IETF Logo Mail Archive

Re: [pim] [MBONED] IGMPv3 backward compatibility issue killing SSM

Dave Katz <dkatz@juniper.net> Tue, 02 January 2024 20:24 UTC

Return-Path: <dkatz@juniper.net>
X-Original-To: pim@ietfa.amsl.com
Delivered-To: pim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FC08C19ECB3; Tue, 2 Jan 2024 12:24:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b="miYkcR62"; dkim=pass (1024-bit key) header.d=juniper.net header.b="Fyr6g6w0"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9jlvoIIR7SM6; Tue, 2 Jan 2024 12:24:06 -0800 (PST)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E88ECC19ECB4; Tue, 2 Jan 2024 12:24:05 -0800 (PST)
Received: from pps.filterd (m0108162.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 402BkK9U015104; Tue, 2 Jan 2024 12:23:49 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h= from:to:cc:subject:date:message-id:references:in-reply-to :content-type:content-id:content-transfer-encoding:mime-version; s=PPS1017; bh=ru8yYYtFeMpCrTaD7s0exo88qGPJHfeny4VLkLH5nkA=; b=m iYkcR62d24uyxSluYtc2lxCrJkYiH0IKY0ME1p0p7uTrUDi4c8u2Bob1iAoHTfzy pPnWaMevQA6uV49rgGy89cEHH5n6l82V24U05SkQ+PaSY3PM/Eb3SXJYfKs4/Eh3 lI2F3ZbgdBy4LgTI7ZYs4EMmeO6gWvXzJuJa8bj464hif1ChAsTDFsUT2fv2nDvx k5XT2CGbfgFT2DLN33SHykjKhVm13IQFznUagbSP1i1xBJId/6O2eH0CfDF1Fhq5 fo0MS/cREkhXet6jqIQNJ3jg2PbqUynmMn2MlUCwHMebXLE9IKsPS0YA9A+2JSYA W4Uu4HtYsrxGrp7k3hTYw==
Received: from mw2pr02cu002.outbound.protection.outlook.com (mail-westus2azlp17013039.outbound.protection.outlook.com [40.93.10.39]) by mx0b-00273201.pphosted.com (PPS) with ESMTPS id 3vchwf1q2m-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 02 Jan 2024 12:23:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TcADPaicj6/npeIIhXkr6dZci1KotAQOQR3KgnTOAJmcA0haSJ9QBjlXAb3yCPsNXkxt0bX4UuYt1+aFhl3OuaZZqrZmGv/w+1HAnNnCATzLUktNSVcC5jMmAUk2qPkcP3mwXpNYm4WvbJF9GQkN29SbOKatCHZTgtq3myv3Fmg5lWz2zn4fzo8n5Ko1j07+VKFcMET6E5x3N7evGWZmQ4TMrWfm4jI3DtjYDx5/zXdfp6tEc6i5rJNjwK81G69twWEam5LgDsNPKixlIG5InQCwswT28lqY/YU96Kltum9dmFNL7zLdyeYn6av73I4BdqNZK2KYZh5KeHnUOIHJRA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ru8yYYtFeMpCrTaD7s0exo88qGPJHfeny4VLkLH5nkA=; b=kCRwaxjdbocZd0rJA072d33L6hbOEWo9suXKZD1n46ZGb3/rqHn3TavCx01n+b53F63yO1AKJCdVrodYBAyqBqv7LYyugdmiyEqH5jOios/rHHruhGwUTDnTPZAFZPpW5Wer0CzGpDArf1DRN//NDqVipOQQ9BDAGTi/EcG91upKqUewp/twbZooDy3COxjC3Raclqu5WiTLbLrNZsYsDxek6/Jy5UcwFEgbgZc0/vxad1nILhyGXDjliMaiEK8bKhPv2FvBZCUALZC1UzTzRUHPgqoiM1I6gOHHUlm6soRUicIAltn1QfjvaCUws7EUydGjLKdJMvABIF2DebHG7Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ru8yYYtFeMpCrTaD7s0exo88qGPJHfeny4VLkLH5nkA=; b=Fyr6g6w0/M/wzNY5B74uxtxwdTSaZVzL2Ql0Z9f082wFjLdTo1UwEcGz9ewbY97PanCHEv5Z/kO2iHCDNihCQsHM8Y88M50VMI5n4ph9TNN6dyE/xPZ6ka4+dpbxUrsbN03OlqtOHhWaADYNDvnDoaGIoisEtesmvACQyyarxq0=
