5.13 How Do I Make IP Multicast Work With My Firewall?
IP multicast is a means of getting IP traffic from one host to a set
of hosts without using broadcasting; that is, instead of every host
getting the traffic, only those that want it will get it, without each
having to maintain a separate connection to the server. IP unicast is
where one host talks to another, multicast is where one host talks to
a set of hosts, and broadcast is where one host talks to all hosts.
The public Internet has a multicast backbone (the "MBone") where users
can engage in multicast traffic exchange. Common uses of the MBone
are streams of IETF meetings and similar interactive sessions. Getting
one's own network connected to the MBone will require that the
upstream provider route multicast traffic to and from your network.
Additionally, your internal network will have to support multicast
routing.
The role of the firewall in multicast routing, conceptually, is no
different from its role in other traffic routing. That is, a policy
that identifies which multicast groups are and aren't allowed must be
defined and then a system of allowing that traffic according to policy
must be devised. Great detail on how exactly to do this is beyond the
scope of this document. Fortunately, RFC 2588 [2]
discusses the subject in more detail. Unless your firewall product
supports some means of selective multicast forwarding or you have the
ability to put it in yourself, you might find forwarding multicast
traffic in a way consistent with your security policy to be a bigger
headache than it's worth.
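As an added illustration of the policy step above (not code from the FAQ), the following hypothetical firewall hook first sorts a destination into the three categories the section defines and then forwards multicast only for groups and UDP ports on an allow-list, defaulting to deny. The internal subnet, group ranges and ports are constructed sample values; the admin-scoped 239/8 check follows RFC 2365.

```python
"""Selective multicast forwarding policy (added example, not from the FAQ).
All addresses, group ranges and ports below are constructed samples."""
import ipaddress
from typing import NamedTuple, Tuple

UDP = 17
MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # hop-limited, never routed
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")       # RFC 2365 organisation-local
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")         # constructed internal subnet

# Constructed policy: group range -> UDP ports internal hosts may receive on.
ALLOWED_GROUPS = {
    ipaddress.ip_network("239.10.0.0/16"): {5004},  # internal video streams
    ipaddress.ip_network("224.2.0.0/16"): {9875},   # MBone session announcements (SAP)
}

class Packet(NamedTuple):
    proto: int
    dst: str
    dport: int
    direction: str  # "in" = from upstream toward LOCAL_NET, "out" = the reverse

def classify(dst: str) -> str:
    """Return 'unicast', 'multicast' or 'broadcast' for a destination address."""
    addr = ipaddress.ip_address(dst)
    if addr in MULTICAST_NET:
        return "multicast"
    if addr in (LOCAL_NET.broadcast_address, ipaddress.ip_address("255.255.255.255")):
        return "broadcast"
    return "unicast"

def forward_multicast(pkt: Packet) -> Tuple[bool, str]:
    """Decide whether a packet may cross the firewall as multicast; default deny."""
    if classify(pkt.dst) != "multicast":
        return False, "not multicast: unicast/broadcast rules apply instead"
    group = ipaddress.ip_address(pkt.dst)
    if group in LINK_LOCAL_MCAST:
        return False, "link-local scope, never forwarded between networks"
    if pkt.direction == "out" and group in ADMIN_SCOPED:
        return False, "admin-scoped group must not leave the organisation"
    if pkt.proto != UDP:
        return False, "only UDP multicast data is forwarded"
    for net, ports in ALLOWED_GROUPS.items():
        if group in net:
            if pkt.dport in ports:
                return True, f"group {group} port {pkt.dport} permitted by policy"
            return False, f"group {group} allowed but port {pkt.dport} is not"
    return False, f"group {group} not in policy"
```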
Vesaria
3640 Fords Lane, Suite D
Baltimore, MD 21215
443 - 501 - 4044