IETF Logo Mail Archive

Re: [MBONED] [pim] IGMPv3 backward compatibility issue killing SSM

Brian Haberman <brian@innovationslab.net> Tue, 02 January 2024 13:39 UTC

Return-Path: <brian@innovationslab.net>
X-Original-To: mboned@ietfa.amsl.com
Delivered-To: mboned@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EFEEC14F694 for <mboned@ietfa.amsl.com>; Tue, 2 Jan 2024 05:39:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=innovationslab-net.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HASWeYW1E4ck for <mboned@ietfa.amsl.com>; Tue, 2 Jan 2024 05:39:12 -0800 (PST)
Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8619C14F5E6 for <mboned@ietf.org>; Tue, 2 Jan 2024 05:39:12 -0800 (PST)
Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-5e76948cda7so59838357b3.3 for <mboned@ietf.org>; Tue, 02 Jan 2024 05:39:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=innovationslab-net.20230601.gappssmtp.com; s=20230601; t=1704202752; x=1704807552; darn=ietf.org; h=in-reply-to:autocrypt:from:references:cc:to:content-language :subject:user-agent:mime-version:date:message-id:from:to:cc:subject :date:message-id:reply-to; bh=I65jegQuYZlRy8KGH7b+PXfP2/oKY1tmdifksxexn7w=; b=dl+6eHbQxqt7PRdd4PgHNpmYs/rJxSY667rlhWhWGjjK0xNLGPo8oPoztho0Ka/kz4 40gqhETQkZ1qSHzLDsrNJjTrUF3wDO97wZ07FgcHJEGET6tZ0Gg/bz92EsrIvJ07pk0Z NzFkHDNdaiPNq9tt/QJWbRiYqzq0uWoGelM5G1aLROOPo3nlQ+/Gn3ytlKVQ2IxE32JP 3pEkbCsqenQntqvYTKbBZDk5CqbYmU92DcINuMZ10AvrAN35iVw9pIbHSgYjTPIRCpb7 Rmcnb2Gf5Pas/AsAuzLNt56Q96a723yrsBCqwfLPqgQBmhhaIKuku4jfPQn9WQY9Lizi SyPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704202752; x=1704807552; h=in-reply-to:autocrypt:from:references:cc:to:content-language :subject:user-agent:mime-version:date:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=I65jegQuYZlRy8KGH7b+PXfP2/oKY1tmdifksxexn7w=; b=mLrV8KAH/AbQxEbfLggHYHGgkxi/lT9wXeqG96maMN3bFJgcK+Q6+cfZBmKmNaQVgu sZ3M9eOyxolNwogS/aA3O/tnzW63TLDKEn0ng3c8JA6ZsdciQFukuCNCFg7AXJiIRmHf mmgba+mNUC6d2lxJaKs8gB7VKo8JQb05ZqA2vANRD9Ea9GIvxdVDJGsxjln3soM9ul1V GB0npSAG2VJ/cA0/FWDyGT3ShE3FneEoMHxIPFTSH9vUQdp5unXqmyGItPCpmoNW88ru LhqvBsmgQWSTyM8CwrgCj1j9EAYOsBVNrDPdZPj77BoobZ1dqcqKI3OwfN47HEmYvaw+ klWw==
X-Gm-Message-State: AOJu0YzhR5anneXwQbd36I28Mkm8JsJ5AplKWT/3l7m/tikaE+D6kqWl MvkKbtVzfQD+oo+Cu8hklT8BDCglAaTUpg==
X-Google-Smtp-Source: AGHT+IEv82yH20UE3q+leAVS8mwtufQZILP2ChAmLKsKgZ94pYQQwM4OS9pjclHWlQ8Y6cCthJsjKg==
X-Received: by 2002:a05:690c:3501:b0:5ea:7eda:dbeb with SMTP id fq1-20020a05690c350100b005ea7edadbebmr9670267ywb.5.1704202751661; Tue, 02 Jan 2024 05:39:11 -0800 (PST)
