Internet Engineering Task Force                                   PIM WG
INTERNET-DRAFT                                       Nidhi Bhaskar/Cisco
draft-ietf-pim-sm-bsr-07.txt                       Alexander Gall/SWITCH
                                                           James Lingard
                                                     Stig Venaas/UNINETT
                                                            3 March 2006
Expires: September 2006

                Bootstrap Router (BSR) Mechanism for PIM

Status of this Document

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware have
been or will be disclosed, and any of which he or she becomes aware will
be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

This document is a product of the IETF PIM WG. Comments should be
addressed to the authors, or the WG's mailing list at pim@ietf.org.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

This document specifies the Bootstrap Router (BSR) mechanism for the
class of multicast routing protocols in the PIM (Protocol Independent
Multicast) family that use the concept of a Rendezvous Point as a means
for receivers to discover the sources that send to a particular
multicast group. BSR is one way that a multicast router can learn the
set of group-to-RP mappings required in order to function.
The mechanism is dynamic, largely self-configuring, and robust to router
failure.

Table of Contents

1. Introduction
   1.1. Background
   1.2. Protocol Overview
   1.3. Administrative Scoping and BSR
2. BSR State and Timers
3. Bootstrap Router Election and RP-Set Distribution
   3.1. Bootstrap Router Election
      3.1.1. Per-Scope-Zone Candidate-BSR State Machine
      3.1.2. Per-Scope-Zone State Machine for Non-Candidate-BSR Routers
      3.1.3. Bootstrap Message Processing Checks
      3.1.4. State Machine Transition Events
      3.1.5. State Machine Actions
   3.2. Sending Candidate-RP-Advertisement Messages
   3.3. Creating the RP-Set at the BSR
   3.4. Forwarding Bootstrap Messages
   3.5. Unicasting Bootstrap Messages to New and Rebooting Routers
   3.6. Receiving and Using the RP-Set
4. Message Formats
   4.1. Bootstrap Message Format
      4.1.1. Semantic Fragmentation of BSMs
   4.2. Candidate-RP-Advertisement Message Format
5. Timers and Timer Values
6. Security Considerations
   6.1. Possible Threats
   6.2. Limiting Third-Party DoS Attacks
   6.3. Bootstrap Message Security
      6.3.1. Rejecting Unicast Bootstrap Messages
      6.3.2. Rejecting Bootstrap Messages from Invalid Neighbors
   6.4. Candidate-RP-Advertisement Message Security
      6.4.1. Non-Cryptographic Security of C-RP-Adv Messages
      6.4.2. Cryptographic Security of C-RP-Adv Messages
   6.5. Denial of Service using IPsec
7. Contributors
8. Acknowledgments
9. IANA Considerations
10. Normative References
11. Informative References

1. Introduction

This document assumes some familiarity with the concepts of Protocol
Independent Multicast - Sparse Mode (PIM-SM), as defined in [1], and
Bi-directional Protocol Independent Multicast (BIDIR-PIM), as defined in
[2], as well as with Administratively Scoped IP Multicast, as described
in [3], and the IPv6 Scoped Address Architecture, described in [4].

For correct operation, every multicast router within a PIM domain must
be able to map a particular multicast group address to the same
Rendezvous Point (RP). The PIM specifications do not mandate the use of
a single mechanism to provide routers with the information to perform
this group-to-RP mapping.

This document describes the PIM Bootstrap Router (BSR) mechanism. BSR
is one way that a multicast router can learn the information required to
perform the group-to-RP mapping. The mechanism is dynamic, largely
self-configuring, and robust to router failure.

BSR was first defined in RFC 2362 [9], which has since been obsoleted.
This document provides an updated specification of the BSR mechanism
from RFC 2362, and also extends it to cope with administratively scoped
region boundaries and different flavors of routing protocols.

Throughout the document, any reference to the PIM protocol family is
restricted to the subset of RP-based protocols, namely PIM-SM and
BIDIR-PIM, unless stated otherwise.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [6].

1.1. Background

A PIM domain is a contiguous set of routers that all implement PIM and
are configured to operate within a common boundary defined by PIM
Multicast Border Routers (PMBRs). PMBRs connect each PIM domain to the
rest of the internet.

Every PIM multicast group needs to be associated with the IP address of
a Rendezvous Point (RP). This address is used as the root of a
group-specific distribution tree whose branches extend to all nodes in
the domain that want to receive traffic sent to the group. Senders
inject packets into the tree in such a manner that they reach all
connected receivers. How this is done and how the packets are forwarded
along the distribution tree depends on the particular routing protocol.

For all senders to reach all receivers, it is crucial that all routers
in the domain use the same mappings of group addresses to RP addresses.

An exception to the above is where a PIM domain has been broken up into
multiple administrative scope regions. These are regions where a border
has been configured so that a set of multicast groups will not be
forwarded across that border. In this case, all PIM routers within the
same scope region must map a particular scoped group to the same RP
within that region.
In order to determine the RP for a multicast group, a PIM router
maintains a collection of group-to-RP mappings, called the RP-Set. A
group-to-RP mapping contains the following elements.

o  Multicast group range, expressed as an address and prefix length

o  RP priority

o  RP address

o  Hash mask length

o  SM / BIDIR flag

In general, the group ranges of these group-to-RP mappings may overlap
in arbitrary ways; hence a particular multicast group may be covered by
multiple group-to-RP mappings. When this is the case, the router
chooses only one of the RPs by applying a deterministic algorithm so
that all routers in the domain make the same choice. It is important to
note that this algorithm is part of the specification of the individual
routing protocols (and may differ among them), not of the BSR
specification. E.g. PIM-SM [1] defines one such algorithm. It makes
use of a hash function for the case where a group range has multiple RPs
with the same priority. The hash mask length is used by this function.

There are a number of ways in which such group-to-RP mappings can be
established. The simplest solution is for all the routers in the domain
to be statically configured with the same information. However, static
configuration generally doesn't scale well, and, except when used in
conjunction with Anycast-RP (see [10] and [11]), does not dynamically
adapt to route around router or link failures.

The BSR mechanism provides a way in which viable group-to-RP mappings
can be created and rapidly distributed to all the PIM routers in a
domain. It is adaptive, in that if an RP becomes unreachable, this will
be detected and the RP-Sets will be modified so that the unreachable RP
is no longer used.

1.2. Protocol Overview

In this section we give an informal and non-definitive overview of the
BSR mechanism. The definitive specification begins in section 2.
The general idea behind the BSR mechanism is that some of the PIM
routers within a PIM domain are configured to be potential RPs for the
domain. These are known as Candidate-RPs (C-RPs). A subset of the
C-RPs will eventually be used as the actual RPs for the domain. In
addition, some of the PIM routers in the domain are configured to be
candidate bootstrap routers, or Candidate-BSRs (C-BSRs). One of these
C-BSRs will be elected to be the bootstrap router (BSR) for the domain,
and all the PIM routers in the domain will learn the result of this
election through Bootstrap messages. The C-RPs will then report their
candidacy to the elected BSR, which chooses a subset of these C-RPs and
distributes corresponding group-to-RP mappings to all the routers in the
domain through Bootstrap messages.

In more detail, the BSR mechanism works as follows. There are four
basic phases (although in practice all phases may be occurring
simultaneously):

1.   BSR Election. Each Candidate-BSR originates Bootstrap messages
     (BSMs). Every BSM contains a BSR Priority field. Routers within
     the domain flood the BSMs throughout the domain. A C-BSR that
     hears about a higher-priority C-BSR than itself then suppresses its
     sending of further BSMs for some period of time. The single
     remaining C-BSR becomes the elected BSR, and its BSMs inform all
     the other routers in the domain that it is the elected BSR.

2.   C-RP Advertisement. Each Candidate-RP within a domain sends
     periodic Candidate-RP-Advertisement (C-RP-Adv) messages to the
     elected BSR. A C-RP-Adv message includes the priority of the
     advertising C-RP, as well as a list of group ranges for which the
     candidacy is advertised. In this way, the BSR learns about
     possible RPs that are currently up and reachable.

3.   RP-Set Formation. The BSR selects a subset of the C-RPs that it
     has received C-RP-Adv messages from to form the RP-Set.
     In general it should do this in such a way that the RP-Set is
     neither too large to inform all the routers in the domain about,
     nor too small so that load is overly concentrated on some RPs. It
     should also attempt to produce an RP-Set that does not change
     frequently.

4.   RP-Set Flooding. In future Bootstrap messages, the BSR includes
     the RP-Set information. Bootstrap messages are flooded through the
     domain, which ensures that the RP-Set rapidly reaches all the
     routers in the domain. BSMs are originated periodically to ensure
     consistency after failure restoration.

     When a PIM router receives a Bootstrap message, it adds the
     group-to-RP mappings contained therein to its pool of mappings
     obtained from other sources (e.g. static configuration). It
     calculates the final mappings of group addresses to RP addresses
     from this pool according to rules specific to the particular
     routing protocol and uses that information to construct multicast
     distribution trees.

If a PIM domain becomes partitioned, each area separated from the old
BSR will elect its own BSR, which will distribute an RP-Set containing
RPs that are reachable within that partition. When the partition heals,
another election will occur automatically and only one of the BSRs will
continue to send out Bootstrap messages. As is expected at the time of
a partition or healing, some disruption in packet delivery may occur.
This time will be on the order of the region's round-trip time and the
BS_Timeout value.

1.3. Administrative Scoping and BSR

The mechanism described in the previous section does not work when the
PIM domain is divided into administratively scoped regions. To handle
this situation, we use the protocol modifications described in this
section.

Administrative scoping permits a PIM domain to be divided into multiple
admin-scope regions.
Each admin-scope region is a convex connected set of PIM routers, and is
associated with a set of group addresses. The boundary of the
admin-scope region is formed by Zone Border Routers (ZBRs). ZBRs are
configured not to forward traffic for any of the scoped group addresses
into or out of the scoped region. It is important to note that a given
scope boundary always creates at least two scoped regions: one on either
side of the boundary.

In IPv4, administratively scoped regions are associated with a set of
addresses given by an address and a prefix length. In IPv6,
administratively scoped regions are associated with a set of addresses
given by a single scope ID value. The set of addresses corresponding to
a given scope ID value is defined in [5]. For example, a scope ID of 5
maps to the 16 IPv6 address ranges ff[0-f]5::/16.

There are certain topological restrictions on admin-scope regions.
Firstly, the scope zone border must be complete and convex. By this we
mean that there must be no path from inside the scoped zone to outside
it that does not pass through a configured scope border router, and that
the multicast capable path between any arbitrary pair of multicast
routers in the scope zone must remain in the zone. In addition, a
boundary for one scope must always be a boundary for all smaller scopes,
where a smaller scope for IPv4 is one whose address range is contained
within the other address range, and for IPv6 is one whose scope ID is
less than the other scope ID.

Administrative scoping complicates BSR because we do not want a PIM
router within the scoped region to use an RP outside the scoped region.
Thus we need to modify the basic mechanism to ensure that this doesn't
happen.

This is done by running a separate copy of the basic BSR mechanism, as
described in the previous section, within each admin scope region of a
PIM domain.
Thus a separate BSR election takes place for each admin-scope region, a
C-RP typically registers to the BSR of every admin scope zone it is in,
and every PIM router receives Bootstrap messages for every scope zone it
is in. The Bootstrap messages sent by the BSR for a particular scope
zone contain information about the RPs that should be used for the set
of addresses associated with that scope zone.

Bootstrap messages are marked to indicate which scope zone they belong
to. Such admin scoped Bootstrap messages are flooded in the normal way,
but will not be forwarded by a ZBR across the boundary for that scope
zone.

For the BSR mechanism to function correctly with admin scoping, within
each admin scope region there must be at least one C-BSR, and at least
one C-RP that is configured to be a C-RP for the set of group addresses
associated with the scoped region.

Even when administrative scoping is used, a copy of the BSR mechanism is
still used across the entire PIM domain, in order to distribute RP
information for groups that are not administratively scoped. We call
this copy of the mechanism Non-Scoped BSR. The copies of the mechanism
run for each admin-scope region are called Scoped BSR.

Only the C-BSRs and the ZBRs need to be configured to know about the
existence of the scope zones. Other routers, including the C-RPs, learn
of their existence from Bootstrap messages.

All PIM routers within a PIM bootstrap domain where admin scope ranges
are in use must be capable of receiving Bootstrap messages and storing
the winning BSR and RP-Set for all admin scope zones that apply. Thus
PIM routers that only implement RFC 2362 or Non-Scoped BSR (which only
allows one BSR per domain) cannot be used within the admin-scope regions
of a PIM domain.

2. BSR State and Timers

A PIM router implementing BSR holds the following state.

   RP-Set

   Per Configured or Learned Scope Zone (Z):

      At all routers:

         Current Bootstrap Router's IP Address

         Current Bootstrap Router's BSR Priority

         Last BSM received from current BSR

         Bootstrap Timer (BST(Z))

         Per group-to-RP mapping (M):

            Group-to-RP mapping Expiry Timer (GET(M,Z))

      At a Candidate-BSR for Z:

         My state: One of "Candidate-BSR", "Pending-BSR",
                   "Elected-BSR"

      At a router that is not a Candidate-BSR for Z:

         My state: One of "Accept Any", "Accept Preferred"

         Scope-Zone Expiry Timer (SZT(Z))

      At the current Bootstrap Router for Z only:

         Per group-to-C-RP mapping (M):

            Group-to-C-RP mapping Expiry Timer (CGET(M,Z))

   At a C-RP only:

      C-RP Advertisement Timer (CRPT)

3. Bootstrap Router Election and RP-Set Distribution

3.1. Bootstrap Router Election

For simplicity, Bootstrap messages are used in both the BSR election and
the RP-Set distribution mechanisms.

Each Bootstrap message indicates the scope that it belongs to. If the
Admin Scope Zone bit is set in the first group range in the Bootstrap
message, the message is called a scoped BSM. If the Admin Scope Zone
bit is not set in the first group range in the Bootstrap message, the
message is called a non-scoped BSM.

In a scoped IPv4 BSM, the scope of the message is given by the first
group range in the message, which can be any sub-range of 224/4. In a
scoped IPv6 BSM, the scope of the message is given by the scope ID of
the first group range in the message, which must have a mask length of
at least 16. For example, a group range of ff05::/16 with the Admin
Scope Zone bit set indicates that the Bootstrap message is for the scope
with scope ID 5. If the mask length of the first group range in a
scoped IPv6 BSM is less than 16, the message MUST be dropped and a
warning SHOULD be logged.
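
The scope rule above, as an added example that is not part of the draft: a Python function that derives the scope of a BSM from its first group range and applies the IPv6 mask-length drop rule. The `GroupRange` type, the `DropBSM` exception and the returned tuple shape are assumptions of this example, as are treating a BSM with no group range as non-scoped and rejecting a scoped IPv4 range outside 224/4.

```python
import ipaddress
import logging
from dataclasses import dataclass
from typing import Optional, Tuple

log = logging.getLogger("bsr-example")
IPV4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")


class DropBSM(Exception):
    """The Bootstrap message must be dropped (hypothetical name)."""


@dataclass(frozen=True)
class GroupRange:
    """First group range of a BSM, already decoded (hypothetical type)."""
    prefix: str            # e.g. "239.192.0.0/14" or "ff05::/16"
    admin_scope_bit: bool  # Admin Scope Zone bit of this group range


def bsm_scope(first: Optional[GroupRange]) -> Tuple[str, object]:
    """Return the scope a BSM belongs to, or raise DropBSM."""
    # Assumption of this example: no group range at all means non-scoped.
    if first is None or not first.admin_scope_bit:
        return ("non-scoped", None)

    net = ipaddress.ip_network(first.prefix, strict=False)
    if net.version == 4:
        # Scoped IPv4 BSM: the scope is the first group range itself.
        if not net.subnet_of(IPV4_MULTICAST):
            # Assumption: the draft only says the range is a sub-range
            # of 224/4; this example rejects anything else.
            raise DropBSM(f"{net} is not a sub-range of 224/4")
        return ("ipv4-scope", str(net))

    # Scoped IPv6 BSM: a mask shorter than 16 bits does not cover the
    # scope field, so the message is dropped and a warning is logged.
    if net.prefixlen < 16:
        log.warning("scoped IPv6 BSM with mask length %d < 16", net.prefixlen)
        raise DropBSM(f"mask length {net.prefixlen} is less than 16")
    # ff[0-f]S::/16 -> the scope ID S is the low nibble of the second byte.
    scope_id = net.network_address.packed[1] & 0x0F
    return ("ipv6-scope", scope_id)


# Constructed sample inputs (not taken from any real network).
SAMPLES = [
    GroupRange("224.0.0.0/4", False),
    GroupRange("239.192.0.0/14", True),
    GroupRange("ff05::/16", True),
    GroupRange("ff3e::/32", True),
    GroupRange("ff00::/8", True),
]


def classify_samples():
    """Classify every sample; dropped messages are reported as ('drop', reason)."""
    results = []
    for group_range in SAMPLES:
        try:
            results.append(bsm_scope(group_range))
        except DropBSM as exc:
            results.append(("drop", str(exc)))
    return results


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, classify_samples()):
        print(sample.prefix, sample.admin_scope_bit, "->", result)
```
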

The state machine for Bootstrap messages depends on whether or not a
router has been configured to be a Candidate-BSR for a particular scope
zone. The per-scope-zone state machine for a C-BSR is given below,
followed by the state machine for a router that is not configured to be
a C-BSR.

3.1.1. Per-Scope-Zone Candidate-BSR State Machine

+-----------------------------------------------------------------------+
|                          When in C-BSR state                          |
+-----------+------------------+--------------------+-------------------+
| Event     | Receive          | Bootstrap          | Receive Non-      |
|           | Preferred BSM    | Timer Expires      | preferred BSM     |
|           |                  |                    | from Elected      |
|           |                  |                    | BSR               |
+-----------+------------------+--------------------+-------------------+
|           | -> C-BSR state   | -> P-BSR state     | -> P-BSR state    |
|           | Forward BSM;     | Set Bootstrap      | Forward BSM;      |
| Action    | Store RP-Set;    | Timer to           | Set Bootstrap     |
|           | Set Bootstrap    | BS_Rand_Override   | Timer to          |
|           | Timer to         |                    | BS_Rand_Override  |
|           | BS_Timeout       |                    |                   |
+-----------+------------------+--------------------+-------------------+

+-----------------------------------------------------------------------+
|                          When in P-BSR state                          |
+------------+-------------------+-------------------+------------------+
| Event      | Receive           | Bootstrap         | Receive Non-     |
|            | Preferred BSM     | Timer Expires     | preferred BSM    |
+------------+-------------------+-------------------+------------------+
|            | -> C-BSR state    | -> E-BSR state    | -> P-BSR state   |
|            | Forward BSM;      | Originate BSM;    | Forward BSM      |
| Action     | Store RP-Set;     | Set Bootstrap     |                  |
|            | Set Bootstrap     | Timer to          |                  |
|            | Timer to          | BS_Period         |                  |
|            | BS_Timeout        |                   |                  |
+------------+-------------------+-------------------+------------------+

+-----------------------------------------------------------------------+
|                          When in E-BSR state                          |
+------------+-------------------+-------------------+------------------+
| Event      | Receive           | Bootstrap         | Receive Non-     |
|            | Preferred BSM     | Timer Expires     | preferred BSM    |
+------------+-------------------+-------------------+------------------+
|            | -> C-BSR state    | -> E-BSR state    | -> E-BSR state   |
|            | Forward BSM;      | Originate BSM;    | Originate BSM;   |
| Action     | Store RP-Set;     | Set Bootstrap     | Set Bootstrap    |
|            | Set Bootstrap     | Timer to          | Timer to         |
|            | Timer to          | BS_Period         | BS_Period        |
|            | BS_Timeout        |                   |                  |
+------------+-------------------+-------------------+------------------+

A Candidate-BSR may be in one of three states for a particular scope
zone:

Candidate-BSR (C-BSR)
     The router is a candidate to be the BSR for the scope zone, but
     currently another router is the preferred BSR.

Pending-BSR (P-BSR)
     The router is a candidate to be the BSR for the scope zone.
     Currently no other router is the preferred BSR, but this router is
     not yet the elected BSR. This is a temporary state that prevents
     rapid thrashing of the choice of BSR during BSR election.

Elected-BSR (E-BSR)
     The router is the elected BSR for the scope zone and it must
     perform all the BSR functions.

In addition to the three states, there is one timer:

o  The Bootstrap Timer (BST) - used to time out old bootstrap router
   information, and used in the election process to terminate P-BSR
   state.

On startup, the initial state for this configured scope zone is
"Pending-BSR"; the Bootstrap Timer is initialized to BS_Rand_Override.

3.1.2. Per-Scope-Zone State Machine for Non-Candidate-BSR Routers

+-----------------------------------------------------------------------+
|                         When in NoInfo state                          |
+---------------------+-------------------------------------------------+
| Event               | Receive BSM                                     |
+---------------------+-------------------------------------------------+
|                     | -> AP state                                     |
| Action              | Forward BSM; Store RP-Set;                      |
|                     | Set Bootstrap Timer to BS_Timeout;              |
|                     | Set SZT to SZ_Timeout                           |
+---------------------+-------------------------------------------------+

+-----------------------------------------------------------------------+
|                       When in Accept Any state                        |
+---------------+----------------------------+--------------------------+
| Event         | Receive BSM                | Scope-Zone Expiry        |
|               |                            | Timer Expires            |
+---------------+----------------------------+--------------------------+
|               | -> AP state                | -> NoInfo state          |
|               | Forward BSM; Store         | Cancel timers;           |
| Action        | RP-Set; Set                | Clear state              |
|               | Bootstrap Timer to         |                          |
|               | BS_Timeout; Set            |                          |
|               | SZT to SZ_Timeout          |                          |
+---------------+----------------------------+--------------------------+

+-----------------------------------------------------------------------+
|                    When in Accept Preferred state                     |
+----------+-----------------------+------------------+-----------------+
| Event    | Receive Preferred     | Bootstrap        | Receive Non-    |
|          | BSM                   | Timer Expires    | preferred BSM   |
+----------+-----------------------+------------------+-----------------+
|          | -> AP state           | -> AA state      | -> AP state     |
|          | Forward BSM; Store    | Refresh RP-      |                 |
| Action   | RP-Set; Set           | Set; Remove      |                 |
|          | Bootstrap Timer to    | BSR state        |                 |
|          | BS_Timeout; Set SZT   |                  |                 |
|          | to SZ_Timeout         |                  |                 |
+----------+-----------------------+------------------+-----------------+

A router that is not a Candidate-BSR may be in one of three states:

NoInfo
     The router has no information about this scope zone. This state
     does not apply if the router is configured to know about this scope
     zone, or for the global scope zone. When in this state, no state
     information is held and no timers run that refer to this scope
     zone.

Accept Any (AA)
     The router does not know of an active BSR, and will accept the
     first Bootstrap message it sees as giving the new BSR's identity
     and the RP-Set.

Accept Preferred (AP)
     The router knows the identity of the current BSR, and is using the
     RP-Set provided by that BSR. Only Bootstrap messages from that BSR
     or from a C-BSR with higher weight than the current BSR will be
     accepted.

In addition to the three states, there are two timers:

o  The Bootstrap Timer (BST) - used to time out old bootstrap router
   information.

o  The Scope-Zone Expiry Timer (SZT) - used to time out the scope zone
   itself if Bootstrap messages specifying this scope zone stop
   arriving.

On startup, the initial state for this scope zone is "Accept Any" for
routers that know about this scope zone, either through configuration or
because the scope zone is the global scope which always exists; the
Scope-Zone Expiry Timer is considered to be always running for such
scope zones. For routers that do not know about a particular scope
zone, the initial state is NoInfo; no timers exist for the scope zone.

3.1.3. Bootstrap Message Processing Checks

When a Bootstrap message is received, the following initial checks must
be performed:

     if ((DirectlyConnected(BSM.src_ip_address) == FALSE) OR
         (we have no Hello state for BSM.src_ip_address)) {
       drop the Bootstrap message silently
     }

     if (BSM.dst_ip_address == ALL-PIM-ROUTERS) {
       if (BSM.src_ip_address != RPF_neighbor(BSM.BSR_ip_address)) {
         drop the Bootstrap message silently
       }
     } else if (BSM.dst_ip_address is my primary address on the interface) {
       if ((any previous BSM for this scope has been accepted) OR
           (more than BS_Period has elapsed since startup)) {
         #the packet was unicast, but this wasn't
         #a quick refresh on startup
         drop the Bootstrap message silently
       }
     } else {
       drop the Bootstrap message silently
     }

     if (the interface the message arrived on is an Admin Scope
         border for the BSM.first_group_address) {
       drop the Bootstrap message silently
     }

Basically, the packet must have come from a directly connected neighbor
for which we have active Hello state. It must have been sent to the
ALL-PIM-ROUTERS group by the correct upstream router towards the BSR
that originated the Bootstrap message, or the router must have recently
restarted, have no BSR state for that admin scope and have received the
Bootstrap message by unicast. The destination address of a unicast
Bootstrap message must be our primary address on the interface it was
received, that is, the address we source PIM Hello messages from. In
addition it must not have arrived on an interface that is a configured
admin scope border for the first group address contained in the
Bootstrap message.

3.1.4. State Machine Transition Events

If the Bootstrap message passes the initial checks above without being
discarded, then it may cause a state transition event in one of the
above state machines.
For both candidate and non-candidate BSRs, the following transition
events are defined:

     Receive Preferred BSM
          A Bootstrap message is received from a BSR whose weight is
          higher than or equal to that of the current BSR. If a router
          is in P-BSR state, then it uses its own weight as that of the
          current BSR.

          A Bootstrap message is also preferred if it is from the
          current BSR with a lower weight than the previous BSM it sent,
          provided that if the router is a Candidate BSR the current BSR
          still has a weight higher than or equal to that of the router
          itself. In this case, the "Current Bootstrap Router's BSR
          Priority" state must be updated. (For lower weight, see
          Non-preferred BSM from Elected BSR case.)

          The weight of a BSR is defined to be the concatenation in
          fixed-precision unsigned arithmetic of the BSR Priority field
          from the Bootstrap message and the IP address of the BSR from
          the Bootstrap message (with the BSR Priority taking the
          most-significant bits and the IP address taking the least
          significant bits).

     Receive Non-preferred BSM
          A Bootstrap message is received from a BSR that has lower
          weight than the current BSR. If a router is in P-BSR state,
          then it uses its own weight as that of the current BSR.

     Receive Non-preferred BSM from Elected BSR
          A Bootstrap message is received from the elected BSR, but the
          BSR Priority field in the received message has changed, so
          that now the currently elected BSR has lower weight than the
          router itself.

     Receive BSM
          A Bootstrap message is received, regardless of BSR weight.

In addition to state machine transitions caused by the receipt of
Bootstrap messages, a state machine transition takes place each time the
Bootstrap Timer or Scope-Zone Expiry Timer expires.

3.1.5. State Machine Actions

The state machines specify actions that include setting the Bootstrap
Timer and the Scope-Zone Expiry Timer to various values.
These values are defined in Section 5.

In addition to setting and cancelling the timers, the following actions
may be triggered by state changes in the state machines:

     Forward BSM
          A Bootstrap message that passes the Bootstrap Message
          Processing Checks is forwarded out of all interfaces with PIM
          neighbors (including the interface it is received on), except
          where this would cause the BSM to cross an admin-scope
          boundary for the scope zone indicated in the message.  For
          details, see section 3.4.

     Originate BSM
          A new Bootstrap message is constructed by the BSR, giving the
          BSR's address and BSR priority, and containing the BSR's
          chosen RP-Set.  The message is forwarded out of all interfaces
          on which PIM neighbors exist, except where this would cause
          the BSM to cross an admin-scope boundary for the scope zone
          indicated in the message.

     Store RP-Set
          The router uses the group-to-RP mappings contained in a BSM to
          update its local RP-Set.

          This action is skipped for an empty BSM.  A BSM is empty if it
          contains no group ranges, or if it only contains a single
          group range where that group range has the Admin Scope Zone
          bit set (a scoped BSM) and an RP count of zero.

          If a mapping does not yet exist, it is created and the
          associated Group-to-RP mapping Expiry Timer (GET) is
          initialized with the holdtime from the BSM.

          If a mapping already exists, its GET is set to the holdtime
          from the BSM.  If the holdtime is zero, the mapping is removed
          immediately.  Note that for an existing mapping, the RP
          priority must be updated if changed.

          Mappings for a group range are also to be immediately removed
          if they are not present in the received group range.  This
          means that if there are any existing Group-to-RP mappings for
          a range where the respective RPs are not in the received
          range, then those mappings must be removed.

          All RP mappings associated with the scope zone of the BSM are
          updated with the new hash mask length from the received BSM.
          This includes RP mappings for all group ranges learned for
          this zone, not just the ranges in this particular BSM.

          In addition, the entire BSM is stored for use in the action
          Refresh RP-Set and to prime a new PIM neighbor as described
          below.

     Refresh RP-Set
          When the Bootstrap Timer expires, the router uses the copy of
          the last BSM that it has received to refresh its RP-Set
          according to the action Store RP-Set as if it had just
          received it.  This will increase the chance that the
          group-to-RP mappings will not expire during the election of
          the new BSR.

     Remove BSR state
          When the Bootstrap Timer expires, all state associated with
          the current BSR is removed (see section 2).  Note that this
          does not include any group-to-RP mappings.

3.2. Sending Candidate-RP-Advertisement Messages

Every C-RP periodically unicasts a C-RP-Adv message to the BSR for each
scope zone for which it has state, to inform the BSR of the C-RP's
willingness to function as an RP.  These messages are sent with an
interval of C_RP_Adv_Period, except when a new BSR is elected, see
below.

When a new BSR is elected, the C-RP MUST send one to three C-RP-Adv
messages, waiting a randomized amount of 0-3 seconds before sending each
message.  We recommend sending three messages because it is important
that the BSR quickly learns which RPs are active, and some packet loss
may occur when a new BSR is elected due to changes in the network.  One
way of implementing this is to set the CRPT to 0-3 seconds when the new
BSR is elected, as well as setting a counter to 2.  Whenever the CRPT
expires, we first send a C-RP-Adv message as usual.  Next, if the
counter is non-zero, it is decremented and the CRPT is again set to 0-3
seconds instead of C_RP_Adv_Period.

The Priority field in these messages is used by the BSR to select which
C-RPs to include in the RP-Set.  Note that lower values of this field
indicate higher priorities, so that a value of zero is the highest
possible priority.  C-RPs should by default send C-RP-Adv messages with
the Priority field set to 192.

When a C-RP is being shut down, it SHOULD immediately send a C-RP-Adv
message to the BSR for each scope zone for which it is currently serving
as an RP; the Holdtime in this C-RP-Adv message should be zero.  The BSR
will then immediately time out the C-RP and generate a new Bootstrap
message with the shut down RP holdtime set to 0.

A C-RP-Adv message carries a list of group address and group mask field
pairs.  This enables the C-RP to specify the group prefixes for which it
is willing to be the RP.  If the C-RP becomes an RP, it may enforce this
scope acceptance when receiving Register or Join/Prune messages.

A C-RP is configured with a list of group ranges for which it should
advertise itself as the C-RP.  A C-RP uses the following algorithm to
determine which ranges to send to a given BSR.

For each group range R in the list, the C-RP advertises that range to
the scoped BSR for the smallest scope that "contains" R.  For IPv6, the
containing scope is determined by matching the scope identifier of the
group range with the scope of the BSR.  For IPv4, it is the
longest-prefix match for R, amongst the known admin-scope ranges.  If no
scope is found to contain the group range the C-RP includes it in the
C-RP-Adv sent to the non-scoped BSR.  If a non-scoped BSR is not known,
the range is not included in any C-RP-Adv.

In addition, for each IPv4 group range R in the list, for each scoped
BSR whose scope range is strictly contained within R, the C-RP SHOULD by
default advertise that BSR's scope range to that BSR.
And for each IPv6
group range R in the list with prefix length < 16, the C-RP SHOULD by
default advertise each sub-range of prefix length 16 to the scoped BSR
with the corresponding scope ID.  An implementation MAY supply a
configuration option to prevent the behavior described in this
paragraph, but such an option SHOULD be disabled by default.

For IPv6, the mask length of all group ranges included in the C-RP-Adv
message sent to a scoped BSR MUST be >= 16.

If the above algorithm determines that there are no group ranges to
advertise to the BSR for a particular scope zone, a C-RP-Adv message
MUST NOT be sent to that BSR.  A C-RP MUST NOT send a C-RP-Adv message
with no group ranges in it.

If the same router is the BSR for more than one scope zone, the C-RP-Adv
messages for these scope zones MAY be combined into a single message.

If the C-RP is a ZBR for an admin scope zone, then the Admin Scope Zone
bit MUST be set in the C-RP-Adv messages it sends for that scope zone;
otherwise this bit MUST NOT be set.  This information is currently only
used for logging purposes by the BSR, but might allow for future
extensions of the protocol.

3.3. Creating the RP-Set at the BSR

Upon receiving a C-RP-Adv message, the router needs to decide whether or
not to accept each of the group ranges included in the message.  For
each group range in the message, the router checks to see if it is the
elected BSR for any scope zone that contains the group range, or if it
is elected as the non-scoped BSR.  If so, the group range is accepted;
if not, the group range is ignored.

If the group range is accepted, a group-to-C-RP mapping is created for
this group range and the RP Address from the C-RP-Adv message.
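
The IPv4 range selection of section 3.2 and the acceptance rule at the start of section 3.3, worked through from both sides. This is an added example, not code from the draft; the function names, the "non-scoped" label, the practice of identifying a scoped BSR by its scope range, and the sample ranges are assumptions made for illustration.

```python
import ipaddress

NON_SCOPED = "non-scoped"   # label used here for the non-scoped BSR (assumption)


def _nets(items):
    return [ipaddress.ip_network(i) for i in items]


def smallest_containing_scope(rng, scopes):
    """IPv4 rule: longest-prefix match for rng among the known admin-scope ranges."""
    hits = [s for s in scopes if rng.subnet_of(s)]
    return max(hits, key=lambda s: s.prefixlen, default=None)


def crp_adv_plan(configured, known_scopes, non_scoped_bsr_known=True):
    """C-RP side: map each BSR (named by its scope range) to the ranges sent to it."""
    scopes = _nets(known_scopes)
    plan = {}

    def add(bsr, rng):
        ranges = plan.setdefault(str(bsr), [])
        if str(rng) not in ranges:
            ranges.append(str(rng))

    for r in _nets(configured):
        scope = smallest_containing_scope(r, scopes)
        if scope is not None:
            add(scope, r)
        elif non_scoped_bsr_known:
            add(NON_SCOPED, r)
        # Otherwise the range is not included in any C-RP-Adv.

        # SHOULD-by-default rule: every scope strictly contained within R
        # gets its own scope range advertised to its scoped BSR.
        for s in scopes:
            if s != r and s.subnet_of(r):
                add(s, s)

    # A BSR with nothing to advertise has no entry, so no empty C-RP-Adv is built.
    return plan


def bsr_accept(ranges, elected_scopes, elected_non_scoped=False):
    """BSR side: keep a range only if this router is the elected BSR for a
    scope zone containing it, or is the elected non-scoped BSR."""
    scopes = _nets(elected_scopes)
    kept = []
    for r in _nets(ranges):
        if elected_non_scoped or any(r.subnet_of(s) for s in scopes):
            kept.append(str(r))
    return kept


if __name__ == "__main__":
    # Constructed sample: two nested admin scopes and three configured ranges.
    plan = crp_adv_plan(
        ["239.192.1.0/24", "224.0.0.0/4", "232.0.0.0/8"],
        ["239.0.0.0/8", "239.192.0.0/16"],
    )
    for bsr, ranges in plan.items():
        print(bsr, "<-", ranges)
    # A range outside the zone, arriving at the 239.192.0.0/16 BSR, is ignored.
    print(bsr_accept(plan["239.192.0.0/16"] + ["232.0.0.0/8"], ["239.192.0.0/16"]))
```

The last call shows why the acceptance check matters on the BSR: a C-RP-Adv that carries a range outside the zone cannot create a mapping in a scoped BSR's C-RP-Set.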

If the mapping is not already part of the C-RP-Set, it is added to the
C-RP-Set and the associated Group-to-C-RP mapping Expiry Timer (CGET) is
initialized to the holdtime from the C-RP-Adv message.  Its priority is
set to the Priority from the C-RP-Adv message.

If the mapping is already part of the C-RP-Set, it is updated with the
Priority from the C-RP-Adv message and its associated CGET is reset to
the holdtime from the C-RP-Adv message.  If the holdtime is zero, the
mapping is immediately removed from the C-RP-Set.

The hash mask length is a global property of the BSR and is therefore
the same for all mappings managed by the BSR.

For compatibility with the previous version of the BSR specification, a
C-RP-Adv message with no group ranges SHOULD be treated as though it
contained the single group range ff00::/8 or 224/4.  Therefore,
according to the rule above, this group range will be accepted if and
only if the router is elected as the non-scoped BSR.

When a CGET expires, the corresponding group-to-C-RP mapping is removed
from the C-RP-Set.

The BSR constructs the RP-Set from the C-RP-Set.  It may apply a local
policy to limit the number of Candidate-RPs included in the RP-Set.  The
BSR may override the prefix indicated in a C-RP-Adv message unless the
`Priority' field from the C-RP-Adv message is less than 128.

For inclusion in a BSM, the RP-Set is subdivided into sets of
{group-prefix, RP-Count, RP-addresses}.  For each RP-address, the
"RP-Holdtime" field is set to the Holdtime from the C-RP-Set, subject to
the constraint that it MUST be larger than BS_Period and SHOULD be larger
than 2.5 times BS_Period to allow for some Bootstrap messages getting
lost.

The format of the Bootstrap message allows `semantic fragmentation', if
the length of the original Bootstrap message exceeds the packet maximum
boundaries.
However, we recommend against configuring a large number of
routers as C-RPs, to reduce the semantic fragmentation required.

In general BSMs are originated at regular intervals according to the
BS_Period timer.  We do recommend that a BSM is also originated whenever
the RP-set to be announced in the BSMs changes.  This will usually
happen when receiving C-RP advertisements from a new C-RP, or when a
C-RP is shut down (C-RP advertisement with a holdtime of zero).  There
MUST however be a minimum of 10 seconds between each time a BSM is sent.

In particular, when a new BSR is elected, it will first send one BSM
(which is likely to be empty since it has not yet received any C-RP
advertisements), and then wait at least 10 seconds before sending a new
one.  During those 10 seconds, it is likely to have received C-RP
advertisements from all usable C-RPs (since we say that a C-RP should
send one or more advertisements with small random delays of 0-3 seconds
when a new BSR is elected).  For this case in particular, where routers
may not have a usable RP-set, we recommend originating a BSM as soon as
those 10 seconds have passed.  We suggest though that a BSR can do this
in general.  One way of implementing this is to decrease the Bootstrap
Timer to 10 seconds whenever the RP-set changes, while not changing the
timer if it is less than or equal to 10.

A BSR originates separate scoped BSMs for each scope zone for which it
is the elected BSR, as well as originating non-scoped BSMs if it is the
elected non-scoped BSR.

Each group-to-C-RP mapping is included in precisely one of these BSMs,
namely the scoped BSM for the narrowest scope containing the group range
of the mapping, if any, or the non-scoped BSM otherwise.

A scoped BSM MUST have at least one group range, and the first group
range in a scoped BSM MUST have the "Admin Scope Zone" bit set.
This
group range identifies the scope of the BSM.  In a scoped IPv4 BSM, the
first group range is the range corresponding to the scope of the BSM.
In a scoped IPv6 BSM, the first group range may be any group range
subject to the general condition that all the group ranges in such a BSM
MUST have a mask length of at least 16 and MUST have the same scope ID
as the scope of the BSM.

RP mappings may be included in the first group range of a BSM, just as
for any other group range.  After this group range, other group ranges
for which there are RP mappings appear in any order.

The "Admin Scope Zone" bit of all group ranges other than the first
SHOULD be set to 0 on origination, and MUST be ignored on receipt.

When an elected BSR is being shut down, it should immediately originate
a Bootstrap message listing its current RP-Set, but with the BSR
Priority field set to the lowest priority value possible.  This will
cause the election of a new BSR to happen more quickly.

3.4. Forwarding Bootstrap Messages

Bootstrap messages originate at the BSR, and are hop-by-hop forwarded by
intermediate routers if they pass the Bootstrap Message Processing
Checks.  When a Bootstrap message is forwarded, it is forwarded out of
every multicast-capable interface which has PIM neighbors (including the
one over which the message was received).  The exception to this is if
the interface is an administrative scope boundary for the admin scope
zone indicated in the first group address in the Bootstrap message
packet.

As an optimization, a router MAY choose not to forward a BSM out of the
interface the message was received on if that interface is a
point-to-point interface.
On interfaces with multiple PIM neighbors, a router
SHOULD forward an accepted BSM onto the interface that BSM was received
on, but if the number of PIM neighbors on that interface is large, it
MAY delay forwarding a BSM onto that interface by a small randomized
interval to prevent message implosion.  A configuration option MAY be
provided to disable forwarding onto the interface a message was received
on, but we recommend that the default behavior is to forward onto that
interface.

Rationale: A BSM needs to be forwarded onto the interface the message
was received on (in addition to the other interfaces) because the
routers on a LAN may not have consistent routing information.  If three
routers on a LAN are A, B, and C, and at router B RPF(BSR)==A and at
router C RPF(BSR)==B, then router A originally forwards the BSM onto the
LAN, but router C will only accept it when router B re-forwards the
message onto the LAN.  If the underlying routing protocol configuration
guarantees that the routers have consistent routing information, then
forwarding onto the incoming interface may safely be disabled.

A ZBR constrains all BSMs which are of equal or smaller scope than the
configured boundary.  That is, the BSMs are not accepted from,
originated or forwarded on the interfaces on which the boundary is
configured.  For IPv6 the check is a comparison between the scope of the
first range in the scoped BSM and the scope of the configured boundary.
For IPv4, the first range in the scoped BSM is checked to see if it is
contained in or is the same as the range of the configured boundary.

3.5. Unicasting Bootstrap Messages to New and Rebooting Routers

To allow new or rebooting routers to learn the RP-Set quickly, when a
Hello message is received from a new neighbor, or a Hello message with a
new GenID is received from an existing neighbor, one router on the LAN
unicasts a stored copy of the Bootstrap message for each admin scope
zone to the new or rebooting router.

The router that does this is the Designated Router (DR) on the LAN, or,
if the new or rebooting router is the DR, the router that would be the
DR if the new or rebooting router were excluded from the DR election
process.

Before unicasting a Bootstrap message in this manner, the DR must wait
until it has sent a triggered Hello message on this interface;
otherwise, the new neighbor will discard the Bootstrap message.

3.6. Receiving and Using the RP-Set

The RP-Set maintained by BSR is used by RP-based multicast routing
protocols like PIM-SM and BIDIR-PIM.  These protocols may obtain RP-Sets
from other sources as well.  How the final group-to-RP mappings are
obtained from these RP-Sets is not part of the BSR specification.  In
general, the routing protocols need to re-calculate the mappings when
any of their RP-Sets change.  How such a change is signalled to the
routing protocol is also not part of the present specification.

Some group-to-RP mappings in the RP-Set indicate group ranges for which
PIM-SM should be used; others indicate group ranges for use with
BIDIR-PIM.  Routers that only support one of these protocols MUST NOT
ignore ranges indicated as being for the other protocol.  They MUST NOT
treat them as being for the protocol they support.

4. Message Formats

BSR messages are PIM messages, as defined in [1].
The values of the PIM
Message Type field for BSR messages are:

     4 Bootstrap

     8 Candidate-RP-Advertisement

As with all other PIM control messages, BSR messages have IP protocol
number 103.

Candidate-RP-Advertisement messages are unicast to a BSR.  Usually,
Bootstrap messages are multicast with TTL 1 to the ALL-PIM-ROUTERS
group, but in some circumstances (described in section 3.5) Bootstrap
messages are unicast to a specific PIM neighbor.  Unicast Bootstrap
messages MUST be sent with TTL 1 to the source address of the neighbor's
PIM hello messages.

The IP source address used for Candidate-RP-Advertisement messages is a
domain-wide reachable address.  The IP source address used for Bootstrap
messages (regardless of whether they are being originated or forwarded)
is the link-local address of the interface on which the message is being
sent (that is, the same source address that the router uses for the
Hello messages it sends out that interface).

All Bootstrap and Candidate-RP-Advertisement messages SHOULD carry the
Router Alert IP option [7] for IPv4, and the IPv6 Router Alert Option
[8] for IPv6.  See section 6 for information about the way in which the
Router Alert option is checked by receiving routers.

The IPv4 ALL-PIM-ROUTERS group is 224.0.0.13.  The IPv6 ALL-PIM-ROUTERS
group is ff02::d.

In this section we use the following terms defined in the PIM-SM
specification [1]:

     o Encoded-Unicast format

     o Encoded-Group format

We repeat these here to aid readability.

Encoded-Unicast address

An Encoded-Unicast address takes the following format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Addr Family  | Encoding Type |     Unicast Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...

Addr Family
     The PIM address family of the `Unicast Address' field of this
     address.

     Values of 0-127 are as assigned by the IANA for Internet Address
     Families in [12].  Values 128-250 are reserved to be assigned by
     the IANA for PIM-specific Address Families.  Values 251 through 255
     are designated for private use.  As there is no assignment
     authority for this space, collisions should be expected.

Encoding Type
     The type of encoding used within a specific Address Family.  The
     value `0' is reserved for this field, and represents the native
     encoding of the Address Family.

Unicast Address
     The unicast address as represented by the given Address Family and
     Encoding Type.

Encoded-Group address

Encoded-Group addresses take the following format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Addr Family  | Encoding Type |B| Reserved  |Z|   Mask Len    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                Group multicast Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...

Addr Family
     described above.

Encoding Type
     described above.

[B]IDIR bit
     When set, all BIDIR capable PIM routers will operate the protocol
     described in [2] for the specified group range.

Reserved
     Transmitted as zero.  Ignored upon receipt.

Admin Scope [Z]one
     When set, this bit indicates that this group address range is an
     administratively scoped range.

Mask Len
     The Mask length field is 8 bits.  The value is the number of
     contiguous one bits left justified used as a mask which, combined
     with the group address, describes a range of groups.  It is less
     than or equal to the address length in bits for the given Address
     Family and Encoding Type.
     If the message is sent for a single
     group then the Mask length must equal the address length in bits
     for the given Address Family and Encoding Type (e.g. 32 for IPv4
     native encoding and 128 for IPv6 native encoding).

Group multicast Address
     Contains the group address.

4.1. Bootstrap Message Format

A bootstrap message may be divided up into `semantic fragments' if the
resulting IP datagram would exceed the maximum packet size boundaries.
Basically, a single Bootstrap message can be sent as multiple semantic
fragments (each in a separate IP datagram), so long as the fragment tags
of all the semantic fragments comprising the message are the same.  The
format of a single non-fragmented message is the same as the one used
for semantic fragments.

The format of a single `fragment' is given below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |PIM Ver| Type  |   Reserved    |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Fragment Tag          | Hash Mask Len | BSR Priority  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             BSR Address (Encoded-Unicast format)              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Group Address 1 (Encoded-Group format)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | RP Count 1    | Frag RP Cnt 1 |         Reserved              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             RP Address 1 (Encoded-Unicast format)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          RP1 Holdtime         | RP1 Priority  |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             RP Address 2 (Encoded-Unicast format)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          RP2 Holdtime         | RP2 Priority  |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               .                               |
   |                               .                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             RP Address m (Encoded-Unicast format)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          RPm Holdtime         | RPm Priority  |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Group Address 2 (Encoded-Group format)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               .                               |
   |                               .                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Group Address n (Encoded-Group format)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | RP Count n    | Frag RP Cnt n |         Reserved              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             RP Address 1 (Encoded-Unicast format)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          RP1 Holdtime         | RP1 Priority  |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             RP Address 2 (Encoded-Unicast format)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          RP2 Holdtime         | RP2 Priority  |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               .                               |
   |                               .                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             RP Address m (Encoded-Unicast format)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          RPm Holdtime         | RPm Priority  |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

PIM Version, Reserved, Checksum
     Described in [1].

Type
     PIM Message Type.  Value is 4 for a Bootstrap message.

Fragment Tag
     A randomly generated number that distinguishes the fragments
     belonging to different Bootstrap messages; fragments belonging to
     the same Bootstrap message carry the same `Fragment Tag'.

Hash Mask Len
     The length (in bits) of the mask to use in the hash function.  For
     IPv4 we recommend a value of 30.  For IPv6 we recommend a value of
     126.  This field SHOULD be the same for all fragments belonging to
     the same Bootstrap message.

BSR Priority
     Contains the BSR priority value of the included BSR.  This field is
     considered as a high order byte when comparing BSR addresses.  BSRs
     should by default set this field to 64.  Note that for historical
     reasons, the highest BSR priority is 255 (the higher the better),
     whereas the highest RP Priority (see below) is 0 (the lower the
     better).

BSR Address
     The address of the bootstrap router for the domain.  The format for
     this address is given in the Encoded-Unicast address in [1].

Group Address 1..n
     The group prefix (address and mask) with which the Candidate-RPs
     are associated.  Format described in [1].  In a fragment containing
     admin scope ranges, the first group address in the fragment MUST
     satisfy the following conditions: it MUST have the Admin Scope bit
     set; for IPv4 it MUST be the group range for the entire admin scope
     range (this is the case even if there are no RPs in the RP-Set for
     the entire admin scope range - in this case the sub-ranges for the
     RP-Set are specified later in the fragment along with their RPs);
     for IPv6 the Mask Len MUST be at least 16 and have the scope ID of
     the admin scope range.

RP Count 1..n
     The number of Candidate-RP addresses included in the whole
     Bootstrap message for the corresponding group prefix.
     A router
     does not replace its old RP-Set for a given group prefix
     until/unless it receives `RP-Count' addresses for that prefix; the
     addresses could be carried over several fragments.  If only part of
     the RP-Set for a given group prefix was received, the router
     discards it, without updating that specific group prefix's RP-Set.

Frag RP Cnt 1..m
     The number of Candidate-RP addresses included in this fragment of
     the Bootstrap message, for the corresponding group prefix.  The
     `Frag RP Cnt' field facilitates parsing of the RP-Set for a given
     group prefix, when carried over more than one fragment.

RP address 1..m
     The address of the Candidate-RPs, for the corresponding group
     prefix.  The format for these addresses is given in the
     Encoded-Unicast address in [1].

RP1..m Holdtime
     The Holdtime (in seconds) for the corresponding RP.  This field is
     copied from the `Holdtime' field of the associated RP stored at the
     BSR.

RP1..m Priority
     The `Priority' of the corresponding RP and Encoded-Group Address.
     This field is copied from the `Priority' field stored at the BSR
     when receiving a C-RP-Adv message.  The highest priority is `0'
     (i.e. unlike BSR priority, the lower the value of the `Priority'
     field, the better).  Note that the priority is per RP per Group
     Address.

Within a Bootstrap message, the BSR Address, all the Group Addresses and
all the RP Addresses MUST be of the same address family.  In addition,
the address family of the fields in the message MUST be the same as the
IP source and destination addresses of the packet.  This permits maximum
implementation flexibility for dual-stack IPv4/IPv6 routers.

4.1.1. Semantic Fragmentation of BSMs

Bootstrap messages may be split over several PIM Bootstrap Message
Fragments (BSMF); this is known as semantic fragmentation.  Each of
these must be according to the above format.
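
A bounds-checked parser for the fragment format of section 4.1, together with the RP Count rule from the field descriptions above. This is an added example, not code from the draft. The names are hypothetical, the sample fragments are constructed, PIM checksum verification (defined in [1]) is left out, and dropping a BSR's unfinished state when a new Fragment Tag arrives from it is an implementation choice made here to bound memory.

```python
import ipaddress
import struct

AF_BYTES = {1: 4, 2: 16}   # IANA address families: 1 = IPv4, 2 = IPv6
BSM_TYPE = 4               # PIM Message Type of a Bootstrap message


class BSMError(ValueError):
    """The fragment is malformed and is discarded as a whole."""


def _take(buf, off, n):
    # Every read is checked against the datagram length.
    if off + n > len(buf):
        raise BSMError(f"truncated: need {n} bytes at offset {off}")
    return bytes(buf[off:off + n]), off + n


def _unicast(buf, off):
    (fam, enc), off = _take(buf, off, 2)
    if fam not in AF_BYTES or enc != 0:
        raise BSMError(f"unsupported family/encoding {fam}/{enc}")
    raw, off = _take(buf, off, AF_BYTES[fam])
    return fam, ipaddress.ip_address(raw), off


def _group(buf, off):
    (fam, enc, flags, mlen), off = _take(buf, off, 4)
    if fam not in AF_BYTES or enc != 0:
        raise BSMError(f"unsupported family/encoding {fam}/{enc}")
    if mlen > 8 * AF_BYTES[fam]:
        raise BSMError(f"Mask Len {mlen} exceeds the address length")
    raw, off = _take(buf, off, AF_BYTES[fam])
    net = ipaddress.ip_network(f"{ipaddress.ip_address(raw)}/{mlen}", strict=False)
    return fam, {"prefix": net, "bidir": bool(flags & 0x80),
                 "zone": bool(flags & 0x01)}, off


def parse_fragment(buf):
    hdr, off = _take(buf, 0, 8)
    ver_type, _, _cksum, tag, hash_len, bsr_prio = struct.unpack("!BBHHBB", hdr)
    if ver_type & 0x0F != BSM_TYPE:
        raise BSMError("not a Bootstrap message")
    fam, bsr, off = _unicast(buf, off)
    groups = []
    while off < len(buf):
        gfam, grp, off = _group(buf, off)
        (rp_count, frag_cnt, _, _), off = _take(buf, off, 4)
        if gfam != fam:
            raise BSMError("mixed address families")
        if frag_cnt > rp_count:
            raise BSMError("Frag RP Cnt larger than RP Count")
        rps = []
        for _ in range(frag_cnt):
            rfam, rp, off = _unicast(buf, off)
            tail, off = _take(buf, off, 4)
            if rfam != fam:
                raise BSMError("mixed address families")
            holdtime, priority, _ = struct.unpack("!HBB", tail)
            rps.append((rp, holdtime, priority))
        grp.update(rp_count=rp_count, rps=rps)
        groups.append(grp)
    return {"tag": tag, "hash_mask_len": hash_len, "bsr_priority": bsr_prio,
            "bsr": bsr, "groups": groups}


class RPSetAssembler:
    """Releases a group prefix only once RP Count addresses have arrived."""

    def __init__(self):
        self.pending = {}   # (bsr, tag, prefix) -> RPs collected so far

    def feed(self, frag):
        bsr, tag = frag["bsr"], frag["tag"]
        for key in [k for k in self.pending if k[0] == bsr and k[1] != tag]:
            del self.pending[key]          # older, unfinished BSM from this BSR
        complete = {}
        for g in frag["groups"]:
            key = (bsr, tag, g["prefix"])
            got = self.pending.setdefault(key, [])
            got.extend(g["rps"])
            if len(got) > g["rp_count"]:
                del self.pending[key]
                raise BSMError("more RPs than RP Count for " + str(g["prefix"]))
            if len(got) == g["rp_count"]:
                complete[g["prefix"]] = self.pending.pop(key)
        return complete                    # incomplete prefixes keep the old RP-Set


def build_fragment(tag, bsr, groups, hash_len=30, prio=64):
    """Constructed IPv4 sample input (PIM version 2, checksum left as zero)."""
    out = struct.pack("!BBHHBB", 0x24, 0, 0, tag, hash_len, prio)
    out += bytes([1, 0]) + ipaddress.ip_address(bsr).packed
    for prefix, rp_count, rps in groups:
        net = ipaddress.ip_network(prefix)
        out += bytes([1, 0, 0, net.prefixlen]) + net.network_address.packed
        out += bytes([rp_count, len(rps), 0, 0])
        for rp, hold, rp_prio in rps:
            out += bytes([1, 0]) + ipaddress.ip_address(rp).packed
            out += struct.pack("!HBB", hold, rp_prio, 0)
    return out
```

Feeding the assembler one fragment that carries two of three RPs for a prefix returns nothing for that prefix; the mapping is released only when a later fragment with the same tag supplies the third.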

This is useful if the BSM would otherwise exceed the MTU of the link the
message will be forwarded over.  If one relies purely on IP
fragmentation, one would lose the entire message if one fragment is
lost.  By use of semantic fragmentation, one lost IP fragment will only
cause the loss of the semantic fragment that the IP fragment was part
of.  As described below, a router only needs to receive all the RPs for
a specific group range to update that range.  This means that loss of a
semantic fragment, due to an IP fragment getting lost, only affects the
group ranges the lost semantic fragment contains information for.

If the BSR can split up the BSM so that each group prefix (and all of
its RP information) can fit entirely inside one BSMF, then it should do
so.  If a BSMF is lost, the state from the previous BSM for the
group-prefixes from the missing BSMF will be retained.  Each fragment
that does arrive will update the RP information for the group-prefixes
contained in that fragment, and the new group-to-RP mappings for those
can be used immediately.  The information from the missing fragment will
be obtained when the next BSM is transmitted.

If the list of RPs for a single group-prefix is long, one may split the
information across multiple BSMFs to avoid IP fragmentation.  In this
case, all the BSMFs comprising the information for that group-prefix
must be received before the group-to-RP mapping in use can be modified.
This is the purpose of the RP Count field - a router receiving BSMFs
from the same BSM (i.e. that have the same fragment tag) must wait until
BSMFs providing RP Count RPs for that group-prefix have been received
before the new group-to-RP mapping can be used for that group-prefix.
If a single BSMF from such a large group-prefix is lost, then that
entire group-prefix will have to wait until the next BSM is originated.
Hence the benefit of using semantic fragmentation is in this case
dubious.

Next we need to consider how a BSR would remove group-prefixes from the
BSM.  A router receiving a set of BSMFs cannot tell if a group-prefix is
missing.  If it has seen a group-prefix before, it must assume that that
group-prefix still exists, and that the BSMF describing it has been
lost.  It should retain this information for BS_Timeout.  Thus for a BSR
to remove a group-prefix from the BSR, it should include that
group-prefix, but with a RP Count of zero, and it should resend this
information in each BSM for BS_Timeout.

4.2. Candidate-RP-Advertisement Message Format

Candidate-RP-Advertisement messages are periodically unicast from the
C-RPs to the BSR.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |PIM Ver| Type  |   Reserved    |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Prefix Count  |   Priority    |           Holdtime            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             RP Address (Encoded-Unicast format)               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Group Address 1 (Encoded-Group format)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               .                               |
   |                               .                               |
   |                               .                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Group Address n (Encoded-Group format)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

PIM Version, Reserved, Checksum
     Described in [1].

Type
     PIM Message Type.  Value is 8 for a Candidate-RP-Advertisement
     message.

Prefix Count
     The number of encoded group addresses included in the message;
     indicating the group prefixes for which the C-RP is advertising.
1297       C-RPs MUST NOT send C-RP-Adv messages with a Prefix Count of `0'.

1299  Priority
1300       The `Priority' of the included RP, for the corresponding Encoded-
1301       Group Address (if any). The highest priority is `0' (i.e. the
1302       lower the value of the `Priority' field, the higher the priority).
1303       This field is stored at the BSR upon receipt along with the RP
1304       address and corresponding Encoded-Group Address.

1306  Holdtime
1307       The amount of time (in seconds) the advertisement is valid. This
1308       field allows advertisements to be aged out. This field should be
1309       set to 2.5 times C_RP_Adv_Period.

1311  RP Address
1312       The address of the interface to advertise as a Candidate RP. The
1313       format for this address is given in the Encoded-Unicast address in
1314       [1].

1316  Group Address-1..n
1317       The group prefixes for which the C-RP is advertising. Format
1318       described in Encoded-Group-Address in [1].

1320  Within a Candidate-RP-Advertisement message, the RP Address and all the
1321  Group Addresses MUST be of the same address family. In addition, the
1322  address family of the fields in the message MUST be the same as the IP
1323  source and destination addresses of the packet. This permits maximum
1324  implementation flexibility for dual-stack IPv4/IPv6 routers.

1326  5. Timers and Timer Values

1328  Timer Name: Bootstrap Timer (BST(Z))

1330  +---------------------+--------------------------+----------------------+
1331  | Value Name          | Value                    | Explanation          |
1332  +---------------------+--------------------------+----------------------+
1333  | BS_Period           | Default: 60 seconds      | Periodic interval    |
1334  |                     |                          | with which BSMs      |
1335  |                     |                          | are normally         |
1336  |                     |                          | originated           |
1337  +---------------------+--------------------------+----------------------+
1338  | BS_Timeout          | Default: 130 seconds     | Interval after       |
1339  |                     |                          | which a BSR is       |
1340  |                     |                          | timed out if no      |
1341  |                     |                          | BSM is received      |
1342  |                     |                          | from that BSR        |
1343  +---------------------+--------------------------+----------------------+
1344  | BS_Rand_Override    | see below                | Randomized           |
1345  |                     |                          | interval used to     |
1346  |                     |                          | reduce control       |
1347  |                     |                          | message overhead     |
1348  |                     |                          | during BSR           |
1349  |                     |                          | election             |
1350  +---------------------+--------------------------+----------------------+

1352  Note that BS_Timeout MUST be larger than BS_Period, even if their values
1353  are changed from the defaults. We recommend that BS_Timeout is set to 2
1354  times BS_Period plus 10 seconds.

1356  BS_Rand_Override is calculated using the following pseudocode, in which
1357  all values are in units of seconds. The values of BS_Rand_Override
1358  generated by this pseudocode are between 5 and 23 seconds, with smaller
1359  values generated if the C-BSR has a high bootstrap weight, and larger
1360  values generated if the C-BSR has a low bootstrap weight.
1362       BS_Rand_Override = 5 + priorityDelay + addrDelay

1364  where priorityDelay is given by:

1366       priorityDelay = 2 * log_2(1 + bestPriority - myPriority)

1368  and addrDelay is given by the following for IPv4:

1370       if (bestPriority == myPriority) {
1371           addrDelay = log_2(1 + bestAddr - myAddr) / 16
1372       } else {
1373           addrDelay = 2 - (myAddr / 2^31)
1374       }

1376  and addrDelay is given by the following for IPv6:

1378       if (bestPriority == myPriority) {
1379           addrDelay = log_2(1 + bestAddr - myAddr) / 64
1380       } else {
1381           addrDelay = 2 - (myAddr / 2^127)
1382       }

1384  and bestPriority is given by:

1386       bestPriority = max(storedPriority, myPriority)

1388  and bestAddr is given by:

1390       bestAddr = max(storedAddr, myAddr)

1392  and where myAddr is the Candidate-BSR's address, storedAddr is the
1393  stored BSR's address, myPriority is the Candidate-BSR's configured
1394  priority, and storedPriority is the stored BSR's priority.

1396  Timer Name: Scope Zone Expiry Timer (SZT(Z))

1398  +----------------+-----------------------------+------------------------+
1399  | Value Name     | Value                       | Explanation            |
1400  +----------------+-----------------------------+------------------------+
1401  | SZ_Timeout     | Default: 1300 seconds       | Interval after         |
1402  |                |                             | which a scope zone     |
1403  |                |                             | is timed out if no     |
1404  |                |                             | BSM is received        |
1405  |                |                             | for that scope         |
1406  |                |                             | zone                   |
1407  +----------------+-----------------------------+------------------------+

1409  Note that SZ_Timeout MUST be larger than BS_Timeout, even if their
1410  values are changed from the defaults. We recommend that SZ_Timeout is
1411  set to 10 times BS_Timeout.
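
The BS_Rand_Override pseudocode above, written out for both address families as an added example (not part of the draft). The function names and the sample addresses are assumptions of this example, and priorities are assumed to be 8-bit values, which is what the stated 5 to 23 second range implies.

```python
import ipaddress
import math


def bs_rand_override(my_addr, my_priority, stored_addr, stored_priority):
    """BS_Rand_Override in seconds, following the draft's pseudocode.

    my_* describe this Candidate-BSR, stored_* the BSR currently stored.
    Addresses are textual and must share one address family.
    """
    mine = ipaddress.ip_address(my_addr)
    stored = ipaddress.ip_address(stored_addr)
    if mine.version != stored.version:
        raise ValueError("myAddr and storedAddr must be of the same family")
    for prio in (my_priority, stored_priority):
        # Assumption: priorities are 8-bit, which the 5..23 s bound implies.
        if not 0 <= prio <= 255:
            raise ValueError("priority out of range 0..255")

    bits = mine.max_prefixlen            # 32 for IPv4, 128 for IPv6
    my_int = int(mine)
    best_priority = max(stored_priority, my_priority)
    best_addr = max(int(stored), my_int)

    priority_delay = 2 * math.log2(1 + best_priority - my_priority)
    if best_priority == my_priority:
        # Divisor is 16 for IPv4 and 64 for IPv6, i.e. half the address width.
        addr_delay = math.log2(1 + best_addr - my_int) / (bits // 2)
    else:
        # 2^31 for IPv4 and 2^127 for IPv6.
        addr_delay = 2 - my_int / 2 ** (bits - 1)
    return 5 + priority_delay + addr_delay


def override_order(candidates, stored):
    """Sort (address, priority) candidates by the timer each would set."""
    stored_addr, stored_priority = stored
    timed = [
        (bs_rand_override(addr, prio, stored_addr, stored_priority), addr)
        for addr, prio in candidates
    ]
    return [addr for _, addr in sorted(timed)]


if __name__ == "__main__":
    # Constructed sample domain (documentation addresses, not from the draft).
    stored_bsr = ("192.0.2.9", 100)
    cbsrs = [("192.0.2.5", 100), ("192.0.2.7", 50), ("192.0.2.8", 100)]
    for addr, prio in cbsrs:
        print(addr, prio, round(bs_rand_override(addr, prio, *stored_bsr), 4))
    print(override_order(cbsrs, stored_bsr))
```

Each candidate compares itself only with the stored BSR, so the candidate closest to the stored BSR's weight sets the shortest timer and speaks first.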
1413  Timer Name: Group-to-C-RP mapping Expiry Timer (CGET(M,Z))

1415  +--------------------------+--------------------+-----------------------+
1416  | Value Name               | Value              | Explanation           |
1417  +--------------------------+--------------------+-----------------------+
1418  | C-RP Mapping Timeout     | from message       | Holdtime from C-      |
1419  |                          |                    | RP-Adv message        |
1420  +--------------------------+--------------------+-----------------------+

1422  Timer Name: Group-to-RP mapping Expiry Timer (GET(M,Z))

1424  +-------------------------+--------------------+------------------------+
1425  | Value Name              | Value              | Explanation            |
1426  +-------------------------+--------------------+------------------------+
1427  | RP Mapping Timeout      | from message       | Holdtime from BSM      |
1428  +-------------------------+--------------------+------------------------+

1430  Timer Name: C-RP Advertisement Timer (CRPT)

1432  +---------------------+-------------------------+-----------------------+
1433  | Value Name          | Value                   | Explanation           |
1434  +---------------------+-------------------------+-----------------------+
1435  | C_RP_Adv_Period     | Default: 60 seconds     | Periodic interval     |
1436  |                     |                         | with which C-RP-      |
1437  |                     |                         | Adv messages are      |
1438  |                     |                         | sent to a BSR         |
1439  +---------------------+-------------------------+-----------------------+
1440  6. Security Considerations

1442  6.1. Possible Threats

1444  Threats affecting the PIM BSR mechanism are primarily of two forms:
1445  denial of service attacks, and traffic diversion attacks. An attacker
1446  that subverts the BSR mechanism can prevent multicast traffic from
1447  reaching the intended recipients, can divert multicast traffic to a
1448  place where they can monitor it, and can potentially flood third parties
1449  with traffic.

1451  Traffic can be prevented from reaching the intended recipients by one of
1452  two mechanisms:

1454   o   Subverting a BSM, and specifying RPs that won't actually forward
1455       traffic.
1457   o   Registering with the BSR as a C-RP, and then not forwarding
1458       traffic.

1460  Traffic can be diverted to a place where it can be monitored by both of
1461  the above mechanisms; in this case the RPs would forward the traffic,
1462  but are located so as to aid monitoring or man-in-the-middle attacks on
1463  the multicast traffic.

1465  A third party can be flooded by either of the above two mechanisms by
1466  specifying the third party as the RP, and register-encapsulated traffic
1467  will then be forwarded to them.

1469  6.2. Limiting Third-Party DoS Attacks

1471  The third party DoS attack above can be greatly reduced if PIM routers
1472  acting as DR do not continue to forward Register traffic to the RP in
1473  the presence of ICMP Protocol Unreachable or ICMP Host Unreachable
1474  responses. If a PIM router sending Register packets to an RP receives
1475  one of these responses to a data packet it has sent, it should rate-
1476  limit the transmission of future Register packets to that RP for a short
1477  period of time.

1479  As this does not affect interoperability, the precise details are left
1480  to the implementor to decide. However we note that a router
1481  implementing such rate limiting must only do so if the ICMP packet
1482  correctly echoes part of a Register packet that was sent to the RP. If
1483  this check were not made, then simply sending ICMP Unreachable packets
1484  to the DR with the source address of the RP spoofed would be sufficient
1485  to cause a denial-of-service attack on the multicast traffic originating
1486  from that DR.

1488  6.3. Bootstrap Message Security

1490  If a legitimate PIM router is compromised, there is little any security
1491  mechanism can do to prevent that router subverting PIM traffic in that
1492  domain. However we recommend that implementors provide a mechanism
1493  whereby a PIM router using the BSR mechanisms can be configured with the
1494  IP addresses of valid BSR routers, and that any Bootstrap message from
1495  any other BSR should then be dropped and logged as a security issue. We
1496  also recommend that this not be enabled by default, as it makes the
1497  initial configuration of a PIM domain problematic - it is the sort of
1498  feature that might be enabled once the configuration of a domain has
1499  stabilized.

1501  The primary security requirement for BSR (as for PIM) is that it is
1502  possible to prevent hosts that are not legitimate PIM routers, either
1503  within or outside the domain, from subverting the BSR mechanism.

1505  The Bootstrap Message Processing Checks prevent a router from accepting
1506  a Bootstrap message from outside of the PIM Domain, as the source
1507  address on Bootstrap messages must be an immediate PIM neighbor. There
1508  is however a small window of time after a reboot where a PIM router will
1509  accept a bad Bootstrap message unicast from an immediate neighbor, and
1510  it might be possible to unicast a Bootstrap message to a router during
1511  this interval from outside the domain, using the spoofed source address
1512  of a neighbor. This can be prevented if PMBRs perform source-address
1513  filtering to prevent packets entering the PIM domain with IP source
1514  addresses that are infrastructure addresses in the PIM domain.

1516  The principal threat to Bootstrap message security comes from hosts
1517  within the PIM domain that attempt to subvert the BSR mechanism. They
1518  may be able to do this by sending PIM messages to their local router, or
1519  by unicasting a Bootstrap message to another PIM router during the brief
1520  interval after it has restarted.

1522  6.3.1. Rejecting Unicast Bootstrap Messages

1524  All Bootstrap messages SHOULD carry the Router Alert option, for IPv4
1525  the Router Alert IP option [7], and for IPv6, the IPv6 Router Alert
1526  Option [8]. If a PIM router receives a Bootstrap message that does not
1527  carry the Router Alert option, it SHOULD drop it (a configuration option
1528  should also be provided to disable this check on a per-interface basis
1529  for backward compatibility with older PIM routers). The Router Alert
1530  option allows a PIM router to perform checks on unicast packets it would
1531  otherwise blindly forward. All PIM routers should check that packets
1532  with Router Alert that are not destined for the router itself are not
1533  PIM Bootstrap messages. Any such packets should be dropped and logged
1534  as a possible security issue - it is never acceptable for a PIM
1535  Bootstrap message to travel multiple IP hops.

1537  6.3.2. Rejecting Bootstrap Messages from Invalid Neighbors

1539  Most hosts that are likely to attempt to subvert PIM BSR are likely to
1540  be located on leaf subnets. We recommend that implementors provide a
1541  configuration option that specifies an interface is a leaf subnet, and
1542  that no PIM packets are accepted on such interfaces.

1544  On multi-access subnets with multiple PIM routers and hosts that are not
1545  trusted, we recommend that IPsec AH is used to protect communication
1546  between PIM routers, and that such routers are configured to drop and
1547  log communication attempts from any host that do not pass the
1548  authentication check. When all the PIM routers are under the same
1549  administrative control, this authentication may use a configured shared
1550  secret. The securing of interactions between PIM neighbors is discussed
1551  in more detail in the Security Considerations section of [1], and so we
1552  do not discuss the details further here. The same security mechanisms
1553  that can be used to secure PIM Join, Prune and Assert messages should
1554  also be used to secure Bootstrap messages.

1556  6.4. Candidate-RP-Advertisement Message Security

1558  Even if it is not possible to subvert Bootstrap messages, an attacker
1559  might be able to perform most of the same attacks by simply sending C-
1560  RP-Adv messages to the BSR specifying the attacker's choice of RPs.
1561  Thus it is necessary to control the sending of C-RP-Adv messages in
1562  essentially the same ways that we control Bootstrap messages. However,
1563  C-RP-Adv messages are unicast and normally travel multiple hops, so
1564  controlling them is more difficult.

1566  6.4.1. Non-Cryptographic Security of C-RP-Adv Messages

1568  We specify that C-RP-Adv messages SHOULD also carry the Router Alert
1569  option, and that the BSR SHOULD by default drop and log C-RP-Adv
1570  messages that do not carry this option. Setting Router Alert on these
1571  packets is practical because the rate of C-RP-Adv messages should be
1572  very low, so the extra load on routers forwarding these packets will be
1573  insignificant. PIM routers forwarding such a packet may then be capable
1574  of checking whether the packet came from a valid PIM neighbor, although
1575  note that such checks are only possible if the unicast and multicast
1576  topologies in the network are congruent. If this is not the case, it is
1577  legitimate to receive a C-RP-Adv message from a router which is not a
1578  valid PIM neighbor, and therefore in this situation a PIM router MUST
1579  NOT drop C-RP-Adv messages that do not come from a valid PIM neighbor.

1581  If the unicast and multicast topologies are known to be congruent, the
1582  following checks should be made. On interfaces that are configured to
1583  be leaf subnets, all C-RP-Adv messages should be dropped. On multi-
1584  access subnets with multiple PIM routers and hosts that are not trusted,
1585  the router can at least check that the source MAC address is that of a
1586  valid PIM neighbor. PMBRs should ensure that no C-RP-Adv messages enter
1587  the domain from an external neighbor.

1589  6.4.2. Cryptographic Security of C-RP-Adv Messages

1591  For true security, we recommend that all C-RPs are configured to use
1592  IPsec authentication. The authentication process for a C-RP-Adv message
1593  between a C-RP and the BSR is identical to the authentication process
1594  for PIM Register messages between a DR and the relevant RP, except that
1595  there will normally be fewer C-RPs in a domain than there are DRs, so
1596  key management is a little simpler. We do not describe the details of
1597  this process further here, but refer to the Security Considerations
1598  section of [1]. Note that the use of cryptographic security for C-RP-Adv
1599  messages does not remove the need for the non-cryptographic mechanisms,
1600  as explained below.

1602  6.5. Denial of Service using IPsec

1604  An additional concern is that of Denial-of-Service attacks caused by
1605  sending high volumes of Bootstrap messages or C-RP-Adv messages with
1606  invalid IPsec authentication information. It is possible that these
1607  messages could overwhelm the CPU resources of the recipient.

1609  The non-cryptographic security mechanisms above prevent unicast
1610  Bootstrap messages from traveling multiple hops, and constrain who can
1611  originate such messages. However, it is obviously important that PIM
1612  messages that are required to have Router Alert checked are checked for
1613  this option before the IPsec AH is checked. Thus the remaining
1614  vulnerability primarily exists for hosts on multi-access subnets
1615  containing more than one PIM router. A PIM router receiving PIM packets
1616  with Router Alert set from such a subnet should already be checking that
1617  the source MAC address is that of a valid PIM neighbor, but this is
1618  hardly strong security. In addition, we recommend that rate-limiting
1619  mechanisms can be configured, to be applied to the forwarding of unicast
1620  PIM packets containing Router Alert options. The rate-limiter MUST
1621  independently rate-limit different types of PIM packets - for example a
1622  flood of C-RP-Adv messages MUST NOT cause a rate limiter to drop low-
1623  rate Bootstrap messages. Such a rate-limiter might itself be used to
1624  cause a denial of service attack by causing valid packets to be dropped,
1625  but in practice this is more likely to constrain bad PIM messages close
1626  to their origin. In addition, the rate limiter will prevent attacks on
1627  PIM from affecting other activity on the destination router, such as
1628  unicast routing.

1630  7. Contributors

1632  Bill Fenner, Mark Handley, Roger Kermode and David Thaler have
1633  contributed greatly to this draft. They were authors of this draft up
1634  to version 03. Most of the current text is identical to 03.

1636  8. Acknowledgments

1638  PIM-SM was designed over many years by a large group of people,
1639  including ideas from Deborah Estrin, Dino Farinacci, Ahmed Helmy, Steve
1640  Deering, Van Jacobson, C. Liu, Puneet Sharma, Liming Wei, Tom Pusateri,
1641  Tony Ballardie, Scott Brim, Jon Crowcroft, Paul Francis, Joel Halpern,
1642  Horst Hodel, Polly Huang, Stephen Ostrowski, Lixia Zhang, Girish
1643  Chandranmenon, Pavlin Radoslavov, John Zwiebel, Isidor Kouvelas and Hugh
1644  Holbrook. This BSR specification draws heavily on text from RFC 2362.

1646  Many members of the PIM Working Group have contributed comments and
1647  corrections for this document, including Christopher Thomas Brown, Ardas
1648  Cilingiroglu, Murthy Esakonu, Venugopal Hemige, Prashant Jhingran,
1649  Rishabh Parekh and Katta Sambasivarao.

1651  9. IANA Considerations

1653  IANA is requested to assign a value for the IPv6 Router Alert Option [8]
1654  to be used for both Bootstrap and Candidate-RP-Advertisement messages.

1656  10. Normative References

1658  [1]  W. Fenner, M. Handley, H. Holbrook, I. Kouvelas, "Protocol
1659       Independent Multicast - Sparse Mode (PIM-SM): Protocol
1660       Specification (Revised)", Internet Draft draft-ietf-pim-sm-
1661       v2-new-11.txt

1663  [2]  M. Handley, I. Kouvelas, T. Speakman, L. Vicisano, "Bi-directional
1664       Protocol Independent Multicast (BIDIR-PIM)", Internet Draft draft-
1665       ietf-pim-bidir-08.txt

1667  [3]  D. Meyer, "Administratively Scoped IP Multicast", RFC 2365, Jul
1668       1998.

1670  [4]  S. Deering, B. Haberman, T. Jinmei, E. Nordmark, B. Zill, "IPv6
1671       Scoped Address Architecture", RFC 4007, Mar 2005.

1673  [5]  R. Hinden, S. Deering, "IP Version 6 Addressing Architecture", RFC
1674       4291, Feb 2006.

1676  [6]  S. Bradner, "Key words for use in RFCs to Indicate Requirement
1677       Levels", BCP 14, RFC 2119, Mar 1997.

1679  [7]  D. Katz, "IP Router Alert Option", RFC 2113, Feb 2006.

1681  [8]  C. Partridge, A. Jackson, "IPv6 Router Alert Option", RFC 2711, Oct
1682       1999.

1684  11. Informative References

1686  [9]  D. Estrin et al., "Protocol Independent Multicast - Sparse Mode
1687       (PIM-SM): Protocol Specification", RFC 2362, June 1998 (now
1688       obsolete).

1690  [10] D. Kim, D. Meyer, H. Kilmer, D. Farinacci, "Anycast Rendevous Point
1691       (RP) mechanism using Protocol Independent Multicast (PIM) and
1692       Multicast Source Discovery Protocol (MSDP)", RFC 3446, Jan 2003.

1694  [11] D. Farinacci, Y. Cai, "Anycast-RP using PIM", Internet Draft draft-
1695       ietf-pim-anycast-rp-07.txt

1697  [12] IANA, "Address Family Numbers", linked from
1698       http://www.iana.org/numbers.html

1700  Authors' Addresses

1702       Nidhi Bhaskar
1703       Cisco Systems
1704       170 W. Tasman Drive
1705       San Jose, CA 95134
1706       USA
1707       nbhaskar@cisco.com

1709       Alexander Gall
1710       SWITCH
1711       Limmatquai 138
1712       P.O. Box
1713       CH-8021 Zurich
1714       Switzerland
1715       gall@switch.ch

1717       James Lingard
1718       james@lingard.com
1719       Stig Venaas
1720       UNINETT
1721       NO-7465 Trondheim
1722       Norway
1723       venaas@uninett.no

1725  Copyright Statement

1727  Copyright (C) The Internet Society (2006). This document is subject to
1728  the rights, licenses and restrictions contained in BCP 78, and except as
1729  set forth therein, the authors retain all their rights.

1731  This document and the information contained herein are provided on an
1732  "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
1733  IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1734  ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1735  INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1736  INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1737  WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1739  Intellectual Property

1741  The IETF takes no position regarding the validity or scope of any
1742  Intellectual Property Rights or other rights that might be claimed to
1743  pertain to the implementation or use of the technology described in this
1744  document or the extent to which any license under such rights might or
1745  might not be available; nor does it represent that it has made any
1746  independent effort to identify any such rights. Information on the
1747  procedures with respect to rights in RFC documents can be found in BCP
1748  78 and BCP 79.

1750  Copies of IPR disclosures made to the IETF Secretariat and any
1751  assurances of licenses to be made available, or the result of an attempt
1752  made to obtain a general license or permission for the use of such
1753  proprietary rights by implementers or users of this specification can be
1754  obtained from the IETF on-line IPR repository at
1755  http://www.ietf.org/ipr.

1757  The IETF invites any interested party to bring to its attention any
1758  copyrights, patents or patent applications, or other proprietary rights
1759  that may cover technology that may be required to implement this
1760  standard. Please address the information to the IETF at ietf-
1761  ipr@ietf.org.
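
A receiver-side parser for the Candidate-RP-Advertisement format of Section 4.2 that enforces the rules stated there (Type 8, non-zero Prefix Count, one address family throughout, matching the IP header), as an added example that is not part of the draft. The Encoded-Unicast and Encoded-Group layouts and PIM version 2 are taken from [1] rather than from this document, all function names and the sample message are constructed for the example, and the checksum described in [1] is not verified here.

```python
import ipaddress
import struct

C_RP_ADV_TYPE = 8                      # from Section 4.2
AF_BYTES = {1: 4, 2: 16}               # IANA address family -> address length
AF_IP_VERSION = {1: 4, 2: 6}


class CRPAdvError(ValueError):
    """The message violates a rule stated for C-RP-Adv messages."""


def _address(buf, off, header_len):
    """Decode one encoded address; header_len is 2 (unicast) or 4 (group)."""
    if off + header_len > len(buf):
        raise CRPAdvError("truncated encoded address")
    family = buf[off]
    if family not in AF_BYTES:
        raise CRPAdvError("unsupported address family %d" % family)
    end = off + header_len + AF_BYTES[family]
    if end > len(buf):
        raise CRPAdvError("truncated encoded address")
    addr = ipaddress.ip_address(bytes(buf[off + header_len:end]))
    return family, addr, end


def parse_c_rp_adv(pim, ip_src, ip_dst):
    """Parse and validate one C-RP-Adv message (the PIM payload)."""
    if len(pim) < 8:
        raise CRPAdvError("shorter than the fixed header")
    ver_type, _rsvd, _cksum, count, priority, holdtime = struct.unpack_from(
        "!BBHBBH", pim)
    if ver_type >> 4 != 2 or ver_type & 0x0F != C_RP_ADV_TYPE:
        raise CRPAdvError("not a PIMv2 Candidate-RP-Advertisement")
    if count == 0:
        raise CRPAdvError("Prefix Count of 0 is not allowed")

    family, rp, off = _address(pim, 8, 2)
    groups = []
    for _ in range(count):
        start = off
        g_family, g_addr, off = _address(pim, start, 4)
        mask_len = pim[start + 3]      # fourth byte of Encoded-Group
        if g_family != family:
            raise CRPAdvError("group and RP address families differ")
        if mask_len > g_addr.max_prefixlen:
            raise CRPAdvError("mask length exceeds the address width")
        groups.append(ipaddress.ip_network("%s/%d" % (g_addr, mask_len),
                                           strict=False))
    if off != len(pim):
        raise CRPAdvError("Prefix Count does not match the message length")

    for ip in (ip_src, ip_dst):
        if ipaddress.ip_address(ip).version != AF_IP_VERSION[family]:
            raise CRPAdvError("message family differs from the IP header")
    return {"rp": rp, "priority": priority, "holdtime": holdtime,
            "groups": groups}


def sample_c_rp_adv():
    """Constructed IPv4 sample: RP 192.0.2.1, two group prefixes, 150 s."""
    msg = struct.pack("!BBHBBH", 0x28, 0, 0, 2, 10, 150)
    msg += bytes([1, 0]) + ipaddress.ip_address("192.0.2.1").packed
    msg += bytes([1, 0, 0, 24]) + ipaddress.ip_address("233.252.0.0").packed
    msg += bytes([1, 0, 0, 8]) + ipaddress.ip_address("239.0.0.0").packed
    return msg


if __name__ == "__main__":
    print(parse_c_rp_adv(sample_c_rp_adv(), "192.0.2.1", "192.0.2.254"))
```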
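
The check ordering of Section 6.5, as an added example that is not part of the draft: Router Alert and source-MAC checks run first, an independent token bucket per PIM message type runs next, and IPsec AH verification runs last, so a flood with invalid authentication costs few AH checks and cannot starve Bootstrap messages. The packet dictionaries, bucket parameters, MAC address and the verify_ah callback are assumptions standing in for a router's data path; type 4 is the PIM Bootstrap message type and type 8 is C-RP-Adv.

```python
BOOTSTRAP, C_RP_ADV = 4, 8             # PIM message types


class TokenBucket:
    """Token bucket with an explicit clock so runs are reproducible."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            refill = (now - self.last) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PimPolicer:
    """Cheap checks first, the expensive IPsec AH verification last."""

    def __init__(self, neighbor_macs, limits, verify_ah):
        self.neighbor_macs = set(neighbor_macs)
        # One bucket per PIM type: a flood of one type leaves others alone.
        self.buckets = {t: TokenBucket(*rb) for t, rb in limits.items()}
        self.verify_ah = verify_ah     # hypothetical stand-in for AH checking
        self.ah_checks = 0
        self.log = []

    def handle(self, pkt, now):
        verdict = self._decide(pkt, now)
        if verdict != "accept":
            # Drops are logged, as the draft asks for rejected messages.
            self.log.append((now, pkt["src_mac"], pkt["pim_type"], verdict))
        return verdict

    def _decide(self, pkt, now):
        if not pkt["router_alert"]:
            return "drop: no Router Alert"
        if pkt["src_mac"] not in self.neighbor_macs:
            return "drop: source MAC is not a PIM neighbor"
        bucket = self.buckets.get(pkt["pim_type"])
        if bucket is None or not bucket.allow(now):
            return "drop: rate limit"
        self.ah_checks += 1
        if not self.verify_ah(pkt):
            return "drop: AH check failed"
        return "accept"


def demo():
    """Constructed traffic: 1000 C-RP-Advs with bad AH, then one valid BSM."""
    policer = PimPolicer(
        neighbor_macs={"00:00:5e:00:53:01"},
        limits={BOOTSTRAP: (1, 2), C_RP_ADV: (1, 5)},   # (per second, burst)
        verify_ah=lambda pkt: pkt["ah_ok"],
    )
    flood = {"pim_type": C_RP_ADV, "router_alert": True,
             "src_mac": "00:00:5e:00:53:01", "ah_ok": False}
    verdicts = [policer.handle(flood, now=0.0) for _ in range(1000)]
    bsm = dict(flood, pim_type=BOOTSTRAP, ah_ok=True)
    return policer, verdicts, policer.handle(bsm, now=0.0)


if __name__ == "__main__":
    p, v, bsm_verdict = demo()
    print(v.count("drop: rate limit"), p.ah_checks, bsm_verdict)
```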