(Message mbone:2043)
Return-Path: <mbone-uk-request@cs.ucl.ac.uk>
Received: from brahma.sics.se by bells.cs.ucl.ac.uk with Internet SMTP 
          id <g.03544-0@bells.cs.ucl.ac.uk>; Tue, 27 Aug 1996 22:34:03 +0100
Received: by brahma.sics.se (8.7.3/SICS) id XAA29275;
          Tue, 27 Aug 1996 23:33:44 +0200 (MET DST)
X-Authentication-Warning: brahma.sics.se: root set sender to mbone-eu-request 
                          using -f
Received: from zephyr.isi.edu by brahma.sics.se (8.7.3/SICS) with SMTP 
          id XAA29269; Tue, 27 Aug 1996 23:33:41 +0200 (MET DST)
Received: by zephyr.isi.edu (5.65c/5.61+local-23) id <AA14906>;
          Tue, 27 Aug 1996 14:33:39 -0700
Received: from venera.isi.edu by zephyr.isi.edu (5.65c/5.61+local-23) 
          id <AA14900>; Tue, 27 Aug 1996 14:33:38 -0700
Received: from all-purpose-gunk.near.net 
          by venera.isi.edu (5.65c/5.61+local-25) id <AA00509>;
          Tue, 27 Aug 1996 14:33:37 -0700
Received: (from jhawk@localhost) 
          by all-purpose-gunk.near.net (8.8.Alpha.9/8.8.Alpha.9) id RAA18937;
          Tue, 27 Aug 1996 17:33:33 -0400 (EDT)
Date: Tue, 27 Aug 1996 17:33:33 -0400 (EDT)
Message-Id: <199608272133.RAA18937@all-purpose-gunk.near.net>
To: mbone@isi.edu, mbone-eu-op@ripe.net
Subject: Today's MBone disaster
From: John Hawkinson <jhawk@bbnplanet.com>
Sender: owner-mbone@ISI.EDU
Precedence: bulk


The MBone is currently experiencing a loop of PIM Register packets and
Register-Stop messages.

This is caused by bogus PIM join packets that cause routers to believe
that a multicast RP is valid (239.133.130.34).

This problem is resulting in a large number of data packets sent to
the multicast address 239.133.130.34, and a lot of duplicate packets
on various groups and sessions.

Unfortunately, the nature of this problem is such that any affected
PIM routers will re-infect each other.

The solutions are as follows, and we need everyone with a PIM-capable
router to implement them:

1. Don't accept any RP information for this bogus group.

In cisco-speak this is:

ip pim accept-rp 239.133.130.34 1
access-list 1 deny 0.0.0.0 255.255.255.255

You can of course use any access list other than 1.

2. Clear multicast forwarding state for all groups:

clear ip mr *

Cisco is actively working on fixing a number of bugs that have allowed
this condition to occur.

In the meantime, we will also need to track down the source of the
bogus RP information. After all PIM-capable routers have been configured
with the above, then it will be possible to determine the source by checking
log messages from routers. Eg:

%PIM-1-INVALID_RP_JOIN: Received (*, 224.2.153.62) Join from
131.119.0.196 for invalid RP 239.133.130.34

These messages will only be meaningful when all routers are "innoculated",
however.

Thanks very much to Bill Fenner, Dino Farinacci, Liming Wei, and kim
claffy, for working hard to track this problem down, and also to
Tamara Munzner for lending us her office to attack this.

--jhawk
  John Hawkinson