
RFC 8487

Mtrace Version 2: Traceroute Facility for IP Multicast

Pages: 41
Proposed Standard
Part 2 of 2 – Pages 22 to 41

Top   ToC   RFC8487 - Page 22   prevText

4. Router Behavior

This section describes the router behavior in the context of Mtrace2 in detail.

4.1. Receiving an Mtrace2 Query

An Mtrace2 Query message is an Mtrace2 message with no response blocks filled in and uses a TLV Type of 0x01.

4.1.1. Query Packet Verification

Upon receiving an Mtrace2 Query message, a router MUST examine whether the Multicast Address and the Source Address are a valid combination as specified in Section 3.2.1, and whether the Mtrace2 Client Address is a valid IP unicast address. If either one is invalid, the Query MUST be silently ignored.
   Mtrace2 supports a non-local client to the LHR/RP.  A router MUST,
   however, support a mechanism to drop Queries from clients beyond a
   specified administrative boundary.  The potential approaches are
   described in Section 9.2.

   In the case where a local LHR client is required, the router must
   then examine the Query to see if it is the proper LHR/RP for the
   destination address in the packet.  It is the proper local LHR if it
   has a multicast-capable interface on the same subnet as the Mtrace2
   Client Address and is the router that would forward traffic from the
   given (S,G) or (*,G) onto that subnet.  It is the proper RP if the
   multicast group address specified in the Query is 0 and if the IP
   header destination address is a valid RP address on this router.

   If the router determines that it is not the proper LHR/RP, or it
   cannot make that determination, it does one of two things depending
   on whether the Query was received via multicast or unicast.  If the
   Query was received via multicast, then it MUST be silently discarded.
   If it was received via unicast, the router turns the Query into a
   Reply message by changing the TLV Type to 0x03 and appending a
   Standard Response Block with a Forwarding Code of WRONG_LAST_HOP.
   The rest of the fields in the Standard Response Block MUST be zeroed.
   The router then sends the Reply message to the Mtrace2 Client Address
   on the Client Port # as specified in the Mtrace2 Query.

   Duplicate Query messages as identified by the tuple (Mtrace2 Client
   Address, Query ID) SHOULD be ignored.  This MAY be implemented using
   a cache of previously processed Queries keyed by the Mtrace2 Client
   Address and Query ID pair.  The duration of the cached entries is
   implementation specific.  Duplicate Request messages MUST NOT be
   ignored in this manner.

4.1.2. Query Normal Processing

When a router receives an Mtrace2 Query and determines that it is the proper LHR/RP, it turns the Query into a Request by changing the TLV Type from 0x01 to 0x02, and it performs the steps listed in Section 4.2.

4.2. Receiving an Mtrace2 Request

An Mtrace2 Request is an Mtrace2 message that uses the TLV Type of 0x02. With the exception of the LHR, whose Request was just converted from a Query, each Request received by a router should have at least one Standard Response Block filled in.

4.2.1. Request Packet Verification

If the Mtrace2 Request does not come from an adjacent router, or if the Request is not addressed to this router, or if the Request is addressed to a multicast group that is not a link-scoped group (i.e., 224.0.0.0/24 for IPv4 and FFx2::/16 for IPv6 [2]), it MUST be silently ignored. The Generalized TTL Security Mechanism (GTSM) [13] SHOULD be used by the router to determine whether the sending router is adjacent or not. Source verification as specified in Section 9.2 is also applied. If the sum of the number of Standard Response Blocks in the received Mtrace2 Request and the Value of the Augmented Response Type 0x01 block, if any, is equal to or greater than the # Hops in the Mtrace2 Request, it MUST be silently ignored.

4.2.2. Request Normal Processing

When a router receives an Mtrace2 Request message, it performs the following steps. Note that it is possible to have multiple situations covered by the Forwarding Codes. The first one encountered is the one that is reported, i.e., all "note Forwarding Code N" should be interpreted as "if Forwarding Code is not already set, set Forwarding Code to N". Note that in the steps described below, the "Outgoing Interface" is the one on which the Mtrace2 Request message arrives.

   1.   Prepare a Standard Response Block to be appended to the packet,
        setting all fields to an initial default value of zero.

