IDMR Working Group                                        M. Christensen
Internet Draft                                                   Vitesse
June 2001                                                    F. Solensky
Expiration Date: December 2001                           Gotham Networks

                     IGMP and MLD snooping switches

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [RFC2026].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This memo describes the interoperability problems and issues that can
   arise when a mixed deployment of IGMPv3 and IGMPv2 capable hosts and
   routers is interconnected by a switch with IGMP snooping
   capabilities. The memo also covers MLDv2 for IPv6. It is intended as
   an accompanying document to the IGMPv3 and MLDv2 specifications.

   The memo contains a brief IGMP walk-through followed by a description
   of the IGMP snooping functionality. Specific examples are given,
   all based on Ethernet as the link layer protocol. MLDv2 for IPv6 is
   discussed. Finally, recommendations are given for the behavior of
   IGMP snooping switches.

   The purpose of this document is twofold:

   - We want to summarize IGMP snooping induced problems and best
     current solutions. We hope that a description of IGMP snooping will
     be of aid to the IETF when standardizing new protocols and
     behaviors within this scope.

   - We also hope to bring this work to the attention of switch
     vendors, typically active within the IEEE community but perhaps not
     within IETF, in order to minimize protocol interoperability
     problems in the future.

1. Introduction

   In recent years, a number of commercial vendors have introduced
   products described as "IGMP snooping switches" to the market. These
   devices do not adhere to the conceptual model that provides the
   strict separation of functionality between different communications
   layers in the ISO model and instead utilize information in the upper
   level protocol headers as factors to be considered in the processing
   at the lower levels. This is analogous to the manner in which a
   router can act as a firewall by looking into the transport protocol's
   header before allowing a packet to be forwarded to its destination
   address.

   In the case of multicast traffic, an IGMP snooping switch provides
   the benefit of conserving bandwidth on those segments of the network
   where no node has expressed interest in receiving packets addressed
   to the group address.

   The discussions in this document are based on IGMP, which applies to
   IPv4 only. For IPv6 MLD must be used instead. Because MLD is based on
   IGMP with only a few differences, these discussions also apply to
   IPv6.

2. IGMP snooping overview

   For a full description of IGMP we refer to [IGMPv3]; however, IGMP
   operation is summarized in the following:

   * Hosts send IGMP Membership Report messages to inform neighboring
     routers that they wish to join a specific IP multicast group.

   * IGMPv3 Membership Reports may be qualified with a list of allowed
     or forbidden source addresses.

   * Routers periodically send IGMP Query messages to hosts in order
     to maintain group membership state information. These queries
     can be either general or group specific queries.

   * Hosts respond to queries with Membership Reports.

   * Hosts running either IGMPv2 or IGMPv3 may also send a Leave Group
     message to routers to withdraw from the group.

   A traditional Ethernet network may be separated into different
   network segments to prevent placing too many devices onto the same
   shared media. These segments are connected by bridges and switches.
   When a packet with a broadcast or multicast destination address is
   received, the switch will forward a copy into each of the remaining
   network segments in accordance with the IEEE MAC bridge standard
   [BRIDGE]. Eventually, the packet is made accessible to all nodes
   connected to the network.

   This approach works well for broadcast packets that are intended to
   be seen or processed by all connected nodes. In the case of
   multicast packets, however, this approach could lead to less
   efficient use of network bandwidth, particularly when the packet is
   intended for only a small number of nodes. Packets will be flooded
   into network segments where no node has any interest in receiving the
   packet. While nodes will rarely incur any processing overhead to
   filter packets addressed to unrequested group addresses, they are
   unable to transmit new packets onto the shared media for the period
   of time that the multicast packet is flooded.

   The problem of wasting bandwidth is even worse when the LAN segment
   is not shared, for example in Full Duplex links. Full Duplex is
   standard today for most switches operating at 1Gbps, and it will be
   standard for 10Gbps Ethernet too. In this case the wasted bandwidth
   is proportional to the number of attached nodes.

   Allowing switches to snoop IGMP packets is a creative effort to solve
   this problem. The switch uses the information in the IGMP packets as
   they are being forwarded throughout the network to determine which
   segments should receive packets directed to the group address.
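   In practice such forwarding lists are keyed by the Ethernet address the
   IP group maps to (see the constraints and Figure 1 that follow). The
   Python below is an added example, not code from the draft: it implements
   the RFC 1112 (IPv4) and RFC 2464 (IPv6) group-to-MAC mappings and a
   MAC-keyed member-port table, and shows the collapse of distinct IP groups
   into one link-layer entry that this section goes on to describe. The
   port numbers in demo() are constructed.

```python
"""IP multicast group to Ethernet address mapping and the ambiguity it
introduces: added example, not the draft's code. It implements the mappings
the draft cites, RFC 1112 for IPv4 (01-00-5e plus the low 23 bits) and
RFC 2464 for IPv6 (33-33 plus the low 32 bits), and a Figure 1 style table
keyed by MAC address. Port numbers in demo() are constructed.
"""
import ipaddress


def ipv4_group_to_mac(group):
    """RFC 1112: 01-00-5e followed by the low-order 23 bits of the group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF          # 5 of the 28 group bits are lost
    return "01-00-5e-" + "-".join(f"{(low23 >> s) & 0xFF:02x}" for s in (16, 8, 0))


def ipv6_group_to_mac(group):
    """RFC 2464: 33-33 followed by the low-order 32 bits of the group ID."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = int(addr) & 0xFFFFFFFF
    return "33-33-" + "-".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def groups_per_mac(version):
    """How many distinct groups share one MAC: 2**5 for IPv4 and 2**80 for
    IPv6 (128 - 8 - 4 - 4 - 32 bits), the figures the draft gives."""
    return 2 ** (28 - 23) if version == 4 else 2 ** (128 - 8 - 4 - 4 - 32)


class MacKeyedTable:
    """Figure 1 style forwarding table: member ports per multicast MAC."""

    def __init__(self):
        self.members = {}                    # MAC string -> set of ports

    def add_member(self, group, port):
        """Record a Membership Report for group seen on port; returns the
        MAC entry the IP group was folded into."""
        mac = ipv4_group_to_mac(group)
        self.members.setdefault(mac, set()).add(port)
        return mac

    def ports_for(self, group):
        """Ports that receive traffic for group; the lookup sees only the MAC."""
        return set(self.members.get(ipv4_group_to_mac(group), set()))


def demo():
    """Two hosts join two different IP groups that share one MAC address."""
    table = MacKeyedTable()
    table.add_member("224.0.0.123", 3)       # host on port 3 (constructed)
    table.add_member("239.128.0.123", 7)     # host on port 7 (constructed)
    return {
        "mac_224": ipv4_group_to_mac("224.0.0.123"),
        "mac_239": ipv4_group_to_mac("239.128.0.123"),
        "entries": len(table.members),       # one entry, not two
        # each group now reaches both hosts: the memberships have collapsed
        "ports_224": sorted(table.ports_for("224.0.0.123")),
        "ports_239": sorted(table.ports_for("239.128.0.123")),
    }
```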
   IGMP snooping is implemented slightly differently by different
   switch vendors. We will not address specific implementations here as
   documentation is not widely available. For details of one
   implementation we refer to [CISCO].

   In the following we will describe problems in relation to IGMP
   snooping with the following constraints, which we believe are the
   most common cases.

   1. Group membership is based on multicast MAC addresses only.

   2. Forwarding is based on a 'list' of member ports for each
      supported multicast group.

   3. The switch is equipped with a CPU for maintaining group
      membership information.

   Constraint 3 above is not a strict requirement as IGMP snooping could
   be accomplished entirely in hardware. However, when sending IGMP
   datagrams everything is done to ensure that the packets are not
   routed. For example, the TTL is set to 1 and the IP header contains
   the router alert option. This is a hint to developers that there is
   probably a need to send this packet to the CPU.

   IGMP snooping switches build forwarding lists by listening for (and
   in some cases intercepting) IGMP messages. Although the software
   processing the IGMP messages may maintain state information based on
   the full IP group addresses, the forwarding tables are typically
   mapped to link layer addresses. An example of such a forwarding
   table is shown in Figure 1.

      Multicast MAC address | Member ports
      -------------------------------------
      01-00-5e-00-00-01     | 2, 7
      01-00-5e-01-02-03     | 1, 2, 3, 7
      01-00-5e-23-e2-05     | 1, 4
      -------------------------------------
                   Figure 1.

   Because only the least significant 23 bits of the IP address are
   mapped to Ethernet addresses [RFC1112], there is a loss of
   information when forwarding solely on the destination MAC address.
   This means that for example 224.0.0.123 and 239.128.0.123 and similar
   IP multicast addresses all map to MAC address 01-00-5e-00-00-7b (for
   Ethernet). As a consequence, IGMP snooping switches may collapse IP
   multicast group memberships into a single Ethernet multicast
   membership group.

   Finally, it should be mentioned that in addition to building and
   maintaining lists of multicast group memberships the snooping switch
   should also maintain a list of multicast routers. When forwarding
   multicast packets they should be forwarded on ports which have joined
   using IGMP but also on ports on which multicast routers are attached.
   The reason for this is that in IGMP there is only one active querier.
   This means that all other routers on the network are suppressed and
   thus not detectable by the switch.

2.1. Problems in older networks

   The drawback of using IGMP snooping switches to make the flooding of
   multicast traffic more efficient is that the underlying link layer
   topology is required to remain very stable. This is especially true
   in IGMP versions 1 and 2 where group members do not transmit
   Membership Report messages after having overheard a report from
   another group member.

   This problem can be demonstrated with an example. In the topology
   illustrated in figure 2, a topology loop exists between four IGMP
   snooping switches labeled A, B, C and D.

   - The spanning tree algorithm would detect this loop and disable
     one of the links; for example, the link connecting ports B3 and
     C1.

   - Host H1 transmits a group Membership Report which will be flooded
     throughout the network.

   - When switch A hears the report, it determines that packets
     addressed to the group should be forwarded to port A3.

   - Router R hears the Join message and starts forwarding packets
     with the multicast destination address into the network. Host H1
     is now part of the group.

   - The link between D2 and C2 is broken. The spanning tree
     algorithm reactivates the blocked link B3-C1.

   - If switch A relies solely on the exchange of IGMP messages to
     alter its forwarding behavior, host H1 will be unable to receive
     packets forwarded to the group address until router R sends out
     another Membership Query.

                                      +------+ B2
                                   B1 |Snoop |----- - - -         +------+
                                 -----|Switch|                    | Host |
                                /     |  B   |-----               |  H1  |
               +--------+ A2   /      +------+ B3  X C1 +------+  +--+---+
            A1 | Snoop  |-----                     -----|Snoop |     |
        --+----| Switch |                               |Switch|-----+----
          |    |   A    |-----                     -----|  C   | C3
        +-+-+  +--------+ A3   \      +------+ D2  / C2 +------+
        | R |                   \  D1 |Snoop |-----
        ++-++                    -----|Switch|
         | |                          |  D   |---------+------ - - -
                                      +------+ D3      |
                                                    +--+---+
                                                    | Host |
                                                    |  H2  |
                                                    +------+

                              Figure 2

   One possible approach to work around this limitation would be for the
   switch to keep track of which nodes belong to the group, altering the
   forwarding tables whenever a member becomes visible through a
   different port. When switch A sees that host H1 has moved from port
   A3 to A2, the group membership table would be updated. This does not
   work, however, when more than one node joins the same group address
   when at least one of them has not yet been upgraded to IGMPv3: if
   hosts H1 and H2 were to join the group at approximately the same
   time, they would both start off random timers for the transmission of
   their first Membership Reports. If host H2 selects a longer interval
   than H1, it will hear H1's report message and cancel the one it was
   about to send. Switch A, therefore, never learns that node H2 has
   joined the group. When the switch learns that H1 is now accessible
   through port A2, it has no way of knowing that it should continue
   forwarding group packets to port A3 as well.

   Two recommendations can be made based on the above discussion:

   - The switch should play an active role when detecting a topology
     change: the spanning tree root bridge (which is also a snooping
     switch) should initiate the transmission of an IGMP General Query,
     for example through signalling the CPU. This will help to reduce
     the join latency otherwise introduced.

   - IGMP Membership Reports should not be flooded because this will
     lead to Join suppression.

2.2. IGMPv2 snooping and 224.0.0.X

   Special attention should be brought to the IP address range from
   224.0.0.1 through 224.0.0.255 which is reserved for routing protocols
   and other low-level topology discovery or maintenance protocols
   [IANA]. Examples of reserved multicast addresses are:

      224.0.0.2    All Routers on this Subnet
      224.0.0.4    DVMRP
      224.0.0.5    (M)OSPF routers
      224.0.0.6    (M)OSPF DRs
      224.0.0.9    RIP2 Routers
      224.0.0.13   PIM Routers
      224.0.0.22   IGMPv3 Membership Reports

   Multicast routers are discouraged from routing packets when a
   destination address falls within this range, regardless of the TTL
   value. The router will be the originator or consumer of these
   messages so it has less of a motivation to maintain forwarding path
   information for these addresses. As a result, it becomes less
   critical for the router to send out periodic Query messages for these
   groups. If the router chooses not to, the group would be unable to
   recover from topology changes as described above. Note that the only
   difference between the 'all hosts' address (224.0.0.1) and the
   remainder of this range is that the router has no discretion in the
   former case: it MUST NOT send Queries.

   To avoid this situation, IGMP snooping switches should be less
   conservative when forwarding packets to these addresses and flood
   them to all ports.
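   The following Python is an added example, not code from the draft. It
   models the forwarding decision recommended above together with the
   port-membership and router-port rules that Section 3 lists (tables keyed
   by IP group, router ports learned from Queries or configured, Reports
   relayed on router ports only, unregistered groups flooded), and runs it
   through the Figure 3 situation with constructed port numbers.

```python
"""Forwarding decision of an IGMP snooping switch: added example, not the
draft's code. It encodes the flooding recommendation for 224.0.0.X given
above together with the rules the draft lists in Section 3: tables keyed by
IP group (rule 8), router ports learned from Queries or configured (rule 7),
Reports forwarded on router ports only (rule 6), registered groups forwarded
to members plus router ports (rule 4) and unregistered groups flooded
(rule 5). Port numbers and the traffic in demo() are constructed.
"""
import ipaddress

LINK_LOCAL_V4 = ipaddress.ip_network("224.0.0.0/24")   # 224.0.0.X


class SnoopingSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.members = {}          # group address (str) -> set of member ports
        self.router_ports = set()  # ports with a multicast router attached

    def _flood(self, ingress):
        return self.ports - {ingress}

    def configure_router_port(self, port):
        """Management configuration of a router port (rule 7)."""
        self.router_ports.add(port)

    def igmp_query(self, ingress):
        """A Query marks its arrival port as a router port (rule 7) and is
        forwarded to every other port so all hosts can respond."""
        self.router_ports.add(ingress)
        return self._flood(ingress)

    def igmp_report(self, ingress, group):
        """A Membership Report adds the port to the group and is forwarded on
        router ports only (rule 6), so other hosts cannot suppress their own
        reports after overhearing it (Section 2.1)."""
        key = str(ipaddress.IPv4Address(group))
        self.members.setdefault(key, set()).add(ingress)
        return self.router_ports - {ingress}

    def igmp_leave(self, ingress, group):
        """A Leave removes the port; an empty group is dropped so that later
        traffic for it is flooded again rather than black-holed."""
        key = str(ipaddress.IPv4Address(group))
        ports = self.members.get(key, set())
        ports.discard(ingress)
        if not ports:
            self.members.pop(key, None)
        return self.router_ports - {ingress}

    def data(self, ingress, dst):
        """Output ports for a non-IGMP multicast packet addressed to dst."""
        group = ipaddress.IPv4Address(dst)
        if group in LINK_LOCAL_V4:
            return self._flood(ingress)   # 224.0.0.X is never pruned (rule 3)
        key = str(group)
        if key not in self.members:
            return self._flood(ingress)   # unregistered group: flood (rule 5)
        return (self.members[key] | self.router_ports) - {ingress}  # rule 4


def demo():
    """The Figure 3 scenario: R1 on port 1, R2 on port 2, SVR on port 3 and
    an uninterested host on port 4 (all constructed)."""
    sw = SnoopingSwitch(ports=[1, 2, 3, 4])
    sw.igmp_query(ingress=1)                       # R1 is the querier
    out = {}
    # R1 and R2 talk on 224.0.0.6 without ever sending Joins for it
    out["before_join"] = sorted(sw.data(ingress=1, dst="224.0.0.6"))
    # SVR joins 224.0.0.6; the Report is relayed to router ports only
    out["report_to"] = sorted(sw.igmp_report(ingress=3, group="224.0.0.6"))
    # with the 224.0.0.X rule R2 still receives R1's traffic after the Join
    out["after_join"] = sorted(sw.data(ingress=1, dst="224.0.0.6"))
    # an ordinary group is pruned to its members plus router ports
    sw.igmp_report(ingress=3, group="239.1.1.1")
    out["registered"] = sorted(sw.data(ingress=2, dst="239.1.1.1"))
    out["unregistered"] = sorted(sw.data(ingress=2, dst="239.2.2.2"))
    return out
```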
   As an example of this problem, it is reported in [MSOFT] that a
   number of switches can be misconfigured to perform IGMP snooping and
   forwarding for all IP multicast groups:

   Figure 3 illustrates the scenario where two routers R1 and R2 are
   communicating using for example 224.0.0.6. The routers never send
   IGMP Joins for this address. The switch floods the (unknown)
   multicast traffic on all ports.

   Now the server SVR is started and it sends an IGMP Join for
   224.0.0.6, which is snooped by the switch. The switch then generates
   a Membership Query on all ports to determine which ports have devices
   attached that also belong to this group.

   The routers R1 and R2 do not respond and the switch builds a
   forwarding port list with only SVR in it. Now R1 and R2 are not able
   to communicate using this address.

      +----+     +----------+
    --| R1 |-----|          |
      +----+     | Snooping |     +-----+
                 |          |-----| SVR |
      +----+     | switch   |     +-----+
    --| R2 |-----|          |
      +----+     +----------+

                 Figure 3.

   There are two possible fixes to this problem: One is to require that
   all routers (also being hosts) which use IP multicast respond to IGMP
   queries in the range 224.0.0.X. This seems unnecessary as discussed
   above because of the inherent link local scope of these messages.

   Another solution to this problem, which is also discussed above, is
   that the switch is configured to forward all packets for a range of
   IP multicast addresses to all ports (flooding).

   It is suggested that all multicast packets in the range 224.0.0.1
   through 224.0.0.255 are forwarded on all ports. This of course
   requires an examination of the network layer header. Note that these
   are IP address ranges and that mapping these to the MAC address range
   01-00-5e-00-00-X is subject to the problems discussed in the previous
   sections.

2.3. IGMPv3 and IGMPv2 coexistence

   IGMPv3 and IGMPv2 are designed to interoperate with older versions of
   IGMP. Both hosts and routers are capable of falling back to an
   earlier version when receiving older IGMP messages, thus enabling a
   mixed deployment and migration to new versions. While this works fine
   in a network of hosts and routers, an IGMP snooping switch introduces
   problems.

   In figure 4, where hosts H1 and H2 are connected to an IGMP snooping
   switch on ports P1 and P2 respectively, consider the following
   sequence of communication:

   - Router R sends an IGMPv3 Query.

   - Host H1 sends an IGMPv2 Report since it has only implemented v2.
     R notices this and switches to IGMPv2 mode. The report is not
     received by H2 because of the snooping functionality.

   - Switch S puts H1's port P1 in the forwarding table.

   - Host H2 sends an IGMPv3 Report in response to R's Query.

   - Switch S fails to add H2's port P2 to the forwarding table
     because it doesn't support IGMPv3.

   - H2 does not receive any traffic before R sends its next Query,
     which will put H2 in IGMPv2 mode.

   This introduces a Join latency for host H2, which apparently cannot be
   avoided. The latency is potentially of the order of minutes. It is
   possible, however, to reduce this latency by tuning the Query
   Interval, which defaults to 125 seconds.

   When operating in a mixed deployment mode it is suggested that
   initially the Query Interval is set to "a low value" until the
   compatibility modes have stabilized both hosts and routers on the same
   IGMP version. After stabilization the Query Interval could be
   increased to its original value.

2.4. Source Specific Joins

   Even for IGMPv3 snooping capable switches there can be limitations
   caused by link layer based forwarding. This is illustrated in figure
   4.

   Assume that host H1 sends a Join(S1, G) to R and that host H2 sends a
   Join(S2, G) to R.

   The switch adds both hosts to the forwarding list for group G.

   Frames originating from sources S1 and S2 for the same multicast
   address G are routed via R. These are sent from R with the router's
   MAC address as source.

   The switch is unable to distinguish the two different types of flow
   and forwards both flows to both hosts. This effectively disables the
   Join source functionality in this network configuration.

      +----+   P1+----------+
      | H1 |-----|          |
      +----+     | Snooping |     +---+    (S1, G)
                 |          |-----| R |--- and
      +----+     | switch   |     +---+    (S2, G)
      | H2 |-----|          |
      +----+   P2+----------+

                 Figure 4.

   This is a problem caused by layer 2 based forwarding of a layer 3
   flow in conjunction with the difference between the link layer and
   the network layer information.

   The example above means that host implementations cannot rely on the
   router to perform all source address filtering. Therefore they must
   still filter out packets that do not match the source address
   criterion specified in the Join messages. While this might be seen
   as an inconvenience, this is no different from the case where the
   router is directly connected to both hosts on a shared LAN and no
   snooping switch is present.

   A complete solution would be for the switch to further qualify the
   search process by including the source IP address when determining
   which ports should forward the packet.

   Similar problems occur with the attempt to exclude sources.

3. Snooping Requirements

   Note that in the following we provide suggestions for good/best
   practices when designing IGMP snooping devices. Keywords such as MUST,
   SHOULD, MUST NOT etc. are suggestions only.

   1) All IGMP packets (IP packets with IP-PROTO = 2) SHOULD be
   redirected to the CPU for IGMP snooping processing and table
   management. This allows for the most flexible IGMP snooping solution.

   2) The switch that provides support for IGMP snooping MUST forward
   all unrecognized IGMP messages and MUST NOT attempt to make use of
   any information beyond the end of the network layer header. In
   particular, messages where any reserved fields are non-zero MUST NOT
   be subject to "normal" snooping since this could indicate an
   incompatible change to the message format.

   3) Packets with a destination IP address in the 224.0.0.X range which
   are *not* IGMP SHOULD be forwarded on all ports.

   4) Packets with a destination IP address outside 224.0.0.X which are
   *not* IGMP SHOULD be forwarded according to port membership tables
   and MUST also be forwarded on router ports.

   5) If a switch receives a *non* IGMP multicast packet without having
   first processed Membership Reports for the group address, it MUST
   forward the packet on all ports. In other words, the switch must
   allow for the possibility that connected hosts and routers have been
   upgraded to support future versions or extensions of IGMP that the
   switch does not yet recognize. A switch MAY have a configuration
   option that suppresses this operation, but default behavior MUST be
   to allow flooding of unregistered packets.

   6) A snooping switch SHOULD forward IGMP Membership Reports on router
   "ports" only.

   7) The switch supporting IGMP snooping MUST maintain a list of
   multicast routers. This list SHOULD be built using IGMP Multicast
   Router Discovery [MRDISC] which is currently going through IETF Last
   Call. IGMP snooping switches MAY build this list based on the arrival
   port for packets destined to 224.0.0.X, when

   - The packets are IGMP Queries or

   - The packets are *not* IGMP or

   - The ports are configured (by management) as having multicast
     routers attached

   8) IGMP snooping switches MAY maintain forwarding tables based on
   either MAC addresses or IP addresses. If a switch supports both types
   of forwarding tables then the default behavior SHOULD be to use IP
   addresses.

   9) Switches which rely on information in the IP header MAY verify
   that the IP header checksum is correct.

   10) IGMP snooping switches SHOULD inform the CPU (or hardware) when a
   link layer topology change has been detected. Following a topology
   change the switch SHOULD initiate the transmission of a General Query
   on all ports in order to reduce Join latency.

4. IPv6 Considerations

   In order to avoid confusion, the previous discussions have been based
   on IGMPv3 functionality which only applies to IPv4 multicast. In the
   case of IPv6 most of the above discussions are still valid with a few
   exceptions which we will describe here.

   In IPv6 the protocol for multicast group maintenance is called
   Multicast Listener Discovery (MLDv2). IPv6 is not widely deployed
   today and neither is IPv6 multicast. However, it is anticipated that
   at some time IPv6 switches capable of MLD snooping will appear.

   The three main differences between IGMPv3 and MLDv2 are:

   - MLDv2 uses ICMPv6 message types instead of IGMP message types.

   - The Ethernet encapsulation is a mapping of 32 bits of the 128-bit
     DIP addresses into 48-bit DMAC addresses [IPENCAPS].

   - Multicast router discovery is done using the Neighbor Discovery
     Protocol (NDP) for IPv6. NDP uses ICMPv6 message types.

   A minor difference which applies to the requirements section is that
   in IPv6 there is no checksum in the IP header. This is the reason
   that the checksum validation requirement is listed as a MAY.

   The fact that MLDv2 is using ICMPv6 adds new requirements to a
   snooping switch because ICMPv6 has multiple uses aside from MLD. This
   means that it is no longer sufficient to detect that the next-header
   field of the IP header is ICMPv6 in order to redirect packets to the
   CPU. If this was the case the CPU queue assigned for MLD would
   potentially be filled with non-MLD related packets. Furthermore,
   ICMPv6 packets destined for other hosts would not reach their
   destination.

   A solution is either to require that the snooping switch looks
   further into the packets or to be able to detect a multicast DMAC
   address in conjunction with ICMPv6.

   The first solution is desirable only if it is configurable which
   message types should trigger a CPU redirect and which should not. The
   reason is that a hardcoding of message types is inflexible for the
   introduction of new message types.

   The second solution introduces the risk of new protocols, which are
   not related to MLD but use ICMPv6 and multicast DMAC addresses,
   wrongly being identified as MLD. We do not suggest a recommended
   solution in this case.

   The mapping from IP multicast addresses to multicast DMAC addresses
   introduces a potentially enormous overlap. The structure of an IPv6
   multicast address is shown in figure 5. Theoretically 2**80, two to
   the power of 80 (128 - 8 - 4 - 4 - 32), unique DIP addresses could
   map to one DMAC address. This should be compared to 2**5 in the case
   of IPv4.

   Initial allocation of IPv6 multicast addresses, however, uses only
   the lower 32 bits of the group ID. This eliminates the address
   ambiguity for the time being, but it should be noted that the
   allocation policy may change in the future.

      |   8    |  4 |  4 |                 112 bits                |
      +--------+----+----+---------------------------------------+
      |11111111|flgs|scop|               group ID                |
      +--------+----+----+---------------------------------------+

                               Figure 5

   In the case of IPv6, forwarding can thus be done on the basis of DMAC
   addresses for the foreseeable future.

   Finally we mention the reserved address range FF0X:0:0:0:0:0:X:X
   where X is any value. This range is similar to 224.0.0.X for IPv4 and
   is reserved for routing protocols and resource discovery [RFC2375].
   In the case of IPv6 it is suggested that packets in this range are
   forwarded on all ports if they are not MLD packets.

5. Security Considerations

   Security considerations for IGMPv3 are accounted for in [IGMPv3].
   The introduction of IGMP snooping switches adds the following
   considerations with regard to IP multicast.

   The exclude source failure described in Section 2.4 could cause
   traffic from sources that are 'black listed' to reach hosts that have
   requested otherwise. This can also occur in certain network
   topologies without IGMP snooping.

   It is possible to generate packets which make the switch wrongly
   believe that there is a multicast router on the segment on which the
   source is attached. This will potentially lead to excessive flooding
   on that segment. The authentication methods discussed in [IGMPv3]
   will also provide protection in this case.

   IGMP snooping switches which rely on the IP header of a packet for
   their operation and which do not validate the header checksum
   potentially will forward packets on the wrong ports. Even though the
   IP headers are protected by the Ethernet checksum this is a potential
   vulnerability.

   Generally though, it is worth stressing that IP multicast must so far
   be considered insecure until the work of, for example, the suggested
   Multicast Security (MSEC) working group or similar is completed or at
   least has matured.
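   The two MLD redirect approaches discussed in Section 4, as an added
   example that is not part of the draft: the Python below parses
   constructed Ethernet/IPv6/ICMPv6 frames and applies both "look further
   into the packet for the message type" (with a configurable type set)
   and "multicast DMAC in conjunction with ICMPv6", showing the
   misclassification of a Neighbor Discovery Router Advertisement that the
   second approach risks, plus the FF0X:0:0:0:0:0:X:X range check. The
   ICMPv6 type numbers are the assigned MLD and NDP values; the MAC and
   IPv6 addresses are made up.

```python
"""Redirecting MLD to the CPU on an IPv6 snooping switch: added example, not
the draft's code. Section 4 notes that "next header is ICMPv6" is not enough
to pick out MLD and compares inspecting the message type with keying on a
multicast DMAC plus ICMPv6. Both are implemented on constructed frames.
Type numbers: MLD Query 130, v1 Report 131, Done 132, v2 Report 143 (RFC
2710/3810); NDP Router Advertisement 134 (RFC 2461). Addresses are made up.
"""
import struct

ETHERTYPE_IPV6 = 0x86DD
NH_HOP_BY_HOP = 0
NH_ICMPV6 = 58
MLD_TYPES = frozenset({130, 131, 132, 143})
NDP_ROUTER_ADVERTISEMENT = 134        # ICMPv6, multicast, but not MLD


def ipv6_to_mac(dst6):
    """RFC 2464 mapping: 33-33 plus the low 32 bits of the group."""
    return b"\x33\x33" + dst6[12:16]


def build_frame(src_mac, dst6, icmp_type, with_router_alert):
    """Constructed Ethernet/IPv6/ICMPv6 frame. MLD packets carry a Hop-by-Hop
    header with the Router Alert option, so the snooper must skip it. The
    ICMPv6 checksum is left zero;  a real switch would validate it."""
    body = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4
    if with_router_alert:
        # next header, ext len 0 (8 octets), Router Alert (5, 2, value 0), PadN
        hbh = struct.pack("!BBBBHBB", NH_ICMPV6, 0, 5, 2, 0, 1, 0)
        payload, first_nh = hbh + body, NH_HOP_BY_HOP
    else:
        payload, first_nh = body, NH_ICMPV6
    src6 = b"\xfe\x80" + b"\x00" * 13 + b"\x01"           # fe80::1 (made up)
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 1) + src6 + dst6
    return ipv6_to_mac(dst6) + src_mac + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + payload


def parse(frame):
    """Return (dst_mac, final next header, ICMPv6 type or None)."""
    dst_mac = frame[0:6]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return dst_mac, None, None
    nh = frame[20]                    # next header of the fixed IPv6 header
    off = 14 + 40
    while nh == NH_HOP_BY_HOP:        # only Hop-by-Hop is walked here
        nh = frame[off]
        off += (frame[off + 1] + 1) * 8
    icmp_type = frame[off] if nh == NH_ICMPV6 else None
    return dst_mac, nh, icmp_type


def redirect_by_message_type(frame, cpu_types=MLD_TYPES):
    """Approach 1: look further into the packet; cpu_types is configurable
    so new message types can be added without rebuilding the logic."""
    _, nh, icmp_type = parse(frame)
    return nh == NH_ICMPV6 and icmp_type in cpu_types


def redirect_by_multicast_dmac(frame):
    """Approach 2: multicast DMAC together with ICMPv6, type not examined."""
    dst_mac, nh, _ = parse(frame)
    return dst_mac[:2] == b"\x33\x33" and nh == NH_ICMPV6


def is_reserved_ipv6_group(dst6):
    """FF0X:0:0:0:0:0:X:X, the IPv6 counterpart of 224.0.0.X [RFC2375]:
    flags zero, any scope, words 1 to 5 zero, low 32 bits any value."""
    return dst6[0] == 0xFF and (dst6[1] >> 4) == 0 and dst6[2:12] == b"\x00" * 10


def demo():
    src = b"\x00\x11\x22\x33\x44\x55"                   # constructed host MAC
    all_nodes = b"\xff\x02" + b"\x00" * 13 + b"\x01"    # ff02::1
    mld_query = build_frame(src, all_nodes, 130, with_router_alert=True)
    router_adv = build_frame(src, all_nodes, NDP_ROUTER_ADVERTISEMENT, False)
    return {
        "mld_by_type": redirect_by_message_type(mld_query),
        "mld_by_dmac": redirect_by_multicast_dmac(mld_query),
        "ra_by_type": redirect_by_message_type(router_adv),
        # the DMAC heuristic puts the Router Advertisement in the MLD queue
        "ra_by_dmac": redirect_by_multicast_dmac(router_adv),
        "all_nodes_reserved": is_reserved_ipv6_group(all_nodes),
    }
```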
6. References

   [BRIDGE]   IEEE 802.1D, "Media Access Control (MAC) Bridges".

   [CISCO]    Cisco Tech Notes, "Multicast In a Campus Network: CGMP
              and IGMP snooping",
              http://www.cisco.com/warp/public/473/22.html

   [IANA]     Internet Assigned Numbers Authority, "Internet Multicast
              Addresses",
              http://www.isi.edu/in-notes/iana/assignments/multicast-addresses

   [IGMPv3]   Cain, B., "Internet Group Management Protocol, Version
              3", draft-ietf-idmr-igmp-v3-06.txt, November 2000.

   [IPENCAPS] Crawford, M., "Transmission of IPv6 Packets over Ethernet
              Networks", RFC 2464, December 1998.

   [MLDv2]    Vida, R., "Multicast Listener Discovery Version 2 (MLDv2)
              for IPv6", draft-vida-mld-v2-00.txt, February 2001.

   [MRDISC]   Biswas, S., "IGMP Multicast Router Discovery",
              draft-ietf-idmr-igmp-mrdisc-06.txt, May 2001.

   [MSOFT]    Microsoft support article Q223136, "Some LAN Switches
              with IGMP Snooping Stop Forwarding Multicast Packets on
              RRAS Startup",
              http://support.microsoft.com/support/kb/articles/Q223/1/36.ASP

   [RFC1112]  Deering, S., "Host Extensions for IP Multicasting",
              RFC 1112, August 1989.

   [RFC2026]  Bradner, S., "The Internet Standards Process -- Revision
              3", RFC 2026, October 1996.

   [RFC2236]  Fenner, W., "Internet Group Management Protocol, Version
              2", RFC 2236, November 1997.

   [RFC2375]  Hinden, R., "IPv6 Multicast Address Assignments",
              RFC 2375, July 1998.

7. Acknowledgements

   We would like to thank Bill Fenner, Yiqun Cai, Edward Hilquist and
   Martin Bak for comments and suggestions on this document.

8. Author's Addresses:

   Morten Jagd Christensen
   Vitesse Semiconductor Corporation
   Hoerkaer 16
   2730 Herlev
   DENMARK
   email: mjc@vitesse.com

   Frank Solensky
   Gotham Networks
   15 Discovery Way
   Acton, MA 01720
   USA
   email: fsolensky@GothamNetworks.com
          solensky@acm.org

Table of Contents

   1. Introduction
   2. IGMP snooping overview
   2.1 Problems in older networks
   2.2 IGMPv2 snooping and 224.0.0.X
   2.3 IGMPv3 and IGMPv2 coexistence
   2.4 Source Specific Joins
   3. Snooping Requirements
   4. IPv6 Considerations
   5. Security Considerations
   6. References
   7. Acknowledgements
   8. Author's Addresses: