Specifications

Appendix C: PIM-Sparse Mode

In Protocol Independent Multicast-Sparse Mode (PIM-SM), the assumption is that no hosts want the multicast

traffic unless they ask for it specifically. In contrast, PIM-Dense Mode (PIM-DM) assumes downstream router

membership unless it receives an explicit prune message. PIM-SM is appropriate for wide-scale deployment for

both densely and sparsely populated groups, and is the best choice for all production networks, regardless of

size and membership density.

The operation of PIM-SM centers on the use of a shared tree, with a router functioning as a rendezvous point

(RP), as the root of the tree. A shared tree prevents each router from maintaining source and group state

information for every multicast source. Regardless of the number or location of multicast receivers, multicast

senders register with the RP and send a single copy of multicast data through it to the registered receivers. Also,

regardless of the location or number of sources, group members register to receive data and always receive it

through the RP.

Figure C-1: PIM: Shared Tree example topology

In order to receive a multicast stream, routers explicitly join the stream by sending “join” messages to the RP.

This join message is analogous to a unicast router following a default route to a destination. Effectively, the

function of the RP is a place for multicast sources and receivers to meet.

PIM-SM is extremely memory and CPU efficient. Because the only thing most routers need to know is how to

reach the RP, memory requirements are reduced greatly. There are several methods that can be used by routers

in a PIM-SM domain to learn where to find the RP. Probably the simplest mechanism is statically configuring

all routers to reach the RP. However, if the routers are configured statically to an RP and the RP fails, then the

multicast network is no longer functional.

Alternatively, the RP can be learned dynamically through the PIM-SM bootstrap mechanism. Because this

bootstrap mechanism is dynamic, it allows for network changes and redundancy. The PIM-SM bootstrap

mechanism is generally the recommended approach for simplicity and redundancy.

Appendix D: virus throttle security

Virus throttle is based on the detection of anomalous behavior of network traffic that differs from a normal

activity. Under normal activity, a server will make fairly few outgoing connections to new clients or servers, but

instead, is more likely to connect regularly to the same set of end nodes. This is in contrast to the fundamental

behavior of a rapidly spreading worm, which will attempt many outgoing connections to new computers. For

example, while computers normally make approximately one connection per second, the SQL Slammer virus

tries to infect more than 800 systems per second.

Multicast

source

Rendezvous

point

Multicast

receiver

Shared Tree, Multicast Protocol

Very efficient in cases where

there are relatively few multicast

receivers