encoded-Group + Address. + + Holdtime + The amount of time (in seconds) the advertisement is valid. + This field allows advertisements to be aged out. This field + should be set to 2.5 times C_RP_Adv_Period. + + RP Address + The address of the interface to advertise as a Candidate-RP. + The format for this address is given in the Encoded-Unicast + address in [1]. + + Group Address-1..n + The group ranges for which the C-RP is advertising. Format + described in Encoded-Group-Address in [1]. + + Within a Candidate-RP-Advertisement message, the RP Address and all + the Group Addresses MUST be of the same address family. In addition, + the address family of the fields in the message MUST be the same as + the IP source and destination addresses of the packet. This permits + maximum implementation flexibility for dual-stack IPv4/IPv6 routers. + + + + + + + + + + + + + + + + + + + + + + + + +Bhaskar, et al. Standards Track [Page 32] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +5. Timers and Timer Values + + Timer Name: Bootstrap Timer (BST(Z)) + + +------------------+-------------------------+----------------------+ + | Value Name | Value | Explanation | + +------------------+-------------------------+----------------------+ + | BS_Period | Default: 60 seconds | Periodic interval | + | | | with which BSMs | + | | | are normally | + | | | originated | + +------------------+-------------------------+----------------------+ + | BS_Timeout | Default: 130 seconds | Interval after | + | | | which a BSR is | + | | | timed out if no | + | | | BSM is received | + | | | from that BSR | + +------------------+-------------------------+----------------------+ + | BS_Min_Interval | Default: 10 seconds | Minimum interval | + | | | with which BSMs | + | | | may be originated | + +------------------+-------------------------+----------------------+ + | BS_Rand_Override | see below | Randomized | + | | | interval used to | + | | | reduce control | + | | | message overhead | + | | | during BSR | + | | | election | + +------------------+-------------------------+----------------------+ + + Note that BS_Timeout MUST be larger than BS_Period, even if their + values are changed from the defaults. We recommend that BS_Timeout + is set to 2 times BS_Period plus 10 seconds. + + BS_Rand_Override is calculated using the following pseudocode, in + which all values are in units of seconds. The values of + BS_Rand_Override generated by this pseudocode are between 5 and 23 + seconds, with smaller values generated if the C-BSR has a high + bootstrap weight, and larger values generated if the C-BSR has a low + bootstrap weight. + + BS_Rand_Override = 5 + priorityDelay + addrDelay + + where priorityDelay is given by: + + priorityDelay = 2 * log_2(1 + bestPriority - myPriority) + + and addrDelay is given by the following for IPv4: + + + +Bhaskar, et al. Standards Track [Page 33] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + if (bestPriority == myPriority) { + addrDelay = log_2(1 + bestAddr - myAddr) / 16 + } else { + addrDelay = 2 - (myAddr / 2^31) + } + + and addrDelay is given by the following for IPv6: + + if (bestPriority == myPriority) { + addrDelay = log_2(1 + bestAddr - myAddr) / 64 + } else { + addrDelay = 2 - (myAddr / 2^127) + } + + and bestPriority is given by: + + bestPriority = max(storedPriority, myPriority) + + and bestAddr is given by: + + bestAddr = max(storedAddr, myAddr) + + and where myAddr is the Candidate-BSR's address, storedAddr is the + stored BSR's address, myPriority is the Candidate-BSR's configured + priority, and storedPriority is the stored BSR's priority. + + Timer Name: Scope Zone Expiry Timer (SZT(Z)) + + +---------------+---------------------------+-----------------------+ + | Value Name | Value | Explanation | + +---------------+---------------------------+-----------------------+ + | SZ_Timeout | Default: 1300 seconds | Interval after | + | | | which a scope zone | + | | | is timed out if no | + | | | BSM is received | + | | | for that scope | + | | | zone | + +---------------+---------------------------+-----------------------+ + + Note that SZ_Timeout MUST be larger than BS_Timeout, even if their + values are changed from the defaults. We recommend that SZ_Timeout + is set to 10 times BS_Timeout. + + + + + + + + + +Bhaskar, et al. Standards Track [Page 34] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + Timer Name: Group-to-C-RP mapping Expiry Timer (CGET(M,Z)) + + +------------------------+-------------------+----------------------+ + | Value Name | Value | Explanation | + +------------------------+-------------------+----------------------+ + | C-RP Mapping Timeout | from message | Holdtime from C- | + | | | RP-Adv message | + +------------------------+-------------------+----------------------+ + + Timer Name: Group-to-RP mapping Expiry Timer (GET(M,Z)) + + +-----------------------+-------------------+-----------------------+ + | Value