   2.   If Mtrace2 is administratively prohibited, note the Forwarding
        Code of ADMIN_PROHIB and skip to step 4.

   3.   In the Standard Response Block, fill in the Query Arrival Time,
        Outgoing Interface Address (for IPv4) or Outgoing Interface ID
        (for IPv6), Output Packet Count, and Fwd TTL (for IPv4).

   4.   Attempt to determine the forwarding information for the
        specified source and group, using the same mechanisms as would
        be used when a packet is received from the source destined for
        the group.  A state need not be instantiated; it can be a
        "phantom" state created only for the purpose of the trace, such
        as "dry-run".  If using a shared-tree protocol and there is no
        source-specific state, or if no source-specific information is
        desired (i.e., all ones for IPv4 or an unspecified address (::)
        for IPv6), group state should be used.  If there is no group
        state or no group-specific information is desired, potential
        source state (i.e., the path that would be followed for a
        source-specific "join") should be used.

   5.   If no forwarding information can be determined, the router notes
        a Forwarding Code of NO_ROUTE, sets the remaining fields that
        have not yet been filled in to zero, and then sends an Mtrace2
        Reply back to the Mtrace2 client.

   6.   If a Forwarding Code of ADMIN_PROHIB has been set, skip to step
        7.  Otherwise, fill in the Incoming Interface Address (or
        Incoming Interface ID and Local Address for IPv6), Upstream
        Router Address (or Remote Address for IPv6), Input Packet Count,
        Total Number of Packets, Routing Protocol, S, and Src Mask (or
        Src Prefix Len for IPv6) using the forwarding information
        determined in step 4.

   7.   If the Outgoing Interface is not enabled for multicast, note
        Forwarding Code of NO_MULTICAST.  If the Outgoing Interface is
        the interface from which the router would expect data to arrive
        from the source, note Forwarding Code RPF_IF.  If the Outgoing
        Interface is not one to which the router would forward data from
        the source or RP to the group, a Forwarding Code of WRONG_IF is
        noted.  In the above three cases, the router will return an
        Mtrace2 Reply and terminate the trace.

   8.   If the group is subject to administrative scoping on either the
        Outgoing or Incoming Interfaces, a Forwarding Code of SCOPED is
        noted.

   9.   If this router is the RP for the group for a non-source-specific
        Query, note a Forwarding Code of REACHED_RP.  The router will
        send an Mtrace2 Reply and terminate the trace.

   10.  If this router is directly connected to the specified source or
        source network on the Incoming Interface, it sets the Upstream
        Router Address (for IPv4) or the Remote Address (for IPv6) of
        the response block to zero.  The router will send an Mtrace2
        Reply and terminate the trace.

   11.  If this router has sent a prune upstream that applies to the
        source and group in the Mtrace2 Request, it notes a Forwarding
        Code of PRUNE_SENT.  If the router has stopped forwarding
        downstream in response to a prune sent by the downstream router,
        it notes a Forwarding Code of PRUNE_RCVD.  If the router should
        normally forward traffic downstream for this source and group
        but is not, it notes a Forwarding Code of NOT_FORWARDING.
   12.  If this router is a gateway (e.g., a NAT or firewall) that hides
        the information between this router and the Mtrace2 client, it
        notes a Forwarding Code of REACHED_GW.  The router continues the
        processing as described in Section 4.5.

   13.  If the total number of the Standard Response Blocks, including
        the newly prepared one, and the value of the Augmented Response
        Type of 0x01, if any, is less than the # Hops in the Request,
        the packet is then forwarded to the upstream router as described
        in Section 4.3; otherwise, the packet is sent as an Mtrace2
        Reply to the Mtrace2 client as described in Section 4.4.

4.3. Forwarding Mtrace2 Request

This section describes how an Mtrace2 Request should be forwarded.

4.3.1. Destination Address

If the upstream router for the Mtrace2 Request is known for this Request, the Mtrace2 Request is sent to that router. If the Incoming Interface is known but the upstream router is not, the Mtrace2 Request is sent to an appropriate multicast address on the Incoming Interface. The multicast address SHOULD depend on the multicast routing protocol in use, such as ALL-[protocol]-ROUTERS group. It MUST be a link-scoped group (i.e., 224.0.0.0/24 for IPv4 and FF02::/16 for IPv6) and MUST NOT be the all-systems multicast group (224.0.0.1) for IPv4 and All Nodes Address (FF02::1) for IPv6. It MAY also be the all-routers multicast group (224.0.0.2) for IPv4 or All Routers Address (FF02::2) for IPv6 if the routing protocol in use does not define a more appropriate multicast address.