Received: from CO6PR05MB7601.namprd05.prod.outlook.com (2603:10b6:5:353::14) by IA1PR05MB10301.namprd05.prod.outlook.com (2603:10b6:208:3af::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7135.25; Tue, 2 Jan 2024 20:23:44 +0000
Received: from CO6PR05MB7601.namprd05.prod.outlook.com ([fe80::d98c:4a56:351b:f719]) by CO6PR05MB7601.namprd05.prod.outlook.com ([fe80::d98c:4a56:351b:f719%4]) with mapi id 15.20.7159.013; Tue, 2 Jan 2024 20:23:44 +0000
From: Dave Katz <dkatz@juniper.net>
To: Hitoshi Asaeda <asaeda@ieee.org>
CC: Brian Haberman <brian@innovationslab.net>, Lenny Giuliano <lenny@juniper.net>, "Holland, Jake" <jholland=40akamai.com@dmarc.ietf.org>, Toerless Eckert <tte@cs.fau.de>, "mboned@ietf.org" <mboned@ietf.org>, "fenner@fenron.com" <fenner@fenron.com>, "pim@ietf.org" <pim@ietf.org>
Thread-Topic: [MBONED] [pim] IGMPv3 backward compatibility issue killing SSM
Thread-Index: AQHaPYEVUW+Kgkuj5kOMeYOPSJsoHg==
Date: Tue, 02 Jan 2024 20:23:43 +0000
Message-ID: <DA4D4581-B457-4DE9-BFD2-6386B3BCB36D@juniper.net>
References: <CAHANBtKf03ukXH4sgwN0WVdkaVXnbRYdAGBDmQK56YXrS-z6yA@mail.gmail.com> <CAHANBtKdfS0cPceqv8_R+ToeGOBdUksH7gArKqegqSt_Q0Sf0Q@mail.gmail.com> <ZXtzwBljE45Og27f@faui48e.informatik.uni-erlangen.de> <EDE809A0-E672-4A3B-9F46-E08ECD3D4C23@akamai.com> <edc9d539-4b6c-f238-54c6-210c152e2065@juniper.net> <e9ed1779-4f43-4f71-b8c3-d813bcea81d1@innovationslab.net> <532D7FE8-B721-4CF8-A54D-CF139BD8128B@ieee.org> <8DF64ABE-E20A-4C2C-A3D5-63ECEE24EA6C@juniper.net>
In-Reply-To: <8DF64ABE-E20A-4C2C-A3D5-63ECEE24EA6C@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3696.120.41.1.4)
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO6PR05MB7601:EE_|IA1PR05MB10301:EE_
x-ms-office365-filtering-correlation-id: 9a0746b4-9cb9-4719-42c1-08dc0bd0b78d
x-ld-processed: bea78b3c-4cdb-4130-854a-1d193232e5f4,ExtAddr,ExtFwd
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: iBFnLn+7o1z+H6n7o6D23i0NPv+IDqI4qPYHfNr9Dj2ix6h0+JUnu6SmXwg4lLjiAjtkT4dPCLyfwUkStgQLHyQt8MrI6lkH3aKuS95wONelf2IU5ytB9wjzTohhKPL0SiJGjZdoXCnxOv90vlgHCHNNKg6aGkIHGZwaDRcyikBvub7FbAaLbN6bV+E22UXoNiJNh+OmbHU6QC3cLAhNUx0gTlUcC30sQ4uoOLvRmLL6Krf1pSF9E1j1pAls8QBLiLzRAKi1OyUe5wFTnfLv/10ZOI9VOz/cM+ol1wVqGWdAYMxC6kIh4yaKDR/t9n5+JWIws/l2ismwiIPe0pAaatliat+V3Cs1hW9HPqeiNygh69/Pls0J3ajoQkon1z5Qd83ZKCIhSvckP0Rc05y8c2vHJyWFm6u2T2aQsVUe3UVU2kOLRpVX9mW/sJ2RNZ6HuFFoG7rMIg6+IQYOYfi3qGNXGQA+IXy+rp3AcQxvmX3THR5ac1mJP+IT8H3Hf85XbMgCsOPbk5kFxPU4g6LPdehz9L+IUzjMznKM35ztpPPoa3rEZ9JMxDEJfbHq7iQdKJcVAXzgpZb0ZPnaQo8ABBoCmcHrUDxYCcD5Qgar2dYK24FPriTBy2WIrVrwAB6mY+sA4h1RroqOvK+m6lFacI6Z+cKBdSNoubLcOrU7CZ7IxkHivnr5GpUHRLTg65aEPBRADxFnh3fAR1YVEN/QATG6fD0z1CLlRAUUX9Nv6KE=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO6PR05MB7601.