Received: from [192.168.1.5] ([172.59.220.98]) by smtp.gmail.com with ESMTPSA id et4-20020a05690c2e0400b005e5d28fc279sm5485582ywb.63.2024.01.02.05.39.10 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Jan 2024 05:39:11 -0800 (PST)
Message-ID: <e9ed1779-4f43-4f71-b8c3-d813bcea81d1@innovationslab.net>
Date: Tue, 02 Jan 2024 08:39:09 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Leonard Giuliano <lenny@juniper.net>, "Holland, Jake" <jholland=40akamai.com@dmarc.ietf.org>
Cc: Toerless Eckert <tte@cs.fau.de>, Stig Venaas <stig@venaas.com>, "zzhang@juniper.net" <zzhang@juniper.net>, "n.leymann@telekom.de" <n.leymann@telekom.de>, "pim@ietf.org" <pim@ietf.org>, "mboned@ietf.org" <mboned@ietf.org>, "fenner@fenron.com" <fenner@fenron.com>, Dave Katz <dkatz@juniper.net>
References: <CAHANBtKf03ukXH4sgwN0WVdkaVXnbRYdAGBDmQK56YXrS-z6yA@mail.gmail.com> <CAHANBtKdfS0cPceqv8_R+ToeGOBdUksH7gArKqegqSt_Q0Sf0Q@mail.gmail.com> <ZXtzwBljE45Og27f@faui48e.informatik.uni-erlangen.de> <EDE809A0-E672-4A3B-9F46-E08ECD3D4C23@akamai.com> <edc9d539-4b6c-f238-54c6-210c152e2065@juniper.net>
From: Brian Haberman <brian@innovationslab.net>
Autocrypt: addr=brian@innovationslab.net; keydata= xsFNBGFCWtIBEAC2FIgMIrH27l4L1Uu+vxCBakOv0Y1nxsu61+aulA78two2kCl7OCF+myP8 KQHEFMoZSn+ZvR+QDFyhsHe7qDK0CVf1K3n97PptXG5kvbnDJdwVJV0w9zYC17/VDgGAKLqj 0iNDVc9mYg/zCYdPn616UAj7hNpFgc9f982gLokyR/xbMNvtOwOpToysK+7Oc25oOam0xuUx CHcE4BfzJHO2VmUgWHeTvxervtIeMcn5PUlQ4XhzYH88mLlI1Uno7W5Dfx8FjXLNNAq4aNBM 6QND2LRekYi75pSTFXNpYIZvmgVT/VB6SHpsyJ3Hkio4YqGkPiqCEcB6U1lArT2FmXnzsTOt 6ydx6ONClxtcOmoEWrES+8tU+knaCEo1/XOrWtivTFMzn3Mahf726XxQBG55FkhqQ/Mir70e mTtpm8MDf+Qj4o5OsSF01l0MMxwOPiB57pz+XuUoWvLEjLgnb83eY0/YpBJdYESL3zZ3zMBo zA65cUozqSGHwQnlE1ACRDKhsReSYmiPJR5o3pWvNf5z+1M3tyn4qpuPxFFA1X8tEstpoC9t QoX8oextRj9BXlJCcCOwSVbCN8buO7aJMN3PIwSewjYvNLMxLrMph/8jNAHIaZnIt3CRHAq6 RsEAv8VQBWruIyNyyX0N8upnOpvriqx1eI2yS/B/Z2D8fQoFewARAQABzSlCcmlhbiBIYWJl cm1hbiA8YnJpYW5AaW5ub3ZhdGlvbnNsYWIubmV0PsLBlAQTAQgAPhYhBKm74/fFK6tXux1c k5E020tPLWqqBQJhQlrSAhsDBQkHhh8tBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJE0 20tPLWqq9fAP/1BO1H3SxphcXPbIsuJ+LoBCoKhrIftwGrLZzyiHYyLSFJ/HWLH2Kv79XJP4 6GkpTCk3VfJp6LEjw9FItwXUn0BEf0LyEy1L7w81YXPq+e4kwTPaQI8CgnbpSS9HBkcUj2r9 bwCjf+QZMqfgbz4d2MkVdVrIM2XPLYQND+Xtu1tyTTnrvFndLQFkDdqHAM9HqoikoNqWqz5j JPaxpJfxqmWr86vNThI7sD0rgMX5TWj7Flngzv2G9/uGEz4rHOIwK6KKiXNKk79kTqjUCQ9j tXl8BC2LQj8xsnWeGISTMR3xbiBPeTX94686O6KcLl7QIVKVS+nqs2l2j2gaXo1AjhBXO7gP GFN+rZzPOUZnPQUek3FeQoZCkfC/ljWBPooCpBe2euv5uZ4NbfKHAr9nmmhg4Uh1IceMxMQ/ /kB2wXTbuoprWLkK02r/y9LyGI5zLqLNl0NG17erJ0NCke76xYJkKBYezgBj1pZmYQDC1Sox fKlsaFCWkBrcKuGWc49qbEtWVM8h/mw+0w5pFyKX733xa6A+S8TOPYng/qFYgauotV9unjjt b7Npn7XyYzypk7QqKo4zipBqpHKeQ96Y/FKXSHPuTVj7dGK3Dn4b0q9Dgti7ogCc8F3tJcZI E0R8Q+4TRcQ192dLvyyTrv4h9BY6q5aB56Z6dsn11TAx7YCAzsFNBGFCWtIBEACqN6OFHSNq jiPy8s05QTC2fCqi0G5CcbRFXcqmHDEKdwqHk5VuOEL8CcWKNzOEMCt6EJvNL4ivfeHs1e7f rfm08+0Da0xAFiab92B9lOTLfv/NkKZ3jakQs06rtSzX7tYDbnmDeX206Uqff1mDjsiXHoAJ fdW7CjNLdWp42B3fkSjUR8mUgeNPqO4Jhgd7d3tTN2ov7M0rS7kUoE6Gd01LmNoPUQ024g8G ecMXVBldgg78aKmehs5pSWLmoBfczymGmNT/++9B6btmy7ruU+febVXRaQJY7aqpkTL7oy4H 3LMRSy/0BXHm1WgO7201Aj7PuaXM424hAhzmAJhO5AvlT9PuS9eSaIP0sqgP7ZTX7UezVj1H Tv5VJtgHI1fiNfhd/KFqDQDGaKdlM0iysyPanSCscjsWqAG0Od2TPdSuURqvgt8suBZrAAfK d55Ovguy+8uCi047sQxShUonw7TxGl3FMAe04PBIOgMCB/uys4yDUjYrawrlNigvx60Nec+T ExE+qszoO57If3/rG78J2ntGjog+yTDNffkbzljcy3YDe3k/r+T2FKOcWxJTlwSWAs1aVLZ7 DWx73lpYrSNJxiU7PrPihfS/Doy3VfmfF/RbH/xmkuPvsyrVfd16pEEtHGi5hBk2KQyjVqi1 IWwXV9ZVOQFBE9nJ7i6A7Aw3EwARAQABwsF8BBgBCAAmFiEEqbvj98Urq1e7HVyTkTTbS08t aqoFAmFCWtICGwwFCQeGHy0ACgkQkTTbS08taqrpIBAAjc6GdUjCyVsZLYwV8bMM4loltFrx z/mroCIFW4PZ0u4zENaloQbHuhDx7Ii6mR9jRiVNbXP4XvuyhjlUO+pt6hGrPbzsmV9vGvN0 2nkGYmSpxQNEzHQf/CJyLhPWY5qTJlDEr4zHbloG2KRPQ6dv9mdRIyAwDxNDSq2tVlrJC+b4 hG9vYp9msCZspqVDRTzvRTZQoWAvGJUaUgZd/FLPTfFePAmX+enXkUKl332i82xNU/nTix73 WajK7WhWC2GugrEbi42fJgUKRtYWhY36QyxucB1VWUacn7iKt/eLfPrCVVsHP2j4vqjlL/HJ 38TvbqfI4WbXyXF630U7IOlMT8//vpo3Y8hjWw0p5dm22fyPcjfnqxDdDefKCJpN215JgvDi Ww42J+VDTsd+5FJYCSUqg3jXmJl1z6FewF5hjuUGf/VdKCrhFocfh1b8VFgne2M1vyNcPoS8 23lJOMpcVAmzFhmVl5y/az/kgPJzbQggSByv3pZZUlJttLKf9BSGwmKcoGEgNo8p/DUyMkQV kVCJdmnamJzYEa/s3XRasTZhoWzNSjIEfeJaLd8dVXTzByMzgYuj/raFP1UF33GQ8W+zr23b VLVc8pEjMQlWeRGfJRyvG4ZOYpFk0c7jw8LpERCd/1SGHL3RQ3CwOqouQgKV+0BjMbY6A6Vj CuWio7k=
In-Reply-To: <edc9d539-4b6c-f238-54c6-210c152e2065@juniper.net>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------459QG8tkkfWDkpCNeMX6IR0p"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mboned/6-UA0YEVfpOtEVQeiaeShj-v6Ig>
Subject: Re: [MBONED] [pim] IGMPv3 backward compatibility issue killing SSM
X-BeenThere: mboned@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Mail List for the Mboned Working Group <mboned.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mboned>, <mailto:mboned-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mboned/>
List-Post: <mailto:mboned@ietf.org>
List-Help: <mailto:mboned-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mboned>, <mailto:mboned-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jan 2024 13:39:17 -0000

