idnits 2.17.1

draft-ietf-pim-sm-bsr-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 16.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1725.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1736.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1743.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1749.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 127 instances of too long lines in the document, the longest
     one being 1 character in excess of 72.

  == There are 1 instance of lines with multicast IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use the 233.252.0.x range defined in RFC 5771

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (23 October 2005) is 6760 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-12) exists of
     draft-ietf-pim-sm-v2-new-11

  == Outdated reference: A later version (-09) exists of
     draft-ietf-pim-bidir-07

  ** Obsolete normative reference: RFC 3513 (ref. '5') (Obsoleted by RFC 4291)

  -- Obsolete informational reference (is this intentional?): RFC 2362 (ref.
     '7') (Obsoleted by RFC 4601, RFC 5059)

  == Outdated reference: A later version (-07) exists of
     draft-ietf-pim-anycast-rp-04

     Summary: 5 errors (**), 0 flaws (~~), 6 warnings (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Engineering Task Force                                   PIM WG
INTERNET-DRAFT                                       Nidhi Bhaskar/Cisco
draft-ietf-pim-sm-bsr-06.txt                       Alexander Gall/SWITCH
                                                           James Lingard
                                                     Stig Venaas/UNINETT
                                                         23 October 2005
Expires: April 2006

                Bootstrap Router (BSR) Mechanism for PIM

Status of this Document

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware have
been or will be disclosed, and any of which he or she becomes aware will
be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups.  Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

This document is a product of the IETF PIM WG.  Comments should be
addressed to the authors, or the WG's mailing list at pim@ietf.org.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

     This document specifies the Bootstrap Router (BSR) mechanism
     for the class of multicast routing protocols in the PIM
     (Protocol Independent Multicast) family that use the concept
     of a Rendezvous Point as a means for receivers to discover the
     sources that send to a particular multicast group.  BSR is one
     way that a multicast router can learn the set of group-to-RP
     mappings required in order to function.
     The mechanism is dynamic, largely self-configuring, and robust
     to router failure.

Table of Contents

1. Introduction
   1.1. Background
   1.2. Protocol Overview
   1.3. Administrative Scoping and BSR
2. BSR State and Timers
3. Bootstrap Router Election and RP-Set Distribution
   3.1. Bootstrap Router Election
      3.1.1. Per-Scope-Zone Candidate-BSR State Machine
      3.1.2. Per-Scope-Zone State Machine for Non-Candidate-BSR Routers
      3.1.3. Bootstrap Message Processing Checks
      3.1.4. State Machine Transition Events
      3.1.5. State Machine Actions
   3.2. Sending Candidate-RP-Advertisement Messages
   3.3. Creating the RP-Set at the BSR
   3.4. Forwarding Bootstrap Messages
   3.5. Unicasting Bootstrap Messages to New and Rebooting Routers
   3.6. Receiving and Using the RP-Set
4. Message Formats
   4.1. Bootstrap Message Format
      4.1.1. Semantic Fragmentation of BSMs
   4.2. Candidate-RP-Advertisement Message Format
5. Timers and Timer Values
6. Security Considerations
   6.1. Possible Threats
   6.2. Limiting Third-Party DoS Attacks
   6.3. Bootstrap Message Security
      6.3.1. Rejecting Unicast Bootstrap Messages
      6.3.2. Rejecting Bootstrap Messages from Invalid Neighbors
   6.4. Candidate-RP-Advertisement Message Security
      6.4.1. Non-Cryptographic Security of C-RP-Adv Messages
      6.4.2. Cryptographic Security of C-RP-Adv Messages
   6.5. Denial of Service using IPsec
7. Contributors
8. Acknowledgments
9. IANA Considerations
10. Normative References
11. Informative References

1. Introduction

This document assumes some familiarity with the concepts of Protocol
Independent Multicast - Sparse Mode (PIM-SM), as defined in [1], and
Bi-directional Protocol Independent Multicast (BIDIR-PIM), as defined in
[2], as well as with Administratively Scoped IP Multicast, as described
in [3], and the IPv6 Scoped Address Architecture, described in [4].

For correct operation, every multicast router within a PIM domain must
be able to map a particular multicast group address to the same
Rendezvous Point (RP).  The PIM specifications do not mandate the use of
a single mechanism to provide routers with the information to perform
this group-to-RP mapping.

This document describes the PIM Bootstrap Router (BSR) mechanism.  BSR
is one way that a multicast router can learn the information required to
perform the group-to-RP mapping.  The mechanism is dynamic, largely
self-configuring, and robust to router failure.

BSR was first defined in RFC 2362 [7], which has since been obsoleted.
This document provides an updated specification of the BSR mechanism
from RFC 2362, and also extends it to cope with administratively scoped
region boundaries and different flavours of routing protocols.

Throughout the document, any reference to the PIM protocol family is
restricted to the subset of RP-based protocols, namely PIM-SM and
BIDIR-PIM, unless stated otherwise.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [6].

1.1. Background

A PIM domain is a contiguous set of routers that all implement PIM and
are configured to operate within a common boundary defined by PIM
Multicast Border Routers (PMBRs).  PMBRs connect each PIM domain to the
rest of the internet.

Every PIM multicast group needs to be associated with the IP address of
a Rendezvous Point (RP).  This address is used as the root of a
group-specific distribution tree whose branches extend to all nodes in
the domain that want to receive traffic sent to the group.  Senders
inject packets into the tree in such a manner that they reach all
connected receivers.  How this is done and how the packets are forwarded
along the distribution tree depends on the particular routing protocol.

For all senders to reach all receivers, it is crucial that all routers
in the domain use the same mappings of group addresses to RP addresses.

An exception to the above is where a PIM domain has been broken up into
multiple administrative scope regions.  These are regions where a border
has been configured so that a set of multicast groups will not be
forwarded across that border.  In this case, all PIM routers within the
same scope region must map a particular scoped group to the same RP
within that region.

In order to determine the RP for a multicast group, a PIM router
maintains a collection of group-to-RP mappings, called the RP-Set.  A
group-to-RP mapping contains the following elements.

   o  Multicast group range, expressed as an address and prefix length

   o  RP priority

   o  RP address

   o  Hash mask length

   o  SM / BIDIR flag

In general, the group ranges of these group-to-RP mappings may overlap
in arbitrary ways; hence a particular multicast group may be covered by
multiple group-to-RP mappings.  When this is the case, the router
chooses only one of the RPs by applying a deterministic algorithm so
that all routers in the domain make the same choice.  It is important to
note that this algorithm is part of the specification of the individual
routing protocols (and may differ among them), not of the BSR
specification.

There are a number of ways in which such group-to-RP mappings can be
established.  The simplest solution is for all the routers in the domain
to be statically configured with the same information.  However, static
configuration generally doesn't scale well, and, except when used in
conjunction with Anycast-RP (see [8] and [9]), does not dynamically
adapt to route around router or link failures.

The BSR mechanism provides a way in which viable group-to-RP mappings
can be created and rapidly distributed to all the PIM routers in a
domain.  It is adaptive, in that if an RP becomes unreachable, this will
be detected and the RP-Sets will be modified so that the unreachable RP
is no longer used.

1.2. Protocol Overview

In this section we give an informal and non-definitive overview of the
BSR mechanism.  The definitive specification begins in section 2.

The general idea behind the BSR mechanism is that some of the PIM
routers within a PIM domain are configured to be potential RPs for the
domain.  These are known as Candidate-RPs (C-RPs).
A subset of the C-RPs will eventually be used as the actual RPs for the
domain.  In addition, some of the PIM routers in the domain are
configured to be candidate bootstrap routers, or Candidate-BSRs
(C-BSRs).  One of these C-BSRs will be elected to be the bootstrap
router (BSR) for the domain, and all the PIM routers in the domain will
learn the result of this election through Bootstrap messages.  The C-RPs
will then report their candidacy to the elected BSR, which chooses a
subset of these C-RPs and distributes corresponding group-to-RP mappings
to all the routers in the domain through Bootstrap messages.

In more detail, the BSR mechanism works as follows.  There are four
basic phases (although in practice all phases may be occurring
simultaneously):

1.   BSR Election.  Each Candidate-BSR originates Bootstrap messages
     (BSMs).  Every BSM contains a BSR Priority field.  Routers within
     the domain flood the BSMs throughout the domain.  A C-BSR that
     hears about a higher-priority C-BSR than itself then suppresses its
     sending of further BSMs for some period of time.  The single
     remaining C-BSR becomes the elected BSR, and its BSMs inform all
     the other routers in the domain that it is the elected BSR.

2.   C-RP Advertisement.  Each Candidate-RP within a domain sends
     periodic Candidate-RP-Advertisement (C-RP-Adv) messages to the
     elected BSR.  A C-RP-Adv message includes the priority of the
     advertising C-RP, as well as a list of group ranges for which the
     candidacy is advertised.  In this way, the BSR learns about
     possible RPs that are currently up and reachable.

3.   RP-Set Formation.  The BSR selects a subset of the C-RPs that it
     has received C-RP-Adv messages from to form the RP-Set.  In general
     it should do this in such a way that the RP-Set is neither too
     large to inform all the routers in the domain about, nor too small
     so that load is overly concentrated on some RPs.
     It should also attempt to produce an RP-Set that does not change
     frequently.

4.   RP-Set Flooding.  In future Bootstrap messages, the BSR includes
     the RP-Set information.  Bootstrap messages are flooded through the
     domain, which ensures that the RP-Set rapidly reaches all the
     routers in the domain.  BSMs are originated periodically to ensure
     consistency after failure restoration.

     When a PIM router receives a Bootstrap message, it adds the
     group-to-RP mappings contained therein to its pool of mappings
     obtained from other sources (e.g. static configuration).  It
     calculates the final mappings of group addresses to RP addresses
     from this pool according to rules specific to the particular
     routing protocol and uses that information to construct multicast
     distribution trees.

If a PIM domain becomes partitioned, each area separated from the old
BSR will elect its own BSR, which will distribute an RP-Set containing
RPs that are reachable within that partition.  When the partition heals,
another election will occur automatically and only one of the BSRs will
continue to send out Bootstrap messages.  As is expected at the time of
a partition or healing, some disruption in packet delivery may occur.
This time will be on the order of the region's round-trip time and the
BS_Timeout value.

1.3. Administrative Scoping and BSR

The mechanism described in the previous section does not work when the
PIM domain is divided into administratively scoped regions.  To handle
this situation, we use the protocol modifications described in this
section.

Administrative scoping permits a PIM domain to be divided into multiple
admin-scope regions.  Each admin-scope region is a convex connected set
of PIM routers, and is associated with a set of group addresses.  The
boundary of the admin-scope region is formed by Zone Border Routers
(ZBRs).
ZBRs are configured not to forward traffic for any of the
scoped group addresses into or out of the scoped region.  It is
important to note that a given scope boundary always creates at least
two scoped regions: one on either side of the boundary.

In IPv4, administratively scoped regions are associated with a set of
addresses given by an address and a prefix length.  In IPv6,
administratively scoped regions are associated with a set of addresses
given by a single scope ID value.  The set of addresses corresponding to
a given scope ID value is defined in [5].  For example, a scope ID of 5
maps to the 16 IPv6 address ranges ff[0-f]5::/16.

There are certain topological restrictions on admin-scope regions.
Firstly, the scope zone border must be complete and convex.  By this we
mean that there must be no path from inside the scoped zone to outside
it that does not pass through a configured scope border router, and that
the multicast capable path between any arbitrary pair of multicast
routers in the scope zone must remain in the zone.  In addition, a
boundary for one scope must always be a boundary for all smaller scopes,
where a smaller scope for IPv4 is one whose address range is contained
within the other address range, and for IPv6 is one whose scope ID is
less than the other scope ID.

Administrative scoping complicates BSR because we do not want a PIM
router within the scoped region to use an RP outside the scoped region.
Thus we need to modify the basic mechanism to ensure that this doesn't
happen.

This is done by running a separate copy of the basic BSR mechanism, as
described in the previous section, within each admin scope region of a
PIM domain.
Thus a separate BSR election takes place for each
admin-scope region, a C-RP typically registers to the BSR of every admin
scope zone it is in, and every PIM router receives Bootstrap messages
for every scope zone it is in.  The Bootstrap messages sent by the BSR
for a particular scope zone contain information about the RPs that
should be used for the set of addresses associated with that scope zone.

Bootstrap messages are marked to indicate which scope zone they belong
to.  Such admin scoped Bootstrap messages are flooded in the normal way,
but will not be forwarded by a ZBR across the boundary for that scope
zone.

For the BSR mechanism to function correctly with admin scoping, within
each admin scope region there must be at least one C-BSR, and at least
one C-RP that is configured to be a C-RP for the set of group addresses
associated with the scoped region.

Even when administrative scoping is used, a copy of the BSR mechanism is
still used across the entire PIM domain, in order to distribute RP
information for groups that are not administratively scoped.  We call
this copy of the mechanism Non-Scoped BSR.  The copies of the mechanism
run for each admin-scope region are called Scoped BSR.

Only the C-BSRs and the ZBRs need to be configured to know about the
existence of the scope zones.  Other routers, including the C-RPs, learn
of their existence from Bootstrap messages.

All PIM routers within a PIM bootstrap domain where admin scope ranges
are in use must be capable of receiving Bootstrap messages and storing
the winning BSR and RP-Set for all admin scope zones that apply.  Thus
PIM routers that only implement RFC 2362 or Non-Scoped BSR (which only
allows one BSR per domain) cannot be used within the admin-scope regions
of a PIM domain.

2. BSR State and Timers

A PIM router implementing BSR holds the following state.

RP-Set

Per Configured or Learned Scope Zone (Z):

     At all routers:

          Current Bootstrap Router's IP Address

          Current Bootstrap Router's BSR Priority

          Last BSM received from current BSR

          Bootstrap Timer (BST(Z))

          Per group-to-RP mapping (M):

               Group-to-RP mapping Expiry Timer (GET(M,Z))

     At a Candidate-BSR for Z:

          My state: One of "Candidate-BSR", "Pending-BSR",
                    "Elected-BSR"

     At a router that is not a Candidate-BSR for Z:

          My state: One of "Accept Any", "Accept Preferred"

          Scope-Zone Expiry Timer (SZT(Z))

     At the current Bootstrap Router for Z only:

          Per group-to-C-RP mapping (M):

               Group-to-C-RP mapping Expiry Timer (CGET(M,Z))

At a C-RP only:

     C-RP Advertisement Timer (CRPT)

3. Bootstrap Router Election and RP-Set Distribution

3.1. Bootstrap Router Election

For simplicity, Bootstrap messages are used in both the BSR election and
the RP-Set distribution mechanisms.

Each Bootstrap message indicates the scope that it belongs to.  If the
Admin Scope Zone bit is set in the first group range in the Bootstrap
message, the message is called a scoped BSM.  If the Admin Scope Zone
bit is not set in the first group range in the Bootstrap message, the
message is called a non-scoped BSM.

In a scoped IPv4 BSM, the scope of the message is given by the first
group range in the message, which can be any sub-range of 224/4.  In a
scoped IPv6 BSM, the scope of the message is given by the scope ID of
the first group range in the message, which must have a mask length of
at least 16.  For example, a group range of ff05::/16 with the Admin
Scope Zone bit set indicates that the Bootstrap message is for the scope
with scope ID 5.  If the mask length of the first group range in a
scoped IPv6 BSM is less than 16, the message MUST be dropped and a
warning SHOULD be logged.
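
Added example (not part of the draft): the scope rules above in Python.
The names bsm_scope and group_in_scope are hypothetical, and the 224/4
test on scoped IPv4 ranges is a sanity check of this example rather than
a rule stated in the draft.

```python
from ipaddress import ip_address, ip_network

IPV4_MULTICAST = ip_network("224.0.0.0/4")


def bsm_scope(first_group_range, admin_scope_bit):
    """Return the scope of a BSM from its first group range.

    Result is ("non-scoped", None), ("ipv4", network) or ("ipv6", scope_id).
    Raises ValueError when the message has to be dropped.
    """
    net = ip_network(first_group_range, strict=False)
    if not admin_scope_bit:
        return ("non-scoped", None)
    if net.version == 4:
        # Sanity check added for this example: the draft only says the
        # range "can be any sub-range of 224/4".
        if not net.subnet_of(IPV4_MULTICAST):
            raise ValueError("scoped IPv4 range outside 224/4")
        return ("ipv4", net)
    if net.prefixlen < 16:
        # MUST be dropped; the caller SHOULD log a warning.
        raise ValueError("scoped IPv6 BSM with mask length < 16")
    # ffXS::/16: the low four bits of the second octet carry the scope ID.
    scope_id = (int(net.network_address) >> 112) & 0xF
    return ("ipv6", scope_id)


def group_in_scope(group, scope):
    """True if a group address belongs to the zone returned by bsm_scope()."""
    kind, value = scope
    addr = ip_address(group)
    if kind == "non-scoped":
        return addr.is_multicast
    if kind == "ipv4":
        return addr.version == 4 and addr in value
    # IPv6: any of the 16 ranges ff[0-f]S::/16 with S equal to the scope ID.
    top16 = int(addr) >> 112 if addr.version == 6 else 0
    return (top16 >> 8) == 0xFF and (top16 & 0xF) == value
```
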

The state machine for Bootstrap messages depends on whether or not a
router has been configured to be a Candidate-BSR for a particular scope
zone.  The per-scope-zone state machine for a C-BSR is given below,
followed by the state machine for a router that is not configured to be
a C-BSR.

3.1.1. Per-Scope-Zone Candidate-BSR State Machine

+-----------------------------------------------------------------------+
|                          When in C-BSR state                          |
+-----------+------------------+--------------------+-------------------+
| Event     | Receive          | Bootstrap          | Receive Non-      |
|           | Preferred BSM    | Timer Expires      | preferred BSM     |
|           |                  |                    | from Elected      |
|           |                  |                    | BSR               |
+-----------+------------------+--------------------+-------------------+
|           | -> C-BSR state   | -> P-BSR state     | -> P-BSR state    |
|           | Forward BSM;     | Set Bootstrap      | Set Bootstrap     |
| Action    | Store RP-Set;    | Timer to           | Timer to          |
|           | Set Bootstrap    | BS_Rand_Override   | BS_Rand_Override  |
|           | Timer to         |                    |                   |
|           | BS_Timeout       |                    |                   |
+-----------+------------------+--------------------+-------------------+

+-----------------------------------------------------------------------+
|                          When in P-BSR state                          |
+------------+-------------------+-------------------+------------------+
| Event      | Receive           | Bootstrap         | Receive Non-     |
|            | Preferred BSM     | Timer Expires     | preferred BSM    |
+------------+-------------------+-------------------+------------------+
|            | -> C-BSR state    | -> E-BSR state    | -> P-BSR state   |
|            | Forward BSM;      | Originate BSM;    |                  |
| Action     | Store RP-Set;     | Set Bootstrap     |                  |
|            | Set Bootstrap     | Timer to          |                  |
|            | Timer to          | BS_Period         |                  |
|            | BS_Timeout        |                   |                  |
+------------+-------------------+-------------------+------------------+

+-----------------------------------------------------------------------+
|                          When in E-BSR state                          |
+------------+-------------------+-------------------+------------------+
| Event      | Receive           | Bootstrap         | Receive Non-     |
|            | Preferred BSM     | Timer Expires     | preferred BSM    |
+------------+-------------------+-------------------+------------------+
|            | -> C-BSR state    | -> E-BSR state    | -> E-BSR state   |
|            | Forward BSM;      | Originate BSM;    | Originate BSM;   |
| Action     | Store RP-Set;     | Set Bootstrap     | Set Bootstrap    |
|            | Set Bootstrap     | Timer to          | Timer to         |
|            | Timer to          | BS_Period         | BS_Period        |
|            | BS_Timeout        |                   |                  |
+------------+-------------------+-------------------+------------------+

A Candidate-BSR may be in one of three states for a particular scope
zone:

Candidate-BSR (C-BSR)
     The router is a candidate to be the BSR for the scope zone, but
     currently another router is the preferred BSR.

Pending-BSR (P-BSR)
     The router is a candidate to be the BSR for the scope zone.
     Currently no other router is the preferred BSR, but this router is
     not yet the elected BSR.  This is a temporary state that prevents
     rapid thrashing of the choice of BSR during BSR election.

Elected-BSR (E-BSR)
     The router is the elected BSR for the scope zone and it must
     perform all the BSR functions.

In addition to the three states, there is one timer:

   o  The Bootstrap Timer (BST) - used to time out old bootstrap router
      information, and used in the election process to terminate P-BSR
      state.

On startup, the initial state for this configured scope zone is
"Pending-BSR"; the Bootstrap Timer is initialized to BS_Rand_Override.

3.1.2. Per-Scope-Zone State Machine for Non-Candidate-BSR Routers

+-----------------------------------------------------------------------+
|                         When in NoInfo state                          |
+---------------------+-------------------------------------------------+
| Event               | Receive BSM                                     |
+---------------------+-------------------------------------------------+
|                     | -> AP state                                     |
| Action              | Forward BSM; Store RP-Set;                      |
|                     | Set Bootstrap Timer to BS_Timeout;              |
|                     | Set SZT to SZ_Timeout                           |
+---------------------+-------------------------------------------------+

+-----------------------------------------------------------------------+
|                       When in Accept Any state                        |
+---------------+----------------------------+--------------------------+
| Event         | Receive BSM                | Scope-Zone Expiry        |
|               |                            | Timer Expires            |
+---------------+----------------------------+--------------------------+
|               | -> AP state                | -> NoInfo state          |
|               | Forward BSM; Store         | Cancel timers;           |
| Action        | RP-Set; Set                | Clear state              |
|               | Bootstrap Timer to         |                          |
|               | BS_Timeout; Set            |                          |
|               | SZT to SZ_Timeout          |                          |
+---------------+----------------------------+--------------------------+

+-----------------------------------------------------------------------+
|                    When in Accept Preferred state                     |
+----------+-----------------------+------------------+-----------------+
| Event    | Receive Preferred     | Bootstrap        | Receive Non-    |
|          | BSM                   | Timer Expires    | preferred BSM   |
+----------+-----------------------+------------------+-----------------+
|          | -> AP state           | -> AA state      | -> AP state     |
|          | Forward BSM; Store    | Refresh RP-      |                 |
| Action   | RP-Set; Set           | Set; Remove      |                 |
|          | Bootstrap Timer to    | BSR state        |                 |
|          | BS_Timeout; Set SZT   |                  |                 |
|          | to SZ_Timeout         |                  |                 |
+----------+-----------------------+------------------+-----------------+

A router that is not a Candidate-BSR may be in one of three states:

NoInfo
     The router has no information about this scope zone.  This state
     does not apply if the router is configured to know about this scope
     zone, or for the global scope zone.  When in this state, no state
     information is held and no timers run that refer to this scope
     zone.

Accept Any (AA)
     The router does not know of an active BSR, and will accept the
     first Bootstrap message it sees as giving the new BSR's identity
     and the RP-Set.

Accept Preferred (AP)
     The router knows the identity of the current BSR, and is using the
     RP-Set provided by that BSR.  Only Bootstrap messages from that BSR
     or from a C-BSR with higher weight than the current BSR will be
     accepted.

In addition to the three states, there are two timers:

   o  The Bootstrap Timer (BST) - used to time out old bootstrap router
      information.

   o  The Scope-Zone Expiry Timer (SZT) - used to time out the scope
      zone itself if Bootstrap messages specifying this scope zone stop
      arriving.

On startup, the initial state for this scope zone is "Accept Any" for
routers that know about this scope zone, either through configuration or
because the scope zone is the global scope which always exists; the
Scope-Zone Expiry Timer is considered to be always running for such
scope zones.  For routers that do not know about a particular scope
zone, the initial state is NoInfo; no timers exist for the scope zone.

3.1.3. Bootstrap Message Processing Checks

When a Bootstrap message is received, the following initial checks must
be performed:

    if ((DirectlyConnected(BSM.src_ip_address) == FALSE) OR
        (we have no Hello state for BSM.src_ip_address)) {
      drop the Bootstrap message silently
    }

    if (BSM.dst_ip_address == ALL-PIM-ROUTERS) {
      if (BSM.src_ip_address != RPF_neighbor(BSM.BSR_ip_address)) {
        drop the Bootstrap message silently
      }
    } else if (BSM.dst_ip_address is one of my addresses) {
      if ((any previous BSM for this scope has been accepted) OR
          (more than BS_Period has elapsed since startup)) {
        #the packet was unicast, but this wasn't
        #a quick refresh on startup
        drop the Bootstrap message silently
      }
    } else {
      drop the Bootstrap message silently
    }

    if (the interface the message arrived on is an Admin Scope
        border for the BSM.first_group_address) {
      drop the Bootstrap message silently
    }

Basically, the packet must have come from a directly connected neighbor
for which we have active Hello state.  It must have been sent to the
ALL-PIM-ROUTERS group by the correct upstream router towards the BSR
that originated the Bootstrap message, or the router must have recently
restarted, have no BSR state for that admin scope and have received the
Bootstrap message by unicast.  In addition it must not have arrived on
an interface that is a configured admin scope border for the first group
address contained in the Bootstrap message.

3.1.4. State Machine Transition Events

If the Bootstrap message passes the initial checks above without being
discarded, then it may cause a state transition event in one of the
above state machines.  For both candidate and non-candidate BSRs, the
following transition events are defined:

Receive Preferred BSM
     A Bootstrap message is received from a BSR that has higher or
     equal weight than the current BSR.
     If a router is in P-BSR state, then it uses its own weight as
     that of the current BSR.

     A Bootstrap message is also preferred if it is from the
     current BSR with a lower weight than the previous BSM it sent,
     provided that if the router is a Candidate BSR the current BSR
     still has a weight higher than or equal to that of the router
     itself.  In this case, the "Current Bootstrap Router's BSR
     Priority" state must be updated.  (For lower weight, see
     Non-preferred BSM from Elected BSR case.)

     The weight of a BSR is defined to be the concatenation in
     fixed-precision unsigned arithmetic of the BSR Priority field
     from the Bootstrap message and the IP address of the BSR from
     the Bootstrap message (with the BSR Priority taking the
     most-significant bits and the IP address taking the least
     significant bits).

Receive Non-preferred BSM
     A Bootstrap message is received from a BSR that has lower
     weight than the current BSR.  If a router is in P-BSR state,
     then it uses its own weight as that of the current BSR.

Receive Non-preferred BSM from Elected BSR
     A Bootstrap message is received from the elected BSR, but the
     BSR Priority field in the received message has changed, so
     that now the currently elected BSR has lower weight than the
     router itself.

Receive BSM
     A Bootstrap message is received, regardless of BSR weight.

In addition to state machine transitions caused by the receipt of
Bootstrap messages, a state machine transition takes place each time the
Bootstrap Timer or Scope-Zone Expiry Timer expires.

3.1.5. State Machine Actions

The state machines specify actions that include setting the Bootstrap
Timer and the Scope-Zone Expiry Timer to various values.  These values
are defined in Section 5.
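
Added example (not part of the draft): the initial checks of section
3.1.3 and the weight comparison of section 3.1.4 in Python, run over
constructed sample messages.  The Bsm and Router types, the function
names, and the 60-second BS_Period sample value are assumptions of this
example; "any previous BSM for this scope" is tracked by the first group
range as a simplification.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALL_PIM_ROUTERS = {ip_address("224.0.0.13"), ip_address("ff02::d")}


@dataclass
class Bsm:
    src: str           # IP source address of the packet
    dst: str           # IP destination address of the packet
    bsr_address: str   # BSR address carried in the message
    bsr_priority: int  # BSR Priority carried in the message
    first_group: str   # first group range, e.g. "239.192.0.0/14"
    iface: str         # interface the packet arrived on


@dataclass
class Router:
    """Hypothetical local state; addresses are canonical strings."""
    addresses: set
    connected: dict         # iface -> directly connected prefix
    hello_neighbors: set    # neighbors with active Hello state
    rpf_neighbor: dict      # BSR address -> RPF neighbor toward that BSR
    scope_borders: dict = field(default_factory=dict)  # iface -> [ranges]
    accepted_scopes: set = field(default_factory=set)  # first group ranges
    uptime: float = 0.0     # seconds since startup
    bs_period: float = 60.0  # sample value assumed for this example


def check_bsm(bsm, rtr):
    """Return "accept" or the reason the BSM is silently dropped."""
    src, dst = ip_address(bsm.src), ip_address(bsm.dst)
    link = rtr.connected.get(bsm.iface)
    if link is None or src not in ip_network(link):
        return "drop: source not directly connected"
    if bsm.src not in rtr.hello_neighbors:
        return "drop: no Hello state for source"
    if dst in ALL_PIM_ROUTERS:
        if rtr.rpf_neighbor.get(bsm.bsr_address) != bsm.src:
            return "drop: not from RPF neighbor toward BSR"
    elif bsm.dst in rtr.addresses:
        # Unicast is only acceptable as a quick refresh right after startup.
        if bsm.first_group in rtr.accepted_scopes or rtr.uptime > rtr.bs_period:
            return "drop: unicast BSM outside startup refresh"
    else:
        return "drop: unexpected destination"
    first = ip_network(bsm.first_group).network_address
    for rng in rtr.scope_borders.get(bsm.iface, []):
        if first in ip_network(rng):
            return "drop: arrived on admin scope border"
    return "accept"


def bsr_weight(priority, address):
    """BSR Priority in the most-significant bits, BSR address below it."""
    addr = ip_address(address)
    return (priority << addr.max_prefixlen) | int(addr)


def classify(bsm, current_bsr, current_weight, own_weight=None):
    """Map an accepted BSM to a transition event of section 3.1.4.

    own_weight is set only on a Candidate-BSR.  In P-BSR state the caller
    passes current_bsr=None and current_weight=own_weight.
    """
    weight = bsr_weight(bsm.bsr_priority, bsm.bsr_address)
    if current_bsr is not None and bsm.bsr_address == current_bsr:
        if own_weight is not None and weight < own_weight:
            return "Receive Non-preferred BSM from Elected BSR"
        return "Receive Preferred BSM"
    if weight >= current_weight:
        return "Receive Preferred BSM"
    return "Receive Non-preferred BSM"


def demo():
    """Run the checks over constructed (src, dst, iface) sample packets."""
    rtr = Router(
        addresses={"192.0.2.1"},
        connected={"eth0": "192.0.2.0/24", "eth1": "198.51.100.0/24"},
        hello_neighbors={"192.0.2.2", "198.51.100.2"},
        rpf_neighbor={"203.0.113.9": "192.0.2.2"},
        uptime=300.0,
    )
    cases = [
        ("192.0.2.2", "224.0.0.13", "eth0"),     # correct upstream neighbor
        ("198.51.100.2", "224.0.0.13", "eth1"),  # neighbor, but not RPF
        ("192.0.2.2", "192.0.2.1", "eth0"),      # unicast long after startup
        ("192.0.2.77", "224.0.0.13", "eth0"),    # on-link, no Hello state
    ]
    return [check_bsm(Bsm(s, d, "203.0.113.9", 100, "224.0.0.0/4", i), rtr)
            for s, d, i in cases]
```
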

In addition to setting and cancelling the timers, the following actions
may be triggered by state changes in the state machines:

     Forward BSM
          A Bootstrap message that passes the Bootstrap Message
          Processing Checks is forwarded out of all interfaces with PIM
          neighbors (including the interface it is received on), except
          where this would cause the BSM to cross an admin-scope
          boundary for the scope zone indicated in the message. For
          details, see section 3.4.

     Originate BSM
          A new Bootstrap message is constructed by the BSR, giving the
          BSR's address and BSR priority, and containing the BSR's
          chosen RP-Set. The message is forwarded out of all interfaces
          on which PIM neighbors exist, except where this would cause
          the BSM to cross an admin-scope boundary for the scope zone
          indicated in the message.

     Store RP-Set
          The router uses the group-to-RP mappings contained in a BSM to
          update its local RP-Set.

          This action is skipped for an empty BSM. A BSM is empty if it
          contains no group ranges, or if it only contains a single
          group range where that group range has the Admin Scope Zone
          bit set (a scoped BSM) and an RP count of zero.

          If a mapping does not yet exist, it is created and the
          associated Group-to-RP mapping Expiry Timer (GET) is
          initialized with the holdtime from the BSM.

          If a mapping already exists, its GET is set to the holdtime
          from the BSM. If the holdtime is zero, the mapping is removed
          immediately. Note that for an existing mapping, the RP
          priority must be updated if changed.

          Mappings for a group range are also to be immediately removed
          if they are not present in the received group range. This
          means that if there are any existing Group-to-RP mappings for
          a range where the respective RPs are not in the received
          range, then those mappings must be removed.

          All RP mappings associated with the scope zone of the BSM are
          updated with the new hash mask length from the received BSM.
          This includes any RP mappings learned from the current BSR but
          not contained in the received BSM, as well as any RP mappings
          learned from any previous BSR for the scope zone.

          In addition, the entire BSM is stored for use in the action
          Refresh RP-Set and to prime a new PIM neighbor as described
          below.

     Refresh RP-Set
          When the Bootstrap Timer expires, the router uses the copy of
          the last BSM that it has received to refresh its RP-Set
          according to the action Store RP-Set as if it had just
          received it. This will increase the chance that the
          group-to-RP mappings will not expire during the election of
          the new BSR.

     Remove BSR state
          When the Bootstrap Timer expires, all state associated with
          the current BSR is removed (see section 2). Note that this
          does not include any group-to-RP mappings.

3.2. Sending Candidate-RP-Advertisement Messages

Every C-RP periodically unicasts a C-RP-Adv message to the BSR for each
scope zone for which it has state, to inform the BSR of the C-RP's
willingness to function as an RP. These messages are sent with an
interval of C_RP_Adv_Period, except when a new BSR is elected, see
below.

When a new BSR is elected, the C-RP SHOULD send one to three C-RP-Adv
messages, waiting a randomized amount of 0-3 seconds before sending each
message. We recommend sending three messages because it is important
that the BSR quickly learns which RPs are active, and some packet loss
may occur when a new BSR is elected due to changes in the network. One
way of implementing this is to set the CRPT to 0-3 seconds when the new
BSR is elected, as well as setting a counter to 2. Whenever the CRPT
expires, we first send a C-RP-Adv message as usual.
Next, if the counter is non-zero, it is decremented and the CRPT is
again set to 0-3 seconds instead of C_RP_Adv_Period.

[NOTE: Add a name for this timer and counter?]

The Priority field in these messages is used by the BSR to select which
C-RPs to include in the RP-Set. Note that lower values of this field
indicate higher priorities, so that a value of zero is the highest
possible priority. C-RPs should by default send C-RP-Adv messages with
the Priority field set to 192.

When a C-RP is being shut down, it SHOULD immediately send a C-RP-Adv
message to the BSR for each scope zone for which it is currently serving
as an RP; the Holdtime in this C-RP-Adv message should be zero. The BSR
will then immediately time out the C-RP and generate a new Bootstrap
message removing the shut down RP from the RP-Set.

[NOTE: Should a new BSM be sent immediately when a C-RP-Adv message with
Holdtime of 0 is received? Need to clarify.]

A C-RP-Adv message carries a list of group address and group mask field
pairs. This enables the C-RP to specify the group prefixes for which it
is willing to be the RP. If the C-RP becomes an RP, it may enforce this
scope acceptance when receiving Register or Join/Prune messages.

A C-RP is configured with a list of group ranges for which it should
advertise itself as the C-RP. A C-RP uses the following algorithm to
determine which ranges to send to a given BSR.

For each group range R in the list, the C-RP advertises that range to
the scoped BSR for the smallest scope that "contains" R. For IPv6, the
containing scope is determined by matching the scope identifier of the
group range with the scope of the BSR. For IPv4, it is the
longest-prefix match for R, amongst the known admin-scope ranges. If no
scope is found to contain the group range the C-RP includes it in the
C-RP-Adv sent to the non-scoped BSR.
If a non-scoped BSR is not known, the range is not included in any
C-RP-Adv.

In addition, for each IPv4 group range R in the list, for each scoped
BSR whose scope range is strictly contained within R, the C-RP SHOULD by
default advertise that BSR's scope range to that BSR. And for each IPv6
group range R in the list with prefix length < 16, the C-RP SHOULD by
default advertise each sub-range of prefix length 16 to the scoped BSR
with the corresponding scope ID. An implementation MAY supply a
configuration option to prevent the behavior described in this
paragraph, but such an option SHOULD be disabled by default.

For IPv6, the mask length of all group ranges included in the C-RP-Adv
message sent to a scoped BSR MUST be >= 16.

If the above algorithm determines that there are no group ranges to
advertise to the BSR for a particular scope zone, a C-RP-Adv message
MUST NOT be sent to that BSR. A C-RP MUST NOT send a C-RP-Adv message
with no group ranges in it.

If the same router is the BSR for more than one scope zone, the C-RP-Adv
messages for these scope zones MAY be combined into a single message.

If the C-RP is a ZBR for an admin scope zone, then the Admin Scope Zone
bit MUST be set in the C-RP-Adv messages it sends for that scope zone;
otherwise this bit MUST NOT be set. This information is currently only
used for logging purposes by the BSR, but might allow for future
extensions of the protocol.

3.3. Creating the RP-Set at the BSR

Upon receiving a C-RP-Adv message, the router needs to decide whether or
not to accept each of the group ranges included in the message. For
each group range in the message, the router checks to see if it is the
elected BSR for any scope zone that contains the group range, or if it
is elected as the non-scoped BSR. If so, the group range is accepted;
if not, the group range is ignored.
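
An added Python sketch (not from the draft) of the IPv4 case of the
range selection in section 3.2, followed by the BSR-side acceptance test
described above. The function names, the dictionary of scope ranges to
BSR addresses and the sample addresses are assumptions; IPv6 scope-ID
matching is left out.

```python
import ipaddress

net = ipaddress.ip_network


def plan_crp_adv(ranges, scoped_bsrs, nonscoped_bsr=None):
    """Map each BSR address to the IPv4 group ranges a C-RP advertises to it.

    ranges        configured group ranges of the C-RP
    scoped_bsrs   {admin-scope range: elected BSR address for that scope zone}
    nonscoped_bsr address of the non-scoped BSR, or None if none is known
    """
    scopes = {net(s): bsr for s, bsr in scoped_bsrs.items()}
    plan = {}
    for r in map(net, ranges):
        containing = [s for s in scopes if r.subnet_of(s)]
        if containing:
            # Smallest containing scope = longest-prefix match among scope ranges.
            smallest = max(containing, key=lambda s: s.prefixlen)
            plan.setdefault(scopes[smallest], set()).add(r)
        elif nonscoped_bsr is not None:
            plan.setdefault(nonscoped_bsr, set()).add(r)
        # Otherwise no BSR is known for R and it goes into no C-RP-Adv.

        # Default behaviour: every scope strictly inside R gets its own scope
        # range advertised to its scoped BSR.
        for s, bsr in scopes.items():
            if s != r and s.subnet_of(r):
                plan.setdefault(bsr, set()).add(s)
    # A BSR missing from the result gets no C-RP-Adv at all; an advertisement
    # with an empty range list is never produced.
    return {bsr: sorted(map(str, nets)) for bsr, nets in plan.items()}


def bsr_accepts(group_range, elected_scopes, elected_nonscoped):
    """BSR side: accept a range from a C-RP-Adv only if this router is the
    elected BSR for a scope zone containing it, or the elected non-scoped BSR."""
    r = net(group_range)
    return elected_nonscoped or any(r.subnet_of(net(s)) for s in elected_scopes)
```

With scopes 239.0.0.0/8 and 239.1.0.0/16 known, a configured range of
224.0.0.0/4 goes to the non-scoped BSR and additionally yields one
advertisement of each scope range to its own scoped BSR.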

If the group range is accepted, a group-to-C-RP mapping is created for
this group range and the RP Address from the C-RP-Adv message.

If the mapping is not already part of the C-RP-Set, it is added to the
C-RP-Set and the associated Group-to-C-RP mapping Expiry Timer (CGET) is
initialized to the holdtime from the C-RP-Adv message. Its priority is
set to the Priority from the C-RP-Adv message.

If the mapping is already part of the C-RP-Set, it is updated with the
Priority from the C-RP-Adv message and its associated CGET is reset to
the holdtime from the C-RP-Adv message. If the holdtime is zero, the
mapping is immediately removed from the C-RP-Set.

The hash mask length is a global property of the BSR and is therefore
the same for all mappings managed by the BSR.

For compatibility with the previous version of the BSR specification, a
C-RP-Adv message with no group ranges SHOULD be treated as though it
contained the single group range ff00::/8 or 224/4. Therefore,
according to the rule above, this group range will be accepted if and
only if the router is elected as the non-scoped BSR.

When a CGET expires, the corresponding group-to-C-RP mapping is removed
from the C-RP-Set.

The BSR constructs the RP-Set from the C-RP-Set. It may apply a local
policy to limit the number of Candidate-RPs included in the RP-Set. The
BSR may override the prefix indicated in a C-RP-Adv message unless the
`Priority' field from the C-RP-Adv message is less than 128.

For inclusion in a BSM, the RP-Set is subdivided into sets of
{group-prefix, RP-Count, RP-addresses}. For each RP-address, the
corresponding Holdtime is included in the "RP-Holdtime" field. The
format of the Bootstrap message allows `semantic fragmentation', if the
length of the original Bootstrap message exceeds the packet maximum
boundaries.
However, we recommend against configuring a large number of routers as
C-RPs, to reduce the semantic fragmentation required.

In general BSMs are originated at regular intervals according to the
BS_Period timer. We do recommend that a BSM is also originated whenever
the RP-set to be announced in the BSMs changes. This will usually
happen when receiving C-RP advertisements from a new C-RP, or when a
C-RP is shut down (C-RP advertisement with a holdtime of zero). There
MUST however be a minimum of 10 seconds between each time a BSM is sent.
In particular, when a new BSR is elected, it will first send one BSM
(which is likely to be empty since it has not yet received any C-RP
advertisements), and then wait at least 10 seconds before sending a new
one. During those 10 seconds, it is likely to have received C-RP
advertisements from all usable C-RPs (since we say that a C-RP should
send one or more advertisements with small random delays of 0-3 seconds
when a new BSR is elected). For this case in particular, where routers
may not have a usable RP-set, we recommend originating a BSM as soon as
those 10 seconds have passed. We suggest though that a BSR can do this
in general. One way of implementing this is to decrease the Bootstrap
Timer to 10 seconds whenever the RP-set changes, while not changing the
timer if it is less than or equal to 10.

[NOTE: Add a name for this 10s value as a function of the 0-3s random
delay?]

A BSR originates separate scoped BSMs for each scope zone for which it
is the elected BSR, as well as originating non-scoped BSMs if it is the
elected non-scoped BSR.

Each group-to-C-RP mapping is included in precisely one of these BSMs,
namely the scoped BSM for the narrowest scope containing the group range
of the mapping, if any, or the non-scoped BSM otherwise.

A scoped BSM MUST have at least one group range, and the first group
range in a scoped BSM MUST have the "Admin Scope Zone" bit set. This
group range identifies the scope of the BSM. In a scoped IPv4 BSM, the
first group range is the range corresponding to the scope of the BSM.
In a scoped IPv6 BSM, the first group range may be any group range
subject to the general condition that all the group ranges in such a BSM
MUST have a mask length of at least 16 and MUST have the same scope ID
as the scope of the BSM.

RP mappings may be included in the first group range of a BSM, just as
for any other group range. After this group range, other group ranges
for which there are RP mappings appear in any order.

The "Admin Scope Zone" bit of all group ranges other than the first
SHOULD be set to 0 on origination, and MUST be ignored on receipt.

When an elected BSR is being shut down, it should immediately originate
a Bootstrap message listing its current RP-Set, but with the BSR
Priority field set to the lowest priority value possible. This will
cause the election of a new BSR to happen more quickly.

3.4. Forwarding Bootstrap Messages

Bootstrap messages originate at the BSR, and are hop-by-hop forwarded by
intermediate routers if they pass the Bootstrap Message Processing
Checks. When a Bootstrap message is forwarded, it is forwarded out of
every multicast-capable interface which has PIM neighbors (including the
one over which the message was received). The exception to this is if
the interface is an administrative scope boundary for the admin scope
zone indicated in the first group address in the Bootstrap message
packet.

As an optimization, a router MAY choose not to forward a BSM out of the
interface the message was received on if that interface is a
point-to-point interface.
On interfaces with multiple PIM neighbors, a router SHOULD forward an
accepted BSM onto the interface that BSM was received on, but if the
number of PIM neighbors on that interface is large, it MAY delay
forwarding a BSM onto that interface by a small randomized interval to
prevent message implosion. A configuration option MAY be provided to
disable forwarding onto the interface a message was received on, but we
recommend that the default behavior is to forward onto that interface.

Rationale: A BSM needs to be forwarded onto the interface the message
was received on (in addition to the other interfaces) because the
routers on a LAN may not have consistent routing information. If three
routers on a LAN are A, B, and C, and at router B RPF(BSR)==A and at
router C RPF(BSR)==B, then router A originally forwards the BSM onto the
LAN, but router C will only accept it when router B re-forwards the
message onto the LAN. If the underlying routing protocol configuration
guarantees that the routers have consistent routing information, then
forwarding onto the incoming interface may safely be disabled.

A ZBR constrains all BSMs which are of equal or smaller scope than the
configured boundary. That is, the BSMs are not accepted from,
originated or forwarded on the interfaces on which the boundary is
configured. For IPv6 the check is a comparison between the scope of the
first range in the scoped BSM and the scope of the configured boundary.
For IPv4, the first range in the scoped BSM is checked to see if it is
contained in or is the same as the range of the configured boundary.

3.5. Unicasting Bootstrap Messages to New and Rebooting Routers

To allow new or rebooting routers to learn the RP-Set quickly, when a
Hello message is received from a new neighbor, or a Hello message with a
new GenID is received from an existing neighbor, one router on the LAN
unicasts a stored copy of the Bootstrap message for each admin scope
zone to the new or rebooting router.

The router that does this is the Designated Router (DR) on the LAN, or,
if the new or rebooting router is the DR, the router that would be the
DR if the new or rebooting router were excluded from the DR election
process.

Before unicasting a Bootstrap message in this manner, the DR must wait
until it has sent a triggered Hello message on this interface;
otherwise, the new neighbor will discard the Bootstrap message.

3.6. Receiving and Using the RP-Set

The RP-Set maintained by BSR is used by RP-based multicast routing
protocols like PIM-SM and BIDIR-PIM. These protocols may obtain RP-Sets
from other sources as well. How the final group-to-RP mappings are
obtained from these RP-Sets is not part of the BSR specification. In
general, the routing protocols need to re-calculate the mappings when
any of their RP-Sets change. How such a change is signalled to the
routing protocol is also not part of the present specification.

Some group-to-RP mappings in the RP-Set indicate group ranges for which
PIM-SM should be used; others indicate group ranges for use with
BIDIR-PIM. Routers that only support one of these protocols MUST NOT
ignore ranges indicated as being for the other protocol. They MUST NOT
treat them as being for the protocol they support.

4. Message Formats

BSR messages are PIM messages, as defined in [1].
The values of the PIM Message Type field for BSR messages are:

     4  Bootstrap

     8  Candidate-RP-Advertisement

As with all other PIM control messages, BSR messages have IP protocol
number 103.

Candidate-RP-Advertisement messages are unicast to a BSR. Usually,
Bootstrap messages are multicast with TTL 1 to the ALL-PIM-ROUTERS
group, but in some circumstances (described in section 3.5) Bootstrap
messages are unicast to a specific PIM neighbor.

The IP source address used for Candidate-RP-Advertisement messages is a
domain-wide reachable address. The IP source address used for Bootstrap
messages (regardless of whether they are being originated or forwarded)
is the link-local address of the interface on which the message is being
sent (that is, the same source address that the router uses for the
Hello messages it sends out that interface).

All Bootstrap and Candidate-RP-Advertisement messages SHOULD carry the
Router Alert IP option. See section 6 for information about the way in
which the Router Alert option is checked by receiving routers.

The IPv4 ALL-PIM-ROUTERS group is 224.0.0.13. The IPv6 ALL-PIM-ROUTERS
group is ff02::d.

In this section we use the following terms defined in the PIM-SM
specification [1]:

     o  Encoded-Unicast format

     o  Encoded-Group format

We repeat these here to aid readability.

Encoded-Unicast address

An Encoded-Unicast address takes the following format:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Addr Family  | Encoding Type |     Unicast Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...

Addr Family
     The PIM address family of the `Unicast Address' field of this
     address.

     Values of 0-127 are as assigned by the IANA for Internet Address
     Families in [10].
     Values 128-250 are reserved to be assigned by the IANA for
     PIM-specific Address Families. Values 251 through 255 are
     designated for private use. As there is no assignment authority
     for this space, collisions should be expected.

Encoding Type
     The type of encoding used within a specific Address Family. The
     value `0' is reserved for this field, and represents the native
     encoding of the Address Family.

Unicast Address
     The unicast address as represented by the given Address Family and
     Encoding Type.

Encoded-Group address

Encoded-Group addresses take the following format:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Addr Family  | Encoding Type |B| Reserved  |Z|  Mask Len     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                Group multicast Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...

Addr Family
     described above.

Encoding Type
     described above.

[B]IDIR bit
     When set, all BIDIR capable PIM routers will operate the protocol
     described in [2] for the specified group range.

Reserved
     Transmitted as zero. Ignored upon receipt.

Admin Scope [Z]one
     When set, this bit indicates that this group address range is an
     administratively scoped range.

Mask Len
     The Mask length field is 8 bits. The value is the number of
     contiguous one bits left justified used as a mask which, combined
     with the group address, describes a range of groups. It is less
     than or equal to the address length in bits for the given Address
     Family and Encoding Type. If the message is sent for a single
     group then the Mask length must equal the address length in bits
     for the given Address Family and Encoding Type. (e.g. 32 for IPv4
     native encoding and 128 for IPv6 native encoding).

Group multicast Address
     Contains the group address.

4.1. Bootstrap Message Format

A Bootstrap message is divided up into `semantic fragments' if the
original message exceeds the maximum packet size boundaries. Basically,
a single Bootstrap message can be sent as multiple packets (semantic
fragments), so long as the fragment tags of all the packets comprising
the message are the same.

The format of a single `fragment' is given below:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|PIM Ver| Type  |   Reserved    |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Fragment Tag          | Hash Mask Len | BSR Priority  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             BSR Address (Encoded-Unicast format)              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Group Address 1 (Encoded-Group format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RP Count 1    | Frag RP Cnt 1 |         Reserved              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address 1 (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RP1 Holdtime         | RP1 Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address 2 (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RP2 Holdtime         | RP2 Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               .                               |
|                               .                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address m (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RPm Holdtime         | RPm Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Group Address 2 (Encoded-Group format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               .                               |
|                               .                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Group Address n (Encoded-Group format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RP Count n    | Frag RP Cnt n |         Reserved              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address 1 (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RP1 Holdtime         | RP1 Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address 2 (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RP2 Holdtime         | RP2 Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               .                               |
|                               .                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address m (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RPm Holdtime         | RPm Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

PIM Version, Reserved, Checksum
     Described in [1].

Type
     PIM Message Type. Value is 4 for a Bootstrap message.

Fragment Tag
     A randomly generated number, acts to distinguish the fragments
     belonging to different Bootstrap messages; fragments belonging to
     the same Bootstrap message carry the same `Fragment Tag'.

Hash Mask Len
     The length (in bits) of the mask to use in the hash function.
     For IPv4 we recommend a value of 30. For IPv6 we recommend a value
     of 126. This field SHOULD be the same for all fragments belonging
     to the same Bootstrap message.

BSR Priority
     Contains the BSR priority value of the included BSR. This field is
     considered as a high order byte when comparing BSR addresses. Note
     that for historical reasons, the highest BSR priority is 255 (the
     higher the better), whereas the highest RP Priority (see below) is
     0 (the lower the better).

BSR Address
     The address of the bootstrap router for the domain. The format for
     this address is given in the Encoded-Unicast address in [1].

Group Address 1..n
     The group prefix (address and mask) with which the Candidate-RPs
     are associated. Format described in [1]. In a fragment containing
     admin scope ranges, the first group address in the fragment MUST
     satisfy the following conditions: it MUST have the Admin Scope bit
     set; for IPv4 it MUST be the group range for the entire admin scope
     range (this is the case even if there are no RPs in the RP-Set for
     the entire admin scope range - in this case the sub-ranges for the
     RP-Set are specified later in the fragment along with their RPs);
     for IPv6 the Mask Len MUST be at least 16 and have the scope ID of
     the admin scope range.

RP Count 1..n
     The number of Candidate-RP addresses included in the whole
     Bootstrap message for the corresponding group prefix. A router
     does not replace its old RP-Set for a given group prefix
     until/unless it receives `RP-Count' addresses for that prefix; the
     addresses could be carried over several fragments. If only part of
     the RP-Set for a given group prefix was received, the router
     discards it, without updating that specific group prefix's RP-Set.

Frag RP Cnt 1..m
     The number of Candidate-RP addresses included in this fragment of
     the Bootstrap message, for the corresponding group prefix. The
     `Frag RP Cnt' field facilitates parsing of the RP-Set for a given
     group prefix, when carried over more than one fragment.

RP address 1..m
     The address of the Candidate-RPs, for the corresponding group
     prefix. The format for these addresses is given in the
     Encoded-Unicast address in [1].

RP1..m Holdtime
     The Holdtime (in seconds) for the corresponding RP. This field is
     copied from the `Holdtime' field of the associated RP stored at the
     BSR.

RP1..m Priority
     The `Priority' of the corresponding RP and Encoded-Group Address.
     This field is copied from the `Priority' field stored at the BSR
     when receiving a C-RP-Adv message. The highest priority is `0'
     (i.e. unlike BSR priority, the lower the value of the `Priority'
     field, the better). Note that the priority is per RP per Group
     Address.

Within a Bootstrap message, the BSR Address, all the Group Addresses and
all the RP Addresses MUST be of the same address family. In addition,
the address family of the fields in the message MUST be the same as the
IP source and destination addresses of the packet. This permits maximum
implementation flexibility for dual-stack IPv4/IPv6 routers.

4.1.1. Semantic Fragmentation of BSMs

Bootstrap messages may be split over several PIM Bootstrap Message
Fragment (BSMF) packets; this is known as semantic fragmentation. It is
needed when the BSM would exceed the MTU of the link the packet will be
forwarded over.

The packet would be too large because the set of group prefixes and the
RPs for each group prefix are too long to fit in one packet. The BSR
will then split the BSM across several BSMF packets; each of these must
be a well-formed BSMF packet in its own right.
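
Since every fragment has to be well-formed on its own, a receiver can
validate each BSMF before touching RP-Set state. The parser below is an
added example, not the draft's code: it follows the field layout of
section 4.1, leaves the PIM checksum of [1] unverified, and its names
(parse_bsmf, usable_rp_sets, BsmfError) and the constructed sample
packet are assumptions.

```python
import ipaddress
import struct

AF_LEN = {1: 4, 2: 16}  # IANA address family number -> address length in bytes


class BsmfError(ValueError):
    """The fragment is malformed and must not update any RP-Set state."""


def _take(buf, off, n):
    if off + n > len(buf):
        raise BsmfError(f"truncated: need {n} bytes at offset {off}")
    return buf[off:off + n], off + n


def _unicast(buf, off, want_family=None):
    (family, enc), off = _take(buf, off, 2)
    if enc != 0 or family not in AF_LEN:
        raise BsmfError(f"unsupported family/encoding {family}/{enc}")
    if want_family not in (None, family):
        raise BsmfError("mixed address families in one Bootstrap message")
    raw, off = _take(buf, off, AF_LEN[family])
    return family, ipaddress.ip_address(raw), off


def _group(buf, off, want_family):
    (family, enc, flags, mask_len), off = _take(buf, off, 4)
    if enc != 0 or family != want_family:
        raise BsmfError("group address family/encoding mismatch")
    raw, off = _take(buf, off, AF_LEN[family])
    if mask_len > 8 * AF_LEN[family]:
        raise BsmfError(f"Mask Len {mask_len} exceeds address length")
    prefix = ipaddress.ip_network(f"{ipaddress.ip_address(raw)}/{mask_len}", strict=False)
    return prefix, bool(flags & 0x80), bool(flags & 0x01), off  # prefix, B, Z


def parse_bsmf(pkt):
    """Parse one Bootstrap Message Fragment (PIM header included)."""
    hdr, off = _take(pkt, 0, 8)
    ver_type, _rsvd, _cksum, tag, hash_mask_len, bsr_prio = struct.unpack("!BBHHBB", hdr)
    if ver_type & 0x0F != 4:
        raise BsmfError("PIM Message Type is not 4 (Bootstrap)")
    family, bsr, off = _unicast(pkt, off)
    groups = []
    while off < len(pkt):
        prefix, bidir, zone, off = _group(pkt, off, family)
        raw, off = _take(pkt, off, 4)
        rp_count, frag_rp_cnt, _ = struct.unpack("!BBH", raw)
        if frag_rp_cnt > rp_count:  # sanity check implied by the field definitions
            raise BsmfError("Frag RP Cnt exceeds RP Count")
        rps = []
        for _ in range(frag_rp_cnt):
            _fam, rp, off = _unicast(pkt, off, family)
            raw, off = _take(pkt, off, 4)
            holdtime, priority, _rsvd = struct.unpack("!HBB", raw)
            rps.append((str(rp), holdtime, priority))
        # The Z bit only counts on the first group range; ignore it elsewhere.
        groups.append({"prefix": str(prefix), "bidir": bidir,
                       "zone": zone and not groups, "rp_count": rp_count, "rps": rps})
    scoped = bool(groups) and groups[0]["zone"]
    if scoped and family == 2 and any(
            ipaddress.ip_network(g["prefix"]).prefixlen < 16 for g in groups):
        raise BsmfError("scoped IPv6 BSM with Mask Len below 16")
    return {"tag": tag, "hash_mask_len": hash_mask_len, "bsr_priority": bsr_prio,
            "bsr": str(bsr), "scoped": scoped, "groups": groups}


def usable_rp_sets(fragments):
    """Merge parsed fragments of one BSM. A prefix's RP list may replace the
    old one only once RP Count addresses for it have arrived."""
    if len({f["tag"] for f in fragments}) > 1:
        raise BsmfError("fragments carry different Fragment Tags")
    seen = {}
    for frag in fragments:
        for g in frag["groups"]:
            want, rps = seen.setdefault(g["prefix"], (g["rp_count"], []))
            rps.extend(g["rps"])
    return {p: rps for p, (want, rps) in seen.items() if len(rps) == want}


# Constructed sample fragment: BSR 192.0.2.9 (priority 100), scoped range
# 239.1.0.0/16 with RP Count 2 but only one RP carried in this fragment.
SAMPLE = bytes.fromhex(
    "24000000" "12341e64" "0100c0000209"
    "01000110ef010000" "02010000"
    "0100c0000221" "0096c000")
```

Parsing SAMPLE alone leaves 239.1.0.0/16 out of usable_rp_sets, because
only one of the two RPs announced by RP Count has arrived.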

If the BSR can split up the BSM so that different group prefixes (and
their RP information) can fit in different fragments, then it should do
so. If one of these BSMF packets is then lost, the state from the
previous BSM for the group-prefix from the missing packet will be
retained. Each fragment that does arrive will update the RP information
for the group-prefixes contained in that fragment, and the new
group-to-RP mapping for those can be used immediately. The information
from the missing fragment will be obtained when the BSM is next
transmitted. In this case, whilst the Fragment Tag must be set to the
same value for all BSMFs comprising a single BSM, the tag is not
actually used by routers receiving the BSM.

If the list of RPs for a single group-prefix is too long to fit in a
single BSMF packet, then that information must be split across multiple
BSMF packets. In this case, all the BSMF packets comprising the
information for that group-prefix must be received before the
group-to-RP mapping in use can be modified. This is the purpose of the
RP Count field - a router receiving BSMF packets from the same BSM
(i.e. that have the same fragment tag) must wait until the BSMFs
providing RP Count RPs for that group-prefix have been received before
the new group-to-RP mapping can be used for that group-prefix. If a
single BSMF from such a large group-prefix is lost, then that entire
group-prefix will have to wait until the next BSM is originated.

Next we need to consider how a BSR would remove group-prefixes from the
BSM. A router receiving a set of BSMFs cannot tell if a group-prefix is
missing. If it has seen a group-prefix before, it must assume that that
group-prefix still exists, and that the BSMF describing it has been
lost. It should retain this information for BS_Timeout.
Thus for a BSR to remove a group-prefix from the BSM, it should include
that group-prefix, but with an RP Count of zero, and it should resend
this information in each BSM for BS_Timeout.

4.2. Candidate-RP-Advertisement Message Format

Candidate-RP-Advertisement messages are periodically unicast from the
C-RPs to the BSR.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|PIM Ver| Type  |   Reserved    |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Prefix Count  |   Priority    |           Holdtime            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              RP Address (Encoded-Unicast format)              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Group Address 1 (Encoded-Group format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               .                               |
|                               .                               |
|                               .                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Group Address n (Encoded-Group format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

PIM Version, Reserved, Checksum
     Described in [1].

Type
     PIM Message Type. Value is 8 for a Candidate-RP-Advertisement
     message.

Prefix Count
     The number of encoded group addresses included in the message;
     indicating the group prefixes for which the C-RP is advertising.
     C-RPs MUST NOT send C-RP-Adv messages with a Prefix Count of `0'.

Priority
     The `Priority' of the included RP, for the corresponding
     Encoded-Group Address (if any). The highest priority is `0' (i.e.
     the lower the value of the `Priority' field, the higher the
     priority). This field is stored at the BSR upon receipt along with
     the RP address and corresponding Encoded-Group Address.

Holdtime
     The amount of time (in seconds) the advertisement is valid.
This 1298 field allows advertisements to be aged out. This field should be 1299 set to 2.5 times C_RP_Adv_Period. 1301 RP Address 1302 The address of the interface to advertise as a Candidate RP. The 1303 format for this address is given in the Encoded-Unicast address in 1304 [1]. 1306 Group Address-1..n 1307 The group prefixes for which the C-RP is advertising. Format 1308 described in Encoded-Group-Address in [1]. 1310 Within a Candidate-RP-Advertisement message, the RP Address and all the 1311 Group Addresses MUST be of the same address family. In addition, the 1312 address family of the fields in the message MUST be the same as the IP 1313 source and destination addresses of the packet. This permits maximum 1314 implementation flexibility for dual-stack IPv4/IPv6 routers. 1316 5. Timers and Timer Values 1318 Timer Name: Bootstrap Timer (BST(Z)) 1320 +---------------------+--------------------------+----------------------+ 1321 | Value Name | Value | Explanation | 1322 +---------------------+--------------------------+----------------------+ 1323 | BS_Period | Default: 60 seconds | Periodic interval | 1324 | | | with which BSMs | 1325 | | | are normally | 1326 | | | originated | 1327 +---------------------+--------------------------+----------------------+ 1328 | BS_Timeout | Default: 130 seconds | Interval after | 1329 | | | which a BSR is | 1330 | | | timed out if no | 1331 | | | BSM is received | 1332 | | | from that BSR | 1333 +---------------------+--------------------------+----------------------+ 1334 | BS_Rand_Override | see below | Randomized | 1335 | | | interval used to | 1336 | | | reduce control | 1337 | | | message overhead | 1338 | | | during BSR | 1339 | | | election | 1340 +---------------------+--------------------------+----------------------+ 1342 Note that BS_Timeout MUST be larger than BS_Period, even if their values 1343 are changed from the defaults. We recommend that BS_Timeout is set to 2 1344 times BS_Period plus 10 seconds. 
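
Section 4.1's rules for a BSM that is fragmented by group-prefix can be modelled as follows. This is an added example, not code from the draft: the class, its method names and the shape of an entry are assumptions, and BS_TIMEOUT is the default from the Bootstrap Timer table.

```python
BS_TIMEOUT = 130  # seconds, default from the Bootstrap Timer table


class RPSetReceiver:
    """Group-to-RP state of one router fed with semantically fragmented BSMs.

    Simplified model (assumption): an entry is (fragment tag, group-prefix,
    RP Count, RPs in this fragment); priorities and holdtimes are left out.
    """

    def __init__(self):
        self.active = {}    # prefix -> (frozenset of RPs in use, last refresh)
        self.pending = {}   # prefix -> (fragment tag, RPs collected so far)

    def receive(self, now, fragment_tag, prefix, rp_count, rps):
        """Process one group-prefix entry; True if the mapping in use changed."""
        if rp_count == 0:                        # the BSR removes this prefix
            self.pending.pop(prefix, None)
            return self.active.pop(prefix, None) is not None
        tag, collected = self.pending.get(prefix, (fragment_tag, frozenset()))
        if tag != fragment_tag:                  # belongs to another BSM: restart
            collected = frozenset()
        collected |= frozenset(rps)
        if len(collected) < rp_count:            # more BSMFs are still needed
            self.pending[prefix] = (fragment_tag, collected)
            return False
        self.pending.pop(prefix, None)
        old = self.active.get(prefix, (None, None))[0]
        self.active[prefix] = (collected, now)
        return old != collected

    def expire(self, now):
        """Forget prefixes that no BSM has refreshed for BS_Timeout."""
        stale = sorted(p for p, (_, seen) in self.active.items()
                       if now - seen >= BS_TIMEOUT)
        for prefix in stale:
            del self.active[prefix]
        return stale

    def rps_for(self, prefix):
        """RPs currently in use for a group-prefix (empty if none)."""
        return sorted(self.active[prefix][0]) if prefix in self.active else []
```

A prefix whose RPs all fit in one fragment becomes usable on arrival, so the fragment tag only matters for a prefix whose RP list spans several BSMFs.
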
1346  BS_Rand_Override is calculated using the following pseudocode, in which
1347  all values are in units of seconds. The values of BS_Rand_Override
1348  generated by this pseudocode are between 5 and 23 seconds, with smaller
1349  values generated if the C-BSR has a high bootstrap weight, and larger
1350  values generated if the C-BSR has a low bootstrap weight.

1352     BS_Rand_Override = 5 + priorityDelay + addrDelay

1354  where priorityDelay is given by:

1356     priorityDelay = 2 * log_2(1 + bestPriority - myPriority)

1358  and addrDelay is given by the following for IPv4:

1360     if (bestPriority == myPriority) {
1361         addrDelay = log_2(1 + bestAddr - myAddr) / 16
1362     } else {
1363         addrDelay = 2 - (myAddr / 2^31)
1364     }

1366  and addrDelay is given by the following for IPv6:

1368     if (bestPriority == myPriority) {
1369         addrDelay = log_2(1 + bestAddr - myAddr) / 64
1370     } else {
1371         addrDelay = 2 - (myAddr / 2^127)
1372     }

1374  and bestPriority is given by:

1376     bestPriority = max(storedPriority, myPriority)

1378  and bestAddr is given by:

1380     bestAddr = max(storedAddr, myAddr)

1382  and where myAddr is the Candidate-BSR's address, storedAddr is the
1383  stored BSR's address, myPriority is the Candidate-BSR's configured
1384  priority, and storedPriority is the stored BSR's priority.

1386  Timer Name: Scope Zone Expiry Timer (SZT(Z))

1388  +----------------+-----------------------------+------------------------+
1389  | Value Name     | Value                       | Explanation            |
1390  +----------------+-----------------------------+------------------------+
1391  | SZ_Timeout     | Default: 1300 seconds       | Interval after         |
1392  |                |                             | which a scope zone     |
1393  |                |                             | is timed out if no     |
1394  |                |                             | BSM is received        |
1395  |                |                             | for that scope         |
1396  |                |                             | zone                   |
1397  +----------------+-----------------------------+------------------------+

1399  Note that SZ_Timeout MUST be larger than BS_Timeout, even if their
1400  values are changed from the defaults. We recommend that SZ_Timeout is
1401  set to 10 times BS_Timeout.

1403  Timer Name: Group-to-C-RP mapping Expiry Timer (CGET(M,Z))

1405  +--------------------------+--------------------+-----------------------+
1406  | Value Name               | Value              | Explanation           |
1407  +--------------------------+--------------------+-----------------------+
1408  | C-RP Mapping Timeout     | from message       | Holdtime from C-      |
1409  |                          |                    | RP-Adv message        |
1410  +--------------------------+--------------------+-----------------------+

1412  Timer Name: Group-to-RP mapping Expiry Timer (GET(M,Z))

1414  +-------------------------+--------------------+------------------------+
1415  | Value Name              | Value              | Explanation            |
1416  +-------------------------+--------------------+------------------------+
1417  | RP Mapping Timeout      | from message       | Holdtime from BSM      |
1418  +-------------------------+--------------------+------------------------+

1420  Timer Name: C-RP Advertisement Timer (CRPT)

1422  +---------------------+-------------------------+-----------------------+
1423  | Value Name          | Value                   | Explanation           |
1424  +---------------------+-------------------------+-----------------------+
1425  | C_RP_Adv_Period     | Default: 60 seconds     | Periodic interval     |
1426  |                     |                         | with which C-RP-      |
1427  |                     |                         | Adv messages are      |
1428  |                     |                         | sent to a BSR         |
1429  +---------------------+-------------------------+-----------------------+

1430  6. Security Considerations

1432  6.1. Possible Threats

1434  Threats affecting the PIM BSR mechanism are primarily of two forms:
1435  denial of service attacks, and traffic diversion attacks. An attacker
1436  that subverts the BSR mechanism can prevent multicast traffic from
1437  reaching the intended recipients, can divert multicast traffic to a
1438  place where they can monitor it, and can potentially flood third parties
1439  with traffic.

1441  Traffic can be prevented from reaching the intended recipients by one of
1442  two mechanisms:

1444    o Subverting a BSM, and specifying RPs that won't actually forward
1445      traffic.

1447    o Registering with the BSR as a C-RP, and then not forwarding
1448      traffic.

1450  Traffic can be diverted to a place where it can be monitored by both of
1451  the above mechanisms; in this case the RPs would forward the traffic,
1452  but are located so as to aid monitoring or man-in-the-middle attacks on
1453  the multicast traffic.

1455  A third party can be flooded by either of the above two mechanisms by
1456  specifying the third party as the RP, and register-encapsulated traffic
1457  will then be forwarded to them.

1459  6.2. Limiting Third-Party DoS Attacks

1461  The third party DoS attack above can be greatly reduced if PIM routers
1462  acting as DR do not continue to forward Register traffic to the RP in
1463  the presence of ICMP Protocol Unreachable or ICMP Host Unreachable
1464  responses. If a PIM router sending Register packets to an RP receives
1465  one of these responses to a data packet it has sent, it should rate-
1466  limit the transmission of future Register packets to that RP for a short
1467  period of time.

1469  As this does not affect interoperability, the precise details are left
1470  to the implementor to decide. However we note that a router
1471  implementing such rate limiting must only do so if the ICMP packet
1472  correctly echoes part of a Register packet that was sent to the RP. If
1473  this check were not made, then simply sending ICMP Unreachable packets
1474  to the DR with the source address of the RP spoofed would be sufficient
1475  to cause a denial-of-service attack on the multicast traffic originating
1476  from that DR.

1478  6.3. Bootstrap Message Security

1480  If a legitimate PIM router is compromised, there is little any security
1481  mechanism can do to prevent that router subverting PIM traffic in that
1482  domain. However we recommend that implementors provide a mechanism
1483  whereby a PIM router using the BSR mechanisms can be configured with the
1484  IP addresses of valid BSR routers, and that any Bootstrap message from
1485  any other BSR should then be dropped and logged as a security issue. We
1486  also recommend that this not be enabled by default, as it makes the
1487  initial configuration of a PIM domain problematic - it is the sort of
1488  feature that might be enabled once the configuration of a domain has
1489  stabilized.

1491  The primary security requirement for BSR (as for PIM) is that it is
1492  possible to prevent hosts that are not legitimate PIM routers, either
1493  within or outside the domain, from subverting the BSR mechanism.

1495  The Bootstrap Message Processing Checks prevent a router from accepting
1496  a Bootstrap message from outside of the PIM Domain, as the source
1497  address on Bootstrap messages must be an immediate PIM neighbor. There
1498  is however a small window of time after a reboot where a PIM router will
1499  accept a bad Bootstrap message unicast from an immediate neighbor, and
1500  it might be possible to unicast a Bootstrap message to a router during
1501  this interval from outside the domain, using the spoofed source address
1502  of a neighbor. This can be prevented if PMBRs perform source-address
1503  filtering to prevent packets entering the PIM domain with IP source
1504  addresses that are infrastructure addresses in the PIM domain.

1506  The principal threat to Bootstrap message security comes from hosts
1507  within the PIM domain that attempt to subvert the BSR mechanism. They
1508  may be able to do this by sending PIM messages to their local router, or
1509  by unicasting a Bootstrap message to another PIM router during the brief
1510  interval after it has restarted.

1512  6.3.1. Rejecting Unicast Bootstrap Messages

1514  All Bootstrap messages SHOULD carry the Router Alert IP option. If a
1515  PIM router receives a Bootstrap message that does not carry the Router
1516  Alert option, it SHOULD drop it (a configuration option should also be
1517  provided to disable this check on a per-interface basis for backward
1518  compatibility with older PIM routers). The Router Alert option allows a
1519  PIM router to perform checks on unicast packets it would otherwise
1520  blindly forward. All PIM routers should check that packets with Router
1521  Alert that are not destined for the router itself are not PIM Bootstrap
1522  messages. Any such packets should be dropped and logged as a possible
1523  security issue - it is never acceptable for a PIM Bootstrap message to
1524  travel multiple IP hops.

1526  6.3.2. Rejecting Bootstrap Messages from Invalid Neighbors

1528  Most hosts that are likely to attempt to subvert PIM BSR are likely to
1529  be located on leaf subnets. We recommend that implementors provide a
1530  configuration option that specifies an interface is a leaf subnet, and
1531  that no PIM packets are accepted on such interfaces.

1533  On multi-access subnets with multiple PIM routers and hosts that are not
1534  trusted, we recommend that IPsec AH is used to protect communication
1535  between PIM routers, and that such routers are configured to drop and
1536  log communication attempts from any host that do not pass the
1537  authentication check. When all the PIM routers are under the same
1538  administrative control, this authentication may use a configured shared
1539  secret. The securing of interactions between PIM neighbors is discussed
1540  in more detail in the Security Considerations section of [1], and so we
1541  do not discuss the details further here. The same security mechanisms
1542  that can be used to secure PIM Join, Prune and Assert messages should
1543  also be used to secure Bootstrap messages.

1545  6.4. Candidate-RP-Advertisement Message Security

1547  Even if it is not possible to subvert Bootstrap messages, an attacker
1548  might be able to perform most of the same attacks by simply sending C-
1549  RP-Adv messages to the BSR specifying the attacker's choice of RPs.
1550  Thus it is necessary to control the sending of C-RP-Adv messages in
1551  essentially the same ways that we control Bootstrap messages. However,
1552  C-RP-Adv messages are unicast and normally travel multiple hops, so
1553  controlling them is more difficult.

1555  6.4.1. Non-Cryptographic Security of C-RP-Adv Messages

1557  We specify that C-RP-Adv messages SHOULD also carry the Router Alert IP
1558  option, and that the BSR SHOULD by default drop and log C-RP-Adv
1559  messages that do not carry this option. Setting Router Alert on these
1560  packets is practical because the rate of C-RP-Adv messages should be
1561  very low, so the extra load on routers forwarding these packets will be
1562  insignificant. PIM routers forwarding such a packet may then be capable
1563  of checking whether the packet came from a valid PIM neighbor, although
1564  note that such checks are only possible if the unicast and multicast
1565  topologies in the network are congruent. If this is not the case, it is
1566  legitimate to receive a C-RP-Adv message from a router which is not a
1567  valid PIM neighbor, and therefore in this situation a PIM router MUST
1568  NOT drop C-RP-Adv messages that do not come from a valid PIM neighbor.

1570  If the unicast and multicast topologies are known to be congruent, the
1571  following checks should be made. On interfaces that are configured to
1572  be leaf subnets, all C-RP-Adv messages should be dropped. On multi-
1573  access subnets with multiple PIM routers and hosts that are not trusted,
1574  the router can at least check that the source MAC address is that of a
1575  valid PIM neighbor. PMBRs should ensure that no C-RP-Adv messages enter
1576  the domain from an external neighbor.

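
A BSR-side acceptance check for C-RP-Adv messages, combining the section 4.2 format rules with the Router Alert rule of section 6.4.1 (an added example, not code from the draft). The Encoded-Unicast and Encoded-Group layouts and the checksum are taken from the PIM-SM specification [1] and the address family numbers 1 and 2 from the IANA registry [10]; ip_family and router_alert are hypothetical inputs supplied by the receive path, and the sample message is constructed.

```python
import ipaddress
import struct

PIM_VERSION, TYPE_C_RP_ADV = 2, 8   # Type 8: section 4.2
ADDR_LEN = {1: 4, 2: 16}            # IANA address family -> bytes (IPv4, IPv6)


class DropAndLog(ValueError):
    """The message is dropped; the exception text is the reason to log."""


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum over a whole PIM message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _read_addr(msg, off, ip_family, group):
    """Decode one Encoded-Unicast or Encoded-Group address (layouts from [1])."""
    head = 4 if group else 2        # family, encoding type [, flags, mask length]
    if len(msg) < off + head:
        raise DropAndLog("truncated encoded address")
    if msg[off] != ip_family:
        raise DropAndLog("address family differs from the IP header")
    if msg[off + 1] != 0:
        raise DropAndLog("unsupported address encoding type")
    end = off + head + ADDR_LEN[ip_family]
    if len(msg) < end:
        raise DropAndLog("truncated encoded address")
    packed = msg[off + head:end]
    if not group:
        return ipaddress.ip_address(packed), end
    if msg[off + 3] > 8 * len(packed):
        raise DropAndLog("mask length exceeds address length")
    return ipaddress.ip_network((packed, msg[off + 3]), strict=False), end


def accept_c_rp_adv(msg: bytes, ip_family: int, router_alert: bool) -> dict:
    """BSR-side validation of a C-RP-Adv; raises DropAndLog to reject it."""
    if ip_family not in ADDR_LEN:
        raise ValueError("ip_family must be 1 (IPv4) or 2 (IPv6)")
    if not router_alert:                                   # section 6.4.1
        raise DropAndLog("no Router Alert option")
    if len(msg) < 8:
        raise DropAndLog("truncated header")
    if inet_checksum(msg) != 0:                            # intact messages give 0
        raise DropAndLog("bad checksum")
    ver_type, _, _, prefix_count, priority, holdtime = struct.unpack(
        "!BBHBBH", msg[:8])
    if (ver_type >> 4, ver_type & 0x0F) != (PIM_VERSION, TYPE_C_RP_ADV):
        raise DropAndLog("not a PIMv2 C-RP-Adv")
    if prefix_count == 0:                                  # section 4.2 MUST NOT
        raise DropAndLog("Prefix Count of 0")
    rp, off = _read_addr(msg, 8, ip_family, group=False)
    groups = []
    for _ in range(prefix_count):
        prefix, off = _read_addr(msg, off, ip_family, group=True)
        groups.append(prefix)
    return {"rp": rp, "priority": priority, "holdtime": holdtime,
            "groups": groups}


def constructed_sample(prefix_count: int = 1) -> bytes:
    """Constructed IPv4 message: RP 192.0.2.1, one /24, holdtime 2.5 * 60 s."""
    body = struct.pack("!BBHBBH", 0x28, 0, 0, prefix_count, 192, 150)
    body += bytes([1, 0]) + ipaddress.ip_address("192.0.2.1").packed
    body += bytes([1, 0, 0, 24]) + ipaddress.ip_address("233.252.0.0").packed
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
```

These checks only establish that a message is well formed and arrived with Router Alert; they do not authenticate the sender, which is the job of the IPsec mechanism in section 6.4.2.
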
1578  6.4.2. Cryptographic Security of C-RP-Adv Messages

1580  For true security, we recommend that all C-RPs are configured to use
1581  IPsec authentication. The authentication process for a C-RP-Adv message
1582  between a C-RP and the BSR is identical to the authentication process
1583  for PIM Register messages between a DR and the relevant RP, except that
1584  there will normally be fewer C-RPs in a domain than there are DRs, so
1585  key management is a little simpler. We do not describe the details of
1586  this process further here, but refer to the Security Considerations
1587  section of [1]. Note that the use of cryptographic security for C-RP-
1588  Adv messages does not remove the need for the non-cryptographic
1589  mechanisms, as explained below.

1591  6.5. Denial of Service using IPsec

1593  An additional concern is that of Denial-of-Service attacks caused by
1594  sending high volumes of Bootstrap messages or C-RP-Adv messages with
1595  invalid IPsec authentication information. It is possible that these
1596  messages could overwhelm the CPU resources of the recipient.

1598  The non-cryptographic security mechanisms above prevent unicast
1599  Bootstrap messages from traveling multiple hops, and constrain who can
1600  originate such messages. However, it is obviously important that PIM
1601  messages that are required to have Router Alert checked are checked for
1602  this option before the IPsec AH is checked. Thus the remaining
1603  vulnerability primarily exists for hosts on multi-access subnets
1604  containing more than one PIM router. A PIM router receiving PIM packets
1605  with Router Alert set from such a subnet should already be checking that
1606  the source MAC address is that of a valid PIM neighbor, but this is
1607  hardly strong security. In addition, we recommend that rate-limiting
1608  mechanisms can be configured, to be applied to the forwarding of unicast
1609  PIM packets containing Router Alert options. The rate-limiter MUST
1610  independently rate-limit different types of PIM packets - for example a
1611  flood of C-RP-Adv messages MUST NOT cause a rate limiter to drop low-
1612  rate Bootstrap messages. Such a rate-limiter might itself be used to
1613  cause a denial of service attack by causing valid packets to be dropped,
1614  but in practice this is more likely to constrain bad PIM messages close
1615  to their origin. In addition, the rate limiter will prevent attacks on
1616  PIM from affecting other activity on the destination router, such as
1617  unicast routing.

1619  7. Contributors

1621  Bill Fenner, Mark Handley, Roger Kermode and David Thaler have
1622  contributed greatly to this draft. They were authors of this draft up
1623  to version 03. Most of the current text is identical to 03.

1625  8. Acknowledgments

1627  PIM-SM was designed over many years by a large group of people,
1628  including ideas from Deborah Estrin, Dino Farinacci, Ahmed Helmy, Steve
1629  Deering, Van Jacobson, C. Liu, Puneet Sharma, Liming Wei, Tom Pusateri,
1630  Tony Ballardie, Scott Brim, Jon Crowcroft, Paul Francis, Joel Halpern,
1631  Horst Hodel, Polly Huang, Stephen Ostrowski, Lixia Zhang, Girish
1632  Chandranmenon, Pavlin Radoslavov, John Zwiebel, Isidor Kouvelas and Hugh
1633  Holbrook. This BSR specification draws heavily on text from RFC 2362.

1635  Many members of the PIM Working Group have contributed comments and
1636  corrections for this document, including Christopher Thomas Brown, Ardas
1637  Cilingiroglu, Murthy Esakonu, Venugopal Hemige, Prashant Jhingran,
1638  Rishabh Parekh and Katta Sambasivarao.

1640  9. IANA Considerations

1642  This document has no actions for IANA.

1644  10. Normative References

1646  [1] W. Fenner, M. Handley, H. Holbrook, I. Kouvelas, "Protocol
1647      Independent Multicast - Sparse Mode (PIM-SM): Protocol
1648      Specification (Revised)", Internet Draft draft-ietf-pim-sm-
1649      v2-new-11.txt

1651  [2] M. Handley, I. Kouvelas, T. Speakman, L. Vicisano, "Bi-directional
1652      Protocol Independent Multicast (BIDIR-PIM)", Internet Draft draft-
1653      ietf-pim-bidir-07.txt

1655  [3] D. Meyer, "Administratively Scoped IP Multicast", RFC 2365, Jul
1656      1998.

1658  [4] S. Deering, B. Haberman, T. Jinmei, E. Nordmark, B. Zill, "IPv6
1659      Scoped Address Architecture", RFC 4007, Mar 2005.

1661  [5] R. Hinden, S. Deering, "Internet Protocol Version 6 (IPv6)
1662      Addressing Architecture", RFC 3513, Apr 2003.

1664  [6] S. Bradner, "Key words for use in RFCs to Indicate Requirement
1665      Levels", BCP 14, RFC 2119, Mar 1997.

1667  11. Informative References

1669  [7] D. Estrin et al., "Protocol Independent Multicast - Sparse Mode
1670      (PIM-SM): Protocol Specification", RFC 2362, June 1998 (now
1671      obsolete).

1673  [8] D. Kim, D. Meyer, H. Kilmer, D. Farinacci, "Anycast Rendevous Point
1674      (RP) mechanism using Protocol Independent Multicast (PIM) and
1675      Multicast Source Discovery Protocol (MSDP)", RFC 3446, Jan 2003.

1677  [9] D. Farinacci, Y. Cai, "Anycast-RP using PIM", Internet Draft draft-
1678      ietf-pim-anycast-rp-04.txt

1680  [10] IANA, "Address Family Numbers", linked from
1681      http://www.iana.org/numbers.html

1683  Authors' Addresses

1685     Nidhi Bhaskar
1686     Cisco Systems
1687     170 W. Tasman Drive
1688     San Jose, CA 95134
1689     USA
1690     nbhaskar@cisco.com

1692     Alexander Gall
1693     SWITCH
1694     Limmatquai 138
1695     P.O. Box
1696     CH-8021 Zurich
1697     Switzerland
1698     gall@switch.ch

1700     James Lingard
1701     Data Connection Ltd
1702     100 Church Street
1703     Enfield
1704     EN2 6BQ
1705     United Kingdom
1706     james@lingard.com

1707     Stig Venaas
1708     UNINETT
1709     NO-7465 Trondheim
1710     Norway
1711     venaas@uninett.no

1713  Copyright Statement

1715  Copyright (C) The Internet Society (2005). This document is subject to
1716  the rights, licenses and restrictions contained in BCP 78, and except as
1717  set forth therein, the authors retain all their rights.

1719  This document and the information contained herein are provided on an
1720  "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
1721  IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1722  ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1723  INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1724  INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1725  WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1727  Intellectual Property

1729  The IETF takes no position regarding the validity or scope of any
1730  Intellectual Property Rights or other rights that might be claimed to
1731  pertain to the implementation or use of the technology described in this
1732  document or the extent to which any license under such rights might or
1733  might not be available; nor does it represent that it has made any
1734  independent effort to identify any such rights. Information on the
1735  procedures with respect to rights in RFC documents can be found in BCP
1736  78 and BCP 79.

1738  Copies of IPR disclosures made to the IETF Secretariat and any
1739  assurances of licenses to be made available, or the result of an attempt
1740  made to obtain a general license or permission for the use of such
1741  proprietary rights by implementers or users of this specification can be
1742  obtained from the IETF on-line IPR repository at
1743  http://www.ietf.org/ipr.

1745  The IETF invites any interested party to bring to its attention any
1746  copyrights, patents or patent applications, or other proprietary rights
1747  that may cover technology that may be required to implement this
1748  standard. Please address the information to the IETF at ietf-
1749  ipr@ietf.org.