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376002)(136003)(366004)(39860400002)(346002)(396003)(230173577357003)(230273577357003)(230922051799003)(451199024)(1800799012)(64100799003)(186009)(66574015)(83380400001)(6512007)(53546011)(26005)(2616005)(8936002)(8676002)(4326008)(41300700001)(2906002)(122000001)(6916009)(6486002)(966005)(478600001)(66446008)(66946007)(66556008)(6506007)(71200400001)(5660300002)(66476007)(64756008)(316002)(54906003)(86362001)(76116006)(38070700009)(91956017)(36756003)(33656002)(38100700002)(66899024)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: zUaPospWDF7lXshdg/yO2+V+SeIrqHGJ79CXJc4LhetO4+DYcKHQbf8MZIfGvKo3B9ZrUGE7lDOMSTiOpQnWsCFCf2jd8q3slx9UVtvwxc4+GqUJ3BM+pD5ZfFJU8KfDULkqq+PWm025ovgoDb6WKHvNFuHiUAiZushEHnvzfNfuYL9dUrBEK7jPKjUCCK9C0bkj5zSKAgoPE8ihHPGCSjSMpb2IykSInhA9z5fi6M6p/pq/2HvcwLnhhDFp4cV7SukNm6cRK3qzxfbsY6MeV3snswiKkc3aJt8+9GDOH4xn5s83KYfbieJMV0Wz3rS293j7uOaN8StAPCynauq6nDPxANeNef9UZo+u4ki2i0bszlB07gEMD1K7Nq7QRcqPGWeIZA+f6nkkDUhOQ14GZ7FWOceJfm6XVwLVYjPPYWMmO7DYhoEV/MjkQl5DRVyvwLHdyoCnY/mWVRnSOOm2V/FzSuuSJigGVYykUh82yteHaS4s97Z4U1ec4nEGywWzHFnpFq21HDmN8cg5GfaNou5tXcsvtODSkCs4WnBsYs1XDC5v0jdivUCDdfuau9FfQqww5Hn9whxOTHQDpdXFt4b2SOm7kP9xMPQRWxP3jbfAXtCJNNWVg3al3JnwU5ZxpD1ZZJeWEMsYzyraxElRXEzTHY7CqDppLdhrEZ7xIdc1SO/ACjPEbz8wRxBxw0jb29739UAwtnAL1XSK6XP1CLx9iSi4QP22Td+HNPhsdBuFiWSOy6v4B4MDvCpZDOURjHJVMmyte4O79WBq6WBpVW4RR78tZ7pPYuaVP26lbat1Jzb7K3cWUaE2GcCgxA11FkFQ4nEbezfj2ELIE0gGk3Ytxll9gm4yMJAbMKO+yo2HJWxauXXefXMU0rMhuBCXWXiLqxaaHmoW22tVY6bOJSx6XMtvNHpdQSWdoRp2XjQLUcVvG3IDBDDH/R+3muMM5I3N+N2A9zviU0bZPxbUgOd5aGpmmogg9H2sGDozaZvXrczoGc41o76Yk15UXXvHm9T1GA8CqmSZro38avimGtfQQRV4XIeuuuKAVsQZosYylKU85dUyZJiaDU97eKOGYysK/ov1cFpTIajUUZnkYGzKlbwkLh3Dtw648QRzzLuP/wzWdaAkqb5HU/ZxAU9Ao9sbYTQmX+F3tH1ci2qMYVx5vcLIneOTDlAXBDOErGHH1dRRhRFbQfMCXtFPDPErF0syvpRJIeWUSizHWlzN55InifOvgle9jkfzb8/B67Z9+fuEDXhNLC3B1GaHW4jHOcDlP3xT2zy7RwF1xb8y8qdxusfxaaLBTngpkn9o45h0d2deJX2dzCvfq2DEgIs7u1YvpCRN9CwplyQPQ0OiEpUmMgvTN/x+sEbXgLrH6M4Eeuyg+1GVdkKM0Mdyt9aakI8Uxflplhihycm4XjFALpS0hbu+ZD1eKaaBsDzWwXmvAZFYGZCQoumS1xa/OeghlRjA2EyOOeDN5sCTXV6627Pc+yLI6QJFgfwFS7k7c1yvnvtBn2H+eVj/GN69zTPh1NabKIqdh0nqgyIrP9tm/t448qCPtEVwZveituhG8VvNlSRlvw+/BhPgRDvxpTot
Content-Type: text/plain; charset="utf-8"
Content-ID: <5283D65DE79B5948AF52FA560C0DF306@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO6PR05MB7601.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9a0746b4-9cb9-4719-42c1-08dc0bd0b78d
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jan 2024 20:23:43.9801 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sPw/96O/OEsZTsp6uz2EK6TMkLUgF47m6qijq8GHMIa7U/IfpZ1BA4qVUU5XU/NWVEQ9Ge2uHLnMjfafpaZlzA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR05MB10301
X-Proofpoint-GUID: no4eqwt4bf2l9sQwsZMCBuHLBAclhyMt
X-Proofpoint-ORIG-GUID: no4eqwt4bf2l9sQwsZMCBuHLBAclhyMt
