idnits 2.17.1

draft-ietf-pim-sm-bsr-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 16.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1757.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1768.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1775.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1781.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 127 instances of too long lines in the document, the longest
     one being 1 character in excess of 72.

  == There are 1 instance of lines with multicast IPv4 addresses in the
     document. If these are generic example addresses, they should be changed
     to use the 233.252.0.x range defined in RFC 5771

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (6 May 2006) is 6563 days in the past. Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-12) exists of
     draft-ietf-pim-sm-v2-new-11

  == Outdated reference: A later version (-09) exists of
     draft-ietf-pim-bidir-08

  -- Obsolete informational reference (is this intentional?): RFC 2362 (ref.
     '7') (Obsoleted by RFC 4601, RFC 5059)

     Summary: 4 errors (**), 0 flaws (~~), 5 warnings (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Engineering Task Force                                   PIM WG
INTERNET-DRAFT                                       Nidhi Bhaskar/Cisco
draft-ietf-pim-sm-bsr-08.txt                       Alexander Gall/SWITCH
                                                           James Lingard
                                                     Stig Venaas/UNINETT
                                                              6 May 2006
Expires: November 2006

                Bootstrap Router (BSR) Mechanism for PIM

Status of this Document

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware have
been or will be disclosed, and any of which he or she becomes aware will
be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

This document is a product of the IETF PIM WG. Comments should be
addressed to the authors, or the WG's mailing list at pim@ietf.org.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

     This document specifies the Bootstrap Router (BSR) mechanism
     for the class of multicast routing protocols in the PIM
     (Protocol Independent Multicast) family that use the concept
     of a Rendezvous Point as a means for receivers to discover the
     sources that send to a particular multicast group. BSR is one
     way that a multicast router can learn the set of group-to-RP
     mappings required in order to function.
     The mechanism is dynamic, largely self-configuring, and robust to
     router failure.

Table of Contents

   1. Introduction
      1.1. Background
      1.2. Protocol Overview
      1.3. Administrative Scoping and BSR
   2. BSR State and Timers
   3. Bootstrap Router Election and RP-Set Distribution
      3.1. Bootstrap Router Election
         3.1.1. Per-Scope-Zone Candidate-BSR State Machine
         3.1.2. Per-Scope-Zone State Machine for Non-Candidate-BSR Routers
         3.1.3. Bootstrap Message Processing Checks
         3.1.4. State Machine Transition Events
         3.1.5. State Machine Actions
      3.2. Sending Candidate-RP-Advertisement Messages
      3.3. Creating the RP-Set at the BSR
      3.4. Forwarding Bootstrap Messages
      3.5. Bootstrap Messages to New and Rebooting Routers
         3.5.1. No-Forward Bootstrap Messages
         3.5.2. Unicasting Bootstrap Messages
      3.6. Receiving and Using the RP-Set
   4. Message Formats
      4.1. Bootstrap Message Format
         4.1.1. Semantic Fragmentation of BSMs
      4.2. Candidate-RP-Advertisement Message Format
   5. Timers and Timer Values
   6. Security Considerations
      6.1. Possible Threats
      6.2. Limiting Third-Party DoS Attacks
      6.3. Bootstrap Message Security
         6.3.1. Rejecting Bootstrap Messages from Invalid Neighbors
      6.4. Candidate-RP-Advertisement Message Security
         6.4.1. Non-Cryptographic Security of C-RP-Adv Messages
         6.4.2. Cryptographic Security of C-RP-Adv Messages
      6.5. Denial of Service using IPsec
   7. Contributors
   8. Acknowledgments
   9. IANA Considerations
   10. Normative References
   11. Informative References

1. Introduction

This document assumes some familiarity with the concepts of Protocol
Independent Multicast - Sparse Mode (PIM-SM), as defined in [1], and
Bi-directional Protocol Independent Multicast (BIDIR-PIM), as defined in
[2], as well as with Administratively Scoped IP Multicast, as described
in [3], and the IPv6 Scoped Address Architecture, described in [4].

For correct operation, every multicast router within a PIM domain must
be able to map a particular multicast group address to the same
Rendezvous Point (RP). The PIM specifications do not mandate the use of
a single mechanism to provide routers with the information to perform
this group-to-RP mapping.

This document describes the PIM Bootstrap Router (BSR) mechanism. BSR
is one way that a multicast router can learn the information required to
perform the group-to-RP mapping. The mechanism is dynamic, largely
self-configuring, and robust to router failure.

BSR was first defined in RFC 2362 [7], which has since been obsoleted.
This document provides an updated specification of the BSR mechanism
from RFC 2362, and also extends it to cope with administratively scoped
region boundaries and different flavors of routing protocols.

Throughout the document, any reference to the PIM protocol family is
restricted to the subset of RP-based protocols, namely PIM-SM and
BIDIR-PIM, unless stated otherwise.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [6].

1.1. Background

A PIM domain is a contiguous set of routers that all implement PIM and
are configured to operate within a common boundary defined by PIM
Multicast Border Routers (PMBRs). PMBRs connect each PIM domain to the
rest of the internet.

Every PIM multicast group needs to be associated with the IP address of
a Rendezvous Point (RP). This address is used as the root of a
group-specific distribution tree whose branches extend to all nodes in
the domain that want to receive traffic sent to the group. Senders inject
packets into the tree in such a manner that they reach all connected
receivers. How this is done and how the packets are forwarded along the
distribution tree depends on the particular routing protocol.

For all senders to reach all receivers, it is crucial that all routers
in the domain use the same mappings of group addresses to RP addresses.

An exception to the above is where a PIM domain has been broken up into
multiple administrative scope regions. These are regions where a border
has been configured so that a set of multicast groups will not be
forwarded across that border. In this case, all PIM routers within the
same scope region must map a particular scoped group to the same RP
within that region.

In order to determine the RP for a multicast group, a PIM router
maintains a collection of group-to-RP mappings, called the RP-Set. A
group-to-RP mapping contains the following elements.

     o  Multicast group range, expressed as an address and prefix length

     o  RP priority

     o  RP address

     o  Hash mask length

     o  SM / BIDIR flag

In general, the group ranges of these group-to-RP mappings may overlap
in arbitrary ways; hence a particular multicast group may be covered by
multiple group-to-RP mappings. When this is the case, the router
chooses only one of the RPs by applying a deterministic algorithm so
that all routers in the domain make the same choice. It is important to
note that this algorithm is part of the specification of the individual
routing protocols (and may differ among them), not of the BSR
specification. E.g. PIM-SM [1] defines one such algorithm. It makes
use of a hash function for the case where a group range has multiple RPs
with the same priority. The hash mask length is used by this function.

There are a number of ways in which such group-to-RP mappings can be
established. The simplest solution is for all the routers in the domain
to be statically configured with the same information. However, static
configuration generally doesn't scale well, and, except when used in
conjunction with Anycast-RP (see [8] and [9]), does not dynamically
adapt to route around router or link failures.

The BSR mechanism provides a way in which viable group-to-RP mappings
can be created and rapidly distributed to all the PIM routers in a
domain. It is adaptive, in that if an RP becomes unreachable, this will
be detected and the RP-Sets will be modified so that the unreachable RP
is no longer used.

1.2. Protocol Overview

In this section we give an informal and non-definitive overview of the
BSR mechanism. The definitive specification begins in section 2.

The general idea behind the BSR mechanism is that some of the PIM
routers within a PIM domain are configured to be potential RPs for the
domain. These are known as Candidate-RPs (C-RPs). A subset of the
C-RPs will eventually be used as the actual RPs for the domain. In
addition, some of the PIM routers in the domain are configured to be
candidate bootstrap routers, or Candidate-BSRs (C-BSRs). One of these
C-BSRs will be elected to be the bootstrap router (BSR) for the domain,
and all the PIM routers in the domain will learn the result of this
election through Bootstrap messages. The C-RPs will then report their
candidacy to the elected BSR, which chooses a subset of these C-RPs and
distributes corresponding group-to-RP mappings to all the routers in the
domain through Bootstrap messages.

In more detail, the BSR mechanism works as follows. There are four
basic phases (although in practice all phases may be occurring
simultaneously):

1.  BSR Election. Each Candidate-BSR originates Bootstrap messages
    (BSMs). Every BSM contains a BSR Priority field. Routers within
    the domain flood the BSMs throughout the domain. A C-BSR that
    hears about a higher-priority C-BSR than itself then suppresses its
    sending of further BSMs for some period of time. The single
    remaining C-BSR becomes the elected BSR, and its BSMs inform all
    the other routers in the domain that it is the elected BSR.

2.  C-RP Advertisement. Each Candidate-RP within a domain sends
    periodic Candidate-RP-Advertisement (C-RP-Adv) messages to the
    elected BSR. A C-RP-Adv message includes the priority of the
    advertising C-RP, as well as a list of group ranges for which the
    candidacy is advertised. In this way, the BSR learns about
    possible RPs that are currently up and reachable.

3.  RP-Set Formation. The BSR selects a subset of the C-RPs that it
    has received C-RP-Adv messages from to form the RP-Set.
    In general it should do this in such a way that the RP-Set is
    neither too large to inform all the routers in the domain about,
    nor too small so that load is overly concentrated on some RPs. It
    should also attempt to produce an RP-Set that does not change
    frequently.

4.  RP-Set Flooding. In future Bootstrap messages, the BSR includes
    the RP-Set information. Bootstrap messages are flooded through the
    domain, which ensures that the RP-Set rapidly reaches all the
    routers in the domain. BSMs are originated periodically to ensure
    consistency after failure restoration.

    When a PIM router receives a Bootstrap message, it adds the
    group-to-RP mappings contained therein to its pool of mappings
    obtained from other sources (e.g. static configuration). It
    calculates the final mappings of group addresses to RP addresses
    from this pool according to rules specific to the particular
    routing protocol and uses that information to construct multicast
    distribution trees.

If a PIM domain becomes partitioned, each area separated from the old
BSR will elect its own BSR, which will distribute an RP-Set containing
RPs that are reachable within that partition. When the partition heals,
another election will occur automatically and only one of the BSRs will
continue to send out Bootstrap messages. As is expected at the time of
a partition or healing, some disruption in packet delivery may occur.
This time will be on the order of the region's round-trip time and the
BS_Timeout value.

1.3. Administrative Scoping and BSR

The mechanism described in the previous section does not work when the
PIM domain is divided into administratively scoped regions. To handle
this situation, we use the protocol modifications described in this
section.

Administrative scoping permits a PIM domain to be divided into multiple
admin-scope regions.
Each admin-scope region is a convex connected set
of PIM routers, and is associated with a set of group addresses. The
boundary of the admin-scope region is formed by Zone Border Routers
(ZBRs). ZBRs are configured not to forward traffic for any of the
scoped group addresses into or out of the scoped region. It is
important to note that a given scope boundary always creates at least
two scoped regions: one on either side of the boundary.

In IPv4, administratively scoped regions are associated with a set of
addresses given by an address and a prefix length. In IPv6,
administratively scoped regions are associated with a set of addresses
given by a single scope ID value. The set of addresses corresponding to
a given scope ID value is defined in [5]. For example, a scope ID of 5
maps to the 16 IPv6 address ranges ff[0-f]5::/16.

There are certain topological restrictions on admin-scope regions.
Firstly, the scope zone border must be complete and convex. By this we
mean that there must be no path from inside the scoped zone to outside
it that does not pass through a configured scope border router, and that
the multicast capable path between any arbitrary pair of multicast
routers in the scope zone must remain in the zone. In addition, a
boundary for one scope must always be a boundary for all smaller scopes,
where a smaller scope for IPv4 is one whose address range is contained
within the other address range, and for IPv6 is one whose scope ID is
less than the other scope ID.

Administrative scoping complicates BSR because we do not want a PIM
router within the scoped region to use an RP outside the scoped region.
Thus we need to modify the basic mechanism to ensure that this doesn't
happen.

This is done by running a separate copy of the basic BSR mechanism, as
described in the previous section, within each admin scope region of a
PIM domain.
Thus a separate BSR election takes place for each
admin-scope region, a C-RP typically registers to the BSR of every admin
scope zone it is in, and every PIM router receives Bootstrap messages for
every scope zone it is in. The Bootstrap messages sent by the BSR for a
particular scope zone contain information about the RPs that should be
used for the set of addresses associated with that scope zone.

Bootstrap messages are marked to indicate which scope zone they belong
to. Such admin scoped Bootstrap messages are flooded in the normal way,
but will not be forwarded by a ZBR across the boundary for that scope
zone.

For the BSR mechanism to function correctly with admin scoping, within
each admin scope region there must be at least one C-BSR, and at least
one C-RP that is configured to be a C-RP for the set of group addresses
associated with the scoped region.

Even when administrative scoping is used, a copy of the BSR mechanism is
still used across the entire PIM domain, in order to distribute RP
information for groups that are not administratively scoped. We call
this copy of the mechanism Non-Scoped BSR. The copies of the mechanism
run for each admin-scope region are called Scoped BSR.

Only the C-BSRs and the ZBRs need to be configured to know about the
existence of the scope zones. Other routers, including the C-RPs, learn
of their existence from Bootstrap messages.

All PIM routers within a PIM bootstrap domain where admin scope ranges
are in use must be capable of receiving Bootstrap messages and storing
the winning BSR and RP-Set for all admin scope zones that apply. Thus
PIM routers that only implement RFC 2362 or Non-Scoped BSR (which only
allows one BSR per domain) cannot be used within the admin-scope regions
of a PIM domain.

2. BSR State and Timers

A PIM router implementing BSR holds the following state.

     RP-Set

     Per Configured or Learned Scope Zone (Z):

          At all routers:

               Current Bootstrap Router's IP Address

               Current Bootstrap Router's BSR Priority

               Last BSM received from current BSR

               Bootstrap Timer (BST(Z))

               Per group-to-RP mapping (M):

                    Group-to-RP mapping Expiry Timer (GET(M,Z))

          At a Candidate-BSR for Z:

               My state: One of "Candidate-BSR", "Pending-BSR",
                         "Elected-BSR"

          At a router that is not a Candidate-BSR for Z:

               My state: One of "Accept Any", "Accept Preferred"

               Scope-Zone Expiry Timer (SZT(Z))

          At the current Bootstrap Router for Z only:

               Per group-to-C-RP mapping (M):

                    Group-to-C-RP mapping Expiry Timer (CGET(M,Z))

     At a C-RP only:

          C-RP Advertisement Timer (CRPT)

3. Bootstrap Router Election and RP-Set Distribution

3.1. Bootstrap Router Election

For simplicity, Bootstrap messages are used in both the BSR election and
the RP-Set distribution mechanisms.

Each Bootstrap message indicates the scope that it belongs to. If the
Admin Scope Zone bit is set in the first group range in the Bootstrap
message, the message is called a scoped BSM. If the Admin Scope Zone
bit is not set in the first group range in the Bootstrap message, the
message is called a non-scoped BSM.

In a scoped IPv4 BSM, the scope of the message is given by the first
group range in the message, which can be any sub-range of 224/4. In a
scoped IPv6 BSM, the scope of the message is given by the scope ID of
the first group range in the message, which must have a mask length of
at least 16. For example, a group range of ff05::/16 with the Admin
Scope Zone bit set indicates that the Bootstrap message is for the scope
with scope ID 5. If the mask length of the first group range in a
scoped IPv6 BSM is less than 16, the message MUST be dropped and a
warning SHOULD be logged.

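The scope rules above, as an added Python example that is not part of the draft. The function names, the DropBSM exception and the sample group ranges are assumptions made for the illustration; the first group range is taken as an already decoded prefix string plus its Admin Scope Zone bit.

```python
import ipaddress
import logging

log = logging.getLogger("bsr-example")


class DropBSM(Exception):
    """Raised when the rules of section 3.1 say the message MUST be dropped."""


def scope_id_ranges(scope_id):
    """The 16 IPv6 ranges ff[0-f]<scope_id>::/16 that one scope ID maps to."""
    return [ipaddress.ip_network(f"ff{flags:x}{scope_id:x}::/16")
            for flags in range(16)]


def bsm_scope(first_group_range, admin_scope_zone_bit):
    """Classify a BSM from its first group range.

    Returns ("non-scoped", None), ("scoped-v4", network) or
    ("scoped-v6", scope_id).
    """
    net = ipaddress.ip_network(first_group_range, strict=False)
    if not admin_scope_zone_bit:
        return ("non-scoped", None)
    if net.version == 4:
        # Scoped IPv4 BSM: the first group range itself names the scope.
        return ("scoped-v4", net)
    if net.prefixlen < 16:
        # Fewer than 16 mask bits cannot carry a scope ID.
        log.warning("scoped IPv6 BSM with mask length %d < 16, dropping",
                    net.prefixlen)
        raise DropBSM(first_group_range)
    # The scope ID is the low nibble of the second byte of the address.
    scope_id = (int(net.network_address) >> 112) & 0xF
    return ("scoped-v6", scope_id)


def group_in_scope(group, scope_id):
    """True if an IPv6 group address belongs to the given scope ID."""
    addr = ipaddress.ip_address(group)
    return any(addr in rng for rng in scope_id_ranges(scope_id))
```

Two first group ranges with different flag nibbles, such as ff05::/16 and ff35:40::/32, resolve to the same scope ID 5, which is why the scope is keyed on the scope ID rather than on the prefix.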
The state machine for Bootstrap messages depends on whether or not a
router has been configured to be a Candidate-BSR for a particular scope
zone. The per-scope-zone state machine for a C-BSR is given below,
followed by the state machine for a router that is not configured to be
a C-BSR.

3.1.1. Per-Scope-Zone Candidate-BSR State Machine

+-----------------------------------------------------------------------+
|                          When in C-BSR state                          |
+-----------+------------------+--------------------+-------------------+
| Event     | Receive          | Bootstrap          | Receive Non-      |
|           | Preferred BSM    | Timer Expires      | preferred BSM     |
|           |                  |                    | from Elected      |
|           |                  |                    | BSR               |
+-----------+------------------+--------------------+-------------------+
|           | -> C-BSR state   | -> P-BSR state     | -> P-BSR state    |
|           | Forward BSM;     | Set Bootstrap      | Forward BSM;      |
| Action    | Store RP-Set;    | Timer to           | Set Bootstrap     |
|           | Set Bootstrap    | BS_Rand_Override   | Timer to          |
|           | Timer to         |                    | BS_Rand_Override  |
|           | BS_Timeout       |                    |                   |
+-----------+------------------+--------------------+-------------------+

+-----------------------------------------------------------------------+
|                          When in P-BSR state                          |
+------------+-------------------+-------------------+------------------+
| Event      | Receive           | Bootstrap         | Receive Non-     |
|            | Preferred BSM     | Timer Expires     | preferred BSM    |
+------------+-------------------+-------------------+------------------+
|            | -> C-BSR state    | -> E-BSR state    | -> P-BSR state   |
|            | Forward BSM;      | Originate BSM;    | Forward BSM      |
| Action     | Store RP-Set;     | Set Bootstrap     |                  |
|            | Set Bootstrap     | Timer to          |                  |
|            | Timer to          | BS_Period         |                  |
|            | BS_Timeout        |                   |                  |
+------------+-------------------+-------------------+------------------+

+-----------------------------------------------------------------------+
|                          When in E-BSR state                          |
+------------+-------------------+-------------------+------------------+
| Event      | Receive           | Bootstrap         | Receive Non-     |
|            | Preferred BSM     | Timer Expires     | preferred BSM    |
+------------+-------------------+-------------------+------------------+
|            | -> C-BSR state    | -> E-BSR state    | -> E-BSR state   |
|            | Forward BSM;      | Originate BSM;    | Originate BSM;   |
| Action     | Store RP-Set;     | Set Bootstrap     | Set Bootstrap    |
|            | Set Bootstrap     | Timer to          | Timer to         |
|            | Timer to          | BS_Period         | BS_Period        |
|            | BS_Timeout        |                   |                  |
+------------+-------------------+-------------------+------------------+

A Candidate-BSR may be in one of three states for a particular scope
zone:

Candidate-BSR (C-BSR)
     The router is a candidate to be the BSR for the scope zone, but
     currently another router is the preferred BSR.

Pending-BSR (P-BSR)
     The router is a candidate to be the BSR for the scope zone.
     Currently no other router is the preferred BSR, but this router is
     not yet the elected BSR. This is a temporary state that prevents
     rapid thrashing of the choice of BSR during BSR election.

Elected-BSR (E-BSR)
     The router is the elected BSR for the scope zone and it must
     perform all the BSR functions.

In addition to the three states, there is one timer:

o  The Bootstrap Timer (BST) - used to time out old bootstrap router
   information, and used in the election process to terminate P-BSR
   state.

On startup, the initial state for this configured scope zone is
"Pending-BSR"; the Bootstrap Timer is initialized to BS_Rand_Override.

3.1.2. Per-Scope-Zone State Machine for Non-Candidate-BSR Routers

+-----------------------------------------------------------------------+
|                         When in NoInfo state                          |
+---------------------+-------------------------------------------------+
| Event               | Receive BSM                                     |
+---------------------+-------------------------------------------------+
|                     | -> AP state                                     |
| Action              | Forward BSM; Store RP-Set;                      |
|                     | Set Bootstrap Timer to BS_Timeout;              |
|                     | Set SZT to SZ_Timeout                           |
+---------------------+-------------------------------------------------+

+-----------------------------------------------------------------------+
|                       When in Accept Any state                        |
+---------------+----------------------------+--------------------------+
| Event         | Receive BSM                | Scope-Zone Expiry        |
|               |                            | Timer Expires            |
+---------------+----------------------------+--------------------------+
|               | -> AP state                | -> NoInfo state          |
|               | Forward BSM; Store         | Cancel timers;           |
| Action        | RP-Set; Set                | Clear state              |
|               | Bootstrap Timer to         |                          |
|               | BS_Timeout; Set            |                          |
|               | SZT to SZ_Timeout          |                          |
+---------------+----------------------------+--------------------------+

+-----------------------------------------------------------------------+
|                    When in Accept Preferred state                     |
+----------+-----------------------+------------------+-----------------+
| Event    | Receive Preferred     | Bootstrap        | Receive Non-    |
|          | BSM                   | Timer Expires    | preferred BSM   |
+----------+-----------------------+------------------+-----------------+
|          | -> AP state           | -> AA state      | -> AP state     |
|          | Forward BSM; Store    | Refresh RP-      |                 |
| Action   | RP-Set; Set           | Set; Remove      |                 |
|          | Bootstrap Timer to    | BSR state        |                 |
|          | BS_Timeout; Set SZT   |                  |                 |
|          | to SZ_Timeout         |                  |                 |
+----------+-----------------------+------------------+-----------------+

A router that is not a Candidate-BSR may be in one of three states:

NoInfo
     The router has no information about this scope zone. This state
     does not apply if the router is configured to know about this scope
     zone, or for the global scope zone. When in this state, no state
     information is held and no timers run that refer to this scope
     zone.

Accept Any (AA)
     The router does not know of an active BSR, and will accept the
     first Bootstrap message it sees as giving the new BSR's identity
     and the RP-Set.

Accept Preferred (AP)
     The router knows the identity of the current BSR, and is using the
     RP-Set provided by that BSR. Only Bootstrap messages from that BSR
     or from a C-BSR with higher weight than the current BSR will be
     accepted.

In addition to the three states, there are two timers:

o  The Bootstrap Timer (BST) - used to time out old bootstrap router
   information.

o  The Scope-Zone Expiry Timer (SZT) - used to time out the scope zone
   itself if Bootstrap messages specifying this scope zone stop arriving.

On startup, the initial state for this scope zone is "Accept Any" for
routers that know about this scope zone, either through configuration or
because the scope zone is the global scope which always exists; the
Scope-Zone Expiry Timer is considered to be always running for such
scope zones. For routers that do not know about a particular scope
zone, the initial state is NoInfo; no timers exist for the scope zone.

3.1.3. Bootstrap Message Processing Checks

When a Bootstrap message is received, the following initial checks must
be performed:

     if ((DirectlyConnected(BSM.src_ip_address) == FALSE) OR
         (we have no Hello state for BSM.src_ip_address)) {
       drop the Bootstrap message silently
     }

     if (BSM.dst_ip_address == ALL-PIM-ROUTERS) {
       if (BSM.no_forward_bit == 0) {
         if (BSM.src_ip_address != RPF_neighbor(BSM.BSR_ip_address)) {
           drop the Bootstrap message silently
         }
       } else if ((any previous BSM for this scope has been accepted) OR
                  (more than BS_Period has elapsed since startup)) {
         #only accept no-forward BSM if quick refresh on startup
         drop the Bootstrap message silently
       }
     } else if ((Unicast BSM support enabled) AND
                (BSM.dst_ip_address is one of my addresses)) {
       if ((any previous BSM for this scope has been accepted) OR
           (more than BS_Period has elapsed since startup)) {
         #the packet was unicast, but this wasn't
         #a quick refresh on startup
         drop the Bootstrap message silently
       }
     } else {
       drop the Bootstrap message silently
     }

     if (the interface the message arrived on is an Admin Scope
         border for the BSM.first_group_address) {
       drop the Bootstrap message silently
     }

Basically, the packet must have come from a directly connected neighbor
for which we have active Hello state. It must have been sent to the
ALL-PIM-ROUTERS group, and unless it is a No-Forward BSM, been sent by
the correct upstream router towards the BSR that originated the
Bootstrap message; or, if it is a No-Forward BSM, we must have recently
restarted and have no BSR state for that admin scope. Also, if unicast
BSM support is enabled, a unicast BSM is accepted if it is addressed to
us and we have recently restarted and have no BSR state for that admin
scope.
In addition, it must not have arrived on an interface that is a
configured admin scope border for the first group address contained in
the Bootstrap message.

3.1.4. State Machine Transition Events

If the Bootstrap message passes the initial checks above without being
discarded, then it may cause a state transition event in one of the
above state machines. For both candidate and non-candidate BSRs, the
following transition events are defined:

     Receive Preferred BSM
          A Bootstrap message is received from a BSR that has higher or
          equal weight than the current BSR. If a router is in P-BSR
          state, then it uses its own weight as that of the current BSR.

          A Bootstrap message is also preferred if it is from the
          current BSR with a lower weight than the previous BSM it sent,
          provided that if the router is a Candidate BSR the current BSR
          still has a weight higher or equal than the router itself. In
          this case, the "Current Bootstrap Router's BSR Priority" state
          must be updated. (For lower weight, see Non-preferred BSM
          from Elected BSR case.)

          The weight of a BSR is defined to be the concatenation in
          fixed-precision unsigned arithmetic of the BSR Priority field
          from the Bootstrap message and the IP address of the BSR from
          the Bootstrap message (with the BSR Priority taking the
          most-significant bits and the IP address taking the least
          significant bits).

     Receive Non-preferred BSM
          A Bootstrap message is received from a BSR that has lower
          weight than the current BSR. If a router is in P-BSR state,
          then it uses its own weight as that of the current BSR.

     Receive Non-preferred BSM from Elected BSR
          A Bootstrap message is received from the elected BSR, but the
          BSR Priority field in the received message has changed, so
          that now the currently elected BSR has lower weight than the
          router itself.

   Receive BSM
      A Bootstrap message is received, regardless of BSR weight.

In addition to state machine transitions caused by the receipt of
Bootstrap messages, a state machine transition takes place each time the
Bootstrap Timer or Scope-Zone Expiry Timer expires.

3.1.5. State Machine Actions

The state machines specify actions that include setting the Bootstrap
Timer and the Scope-Zone Expiry Timer to various values. These values
are defined in Section 5.

In addition to setting and cancelling the timers, the following actions
may be triggered by state changes in the state machines:

   Forward BSM
      A multicast Bootstrap message with No-Forward bit cleared that
      passes the Bootstrap Message Processing Checks is forwarded
      out of all interfaces with PIM neighbors (including the
      interface it is received on), except where this would cause
      the BSM to cross an admin-scope boundary for the scope zone
      indicated in the message. For details, see section 3.4.

   Originate BSM
      A new Bootstrap message is constructed by the BSR, giving the
      BSR's address and BSR priority, and containing the BSR's
      chosen RP-Set. The message is forwarded out of all interfaces
      on which PIM neighbors exist, except where this would cause
      the BSM to cross an admin-scope boundary for the scope zone
      indicated in the message.

   Store RP-Set
      The router uses the group-to-RP mappings contained in a BSM to
      update its local RP-Set.

      This action is skipped for an empty BSM. A BSM is empty if it
      contains no group ranges, or if it only contains a single
      group range where that group range has the Admin Scope Zone
      bit set (a scoped BSM) and an RP count of zero.

      If a mapping does not yet exist, it is created and the
      associated Group-to-RP mapping Expiry Timer (GET) is
      initialized with the holdtime from the BSM.

      If a mapping already exists, its GET is set to the holdtime
      from the BSM.
      If the holdtime is zero, the mapping is removed
      immediately. Note that for an existing mapping, the RP
      priority must be updated if changed.

      Mappings for a group range are also to be immediately removed
      if they are not present in the received group range. This
      means that if there are any existing Group-to-RP mappings for
      a range where the respective RPs are not in the received
      range, then those mappings must be removed.

      All RP mappings associated with the scope zone of the BSM are
      updated with the new hash mask length from the received BSM.
      This includes RP mappings for all group ranges learned for
      this zone, not just the ranges in this particular BSM.

      In addition, the entire BSM is stored for use in the action
      Refresh RP-Set and to prime a new PIM neighbor as described
      below.

   Refresh RP-Set
      When the Bootstrap Timer expires, the router uses the copy of
      the last BSM that it has received to refresh its RP-Set
      according to the action Store RP-Set as if it had just
      received it. This will increase the chance that the
      group-to-RP mappings will not expire during the election of
      the new BSR.

   Remove BSR state
      When the Bootstrap Timer expires, all state associated with
      the current BSR is removed (see section 2). Note that this
      does not include any group-to-RP mappings.

3.2. Sending Candidate-RP-Advertisement Messages

Every C-RP periodically unicasts a C-RP-Adv message to the BSR for each
scope zone for which it has state, to inform the BSR of the C-RP's
willingness to function as an RP. These messages are sent with an
interval of C_RP_Adv_Period, except when a new BSR is elected, see
below.

When a new BSR is elected, the C-RP MUST send one to three C-RP-Adv
messages, waiting a randomized amount of 0-3 seconds before sending each
message.
We recommend sending three messages because it is important
that the BSR quickly learns which RPs are active, and some packet loss
may occur when a new BSR is elected due to changes in the network. One
way of implementing this is to set the CRPT to 0-3 seconds when the new
BSR is elected, as well as setting a counter to 2. Whenever the CRPT
expires, we first send a C-RP-Adv message as usual. Next, if the
counter is non-zero, it is decremented and the CRPT is again set to 0-3
seconds instead of C_RP_Adv_Period.

The Priority field in these messages is used by the BSR to select which
C-RPs to include in the RP-Set. Note that lower values of this field
indicate higher priorities, so that a value of zero is the highest
possible priority. C-RPs should by default send C-RP-Adv messages with
the Priority field set to 192.

When a C-RP is being shut down, it SHOULD immediately send a C-RP-Adv
message to the BSR for each scope zone for which it is currently serving
as an RP; the Holdtime in this C-RP-Adv message should be zero. The BSR
will then immediately time out the C-RP and generate a new Bootstrap
message with the shut down RP holdtime set to 0.

A C-RP-Adv message carries a list of group address and group mask field
pairs. This enables the C-RP to specify the group prefixes for which it
is willing to be the RP. If the C-RP becomes an RP, it may enforce this
scope acceptance when receiving Register or Join/Prune messages.

A C-RP is configured with a list of group ranges for which it should
advertise itself as the C-RP. A C-RP uses the following algorithm to
determine which ranges to send to a given BSR.

For each group range R in the list, the C-RP advertises that range to
the scoped BSR for the smallest scope that "contains" R. For IPv6, the
containing scope is determined by matching the scope identifier of the
group range with the scope of the BSR.
For IPv4, it is the longest-prefix
match for R, amongst the known admin-scope ranges. If no scope
is found to contain the group range the C-RP includes it in the C-RP-Adv
sent to the non-scoped BSR. If a non-scoped BSR is not known, the range
is not included in any C-RP-Adv.

In addition, for each IPv4 group range R in the list, for each scoped
BSR whose scope range is strictly contained within R, the C-RP SHOULD by
default advertise that BSR's scope range to that BSR. And for each IPv6
group range R in the list with prefix length < 16, the C-RP SHOULD by
default advertise each sub-range of prefix length 16 to the scoped BSR
with the corresponding scope ID. An implementation MAY supply a
configuration option to prevent the behavior described in this
paragraph, but such an option SHOULD be disabled by default.

For IPv6, the mask length of all group ranges included in the C-RP-Adv
message sent to a scoped BSR MUST be >= 16.

If the above algorithm determines that there are no group ranges to
advertise to the BSR for a particular scope zone, a C-RP-Adv message
MUST NOT be sent to that BSR. A C-RP MUST NOT send a C-RP-Adv message
with no group ranges in it.

If the same router is the BSR for more than one scope zone, the C-RP-Adv
messages for these scope zones MAY be combined into a single message.

If the C-RP is a ZBR for an admin scope zone, then the Admin Scope Zone
bit MUST be set in the C-RP-Adv messages it sends for that scope zone;
otherwise this bit MUST NOT be set. This information is currently only
used for logging purposes by the BSR, but might allow for future
extensions of the protocol.

3.3. Creating the RP-Set at the BSR

Upon receiving a C-RP-Adv message, the router needs to decide whether or
not to accept each of the group ranges included in the message.
For each group range in the message, the router checks to see if it is
the elected BSR for any scope zone that contains the group range, or if
it is elected as the non-scoped BSR. If so, the group range is accepted;
if not, the group range is ignored.

For security reasons, we recommend that implementations have a way of
restricting which IP addresses the BSR accepts C-RP-Adv messages from,
e.g., access lists. For use of scoped BSR, it may also be useful to
specify which group ranges should be accepted.

If the group range is accepted, a group-to-C-RP mapping is created for
this group range and the RP Address from the C-RP-Adv message.

If the mapping is not already part of the C-RP-Set, it is added to the
C-RP-Set and the associated Group-to-C-RP mapping Expiry Timer (CGET) is
initialized to the holdtime from the C-RP-Adv message. Its priority is
set to the Priority from the C-RP-Adv message.

If the mapping is already part of the C-RP-Set, it is updated with the
Priority from the C-RP-Adv message and its associated CGET is reset to
the holdtime from the C-RP-Adv message. If the holdtime is zero, the
mapping is immediately removed from the C-RP-Set.

The hash mask length is a global property of the BSR and is therefore
the same for all mappings managed by the BSR.

For compatibility with the previous version of the BSR specification, a
C-RP-Adv message with no group ranges SHOULD be treated as though it
contained the single group range ff00::/8 or 224/4. Therefore,
according to the rule above, this group range will be accepted if and
only if the router is elected as the non-scoped BSR.

When a CGET expires, the corresponding group-to-C-RP mapping is removed
from the C-RP-Set.

The BSR constructs the RP-Set from the C-RP-Set. It may apply a local
policy to limit the number of Candidate-RPs included in the RP-Set.
The BSR may override the prefix indicated in a C-RP-Adv message unless
the `Priority' field from the C-RP-Adv message is less than 128.

For inclusion in a BSM, the RP-Set is subdivided into sets of
{group-prefix, RP-Count, RP-addresses}. For each RP-address, the
"RP-Holdtime" field is set to the Holdtime from the C-RP-Set, subject to
the constraint that it MUST be larger than BS_Period and SHOULD be
larger than 2.5 times BS_Period to allow for some Bootstrap messages
getting lost. If some holdtimes from the C-RP-Sets do not satisfy this
constraint, the BSR MUST replace those holdtimes with a value satisfying
the constraint. An exception to this is the holdtime of zero which is
used to immediately withdraw mappings.

The format of the Bootstrap message allows `semantic fragmentation', if
the length of the original Bootstrap message exceeds the packet maximum
boundaries. However, we recommend against configuring a large number of
routers as C-RPs, to reduce the semantic fragmentation required.

In general BSMs are originated at regular intervals according to the
BS_Period timer. We do recommend that a BSM is also originated whenever
the RP-set to be announced in the BSMs changes. This will usually
happen when receiving C-RP advertisements from a new C-RP, or when a
C-RP is shut down (C-RP advertisement with a holdtime of zero). There
MUST however be a minimum of 10 seconds between each time a BSM is sent.
In particular, when a new BSR is elected, it will first send one BSM
(which is likely to be empty since it has not yet received any C-RP
advertisements), and then wait at least 10 seconds before sending a new
one. During those 10 seconds, it is likely to have received C-RP
advertisements from all usable C-RPs (since we say that a C-RP should
send one or more advertisements with small random delays of 0-3 seconds
when a new BSR is elected).
For this case in particular, where routers
may not have a usable RP-set, we recommend originating a BSM as soon as
those 10 seconds have passed. We suggest though that a BSR can do this
in general. One way of implementing this is to decrease the Bootstrap
Timer to 10 seconds whenever the RP-set changes, while not changing the
timer if it is less than or equal to 10.

A BSR originates separate scoped BSMs for each scope zone for which it
is the elected BSR, as well as originating non-scoped BSMs if it is the
elected non-scoped BSR.

Each group-to-C-RP mapping is included in precisely one of these BSMs,
namely the scoped BSM for the narrowest scope containing the group range
of the mapping, if any, or the non-scoped BSM otherwise.

A scoped BSM MUST have at least one group range, and the first group
range in a scoped BSM MUST have the "Admin Scope Zone" bit set. This
group range identifies the scope of the BSM. In a scoped IPv4 BSM, the
first group range is the range corresponding to the scope of the BSM.
In a scoped IPv6 BSM, the first group range may be any group range
subject to the general condition that all the group ranges in such a BSM
MUST have a mask length of at least 16 and MUST have the same scope ID
as the scope of the BSM.

RP mappings may be included in the first group range of a BSM, just as
for any other group range. After this group range, other group ranges
for which there are RP mappings appear in any order.

The "Admin Scope Zone" bit of all group ranges other than the first
SHOULD be set to 0 on origination, and MUST be ignored on receipt.

When an elected BSR is being shut down, it should immediately originate
a Bootstrap message listing its current RP-Set, but with the BSR
Priority field set to the lowest priority value possible. This will
cause the election of a new BSR to happen more quickly.

3.4. Forwarding Bootstrap Messages

Generally, bootstrap messages originate at the BSR, and are hop-by-hop
forwarded by intermediate routers if they pass the Bootstrap Message
Processing Checks. There are two exceptions to this. One is that a
bootstrap message is not forwarded if its No-Forward bit is set, see
3.5.1. The other is that unicast BSMs, see 3.5.2, are usually not
forwarded. Implementers MAY, however, at their own discretion choose to
re-send a No-Forward or unicast BSM in a multicast BSM which MUST have
the No-Forward bit cleared. It is essential that the No-Forward bit is
cleared, since no RPF check is performed by the receiver when set.

By hop-by-hop forwarding, we mean that the bootstrap message itself is
forwarded, not the entire IP packet. Each hop constructs an IP packet
for each of the interfaces the BSM is to be forwarded out of; each
packet containing the entire BSM that was received.

When a Bootstrap message is forwarded, it is forwarded out of every
multicast-capable interface which has PIM neighbors (including the one
over which the message was received). The exception to this is if the
interface is an administrative scope boundary for the admin scope zone
indicated in the first group address in the Bootstrap message packet.

As an optimization, a router MAY choose not to forward a BSM out of the
interface the message was received on if that interface is a
point-to-point interface. On interfaces with multiple PIM neighbors, a
router SHOULD forward an accepted BSM onto the interface that BSM was
received on, but if the number of PIM neighbors on that interface is
large, it MAY delay forwarding a BSM onto that interface by a small
randomized interval to prevent message implosion.
A configuration option MAY be
provided to disable forwarding onto the interface a message was received
on, but we recommend that the default behavior is to forward onto that
interface.

Rationale: A BSM needs to be forwarded onto the interface the message
was received on (in addition to the other interfaces) because the
routers on a LAN may not have consistent routing information. If three
routers on a LAN are A, B, and C, and at router B RPF(BSR)==A and at
router C RPF(BSR)==B, then router A originally forwards the BSM onto the
LAN, but router C will only accept it when router B re-forwards the
message onto the LAN. If the underlying routing protocol configuration
guarantees that the routers have consistent routing information, then
forwarding onto the incoming interface may safely be disabled.

A ZBR constrains all BSMs which are of equal or smaller scope than the
configured boundary. That is, the BSMs are not accepted from,
originated or forwarded on the interfaces on which the boundary is
configured. For IPv6 the check is a comparison between the scope of the
first range in the scoped BSM and the scope of the configured boundary.
For IPv4, the first range in the scoped BSM is checked to see if it is
contained in or is the same as the range of the configured boundary.

3.5. Bootstrap Messages to New and Rebooting Routers

To allow new or rebooting routers to learn the RP-Set quickly, when a
Hello message is received from a new neighbor, or a Hello message with a
new GenID is received from an existing neighbor, one router on the LAN
sends a stored copy of the Bootstrap message for each admin scope zone
to the new or rebooting router.

This message SHOULD be sent as a No-Forward Bootstrap message, see
3.5.1. For backwards compatibility, this message MAY instead or in
addition be sent as a Unicast Bootstrap message, see 3.5.2. These
messages MUST only be accepted at startup, see 3.1.3.

The router that does this is the Designated Router (DR) on the LAN, or,
if the new or rebooting router is the DR, the router that would be the
DR if the new or rebooting router were excluded from the DR election
process.

Before sending a Bootstrap message in this manner, the router must wait
until it has sent a triggered Hello message on this interface;
otherwise, the new neighbor will discard the Bootstrap message.

3.5.1. No-Forward Bootstrap Messages

A No-Forward Bootstrap message is a bootstrap message that has the
No-Forward bit set. All implementations SHOULD support sending of
No-Forward Bootstrap messages, and SHOULD also accept them. The RPF
check MUST NOT be performed in the BSM processing check for a No-Forward
BSM, see 3.1.3. The messages have the same source and destination
addresses as the usual multicast Bootstrap messages.

3.5.2. Unicasting Bootstrap Messages

For backwards compatibility, implementations MAY support Unicast
Bootstrap messages. Whether to send Unicast Bootstrap Messages instead
of or in addition to No-Forward Bootstrap Messages, and also whether to
accept such messages, SHOULD be configurable. This message is unicast
to the neighbor.

3.6. Receiving and Using the RP-Set

The RP-Set maintained by BSR is used by RP-based multicast routing
protocols like PIM-SM and BIDIR-PIM. These protocols may obtain RP-Sets
from other sources as well. How the final group-to-RP mappings are
obtained from these RP-Sets is not part of the BSR specification. In
general, the routing protocols need to re-calculate the mappings when
any of their RP-Sets change. How such a change is signalled to the
routing protocol is also not part of the present specification.
Some group-to-RP mappings in the RP-Set indicate group ranges for which
PIM-SM should be used; others indicate group ranges for use with
BIDIR-PIM. Routers that only support one of these protocols MUST NOT
ignore ranges indicated as being for the other protocol. They MUST NOT
treat them as being for the protocol they support.

4. Message Formats

BSR messages are PIM messages, as defined in [1]. The values of the PIM
Message Type field for BSR messages are:

   4  Bootstrap

   8  Candidate-RP-Advertisement

As with all other PIM control messages, BSR messages have IP protocol
number 103.

Candidate-RP-Advertisement messages are unicast to a BSR. Usually,
Bootstrap messages are multicast with TTL 1 to the ALL-PIM-ROUTERS
group, but in some circumstances (described in section 3.5.2) Bootstrap
messages are unicast to a specific PIM neighbor.

The IP source address used for Candidate-RP-Advertisement messages is a
domain-wide reachable address. The IP source address used for Bootstrap
messages (regardless of whether they are being originated or forwarded)
is the link-local address of the interface on which the message is being
sent (that is, the same source address that the router uses for the
Hello messages it sends out that interface).

The IPv4 ALL-PIM-ROUTERS group is 224.0.0.13. The IPv6 ALL-PIM-ROUTERS
group is ff02::d.

In this section we use the following terms defined in the PIM-SM
specification [1]:

   o Encoded-Unicast format

   o Encoded-Group format

We repeat these here to aid readability.
Encoded-Unicast address

An Encoded-Unicast address takes the following format:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Addr Family  | Encoding Type |     Unicast Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...

Addr Family
   The PIM address family of the `Unicast Address' field of this
   address.

   Values of 0-127 are as assigned by the IANA for Internet Address
   Families in [10]. Values 128-250 are reserved to be assigned by
   the IANA for PIM-specific Address Families. Values 251 through 255
   are designated for private use. As there is no assignment
   authority for this space, collisions should be expected.

Encoding Type
   The type of encoding used within a specific Address Family. The
   value `0' is reserved for this field, and represents the native
   encoding of the Address Family.

Unicast Address
   The unicast address as represented by the given Address Family and
   Encoding Type.

Encoded-Group address

Encoded-Group addresses take the following format:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Addr Family  | Encoding Type |B| Reserved  |Z|   Mask Len    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                Group multicast Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...

Addr Family
   described above.

Encoding Type
   described above.

[B]IDIR bit
   When set, all BIDIR capable PIM routers will operate the protocol
   described in [2] for the specified group range.

Reserved
   Transmitted as zero. Ignored upon receipt.

Admin Scope [Z]one
   When set, this bit indicates that this group address range is an
   administratively scoped range.
Mask Len
   The Mask length field is 8 bits. The value is the number of
   contiguous one bits left justified used as a mask which, combined
   with the group address, describes a range of groups. It is less
   than or equal to the address length in bits for the given Address
   Family and Encoding Type. If the message is sent for a single
   group then the Mask length must equal the address length in bits
   for the given Address Family and Encoding Type. (e.g. 32 for IPv4
   native encoding and 128 for IPv6 native encoding).

Group multicast Address
   Contains the group address.

4.1. Bootstrap Message Format

A bootstrap message may be divided up into 'semantic fragments' if the
resulting IP datagram would exceed the maximum packet size boundaries.
Basically, a single Bootstrap message can be sent as multiple semantic
fragments (each in a separate IP datagram), so long as the fragment tags
of all the semantic fragments comprising the message are the same. The
format of a single non-fragmented message is the same as the one used
for semantic fragments.
The format of a single `fragment' is given below:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|PIM Ver| Type  |N|  Reserved   |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Fragment Tag          | Hash Mask Len | BSR Priority  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             BSR Address (Encoded-Unicast format)              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Group Address 1 (Encoded-Group format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RP Count 1    | Frag RP Cnt 1 |         Reserved              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address 1 (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RP1 Holdtime         | RP1 Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address 2 (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RP2 Holdtime         | RP2 Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               .                               |
|                               .                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address m (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RPm Holdtime         | RPm Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Group Address 2 (Encoded-Group format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               .                               |
|                               .                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Group Address n (Encoded-Group format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RP Count n    | Frag RP Cnt n |         Reserved              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address 1 (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RP1 Holdtime         | RP1 Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address 2 (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RP2 Holdtime         | RP2 Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               .                               |
|                               .                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RP Address m (Encoded-Unicast format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          RPm Holdtime         | RPm Priority  |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

PIM Version, Reserved, Checksum
   Described in [1].

Type
   PIM Message Type. Value is 4 for a Bootstrap message.

[N]o-forward bit
   When set, this bit means that the Bootstrap message fragment is not
   to be forwarded.

Fragment Tag
   A randomly generated number that acts to distinguish the fragments
   belonging to different Bootstrap messages; fragments belonging to
   the same Bootstrap message carry the same `Fragment Tag'.

Hash Mask Len
   The length (in bits) of the mask to use in the hash function. For
   IPv4 we recommend a value of 30. For IPv6 we recommend a value of
   126. This field SHOULD be the same for all fragments belonging to
   the same Bootstrap message.

BSR Priority
   Contains the BSR priority value of the included BSR. This field is
   considered as a high order byte when comparing BSR addresses.
   BSRs should by default set this field to 64. Note that for
   historical reasons, the highest BSR priority is 255 (the higher the
   better), whereas the highest RP Priority (see below) is 0 (the lower
   the better).

BSR Address
   The address of the bootstrap router for the domain. The format for
   this address is given in the Encoded-Unicast address in [1].

Group Address 1..n
   The group prefix (address and mask) with which the Candidate-RPs
   are associated. Format described in [1]. In a fragment containing
   admin scope ranges, the first group address in the fragment MUST
   satisfy the following conditions: it MUST have the Admin Scope bit
   set; for IPv4 it MUST be the group range for the entire admin scope
   range (this is the case even if there are no RPs in the RP-Set for
   the entire admin scope range - in this case the sub-ranges for the
   RP-Set are specified later in the fragment along with their RPs);
   for IPv6 the Mask Len MUST be at least 16 and have the scope ID of
   the admin scope range.

RP Count 1..n
   The number of Candidate-RP addresses included in the whole
   Bootstrap message for the corresponding group prefix. A router
   does not replace its old RP-Set for a given group prefix
   until/unless it receives `RP-Count' addresses for that prefix; the
   addresses could be carried over several fragments. If only part of
   the RP-Set for a given group prefix was received, the router
   discards it, without updating that specific group prefix's RP-Set.

Frag RP Cnt 1..m
   The number of Candidate-RP addresses included in this fragment of
   the Bootstrap message, for the corresponding group prefix. The
   `Frag RP Cnt' field facilitates parsing of the RP-Set for a given
   group prefix, when carried over more than one fragment.

RP address 1..m
   The address of the Candidate-RPs, for the corresponding group
   prefix.
   The format for these addresses is given in the Encoded-Unicast
   address in [1].

RP1..m Holdtime
   The Holdtime (in seconds) for the corresponding RP. This field is
   copied from the `Holdtime' field of the associated RP stored at the
   BSR.

RP1..m Priority
   The `Priority' of the corresponding RP and Encoded-Group Address.
   This field is copied from the `Priority' field stored at the BSR
   when receiving a C-RP-Adv message. The highest priority is `0'
   (i.e. unlike BSR priority, the lower the value of the `Priority'
   field, the better). Note that the priority is per RP per Group
   Address.

Within a Bootstrap message, the BSR Address, all the Group Addresses and
all the RP Addresses MUST be of the same address family. In addition,
the address family of the fields in the message MUST be the same as the
IP source and destination addresses of the packet. This permits maximum
implementation flexibility for dual-stack IPv4/IPv6 routers.

4.1.1. Semantic Fragmentation of BSMs

Bootstrap messages may be split over several PIM Bootstrap Message
Fragments (BSMF); this is known as semantic fragmentation. Each of
these must be according to the above format.

This is useful if the BSM would otherwise exceed the MTU of the link the
message will be forwarded over. If one relies purely on IP
fragmentation, one would lose the entire message if one fragment is
lost. By use of semantic fragmentation, one lost IP fragment will only
cause the loss of the semantic fragment that the IP fragment was part
of. As described below, a router only needs to receive all the RPs for
a specific group range to update that range. This means that loss of a
semantic fragment, due to an IP fragment getting lost, only affects the
group ranges the lost semantic fragment contains information for.
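The fragment layout of section 4.1 and the RP Count rule, as an added
example that is not part of the draft: a bounds-checked Python parser
for one Bootstrap message fragment, plus a small assembler that replaces
a prefix's RPs only once RP Count addresses have arrived under one
Fragment Tag. All function and class names, the sample addresses, and
the choice to drop incomplete state when a new tag arrives are
assumptions of this example; the PIM checksum is not verified, and the
fragment is assumed to have already passed the Bootstrap Message
Processing Checks.

```python
import ipaddress
import struct

AF_BYTES = {1: 4, 2: 16}   # IANA address family -> address length (IPv4, IPv6)


class BSMError(ValueError):
    """The fragment does not follow the section 4.1 layout."""


def _take(buf, off, n):
    if off + n > len(buf):
        raise BSMError("truncated at offset %d" % off)
    return bytes(buf[off:off + n]), off + n


def _unicast(buf, off, fam=None):
    """Encoded-Unicast: Addr Family, Encoding Type (0 = native), address."""
    (af, enc), off = _take(buf, off, 2)
    if af not in AF_BYTES or enc != 0 or (fam and af != fam):
        raise BSMError("bad or mixed address family before offset %d" % off)
    raw, off = _take(buf, off, AF_BYTES[af])
    return af, ipaddress.ip_address(raw), off


def _group(buf, off, fam):
    """Encoded-Group: Addr Family, Encoding Type, B|Reserved|Z, Mask Len, address."""
    (af, enc, flags, mask), off = _take(buf, off, 4)
    if af != fam or enc != 0:
        raise BSMError("group address family differs from the BSR address")
    if mask > AF_BYTES[af] * 8:
        raise BSMError("Mask Len %d exceeds the address length" % mask)
    raw, off = _take(buf, off, AF_BYTES[af])
    net = ipaddress.ip_network("%s/%d" % (ipaddress.ip_address(raw), mask), strict=False)
    return net, bool(flags & 0x01), off      # Z is the low bit of the flags byte


def parse_bsm_fragment(buf):
    """Parse one fragment. The PIM checksum (defined in [1]) is not verified here."""
    hdr, off = _take(buf, 0, 8)
    ver_type, n_res, _cksum, tag, hash_len, bsr_prio = struct.unpack("!BBHHBB", hdr)
    if ver_type & 0x0F != 4:
        raise BSMError("PIM Message Type is not 4 (Bootstrap)")
    fam, bsr, off = _unicast(buf, off)
    groups, scoped = [], False
    while off < len(buf):
        net, zone, off = _group(buf, off, fam)
        counts, off = _take(buf, off, 4)
        rp_count, frag_cnt, _reserved = struct.unpack("!BBH", counts)
        if frag_cnt > rp_count:
            raise BSMError("Frag RP Cnt %d > RP Count %d" % (frag_cnt, rp_count))
        if not groups:
            scoped = zone                    # Z is ignored on all but the first range
        if scoped and fam == 2 and net.prefixlen < 16:
            raise BSMError("scoped IPv6 range with Mask Len < 16")
        rps = {}
        for _ in range(frag_cnt):
            _af, rp, off = _unicast(buf, off, fam)
            tail, off = _take(buf, off, 4)
            holdtime, priority, _reserved = struct.unpack("!HBB", tail)
            rps[rp] = (holdtime, priority)
        groups.append((net, rp_count, rps))
    weight = (bsr_prio << (AF_BYTES[fam] * 8)) | int(bsr)   # priority above address bits
    return {"tag": tag, "no_forward": bool(n_res & 0x80), "hash_mask_len": hash_len,
            "bsr": bsr, "weight": weight, "scoped": scoped, "groups": groups}


class RPSetAssembler:
    """Replace a prefix's RPs only after RP Count of them arrived under one tag."""

    def __init__(self):
        self.pending = {}   # BSR -> (tag, {prefix: {rp: (holdtime, priority)}})
        self.rp_set = {}    # prefix -> {rp: (holdtime, priority)}

    def feed(self, frag):
        tag, partial = self.pending.get(frag["bsr"], (None, {}))
        if tag != frag["tag"]:
            partial = {}    # assumption: a new tag drops incomplete older state
        updated = []
        for net, rp_count, rps in frag["groups"]:
            if rp_count == 0:
                continue    # withdrawals and empty BSMs are left to the caller
            seen = partial.setdefault(net, {})
            seen.update(rps)
            if len(seen) >= rp_count:
                self.rp_set[net] = partial.pop(net)
                updated.append(net)
        self.pending[frag["bsr"]] = (frag["tag"], partial)
        return updated


def sample_fragment(tag, rp_addrs):
    """Constructed IPv4 fragment: BSR 192.0.2.1, scoped range 239.0.0.0/8, RP Count 2."""
    enc = lambda a: bytes([1, 0]) + ipaddress.ip_address(a).packed
    out = struct.pack("!BBHHBB", 0x24, 0, 0, tag, 30, 64) + enc("192.0.2.1")
    out += bytes([1, 0, 0x01, 8, 239, 0, 0, 0]) + struct.pack("!BBH", 2, len(rp_addrs), 0)
    for addr in rp_addrs:
        out += enc(addr) + struct.pack("!HBB", 150, 192, 0)
    return out
```

Feeding the assembler two constructed fragments that share a tag and
carry one RP each updates 239.0.0.0/8 only on the second call; keeping
at most one tag of pending state per BSR bounds the memory that
incomplete fragments can hold.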
1278 If the BSR can split up the BSM so that each group prefix (and all of 1279 its RP information) can fit entirely inside one BSMF, then it should do 1280 so. If a BSMF is lost, the state from the previous BSM for the group- 1281 prefixes from the missing BSMF will be retained. Each fragment that 1282 does arrive will update the RP information for the group-prefixes 1283 contained in that fragment, and the new group-to-RP mappings for those 1284 can be used immediately. The information from the missing fragment will 1285 be obtained when the next BSM is transmitted. 1287 If the list of RPs for a single group-prefix is long, one may split the 1288 information across multiple BSMFs to avoid IP fragmentation. In this 1289 case, all the BSMFs comprising the information for that group-prefix 1290 must be received before the group-to-RP mapping in use can be modified. 1291 This is the purpose of the RP Count field - a router receiving BSMFs 1292 from the same BSM (i.e. that have the same fragment tag) must wait until 1293 BSMFs providing RP Count RPs for that group-prefix have been received 1294 before the new group-to-RP mapping can be used for that group-prefix. 1295 If a single BSMF from such a large group-prefix is lost, then that 1296 entire group-prefix will have to wait until the next BSM is originated. 1297 Hence the benefit of using semantic fragmentation is in this case 1298 dubious. 1300 Next we need to consider how a BSR would remove group-prefixes from the 1301 BSM. A router receiving a set of BSMFs cannot tell if a group-prefix is 1302 missing. If it has seen a group-prefix before, it must assume that that 1303 group-prefix still exists, and that the BSMF describing it has been 1304 lost. It should retain this information for BS_Timeout. Thus for a BSR 1305 to remove a group-prefix from the BSR, it should include that group- 1306 prefix, but with a RP Count of zero, and it should resend this 1307 information in each BSM for BS_Timeout. 1309 4.2. 
Candidate-RP-Advertisement Message Format

Candidate-RP-Advertisement messages are periodically unicast from the
C-RPs to the BSR.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|PIM Ver| Type  |   Reserved    |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Prefix Count  |   Priority    |           Holdtime            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              RP Address (Encoded-Unicast format)              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Group Address 1 (Encoded-Group format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               .                               |
|                               .                               |
|                               .                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Group Address n (Encoded-Group format)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

PIM Version, Reserved, Checksum
     Described in [1].

Type
     PIM Message Type. Value is 8 for a Candidate-RP-Advertisement
     message.

Prefix Count
     The number of encoded group addresses included in the message;
     indicating the group prefixes for which the C-RP is advertising.
     C-RPs MUST NOT send C-RP-Adv messages with a Prefix Count of `0'.

Priority
     The `Priority' of the included RP, for the corresponding
     Encoded-Group Address (if any). The highest priority is `0' (i.e.
     the lower the value of the `Priority' field, the higher the
     priority). This field is stored at the BSR upon receipt along with
     the RP address and corresponding Encoded-Group Address.

Holdtime
     The amount of time (in seconds) the advertisement is valid. This
     field allows advertisements to be aged out. This field should be
     set to 2.5 times C_RP_Adv_Period.

RP Address
     The address of the interface to advertise as a Candidate RP.
     The format for this address is given in the Encoded-Unicast
     address in [1].

Group Address-1..n
     The group prefixes for which the C-RP is advertising. Format
     described in Encoded-Group-Address in [1].

Within a Candidate-RP-Advertisement message, the RP Address and all the
Group Addresses MUST be of the same address family. In addition, the
address family of the fields in the message MUST be the same as the IP
source and destination addresses of the packet. This permits maximum
implementation flexibility for dual-stack IPv4/IPv6 routers.

5. Timers and Timer Values

Timer Name: Bootstrap Timer (BST(Z))

+---------------------+--------------------------+----------------------+
| Value Name          | Value                    | Explanation          |
+---------------------+--------------------------+----------------------+
| BS_Period           | Default: 60 seconds      | Periodic interval    |
|                     |                          | with which BSMs      |
|                     |                          | are normally         |
|                     |                          | originated           |
+---------------------+--------------------------+----------------------+
| BS_Timeout          | Default: 130 seconds     | Interval after       |
|                     |                          | which a BSR is       |
|                     |                          | timed out if no      |
|                     |                          | BSM is received      |
|                     |                          | from that BSR        |
+---------------------+--------------------------+----------------------+
| BS_Rand_Override    | see below                | Randomized           |
|                     |                          | interval used to     |
|                     |                          | reduce control       |
|                     |                          | message overhead     |
|                     |                          | during BSR           |
|                     |                          | election             |
+---------------------+--------------------------+----------------------+

Note that BS_Timeout MUST be larger than BS_Period, even if their values
are changed from the defaults. We recommend that BS_Timeout is set to 2
times BS_Period plus 10 seconds.

BS_Rand_Override is calculated using the following pseudocode, in which
all values are in units of seconds.
The values of BS_Rand_Override generated by this pseudocode are between
5 and 23 seconds, with smaller values generated if the C-BSR has a high
bootstrap weight, and larger values generated if the C-BSR has a low
bootstrap weight.

     BS_Rand_Override = 5 + priorityDelay + addrDelay

where priorityDelay is given by:

     priorityDelay = 2 * log_2(1 + bestPriority - myPriority)

and addrDelay is given by the following for IPv4:

     if (bestPriority == myPriority) {
         addrDelay = log_2(1 + bestAddr - myAddr) / 16
     } else {
         addrDelay = 2 - (myAddr / 2^31)
     }

and addrDelay is given by the following for IPv6:

     if (bestPriority == myPriority) {
         addrDelay = log_2(1 + bestAddr - myAddr) / 64
     } else {
         addrDelay = 2 - (myAddr / 2^127)
     }

and bestPriority is given by:

     bestPriority = max(storedPriority, myPriority)

and bestAddr is given by:

     bestAddr = max(storedAddr, myAddr)

and where myAddr is the Candidate-BSR's address, storedAddr is the
stored BSR's address, myPriority is the Candidate-BSR's configured
priority, and storedPriority is the stored BSR's priority.

Timer Name: Scope Zone Expiry Timer (SZT(Z))

+----------------+-----------------------------+------------------------+
| Value Name     | Value                       | Explanation            |
+----------------+-----------------------------+------------------------+
| SZ_Timeout     | Default: 1300 seconds       | Interval after         |
|                |                             | which a scope zone     |
|                |                             | is timed out if no     |
|                |                             | BSM is received        |
|                |                             | for that scope         |
|                |                             | zone                   |
+----------------+-----------------------------+------------------------+

Note that SZ_Timeout MUST be larger than BS_Timeout, even if their
values are changed from the defaults. We recommend that SZ_Timeout is
set to 10 times BS_Timeout.
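
The BS_Rand_Override pseudocode and the timer relations above, worked through in Python as an added example (it is not part of the draft). The function names, the 8-bit bound on BSR priority and the sample addresses are assumptions made for illustration; the addresses are constructed from documentation ranges.

```python
import ipaddress
import math


def bs_rand_override(my_addr, my_priority, stored_addr, stored_priority):
    """BS_Rand_Override in seconds, following the Section 5 pseudocode."""
    my_ip = ipaddress.ip_address(my_addr)
    stored_ip = ipaddress.ip_address(stored_addr)
    if my_ip.version != stored_ip.version:
        raise ValueError("candidate and stored BSR must share an address family")
    # Assumption: BSR priority is an 8-bit value, which is what bounds the
    # result to the 5..23 second range quoted in the text.
    for prio in (my_priority, stored_priority):
        if not 0 <= prio <= 255:
            raise ValueError("BSR priority out of range: %r" % prio)

    my_int = int(my_ip)
    best_priority = max(stored_priority, my_priority)
    best_addr = max(int(stored_ip), my_int)
    bits = 32 if my_ip.version == 4 else 128

    priority_delay = 2 * math.log2(1 + best_priority - my_priority)
    if best_priority == my_priority:
        # Tie on priority: the divisor is 16 for IPv4 and 64 for IPv6.
        addr_delay = math.log2(1 + best_addr - my_int) / (bits // 2)
    else:
        # Lower priority: 2 - myAddr / 2^31 (IPv4) or 2^127 (IPv6).
        addr_delay = 2 - my_int / 2 ** (bits - 1)
    return 5 + priority_delay + addr_delay


def election_order(candidates, stored):
    """Return candidate addresses in the order their timers would expire."""
    stored_addr, stored_priority = stored
    delays = [(bs_rand_override(addr, prio, stored_addr, stored_priority), addr)
              for addr, prio in candidates]
    return [addr for _, addr in sorted(delays)]


def check_timers(bs_period=60, bs_timeout=130, sz_timeout=1300):
    """Return (violations, advisories) for the MUST and recommended relations."""
    violations, advisories = [], []
    if bs_timeout <= bs_period:
        violations.append("BS_Timeout MUST be larger than BS_Period")
    if sz_timeout <= bs_timeout:
        violations.append("SZ_Timeout MUST be larger than BS_Timeout")
    if bs_timeout != 2 * bs_period + 10:
        advisories.append("BS_Timeout is not 2 * BS_Period + 10")
    if sz_timeout != 10 * bs_timeout:
        advisories.append("SZ_Timeout is not 10 * BS_Timeout")
    return violations, advisories


# Constructed sample: the stored BSR and three Candidate-BSRs.
STORED_BSR = ("192.0.2.254", 200)
CANDIDATES = [("192.0.2.10", 200), ("192.0.2.20", 200), ("192.0.2.30", 100)]

if __name__ == "__main__":
    for addr, prio in CANDIDATES:
        delay = bs_rand_override(addr, prio, *STORED_BSR)
        print("%-12s priority %3d -> %.3f s" % (addr, prio, delay))
    print("expiry order:", election_order(CANDIDATES, STORED_BSR))
    print("default timers:", check_timers())
```

Among candidates that tie with the stored BSR on priority, the one with the higher address gets the shorter delay; a candidate with lower priority waits many seconds longer, so its timer is normally still running when a better candidate's Bootstrap message arrives.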

Timer Name: Group-to-C-RP mapping Expiry Timer (CGET(M,Z))

+--------------------------+--------------------+-----------------------+
| Value Name               | Value              | Explanation           |
+--------------------------+--------------------+-----------------------+
| C-RP Mapping Timeout     | from message       | Holdtime from         |
|                          |                    | C-RP-Adv message      |
+--------------------------+--------------------+-----------------------+

Timer Name: Group-to-RP mapping Expiry Timer (GET(M,Z))

+-------------------------+--------------------+------------------------+
| Value Name              | Value              | Explanation            |
+-------------------------+--------------------+------------------------+
| RP Mapping Timeout      | from message       | Holdtime from BSM      |
+-------------------------+--------------------+------------------------+

Timer Name: C-RP Advertisement Timer (CRPT)

+---------------------+-------------------------+-----------------------+
| Value Name          | Value                   | Explanation           |
+---------------------+-------------------------+-----------------------+
| C_RP_Adv_Period     | Default: 60 seconds     | Periodic interval     |
|                     |                         | with which            |
|                     |                         | C-RP-Adv messages     |
|                     |                         | are sent to a BSR     |
+---------------------+-------------------------+-----------------------+

6. Security Considerations

6.1. Possible Threats

Threats affecting the PIM BSR mechanism are primarily of two forms:
denial of service attacks, and traffic diversion attacks. An attacker
that subverts the BSR mechanism can prevent multicast traffic from
reaching the intended recipients, can divert multicast traffic to a
place where they can monitor it, and can potentially flood third parties
with traffic.

Traffic can be prevented from reaching the intended recipients by one of
two mechanisms:

  o Subverting a BSM, and specifying RPs that won't actually forward
    traffic.

  o Registering with the BSR as a C-RP, and then not forwarding
    traffic.

Traffic can be diverted to a place where it can be monitored by both of
the above mechanisms; in this case the RPs would forward the traffic,
but are located so as to aid monitoring or man-in-the-middle attacks on
the multicast traffic.

A third party can be flooded by either of the above two mechanisms by
specifying the third party as the RP, and register-encapsulated traffic
will then be forwarded to them.

6.2. Limiting Third-Party DoS Attacks

The third party DoS attack above can be greatly reduced if PIM routers
acting as DR do not continue to forward Register traffic to the RP in
the presence of ICMP Protocol Unreachable or ICMP Host Unreachable
responses. If a PIM router sending Register packets to an RP receives
one of these responses to a data packet it has sent, it should
rate-limit the transmission of future Register packets to that RP for a
short period of time.

As this does not affect interoperability, the precise details are left
to the implementer to decide. However we note that a router
implementing such rate limiting must only do so if the ICMP packet
correctly echoes part of a Register packet that was sent to the RP. If
this check were not made, then simply sending ICMP Unreachable packets
to the DR with the source address of the RP spoofed would be sufficient
to cause a denial-of-service attack on the multicast traffic originating
from that DR.

6.3. Bootstrap Message Security

If a legitimate PIM router is compromised, there is little any security
mechanism can do to prevent that router subverting PIM traffic in that
domain.
However we recommend that implementers provide a mechanism
whereby a PIM router using the BSR mechanisms can be configured with the
IP addresses of valid BSR routers, and that any Bootstrap message from
any other BSR should then be dropped and logged as a security issue. We
also recommend that this not be enabled by default, as it makes the
initial configuration of a PIM domain problematic - it is the sort of
feature that might be enabled once the configuration of a domain has
stabilized.

The primary security requirement for BSR (as for PIM) is that it is
possible to prevent hosts that are not legitimate PIM routers, either
within or outside the domain, from subverting the BSR mechanism.

The Bootstrap Message Processing Checks prevent a router from accepting
a Bootstrap message from outside of the PIM Domain, as the source
address on Bootstrap messages must be an immediate PIM neighbor. There
is however a small window of time after a reboot where a PIM router will
accept a bad Bootstrap message unicast from an immediate neighbor, and
it might be possible to unicast a Bootstrap message to a router during
this interval from outside the domain, using the spoofed source address
of a neighbor. This can be prevented if PMBRs perform source-address
filtering to prevent packets entering the PIM domain with IP source
addresses that are infrastructure addresses in the PIM domain. It might
also be a good idea to configure the PMBRs to not accept any Bootstrap
messages from outside the domain. One might configure the PMBRs to drop
all unicast PIM messages (Bootstrap message, Candidate RP Advertisement,
PIM register and PIM register stop).

The principal threat to Bootstrap message security comes from hosts
within the PIM domain that attempt to subvert the BSR mechanism.
They may be able to do this by sending PIM messages to their local
router, or by unicasting a Bootstrap message to another PIM router
during the brief interval after it has restarted.

The use of unicast BSMs is for backwards compatibility only. Due to the
possible security implications, implementations supporting unicast BSMs
should provide a configuration option for whether they are to be used.

6.3.1. Rejecting Bootstrap Messages from Invalid Neighbors

Most hosts that are likely to attempt to subvert PIM BSR are likely to
be located on leaf subnets. We recommend that implementers provide a
configuration option that specifies an interface is a leaf subnet, and
that no PIM packets are accepted on such interfaces.

On multi-access subnets with multiple PIM routers and hosts that are not
trusted, we recommend that IPsec AH is used to protect communication
between PIM routers, and that such routers are configured to drop and
log communication attempts from any host that do not pass the
authentication check. When all the PIM routers are under the same
administrative control, this authentication may use a configured shared
secret. The securing of interactions between PIM neighbors is discussed
in more detail in the Security Considerations section of [1], and so we
do not discuss the details further here. The same security mechanisms
that can be used to secure PIM Join, Prune and Assert messages should
also be used to secure Bootstrap messages.

6.4. Candidate-RP-Advertisement Message Security

Even if it is not possible to subvert Bootstrap messages, an attacker
might be able to perform most of the same attacks by simply sending
C-RP-Adv messages to the BSR specifying the attacker's choice of RPs.
Thus it is necessary to control the sending of C-RP-Adv messages in
essentially the same ways that we control Bootstrap messages.
However, C-RP-Adv messages are unicast and normally travel multiple
hops, so controlling them is more difficult.

6.4.1. Non-Cryptographic Security of C-RP-Adv Messages

We recommend that PMBRs are configured to drop C-RP-Adv messages. One
might configure the PMBRs to drop all unicast PIM messages (Bootstrap
message, Candidate RP Advertisement, PIM register and PIM register
stop). PMBRs may also perform source-address filtering to prevent
packets entering the PIM domain with IP source addresses that are
infrastructure addresses in the PIM domain. We also recommend that
implementations have a way of restricting which IP addresses the BSR
accepts C-RP-Adv messages from. The BSR can then be configured to only
accept C-RP-Adv messages from infrastructure addresses or the subset
used for candidate RPs.

If the unicast and multicast topologies are known to be congruent, the
following checks should be made. On interfaces that are configured to
be leaf subnets, all C-RP-Adv messages should be dropped. On
multi-access subnets with multiple PIM routers and hosts that are not
trusted, the router can at least check that the source MAC address is
that of a valid PIM neighbor.

6.4.2. Cryptographic Security of C-RP-Adv Messages

For true security, we recommend that all C-RPs are configured to use
IPsec authentication. The authentication process for a C-RP-Adv message
between a C-RP and the BSR is identical to the authentication process
for PIM Register messages between a DR and the relevant RP, except that
there will normally be fewer C-RPs in a domain than there are DRs, so
key management is a little simpler. We do not describe the details of
this process further here, but refer to the Security Considerations
section of [1].
Note that the use of cryptographic security for C-RP-Adv messages does
not remove the need for the non-cryptographic mechanisms, as explained
below.

6.5. Denial of Service using IPsec

An additional concern is that of Denial-of-Service attacks caused by
sending high volumes of Bootstrap messages or C-RP-Adv messages with
invalid IPsec authentication information. It is possible that these
messages could overwhelm the CPU resources of the recipient.

The non-cryptographic security mechanisms above restrict from where
unicast Bootstrap messages and C-RP-Adv messages are accepted. In
addition, we recommend that rate-limiting mechanisms can be configured,
to be applied to receival of unicast PIM packets. The rate-limiter MUST
independently rate-limit different types of PIM packets - for example a
flood of C-RP-Adv messages MUST NOT cause a rate limiter to drop
low-rate Bootstrap messages. Such a rate-limiter might itself be used to
cause a denial of service attack by causing valid packets to be dropped,
but in practice this is more likely to constrain bad PIM messages. The
rate limiter will prevent attacks on PIM from affecting other activity
on the receiving router, such as unicast routing.

7. Contributors

Bill Fenner, Mark Handley, Roger Kermode and David Thaler have
contributed greatly to this draft. They were authors of this draft up
to version 03, and much of the current text comes from version 03.

8. Acknowledgments

PIM-SM was designed over many years by a large group of people,
including ideas from Deborah Estrin, Dino Farinacci, Ahmed Helmy, Steve
Deering, Van Jacobson, C.
Liu, Puneet Sharma, Liming Wei, Tom Pusateri,
Tony Ballardie, Scott Brim, Jon Crowcroft, Paul Francis, Joel Halpern,
Horst Hodel, Polly Huang, Stephen Ostrowski, Lixia Zhang, Girish
Chandranmenon, Pavlin Radoslavov, John Zwiebel, Isidor Kouvelas and Hugh
Holbrook. This BSR specification draws heavily on text from RFC 2362.

Many members of the PIM Working Group have contributed comments and
corrections for this document, including Christopher Thomas Brown, Ardas
Cilingiroglu, Murthy Esakonu, Venugopal Hemige, Prashant Jhingran,
Rishabh Parekh and Katta Sambasivarao.

9. IANA Considerations

This document has no actions for IANA.

10. Normative References

[1]  W. Fenner, M. Handley, H. Holbrook, I. Kouvelas, "Protocol
     Independent Multicast - Sparse Mode (PIM-SM): Protocol
     Specification (Revised)", Internet Draft
     draft-ietf-pim-sm-v2-new-11.txt

[2]  M. Handley, I. Kouvelas, T. Speakman, L. Vicisano, "Bi-directional
     Protocol Independent Multicast (BIDIR-PIM)", Internet Draft
     draft-ietf-pim-bidir-08.txt

[3]  D. Meyer, "Administratively Scoped IP Multicast", RFC 2365, Jul
     1998.

[4]  S. Deering, B. Haberman, T. Jinmei, E. Nordmark, B. Zill, "IPv6
     Scoped Address Architecture", RFC 4007, Mar 2005.

[5]  R. Hinden, S. Deering, "IP Version 6 Addressing Architecture", RFC
     4291, Feb 2006.

[6]  S. Bradner, "Key words for use in RFCs to Indicate Requirement
     Levels", BCP 14, RFC 2119, Mar 1997.

11. Informative References

[7]  D. Estrin et al., "Protocol Independent Multicast - Sparse Mode
     (PIM-SM): Protocol Specification", RFC 2362, June 1998 (now
     obsolete).

[8]  D. Kim, D. Meyer, H. Kilmer, D. Farinacci, "Anycast Rendevous Point
     (RP) mechanism using Protocol Independent Multicast (PIM) and
     Multicast Source Discovery Protocol (MSDP)", RFC 3446, Jan 2003.

[9]  D. Farinacci, Y.
     Cai, "Anycast-RP using PIM", Internet Draft
     draft-ietf-pim-anycast-rp-07.txt

[10] IANA, "Address Family Numbers", linked from
     http://www.iana.org/numbers.html

Authors' Addresses

Nidhi Bhaskar
Cisco Systems
170 W. Tasman Drive
San Jose, CA 95134
USA
nbhaskar@cisco.com

Alexander Gall
SWITCH
Limmatquai 138
P.O. Box
CH-8021 Zurich
Switzerland
gall@switch.ch

James Lingard
james@lingard.com

Stig Venaas
UNINETT
NO-7465 Trondheim
Norway
venaas@uninett.no

Copyright Statement

Copyright (C) The Internet Society (2006). This document is subject to
the rights, licenses and restrictions contained in BCP 78, and except as
set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
might not be available; nor does it represent that it has made any
independent effort to identify any such rights. Information on the
procedures with respect to rights in RFC documents can be found in BCP
78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an attempt
made to obtain a general license or permission for the use of such
proprietary rights by implementers or users of this specification can be
obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary rights
that may cover technology that may be required to implement this
standard. Please address the information to the IETF at
ietf-ipr@ietf.org.