Lenny's assessment is correct from my perspective. Section 7.3.2 
specifies that IGMP version compatibility is kept on a per-group basis. 
This should preclude compliant routers from disabling SSM service in the 
SSM address range.

Section 7.3.1 discusses the compatibility mode configuration option for 
IGMPv3 routers, but there is not a recommended default setting for that 
option.

Are there aspects of RFC 4604 that people think need to be updated?

Regards,
Brian

On 12/19/23 4:09 PM, Leonard Giuliano wrote:
> 
> As I understand, RFC4604 explicitly prevents SSM service from being killed
> by the presence of an IGMPv1/2 host (assuming the router is SSM aware,
> which in 2023 is a fairly valid assumption).  That is bc the router should
> ignore any v1/v2 reports in the ssm range (232/8).  And as I understand,
> RFC3376 Sect 7.3.2 provides backwards compatibility for v1/2 hosts, but
> only on a *per-group* basis- not for the whole LAN.
> 
> Combining the two, SSM service is protected in SSM range (232/8).  In
> non-SSM range, due to backward compat, you could lose SSM behavior- but
> since you are in non-SSM range, all bets were off in the first place.
> 
> So unless I'm missing something, I don't see see the risk of SSM being
> killed by v3 backwards compatibility.  Adding DKatz, who know this stuff
> way better than me in case I misinterpreted any of these specs.
> 
> 
> -Lenny
> 
> On Mon, 18 Dec 2023, Holland, Jake wrote:
> 
> |
> | On 12/14/23, 1:29 PM, "pim on behalf of Toerless Eckert" <pim-bounces@ietf.org <mailto:pim-bounces@ietf.org> on behalf of tte@cs.fau.de <mailto:tte@cs.fau.de>> wrote:
> | > The elephant IMHO is that rfc3376bis is so far not including changes to IGMPv3 behaviors
> | > about backeward compatibility with v1/v2 routers on the LAN, and exactly this behavior is
> | > killing SSM in deployment because any such router when it becomes querier will kill SSM
> | > ... because hosts will revert to v1/v2 and not report their SSM (S,G) memberships.
> |
> | +1, this is a serious problem.  The current default behavior bakes a DOS for SSM into the
> | protocol.
> |
> | > If there are routers that have config options to disable this backward compatibility with
> | > older routers, i would love to learn about it.
> |
> | When using linux routing there is `sysctl net.ipv4.force_igmp_version=3`, but it says because
> | of the difference in the security considerations between MLD and IGMP it doesn't actually
> | ignore v1 and v2 even when it's set:
> | https://urldefense.com/v3/__https://sysctl-explorer.net/net/ipv4/force_igmp_version/__;!!NEt6yMaO-gk!BhrKkLRDUzon0XP8RebeJvai8X02-AU2RBEGA0iJrQsgSIeCPBd4KVVIUoc5jD59w8aYpNbAYiTFWo_sN87x_ZENUoioNQ$
> |
> | (MLD permits an "ignore v1 completely" setting, but says it should only be used when
> | source filtering is critical:
> | https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/rfc3810*section-10.2__;Iw!!NEt6yMaO-gk!BhrKkLRDUzon0XP8RebeJvai8X02-AU2RBEGA0iJrQsgSIeCPBd4KVVIUoc5jD59w8aYpNbAYiTFWo_sN87x_ZEHCk8UTw$  )
> |
> | > - Replace with something like:
> | >
> | > This revision of IGMPv3 version 3 removes automatic fallback to IGMP version 2 and version 1
> | > routers on the same network as specified in [RFC3376]. Instead,