4.3.2. Source Address

An Mtrace2 Request should be sent with the address of the Incoming Interface. However, if the Incoming Interface is unnumbered, the router can use one of its numbered interface addresses as the source address.

4.3.3. Appending Standard Response Block

An Mtrace2 Request MUST be sent upstream towards the source or the RP after appending a Standard Response Block to the end of the received Mtrace2 Request. The Standard Response Block includes the multicast states and statistics information of the router described in Section 3.2.4.
   If appending the Standard Response Block would make the Mtrace2
   Request packet longer than the MTU of the Incoming Interface, or, in
   the case of IPv6, longer than 1280 bytes, the router MUST change the
   Forwarding Code in the last Standard Response Block of the received
   Mtrace2 Request into NO_SPACE.  The router then turns the Request
   into a Reply and sends the Reply as described in Section 4.4.

   The router will continue with a new Request by copying the old
   Request, excluding all the response blocks, followed by the
   previously prepared Standard Response Block and an Augmented Response
   Block with 0x01 as the Augmented Response Type, and the number of the
   returned Standard Response Blocks as the Value.

4.4. Sending Mtrace2 Reply

An Mtrace2 Reply MUST be returned to the client by a router if any of the following conditions occur:

   1.   The total number of the traced routers is equal to the # Hops
        in the Request (including the one just added) plus the number
        of the returned blocks, if any.

   2.   Appending the Standard Response Block would make the Mtrace2
        Request packet longer than the MTU of the Incoming Interface.
        (In case of IPv6, not more than 1280 bytes; see Section 4.3.3
        for additional details on the handling of this case.)

   3.   The Request has reached the RP for a non-source-specific Query
        or has reached the first-hop router for a source-specific Query
        (see Section 4.2.2, items 9 and 10, for additional details).

4.4.1. Destination Address

An Mtrace2 Reply MUST be sent to the address specified in the Mtrace2 Client Address field in the Mtrace2 Request.

4.4.2. Source Address

An Mtrace2 Reply SHOULD be sent with the address of the router's Outgoing Interface. However, if the Outgoing Interface address is unnumbered, the router can use one of its numbered interface addresses as the source address.

4.4.3. Appending Standard Response Block

An Mtrace2 Reply MUST be sent with the prepared Standard Response Block appended at the end of the received Mtrace2 Request except in the case of NO_SPACE Forwarding Code.

4.5. Proxying Mtrace2 Query

When a gateway (e.g., a NAT or firewall), which needs to block unicast packets to the Mtrace2 client, or hide information between the gateway and the Mtrace2 client, receives an Mtrace2 Query from an adjacent host or Mtrace2 Request from an adjacent router, it appends a Standard Response Block with REACHED_GW as the Forwarding Code. It turns the Query or Request into a Reply and sends the Reply back to the client.

At the same time, the gateway originates a new Mtrace2 Query message by copying the original Mtrace2 header (the Query or Request without any of the response blocks) and making the following changes:

   o  setting the RPF interface's address as the Mtrace2 Client Address;

   o  using its own port number as the Client Port #; and,

   o  decreasing # Hops by ((number of the Standard Response Blocks that
      were just returned in a Reply) - 1).

The "- 1" in this expression accounts for the additional Standard Response Block appended by the gateway router. The new Mtrace2 Query message is then sent to the upstream router or to an appropriate multicast address on the RPF interface.

When the gateway receives an Mtrace2 Reply whose Query ID matches the one in the original Mtrace2 header, it MUST relay the Mtrace2 Reply back to the Mtrace2 client by replacing the Reply's header with the original Mtrace2 header. If the gateway does not receive the corresponding Mtrace2 Reply within the [Mtrace Reply Timeout] period (see Section 5.8.4), then it silently discards the original Mtrace2 Query or Request message and terminates the trace.

4.6. Hiding Information

Information about a domain's topology and connectivity may be hidden from Mtrace2 Requests. The Forwarding Code of INFO_HIDDEN may be used to note that. For example, the Incoming Interface address and packet count on the ingress router of a domain, and the Outgoing Interface address and packet count on the egress router of the domain, can be specified as all ones. Additionally, the source-group packet count (see Sections 3.2.4 and 3.2.5) within the domain may be all ones if it is hidden.

