troglobit / pimd

PIM-SM/SSM multicast routing for UNIX and Linux
http://troglobit.com/projects/pimd/
BSD 3-Clause "New" or "Revised" License

fix: reject IGMPv2 for SSM group #230

Closed stormshield-sylvainm closed 1 year ago

stormshield-sylvainm commented 1 year ago

For this request, in IGMPv2, all Membership reports for groups in the SSM range are rejected.

troglobit commented 1 year ago

This change I'm not so sure of. Do you have any reference to an RFC that says we should ignore v2 reports?

Thing is this: on a shared LAN, switches implementing IGMP snooping may back down to the lowest common IGMP version if any end-device on that LAN starts sending with a lower version.

I'm actually quite suspicious in general of the SSM support in pimd. It has proven several times to have derailed some critical functionality and caused backwards incompatibility problems.

stormshield-sylvainm commented 1 year ago

We have found this RFC for SSM: https://datatracker.ietf.org/doc/html/rfc4607#section-8. This patch is not valid as is; there is no check whether the interface is in v2 or v3. If the interface is v3, the SSM range is valid; if the interface is v2, the SSM range does not exist. This test should be done everywhere in pimd...

troglobit commented 1 year ago

Ah, there it is. Thank you! (saving!) Always great to include a reference, or the reasoning/why for a change. For future reference.

Yeah, this is very difficult to solve, not just in pimd, but also on a system level. IGMP snooping switches usually cannot filter on (S,G), only on (*,G), and what's worse, they usually only support L2 filtering using RFC1112 translation from the IPv4 multicast range to 01:00:5e:xx:yy:zz.
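
Added example, not part of the thread and not pimd's code: a sketch of the per-interface check discussed above (drop an IGMPv2 report for an SSM group only when the interface runs IGMPv3), together with the RFC 1112 address mapping that makes L2 filtering unable to tell an SSM group from other groups. The function names, the use of the default 232.0.0.0/8 SSM range, and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Default SSM range 232.0.0.0/8 (RFC 4607); addresses in host byte order. */
#define SSM_NET  0xE8000000u
#define SSM_MASK 0xFF000000u

static int in_ssm_range(uint32_t group)
{
    return (group & SSM_MASK) == SSM_NET;
}

/* Hypothetical helper: on an interface running IGMPv3 the SSM range applies,
 * so a v2 report for an SSM group is dropped (returns 0). On an interface
 * running v2 the SSM range does not exist and the report is accepted. */
static int accept_v2_report(int ifc_igmp_version, uint32_t group)
{
    if (ifc_igmp_version >= 3 && in_ssm_range(group))
        return 0;
    return 1;
}

/* RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group. */
static void group_to_mac(uint32_t group, uint8_t mac[6])
{
    mac[0] = 0x01; mac[1] = 0x00; mac[2] = 0x5e;
    mac[3] = (group >> 16) & 0x7f;   /* top bit of this octet is discarded */
    mac[4] = (group >> 8) & 0xff;
    mac[5] = group & 0xff;
}

/* True when two groups share one L2 address and cannot be told apart. */
static int same_l2_address(uint32_t a, uint32_t b)
{
    uint8_t ma[6], mb[6];
    group_to_mac(a, ma);
    group_to_mac(b, mb);
    return memcmp(ma, mb, sizeof(ma)) == 0;
}

int main(void)
{
    uint32_t ssm = 0xE8010203u, asm_grp = 0xE0010203u; /* constructed: 232.1.2.3, 224.1.2.3 */
    printf("v2 report, v3 interface, SSM group: %s\n",
           accept_v2_report(3, ssm) ? "accept" : "drop");
    printf("v2 report, v2 interface, SSM group: %s\n",
           accept_v2_report(2, ssm) ? "accept" : "drop");
    printf("232.1.2.3 and 224.1.2.3 share a MAC: %d\n", same_l2_address(ssm, asm_grp));
    return 0;
}
```

Because only 23 of the 28 variable group bits survive the mapping, 32 IPv4 groups share each MAC address, so a switch filtering on the L2 address treats 232.1.2.3 and 224.1.2.3 identically.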