[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00 01 02

Mboned                                                          T. Chown
Internet-Draft                                 University of Southampton
Intended status: Informational                              July 4, 2011
Expires: January 5, 2012


                     Multicast Filtering Practices
               draft-chown-mboned-multicast-filtering-00

Abstract

   Operators of multicast networks may apply various filters to
   multicast traffic at boundary routers or on MSDP peerings.  The aim
   of this text is to document existing filtering practices, with a view
   to generating some discussion towards producing guidance on best
   filtering practice.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 5, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Chown                    Expires January 5, 2012                [Page 1]


Internet-Draft        Multicast Filtering Practices            July 2011


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Border and MSDP Filtering . . . . . . . . . . . . . . . . . . . 3
   3.  Subnet filtering  . . . . . . . . . . . . . . . . . . . . . . . 5
   4.  Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . 5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . . . 5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5
   8.  Informative References  . . . . . . . . . . . . . . . . . . . . 6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 6








































Chown                    Expires January 5, 2012                [Page 2]


Internet-Draft        Multicast Filtering Practices            July 2011


1.  Introduction

   Multicast filtering can be applied at a multicast boundary or on an
   MSDP peering as a means to prevent unintended leakage of multicast
   traffic beyond its desired scope.  An informal discussion of
   filtering practices suggested that those practices vary from
   organisation to organisation.  The aim of this text is to gather and
   document commonly used existing filtering practices.  Whether it is
   then possible to draw up a definitive best practice is to be
   determined; it is quite possible that due to the shifting nature of
   the target that a point-in-time recommendation would quickly be
   overtaken by events.  For example, the recent addition of unicast
   prefix-based IPv4 multicast addresses [RFC6034] meant that filtering
   of all of 234.0.0.0/8 became undesirable.  However, general
   principles may remain valid over time.

   For sites on academic research networks, some examples of filtering
   recommendations already exists, e.g. in documentation [I2multicast]
   from the Internet2 Multicast WG, and in the JANET IPv4 Multicast
   Guide [JANETmulticast].

   An additional resource is the registry of IPv4 multicast address
   space held by IANA [IANAmulticast].  This registry should be a
   definitive guide to the formal use of ranges of addresses within the
   overall IPv4 multicast address space.  A similar registry is
   maintained for IPv6 multicast address space [IANA6multicast].

   This text is a very early draft, aimed at soliciting feedback, both
   on content and whether the goal of the draft is actually worthwhile.
   Different sites may have different requirements.  There may also be
   issues with handling scope boundaries that need to be considered.  So
   there may be general principles that could be captured in a document
   such as this, even if specific filtering rules are not included.


2.  Border and MSDP Filtering

   In this section we summarise IPv4 multicast addresses that are
   commonly filtered at site borders or on MSDP peerings.  Based on
   responses we received from a couple of multicast community lists, it
   wasn't clear which filters are applied on border routers and which on
   MSDP SA messages.  Some sites apply minimal traffic filters, but
   heavier MSDP filtering.

   Some sites choose to route multicast around their unicast firewalls,
   for performance or other operational reasons, but this shouldn't
   alter the requirement to filter groups appropriately where necessary.




Chown                    Expires January 5, 2012                [Page 3]


Internet-Draft        Multicast Filtering Practices            July 2011


   In this section we draw on the small number contributions so far; we
   hope to get more inputs in time.  In general, many 224.0.0.*
   addresses that are used by infrastructure are typically blocked, as
   well as some addresses that are global scope but should not be, like
   Ghostcast.  Local scope multicast should also generally be
   constrained to the intended site scope.

   The following list currently includes multicast IP addresses that are
   being filtered based on the union of responses received so far (hence
   the apparent duplication of certain prefixes).  The list of filters
   applied by all respondents would be somewhat shorter.

