Internet Draft                                             B. Nickless
Document: draft-ietf-mboned-ipv4-mcast-unusable-01.txt    Argonne National Laboratory
Expires: June 2004                                         December 2003

           IPv4 Multicast Unusable Group And Source Addresses

1. Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

2. Abstract

   Some IPv4 multicast datagrams should not be routed, either within an
   administrative domain or between administrative domains. A list of
   those restrictions is supplied here. These restrictions SHOULD be
   respected by IPv4 multicast applications and included in network
   device access control lists. IANA should permanently reserve
   certain address ranges.

3. Table of Contents

   1.  Status of this Memo
   2.  Abstract
   4.  Conventions used in this document
   5.  Background
   6.  Specific (Source,Group) Restrictions
   7.  Unusable Locally
   8.  Unusable Inter-domain
   9.  No Flooding of Knowledge of Active Sources
   10. IANA Considerations
   11. Security Considerations
   12. Acknowledgements
   13. References
   14. Author's Address

4. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [RFC2119].

5. Background

   IPv4 multicast [MCAST] is an internetwork service that allows IPv4
   datagrams sent from a source to be delivered to one or more
   interested receiver(s). That is, a given source sends a packet into
   the network with a destination address in the 224/4 CIDR [CIDR]
   range. The network transports this packet to all receivers
   (replicated where necessary) that have registered their interest in
   receiving these packets.

   Some combinations of Source Address and Group Address SHOULD NOT be
   routed for various reasons. This note describes those restrictions
   so they can be:

   - Avoided by applications, especially those that choose multicast
     groups on a random or ad-hoc basis.
   - Properly reflected in network device restriction lists.
   - Reserved by IANA.

6. Specific (Source,Group) Restrictions

   Following is a list of (Source,Group) ranges that should not be used
   or routed in certain circumstances. Each range is associated with a
   brief explanation and a cross-reference to a fuller explanation to
   be found in following sections of this note.
   (*,224.0.1.2/32)          SGI-Dogfight                        Section 8.4
   (*,224.0.1.3/32)          Rwhod                               Section 8.5
   (*,224.0.1.22/32)         SVRLOC                              Section 8.4
   (*,224.0.1.24/32)         Microsoft-DS                        Section 8.4
   (*,224.0.1.35/32)         SVRLOC-DA                           Section 8.5
   (*,224.0.1.39/32)         CISCO-RP-ANNOUNCE                   Section 8.5
   (*,224.0.1.40/32)         CISCO-RP-DISCOVERY                  Section 8.5
   (*,224.0.1.60/32)         HP-DEVICE-DISC                      Section 8.5
   (*,224.0.2.2/32)          SUN-RPC                             Section 8.4
   (*,224.77.0.0/16)         Norton Ghost                        Section 8.3
   (*,224.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,225.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,225.1.2.3/32)          Altiris                             Section 8.3
   (*,225.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,226.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,226.77.0.0/16)         Norton Ghost                        Section 8.3
   (*,226.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,227.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,227.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,228.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,228.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,229.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,229.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,230.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,230.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,231.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,231.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,232.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,232.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,232.0.0.0/8)           Source-Specific Multicast           Section 9.1
   (*,233.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,233.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,234.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,234.42.42.42/32)       Phoenix/StorageSoft ImageCast       Section 8.3
   (*,234.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,234.142.142.42/31)     Phoenix/StorageSoft ImageCast       Section 8.3
   (*,234.142.142.44/30)     Phoenix/StorageSoft ImageCast       Section 8.3
   (*,234.142.142.48/28)     Phoenix/StorageSoft ImageCast       Section 8.3
   (*,234.142.142.64/26)     Phoenix/StorageSoft ImageCast       Section 8.3
   (*,234.142.142.128/29)    Phoenix/StorageSoft ImageCast       Section 8.3
   (*,234.142.142.136/30)    Phoenix/StorageSoft ImageCast       Section 8.3
   (*,234.142.142.140/31)    Phoenix/StorageSoft ImageCast       Section 8.3
   (*,234.142.142.142/32)    Phoenix/StorageSoft ImageCast       Section 8.3
   (*,235.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,235.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,236.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,236.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,237.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,237.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,238.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,238.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1
   (*,239.0.0.0/8)           Administratively Scoped Groups      Section 8.1
   (*,239.0.0.0/24)          Control plane of IGMP snoopers      Section 7.1
   (*,239.128.0.0/24)        Control plane of IGMP snoopers      Section 7.1

   (0.0.0.0/0,*)             Link Local Addresses                Section 8.2
   (10.0.0.0/8,*)            Private Address Space               Section 8.2
   (127.0.0.0/8,*)           Loopback Address Space              Section 8.2
   (169.254.0.0/8,*)         Link Local Addresses                Section 8.2
   (172.16.0.0/12,*)         Private Address Space               Section 8.2
   (192.0.2.0/24,*)          Documentation/Example               Section 8.2
   (192.168.0.0/16,*)        Private Address Space               Section 8.2

7. Unusable Locally

   Multicast datagrams that match the criteria in this section SHOULD
   NOT be used, even on local, unrouted subnetworks.
7.1 Groups processed in the control plane of IGMP-snooping switches.

   [MCAST] describes the mapping of IPv4 Multicast Group addresses to
   Ethernet MAC addresses, as follows:

      An IP host group address is mapped to an Ethernet multicast
      address by placing the low-order 23-bits of the IP address
      into the low-order 23 bits of the Ethernet multicast address
      01-00-5E-00-00-00 (hex). Because there are 28 significant
      bits in an IP host group address, more than one host group
      address may map to the same Ethernet multicast address.

   Multicast group addresses in the 224.0.0.0/24 range are used for
   local subnetwork control. This maps to the Ethernet multicast
   address range 01-00-5E-00-00-XX, where XX is 00 through FF.
   Ethernet frames within this range are always processed in the
   control plane of many popular network devices, such as IGMP-snooping
   switches.

   Because of the many-to-one mapping of IPv4 Multicast Group Addresses
   to Ethernet MAC addresses, it is possible to overwhelm the control
   plane of network devices by sending to group addresses that map into
   the 01-00-5E-00-00-XX (hex) range.

   IGMP-snooping network devices must also flood these frames to all
   outgoing ports, so the damage may extend to end systems and routers.

8. Unusable Inter-domain

   Multicast datagrams that match the criteria in this section SHOULD
   NOT be routed between administrative domains.

   Section 7 (Unusable Locally) is incorporated here by reference.

8.1 Administratively Scoped Addresses

   RFC 2365 [ADMIN] defines 239.0.0.0/8 for use within an
   administrative domain. As such, datagrams with group addresses that
   match 239.0.0.0/8 SHOULD NOT be passed between administrative
   domains.

8.2 Special Use IPv4 Source Addresses

   RFC 1918 [PRIVATE] defines certain ranges of IPv4 unicast addresses
   that can be used within an administrative domain. Multicast
   datagrams are no exception to the rule that datagrams addressed
   within these ranges SHOULD NOT be passed between administrative
   domains.

   127.0.0.0/8 is widely used for internal host addressing, and is
   generally not valid on datagrams passed between hosts.

   0.0.0.0/8 and 169.254.0.0/16 are valid only in the context of local
   links. Such source addresses are not valid for datagrams passed
   between networks. [RFC 1700] [RFC 3330]

   192.0.2.0/24 is reserved for documentation and example code.
   [RFC 3330]

8.3 Personal Computer Deployment and Control Applications

   The Norton Ghost [GHOST], Phoenix/StorageSoft ImageCast [IMCAST],
   and Altiris [ALTIRIS] applications are used to duplicate files and
   filesystems from servers to clients, and to otherwise maintain
   groups of Personal Computers. They are intended to be used on a
   local subnet or within an administrative domain, but the default
   addresses used by the software are not within the administratively-
   scoped range 239.0.0.0/8 (see Section 8.1 above).

8.4 Known Insecure Services

   Applications that use certain multicast group addresses have been
   demonstrated to be vulnerable to exploitation, leading to serious
   security problems.

8.5 Internal Resource Discovery

   Applications that use certain multicast group addresses are used to
   discover resources within an administrative domain.

9. No Flooding of Knowledge of Active Sources

   In the absence of explicit requests by interested receivers,
   multicast datagrams that match the criteria in this section SHOULD
   NOT be transmitted across administrative domain boundaries.

   The knowledge of active sources that match the criteria in this
   section SHOULD NOT be passed between administrative domains, for
   example through the operation of the Multicast Source Discovery
   Protocol (MSDP) [MSDP].
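   As an added example (not code from the draft or its author), the
   following Python implements the RFC 1112 group-to-MAC mapping from
   Section 7.1, enumerates the /24 blocks that alias 224.0.0.0/24 at
   layer 2 (the draft's 31 blocks), and classifies a (source, group)
   pair into the Section 7, 8 and 9 tiers using a constructed subset of
   the Section 6 table. The RULES table, the tier names and the
   function names are assumptions of this example; the source prefixes
   follow the Section 8.2 text (0.0.0.0/8, 169.254.0.0/16).

```python
# Added example derived from draft-ietf-mboned-ipv4-mcast-unusable-01 (not the draft's code).
from __future__ import annotations
import ipaddress

MCAST = ipaddress.IPv4Network("224.0.0.0/4")
LOCAL_CONTROL = ipaddress.IPv4Network("224.0.0.0/24")  # maps to 01-00-5E-00-00-XX

def group_to_mac(group: str) -> str:
    """RFC 1112 mapping: the low-order 23 bits of the group go into 01-00-5E-00-00-00."""
    g = ipaddress.IPv4Address(group)
    if g not in MCAST:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    mac = 0x01005E000000 | (int(g) & 0x7FFFFF)
    return "-".join(f"{(mac >> s) & 0xFF:02X}" for s in range(40, -1, -8))

def aliases_local_control(group: str) -> bool:
    """True when a group outside 224.0.0.0/24 still lands on a 01-00-5E-00-00-XX MAC,
    so an IGMP-snooping switch punts it to its control plane (Section 7.1)."""
    g = ipaddress.IPv4Address(group)
    return g not in LOCAL_CONTROL and group_to_mac(group).startswith("01-00-5E-00-00-")

def alias_blocks() -> list[str]:
    """The /24s that alias 224.0.0.0/24 at layer 2: the 5 group bits RFC 1112 drops
    (bits 23..27) give 2**5 = 32 blocks; without 224.0.0.0/24 itself, the draft's 31."""
    blocks = [ipaddress.ip_network((0xE0000000 | (k << 23), 24)) for k in range(32)]
    return [str(b) for b in blocks if b != LOCAL_CONTROL]

# Constructed subset of the Section 6 table as (source prefix, group prefix, tier);
# "*" matches anything.  Source prefixes follow the Section 8.2 text.
RULES = [
    ("*",              "239.0.0.0/8",   "interdomain"),  # admin scoped, 8.1
    ("10.0.0.0/8",     "*",             "interdomain"),  # RFC 1918 source, 8.2
    ("172.16.0.0/12",  "*",             "interdomain"),
    ("192.168.0.0/16", "*",             "interdomain"),
    ("127.0.0.0/8",    "*",             "interdomain"),  # loopback, 8.2
    ("0.0.0.0/8",      "*",             "interdomain"),  # link local, 8.2
    ("169.254.0.0/16", "*",             "interdomain"),
    ("192.0.2.0/24",   "*",             "interdomain"),  # documentation, 8.2
    ("*",              "224.77.0.0/16", "interdomain"),  # Norton Ghost, 8.3
    ("*",              "224.0.1.39/32", "interdomain"),  # CISCO-RP-ANNOUNCE, 8.5
    ("*",              "232.0.0.0/8",   "noflood"),      # SSM, 9.1
]
ORDER = {"local": 0, "interdomain": 1, "noflood": 2}  # lower = stricter

def strictest_tier(source: str, group: str) -> str | None:
    """Strictest tier that applies to a (source, group) datagram.  Section 7 is
    incorporated into 8, and 7 and 8 into 9, so "local" beats "interdomain",
    which beats "noflood"; None means no transcribed rule matched."""
    src, grp = ipaddress.IPv4Address(source), ipaddress.IPv4Address(group)
    tiers = ["local"] if aliases_local_control(group) else []  # 7.1 is computed, not tabled
    for s_pfx, g_pfx, tier in RULES:
        src_ok = s_pfx == "*" or src in ipaddress.IPv4Network(s_pfx)
        grp_ok = g_pfx == "*" or grp in ipaddress.IPv4Network(g_pfx)
        if src_ok and grp_ok:
            tiers.append(tier)
    return min(tiers, key=ORDER.__getitem__) if tiers else None
```

   A group such as 233.252.0.1 maps to 01-00-5E-7C-00-01 and matches no
   rule, while 233.128.0.5 maps to 01-00-5E-00-00-05 and is "local".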
   Sections 7 and 8 are incorporated here by reference.

9.1 Source-Specific Multicast

   Multicast datagrams addressed within 232.0.0.0/8 (See [IANA]) are
   used in the Source-Specific Multicast regime. Interested recipients
   request traffic from specific sources using specific group
   addresses. Knowledge of active sources is not flooded throughout
   the Internet, as it is the responsibility of the application to
   discover the active sources.

10. IANA Considerations

   Due to the issue outlined in Section 7.1 with 233.0.0.0/24 and
   233.128.0.0/24 above, IANA SHOULD NOT allocate AS 0 nor AS 32768 to
   any Autonomous System or Registry.

   IANA SHOULD reserve the 31 address blocks referenced in Section 7.

11. Security Considerations

   Low to moderate multicast traffic levels, using addresses within
   these Section 7.1 Multicast Group Address ranges, can result in
   severe denial of service on network devices that process frames with
   Ethernet MAC addresses in the 01-00-5E-00-00-XX (hex) range in the
   control plane.

   Interdomain forwarding of multicast traffic generated by certain
   multicast applications (see Section 8.3) can result in internal
   enterprise data being replicated far beyond that which was intended.

   Interdomain forwarding of multicast traffic on certain multicast
   groups (see Section 8.4) can lead to compromise of host systems.

12. Acknowledgements

   The author relied heavily on a list of problematic groups maintained
   by Cisco Systems, especially Beau Williamson and his colleagues.

   Jay Ford and Alan Croswell provided references for the Norton Ghost
   restriction.

   Leonard Giuliano, John Kristoff, Alastair Matthews, Pekka Savola,
   and Beau Williamson provided helpful comments, corrections, and
   suggestions.
   This work was supported by the Mathematical, Information, and
   Computational Sciences Division subprogram of the Office of Advanced
   Scientific Computing Research, U.S. Department of Energy, under
   Contract W-31-109-Eng-38.

13. References

   [RFC2119]  RFC 2119: Key Words for use in RFCs to Indicate
              Requirement Levels. S. Bradner. March 1997.

   [MCAST]    RFC 1112: Host extensions for IP multicasting.
              S.E. Deering. August 1989.

   [CIDR]     RFC 1519: Classless Inter-Domain Routing (CIDR): an
              Address Assignment and Aggregation Strategy. V. Fuller,
              T. Li, J. Yu, K. Varadhan. September 1993.

   [ADMIN]    RFC 2365: Administratively Scoped IP Multicast. D. Meyer.
              July 1998.

   [PRIVATE]  RFC 1918: Address Allocation for Private Internets.
              Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot,
              E. Lear. February 1996.

   [RFC 1700] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2,
              RFC 1700, October 1994.

   [RFC 3330] "Special-Use IPv4 Addresses", IANA, RFC 3330, September
              2002.

   [GHOST]    Symantec.
              http://service2.symantec.com/SUPPORT/ghost.nsf/docid/1999033015222425

   [IMCAST]   Phoenix Technologies.
              http://www.storagesoft.com/products/imagecast

   [ALTIRIS]  Altiris.
              http://www.altiris.com/support/docs/altirisexpress/axtechref41.pdf

   [MSDP]     Multicast Source Discovery Protocol. Bill Fenner and
              David Meyer, Editors. Work in Progress.
              draft-ietf-msdp-spec-20.txt

   [IANA]     Internet Assigned Numbers Authority.
              http://www.iana.org/assignments/multicast-addresses

14. Author's Address

   Bill Nickless
   Argonne National Laboratory
   9700 South Cass Avenue #221        Phone: +1 630 252 7390
   Argonne, IL 60439                  Email: nickless@mcs.anl.gov