This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.
IP multicast is a means of getting IP traffic from one host to a set of
hosts without using broadcasting; that is, instead of every host getting the
traffic, only those that want it will get it, without each having to
maintain a separate connection to the server. IP unicast is where one host
talks to another; multicast is where one host talks to a set of hosts; and
broadcast is where one host talks to all hosts.
The public Internet has a multicast backbone ("MBone") where users can
engage in multicast traffic exchange. Common uses for the MBone are streams
of IETF meetings and similar such interaction. Getting one's own network
connected to the MBone will require that the upstream provider route
multicast traffic to and from your network. Additionally, your internal
network will have to support multicast routing.
The role of the firewall in multicast routing, conceptually, is no different
from its role in other traffic routing. That is, a policy that identifies
which multicast groups are and aren't allowed must be defined and then a
system of allowing that traffic according to policy must be devised. Great
detail on how exactly to do this is beyond the scope of this document.
Fortunately, RFC 2588 [2] discusses the subject in more detail. Unless your
firewall product supports some means of selective multicast forwarding or
you have the ability to put it in yourself, you might find forwarding
multicast traffic in a way consistent with your security policy to be a
bigger headache than it's worth.
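As an added illustration (not code from the FAQ or from any firewall product), the following Python sketch does the two things the text describes: it classifies a destination as unicast, multicast or broadcast, and it applies a small allow-list policy to multicast groups, with a default deny. The `MulticastPolicy` class, the group and sender ranges, and the sample packets are all constructed for this example; a real firewall expresses the same policy in its own rule syntax.

```python
"""Added example, not part of the Firewalls FAQ: classify IPv4 destinations and
apply a default-deny multicast group policy of the kind the FAQ describes."""
import ipaddress

MULTICAST_BLOCK = ipaddress.ip_network("224.0.0.0/4")
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")   # local-segment groups, never routed
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")        # administratively scoped block
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(dst, local_net=None):
    """Return 'broadcast', 'multicast' or 'unicast' for an IPv4 destination.
    If local_net is given, its directed-broadcast address also counts as broadcast."""
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED_BROADCAST:
        return "broadcast"
    if local_net is not None and addr == ipaddress.ip_network(local_net).broadcast_address:
        return "broadcast"
    if addr in MULTICAST_BLOCK:
        return "multicast"
    return "unicast"


class MulticastPolicy:
    """Hypothetical policy object: an allow-list of groups (addresses or
    networks) and, optionally, of permitted sender networks. Anything not
    listed is dropped, matching the 'define what is allowed' approach."""

    def __init__(self, allowed_groups, allowed_sources=None):
        self.allowed = [ipaddress.ip_network(g, strict=False) for g in allowed_groups]
        self.sources = [ipaddress.ip_network(s, strict=False) for s in (allowed_sources or [])]

    def decide(self, src, dst):
        """Return (verdict, reason) for one packet; unicast/broadcast are left to
        the ordinary rule set and reported as 'pass' here."""
        kind = classify(dst)
        if kind != "multicast":
            return ("pass", f"{kind} traffic, not subject to multicast policy")
        d = ipaddress.ip_address(dst)
        s = ipaddress.ip_address(src)
        if d in LINK_LOCAL_MCAST:
            return ("drop", "link-local group; must not cross the firewall")
        if s in MULTICAST_BLOCK or s == LIMITED_BROADCAST:
            return ("drop", "multicast or broadcast source address is invalid")
        if self.sources and not any(s in n for n in self.sources):
            return ("drop", "source not in permitted sender list")
        if not any(d in g for g in self.allowed):
            return ("drop", f"group {d} not in allow-list")
        return ("forward", f"group {d} allowed")


# Constructed policy: two groups an organisation wants, only from one sender
# range (documentation addresses, made up for the example).
POLICY = MulticastPolicy(
    allowed_groups=["224.2.10.20", "239.192.0.0/14"],
    allowed_sources=["192.0.2.0/24"],
)

# Constructed packets as (src, dst) pairs.
SAMPLE = [
    ("192.0.2.10", "224.2.10.20"),     # allowed group, allowed source
    ("192.0.2.10", "224.0.0.251"),     # link-local group
    ("198.51.100.7", "239.192.1.5"),   # allowed group, sender not permitted
    ("192.0.2.10", "239.255.1.1"),     # group not on the allow-list
    ("192.0.2.10", "203.0.113.9"),     # plain unicast, handled elsewhere
]


def evaluate(policy, packets):
    """Run the policy over a packet list; returns (src, dst, verdict) triples."""
    return [(src, dst, policy.decide(src, dst)[0]) for src, dst in packets]


if __name__ == "__main__":
    for src, dst, verdict in evaluate(POLICY, SAMPLE):
        print(f"{src:>14} -> {dst:<15} {verdict}")
```

The sender check matters because multicast has no handshake: a receiver cannot reject a sender the way a TCP peer can, so the firewall is the only place a source restriction can be enforced. Dropping link-local groups (224.0.0.0/24) mirrors what routers already do and keeps protocol chatter such as IGMP and routing-protocol hellos off the other side.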