   224.0.1.2       SGI-Dogfight
   224.0.1.3       Rwhod
   224.0.1.8       SUN NIS+
   224.0.1.20      any private experiment
   224.0.1.22      SVRLOC
   224.0.1.24      microsoft-ds
   224.0.1.25      nbc-pro
   224.0.1.35      SVRLOC-DA
   224.0.1.39      cisco-rp-announce
   224.0.1.40      cisco-rp-discovery
   224.0.1.41      gatekeeper
   224.0.1.60      hp-device-disc
   224.0.1.65      iapp
   224.0.1.76      IAPP
   224.0.2.1       rwho
   224.0.2.2       SUN RPC
   224.0.2.3       EPSON-disc-set
   224.0.23.1      Ricoh-device-ctrl
   224.0.23.2      Ricoh-device-ctrl
   224.1.0.1       ?
   224.77.0.0/16   Norton Ghost
   224.101.101.101 ?
   225.1.2.3       Altiris
   226.77.0.0/16   ?
   229.55.150.208  Norton Ghost
   234.42.42.0/30  ?
   234.42.42.40/30 ImageCast
   234.142.142.42/31       ImageCast
   234.142.142.44/30       ImageCast
   234.142.142.48/28       ImageCast
   234.142.142.64/26       ImageCast
   234.142.142.128/29      ImageCast
   234.142.142.136/30      ImageCast
   234.142.142.140/31      ImageCast
   234.142.142.142 ImageCast
   239.0.0.0/8     Scoped groups



Chown                    Expires January 5, 2012                [Page 4]


Internet-Draft        Multicast Filtering Practices            July 2011


   239.252.0.0/14  Scoped groups

   Different networks make different use of the scoped address space
   under 239.0.0.0/8, which may lead to different organisational filters
   in different scenarios.

   The SSM range 232.0.0.0/8 should not be carried in MSDP peerings.

   As a general principle, multicast sourced from private address ranges
   [RFC1918] or from 169.254.0.0/16, 192.0.2.0/24 or 127.0.0.0/8 should
   be dropped, regardless of the multicast destination.

   In certain cases, rate limiting may be desirable, where complete
   filtering might not, e.g. in mitigating against SAP [RFC2974] storms,
   or against unintended MSDP SA bursts.


3.  Subnet filtering

   Two respondents are currently filtering uPNP between subnets, and one
   is filtering mDNS.  One reason for the uPNP filtering was due to
   issues with errant Ricoh printers which flood announcements with too-
   large TTLs.


4.  Conclusions

   This text is a very drafty first version of a document aimed to
   summarise the use of multicast filtering practices in the wild.  It
   includes filters at various boundaries as well as MSDP SA filters.
   Further feedback on the text, and the practices reported to date is
   welcomed.


5.  Security Considerations

   There are no extra security consideration for this document.


6.  IANA Considerations

   There are no extra IANA consideration for this document.


7.  Acknowledgments

   The author would like to thank the following people for their
   contributions to this text: Scott Bertilson, Alan Buxey, Bruce



Chown                    Expires January 5, 2012                [Page 5]


Internet-Draft        Multicast Filtering Practices            July 2011


   Curtis, Andy Gatward, Jeffry J. Handal, Lonnie Leger, and William F.
   Maton Sotomayor.


8.  Informative References

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
              E. Lear, "Address Allocation for Private Internets",
              BCP 5, RFC 1918, February 1996.

   [RFC2974]  Handley, M., Perkins, C., and E. Whelan, "Session
              Announcement Protocol", RFC 2974, October 2000.

   [RFC6034]  Thaler, D., "Unicast-Prefix-Based IPv4 Multicast
              Addresses", RFC 6034, October 2010.

   [JANETmulticast]
              Price, D., "IPv4 Multicast on JANET", 2006, <http://
              www.ja.net/documents/publications/technical-guides/
              ipv4-multicast-web.pdf>.

   [IANA6multicast]
              "IPv6 Multicast Address Space Registry", <http://
              www.iana.org/assignments/ipv6-multicast-addresses/
              ipv6-multicast-addresses.xml>.

   [IANAmulticast]
              "IPv4 Multicast Address Space Registry", <http://
              www.iana.org/assignments/multicast-addresses/
              multicast-addresses.xml>.

   [I2multicast]
              "Enabling IP Multicast with Internet2", <http://
              noc.net.internet2.edu/i2network/multicast-cookbook.html>.


Author's Address

   Tim Chown
   University of Southampton
   Highfield
   Southampton, Hampshire  SO17 1BJ
   United Kingdom

   Email: tjc@ecs.soton.ac.uk






Chown                    Expires January 5, 2012                [Page 6]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/