IETF Logo Mail Archive

Re: [pim] IGMPv3 backward compatibility issue killing SSM (was: Re: pim wglc for 3228bis, 3376bis and 3810bis)

"Holland, Jake" <jholland@akamai.com> Mon, 18 December 2023 23:56 UTC

Return-Path: <jholland@akamai.com>
X-Original-To: pim@ietfa.amsl.com
Delivered-To: pim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EDACC14CE5E; Mon, 18 Dec 2023 15:56:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KdMX3YoTuAeb; Mon, 18 Dec 2023 15:56:38 -0800 (PST)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC059C14CE22; Mon, 18 Dec 2023 15:56:37 -0800 (PST)
Received: from pps.filterd (m0122330.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.17.1.22/8.17.1.22) with ESMTP id 3BIHn0SW012337; Mon, 18 Dec 2023 23:56:24 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h= from:to:subject:date:message-id:references:in-reply-to :content-type:content-id:content-transfer-encoding:mime-version; s=jan2016.eng; bh=sQYf3mKox1tZnaNeVN6CSiyf8QrN/xwLRVY8ijyD184=; b= SnxZbjFj3onxslOZOq6XUv/4lsLHFWeYJefR29eShqJvopLHo7AsRdebKC+ju8M4 WxJaNHH37nkq5wJhrOJqYZV63AqYpyij875KJw3AmvmPEg8gEZifqdIiw1f6MzNP zGxvtIrjz31SgVo0JuZZ6HI2vFJORkoW6ETY7mNgk6j2eLlGXIWyNhgw5aFd64XY BEDaecrZ42qygTXd+WIUpmUeNWVtMw2uoUnRgxEgk8wMp68REDnYod1/5/FBUn+B GWZpdVJETPAejHwvSvXxvOr/plI1MpLbBl5AAxBesYkCl6MNdqkB1ZSIw3zDpzYo NTo2/H+vLL3/Rx9N86RH4A==
Received: from prod-mail-ppoint4 (a72-247-45-32.deploy.static.akamaitechnologies.com [72.247.45.32] (may be forged)) by mx0b-00190b01.pphosted.com (PPS) with ESMTPS id 3v2stakqjt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Dec 2023 23:56:23 +0000 (GMT)
Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.17.1.19/8.17.1.19) with ESMTP id 3BILtJK2007510; Mon, 18 Dec 2023 18:56:23 -0500
Received: from email.msg.corp.akamai.com ([172.27.50.207]) by prod-mail-ppoint4.akamai.com (PPS) with ESMTPS id 3v18424c3u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Dec 2023 18:56:23 -0500
Received: from ustx2ex-dag4mb5.msg.corp.akamai.com (172.27.50.204) by ustx2ex-dag4mb8.msg.corp.akamai.com (172.27.50.207) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Mon, 18 Dec 2023 15:56:22 -0800
Received: from ustx2ex-dag4mb5.msg.corp.akamai.com ([172.27.50.204]) by ustx2ex-dag4mb5.msg.corp.akamai.com ([172.27.50.204]) with mapi id 15.02.1258.028; Mon, 18 Dec 2023 15:56:22 -0800
From: "Holland, Jake" <jholland@akamai.com>
To: Toerless Eckert <tte@cs.fau.de>, Stig Venaas <stig@venaas.com>, "zzhang@juniper.net" <zzhang@juniper.net>, "brian@innovationslab.net" <brian@innovationslab.net>, "n.leymann@telekom.de" <n.leymann@telekom.de>, "pim@ietf.org" <pim@ietf.org>, "mboned@ietf.org" <mboned@ietf.org>, "fenner@fenron.com" <fenner@fenron.com>
Thread-Topic: [pim] IGMPv3 backward compatibility issue killing SSM (was: Re: pim wglc for 3228bis, 3376bis and 3810bis)
Thread-Index: AQHaLtSvtgCtmNvzYUW6x/6Anu/ccLCveV+A
Date: Mon, 18 Dec 2023 23:56:22 +0000
Message-ID: <EDE809A0-E672-4A3B-9F46-E08ECD3D4C23@akamai.com>
References: <CAHANBtKf03ukXH4sgwN0WVdkaVXnbRYdAGBDmQK56YXrS-z6yA@mail.gmail.com> <CAHANBtKdfS0cPceqv8_R+ToeGOBdUksH7gArKqegqSt_Q0Sf0Q@mail.gmail.com> <ZXtzwBljE45Og27f@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <ZXtzwBljE45Og27f@faui48e.informatik.uni-erlangen.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.79.23120117
x-originating-ip: [172.27.164.43]
Content-Type: text/plain; charset="utf-8"
Content-ID: <A6961EFD6D007B46972EF62A81B8D3A5@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-12-18_15,2023-12-14_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 bulkscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 malwarescore=0 spamscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2311290000 definitions=main-2312180177
X-Proofpoint-GUID: PenkozsrI3ECW9Gk4Z1i7cqFuM5ZRh0V
X-Proofpoint-ORIG-GUID: PenkozsrI3ECW9Gk4Z1i7cqFuM5ZRh0V
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-12-18_15,2023-12-14_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 spamscore=0 lowpriorityscore=0 malwarescore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 suspectscore=0 priorityscore=1501 bulkscore=0 clxscore=1011 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2311290000 definitions=main-2312180178
Archived-At: <https://mailarchive.ietf.org/arch/msg/pim/XZrE3n8Ec3b3zpOSRtlQT8wN62E>
Subject: Re: [pim] IGMPv3 backward compatibility issue killing SSM (was: Re: pim wglc for 3228bis, 3376bis and 3810bis)
X-BeenThere: pim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Protocol Independent Multicast <pim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pim>, <mailto:pim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pim/>
List-Post: <mailto:pim@ietf.org>
List-Help: <mailto:pim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pim>, <mailto:pim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2023 23:56:42 -0000