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-12-09_02,2023-12-07_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 impostorscore=0 mlxscore=0 phishscore=0 mlxlogscore=999 spamscore=0 suspectscore=0 priorityscore=1501 clxscore=1015 adultscore=0 lowpriorityscore=0 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2311290000 definitions=main-2401020151
Archived-At: <https://mailarchive.ietf.org/arch/msg/pim/3pBqhCy9Ej3MJuofANu6mD12LlI>
Subject: Re: [pim] [MBONED] IGMPv3 backward compatibility issue killing SSM
X-BeenThere: pim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Protocol Independent Multicast <pim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pim>, <mailto:pim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pim/>
List-Post: <mailto:pim@ietf.org>
List-Help: <mailto:pim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pim>, <mailto:pim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jan 2024 20:24:09 -0000

I also see I marked it as proprietary back then, so it goes.  I think it’s generally useful information and whatever advantage we might have had for actually knowing what we were implementing has probably dissipated…

—Dave

> On Jan 2, 2024, at 8:53 AM, Dave Katz <dkatz@juniper.net> wrote:
> 
> Here’s something I wrote up about 15 years ago (!) when I rewrote IGMP when we expected that cable TV was going to be delivered by multicast (that didn’t quite work out, thank you Netflix).
> 
> I’ve forgotten all of it but perhaps there is something to be gleaned from the document…
> 
> —Dave
> 
> <igmp_guide.txt>
> 
>> On Jan 2, 2024, at 8:28 AM, Hitoshi Asaeda <asaeda@ieee.org> wrote:
>> 
>> [External Email. Be cautious of content]
>> 
>> 
>> Hi Brian and folks,
>> 
>> I have a different opinion about Lenny's comment.
>> 
>> Dependency or relation between protocol designs and operational issues (or policies) should be always minimized.
>> Protocol behavior should not be solidly relies on the address range.
>> 
>> IP multicast has a long history for allocating (or chopping) its address ranges. We had adopted complicated "address scopes" such as administrative/site-local/organization-local scope... How we can interact with SSM range and them?
>> I've just remembered GLOP. How SSM and GLOP can be interacted with?
>> One may deduce, no need to interact with them, use SSM range.
>> Then what address ranges are obsolete today? What range should be used now? Is its decision persistent?
>> Such a dirty hack or patch work is not sustainable for designing protocols.
>> 
>> What I'm saying here may be a bit too conceptual. So, please ignore the points if people agree to relying on the SSM range. However, even so, I guess the following point must be taken into account.
