idnits 2.17.1

draft-ietf-mboned-mtrace-v2-26.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 3 instances of lines with multicast IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use the 233.252.0.x range defined in RFC 5771

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  -- The document seems to contain a disclaimer for pre-RFC5378 work, and may
     have content which was first submitted before 10 November 2008.  The
     disclaimer is necessary when there are original authors that you have
     been unable to contact, or if some do not wish to grant the BCP78 rights
     to the IETF Trust.  If you are able to get all authors (current and
     original) to grant those rights, you can and should remove the
     disclaimer; otherwise, the disclaimer is needed and you can ignore this
     comment.  (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (July 31, 2018) is 2095 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

MBONED Working Group                                           H. Asaeda
Internet-Draft                                                      NICT
Intended status: Standards Track                                K. Meyer
Expires: February 1, 2019                                    W. Lee, Ed.
                                                           July 31, 2018

         Mtrace Version 2: Traceroute Facility for IP Multicast
                     draft-ietf-mboned-mtrace-v2-26

Abstract

   This document describes the IP multicast traceroute facility, named
   Mtrace version 2 (Mtrace2).  Unlike unicast traceroute, Mtrace2
   requires special implementations on the part of routers.  This
   specification describes the required functionality in multicast
   routers, as well as how an Mtrace2 client invokes a query and
   receives a reply.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 1, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
   2.  Terminology
     2.1.  Definitions
   3.  Packet Formats
     3.1.  Mtrace2 TLV format
     3.2.  Defined TLVs
       3.2.1.  Mtrace2 Query
       3.2.2.  Mtrace2 Request
       3.2.3.  Mtrace2 Reply
       3.2.4.  IPv4 Mtrace2 Standard Response Block
       3.2.5.  IPv6 Mtrace2 Standard Response Block
       3.2.6.  Mtrace2 Augmented Response Block
       3.2.7.  Mtrace2 Extended Query Block
   4.  Router Behavior
     4.1.  Receiving Mtrace2 Query
       4.1.1.  Query Packet Verification
       4.1.2.  Query Normal Processing
     4.2.  Receiving Mtrace2 Request
       4.2.1.  Request Packet Verification
       4.2.2.  Request Normal Processing
     4.3.  Forwarding Mtrace2 Request
       4.3.1.  Destination Address
       4.3.2.  Source Address
       4.3.3.  Appending Standard Response Block
     4.4.  Sending Mtrace2 Reply
       4.4.1.  Destination Address
       4.4.2.  Source Address
       4.4.3.  Appending Standard Response Block
     4.5.  Proxying Mtrace2 Query
     4.6.  Hiding Information
   5.  Client Behavior
     5.1.  Sending Mtrace2 Query
       5.1.1.  Destination Address
       5.1.2.  Source Address
     5.2.  Determining the Path
     5.3.  Collecting Statistics
     5.4.  Last Hop Router (LHR)
     5.5.  First Hop Router (FHR)
     5.6.  Broken Intermediate Router
     5.7.  Non-Supported Router
     5.8.  Mtrace2 Termination
       5.8.1.  Arriving at Source
       5.8.2.  Fatal Error
       5.8.3.  No Upstream Router
       5.8.4.  Reply Timeout
     5.9.  Continuing after an Error
   6.  Protocol-Specific Considerations
     6.1.  PIM-SM
     6.2.  Bi-Directional PIM
     6.3.  PIM-DM
     6.4.  IGMP/MLD Proxy
   7.  Problem Diagnosis
     7.1.  Forwarding Inconsistencies
     7.2.  TTL or Hop Limit Problems
     7.3.  Packet Loss
     7.4.  Link Utilization
     7.5.  Time Delay
   8.  IANA Considerations
     8.1.  "Mtrace2 Forwarding Codes" Registry
     8.2.  "Mtrace2 TLV Types" Registry
     8.3.  UDP Destination Port
   9.  Security Considerations
     9.1.  Addresses in Mtrace2 Header
     9.2.  Verification of Clients and Peers
     9.3.  Topology Discovery
     9.4.  Characteristics of Multicast Channel
     9.5.  Limiting Query/Request Rates
     9.6.  Limiting Reply Rates
     9.7.  Specific Security Concerns
       9.7.1.  Request and Response Bombardment
       9.7.2.  Amplification Attack
       9.7.3.  Leaking of Confidential Topology Details
       9.7.4.  Delivery of False Information (Forged Reply Messages)
   10. Acknowledgements
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Authors' Addresses

1.  Introduction

   Given a multicast distribution tree, tracing hop-by-hop downstream
   from a multicast source to a given multicast receiver is difficult
   because there is no efficient and deterministic way to determine the
   branch of the multicast routing tree on which that receiver lies.  On
   the other hand, walking up the tree from a receiver to a source is
   easy, as most existing multicast routing protocols know the upstream
   router for each source.  Tracing from a receiver to a source can
   involve only the routers on the direct path.

   This document specifies the multicast traceroute facility named
   Mtrace version 2 or Mtrace2 which allows the tracing of an IP
   multicast routing path.  Mtrace2 is usually initiated from an Mtrace2
   client by sending an Mtrace2 Query to a Last Hop Router (LHR) or to a
   Rendezvous Point (RP).  The RP is a special router where sources and
   receivers meet in Protocol Independent Multicast - Sparse Mode (PIM-
   SM) [5].  From the LHR/RP receiving the query, the tracing is
   directed towards a specified source if a source address is specified
   and source specific state exists on the receiving router.
   If no source address is specified or if no source specific state
   exists on a receiving LHR, the tracing is directed toward the RP for
   the specified group address.  Moreover, Mtrace2 provides additional
   information such as the packet rates and losses, as well as other
   diagnostic information.  Mtrace2 is primarily intended for the
   following purposes:

   o  To trace the path that a packet would take from a source to a
      receiver.

   o  To isolate packet loss problems (e.g., congestion).

   o  To isolate configuration problems (e.g., Time to live (TTL)
      threshold).

   Figure 1 shows a typical case of how Mtrace2 is used.  FHR represents
   the first-hop router, LHR represents the last-hop router, and the
   arrow lines represent the Mtrace2 messages that are sent from one
   node to another.  The numbers before the Mtrace2 messages represent
   the sequence in which the messages would happen.  Source, Receiver
   and Mtrace2 client are typically hosts.

                  2. Request                       2. Request
                  +----+                           +----+
                  |    |                           |    |
                  v    |                           v    |
   +--------+     +-----+                          +-----+     +----------+
   | Source |-----| FHR |------ The Internet ------| LHR |-----| Receiver |
   +--------+     +-----+             |            +-----+     +----------+
                       \              |             ^
                        \             |            /
                         \            |           /
                          \           |          /
                  3. Reply \          |         /  1. Query
                            \         |        /
                             \        |       /
                              \  +---------+ /
                               v | Mtrace2 |/
                                 | client  |
                                 +---------+

                                 Figure 1

   When an Mtrace2 client initiates a multicast trace, it sends an
   Mtrace2 Query packet to an LHR or RP for a multicast group and,
   optionally, a source address.  The LHR/RP turns the Query packet into
   a Request.  The Request message type enables each of the upstream
   routers processing the message to apply different packet and message
   validation rules than those required for handling of a Query message.
   The LHR/RP then appends a standard response block containing its
   interface addresses and packet statistics to the Request packet, then
   forwards the packet towards the source/RP.  The Request packet is
   either unicasted to its upstream router towards the source/RP, or
   multicasted to the group if the upstream router's IP address is not
   known.  In a similar fashion, each router along the path to the
   source/RP appends a standard response block to the end of the Request
   packet before forwarding it to its upstream router.  When the FHR
   receives the Request packet, it appends its own standard response
   block, turns the Request packet into a Reply, and unicasts the Reply
   back to the Mtrace2 client.

   The Mtrace2 Reply may be returned before reaching the FHR under some
   circumstances.  This can happen if a Request packet is received at an
   RP or gateway, or when any of several types of error or exception
   conditions occur which prevent sending of a request to the next
   upstream router.

   The Mtrace2 client waits for the Mtrace2 Reply message and displays
   the results.  When not receiving an Mtrace2 Reply message due to
   network congestion, a broken router (see Section 5.6), or a non-
   responding router (see Section 5.7), the Mtrace2 client may resend
   another Mtrace2 Query with a lower hop count (see Section 3.2.1), and
   repeat the process until it receives an Mtrace2 Reply message.  The
   details are Mtrace2 client specific and outside the scope of this
   document.

   Note that when a router's control plane and forwarding plane are out
   of sync, the Mtrace2 Requests might be forwarded based on the control
   states instead.  In this case, the traced path might not represent
   the real path the data packets would follow.

   Mtrace2 supports both IPv4 and IPv6.
   Unlike the previous version of
   Mtrace, which implements its query and response as Internet Group
   Management Protocol (IGMP) messages [8], all Mtrace2 messages are
   UDP-based.  Although the packet formats of IPv4 and IPv6 Mtrace2 are
   different because of the address families, the syntax between them is
   similar.

   This document describes the base specification of Mtrace2 that can
   serve as a basis for future proposals such as Mtrace2 for Automatic
   Multicast Tunneling (AMT) [9] and Mtrace2 for Multicast in MPLS/BGP
   IP VPNs (MVPN) [10].  They are therefore out of the scope of this
   document.

2.  Terminology

   In this document, the key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
   and "OPTIONAL" are to be interpreted as described in RFC 2119 [1],
   and indicate requirement levels for compliant Mtrace2
   implementations.

2.1.  Definitions

   Since Mtrace2 Queries and Requests flow in the opposite direction to
   the data flow, we refer to "upstream" and "downstream" with respect
   to data, unless explicitly specified.

   Incoming interface
      The interface on which data is expected to arrive from the
      specified source and group.

   Outgoing interface
      This is one of the interfaces to which data from the source or RP
      is expected to be transmitted for the specified source and group.
      It is also the interface on which the Mtrace2 Request was
      received.

   Upstream router
      The router, connecting to the Incoming interface of the current
      router, which is responsible for forwarding data for the specified
      source and group to the current router.

   First-hop router (FHR)
      The router that is directly connected to the source the Mtrace2
      Query specifies.

   Last-hop router (LHR)
      A router that is directly connected to a receiver.  It is also the
      router that receives the Mtrace2 Query from an Mtrace2 client.

   Group state
      The state a shared-tree protocol, such as PIM-SM [5], uses to
      choose the upstream router towards the RP for the specified group.
      In this state, source-specific state is not available for the
      corresponding group address on the router.

   Source-specific state
      The state that is used to choose the path towards the source for
      the specified source and group.

   ALL-[protocol]-ROUTERS group
      Link-local multicast address for multicast routers to communicate
      with their adjacent routers that are running the same routing
      protocol.  For instance, the IPv4 'ALL-PIM-ROUTERS' group is
      '224.0.0.13', and the IPv6 'ALL-PIM-ROUTERS' group is 'ff02::d'
      [5].

3.  Packet Formats

   This section describes the details of the packet formats for Mtrace2
   messages.

   All Mtrace2 messages are encoded in the Type/Length/Value (TLV)
   format (see Section 3.1).  The first TLV of a message is a message
   header TLV specifying the type of message and additional context
   information required for processing of the message and for parsing of
   subsequent TLVs in the message.  Subsequent TLVs in a message,
   referred to as Blocks, are appended after the header TLV to provide
   additional information associated with the message.  If an
   implementation receives an unknown TLV type for any TLV in a message,
   it SHOULD ignore and silently discard the entire packet.  If the
   length of a TLV exceeds the available space in the containing packet,
   the implementation MUST ignore and silently discard the TLV and any
   remaining portion of the containing packet.

   All Mtrace2 messages are UDP packets.  For IPv4, Mtrace2
   Query/Request/Reply messages MUST NOT be fragmented.  Therefore,
   Mtrace2 clients and LHRs/RPs MUST set the IP header do-not-fragment
   (DF) bit for all Mtrace2 messages.
   For IPv6, the packet size for the
   Mtrace2 messages MUST NOT exceed 1280 bytes, which is the smallest
   Maximum Transmission Unit (MTU) for an IPv6 interface [2].  The
   source port is uniquely selected by the local host operating system.
   The destination port is the IANA reserved Mtrace2 port number (see
   Section 8).  All Mtrace2 messages MUST have a valid UDP checksum.

   Additionally, Mtrace2 supports both IPv4 and IPv6, but not mixed.
   For example, if an Mtrace2 Query or Request message arrives as an
   IPv4 packet, all addresses specified in the Mtrace2 messages MUST be
   IPv4 as well.  The same rule applies to IPv6 Mtrace2 messages.

3.1.  Mtrace2 TLV format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |            Length             |  Value ....   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type: 8 bits

      Describes the format of the Value field.  For all the available
      types, please see Section 3.2.

   Length: 16 bits

      Length of Type, Length, and Value fields in octets.  Minimum
      length required is 4 octets.  The length MUST be a multiple of 4
      octets.  The maximum TLV length is not defined; however the entire
      Mtrace2 packet length MUST NOT exceed the available MTU.

   Value: variable length

      The format is based on the Type value.  The length of the value
      field is the Length field minus 3.  All reserved fields in the
      Value field MUST be transmitted as zeros and ignored on receipt.

3.2.  Defined TLVs

   The following TLV Types are defined:

      Code  Type
      ====  ================================
      0x00  Reserved
      0x01  Mtrace2 Query
      0x02  Mtrace2 Request
      0x03  Mtrace2 Reply
      0x04  Mtrace2 Standard Response Block
      0x05  Mtrace2 Augmented Response Block
      0x06  Mtrace2 Extended Query Block

   Each Mtrace2 message MUST begin with either a Query, Request or Reply
   TLV.
   The first TLV determines the type of each Mtrace2 message.
   Following a Query TLV, there can be a sequence of optional Extended
   Query Blocks.  In the case of a Request or a Reply TLV, it is then
   followed by a sequence of Standard Response Blocks, each from a
   multicast router on the path towards the source or the RP.  In the
   case more information is needed, a Standard Response Block can be
   followed by one or multiple Augmented Response Blocks.

   We will describe each message type in detail in the next few
   sections.

3.2.1.  Mtrace2 Query

   An Mtrace2 Query is originated by an Mtrace2 client which sends an
   Mtrace2 Query message to the LHR.  The LHR modifies only the Type
   field of the Query TLV (to turn it into a "Request") before appending
   a Standard Response Block and forwarding it upstream.  The LHR and
   intermediate routers handling the Mtrace2 message when tracing
   upstream MUST NOT modify any other fields within the Query/Request
   TLV.  Additionally, intermediate routers handling the message after
   the LHR has converted the Query into a Request MUST NOT modify the
   type field of the Request TLV.  If the actual number of hops is not
   known, an Mtrace2 client could send an initial Query message with a
   large # Hops (e.g., 0xff), in order to try to trace the full path.

   An Mtrace2 Query message is shown as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |            Length             |    # Hops     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                       Multicast Address                       |
      |                                                               |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
      |                                                               |
      |                        Source Address                         |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                    Mtrace2 Client Address                     |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           Query ID            |         Client Port #         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 2

   Length: 16 bits
      The length field MUST be either 20 (i.e., 8 plus 3 * 4 (IPv4
      addresses)) or 56 (i.e., 8 + 3 * 16 (IPv6 addresses)); if the
      length is 20, then IPv4 addresses MUST be assumed and if the
      length is 56, then IPv6 addresses MUST be assumed.

   # Hops: 8 bits
      This field specifies the maximum number of hops that the Mtrace2
      client wants to trace.  If there are some error conditions in the
      middle of the path that prevent an Mtrace2 Reply from being
      received by the client, the client MAY issue another Mtrace2 Query
      with a lower number of hops until it receives a Reply.

   Multicast Address: 32 bits or 128 bits
      This field specifies an IPv4 or IPv6 address, which can be either:

      m-1: a multicast group address to be traced; or,

      m-2: all 1's in case of IPv4 or the unspecified address (::) in
           case of IPv6 if no group-specific information is desired.

   Source Address: 32 bits or 128 bits
      This field specifies an IPv4 or IPv6 address, which can be either:

      s-1: a unicast address of the source to be traced; or,

      s-2: all 1's in case of IPv4 or the unspecified address (::) in
           case of IPv6 if no source-specific information is desired.
           For example, the client is tracing a (*,g) group state.

      Note that it is invalid to have a source-group combination of
      (s-2, m-2).  If a router receives such a combination in an Mtrace2
      Query, it MUST silently discard the Query.

   Mtrace2 Client Address: 32 bits or 128 bits
      This field specifies the Mtrace2 client's IPv4 address or IPv6
      global address.  This address MUST be a valid unicast address, and
      therefore, MUST NOT be all 1's or an unspecified address.  The
      Mtrace2 Reply will be sent to this address.

   Query ID: 16 bits
      This field is used as a unique identifier for this Mtrace2 Query
      so that duplicate or delayed Reply messages may be detected.

   Client Port #: 16 bits
      This field specifies the destination UDP port number for receiving
      the Mtrace2 Reply packet.

3.2.2.  Mtrace2 Request

   The Mtrace2 Request TLV is exactly the same as an Mtrace2 Query
   except for identifying the Type field of 0x02.

   When a LHR receives an Mtrace2 Query message, it turns the Query into
   a Request by changing the Type field of the Query from 0x01 to 0x02.
   The LHR then appends an Mtrace2 Standard Response Block (see
   Section 3.2.4) of its own to the Request message before sending it
   upstream.  The upstream routers do the same without changing the Type
   field until one of them is ready to send a Reply.

3.2.3.  Mtrace2 Reply

   The Mtrace2 Reply TLV is exactly the same as an Mtrace2 Query except
   for identifying the Type field of 0x03.

   When a FHR or an RP receives an Mtrace2 Request message which is
   destined to itself, it appends an Mtrace2 Standard Response Block
   (see Section 3.2.4) of its own to the Request message.  Next, it
   turns the Request message into a Reply by changing the Type field of
   the Request from 0x02 to 0x03 and by changing the UDP destination
   port to the port number specified in the Client Port number field in
   the Request.
   It then unicasts the Reply message to the Mtrace2
   client specified in the Mtrace2 Client Address field.

   There are a number of cases in which an intermediate router might
   return a Reply before a Request reaches the FHR or the RP.  See
   Section 4.1.1, Section 4.2.2, Section 4.3.3, and Section 4.5 for more
   details.

3.2.4.  IPv4 Mtrace2 Standard Response Block

   This section describes the message format of an IPv4 Mtrace2 Standard
   Response Block.  The Type field is 0x04.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |            Length             |      MBZ      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Query Arrival Time                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                  Incoming Interface Address                   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                  Outgoing Interface Address                   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    Upstream Router Address                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .           Input packet count on incoming interface            .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .           Output packet count on outgoing interface           .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .      Total number of packets for this source-group pair       .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         Rtg Protocol          |    Multicast Rtg Protocol     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Fwd TTL    |      MBZ      |S|  Src Mask   |Forwarding Code|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   MBZ: 8 bits
      This field MUST be zeroed on transmission and ignored on
      reception.

   Query Arrival Time: 32 bits
      The Query Arrival Time is a 32-bit Network Time Protocol (NTP)
      timestamp specifying the arrival time of the Mtrace2 Query or
      Request packet at this router.  The 32-bit form of an NTP
      timestamp consists of the middle 32 bits of the full 64-bit form;
      that is, the low 16 bits of the integer part and the high 16 bits
      of the fractional part.

      The following formula converts from a timespec (fractional part in
      nanoseconds) to a 32-bit NTP timestamp:

         query_arrival_time
            = ((tv.tv_sec + 32384) << 16) + ((tv.tv_nsec << 7) / 1953125)

      The constant 32384 is the number of seconds from Jan 1, 1900 to
      Jan 1, 1970 truncated to 16 bits.  ((tv.tv_nsec << 7) / 1953125)
      is a reduction of ((tv.tv_nsec / 1000000000) << 16).

      Note that synchronized clocks are required on the traced routers
      to estimate propagation and queueing delays between successive
      hops.  Nevertheless, even without this synchronization, an
      application can still estimate an upper bound on cumulative one
      way latency by measuring the time between sending a Query and
      receiving a Reply.

      Additionally, Query Arrival Time is useful for measuring the
      packet rate.  For example, suppose that a client issues two
      queries, and the corresponding requests R1 and R2 arrive at router
      X at time T1 and T2, then the client would be able to compute the
      packet rate on router X by using the packet count information
      stored in the R1 and R2, and the time T1 and T2.

   Incoming Interface Address: 32 bits
      This field specifies the address of the interface on which packets
      from the source or the RP are expected to arrive, or 0 if unknown
      or unnumbered.

   Outgoing Interface Address: 32 bits
      This field specifies the address of the interface on which packets
      from the source or the RP are expected to transmit towards the
      receiver, or 0 if unknown or unnumbered.
      This is also the address
      of the interface on which the Mtrace2 Query or Request arrives.

   Upstream Router Address: 32 bits
      This field specifies the address of the upstream router from which
      this router expects packets from this source.  This MAY be a
      multicast group (e.g., ALL-[protocol]-ROUTERS group) if the
      upstream router is not known because of the workings of the
      multicast routing protocol.  However, it MUST be 0 if the incoming
      interface address is unknown or unnumbered.

   Input packet count on incoming interface: 64 bits
      This field contains the number of multicast packets received for
      all groups and sources on the incoming interface, or all 1's if no
      count can be reported.  This counter may have the same value as
      ifHCInMulticastPkts from the Interfaces Group MIB (IF-MIB) [12]
      for this interface.

   Output packet count on outgoing interface: 64 bits
      This field contains the number of multicast packets that have been
      transmitted or queued for transmission for all groups and sources
      on the outgoing interface, or all 1's if no count can be reported.
      This counter may have the same value as ifHCOutMulticastPkts from
      the IF-MIB [12] for this interface.

   Total number of packets for this source-group pair: 64 bits
      This field counts the number of packets from the specified source
      forwarded by the router to the specified group, or all 1's if no
      count can be reported.  If the S bit is set (see below), the count
      is for the source network, as specified by the Src Mask field (see
      below).  If the S bit is set and the Src Mask field is 127,
      indicating no source-specific state, the count is for all sources
      sending to this group.  This counter should have the same value as
      ipMcastRoutePkts from the IP Multicast MIB [13] for this
      forwarding entry.
   Rtg Protocol: 16 bits
      This field describes the unicast routing protocol running between
      this router and the upstream router, and it is used to determine
      the RPF interface for the specified source or RP.  This value
      should have the same value as ipMcastRouteRtProtocol from the IP
      Multicast MIB [13] for this entry.  If the router is not able to
      obtain this value, all 0's must be specified.

   Multicast Rtg Protocol: 16 bits
      This field describes the multicast routing protocol in use between
      the router and the upstream router.  This value should have the
      same value as ipMcastRouteProtocol from the IP Multicast MIB [13]
      for this entry.  If the router cannot obtain this value, all 0's
      must be specified.

   Fwd TTL: 8 bits
      This field contains the configured multicast TTL threshold, if
      any, of the outgoing interface.

   S: 1 bit
      If this bit is set, it indicates that the packet count for the
      source-group pair is for the source network, as determined by
      masking the source address with the Src Mask field.

   Src Mask: 7 bits
      This field contains the number of 1's in the netmask the router
      has for the source (i.e., a value of 24 means the netmask is
      0xffffff00).  If the router is forwarding solely on group state,
      this field is set to 127 (0x7f).

   Forwarding Code: 8 bits
      This field contains a forwarding information/error code.  Values
      with the high-order bit set (0x80-0xff) are intended for use with
      conditions that are transitory or automatically recovered.  Other
      forwarding code values indicate a need to fix a problem in the
      Query or a need to redirect the Query.  Section 4.1 and
      Section 4.2 explain how and when the Forwarding Code is filled.
      Defined values are as follows:

      Value  Name            Description
      -----  --------------  ----------------------------------------------
      0x00   NO_ERROR        No error
      0x01   WRONG_IF        Mtrace2 Request arrived on an interface
                             to which this router would not forward for
                             the specified group towards the source or RP.
      0x02   PRUNE_SENT      This router has sent a prune upstream which
                             applies to the source and group in the
                             Mtrace2 Request.
      0x03   PRUNE_RCVD      This router has stopped forwarding for this
                             source and group in response to a request
                             from the downstream router.
      0x04   SCOPED          The group is subject to administrative
                             scoping at this router.
      0x05   NO_ROUTE        This router has no route for the source or
                             group and no way to determine a potential
                             route.
      0x06   WRONG_LAST_HOP  This router is not the proper LHR.
      0x07   NOT_FORWARDING  This router is not forwarding this source and
                             group out the outgoing interface for an
                             unspecified reason.
      0x08   REACHED_RP      Reached the Rendezvous Point.
      0x09   RPF_IF          Mtrace2 Request arrived on the expected
                             RPF interface for this source and group.
      0x0A   NO_MULTICAST    Mtrace2 Request arrived on an interface
                             which is not enabled for multicast.
      0x0B   INFO_HIDDEN     One or more hops have been hidden from this
                             trace.
      0x0C   REACHED_GW      Mtrace2 Request arrived on a gateway (e.g.,
                             a NAT or firewall) that hides the
                             information between this router and the
                             Mtrace2 client.
      0x0D   UNKNOWN_QUERY   A non-transitive Extended Query Type was
                             received by a router which does not support
                             the type.
      0x80   FATAL_ERROR     A fatal error is one where the router may
                             know the upstream router but cannot forward
                             the message to it.
      0x81   NO_SPACE        There was not enough room to insert another
                             Standard Response Block in the packet.
      0x83   ADMIN_PROHIB    Mtrace2 is administratively prohibited.

3.2.5.  IPv6 Mtrace2 Standard Response Block

   This section describes the message format of an IPv6 Mtrace2 Standard
   Response Block.  The Type field is also 0x04.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |            Length             |      MBZ      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Query Arrival Time                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                     Incoming Interface ID                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                     Outgoing Interface ID                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      *                         Local Address                         *
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      *                        Remote Address                         *
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .           Input packet count on incoming interface            .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .           Output packet count on outgoing interface           .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .      Total number of packets for this source-group pair       .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         Rtg Protocol          |    Multicast Rtg Protocol     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           MBZ 2             |S|Src Prefix Len |Forwarding Code|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   MBZ: 8 bits
      This field MUST be zeroed on transmission and ignored on
      reception.

   Query Arrival Time: 32 bits
      Same definition as in IPv4.

   Incoming Interface ID: 32 bits
      This field specifies the interface ID on which packets from the
      source or RP are expected to arrive, or 0 if unknown.  This ID
      should be the value taken from InterfaceIndex of the IF-MIB [12]
      for this interface.
   Outgoing Interface ID: 32 bits
      This field specifies the interface ID on which packets from the
      source or RP are expected to be transmitted, or 0 if unknown.
      This ID should be the value taken from InterfaceIndex of the
      IF-MIB [12] for this interface.

   Local Address: 128 bits
      This field specifies a global IPv6 address that uniquely
      identifies the router.  A unique local unicast address [11] SHOULD
      NOT be used unless the router is only assigned link-local and
      unique local addresses.  If the router is only assigned link-local
      addresses, its link-local address can be specified in this field.

   Remote Address: 128 bits
      This field specifies the address of the upstream router, which, in
      most cases, is a link-local unicast address of the upstream
      router.

      Although a link-local address does not have enough information to
      identify a node, it is possible to detect the upstream router with
      the assistance of the Incoming Interface ID and the current router
      address (i.e., the Local Address).

      Note that this may be a multicast group (e.g., the ALL-[protocol]-
      ROUTERS group) if the upstream router is not known because of the
      workings of a multicast routing protocol.  However, it should be
      the unspecified address (::) if the incoming interface address is
      unknown.

   Input packet count on incoming interface: 64 bits
      Same definition as in IPv4.

   Output packet count on outgoing interface: 64 bits
      Same definition as in IPv4.

   Total number of packets for this source-group pair: 64 bits
      Same definition as in IPv4, except that if the S bit is set (see
      below), the count is for the source network, as specified by the
      Src Prefix Len field.  If the S bit is set and the Src Prefix Len
      field is 255, indicating no source-specific state, the count is
      for all sources sending to this group.  This counter should have
      the same value as ipMcastRoutePkts from the IP Multicast MIB [13]
      for this forwarding entry.

   Rtg Protocol: 16 bits
      Same definition as in IPv4.

   Multicast Rtg Protocol: 16 bits
      Same definition as in IPv4.

   MBZ 2: 15 bits
      This field MUST be zeroed on transmission and ignored on
      reception.

   S: 1 bit
      Same definition as in IPv4, except that the Src Prefix Len field
      is used to mask the source address.

   Src Prefix Len: 8 bits
      This field contains the prefix length this router has for the
      source.  If the router is forwarding solely on group state, this
      field is set to 255 (0xff).

   Forwarding Code: 8 bits
      Same definition as in IPv4.

3.2.6.  Mtrace2 Augmented Response Block

   In addition to the Standard Response Block, a multicast router on the
   traced path can optionally add one or more Augmented Response Blocks
   before sending the Request to its upstream router.

   The Augmented Response Block is flexible for various purposes, such
   as providing diagnostic information (see Section 7) and protocol
   verification.  Its Type field is 0x05, and its format is as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |            Length             |      MBZ      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Augmented Response Type    |          Value ....           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   MBZ: 8 bits
      This field MUST be zeroed on transmission and ignored on
      reception.

   Augmented Response Type: 16 bits
      This field specifies the type of the various responses that a
      multicast router might need to communicate back to the Mtrace2
      client as well as to the multicast routers on the traced path.
      The Augmented Response Type is defined as follows:

      Code    Type
      ======  ==============================================
      0x0001  # of the returned Standard Response Blocks

      When the NO_SPACE error occurs on a router, the router should send
      the original Mtrace2 Request received from the downstream router
      as a Reply back to the Mtrace2 client and continue with a new
      Mtrace2 Request.  In the new Request, the router adds a Standard
      Response Block followed by an Augmented Response Block with 0x01
      as the Augmented Response Type, and the number of the returned
      Mtrace2 Standard Response Blocks as the Value.

      Each upstream router recognizes the total number of hops the
      Request has been traced so far by adding this number to the
      number of Standard Response Blocks in the current Request
      message.

      This document only defines one Augmented Response Type in the
      Augmented Response Block.  The description of how to provide
      diagnostic information using the Augmented Response Block is out
      of the scope of this document, and will be addressed in separate
      documents.

   Value: variable length
      The format is based on the Augmented Response Type value.  The
      length of the Value field is the Length field minus 6.

3.2.7.  Mtrace2 Extended Query Block

   There may be a sequence of optional Extended Query Blocks that follow
   an Mtrace2 Query to further specify any information needed for the
   Query.  For example, an Mtrace2 client might be interested in tracing
   the path the specified source and group would take based on a certain
   topology.  In this case, the client can pass in the multi-topology ID
   as the Value for an Extended Query Type (see below).  The Extended
   Query Type is extensible and the behavior of new types will be
   addressed by separate documents.
   The Mtrace2 Extended Query Block's Type field is 0x06, and it is
   formatted as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |            Length             |     MBZ     |T|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Extended Query Type      |          Value ....           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   MBZ: 7 bits
      This field MUST be zeroed on transmission and ignored on
      reception.

   T-bit (Transitive Attribute): 1 bit
      If the TLV type is unrecognized by the receiving router, then this
      TLV is either discarded or forwarded along with the Query,
      depending on the value of this bit.  If this bit is set, then the
      router MUST forward this TLV.  If this bit is clear, the router
      MUST send an Mtrace2 Reply with an UNKNOWN_QUERY error.

   Extended Query Type: 16 bits
      This field specifies the type of the Extended Query Block.

   Value: 16 bits
      This field specifies the value of this Extended Query.

4.  Router Behavior

   This section describes the router behavior in the context of Mtrace2
   in detail.

4.1.  Receiving Mtrace2 Query

   An Mtrace2 Query message is an Mtrace2 message with no response
   blocks filled in, and uses TLV type 0x01.

4.1.1.  Query Packet Verification

   Upon receiving an Mtrace2 Query message, a router MUST examine
   whether the Multicast Address and the Source Address are a valid
   combination as specified in Section 3.2.1, and whether the Mtrace2
   Client Address is a valid IP unicast address.  If either one is
   invalid, the Query MUST be silently ignored.

   Mtrace2 supports a client that is not local to the LHR/RP.  A router
   MUST, however, support a mechanism to drop Queries from clients
   beyond a specified administrative boundary.  The potential approaches
   are described in Section 9.2.
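   A parser for the block formats of Sections 3.2.4 through 3.2.7, as an
   added example that is not code from the draft or any implementation.
   It assumes the IPv4 Standard Response Block uses the same Type /
   Length (16-bit) / MBZ header as the IPv6 block and lays out its
   fields in the order the field list gives (52 bytes in all); every
   sample byte string below is constructed here, and the Extended Query
   Type 0x7FFF is simply one this example's router does not know.

```python
"""Parser for the Standard Response (IPv4), Augmented Response and Extended
Query blocks described above.  Added example, not the draft's code; see the
lead-in for the layout assumptions.  All sample bytes are constructed here."""
import struct

TYPE_STD_RESP_V4, TYPE_AUGMENTED, TYPE_EXT_QUERY = 0x04, 0x05, 0x06
AUG_RETURNED_BLOCKS = 0x0001        # the one Augmented Response Type defined

FORWARDING_CODES = {
    0x00: "NO_ERROR", 0x01: "WRONG_IF", 0x02: "PRUNE_SENT", 0x03: "PRUNE_RCVD",
    0x04: "SCOPED", 0x05: "NO_ROUTE", 0x06: "WRONG_LAST_HOP", 0x07: "NOT_FORWARDING",
    0x08: "REACHED_RP", 0x09: "RPF_IF", 0x0A: "NO_MULTICAST", 0x0B: "INFO_HIDDEN",
    0x0C: "REACHED_GW", 0x0D: "UNKNOWN_QUERY", 0x80: "FATAL_ERROR", 0x81: "NO_SPACE",
    0x83: "ADMIN_PROHIB",
}

# Type, Length, MBZ, Query Arrival Time, Incoming/Outgoing/Upstream addresses,
# three 64-bit counters, Rtg / Multicast Rtg Protocol, Fwd TTL, MBZ 2,
# S|Src Mask, Forwarding Code: 52 bytes, big-endian, no padding.
STD_V4 = struct.Struct(">BHB IIII QQQ HH BBBB")


def is_transitory(fwd_code):
    """High-order bit set (0x80-0xff): transitory / automatically recovered."""
    return bool(fwd_code & 0x80)


def encode_std_resp_v4(arrival, incoming, outgoing, upstream, in_pkts, out_pkts,
                       sg_pkts, rtg=0, mrtg=0, fwd_ttl=0, s_bit=0, src_mask=127, fwd_code=0):
    return STD_V4.pack(TYPE_STD_RESP_V4, STD_V4.size, 0, arrival, incoming, outgoing,
                       upstream, in_pkts, out_pkts, sg_pkts, rtg, mrtg, fwd_ttl, 0,
                       (s_bit << 7) | (src_mask & 0x7F), fwd_code)


def encode_augmented(aug_type, value):
    return struct.pack(">BHBH", TYPE_AUGMENTED, 6 + len(value), 0, aug_type) + value


def encode_ext_query(ext_type, value, transitive):
    # The T bit is the low-order bit of the fourth byte; the other 7 bits are MBZ.
    return struct.pack(">BHBHH", TYPE_EXT_QUERY, 8, int(transitive), ext_type, value)


def parse_blocks(data):
    """Walk the TLVs that follow an Mtrace2 header; MBZ bits are ignored on receipt."""
    blocks, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated block header at offset %d" % off)
        btype, length = struct.unpack_from(">BH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad Length %d at offset %d" % (length, off))
        body = data[off:off + length]
        if btype == TYPE_STD_RESP_V4:
            if length != STD_V4.size:
                raise ValueError("IPv4 Standard Response Block must be %d bytes" % STD_V4.size)
            f = STD_V4.unpack(body)
            blocks.append({"type": btype, "query_arrival_time": f[3],
                           "incoming_iface": f[4], "outgoing_iface": f[5],
                           "upstream_router": f[6], "in_pkts": f[7], "out_pkts": f[8],
                           "sg_pkts": f[9], "rtg_protocol": f[10], "mcast_rtg_protocol": f[11],
                           "fwd_ttl": f[12], "s_bit": f[14] >> 7, "src_mask": f[14] & 0x7F,
                           "fwd_code": f[15], "fwd_code_name": FORWARDING_CODES.get(f[15], "?")})
        elif btype == TYPE_AUGMENTED:
            if length < 6:
                raise ValueError("Augmented Response Block shorter than 6 bytes")
            aug_type = struct.unpack_from(">H", body, 4)[0]
            blocks.append({"type": btype, "aug_type": aug_type, "value": body[6:]})
        elif btype == TYPE_EXT_QUERY:
            if length != 8:
                raise ValueError("Extended Query Block must be 8 bytes")
            ext_type, value = struct.unpack_from(">HH", body, 4)
            blocks.append({"type": btype, "transitive": bool(body[3] & 1),
                           "ext_type": ext_type, "value": value})
        else:
            blocks.append({"type": btype, "raw": body})
        off += length
    return blocks


def extended_query_disposition(block, supported_types):
    """T-bit rule of Section 3.2.7 for a router that does not support the type."""
    if block["ext_type"] in supported_types:
        return "process"
    return "forward" if block["transitive"] else "reply UNKNOWN_QUERY"


def returned_blocks(blocks):
    """Value of the Augmented Response Type 0x0001 block, or 0 if there is none."""
    for b in blocks:
        if b["type"] == TYPE_AUGMENTED and b["aug_type"] == AUG_RETURNED_BLOCKS:
            return int.from_bytes(b["value"], "big")
    return 0


# Constructed sample Request: two hops, the second reporting NO_SPACE, then the
# Augmented Response Block a router adds when it continues after NO_SPACE.
SAMPLE_REQUEST = (encode_std_resp_v4(0x12345678, 0x0A000001, 0x0A000101, 0x0A000002, 1000, 900, 50)
                  + encode_std_resp_v4(0x12345690, 0x0A000002, 0x0A000001, 0x0A000003,
                                       2000, 1900, 48, fwd_code=0x81)
                  + encode_augmented(AUG_RETURNED_BLOCKS, (2).to_bytes(2, "big")))
# Constructed sample Extended Query Block with a transitive type this router does not know.
SAMPLE_EXT_QUERY = encode_ext_query(0x7FFF, 0x0001, transitive=True)
```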
   In the case where a local LHR client is required, the router must
   then examine the Query to see if it is the proper LHR/RP for the
   destination address in the packet.  It is the proper local LHR if it
   has a multicast-capable interface on the same subnet as the Mtrace2
   Client Address and is the router that would forward traffic from the
   given (S,G) or (*,G) onto that subnet.  It is the proper RP if the
   multicast group address specified in the Query is 0 and if the IP
   header destination address is a valid RP address on this router.

   If the router determines that it is not the proper LHR/RP, or it
   cannot make that determination, it does one of two things depending
   on whether the Query was received via multicast or unicast.  If the
   Query was received via multicast, then it MUST be silently discarded.
   If it was received via unicast, the router turns the Query into a
   Reply message by changing the TLV type to 0x03 and appending a
   Standard Response Block with a Forwarding Code of WRONG_LAST_HOP.
   The rest of the fields in the Standard Response Block MUST be zeroed.
   The router then sends the Reply message to the Mtrace2 Client Address
   on the Client Port # as specified in the Mtrace2 Query.

   Duplicate Query messages, as identified by the tuple (Mtrace2 Client
   Address, Query ID), SHOULD be ignored.  This MAY be implemented using
   a cache of previously processed Queries keyed by the Mtrace2 Client
   Address and Query ID pair.  The duration of the cached entries is
   implementation specific.  Duplicate Request messages MUST NOT be
   ignored in this manner.

4.1.2.  Query Normal Processing

   When a router receives an Mtrace2 Query and determines that it is
   the proper LHR/RP, it turns the Query into a Request by changing the
   TLV type from 0x01 to 0x02, and performs the steps listed in
   Section 4.2.

4.2.  Receiving Mtrace2 Request

   An Mtrace2 Request is an Mtrace2 message that uses TLV type 0x02.
   With the exception of the LHR, whose Request was just converted from
   a Query, each Request received by a router should have at least one
   Standard Response Block filled in.

4.2.1.  Request Packet Verification

   If the Mtrace2 Request does not come from an adjacent router, or if
   the Request is not addressed to this router, or if the Request is
   addressed to a multicast group which is not a link-scoped group
   (i.e., 224.0.0.0/24 for IPv4, FFx2::/16 [3] for IPv6), it MUST be
   silently ignored.  The Generalized TTL Security Mechanism (GTSM) [14]
   SHOULD be used by the router to determine whether the router is
   adjacent or not.  The source verification specified in Section 9.2
   is also considered.

   If the sum of the number of Standard Response Blocks in the received
   Mtrace2 Request and the value of the Augmented Response Type 0x01
   block, if any, is equal to or greater than the # Hops in the Mtrace2
   Request, it MUST be silently ignored.

4.2.2.  Request Normal Processing

   When a router receives an Mtrace2 Request message, it performs the
   following steps.  Note that it is possible to have multiple
   situations covered by the Forwarding Codes.  The first one
   encountered is the one that is reported, i.e., all "note Forwarding
   Code N" should be interpreted as "if Forwarding Code is not already
   set, set Forwarding Code to N".  Note that in the steps described
   below the "Outgoing Interface" is the one on which the Mtrace2
   Request message arrives.

   1.  Prepare a Standard Response Block to be appended to the packet,
       setting all fields to an initial default value of zero.

   2.  If Mtrace2 is administratively prohibited, note the Forwarding
       Code of ADMIN_PROHIB and skip to step 4.

   3.  In the Standard Response Block, fill in the Query Arrival Time,
       Outgoing Interface Address (for IPv4) or Outgoing Interface ID
       (for IPv6), Output Packet Count, and Fwd TTL (for IPv4).

   4.  Attempt to determine the forwarding information for the
       specified source and group, using the same mechanisms as would
       be used when a packet is received from the source destined for
       the group.  A state need not be instantiated; it can be a
       "phantom" state created only for the purpose of the trace, such
       as a "dry run".

       If using a shared-tree protocol and there is no source-specific
       state, or if no source-specific information is desired (i.e.,
       all 1's for IPv4 or the unspecified address (::) for IPv6),
       group state should be used.  If there is no group state or no
       group-specific information is desired, potential source state
       (i.e., the path that would be followed for a source-specific
       Join) should be used.

   5.  If no forwarding information can be determined, the router notes
       a Forwarding Code of NO_ROUTE, sets the remaining fields that
       have not yet been filled in to zero, and then sends an Mtrace2
       Reply back to the Mtrace2 client.

   6.  If a Forwarding Code of ADMIN_PROHIB has been set, skip to step
       7.  Otherwise, fill in the Incoming Interface Address (or
       Incoming Interface ID and Local Address for IPv6), Upstream
       Router Address (or Remote Address for IPv6), Input Packet Count,
       Total Number of Packets, Routing Protocol, S, and Src Mask (or
       Src Prefix Len for IPv6) using the forwarding information
       determined in step 4.

   7.  If the Outgoing interface is not enabled for multicast, note a
       Forwarding Code of NO_MULTICAST.  If the Outgoing interface is
       the interface from which the router would expect data to arrive
       from the source, note a Forwarding Code of RPF_IF.  If the
       Outgoing interface is not one to which the router would forward
       data from the source or RP to the group, a Forwarding Code of
       WRONG_IF is noted.  In the above three cases, the router will
       return an Mtrace2 Reply and terminate the trace.

   8.  If the group is subject to administrative scoping on either the
       Outgoing or Incoming interfaces, a Forwarding Code of SCOPED is
       noted.

   9.  If this router is the RP for the group for a non-source-specific
       query, note a Forwarding Code of REACHED_RP.  The router will
       send an Mtrace2 Reply and terminate the trace.

   10. If this router is directly connected to the specified source or
       source network on the Incoming interface, it sets the Upstream
       Router Address (for IPv4) or the Remote Address (for IPv6) of
       the response block to zero.  The router will send an Mtrace2
       Reply and terminate the trace.

   11. If this router has sent a prune upstream which applies to the
       source and group in the Mtrace2 Request, it notes a Forwarding
       Code of PRUNE_SENT.  If the router has stopped forwarding
       downstream in response to a prune sent by the downstream router,
       it notes a Forwarding Code of PRUNE_RCVD.  If the router should
       normally forward traffic downstream for this source and group
       but is not, it notes a Forwarding Code of NOT_FORWARDING.

   12. If this router is a gateway (e.g., a NAT or firewall) that hides
       the information between this router and the Mtrace2 client, it
       notes a Forwarding Code of REACHED_GW.  The router continues the
       processing as described in Section 4.5.

   13. If the total number of Standard Response Blocks, including the
       newly prepared one, plus the value of the Augmented Response
       Type 0x01 block, if any, is less than the # Hops in the Request,
       the packet is then forwarded to the upstream router as described
       in Section 4.3; otherwise, the packet is sent as an Mtrace2
       Reply to the Mtrace2 client as described in Section 4.4.

4.3.  Forwarding Mtrace2 Request

   This section describes how an Mtrace2 Request should be forwarded.

4.3.1.  Destination Address

   If the upstream router for the Mtrace2 Request is known for this
   request, the Mtrace2 Request is sent to that router.  If the Incoming
   interface is known but the upstream router is not, the Mtrace2
   Request is sent to an appropriate multicast address on the Incoming
   interface.  The multicast address SHOULD depend on the multicast
   routing protocol in use, such as the ALL-[protocol]-ROUTERS group.
   It MUST be a link-scoped group (i.e., 224.0.0.0/24 for IPv4,
   FF02::/16 for IPv6), and MUST NOT be the all-systems multicast group
   (224.0.0.1) for IPv4 or the All Nodes Address (FF02::1) for IPv6.  It
   MAY also be the all-routers multicast group (224.0.0.2) for IPv4 or
   the All Routers Address (FF02::2) for IPv6 if the routing protocol in
   use does not define a more appropriate multicast address.

4.3.2.  Source Address

   An Mtrace2 Request should be sent with the address of the Incoming
   interface.  However, if the Incoming interface is unnumbered, the
   router can use one of its numbered interface addresses as the source
   address.

4.3.3.  Appending Standard Response Block

   An Mtrace2 Request MUST be sent upstream towards the source or the RP
   after appending a Standard Response Block to the end of the received
   Mtrace2 Request.  The Standard Response Block includes the multicast
   state and statistics information of the router described in
   Section 3.2.4.
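   The thirteen steps of Section 4.2.2, together with the hop-budget
   check of Section 4.2.1, written out as a decision procedure.  This is
   an added example, not the draft's or any router vendor's code: the
   RouterState and FwdInfo records, the returned dict and the action
   names "reply", "forward" and "proxy" are this example's own model,
   and the addresses are constructed IPv4 values.

```python
"""Section 4.2.2 Request processing as a decision procedure over router state.

Added example, not the draft's code.  RouterState / FwdInfo model what a real
router would look up; process_request returns the prepared Standard Response
Block fields and what happens next: "reply" (Section 4.4), "forward"
(Section 4.3) or "proxy" (Section 4.5).
"""
from dataclasses import dataclass
from typing import Optional

NO_ERROR, WRONG_IF, PRUNE_SENT, PRUNE_RCVD, SCOPED, NO_ROUTE = 0x00, 0x01, 0x02, 0x03, 0x04, 0x05
NOT_FORWARDING, REACHED_RP, RPF_IF, NO_MULTICAST, REACHED_GW = 0x07, 0x08, 0x09, 0x0A, 0x0C
ADMIN_PROHIB = 0x83

FIELDS = ("query_arrival_time", "incoming_iface", "outgoing_iface", "upstream_router",
          "in_pkts", "out_pkts", "sg_pkts", "fwd_ttl", "s_bit", "src_mask", "fwd_code")


@dataclass
class FwdInfo:
    """Result of the step 4 lookup ("phantom" state) for the traced source and group."""
    incoming_iface: int          # the RPF interface towards the source or RP
    upstream_router: int
    outgoing_ifaces: frozenset   # interfaces the router would forward this traffic on
    in_pkts: int = 0
    sg_pkts: int = 0
    s_bit: int = 0
    src_mask: int = 127


@dataclass
class RouterState:
    lookup: Optional[FwdInfo]    # None models "no forwarding information" (step 5)
    mcast_enabled: frozenset
    admin_prohibited: bool = False
    scoped_ifaces: frozenset = frozenset()   # interfaces where the group is admin-scoped
    is_rp_for_group: bool = False
    source_directly_connected: bool = False
    prune_sent: bool = False
    prune_rcvd: bool = False
    forwarding: bool = True
    is_gateway: bool = False
    fwd_ttl: int = 0
    out_pkts: int = 0


def request_is_stale(n_blocks, returned_blocks, n_hops):
    """Section 4.2.1: silently ignore a Request whose hop budget is already used up."""
    return n_blocks + returned_blocks >= n_hops


def process_request(router, arrival_iface, arrival_time, n_blocks, returned_blocks,
                    n_hops, source_specific=True):
    blk = dict.fromkeys(FIELDS, 0)                       # step 1

    def note(code):
        # "note Forwarding Code N": only the first condition met is reported.
        if blk["fwd_code"] == NO_ERROR:
            blk["fwd_code"] = code

    if router.admin_prohibited:                          # step 2
        note(ADMIN_PROHIB)
    else:                                                # step 3
        blk.update(query_arrival_time=arrival_time, outgoing_iface=arrival_iface,
                   out_pkts=router.out_pkts, fwd_ttl=router.fwd_ttl)

    info = router.lookup                                 # step 4
    if info is None:                                     # step 5
        note(NO_ROUTE)
        return blk, "reply"

    if blk["fwd_code"] != ADMIN_PROHIB:                  # step 6
        blk.update(incoming_iface=info.incoming_iface, upstream_router=info.upstream_router,
                   in_pkts=info.in_pkts, sg_pkts=info.sg_pkts,
                   s_bit=info.s_bit, src_mask=info.src_mask)

    terminate = False                                    # step 7
    if arrival_iface not in router.mcast_enabled:
        note(NO_MULTICAST)
        terminate = True
    if arrival_iface == info.incoming_iface:
        note(RPF_IF)
        terminate = True
    if arrival_iface not in info.outgoing_ifaces:
        note(WRONG_IF)
        terminate = True
    if terminate:
        return blk, "reply"

    if arrival_iface in router.scoped_ifaces or info.incoming_iface in router.scoped_ifaces:
        note(SCOPED)                                     # step 8: noted, trace continues
    if router.is_rp_for_group and not source_specific:   # step 9
        note(REACHED_RP)
        return blk, "reply"
    if router.source_directly_connected:                 # step 10
        blk["upstream_router"] = 0
        return blk, "reply"
    if router.prune_sent:                                # step 11
        note(PRUNE_SENT)
    if router.prune_rcvd:
        note(PRUNE_RCVD)
    if not router.forwarding:
        note(NOT_FORWARDING)
    if router.is_gateway:                                # step 12
        note(REACHED_GW)
        return blk, "proxy"
    if n_blocks + 1 + returned_blocks < n_hops:          # step 13
        return blk, "forward"
    return blk, "reply"
```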
   If appending the Standard Response Block would make the Mtrace2
   Request packet longer than the MTU of the Incoming Interface, or, in
   the case of IPv6, longer than 1280 bytes, the router MUST change the
   Forwarding Code in the last Standard Response Block of the received
   Mtrace2 Request into NO_SPACE.  The router then turns the Request
   into a Reply and sends the Reply as described in Section 4.4.

   The router will continue with a new Request by copying from the old
   Request excluding all the response blocks, followed by the previously
   prepared Standard Response Block, and an Augmented Response Block
   with Augmented Response Type of 0x01 and the number of the returned
   Standard Response Blocks as the value.  The new Request is then
   forwarded upstream.

4.4.  Sending Mtrace2 Reply

   An Mtrace2 Reply MUST be returned to the client by a router if any of
   the following conditions occur:

   1.  The total number of traced routers (including the one just
       added), plus the number of the returned blocks, if any, is equal
       to the # Hops in the Request.

   2.  Appending the Standard Response Block would make the Mtrace2
       Request packet longer than the MTU of the Incoming interface.
       (In the case of IPv6, not more than 1280 bytes; see Section 4.3.3
       for additional details on the handling of this case.)

   3.  The Request has reached the RP for a non-source-specific query or
       has reached the first-hop router for a source-specific query (see
       Section 4.2.2, items 9 and 10, for additional details).

4.4.1.  Destination Address

   An Mtrace2 Reply MUST be sent to the address specified in the Mtrace2
   Client Address field in the Mtrace2 Request.

4.4.2.  Source Address

   An Mtrace2 Reply SHOULD be sent with the address of the router's
   Outgoing interface.  However, if the Outgoing interface address is
   unnumbered, the router can use one of its numbered interface
   addresses as the source address.

4.4.3.  Appending Standard Response Block

   An Mtrace2 Reply MUST be sent with the prepared Standard Response
   Block appended at the end of the received Mtrace2 Request, except in
   the case of the NO_SPACE forwarding code.

4.5.  Proxying Mtrace2 Query

   When a gateway (e.g., a NAT or firewall), which needs to block
   unicast packets to the Mtrace2 client, or hide information between
   the gateway and the Mtrace2 client, receives an Mtrace2 Query from an
   adjacent host or an Mtrace2 Request from an adjacent router, it
   appends a Standard Response Block with REACHED_GW as the Forwarding
   Code.  It turns the Query or Request into a Reply, and sends the
   Reply back to the client.

   At the same time, the gateway originates a new Mtrace2 Query message
   by copying the original Mtrace2 header (the Query or Request without
   any of the response blocks), and makes the following changes:

   o  sets the RPF interface's address as the Mtrace2 Client Address;

   o  uses its own port number as the Client Port #; and,

   o  decreases # Hops by ((number of the Standard Response Blocks that
      were just returned in a Reply) - 1).  The "-1" in this expression
      accounts for the additional Standard Response Block appended by
      the gateway router.

   The new Mtrace2 Query message is then sent to the upstream router or
   to an appropriate multicast address on the RPF interface.

   When the gateway receives an Mtrace2 Reply whose Query ID matches the
   one in the original Mtrace2 header, it MUST relay the Mtrace2 Reply
   back to the Mtrace2 client by replacing the Reply's header with the
   original Mtrace2 header.  If the gateway does not receive the
   corresponding Mtrace2 Reply within the [Mtrace Reply Timeout] period
   (see Section 5.8.4), then it silently discards the original Mtrace2
   Query or Request message, and terminates the trace.

4.6.  Hiding Information

   Information about a domain's topology and connectivity may be hidden
   from the Mtrace2 Requests.  The Forwarding Code of INFO_HIDDEN may be
   used to note that.  For example, the incoming interface address and
   packet count on the ingress router of a domain, and the outgoing
   interface address and packet count on the egress router of the
   domain, can be specified as all 1's.  Additionally, the source-group
   packet count (see Section 3.2.4 and Section 3.2.5) within the domain
   may be all 1's if it is hidden.

5.  Client Behavior

   This section describes the behavior of an Mtrace2 client in detail.

5.1.  Sending Mtrace2 Query

   An Mtrace2 client initiates an Mtrace2 Query by sending the Query to
   the LHR of interest.

5.1.1.  Destination Address

   If an Mtrace2 client knows the proper LHR, it unicasts an Mtrace2
   Query packet to that router; otherwise, it MAY send the Mtrace2 Query
   packet to the all-routers multicast group (224.0.0.2) for IPv4 or the
   All Routers Address (FF02::2) for IPv6.  This will ensure that the
   packet is received by the LHR on the subnet.

   See also Section 5.4 on determining the LHR.

5.1.2.  Source Address

   An Mtrace2 Query MUST be sent with the client's interface address,
   which is the Mtrace2 Client Address.

5.2.  Determining the Path

   An Mtrace2 client could send an initial Query message with a large #
   Hops, in order to try to trace the full path.  If this attempt fails,
   one strategy is to perform a linear search (as the traditional
   unicast traceroute program does): set the # Hops field to 1 and try
   to get a Reply, then 2, and so on.  If no Reply is received at a
   certain hop, this hop is identified as the probable cause of
   forwarding failures on the path.  Nevertheless, the sender may
   attempt to continue tracing past the non-responding hop by further
   increasing the hop count in the hope that further hops may respond.
   Each of these attempts MUST NOT be initiated before the previous
   attempt has terminated, either because of successful reception of a
   Reply or because the [Mtrace Reply Timeout] timeout has occurred.

   See also Section 5.6 on receiving the results of a trace.

5.3.  Collecting Statistics

   After a client has determined that it has traced the whole path, or
   as much as it can expect to (see Section 5.8), it might collect
   statistics by waiting a short time and performing a second trace.  If
   the path is the same in the two traces, statistics can be displayed
   as described in Section 7.3 and Section 7.4.

5.4.  Last Hop Router (LHR)

   The Mtrace2 client may not know which router is the last-hop router,
   or that router may be behind a firewall that blocks unicast packets
   but passes multicast packets.  In these cases, the Mtrace2 Request
   should be multicast to the all-routers multicast group (224.0.0.2)
   for IPv4 or the All Routers Address (FF02::2) for IPv6.  All routers
   except the correct last-hop router SHOULD ignore any Mtrace2 Request
   received via multicast.

5.5.  First Hop Router (FHR)

   The IANA assigned 224.0.1.32 as the default multicast group for old
   IPv4 mtrace (v1) responses, in order to support mtrace clients that
   are not unicast reachable from the first-hop router.  Mtrace2,
   however, does not require any IPv4/IPv6 multicast addresses for the
   Mtrace2 Replies.  Every Mtrace2 Reply is sent to the unicast address
   specified in the Mtrace2 Client Address field of the Mtrace2 Reply.

5.6.  Broken Intermediate Router

   A broken intermediate router might simply not understand Mtrace2
   packets, and drop them.  The Mtrace2 client will get no Reply at all
   as a result.  It should then perform a hop-by-hop search by setting
   the # Hops field until it gets an Mtrace2 Reply.  The client may use
   linear or binary search; however, the latter is likely to be slower
   because a failure requires waiting for the [Mtrace Reply Timeout]
   period.

5.7.  Non-Supported Router

   When a non-supported router receives an Mtrace2 Query or Request
   message whose destination address is a multicast address, the router
   will silently discard the message.

   When the router receives an Mtrace2 Query which is destined to
   itself, the router returns an Internet Control Message Protocol
   (ICMP) port unreachable to the Mtrace2 client.  On the other hand,
   when the router receives an Mtrace2 Request which is destined to
   itself, the router returns an ICMP port unreachable to the adjacent
   router from which the Request was received.  Therefore, the Mtrace2
   client needs to terminate the trace when the [Mtrace Reply Timeout]
   timeout has occurred, and may then issue another Query with a lower
   # Hops.

5.8.  Mtrace2 Termination

   When performing an expanding hop-by-hop trace, it is necessary to
   determine when to stop expanding.

5.8.1.  Arriving at Source

   A trace can be determined to have arrived at the source if the
   Incoming Interface of the last router in the trace is non-zero, but
   the Upstream Router is zero.

5.8.2.  Fatal Error

   A trace has encountered a fatal error if the last Forwarding Code in
   the trace has the 0x80 bit set.

5.8.3.  No Upstream Router

   A trace cannot continue if the last Upstream Router in the trace is
   set to 0.

5.8.4.  Reply Timeout

   This document defines the [Mtrace Reply Timeout] value, which is used
   to time out an Mtrace2 Reply as seen in Section 4.5, Section 5.2, and
   Section 5.7.  The default [Mtrace Reply Timeout] value is 10
   (seconds), and can be manually changed on the Mtrace2 client and
   routers.

5.9.  Continuing after an Error

   When the NO_SPACE error occurs, as described in Section 4.2, a router
   will send back an Mtrace2 Reply to the Mtrace2 client, and continue
   with a new Request (see Section 4.3.3).  In this case, the Mtrace2
   client may receive multiple Mtrace2 Replies from different routers
   along the path.  When this happens, the client MUST treat them as a
   single Mtrace2 Reply message by collating the augmented response
   blocks of subsequent Replies sharing the same Query ID, sequencing
   each cluster of augmented response blocks based on the order in which
   they are received.

   If a trace times out, it is very likely that a router in the middle
   of the path does not support Mtrace2.  That router's address will be
   in the Upstream Router field of the last Standard Response Block in
   the last received Reply.  A client may be able to determine (via
   mrinfo or the Simple Network Management Protocol (SNMP) [11][13]) a
   list of neighbors of the non-responding router.  The neighbors
   obtained in this way could then be probed (via the multicast MIB
   [13]) to determine which one is the upstream neighbor (i.e., the
   Reverse Path Forwarding (RPF) neighbor) of the non-responding router.
   This algorithm can identify the upstream neighbor because, even
   though there may be multiple neighbors, the non-responding router
   should only have sent a "join" to the one neighbor corresponding to
   its selected RPF path.  Because of this, only the RPF neighbor should
   contain the non-responding router as a multicast next hop in its MIB
   output list for the affected multicast route.

6.  Protocol-Specific Considerations

   This section describes the Mtrace2 behavior in the presence of
   different multicast protocols.

6.1.  PIM-SM

   When an Mtrace2 trace reaches a PIM-SM RP, and the RP does not
   forward the trace on, it means that the RP has not performed a
   source-specific join, so there is no more state to trace.  However,
   the path that traffic would use if the RP did perform a source-
   specific join can be traced by setting the trace destination to the
   RP, the trace source to the traffic source, and the trace group to 0.
   This Mtrace2 Query may be unicast to the RP, and the RP takes the
   same actions as an LHR.

6.2.  Bi-Directional PIM

   Bi-directional PIM [6] is a variant of PIM-SM that builds bi-
   directional shared trees connecting multicast sources and receivers.
   Along the bi-directional shared trees, multicast data is natively
   forwarded from the sources to the Rendezvous Point Link (RPL), and
   from there to the receivers, without requiring source-specific state.
   In contrast to PIM-SM, Bi-directional PIM always has the state to
   trace.

   A Designated Forwarder (DF) for a given Rendezvous Point Address
   (RPA) is in charge of forwarding downstream traffic onto its link,
   and forwarding upstream traffic from its link towards the RPL that
   the RPA belongs to.  Hence an Mtrace2 Reply reports DF addresses or
   the RPA along the path.

6.3.  PIM-DM

   Routers running PIM Dense Mode [15] do not know the path packets
   would take unless traffic is flowing.  Without some extra protocol
   mechanism, this means that in an environment with multiple possible
   paths with branch points on shared media, Mtrace2 can only trace
   existing paths, not potential paths.
When there are multiple 1419 possible paths but the branch points are not on shared media, the 1420 upstream router is known, but the LHR may not know that it is the 1421 appropriate last hop. 1423 When traffic is flowing, PIM Dense Mode routers know whether or not 1424 they are the LHR for the link (because they won or lost an Assert 1425 battle) and know who the upstream router is (because it won an Assert 1426 battle). Therefore, Mtrace2 is always able to follow the proper path 1427 when traffic is flowing. 1429 6.4. IGMP/MLD Proxy 1431 When an IGMP or Multicast Listener Discovery (MLD) Proxy [7] receives 1432 an Mtrace2 Query packet on an incoming interface, it notes a WRONG_IF 1433 in the Forwarding Code of the last Standard Response Block (see 1434 Section 3.2.4), and sends the Mtrace2 Reply back to the Mtrace2 1435 client. On the other hand, when an Mtrace2 Query packet reaches an 1436 outgoing interface of the IGMP/MLD proxy, it is forwarded onto its 1437 incoming interface towards the upstream router. 1439 7. Problem Diagnosis 1441 This section describes different scenarios Mtrace2 can be used to 1442 diagnose the multicast problems. 1444 7.1. Forwarding Inconsistencies 1446 The Forwarding Error code can tell if a group is unexpectedly pruned 1447 or administratively scoped. 1449 7.2. TTL or Hop Limit Problems 1451 By taking the maximum of hops from the source and forwarding TTL 1452 threshold over all hops, it is possible to discover the TTL or hop 1453 limit required for the source to reach the destination. 1455 7.3. Packet Loss 1457 By taking multiple traces, it is possible to find packet loss 1458 information by tracking the difference between the output packet 1459 count for the specified source-group address pair at a given upstream 1460 router and the input packet count on the next hop downstream router. 1461 On a point-to-point link, any steadily increasing difference in these 1462 counts implies packet loss. 
Although the packet counts will differ 1463 due to Mtrace2 Request propagation delay, the difference should 1464 remain essentially constant (except for jitter caused by differences 1465 in propagation time among the trace iterations). However, this 1466 difference will display a steady increase if packet loss is 1467 occurring. On a shared link, the count of input packets can be 1468 larger than the number of output packets at the previous hop, due to 1469 other routers or hosts on the link injecting packets. This appears 1470 as "negative loss" which may mask real packet loss. 1472 In addition to the counts of input and output packets for all 1473 multicast traffic on the interfaces, the Standard Response Block 1474 includes a count of the packets forwarded by a node for the specified 1475 source-group pair. Taking the difference in this count between two 1476 traces and then comparing those differences between two hops gives a 1477 measure of packet loss just for traffic from the specified source to 1478 the specified receiver via the specified group. This measure is not 1479 affected by shared links. 1481 On a point-to-point link that is a multicast tunnel, packet loss is 1482 usually due to congestion in unicast routers along the path of that 1483 tunnel. On native multicast links, loss is more likely in the output 1484 queue of one hop, perhaps due to priority dropping, or in the input 1485 queue at the next hop. The counters in the Standard Response Block 1486 do not allow these cases to be distinguished. Differences in packet 1487 counts between the incoming and outgoing interfaces on one node 1488 cannot generally be used to measure queue overflow in the node. 1490 7.4. Link Utilization 1492 Again, with two traces, you can divide the difference in the input or 1493 output packet counts at some hop by the difference in time stamps 1494 from the same hop to obtain the packet rate over the link. 
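   As an added worked example (not code from this draft or from any mtrace implementation), the following Python applies the termination rules of Section 5.8 and the same-path check of Section 5.3 to a pair of traces, and then derives the per-link loss figures of Section 7.3, the packet rate of Section 7.4 and the delay estimate of Section 7.5 from them, going slightly beyond this paragraph to cover all three. The ResponseBlock class is a simplified model of the Standard Response Block (timestamps as seconds rather than NTP format, a subset of fields), the two traces and their counters are constructed, and the average packet size used for the byte-rate estimate is an assumed input.

```python
from dataclasses import dataclass

NONE = "0.0.0.0"   # an all-zero address field means "none" (Section 5.8)


@dataclass
class ResponseBlock:
    """Simplified model of a Standard Response Block (constructed field subset)."""
    arrival_time: float    # Query Arrival Time, here as seconds
    incoming_iface: str    # Incoming Interface Address
    upstream_router: str   # Upstream Router Address
    input_pkts: int        # input packet count on the incoming interface
    output_pkts: int       # output packet count on the outgoing interface
    sg_pkts: int           # packets forwarded for this source-group pair
    fwd_code: int          # Forwarding Code; the 0x80 bit marks a fatal error


def trace_status(trace: list) -> str:
    """Section 5.8 termination rules on the last block.  trace[0] is the LHR,
    trace[-1] the router nearest the source (the order routers append blocks)."""
    last = trace[-1]
    if last.fwd_code & 0x80:                                          # 5.8.2
        return "fatal_error"
    if last.incoming_iface != NONE and last.upstream_router == NONE:  # 5.8.1
        return "arrived_at_source"
    if last.upstream_router == NONE:                                  # 5.8.3
        return "no_upstream_router"
    return "continue"   # expand # Hops and query again (Section 5.2)


def same_path(t1: list, t2: list) -> bool:
    """Section 5.3: statistics are only comparable if both traces saw one path."""
    return [(b.incoming_iface, b.upstream_router) for b in t1] == \
           [(b.incoming_iface, b.upstream_router) for b in t2]


def link_statistics(t1: list, t2: list, avg_pkt_bytes: int = 0) -> list:
    """Per-link figures from two traces of one path (Sections 7.3 to 7.5).
    Link i joins the upstream hop t[i+1] to the downstream hop t[i]."""
    if not same_path(t1, t2):
        raise ValueError("path changed between traces; counters not comparable")
    stats = []
    for i in range(len(t1) - 1):
        down1, down2, up1, up2 = t1[i], t2[i], t1[i + 1], t2[i + 1]
        d_in = down2.input_pkts - down1.input_pkts
        # 7.3: interface-level loss; can go negative on a shared link
        iface_loss = (up2.output_pkts - up1.output_pkts) - d_in
        # 7.3: (S,G)-specific loss from the per-pair forwarded counts; shared-link safe
        sg_loss = (up2.sg_pkts - up1.sg_pkts) - (down2.sg_pkts - down1.sg_pkts)
        # 7.4: packet rate from one hop's own counter and timestamp deltas
        rate = d_in / (down2.arrival_time - down1.arrival_time)
        # 7.5: per-link delay from one trace; includes control-plane processing
        delay = up1.arrival_time - down1.arrival_time
        stats.append({"downstream": down1.incoming_iface, "iface_loss": iface_loss,
                      "sg_loss": sg_loss, "pkt_rate": rate, "delay": delay,
                      "bytes_per_s": rate * avg_pkt_bytes})
    return stats


# Two constructed traces of a three-hop path, taken ten seconds apart.
TRACE_1 = [
    ResponseBlock(100.000, "10.0.2.1", "10.0.2.254", 5000, 4990, 1000, 0),  # LHR
    ResponseBlock(100.010, "10.0.1.1", "10.0.1.254", 6000, 5995, 1000, 0),
    ResponseBlock(100.020, "10.0.0.1", NONE, 7000, 6998, 1000, 0),          # FHR
]
TRACE_2 = [
    ResponseBlock(110.000, "10.0.2.1", "10.0.2.254", 6185, 6175, 1985, 0),
    ResponseBlock(110.010, "10.0.1.1", "10.0.1.254", 7190, 7185, 1990, 0),
    ResponseBlock(110.020, "10.0.0.1", NONE, 8200, 8198, 2000, 0),
]

if __name__ == "__main__":
    print(trace_status(TRACE_1))            # arrived_at_source
    for link in link_statistics(TRACE_1, TRACE_2, avg_pkt_bytes=1200):
        print(link)
```

   With the constructed counters the link nearest the source shows 10 packets lost and the link nearest the receiver 5, on both the interface-level and the (S,G)-specific measure, so no shared-link "negative loss" is masking anything.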
   If the average packet size is known, then the link utilization can also be estimated to see whether packet loss may be due to the rate limit or the physical capacity on a particular link being exceeded.

7.5. Time Delay

   If the routers have synchronized clocks, it is possible to estimate propagation and queuing delay from the differences between the timestamps at successive hops. However, this delay includes control processing overhead, so it is not necessarily indicative of the delay that data traffic would experience.

8. IANA Considerations

   The following new registries are to be created and maintained under the "Specification Required" registry policy as specified in [4].

8.1. "Mtrace2 Forwarding Codes" Registry

   This is an integer in the range 0-255. Assignment of a Forwarding Code requires specification of a value and a name for the Forwarding Code. Initial values for the forwarding codes are given in the table at the end of Section 3.2.4. Additional values (specific to IPv6) may also be specified at the end of Section 3.2.5. Any additions to this registry are required to fully describe the conditions under which the new Forwarding Code is used.

8.2. "Mtrace2 TLV Types" Registry

   Assignment of a TLV Type requires specification of an integer value "Code" in the range 0-255 and a name ("Type"). Initial values for the TLV Types are given in the table at the beginning of Section 3.2.

8.3. UDP Destination Port

   IANA has assigned UDP user port 33435 (mtrace) for use by this protocol as the Mtrace2 UDP destination port.

9. Security Considerations

   This section addresses some of the security considerations related to Mtrace2.

9.1. Addresses in Mtrace2 Header

   An Mtrace2 header includes three addresses: the source address, the multicast address, and the Mtrace2 client address. These addresses MUST be congruent with the definitions in Section 3.2.1, and forwarding Mtrace2 messages having invalid addresses MUST be prohibited. For instance, if the Mtrace2 Client Address specified in an Mtrace2 header is a multicast address, then a router that receives the Mtrace2 message MUST silently discard it.

9.2. Verification of Clients and Peers

   A router providing Mtrace2 functionality MUST support a source verification mechanism to drop Queries from clients and Requests from peer router or client addresses that are unauthorized or that are beyond a specified administrative boundary. This verification could, for example, be specified via a list of allowed/disallowed client and peer addresses or subnets for a given Mtrace2 message type sent to the Mtrace2 protocol port. If a Query or Request is received from an unauthorized address or one beyond the specified administrative boundary, the Query/Request MUST NOT be processed. The router MAY, however, perform rate-limited logging of such events.

   The required use of source verification on the participating routers minimizes the possible methods for introduction of spoofed Query/Request packets that would otherwise enable DoS amplification attacks targeting an authorized "query" host. The source verification mechanisms provide this protection by allowing Query messages from an authorized host address to be received only by the router(s) connected to that host, and only on the interface to which that host is attached. For protection against spoofed Request messages, the source verification mechanisms allow Request messages only from a directly connected routing peer and allow these messages to be received only on the interface to which that peer is attached.
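   As an added illustration (not code from this draft or from any router implementation), the following Python sketches a source verification module in the sense of Sections 9.1 and 9.2: Queries are accepted only from configured client subnets on the interface those clients are attached to, Requests only from directly connected peers on their own interface, a message whose Mtrace2 Client Address is multicast is silently discarded, and every drop is counted but logged only at a rate-limited interval. The interface names, addresses, the log interval and the FakeClock are constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

QUERY, REQUEST = "Query", "Request"


class Mtrace2SourceVerifier:
    """Per-interface allow lists for Mtrace2 Queries and Requests (Section 9.2),
    plus the Client Address check of Section 9.1.  Constructed example."""

    def __init__(self, clock, log_interval=5.0):
        self.clients = defaultdict(list)   # iface -> [client subnets allowed to send Queries]
        self.peers = defaultdict(set)      # iface -> {directly connected peers for Requests}
        self.clock = clock                 # injectable monotonic clock returning seconds
        self.log_interval = log_interval   # at most one log entry per interval
        self.log = []                      # (time, reason) entries actually emitted
        self._last_log = None
        self.dropped = 0                   # every drop is counted even when not logged

    def allow_clients(self, iface, subnet):
        self.clients[iface].append(ipaddress.ip_network(subnet))

    def allow_peer(self, iface, addr):
        self.peers[iface].add(ipaddress.ip_address(addr))

    def _drop(self, reason):
        """Drop silently, keeping only a rate-limited log of the event (9.2)."""
        self.dropped += 1
        now = self.clock()
        if self._last_log is None or now - self._last_log >= self.log_interval:
            self.log.append((now, reason))
            self._last_log = now
        return False, reason

    def accept(self, iface, msg_type, src, client_addr):
        """Return (accepted, reason) for a message of msg_type received on iface
        from IP source src and carrying client_addr in its Mtrace2 header."""
        src = ipaddress.ip_address(src)
        client = ipaddress.ip_address(client_addr)
        # 9.1: a multicast Mtrace2 Client Address is invalid; discard silently
        if client.is_multicast:
            return self._drop("multicast client address")
        if msg_type == QUERY:
            # 9.2: Queries only from an authorized client subnet, and only on
            # the interface that subnet is attached to
            if not any(src in net for net in self.clients[iface]):
                return self._drop("unauthorized query source %s on %s" % (src, iface))
        elif msg_type == REQUEST:
            # 9.2: Requests only from a directly connected peer on its own interface
            if src not in self.peers[iface]:
                return self._drop("unauthorized request source %s on %s" % (src, iface))
        else:
            return self._drop("unknown message type %r" % msg_type)
        return True, "ok"


class FakeClock:
    """Constructed deterministic clock so the logging behaviour is reproducible."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, s): self.t += s


def demo():
    """Five constructed arrivals on a router with one client LAN and one peer."""
    v = Mtrace2SourceVerifier(FakeClock())
    v.allow_clients("eth0", "192.0.2.0/24")     # management LAN with the query clients
    v.allow_peer("eth1", "198.51.100.1")        # the one multicast routing peer on eth1
    results = [
        v.accept("eth0", QUERY, "192.0.2.10", "192.0.2.10")[0],       # True
        v.accept("eth1", QUERY, "192.0.2.10", "192.0.2.10")[0],       # False: wrong iface
        v.accept("eth0", QUERY, "192.0.2.10", "233.252.0.1")[0],      # False: 9.1
        v.accept("eth1", REQUEST, "198.51.100.1", "192.0.2.10")[0],   # True
        v.accept("eth0", REQUEST, "192.0.2.10", "192.0.2.10")[0],     # False: not a peer
    ]
    return results, v


if __name__ == "__main__":
    print(demo()[0])   # [True, False, False, True, False]
```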
   Note that the following vulnerabilities cannot be covered by the source verification methods described here. These methods can, nevertheless, prevent attacks launched from outside the boundaries of a given network as well as from any hosts within the network that are not on the same LAN as an intended authorized query client.

   o  A server/router "B" other than the server/router "A" that actually "owns" a given IP address could, if it is connected to the same LAN, send an Mtrace2 Query or Request with the source address set to the address of server/router "A". This is not a significant threat, however, if only trusted servers and routers are connected to that LAN.

   o  A malicious application running on a trusted server or router could send packets that might cause an amplification problem. It is beyond the scope of this document to protect against a DoS attack launched from the same host that is the target of the attack or from another "on path" host, but this is not a likely threat scenario. In addition, routers on the path MAY rate-limit the packets as specified in Section 9.5 and Section 9.6.

9.3. Topology Discovery

   Mtrace2 can be used to discover any actively-used topology. If your network topology is a secret, Mtrace2 may be restricted at the border of your domain, using the ADMIN_PROHIB forwarding code.

9.4. Characteristics of Multicast Channel

   Mtrace2 can be used to discover what sources are sending to what groups and at what rates. If this information is a secret, Mtrace2 may be restricted at the border of your domain, using the ADMIN_PROHIB forwarding code.

9.5. Limiting Query/Request Rates

   A router may limit Mtrace2 Queries and Requests by ignoring some of the consecutive messages. The router MAY randomly ignore the received messages to minimize the processing overhead, i.e., to keep fairness in processing queries, or to prevent traffic amplification. The rate limit is left to the router's implementation.

9.6. Limiting Reply Rates

   The proxying and NO_SPACE behaviors may result in one Query returning multiple Reply messages. In order to prevent abuse, the routers in the traced path MAY need to rate-limit the Replies. The rate limit function is left to the router's implementation.

9.7. Specific Security Concerns

9.7.1. Request and Response Bombardment

   A malicious sender could generate invalid and undesirable Mtrace2 traffic to hosts and/or routers on a network by eliciting responses to spoofed or multicast client addresses. This could be done via forged or multicast client/source addresses in Mtrace2 Query or Request messages. The recommended protections against this type of attack are described in Section 9.1, Section 9.2, Section 9.5, and Section 9.6.

9.7.2. Amplification Attack

   Because an Mtrace2 Query results in Mtrace2 Request and Mtrace2 Reply messages that are larger than the original message, the potential exists for an amplification attack from a malicious sender. This threat is minimized by restricting the set of addresses from which Mtrace2 messages can be received on a given router, as specified in Section 9.2.

   In addition, for a router running a PIM protocol (PIM-SM, PIM-DM, PIM Source-Specific Multicast, or Bi-Directional PIM), the router SHOULD drop any Mtrace2 Request or Reply message that is received from an IP address that does not correspond to an authenticated PIM neighbor on the interface from which the packet is received. The intent of this text is to prevent non-router endpoints from injecting Request messages. Implementations of non-PIM protocols SHOULD employ some other mechanism to prevent this attack.

9.7.3. Leaking of Confidential Topology Details

   Mtrace2 Queries are a potential mechanism for obtaining confidential topology information for a targeted network. Section 9.2 and Section 9.4 describe required and optional methods for ensuring that information delivered with Mtrace2 messages is not disseminated to unauthorized hosts.

9.7.4. Delivery of False Information (Forged Reply Messages)

   Forged Reply messages could potentially provide a host with invalid or incorrect topology information. They could also provide invalid or incorrect information regarding multicast traffic statistics, multicast stream propagation delay between hops, multicast and unicast protocols in use between hops, and other information used for analyzing multicast traffic patterns and for troubleshooting multicast traffic problems. This threat is mitigated by the following factors:

   o  The required source verification of permissible source addresses specified in Section 9.2 eliminates the origination of forged Replies from addresses that have not been authorized to send Mtrace2 messages to routers on a given network. This mechanism can block forged Reply messages sent from any "off path" source.

   o  To forge a Reply, the sender would need to somehow know (or guess) the associated two-byte Query ID for an extant Query and the dynamically allocated source port number. Because "off path" sources can be blocked by a source verification mechanism, the scope of this threat is limited to "on path" attackers.

   o  The required use of source verification (Section 9.2) and the recommended use of PIM neighbor authentication (Section 9.7.2) for messages that are only valid when sent by a multicast routing peer (Request and Reply messages) eliminate the possibility of reception of a forged Reply from an authorized host address that does not belong to a multicast peer router.

   o  The use of encryption between the source of a Query and the endpoint of the trace would provide a method to protect the values of the Query ID and the dynamically allocated client (source) port (see Section 3.2.1). These are the values needed to create a forged Reply message that would pass validity checks at the querying client. This type of cryptographic protection is not practical, however, because the primary reason for executing an Mtrace2 is that the destination endpoint (and the path to that endpoint) are not known by the querying client. While it is not practical to provide cryptographic protection between a client and the Mtrace2 endpoints (destinations), it may be possible to prevent forged responses from "off path" nodes attached to any Mtrace2 transit LAN by devising a scheme to encrypt the critical portions of an Mtrace2 message between each valid sender/receiver pair at each hop to be used for multicast/mtrace transit. The use of encryption protection between nodes is, however, out of the scope of this document.

10. Acknowledgements

   This specification started largely as a transcription of Van Jacobson's slides from the 30th IETF, and the implementation in mrouted 3.3 by Ajit Thyagarajan. Van's original slides credit Steve Casner, Steve Deering, Dino Farinacci and Deb Agrawal. The original multicast traceroute client, mtrace (version 1), was implemented by Ajit Thyagarajan, Steve Casner and Bill Fenner. The idea of the "S" bit to allow statistics for a source subnet is due to Tom Pusateri.

   For the Mtrace version 2 specification, the authors would like to give special thanks to Tatsuya Jinmei, Bill Fenner, and Steve Casner. Also, extensive comments were received from David L. Black, Ronald Bonica, Yiqun Cai, Liu Hui, Bharat Joshi, Robert Kebler, John Kristoff, Mankamana Mishra, Heidi Ou, Eric Rescorla, Pekka Savola, Shinsuke Suzuki, Dave Thaler, Achmad Husni Thamrin, Stig Venaas, Cao Wei, and the Mboned working group members.

11. References

11.1. Normative References

   [1]  Bradner, S., "Key words for use in RFCs to indicate requirement levels", RFC 2119, March 1997.

   [2]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 8200, July 2017.

   [3]  Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006.

   [4]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", RFC 8126, June 2017.

   [5]  Fenner, B., Handley, M., Holbrook, H., Kouvelas, I., Parekh, R., Zhang, Z., and L. Zheng, "Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised)", RFC 7761, March 2016.

   [6]  Handley, M., Kouvelas, I., Speakman, T., and L. Vicisano, "Bidirectional Protocol Independent Multicast (BIDIR-PIM)", RFC 5015, October 2007.

   [7]  Fenner, B., He, H., Haberman, B., and H. Sandick, "Internet Group Management Protocol (IGMP) / Multicast Listener Discovery (MLD)-Based Multicast Forwarding ("IGMP/MLD Proxying")", RFC 4605, August 2006.

11.2. Informative References

   [8]  Cain, B., Deering, S., Kouvelas, I., Fenner, B., and A. Thyagarajan, "Internet Group Management Protocol, Version 3", RFC 3376, October 2002.

   [9]  Bumgardner, G., "Automatic Multicast Tunneling", RFC 7450, February 2015.

   [10] Rosen, E. and R. Aggarwal, "Multicast in MPLS/BGP IP VPNs", RFC 6513, February 2012.

   [11] Draves, R. and D. Thaler, "Default Router Preferences and More-Specific Routes", RFC 4191, November 2005.

   [12] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000.

   [13] McWalter, D., Thaler, D., and A. Kessler, "IP Multicast MIB", RFC 5132, December 2007.

   [14] Gill, V., Heasley, J., Meyer, D., Savola, P., and C. Pignataro, "The Generalized TTL Security Mechanism (GTSM)", RFC 5082, October 2007.

   [15] Adams, A., Nicholas, J., and W. Siadak, "Protocol Independent Multicast - Dense Mode (PIM-DM): Protocol Specification (Revised)", RFC 3973, January 2005.

Authors' Addresses

   Hitoshi Asaeda
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo 184-8795
   Japan

   Email: asaeda@nict.go.jp

   Kerry Meyer

   Email: kerry.meyer@me.com

   WeeSan Lee (editor)

   Email: weesan@weesan.com