Host Threats to Protocol Independent Multicast (PIM)
RFC 5294

Network Working Group                                          P. Savola
Request for Comments: 5294                                     CSC/FUNET
Category: Informational                                       J. Lingard
                                                                 Arastra
                                                             August 2008

          Host Threats to Protocol Independent Multicast (PIM)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   This memo complements the list of multicast infrastructure security
   threat analysis documents by describing Protocol Independent
   Multicast (PIM) threats specific to router interfaces connecting
   hosts.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Host-Interface PIM Vulnerabilities . . . . . . . . . . . . . .  2
     2.1.  Nodes May Send Illegitimate PIM Register Messages  . . . .  3
     2.2.  Nodes May Become Illegitimate PIM Neighbors  . . . . . . .  3
     2.3.  Routers May Accept PIM Messages from Non-Neighbors . . . .  3
     2.4.  An Illegitimate Node May Be Elected as the PIM DR or DF  .  3
       2.4.1.  PIM-SM Designated Router Election  . . . . . . . . . .  3
       2.4.2.  BIDIR-PIM Designated Forwarder Election  . . . . . . .  4
     2.5.  A Node May Become an Illegitimate PIM Asserted
           Forwarder  . . . . . . . . . . . . . . . . . . . . . . . .  4
     2.6.  BIDIR-PIM Does Not Use RPF Check . . . . . . . . . . . . .  4
   3.  On-Link Threats  . . . . . . . . . . . . . . . . . . . . . . .  5
     3.1.  Denial-of-Service Attack on the Link . . . . . . . . . . .  5
     3.2.  Denial-of-Service Attack on the Outside  . . . . . . . . .  6
     3.3.  Confidentiality, Integrity, or Authorization Violations  .  6
   4.  Mitigation Methods . . . . . . . . . . . . . . . . . . . . . .  7
     4.1.  Passive Mode for PIM . . . . . . . . . . . . . . . . . . .  7
     4.2.  Use of IPsec among PIM Routers . . . . . . . . . . . . . .  7
     4.3.  IP Filtering PIM Messages  . . . . . . . . . . . . . . . .  8
     4.4.  Summary of Vulnerabilities and Mitigation Methods  . . . .  8
   5.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 10
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 10

Savola & Lingard             Informational                      [Page 1]
RFC 5294                  Host Threats to PIM                August 2008

1.  Introduction

   There has been some analysis of the security threats to the multicast
   routing infrastructures [RFC4609], some work on implementing
   confidentiality, integrity, and authorization in the multicast
   payload [RFC3740], and also some analysis of security threats in
   Internet Group Management Protocol/Multicast Listener Discovery
   (IGMP/MLD) [DALEY-MAGMA], but no comprehensive analysis of security
   threats to PIM at the host-connecting (typically "Local Area
   Network") links.

   We define these PIM host threats to include:

   o  Nodes using PIM to attack or deny service to hosts on the same
      link,

   o  Nodes using PIM to attack or deny service to valid multicast
      routers on the link, or

   o  Nodes using PIM (Register messages) to bypass the controls of
      multicast routers on the link.

   The attacking node is typically a host or a host acting as an
   illegitimate router.

   A node originating multicast data can disturb existing receivers of
   the group on the same link, but this issue is not PIM-specific so it
   is out of scope.  Subverting legitimate routers is out of scope.
   Security implications on multicast routing infrastructure are
   described in [RFC4609].

   This document analyzes the PIM host-interface vulnerabilities,
   formulates a few specific threats, proposes some potential ways to
   mitigate these problems, and analyzes how well those methods fix
   the issues.

   It is assumed that the reader is familiar with the basic concepts of
   PIM.

   Analysis of PIM-DM [RFC3973] is out of scope of this document.

2.  Host-Interface PIM Vulnerabilities

   This section briefly describes the main attacks against host-
   interface PIM signaling, before we get to the actual threats and
   mitigation methods in the next sections.