>> Section 2 in RFC4604 says;
>>  A host or router may be configured to apply SSM semantics to
>>  addresses other than those in the IANA-allocated range.  The GMP
>>  module on a host or router SHOULD have a configuration option to set
>>  the SSM address range(s).  If this configuration option exists, it
>>  MUST default to the IANA-allocated SSM range.  The mechanism for
>>  setting this configuration option MUST at least allow for manual
>>  configuration.  Protocol mechanisms to set this option may be defined
>>  in the future.
>> I think this paragraph implies that applications that want to invoke SSM services can use any multicast address range.
>> If RFC4604 should be the normative reference, RFC4604 itself must be also revised.
>> 
>> Regards,
>> 
>> Hitoshi
>> 
>> 
>>> On Jan 2, 2024, at 22:39, Brian Haberman <brian@innovationslab.net> wrote:
>>> 
>>> Lenny's assessment is correct from my perspective. Section 7.3.2 specifies that IGMP version compatibility is kept on a per-group basis. This should preclude compliant routers from disabling SSM service in the SSM address range.
>>> 
>>> Section 7.3.1 discusses the compatibility mode configuration option for IGMPv3 routers, but there is not a recommended default setting for that option.
>>> 
>>> Are there aspects of RFC 4604 that people think need to be updated?
>>> 
>>> Regards,
>>> Brian
>>> 
>>> On 12/19/23 4:09 PM, Leonard Giuliano wrote:
>>>> As I understand, RFC4604 explicitly prevents SSM service from being killed
>>>> by the presence of an IGMPv1/2 host (assuming the router is SSM aware,
>>>> which in 2023 is a fairly valid assumption).  That is bc the router should
>>>> ignore any v1/v2 reports in the ssm range (232/8).  And as I understand,
>>>> RFC3376 Sect 7.3.2 provides backwards compatibility for v1/2 hosts, but
>>>> only on a *per-group* basis- not for the whole LAN.
>>>> Combining the two, SSM service is protected in SSM range (232/8).  In
>>>> non-SSM range, due to backward compat, you could lose SSM behavior- but
>>>> since you are in non-SSM range, all bets were off in the first place.
>>>> So unless I'm missing something, I don't see see the risk of SSM being
>>>> killed by v3 backwards compatibility.  Adding DKatz, who know this stuff
>>>> way better than me in case I misinterpreted any of these specs.
>>>> -Lenny
>>>> On Mon, 18 Dec 2023, Holland, Jake wrote:
>>>> |
>>>> | On 12/14/23, 1:29 PM, "pim on behalf of Toerless Eckert" <pim-bounces@ietf.org <mailto:pim-bounces@ietf.org> on behalf of tte@cs.fau.de <mailto:tte@cs.fau.de>> wrote:
>>>> | > The elephant IMHO is that rfc3376bis is so far not including changes to IGMPv3 behaviors
>>>> | > about backeward compatibility with v1/v2 routers on the LAN, and exactly this behavior is
>>>> | > killing SSM in deployment because any such router when it becomes querier will kill SSM
>>>> | > ... because hosts will revert to v1/v2 and not report their SSM (S,G) memberships.
>>>> |
>>>> | +1, this is a serious problem.  The current default behavior bakes a DOS for SSM into the
>>>> | protocol.
>>>> |
>>>> | > If there are routers that have config options to disable this backward compatibility with
>>>> | > older routers, i would love to learn about it.
>>>> |
>>>> | When using linux routing there is `sysctl net.ipv4.force_igmp_version=3`, but it says because
>>>> | of the difference in the security considerations between MLD and IGMP it doesn't actually
>>>> | ignore v1 and v2 even when it's set:
>>>> | https://urldefense.com/v3/__https://sysctl-explorer.net/net/ipv4/force_igmp_version/__;!!NEt6yMaO-gk!BhrKkLRDUzon0XP8RebeJvai8X02-AU2RBEGA0iJrQsgSIeCPBd4KVVIUoc5jD59w8aYpNbAYiTFWo_sN87x_ZENUoioNQ$
>>>> |
>>>> | (MLD permits an "ignore v1 completely" setting, but says it should only be used when
>>>> | source filtering is critical:
>>>> | https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/rfc3810*section-10.2__;Iw!!NEt6yMaO-gk!BhrKkLRDUzon0XP8RebeJvai8X02-AU2RBEGA0iJrQsgSIeCPBd4KVVIUoc5jD59w8aYpNbAYiTFWo_sN87x_ZEHCk8UTw$  )
>>>> |
>>>> | > - Replace with something like:
>>>> | >
>>>> | > This revision of IGMPv3 version 3 removes automatic fallback to IGMP version 2 and version 1
>>>> | > routers on the same network as specified in [RFC3376]. Instead,
>>>> | > such older version router behavior MUST be explicitly configured.
