Re: MLD snooping of solicited-node multicast (Was: Re: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt

Erik Nordmark <nordmark@acm.org> Fri, 17 January 2014 17:22 UTC

Message-ID: <52D966BD.3090606@acm.org>
Date: Fri, 17 Jan 2014 09:22:05 -0800
From: Erik Nordmark <nordmark@acm.org>
To: Tim Chown <tjc@ecs.soton.ac.uk>, Ole Troan <otroan@employees.org>
Subject: Re: MLD snooping of solicited-node multicast (Was: Re: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt
References: <20140111004402.10451.90724.idtracker@ietfa.amsl.com> <BF6E0BD839774345977891C597F8B50C5CE74C@eusaamb109.ericsson.se> <72381AF1F18BAE4F890A0813768D992817FCA84E@sdcexchms.au.logicalis.com> <892FB91E-311D-4A50-A38B-4972F70847AB@employees.org> <5DC8FA82-DD79-49F5-8842-0243CDF77B7D@ecs.soton.ac.uk> <EMEW3|25336b861042fd40fe5245953c91fd64q0GDc803tjc|ecs.soton.ac.uk|5DC8FA82-DD79-49F5-8842-0243CDF77B7D@ecs.soton.ac.uk>
In-Reply-To: <EMEW3|25336b861042fd40fe5245953c91fd64q0GDc803tjc|ecs.soton.ac.uk|5DC8FA82-DD79-49F5-8842-0243CDF77B7D@ecs.soton.ac.uk>
Cc: 6man WG <ipv6@ietf.org>, Ing-Wher Chen <ing-wher.chen@ericsson.com>

On 1/17/14 5:38 AM, Tim Chown wrote:
>
> On 17 Jan 2014, at 09:43, Ole Troan <otroan@employees.org> wrote:
>
>> Greg, sorry to divert your thread.
>>
>>> Neighbour Solicitation messages for incomplete entries (per RFC 4861 S7.2.2) will be dropped by the snooping switches if there is no Multicast subscriber for the solicited nodes' multicast address.  Not only is this a mitigation of the potential attack, but also indicates an alternative for non-snooping networks:
>>
>> I hear that MLD snooping for the solicited-node multicast groups isn't supported in most (if not all) switches.
>> partly because MLD snooping doesn't work well, but also because it becomes very costly to support state for this many multicast groups.
>>
>> anyone with differing experience?
>
> Well, MLD snooping seems very prone to bugs.  We have an open case currently with a particular vendor which means if we enable MLD snooping (which is beneficial given we have several multicast IPv6 TV channels) the devices will get a little 'enthusiastic' and filter all RAs.  We have had at least one similar case in the past.  I guess use of MLD snooping in enterprise networks is relatively rare though.

Tim,

was that for WiFi APs or wireless controllers doing MLD snooping? Or good ol' Ethernet switches?

The more data we have on this the better.

Thanks,
    Erik
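The mechanism the quoted paragraphs argue about is the mapping from a unicast address to its solicited-node multicast group and the snooping switch's decision to forward a Neighbor Solicitation only to ports that have joined that group. The following Python is an added illustration written for this archive page, not code from any participant or vendor: it derives the solicited-node group (RFC 4291 section 2.7.1) and its Ethernet MAC (RFC 2464), then models a snooping switch as a group-to-port table so you can see why an NS for an address nobody has joined is dropped. The `SnoopingSwitch` class, its port numbers and the sample addresses are all constructed for the example; a real switch also floods to multicast-router ports and has to hold one table entry per solicited-node group, which is the per-host state cost mentioned in the thread.

```python
"""Solicited-node multicast derivation plus a toy MLD-snooping forwarding
decision. Added example for this thread; the switch model is a constructed
simplification and does not represent any vendor's implementation."""
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_group(addr: str) -> ipaddress.IPv6Address:
    """RFC 4291 2.7.1: ff02::1:ffXX:XXXX, XX:XXXX = low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def multicast_mac(group: ipaddress.IPv6Address) -> str:
    """RFC 2464: Ethernet destination is 33:33 followed by the low 32 bits of the group."""
    low32 = int(group) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


class SnoopingSwitch:
    """Constructed model of MLD snooping: membership learned from MLD reports,
    keyed by group, one set of ports per group. Every host address on the
    segment adds one solicited-node entry, which is the state the thread
    says switches find costly."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.members = {}  # IPv6Address group -> set of ports with a listener

    def mld_report(self, port: int, group: str) -> None:
        """A host on `port` sent an MLD report (join) for `group`."""
        assert port in self.ports, "report from unknown port"
        self.members.setdefault(ipaddress.IPv6Address(group), set()).add(port)

    def host_joined(self, port: int, unicast_addr: str) -> None:
        """Convenience: a host configuring `unicast_addr` joins its solicited-node group."""
        self.mld_report(port, str(solicited_node_group(unicast_addr)))

    def forward_ns(self, ingress_port: int, target: str) -> set:
        """Egress ports for a Neighbor Solicitation whose target is `target`.
        Only ports with a learned listener for the target's solicited-node
        group are returned, so an NS for an address nobody has joined yields
        an empty set, i.e. the switch drops it. (The model omits flooding to
        multicast-router ports, which RFC 4541-style snooping would add.)"""
        group = solicited_node_group(target)
        return {p for p in self.members.get(group, set()) if p != ingress_port}

    def group_count(self) -> int:
        """Number of multicast groups the switch is tracking state for."""
        return len(self.members)


def demo() -> dict:
    """Constructed scenario: three ports, one host per port on ports 2 and 3."""
    sw = SnoopingSwitch(ports=[1, 2, 3])
    sw.host_joined(2, "2001:db8::1234:5678:9abc")
    sw.host_joined(3, "2001:db8::dead:beef:1")
    return {
        "known_target": sw.forward_ns(1, "2001:db8::1234:5678:9abc"),
        "unknown_target": sw.forward_ns(1, "2001:db8::ffff:ffff:ffff"),
        "groups_tracked": sw.group_count(),
    }


if __name__ == "__main__":
    g = solicited_node_group("2001:db8::1234:5678:9abc")
    print(g, multicast_mac(g))
    print(demo())
```

Two addresses that share their low 24 bits map to the same solicited-node group, so a listener for one will also receive solicitations for the other; that is by design, and it is why the group table grows roughly with the number of distinct host addresses rather than staying a fixed size.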