On 12/14/23, 1:29 PM, "pim on behalf of Toerless Eckert" <pim-bounces@ietf.org <mailto:pim-bounces@ietf.org> on behalf of tte@cs.fau.de <mailto:tte@cs.fau.de>> wrote:
> The elephant IMHO is that rfc3376bis is so far not including changes to IGMPv3 behaviors
> about backeward compatibility with v1/v2 routers on the LAN, and exactly this behavior is
> killing SSM in deployment because any such router when it becomes querier will kill SSM
> ... because hosts will revert to v1/v2 and not report their SSM (S,G) memberships.

+1, this is a serious problem.  The current default behavior bakes a DOS for SSM into the
protocol.

> If there are routers that have config options to disable this backward compatibility with
> older routers, i would love to learn about it.

When using linux routing there is `sysctl net.ipv4.force_igmp_version=3`, but it says because
of the difference in the security considerations between MLD and IGMP it doesn't actually
ignore v1 and v2 even when it's set:
https://sysctl-explorer.net/net/ipv4/force_igmp_version/

(MLD permits an "ignore v1 completely" setting, but says it should only be used when
source filtering is critical:
https://datatracker.ietf.org/doc/html/rfc3810#section-10.2 )

> - Replace with something like:
>
> This revision of IGMPv3 version 3 removes automatic fallback to IGMP version 2 and version 1
> routers on the same network as specified in [RFC3376]. Instead,
> such older version router behavior MUST be explicitly configured.

While I agree that to the greatest extent we can induce, IGMPv3 queriers from now
on should maintain the capability to propagate SSM and accept IGMPv3 membership
reports under all circumstances (even when there is an IGMPv1 or v2 receiver on the
LAN), I'm not sure it makes sense to ship text that makes all the currently deployed
routers retroactively non-compliant with a MUST in the new IGMPv3.

But I'd support adding a section that describes the problem and provides a well-
justified and strong recommendation that the default behavior be changed from
what's in RFC 3376 and that a config option be provided to ignore IGMPv1 and v2
packets, like with MLD.

It might be worth saying something like now that we have RFC 8815 and in light of
the experimental status of RFC 3618 (MSDP) and its deployment BCP in 4611, source
filtering should always be considered critical for clients that support it?  (Not sure that's
necessary, just a brainstorming idea to point to some of the docs that cover new
operational experience since 3376...)

> IGMPv3 routers MUST have a configuration option, disabled by default, to operate
> as an IGMPv2 router. When enabled, all procedures of [RFC2236] apply. Configuring this
> option is necessary in the presence of non-IGMPv3 capable IGMP snooping switches or
> PIM routers. These are rare but may still be depoyed.
>
> When operating in IGMP version 3, routers MUST ignore version 1 and version 2 queries.
> In version 3, the presence of those older version queries constitutes a misconfiguration
> or attack, and these messages SHOULD result in logging of an error (rate-limited).
>
> - And in an appropriate part of the host behavior:
>
> IGMP version 3 hosts MUST have a configuration option, disabled by default, to ignore
> IGMP version 1 and version 2 queries. This option SHOULD be auto-enabled when the host
> is running SSM receiver applications, and hence depends on IGMP version 3 to operate in the
> network.
>
> This is about as much as i think we can do if we still want to go full standard with rfc3376bis.
> I can think of no operational deployment where the introduction of devices with existing
> older RFC compatibility would cause interoperability issues. At worst the new router would
> need to be explicitly configured for IGMPv2, which in my experience most routers deployed
> into IGMPv3 environments are done anyhow.
>
> Comments welcome. Would love to see positive replies in which case i will be happy to explicitly
> sugest the text changes for this elephant issue to the draft.

Thanks for raising this, Toerless, the IGMP downgrade problem has been a major source of pain
for some deployments that rely on SSM.

- Jake

v2.23.0 | Report a Bug | By Email