>>>> |
>>>> | While I agree that to the greatest extent we can induce, IGMPv3 queriers from now
>>>> | on should maintain the capability to propagate SSM and accept IGMPv3 membership
>>>> | reports under all circumstances (even when there is an IGMPv1 or v2 receiver on the
>>>> | LAN), I'm not sure it makes sense to ship text that makes all the currently deployed
>>>> | routers retroactively non-compliant with a MUST in the new IGMPv3.
>>>> |
>>>> | But I'd support adding a section that describes the problem and provides a well-
>>>> | justified and strong recommendation that the default behavior be changed from
>>>> | what's in RFC 3376 and that a config option be provided to ignore IGMPv1 and v2
>>>> | packets, like with MLD.
>>>> |
>>>> | It might be worth saying something like now that we have RFC 8815 and in light of
>>>> | the experimental status of RFC 3618 (MSDP) and its deployment BCP in 4611, source
>>>> | filtering should always be considered critical for clients that support it?  (Not sure that's
>>>> | necessary, just a brainstorming idea to point to some of the docs that cover new
>>>> | operational experience since 3376...)
>>>> |
>>>> | > IGMPv3 routers MUST have a configuration option, disabled by default, to operate
>>>> | > as an IGMPv2 router. When enabled, all procedures of [RFC2236] apply. Configuring this
>>>> | > option is necessary in the presence of non-IGMPv3 capable IGMP snooping switches or
>>>> | > PIM routers. These are rare but may still be depoyed.
>>>> | >
>>>> | > When operating in IGMP version 3, routers MUST ignore version 1 and version 2 queries.
>>>> | > In version 3, the presence of those older version queries constitutes a misconfiguration
>>>> | > or attack, and these messages SHOULD result in logging of an error (rate-limited).
>>>> | >
>>>> | > - And in an appropriate part of the host behavior:
>>>> | >
>>>> | > IGMP version 3 hosts MUST have a configuration option, disabled by default, to ignore
>>>> | > IGMP version 1 and version 2 queries. This option SHOULD be auto-enabled when the host
>>>> | > is running SSM receiver applications, and hence depends on IGMP version 3 to operate in the
>>>> | > network.
>>>> | >
>>>> | > This is about as much as i think we can do if we still want to go full standard with rfc3376bis.
>>>> | > I can think of no operational deployment where the introduction of devices with existing
>>>> | > older RFC compatibility would cause interoperability issues. At worst the new router would
>>>> | > need to be explicitly configured for IGMPv2, which in my experience most routers deployed
>>>> | > into IGMPv3 environments are done anyhow.
>>>> | >
>>>> | > Comments welcome. Would love to see positive replies in which case i will be happy to explicitly
>>>> | > sugest the text changes for this elephant issue to the draft.
>>>> |
>>>> | Thanks for raising this, Toerless, the IGMP downgrade problem has been a major source of pain
>>>> | for some deployments that rely on SSM.
>>>> |
>>>> | - Jake
>>>> |
>>>> |
>>>> | _______________________________________________
>>>> | MBONED mailing list
>>>> | MBONED@ietf.org
>>>> | https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/mboned__;!!NEt6yMaO-gk!BhrKkLRDUzon0XP8RebeJvai8X02-AU2RBEGA0iJrQsgSIeCPBd4KVVIUoc5jD59w8aYpNbAYiTFWo_sN87x_ZG9c7AK9g$
>>>> |
>>> _______________________________________________
>>> MBONED mailing list
>>> MBONED@ietf.org
>>> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/mboned__;!!NEt6yMaO-gk!CdCLpafWuYi5H5RtrXjSntQWEXq4pVwYPcx3vYhCezHPEQLfj04lbhOJPl4t7LCjKcwHNQokMyBl$
>> 
>

v2.23.0 | Report a Bug | By Email