Re: [Tsv-art] Tsvart last call review of draft-ietf-bfd-multipoint-16


 



Bob,

Addressing these specific points.  (Note that I'm not a multicast expert.)

On Mon, Jun 11, 2018 at 10:47:28PM +0100, Bob Briscoe wrote:
> If there is an SSM tree from host A to multicast address G, I am not
> familiar enough with SSM to know what happens when host B sends a
> packet to G with source address A (i.e. spoofing A). I assume the
> IGMP messages build the tree back from each member to A, so usually
> there will be no route from B, even if it is spoofing A as the
> source. However, I would have thought that a host connected to the
> same router as A could spoof A and get onto the SSM tree. Or does
> SSM always check for this type of spoofing?

In general, when multicast traffic is forwarded, it is checked against the
incoming interface to see if it should be forwarded or not.  When it's
against a valid IIF, it may be distributed out the outbound interface list
for that tree.  Traffic that doesn't match the IIF is dropped, I believe.

A general problem with multicast is that hosts along the tree can inject
spoofed traffic.  BFD would have the same issue; it is not a new
consideration.

Your follow-up comment about MPLS is correct in that external injection is
even more difficult without some other way to tunnel the labeled traffic to
the tree.  But once it's there, the same issue applies.

-- Jeff

P.S. Thanks, Greg, for handling the followup discussion.
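
Added example, not part of the message above or of the draft: a simplified Python model of the incoming-interface check on an (S,G) entry, showing which spoofed packets it drops and which it cannot distinguish from the real source. The topology, addresses, interface names and the `Router` class are constructed for illustration.

```python
"""Simplified model of the incoming-interface (IIF) check on an (S,G) entry.

Assumptions (constructed for this example): one router, host A at 192.0.2.10
reachable via eth0, receivers of SSM channel (A, 232.1.1.1) on eth1 and eth2.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # source address claimed in the IP header
    group: str        # multicast destination address
    arrived_on: str   # interface the router received the packet on


@dataclass(frozen=True)
class SGEntry:
    iif: str          # the one interface on which traffic from S is accepted
    oil: tuple        # outgoing interface list for the tree


class Router:
    def __init__(self):
        self.mroute = {}  # (S, G) -> SGEntry

    def add_route(self, src, group, iif, oil):
        self.mroute[(src, group)] = SGEntry(iif, tuple(oil))

    def forward(self, pkt):
        """Return the interfaces the packet is copied to; [] means dropped."""
        entry = self.mroute.get((pkt.src, pkt.group))
        if entry is None:
            return []                      # no (S,G) state for this channel
        if pkt.arrived_on != entry.iif:
            return []                      # IIF mismatch: drop
        return [i for i in entry.oil if i != pkt.arrived_on]


def demo():
    r = Router()
    r.add_route("192.0.2.10", "232.1.1.1", iif="eth0", oil=["eth1", "eth2"])
    cases = {
        "genuine A on eth0": Packet("192.0.2.10", "232.1.1.1", "eth0"),
        "B spoofing A from eth2": Packet("192.0.2.10", "232.1.1.1", "eth2"),
        "B on A's segment spoofing A": Packet("192.0.2.10", "232.1.1.1", "eth0"),
        "B using its own address": Packet("192.0.2.99", "232.1.1.1", "eth0"),
    }
    return {name: r.forward(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:30} -> {out or 'dropped'}")
```

The check keys only on the claimed source, the group and the arrival interface, so a sender behind the accepted interface is indistinguishable from A at this layer; telling them apart needs something in the payload, such as authentication of the BFD packets themselves.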