Name | Value | Explanation | + +-----------------------+-------------------+-----------------------+ + | RP Mapping Timeout | from message | Holdtime from BSM | + +-----------------------+-------------------+-----------------------+ + + Timer Name: C-RP Advertisement Timer (CRPT) + + +-------------------+------------------------+----------------------+ + | Value Name | Value | Explanation | + +-------------------+------------------------+----------------------+ + | C_RP_Adv_Period | Default: 60 seconds | Periodic interval | + | | | with which C-RP- | + | | | Adv messages are | + | | | sent to a BSR | + +-------------------+------------------------+----------------------+ + | C_RP_Adv_Backoff | Default: 0-3 seconds | Whenever a | + | | | triggered C_RP_Adv | + | | | is sent, a new | + | | | randomized value | + | | | between 0 and 3 | + | | | is used | + +-------------------+------------------------+----------------------+ + + + + + + + + + + + + + + + + + +Bhaskar, et al. Standards Track [Page 35] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +6. Security Considerations + +6.1. Possible Threats + + Threats affecting the PIM BSR mechanism are primarily of two forms: + denial-of-service (DoS) attacks and traffic-diversion attacks. An + attacker that subverts the BSR mechanism can prevent multicast + traffic from reaching the intended recipients, can divert multicast + traffic to a place where they can monitor it, and can potentially + flood third parties with traffic. + + Traffic can be prevented from reaching the intended recipients by one + of two mechanisms: + + o Subverting a BSM, and specifying RPs that won't actually forward + traffic. + + o Registering with the BSR as a C-RP, and then not forwarding + traffic. + + Traffic can be diverted to a place where it can be monitored by both + of the above mechanisms; in this case, the RPs would forward the + traffic, but are located so as to aid monitoring or man-in-the-middle + attacks on the multicast traffic. + + A third party can be flooded by either of the above two mechanisms by + specifying the third party as the RP, and register traffic will then + be forwarded to the third party. + +6.2. Limiting Third-Party DoS Attacks + + The third-party DoS attack above can be greatly reduced if PIM + routers acting as DR do not continue to forward Register traffic to + the RP in the presence of ICMP Protocol Unreachable or ICMP Host + Unreachable responses. If a PIM router sending Register packets to + an RP receives one of these responses to a data packet it has sent, + it should rate- limit the transmission of future Register packets to + that RP for a short period of time. + + As this does not affect interoperability, the precise details are + left to the implementer to decide. However, we note that a router + implementing such rate limiting must only do so if the ICMP packet + correctly echoes part of a Register packet that was sent to the RP. + If this check were not made, then simply sending ICMP Unreachable + packets to the DR with the source address of the RP spoofed would be + sufficient to cause a denial-of-service attack on the multicast + traffic originating from that DR. + + + + +Bhaskar, et al. Standards Track [Page 36] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +6.3. Bootstrap Message Security + + If a legitimate PIM router in a domain is compromised, there is + little any security mechanism can do to prevent that router from + subverting PIM traffic in that domain. + + Implementations SHOULD provide a per-interface configuration option + where one can specify that no Bootstrap messages are to be sent out + of or accepted on the interface. This should generally be configured + on all PMBRs in order not to receive messages from neighboring + domains. This avoids receiving legitimate messages with conflicting + BSR information from other domains, and also prevents BSR attacks + from neighboring domains. This option is also useful on leaf + interfaces where there are only hosts present. However, the Security + Considerations section of [1] states that there should be a mechanism + for not accepting PIM Hello messages on leaf interfaces and that + messages should only be accepted from valid PIM neighbors. There may + however be additional issues with unicast Bootstrap messages; see + below. In addition to dropping all multicast Bootstrap messages on + PMBRs, we also recommend configuring PMBRs (both towards other + domains and on leaf interfaces) to drop all unicast PIM messages + (Bootstrap message, Candidate-RP Advertisement, PIM register, and PIM + register stop). + +6.3.1. Unicast Bootstrap Messages + + There are some possible security issues with unicast Bootstrap + messages. The Bootstrap Message Processing Checks prevent a router + from accepting a Bootstrap message from outside of the PIM Domain, as + the source address on Bootstrap messages must be an immediate PIM + neighbor. There is however a small window of time after a reboot + where a PIM router will accept a bad Bootstrap message that is + unicast from an immediate neighbor, and it might be possible to + unicast a Bootstrap message to a router during this interval from + outside the domain, using the spoofed source address of a neighbor. + The best way to protect against this is to use the above-mentioned + mechanism of configuring border and leaf interfaces to drop all + bootstrap messages, including unicast messages. This can also be + prevented if PMBRs perform source-address filtering to prevent + packets entering the PIM domain with IP source addresses that are + infrastructure addresses in the PIM domain. + + The use of unicast Bootstrap messages is for backwards compatibility + only. Due to the possible security implications, implementations + supporting unicast Bootstrap messages SHOULD provide a configuration + option for whether they are to be used. + + + + + +Bhaskar, et al. Standards Track [Page 37] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +6.3.2. Multi-Access Subnets + + As mentioned above, implementations SHOULD provide a per-interface + configuration option so that leaf interfaces and interfaces facing + other domains can be configured to drop all Bootstrap messages. In + this section, we will consider multi-access subnets where there are + both multiple PIM routers in a PIM domain and PIM routers outside the + PIM domain or non-trusted hosts. On such subnets, one should (if + possible) configure the PMBRs to drop Bootstrap messages. This is + possible provided that the routers in the PIM domain receive + Bootstrap messages on other internal subnets. That is, for each of + the routers on the multi-access subnet that are in our domain, the + RPF interface for each of the Candidate-BSR addresses must be an + internal interface (an interface not on a multi-access subnet). + There are however network topologies where this is not possible. For + such topologies, we recommend that IPsec Authentication Header (AH) + is used to protect communication between the PIM routers in the + domain, and that such routers are configured to drop and log + communication attempts from any nodes that do not pass the + authentication check. When all the PIM routers are under the same + administrative control, this authentication may use a configured + shared secret. In order to prevent replay attacks, one will need to + have one security association (SA) per sender and use the sender + address for SA lookup. The securing of interactions between PIM + neighbors is discussed in more detail in the Security Considerations + section of [1], and so we do not discuss the details further here. + The same security mechanisms that can be used to secure PIM Join, + Prune, and Assert messages should also be used to secure Bootstrap + messages. How exactly to secure PIM link-local messages is still + being worked on by the PIM working group; see [10]. + +6.4. Candidate-RP-Advertisement Message Security + + Even if it is not possible to subvert Bootstrap messages, an attacker + might be able to perform most of the same attacks by simply sending + C-RP-Adv messages to the BSR specifying the attacker's choice of RPs. + Thus, it is necessary to control the sending of C-RP-Adv messages in + essentially the same ways that we control Bootstrap messages. + However, C-RP-Adv messages are unicast and normally travel multiple + hops, so controlling them is more difficult. + +6.4.1. Non-Cryptographic Security of C-RP-Adv Messages + + We recommend that PMBRs are configured to drop C-RP-Adv messages. + One might configure the PMBRs to drop all unicast PIM messages + (Bootstrap message, Candidate-RP Advertisement, PIM register, and PIM + register stop). PMBRs may also perform source-address filtering to + prevent packets entering the PIM domain with IP source addresses that + + + +Bhaskar, et al. Standards Track [Page 38] + +RFC 5059 BSR Mechanism for PIM January 2008 + + + are infrastructure addresses in the PIM domain. We also recommend + that implementations have a way of restricting which IP addresses the + BSR accepts C-RP-Adv messages from. The BSR can then be configured + to only accept C-RP-Adv messages from infrastructure addresses or the + subset used for Candidate-RPs. + + If the unicast and multicast topologies are known to be congruent, + the following checks should be made. On interfaces that are + configured to be leaf subnets, all C-RP-Adv messages should be + dropped. On multi- access subnets with multiple PIM routers and + hosts that are not trusted, the router can at least check that the + source Media Access Control (MAC) address is that of a valid PIM + neighbor. + +6.4.2. Cryptographic Security of C-RP-Adv Messages + + For true security, we recommend that all C-RPs are configured to use + IPsec authentication. The authentication process for a C-RP-Adv + message between