Internet Draft                                            B. Nickless
Document: draft-nickless-ipv4-mcast-unusable-02.txt       Argonne National Laboratory
Expires: December 2003                                    June 2003

           IPv4 Multicast Unusable Group And Source Addresses

1. Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

2. Abstract

   Some IPv4 multicast datagrams should not be routed, either within an
   administrative domain or between administrative domains.  A list of
   those restrictions is supplied here.  These restrictions SHOULD be
   respected by IPv4 multicast applications, and included in network
   device access control lists.

3. Table of Contents

   1. Status of this Memo
   2. Abstract
   4. Conventions used in this document
   5. Background
   6. Specific (Source,Group) Restrictions
   7. Unusable Locally
   8. Unusable Inter-domain
   9. No Flooding of Knowledge of Active Sources
   9. Security Considerations
   10. Acknowledgements
   11. References
   12. Author's Address

4. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [RFC2119].

5. Background

   IPv4 multicast [MCAST] is an internetwork service that allows IPv4
   datagrams sent from a source to be delivered to one or more
   interested receiver(s).  That is, a given source sends a packet to
   the network with a destination address in the 224/4 CIDR [CIDR]
   range.  The network transports this packet to all receivers
   (replicated where necessary) that have registered their interest in
   receiving these packets.

   Some combinations of Source Address and Group Address SHOULD NOT be
   routed for various reasons.  This note describes those restrictions
   so they can be:

   - Avoided by applications, especially those that choose multicast
     groups on a random or ad-hoc basis.
   - Properly reflected in network device restriction lists.

6. Specific (Source,Group) Restrictions

   Following is a list of (Source,Group) ranges that should not be used
   or routed in certain circumstances.  Each range is associated with a
   brief explanation and a cross-reference to a fuller explanation to
   be found in the following sections of this note.
   (*,224.0.1.2/32)         SGI-Dogfight                      Section 8.4
   (*,224.0.1.3/32)         Rwhod                             Section 8.5
   (*,224.0.1.22/32)        SVRLOC                            Section 8.4
   (*,224.0.1.22/32)        Microsoft-DS                      Section 8.4
   (*,224.0.1.35/32)        SVRLOC-DA                         Section 8.5
   (*,224.0.1.39/32)        CISCO-RP-ANNOUNCE                 Section 8.5
   (*,224.0.1.40/32)        CISCO-RP-DISCOVERY                Section 8.5
   (*,224.0.2.2/32)         SUN-RPC                           Section 8.4
   (*,224.77.0.0/16)        Norton Ghost                      Section 8.3
   (*,224.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,225.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,225.1.2.3/32)         Altiris                           Section 8.3
   (*,225.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,226.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,226.77.0.0/16)        Norton Ghost                      Section 8.3
   (*,226.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,227.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,227.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,228.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,228.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,229.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,229.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,230.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,230.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,231.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,231.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,232.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,232.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,232.0.0.0/8)          Source-Specific Multicast         Section 9.1
   (*,233.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,233.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,234.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,234.42.42.42/32)      Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,234.142.142.42/31)    Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.44/30)    Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.48/28)    Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.64/26)    Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.128/29)   Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.136/30)   Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.140/31)   Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.142/32)   Phoenix/StorageSoft ImageCast     Section 8.3
   (*,235.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,235.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,236.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,236.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,237.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,237.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,238.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,238.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1
   (*,239.0.0.0/8)          Administratively Scoped Groups    Section 8.1
   (*,239.0.0.0/24)         Control plane of IGMP snoopers    Section 7.1
   (*,239.128.0.0/24)       Control plane of IGMP snoopers    Section 7.1

   (10.0.0.0/8,*)           Private Address Space             Section 8.2
   (127.0.0.0/8,*)          Loopback Address Space            Section 8.2
   (172.16.0.0/12,*)        Private Address Space             Section 8.2
   (192.168.0.0/16,*)       Private Address Space             Section 8.2

7. Unusable Locally

   Multicast datagrams that match the criteria in this section SHOULD
   NOT be used, even on local, unrouted subnetworks.

7.1 Groups processed in the control plane of IGMP-snooping switches
   [MCAST] describes the mapping of IPv4 Multicast Group addresses to
   Ethernet MAC addresses, as follows:

      An IP host group address is mapped to an Ethernet multicast
      address by placing the low-order 23-bits of the IP address
      into the low-order 23 bits of the Ethernet multicast address
      01-00-5E-00-00-00 (hex).  Because there are 28 significant
      bits in an IP host group address, more than one host group
      address may map to the same Ethernet multicast address.

   Multicast group addresses in the 224.0.0.0/24 range are used for
   local subnetwork control.  This maps to the Ethernet multicast
   address range 01-00-5E-00-00-XX, where XX is 00 through FF.
   Ethernet frames within this range are always processed in the
   control plane of many popular network devices, such as IGMP-snooping
   switches.

   Because of the many-to-one mapping of IPv4 Multicast Group Addresses
   to Ethernet MAC addresses, it is possible to overwhelm the control
   plane of network devices by sending to group addresses that map into
   the 01-00-5E-00-00-XX (hex) range.

8. Unusable Inter-domain

   Multicast datagrams that match the criteria in this section SHOULD
   NOT be routed between administrative domains.

   Section 7 (Unusable Locally) is incorporated here by reference.

8.1 Administratively Scoped Addresses

   RFC 2365 [ADMIN] defines 239.0.0.0/8 for use within an
   administrative domain.  As such, datagrams with group addresses that
   match 239.0.0.0/8 SHOULD NOT be passed between administrative
   domains.

8.2 Private and Loopback IPv4 Addresses

   RFC 1918 [PRIVATE] defines certain ranges of IPv4 unicast addresses
   that can be used within an administrative domain.  Multicast
   datagrams are no exception to the rule that datagrams addressed
   within these ranges SHOULD NOT be passed between administrative
   domains.
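   The 23-bit mapping quoted in Section 7.1 and the source/group rules
   of Sections 8.1 and 8.2 are easy to check mechanically.  The Python
   below is an added worked example, not part of this draft or of any
   of the products it cites: it implements the RFC 1112 group-to-MAC
   mapping, derives from that mapping the /24 group ranges that alias
   the 224.0.0.0/24 control range (the "Control plane of IGMP snoopers"
   rows of the Section 6 table), and classifies a (Source,Group) pair
   against the Section 7.1, 8.1 and 8.2 restrictions so the verdict can
   be fed into an access control list.  The function names, the
   constant names and the sample addresses (198.51.100.7 as a stand-in
   public source) are the example's own.

```python
"""Added example (not from the draft): RFC 1112 group-to-MAC mapping and a
(Source,Group) classifier for the restrictions in Sections 6, 7.1, 8.1, 8.2."""
import ipaddress
from typing import List

# Ethernet range handled in the control plane of IGMP-snooping switches
# (Section 7.1): 01-00-5E-00-00-XX, the image of 224.0.0.0/24.
MCAST_MAC_BASE = 0x01005E000000
LOCAL_CONTROL_GROUPS = ipaddress.IPv4Network("224.0.0.0/24")

# Group and source ranges from the Section 6 table / Sections 8.1 and 8.2.
ADMIN_SCOPED_GROUPS = ipaddress.IPv4Network("239.0.0.0/8")
PRIVATE_SOURCES = [ipaddress.IPv4Network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_SOURCES = ipaddress.IPv4Network("127.0.0.0/8")


def _group(group: str) -> ipaddress.IPv4Address:
    """Parse a group address and reject anything outside 224/4."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    return g


def group_to_mac(group: str) -> str:
    """RFC 1112: copy the low-order 23 bits of the group address into the
    low-order 23 bits of 01-00-5E-00-00-00.  Returned as colon-separated hex."""
    mac = MCAST_MAC_BASE | (int(_group(group)) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def aliases_local_control(group: str) -> bool:
    """True when the group lies outside 224.0.0.0/24 yet maps onto the same
    01-00-5E-00-00-XX frames.  That happens exactly when bits 8..22 of the
    address are zero, since bits 23..27 are discarded by the mapping."""
    g = _group(group)
    return g not in LOCAL_CONTROL_GROUPS and (int(g) & 0x7FFF00) == 0


def control_plane_alias_prefixes() -> List[str]:
    """Enumerate the /24 ranges that collide with 224.0.0.0/24: first octet
    224-239, second octet 0 or 128, third octet 0.  These are the 31
    'Control plane of IGMP snoopers' rows of the Section 6 table."""
    prefixes = []
    for first in range(224, 240):
        for second in (0, 128):
            net = ipaddress.IPv4Network(f"{first}.{second}.0.0/24")
            if net != LOCAL_CONTROL_GROUPS:
                prefixes.append(str(net))
    return prefixes


def classify(source: str, group: str) -> List[str]:
    """Return the restrictions a (source, group) pair violates; an empty
    list means none of the checks implemented here apply."""
    s = ipaddress.IPv4Address(source)
    g = _group(group)
    findings = []
    if aliases_local_control(str(g)):
        findings.append(f"unusable locally: maps to {group_to_mac(str(g))} "
                        "(control plane of IGMP snoopers, Section 7.1)")
    if g in ADMIN_SCOPED_GROUPS:
        findings.append("unusable inter-domain: administratively scoped group "
                        "(Section 8.1)")
    if any(s in net for net in PRIVATE_SOURCES):
        findings.append("unusable inter-domain: private source address (Section 8.2)")
    if s in LOOPBACK_SOURCES:
        findings.append("unusable inter-domain: loopback source address (Section 8.2)")
    return findings


if __name__ == "__main__":
    # Constructed sample pairs; 198.51.100.7 stands in for an ordinary public source.
    samples = [("198.51.100.7", "224.0.1.39"), ("198.51.100.7", "225.0.0.5"),
               ("10.1.2.3", "239.1.1.1"), ("127.0.0.1", "224.77.1.1")]
    for src, grp in samples:
        print(f"({src},{grp}) -> {group_to_mac(grp)}: {classify(src, grp) or ['ok']}")
```

   The alias test is a bit mask rather than a lookup because the
   collision is a property of the mapping, not of any particular list:
   any group whose bits 8 through 22 are zero produces a frame in the
   01-00-5E-00-00-XX range, which is why the table carries one /24 per
   (first octet, 0-or-128) combination and why enumerating them from
   the mapping reproduces the table exactly.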
   127.0.0.0/8 is widely used for internal host addressing, and is
   generally not valid on datagrams passed between hosts.

8.3 Personal Computer Deployment and Control Applications

   The Norton Ghost [GHOST], Phoenix/StorageSoft ImageCast [IMCAST],
   and Altiris [ALTIRIS] applications are used to duplicate files and
   filesystems from servers to clients, and to otherwise maintain
   groups of Personal Computers.  They are intended to be used on a
   local subnet or within an administrative domain, but the default
   addresses used by the software are not within the
   administratively-scoped range 239.0.0.0/8 (see Section 8.1 above).

8.4 Known Insecure Services

   Applications that use certain multicast group addresses have been
   demonstrated to be vulnerable to exploitation, leading to serious
   security problems.

8.5 Internal Resource Discovery

   Applications that use certain multicast group addresses are used to
   discover resources within an administrative domain.

9. No Flooding of Knowledge of Active Sources

   In the absence of explicit requests by interested receivers,
   multicast datagrams that match the criteria in this section SHOULD
   NOT be transmitted across administrative domain boundaries.

   The knowledge of active sources that match the criteria in this
   section SHOULD NOT be passed between administrative domains, for
   example through the operation of the Multicast Source Discovery
   Protocol (MSDP) [MSDP].

   Sections 7 and 8 are incorporated here by reference.

9.1 Source-Specific Multicast

   Multicast datagrams addressed within 232.0.0.0/8 (see [IANA]) are
   used in the Source-Specific Multicast regime.  Interested recipients
   request traffic from specific sources using specific group
   addresses.  Knowledge of active sources is not flooded throughout
   the Internet, as it is the responsibility of the application to
   discover the active sources.

9. Security Considerations

   Low to moderate multicast traffic levels, using addresses within
   the Section 7.1 Multicast Group Address ranges, can result in
   severe denial of service on network devices that process frames with
   Ethernet MAC addresses in the 01-00-5E-00-00-XX (hex) range in the
   control plane.

   Interdomain forwarding of multicast traffic generated by certain
   multicast applications (see Section 8.3) can result in internal
   enterprise data being replicated far beyond that which was intended.

   Interdomain forwarding of multicast traffic on certain multicast
   groups (see Section 8.4) can lead to compromise of host systems.

10. Acknowledgements

   The author relied heavily on a list of problematic groups maintained
   by Cisco Systems, especially Beau Williamson and his colleagues.

   Jay Ford and Alan Croswell provided references for the Norton Ghost
   restriction.

   This work was supported by the Mathematical, Information, and
   Computational Sciences Division subprogram of the Office of Advanced
   Scientific Computing Research, U.S. Department of Energy, under
   Contract W-31-109-Eng-38.

11. References

   [RFC2119] RFC 2119: Key Words for use in RFCs to Indicate
             Requirement Levels.  S. Bradner.  March 1997.

   [MCAST]   RFC 1112: Host extensions for IP multicasting.
             S.E. Deering.  August 1989.

   [CIDR]    RFC 1519: Classless Inter-Domain Routing (CIDR): an
             Address Assignment and Aggregation Strategy.  V. Fuller,
             T. Li, J. Yu, K. Varadhan.  September 1993.

   [ADMIN]   RFC 2365: Administratively Scoped IP Multicast.  D. Meyer.
             July 1998.

   [PRIVATE] RFC 1918: Address Allocation for Private Internets.
             Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot,
             E. Lear.  February 1996.

   [GHOST]   Symantec.
             http://service2.symantec.com/SUPPORT/ghost.nsf/docid/1999033015222425

   [IMCAST]  Phoenix Technologies.
             http://www.storagesoft.com/products/imagecast

   [ALTIRIS] Altiris.
             http://www.altiris.com/support/docs/altirisexpress/axtechref41.pdf

   [MSDP]    Multicast Source Discovery Protocol.  Bill Fenner and
             David Meyer, Editors.  Work in Progress.
             draft-ietf-msdp-spec-20.txt

   [IANA]    Internet Assigned Numbers Authority.
             http://www.iana.org/assignments/multicast-addresses

12. Author's Address

   Bill Nickless
   Argonne National Laboratory
   9700 South Cass Avenue #221
   Argonne, IL 60439

   Phone: +1 630 252 7390
   Email: nickless@mcs.anl.gov