Using accept-rp is a security best practice to prevent unauthorized RP advertisements in an environment where you have dynamic RP discovery enabled. It’s not just about effort, it’s about combining dynamic discovery flexibility with security controls. You don’t have to configure accept-rp on every router, but you should on all PIM routers you want to protect from rogue/mistaken RP info. In practice, that’s usually all routers in the PIM domain.
I understand how, from an effort point of view, this seems the same as configuring a static RP on every router. However, there is a difference in the result. Think about it this way:
accept-rp = “I’ll accept dynamic RP information, but only from these trusted sources”
Static RP = “I’ll never accept dynamic information; everything is hardcoded”
So, the results are very different, which means you should choose the solution based on what you actually need for your deployment.
accept-rp is not a replacement for a static RP. It’s a safeguard you add when you choose a dynamic RP discovery method (Auto-RP or BSR). The reason to use accept-rp is to keep the operational advantages of dynamic RP discovery while preventing your routers from trusting a rogue or misconfigured RP. If you don’t need those dynamic benefits, then a static RP (or Anycast RP) with Auto-RP/BSR disabled is perfectly valid.
I think I should clarify what I meant. Basically, both techniques prevent rogue RPs; however, the advantage of dynamic RP discovery is cancelled out, as you have to hardcode the RPs using accept-rp on all routers anyway.
So to me it seems like two different techniques to achieve the same outcome, but now AutoRP + accept-rp seems like the more complex solution when compared to simply using a static entry.
There might be other advantages to using AutoRP + accept-rp over a static entry, but I can't see it yet.
Yes, I understand your logic and it makes sense. I would like to point out, however, that the issue is not just the effort of hardcoding the static RP and/or configuring the accept-rp feature on each and every router. Although both techniques do prevent rogue RPs, the use of static RPs will eliminate some other advantages of AutoRP that would have still been active if AutoRP was used with accept-rp together.
Let me use an example. If you have a multicast topology with, say, 20 multicast routers, and you have configured a static RP, you will have solved the rogue RP problem. But, for every topology change you may make in the future (i.e., IP address scheme change, addition of a router, a modification of which router plays the role of the RP, etc.), you will have to go into every router and perform time-consuming configurations that are error-prone and disruptive, especially in large networks.
Alternatively, if you used AutoRP with accept-rp, you would initially go into every router and configure the accept-rp feature, but any future topology changes, address scheme changes, etc. will not require you to touch any of the RP configuration. Its reconfiguration will automatically take place, adapting to the network changes you make, because that is what it was designed for. Does that make sense?
I’m not sure I follow. Do you mean that the following command:
ip pim accept-rp auto-rp
can be used to limit the joins only to what it has learned from auto-rp and only needs configuring once? If so, that doesn't seem very secure, as a rogue mapping agent could still populate the router with rogue RPs.
However, it did occur to me that using:
ip pim accept-rp ip-address
means you can restrict which RPs are allowed, but with each RP still being able to determine which groups it serves. With a static RP you'd have to hard-code both.
I was reading that Auto-RP is outdated and BSR is the recommended method for automatically discovering an RP. It doesn't surprise me, seeing as there appear to be many security issues.
For example, even though ip pim accept-rp ip-address restricts joins/prunes, it doesn’t actually stop the router from learning rogue RPs from a rogue mapping server, at least not according to my labs.
Yes, you’re right. The ip pim accept-rp command does NOT prevent your router from learning rogue RP mappings from a rogue auto-rp mapping agent. It only controls whether the router will USE those learned RPs for actual PIM operations (joins/prunes and registrations). This can create a false sense of security if you rely on this command alone.
So your router can still learn a rogue RP mapping even though it won’t use it for actual join/prune operations, but depending on platform behavior, it might still cause unnecessary state entries or confusion.
BSR does resolve several auto-rp shortcomings, including the security issues you are describing.
I like these discussions because they help us work through features and capabilities and understand how they work and what their limitations are. I'm hopeful that the discussion has been as beneficial for you as it has been for me!
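To put the two options the thread compares side by side, here is an added configuration example (not from the original discussion); it assumes Cisco IOS PIM sparse mode, and the RP address 10.0.0.1, ACL number 10 and the 239.0.0.0/8 group range are constructed placeholders.

```cisco
! Added example, not from the original thread. Addresses and ACL numbers
! are constructed placeholders; assumes Cisco IOS PIM sparse mode.
!
! --- Option A: keep Auto-RP, add accept-rp as the safeguard ---
! Apply this on every PIM router you want protected from rogue or
! mistaken RP mappings (in practice, all routers in the PIM domain).
ip multicast-routing
ip pim autorp listener
access-list 10 permit 239.0.0.0 0.255.255.255
! Honour learned mappings only when the RP is 10.0.0.1 and the group
! falls in ACL 10; other mappings are not used for join/prune/register.
ip pim accept-rp 10.0.0.1 10
!
! Caveat from the discussion: a rogue mapping can still land in the
! RP mapping cache even though it is not used. Verify after changes:
!   show ip pim rp mapping
!
! --- Option B: static RP, dynamic discovery disabled ---
ip multicast-routing
access-list 10 permit 239.0.0.0 0.255.255.255
! "override" makes the static entry win over any dynamically learned RP.
ip pim rp-address 10.0.0.1 10 override
! Disable Auto-RP processing entirely (assumed: IOS releases that
! support the global "ip pim autorp" command).
no ip pim autorp
```

Option A keeps dynamic RP discovery working for future group or RP changes; Option B removes dynamic learning altogether, so every RP or group-range change means touching each router, as the thread describes.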