5. Client Behavior

This section describes the behavior of an Mtrace2 client in detail.

5.1. Sending Mtrace2 Query

An Mtrace2 client initiates an Mtrace2 Query by sending the Query to the LHR of interest.

5.1.1. Destination Address

If an Mtrace2 client knows the proper LHR, it unicasts an Mtrace2 Query packet to that router; otherwise, it MAY send the Mtrace2 Query packet to the all-routers multicast group (224.0.0.2) for IPv4 or All Routers Address (FF02::2) for IPv6. This will ensure that the packet is received by the LHR on the subnet. See also Section 5.4 on determining the LHR.

5.1.2. Source Address

An Mtrace2 Query MUST be sent with the client's interface address, which is the Mtrace2 Client Address.

5.2. Determining the Path

An Mtrace2 client could send an initial Query message with a large # Hops, in order to try to trace the full path. If this attempt fails, one strategy is to perform a linear search (as the traditional unicast traceroute program does); set the # Hops field to 1 and try to get a Reply, then 2, and so on. If no Reply is received at a certain hop, this hop is identified as the probable cause of forwarding failures on the path. Nevertheless, the sender may attempt to continue tracing past the non-responding hop by further increasing the hop count in the hope that further hops may respond. Each of these attempts MUST NOT be initiated before the previous attempt has terminated either because of successful reception of a Reply or because the [Mtrace Reply Timeout] timeout has occurred. See also Section 5.6 on receiving the results of a trace.

5.3. Collecting Statistics

After a client has determined that it has traced the whole path or as much as it can expect to (see Section 5.8), it might collect statistics by waiting a short time and performing a second trace. If the path is the same in the two traces, statistics can be displayed as described in Sections 7.3 and 7.4.

5.4. Last-Hop Router (LHR)

The Mtrace2 client may not know which is the last-hop router, or that router may be behind a firewall that blocks unicast packets but passes multicast packets. In these cases, the Mtrace2 Request should be multicasted to the all-routers multicast group (224.0.0.2) for IPv4 or All Routers Address (FF02::2) for IPv6. All routers except the correct last-hop router SHOULD ignore any Mtrace2 Request received via multicast.

5.5. First-Hop Router (FHR)

The IANA assigned 224.0.1.32 as the default multicast group for old IPv4 mtrace (v1) responses, in order to support mtrace clients that are not unicast reachable from the first-hop router. Mtrace2, however, does not require any IPv4/IPv6 multicast addresses for the Mtrace2 Replies. Every Mtrace2 Reply is sent to the unicast address specified in the Mtrace2 Client Address field of the Mtrace2 Reply.

5.6. Broken Intermediate Router

A broken intermediate router might simply not understand Mtrace2 packets and drop them. The Mtrace2 client will get no Reply at all as a result. It should then perform a hop-by-hop search by setting the # Hops field until it gets an Mtrace2 Reply. The client may use linear or binary search; however, the latter is likely to be slower because a failure requires waiting for the [Mtrace Reply Timeout] period.

5.7. Non-supported Router

When a non-supported router receives an Mtrace2 Query or Request message whose destination address is a multicast address, the router will silently discard the message. When the router receives an Mtrace2 Query that is destined to itself, the router returns an Internet Control Message Protocol (ICMP) port unreachable to the Mtrace2 client. On the other hand, when the router receives an Mtrace2 Request that is destined to itself, the router returns an ICMP port unreachable to the adjacent router from which the Request was received. Therefore, the Mtrace2 client needs to terminate the trace when the [Mtrace Reply Timeout] timeout has occurred, and it may then issue another Query with a lower number of # Hops.

5.8. Mtrace2 Termination

When performing an expanding hop-by-hop trace, it is necessary to determine when to stop expanding.

5.8.1. Arriving at Source

A trace can be determined to have arrived at the source if the Incoming Interface of the last router in the trace is non-zero, but the upstream router is zero.

5.8.2. Fatal Error

A trace has encountered a fatal error if the last Forwarding Error in the trace has the 0x80 bit set.

5.8.3. No Upstream Router

A trace cannot continue if the last upstream router in the trace is set to 0.

5.8.4. Reply Timeout

This document defines the [Mtrace Reply Timeout] value, which is used to time out an Mtrace2 Reply as seen in Sections 4.5, 5.2, and 5.7. The default [Mtrace Reply Timeout] value is 10 (seconds) and can be manually changed on the Mtrace2 client and routers.

