Page 1 of 1

[ Bug/Vulnerability] RouterOS requires PIM enabled on subscriber interfaces for IGMP to work

Posted: Thu Sep 06, 2018 11:55 am
by ners
/routing pim interface
add interface=sfp-sfpplus2 protocols=pim
add interface=ether8 protocols=igmp
/routing pim rp
add address=10.0.1.2
sfp-sfpplus2 is the uplink interface where the RP can be located.
ether8 is the client interface the IPTV receiver is connected to. The receiver subscribes to an IPTV stream via IGMP.
Hence, only the IGMP protocol is enabled on ether8.

However this setup won't work at all.
Only when I enable BOTH pim and igmp on ether8 it starts working.

This is a big security risk as RouterOS starts sending PIM hello messages out ether8 trying to establish adjacencies. No hosts on the ether8 interfaces should be able to be part of the PIM domain or see PIM traffic.

What's going on here?