a C-RP and the BSR is identical to the authentication + process for PIM Register messages between a DR and the relevant RP, + except that there will normally be fewer C-RPs in a domain than there + are DRs, so key management is a little simpler. We do not describe + the details of this process further here, but refer to the Security + Considerations section of [1]. Note that the use of cryptographic + security for C-RP-Adv messages does not remove the need for the non- + cryptographic mechanisms, as explained above. + +6.5. Denial of Service using IPsec + + An additional concern is that of denial-of-service attacks caused by + sending high volumes of Bootstrap messages or C-RP-Adv messages with + invalid IPsec authentication information. It is possible that these + messages could overwhelm the CPU resources of the recipient. + + The non-cryptographic security mechanisms above restrict from where + unicast Bootstrap messages and C-RP-Adv messages are accepted. In + addition, we recommend that rate-limiting mechanisms can be + configured, to be applied on receipt of unicast PIM packets. The + rate-limiter MUST independently rate-limit different types of PIM + packets -- for example, a flood of C-RP-Adv messages MUST NOT cause a + rate limiter to drop low- rate Bootstrap messages. Such a rate- + limiter might itself be used to cause a denial-of-service attack by + causing valid packets to be dropped, but in practice this is more + likely to constrain bad PIM messages. The rate-limiter will prevent + attacks on PIM from affecting other activity on the receiving router, + such as unicast routing. + + + + + +Bhaskar, et al. Standards Track [Page 39] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +7. Contributors + + Bill Fenner, Mark Handley, Roger Kermode, and David Thaler have + contributed greatly to this document. They were authors of this + document up to version 03, and much of the current text comes from + version 03. + +8. Acknowledgments + + PIM-SM was designed over many years by a large group of people, + including ideas from Deborah Estrin, Dino Farinacci, Ahmed Helmy, + Steve Deering, Van Jacobson, C. Liu, Puneet Sharma, Liming Wei, Tom + Pusateri, Tony Ballardie, Scott Brim, Jon Crowcroft, Paul Francis, + Joel Halpern, Horst Hodel, Polly Huang, Stephen Ostrowski, Lixia + Zhang, Girish Chandranmenon, Pavlin Radoslavov, John Zwiebel, Isidor + Kouvelas, and Hugh Holbrook. This BSR specification draws heavily on + text from RFC 2362. + + Many members of the PIM Working Group have contributed comments and + corrections for this document, including Christopher Thomas Brown, + Ardas Cilingiroglu, Murthy Esakonu, Venugopal Hemige, Prashant + Jhingran, Rishabh Parekh, and Katta Sambasivarao. + +9. Normative References + + [1] Fenner, B., Handley, M., Holbrook, H., and I. Kouvelas, + "Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol + Specification (Revised)", RFC 4601, August 2006. + + [2] Handley, M., Kouvelas, I., Speakman, T., and L. Vicisano, + "Bidirectional Protocol Independent Multicast (BIDIR-PIM)", RFC + 5015, October 2007. + + [3] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC + 2365, July 1998. + + [4] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and B. + Zill, "IPv6 Scoped Address Architecture", RFC 4007, March 2005. + + [5] Hinden, R. and S. Deering, "IP Version 6 Addressing + Architecture", RFC 4291, February 2006. + + [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + + + + + + +Bhaskar, et al. Standards Track [Page 40] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +10. Informative References + + [7] Estrin, D., et al., "Protocol Independent Multicast-Sparse Mode + (PIM-SM): Protocol Specification", RFC 2362, June 1998. + + [8] Kim, D., Meyer, D., Kilmer, H., and D. Farinacci, "Anycast + Rendevous Point (RP) mechanism using Protocol Independent + Multicast (PIM) and Multicast Source Discovery Protocol (MSDP)", + RFC 3446, January 2003. + + [9] Farinacci, D. and Y. Cai, "Anycast-RP Using Protocol Independent + Multicast (PIM)", RFC 4610, August 2006. + + [10] Atwood, W. and S. Islam, "Security Issues in PIM-SM Link-local + Messages", Work in Progress, July 2007. + + [11] IANA, "Address Family Numbers", + . + +Authors' Addresses + + Nidhi Bhaskar + Arastra, Inc. + P.O. Box 10905 + Palo Alto, CA 94303 + USA + EMail: nidhi@arastra.com + + Alexander Gall + SWITCH + P.O. Box + CH-8021 Zurich + Switzerland + EMail: alexander.gall@switch.ch + + James Lingard + Arastra, Inc. + P.O. Box 10905 + Palo Alto, CA 94303 + USA + EMail: jchl@arastra.com + + Stig Venaas + UNINETT + NO-7465 Trondheim + Norway + EMail: venaas@uninett.no + + + + +Bhaskar, et al. Standards Track [Page 41] + +RFC 5059 BSR Mechanism for PIM January 2008 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2008). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + + + + + + + + + + + +Bhaskar, et al. Standards Track [Page 42] + -- cgit v1.2.3