David Hedley’s
Tuesday Tech Talks
Multicast Part 8 Securing Multicast
Turning networking on its head
© 2018-2020 David M. Hedley All Rights Reserved.
David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Cisco Certified Network Professional: Enterprise, Routing & Switching
• Cisco Certified Design Professional
• Cisco Certified Specialist: Enterprise Core, Enterprise Design, Wireless Design, Wireless Implementation, Advanced Infrastructure Implementation.
• Cisco Certified Network Associate: Routing & Switching, Wireless, Data Center, Security
• Cisco Certified Design Associate
• ITIL v4 Foundations
• CompTIA A+
• https://www.youracclaim.com/users/david-hedley/badges
• Specific brands and models are for illustration purposes only.
• They do not imply any endorsement by the vendor, in any way.
• This talk does not represent the business process of any employer or client, past or present; it is based on my own work and study.
• I only include equipment that I have experience with.
• At the time of writing, I have not received any compensation or inducement from any vendor.
• Definition
• In computer networking, multicast is group communication where data transmission is addressed to a group of destination computers simultaneously. (Wikipedia, https://en.wikipedia.org/wiki/Multicast, retrieved July 5, 2018)
• Originally defined in RFC 966 (1985)
• Purpose: We’ve got it working, maybe too well!
• Question: What risks am I introducing, and how do I mitigate them?
• Triple Constraints
• Time
• Quality or Scope
• Money or Budget
• Unicast vs. Multicast
• Multicast Advantages
• Eliminates Traffic Redundancy = Less Bandwidth
[Chart: Unicast vs Multicast, plotting the Multicast and Unicast series (axis ticks 0 to 12 and 1 to 100)]
• Multicast Addressing (IPv4) Layer 3
• Source (Class A, B, C) 1.0.0.0 – 223.255.255.255
• Destination (Class D) 224.0.0.0 – 239.255.255.255
• 232.0.0.0 – 232.255.255.255 Source Specific Range
• 239.0.0.0 – 239.255.255.255 Administratively Scoped Addresses
• SOURCE CAN NEVER BE CLASS D GROUP ADDRESS!!!!
• IP Multicast MAC Address Mapping Layer 2
• In IPv4, all multicast addresses start with the bits 1110, so the remaining 28 bits differentiate the multicast groups
• Each multicast MAC begins with 0x01005e, followed by a zero in the 25th bit
• The last 23 bits are taken from the group address
• Example
• 239.200.128.1 = 11101111 11001000 10000000 00000001
• MAC 00000001 00000000 01011110 01001000 10000000 00000001 (01-00-5e-48-80-01)
• 224.72.128.1 = 11100000 01001000 10000000 00000001
• MAC 00000001 00000000 01011110 01001000 10000000 00000001 (01-00-5e-48-80-01)
• 32:1 Address Overlap!
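The two slides above (Layer 3 addressing and the Layer 2 MAC mapping) as a worked example. This is added code, not from the talk: it classifies an IPv4 address into the ranges the addressing slide lists, performs the 01-00-5e mapping, and enumerates the 32 groups that collide on one MAC, which is the reason the overlap matters when you pick group addresses. The IANA ranges and the two sample groups are the slide's own; nothing else is assumed.

```python
from __future__ import annotations

import ipaddress

# Ranges quoted on the addressing slide (IANA assignments, not assumptions).
CLASS_D = ipaddress.ip_network("224.0.0.0/4")       # 224.0.0.0 - 239.255.255.255: all IPv4 groups
SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")     # 232.0.0.0 - 232.255.255.255: Source-Specific range
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")  # 239.0.0.0 - 239.255.255.255: administratively scoped
FIRST_SOURCE = ipaddress.ip_address("1.0.0.0")      # class A/B/C unicast sources
LAST_SOURCE = ipaddress.ip_address("223.255.255.255")

MAC_PREFIX = 0x01005E000000  # 01-00-5e, then a 0 bit, then the low 23 bits of the group
LOW_23_BITS = 0x7FFFFF


def classify(addr: str) -> str:
    """Label an IPv4 address the way the addressing slide does."""
    ip = ipaddress.ip_address(addr)
    if ip in SSM_RANGE:
        return "SSM group"
    if ip in ADMIN_SCOPED:
        return "administratively scoped group"
    if ip in CLASS_D:
        return "class D group"
    if FIRST_SOURCE <= ip <= LAST_SOURCE:
        return "unicast source (class A/B/C)"
    return "not a valid source or group"


def is_valid_source(addr: str) -> bool:
    """A multicast source must be a class A/B/C address; a class D group is never a valid source."""
    return classify(addr) == "unicast source (class A/B/C)"


def group_to_mac(group: str) -> str:
    """Map an IPv4 group to its layer-2 multicast MAC: 01-00-5e + 0 bit + low 23 bits of the group."""
    ip = ipaddress.ip_address(group)
    if ip not in CLASS_D:
        raise ValueError(f"{group} is not a class D group address")
    mac = MAC_PREFIX | (int(ip) & LOW_23_BITS)
    return "-".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> list[str]:
    """All 32 groups that land on the same MAC as `group`.

    The 1110 prefix is fixed and the low 23 bits are copied into the MAC, so the
    5 bits in between (bits 23-27 of the address) are lost: 2**5 = 32 groups per MAC.
    """
    low23 = int(ipaddress.ip_address(group)) & LOW_23_BITS
    return [str(ipaddress.ip_address(0xE0000000 | (free << 23) | low23)) for free in range(32)]


if __name__ == "__main__":
    for g in ("239.200.128.1", "224.72.128.1"):
        print(f"{g:>15} -> {group_to_mac(g)}  ({classify(g)})")
    print("groups sharing that MAC:", ", ".join(groups_sharing_mac("239.200.128.1")))
    print("239.200.128.1 valid as a source?", is_valid_source("239.200.128.1"))
```

Running it shows both slide examples mapping to 01-00-5e-48-80-01 and lists the other 30 groups that share that frame address; a switch doing MAC-based constraint cannot tell them apart, which is why the later slides favour narrow, deliberately chosen group assignments.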
• Host-Router – Internet Group Management Protocol (IGMP) Layer 2/3
• Hosts tell routers about group membership.
• Routers solicit group membership from hosts.
• IGMP v. 1 RFC 1112 (1989) https://www.rfc-editor.org/rfc/rfc1112.txt
• IGMP v. 2 RFC 2236 (1997) https://www.rfc-editor.org/rfc/rfc2236.txt
• IGMP v. 3 RFC 3376 (2002) https://www.rfc-editor.org/rfc/rfc3376.txt
• For IPv6 Multicast Listener Discovery (MLD) v.1 is equivalent to IGMP v. 2
• MLD v. 2 is the IPv6 equivalent for IGMP v. 3.
• Securing Multicast
• By default, as long as we enable PIM on an interface and provide an RP for the group or range of groups, multicast traffic is allowed.
• Poor choice of groups can introduce lots of traffic.
• Ex: advertising 224.0.0.0/4 or advertising 239.255.0.0/16
• SSDP: 239.255.255.252
• Enabling PIM on all user interfaces can admit traffic which isn't needed or may not even work.
• Some of the zero-config protocols use multicast instead of broadcast but send with a TTL of 1, so the traffic won't route; multicast routing will still try to carry it (and fail).
• Users can do illegal or malicious things, such as streaming movies to internal staff.
• Securing Multicast
• Solutions:
• 1. Limit RP advertisements to only the groups you want.
• 239.200.128.5 vs 239.200.0.0/16
• 2. Use boundary statements at the edge, or turn off PIM at the edge if it is not needed.
• 3. Only turn on PIM for interfaces which will need to route multicast traffic.
• Avoid user VLANs, if you can.
• Be very selective about which wireless VLANs you enable PIM on.
• 4. Use IGMP filters at SVIs to further limit which groups are accepted.
• Recall that on a multilayer switch, even without an RP advertising the group, the switch can route between SVIs on the same switch.
• ip igmp access-group access-list
• Be careful not to block neighbors, if needed.
• Securing Multicast
• Solutions:
• 5. Use priorities in BSR to control which is the BSR and which is the RP.
• Lowest for the BSR, with default of 0, and RP, highest
• 6. If you cannot control other business units on the network, you may find it necessary to block advertisements of certain RPs.
• ip pim [ vrf vrf-name ] rp-announce-filter { group-list access-list | rp-list access-list [ group-list access-list ] }
• group-list access-list
• Specifies the number or name of a standard access list that defines the multicast groups to be permitted or denied from RP announcements sent by C-RPs to the RP mapping agent.
• rp-list access-list
• Specifies the number or name of a standard access list that defines the IP addresses of C-RPs whose RP announcements are to be permitted or denied by the RP mapping agent.
• https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti/command/imc-cr-book/imc_i3.html#wp1565018604
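Solutions 1, 4 and 6 on the two slides above all come down to standard access lists: what the RP advertises, what an SVI accepts IGMP joins for, and which C-RP announcements the mapping agent believes. The following is an added example, not code from the talk or from Cisco: a small Python model of IOS standard-ACL matching (first match wins, implicit deny) applied to those three uses, so you can audit a proposed group list before it goes on a box. The ACL numbers, the C-RP address 10.0.0.1 and the second group 239.200.128.6 are assumptions made for the sample; 239.200.128.5 and 239.200.0.0/16 are the slide's own illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample config (not from the slides). ACL numbers, the C-RP 10.0.0.1
# and 239.200.128.6 are assumptions; 239.200.128.5 vs 239.200.0.0/16 is the slide's example.
SAMPLE_CONFIG = """
! Solution 1: a group list an RP might advertise, far too broad ...
access-list 10 permit 239.200.0.0 0.0.255.255
! ... versus the single group that is actually needed
access-list 11 permit host 239.200.128.5
! Solution 4: groups a user SVI will accept IGMP joins for (ip igmp access-group 20)
access-list 20 permit host 239.200.128.5
access-list 20 permit host 239.200.128.6
! Solution 6: C-RPs the mapping agent trusts, and the groups they may announce
! (ip pim rp-announce-filter rp-list 30 group-list 31)
access-list 30 permit host 10.0.0.1
access-list 31 permit 239.200.0.0 0.0.255.255
"""


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    address: int
    wildcard: int  # IOS wildcard mask: a 1 bit means "don't care"


def parse_standard_acl(config: str, number: int) -> list[AclEntry]:
    """Collect the entries of numbered standard ACL `number`, in configured order."""
    entries = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        permit = parts[2] == "permit"
        if parts[3] == "any":
            address, wildcard = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            address, wildcard = int(ipaddress.ip_address(parts[4])), 0
        else:
            address = int(ipaddress.ip_address(parts[3]))
            wildcard = int(ipaddress.ip_address(parts[4])) if len(parts) > 4 else 0
        entries.append(AclEntry(permit, address, wildcard))
    return entries


def acl_permits(entries: list[AclEntry], addr: str) -> bool:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    value = int(ipaddress.ip_address(addr))
    for entry in entries:
        care = ~entry.wildcard & 0xFFFFFFFF
        if value & care == entry.address & care:
            return entry.permit
    return False


def permit_coverage(entries: list[AclEntry]) -> int:
    """Upper bound on how many /32 addresses the permit entries admit
    (2**popcount(wildcard) each; overlapping entries would be counted twice)."""
    return sum(1 << bin(entry.wildcard).count("1") for entry in entries if entry.permit)


def igmp_join_accepted(config: str, acl_number: int, group: str) -> bool:
    """Model of `ip igmp access-group <acl>` on an SVI: the join is honoured only
    when the group is permitted by the standard ACL."""
    return acl_permits(parse_standard_acl(config, acl_number), group)


def rp_announcement_accepted(config: str, rp_list: int, group_list: Optional[int],
                             candidate_rp: str, group: str) -> bool:
    """Model of `ip pim rp-announce-filter rp-list <acl> [group-list <acl>]` on the
    mapping agent: the C-RP must be permitted, and so must each announced group."""
    if not acl_permits(parse_standard_acl(config, rp_list), candidate_rp):
        return False
    if group_list is None:
        return True
    return acl_permits(parse_standard_acl(config, group_list), group)


if __name__ == "__main__":
    broad = permit_coverage(parse_standard_acl(SAMPLE_CONFIG, 10))
    tight = permit_coverage(parse_standard_acl(SAMPLE_CONFIG, 11))
    print(f"ACL 10 advertises up to {broad} groups; ACL 11 advertises {tight}")
    for g in ("239.200.128.5", "239.200.128.7"):
        print(f"IGMP join for {g} on the user SVI: {igmp_join_accepted(SAMPLE_CONFIG, 20, g)}")
    for rp, g in (("10.0.0.1", "239.200.128.5"), ("10.0.0.99", "239.200.128.5"), ("10.0.0.1", "239.1.1.1")):
        print(f"announcement from {rp} for {g}: {rp_announcement_accepted(SAMPLE_CONFIG, 30, 31, rp, g)}")
```

The coverage count makes the slide's point concrete: the /16 advertisement admits 65,536 groups where one was wanted. The same wildcard matching is what `ip multicast boundary` applies at the edge (solution 2), so the `acl_permits` check can be reused to test a proposed boundary list against the groups you expect to cross it.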
• Components
• Tech Talk #2
• To do list!
• What do I need?
• Do I really need PIM on that VLAN?
• Can I limit the groups allowed on that SVI?
• How can I limit my RP announcements to cover only the groups I need, and not leave additional groups enabled?
• Is the RP placed so I can use boundaries to contain the traffic?
• Thanks for watching!
• You can subscribe to my YouTube Channel
https://www.youtube.com/channel/UCZ3pcIh5Zmbp3rdjhfR7BOg
• Or connect with me on LinkedIn https://www.linkedin.com/in/david-hedley-541985/
• You can suggest topics in the comments!