> | > such older version router behavior MUST be explicitly configured.
> |
> | While I agree that to the greatest extent we can induce, IGMPv3 queriers from now
> | on should maintain the capability to propagate SSM and accept IGMPv3 membership
> | reports under all circumstances (even when there is an IGMPv1 or v2 receiver on the
> | LAN), I'm not sure it makes sense to ship text that makes all the currently deployed
> | routers retroactively non-compliant with a MUST in the new IGMPv3.
> |
> | But I'd support adding a section that describes the problem and provides a well-
> | justified and strong recommendation that the default behavior be changed from
> | what's in RFC 3376 and that a config option be provided to ignore IGMPv1 and v2
> | packets, like with MLD.
> |
> | It might be worth saying something like now that we have RFC 8815 and in light of
> | the experimental status of RFC 3618 (MSDP) and its deployment BCP in 4611, source
> | filtering should always be considered critical for clients that support it?  (Not sure that's
> | necessary, just a brainstorming idea to point to some of the docs that cover new
> | operational experience since 3376...)
> |
> | > IGMPv3 routers MUST have a configuration option, disabled by default, to operate
> | > as an IGMPv2 router. When enabled, all procedures of [RFC2236] apply. Configuring this
> | > option is necessary in the presence of non-IGMPv3 capable IGMP snooping switches or
> | > PIM routers. These are rare but may still be depoyed.
> | >
> | > When operating in IGMP version 3, routers MUST ignore version 1 and version 2 queries.
> | > In version 3, the presence of those older version queries constitutes a misconfiguration
> | > or attack, and these messages SHOULD result in logging of an error (rate-limited).
> | >
> | > - And in an appropriate part of the host behavior:
> | >
> | > IGMP version 3 hosts MUST have a configuration option, disabled by default, to ignore
> | > IGMP version 1 and version 2 queries. This option SHOULD be auto-enabled when the host
> | > is running SSM receiver applications, and hence depends on IGMP version 3 to operate in the
> | > network.
> | >
> | > This is about as much as i think we can do if we still want to go full standard with rfc3376bis.
> | > I can think of no operational deployment where the introduction of devices with existing
> | > older RFC compatibility would cause interoperability issues. At worst the new router would
> | > need to be explicitly configured for IGMPv2, which in my experience most routers deployed
> | > into IGMPv3 environments are done anyhow.
> | >
> | > Comments welcome. Would love to see positive replies in which case i will be happy to explicitly
> | > sugest the text changes for this elephant issue to the draft.
> |
> | Thanks for raising this, Toerless, the IGMP downgrade problem has been a major source of pain
> | for some deployments that rely on SSM.
> |
> | - Jake
> |
> |
> | _______________________________________________
> | MBONED mailing list
> | MBONED@ietf.org
> | https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/mboned__;!!NEt6yMaO-gk!BhrKkLRDUzon0XP8RebeJvai8X02-AU2RBEGA0iJrQsgSIeCPBd4KVVIUoc5jD59w8aYpNbAYiTFWo_sN87x_ZG9c7AK9g$
> |

v2.23.0 | Report a Bug | By Email