IGMP and PIM protection

Multicast encryption using GDOI works well, although I haven't seen that implemented on a LAN. If you're trying to provide encryption for LAN listeners (more accurately to exclude some LAN listeners) you'll probably find more bang for the buck in implementing this on a per-application basis. That leaves the IGMP request subject to eavesdropping, but the data itself flows over a secure channel. If instead you want the IGMP itself to be encrypted, then you'll need all of the switches to participate in the security protocol, and I would imagine that there are far easier ways to provide secure connections. I believe GDOI is esp-only.

Cisco's term for GDOI is GETVPN.

-David Barak