5.9. Continuing after an Error

When the NO_SPACE error occurs, as described in Section 4.2, a router will send back an Mtrace2 Reply to the Mtrace2 client and continue with a new Request (see Section 4.3.3). In this case, the Mtrace2 client may receive multiple Mtrace2 Replies from different routers along the path. When this happens, the client MUST treat them as a single Mtrace2 Reply message by collating the Augmented Response Blocks of subsequent Replies sharing the same Query ID, sequencing each cluster of Augmented Response Blocks based on the order in which they are received.

If a trace times out, it is very likely that a router in the middle of the path does not support Mtrace2. That router's address will be in the Upstream Router field of the last Standard Response Block in the last received Reply. A client may be able to determine a list of neighbors of the non-responding router (e.g., by using the Simple Network Management Protocol (SNMP) [12] [14]). The neighbors obtained in this way could then be probed (via the multicast MIB [14]) to determine which one is the upstream neighbor (i.e., an RPF neighbor) of the non-responding router. This algorithm can identify the upstream neighbor because, even though there may be multiple neighbors, the non-responding router should only have sent a "join" to the one neighbor corresponding to its selected RPF path. Because of this, only the RPF neighbor should contain the non-responding router as a multicast next hop in its MIB output list for the affected multicast route.

6. Protocol-Specific Considerations

This section describes the Mtrace2 behavior with the presence of different multicast protocols.

6.1. PIM-SM

When an Mtrace2 reaches a PIM-SM RP, and the RP does not forward the trace on, it means that the RP has not performed a source-specific join, so there is no more state to trace. However, the path that traffic would use if the RP did perform a source-specific join can be traced by setting the trace destination to the RP, the trace source to the traffic source, and the trace group to 0. This Mtrace2 Query may be unicasted to the RP, and the RP takes the same actions as an LHR.

6.2. Bidirectional PIM

Bidirectional PIM [4] is a variant of PIM-SM that builds bidirectional shared trees that connect multicast sources and receivers. Along the bidirectional shared trees, multicast data is natively forwarded from the sources to the Rendezvous Point Link (RPL), and from which, to receivers without requiring source-specific state. In contrast to PIM-SM, Bidirectional PIM always has the state to trace. A Designated Forwarder (DF) for a given Rendezvous Point Address (RPA) is in charge of forwarding downstream traffic onto its link and forwarding upstream traffic from its link towards the RPL that the RPA belongs to. Hence, Mtrace2 Reply reports DF addresses or RPA along the path.

6.3. PIM-DM

Routers running PIM - Dense Mode (PIM-DM) [11] do not know the path packets would take unless traffic is flowing. Without some extra protocol mechanism, this means that in an environment with multiple possible paths with branch points on shared media, Mtrace2 can only trace existing paths, not potential paths. When there are multiple possible paths but the branch points are not on shared media, the upstream router is known, but the LHR may not know that it is the appropriate last hop.

   When traffic is flowing, PIM-DM routers know whether or not they are
   the LHR for the link (because they won or lost an Assert battle) and
   know who the upstream router is (because it won an Assert battle).
   Therefore, Mtrace2 is always able to follow the proper path when
   traffic is flowing.

6.4. IGMP/MLD Proxy

When an IGMP or Multicast Listener Discovery (MLD) Proxy [3] receives an Mtrace2 Query packet on an Incoming Interface, it notes a WRONG_IF in the Forwarding Code of the last Standard Response Block (see Section 3.2.4) and sends the Mtrace2 Reply back to the Mtrace2 client. On the other hand, when an Mtrace2 Query packet reaches an Outgoing Interface of the IGMP/MLD proxy, it is forwarded onto its Incoming Interface towards the upstream router.

7. Problem Diagnosis

This section describes different scenarios in which Mtrace2 can be used to diagnose the multicast problems.

7.1. Forwarding Inconsistencies

The Forwarding Error code can tell if a group is unexpectedly pruned or administratively scoped.

7.2. TTL or Hop-Limit Problems

By taking the maximum of hops from the source and forwarding the TTL threshold over all hops, it is possible to discover the TTL or hop limit required for the source to reach the destination.

7.3. Packet Loss

By taking multiple traces, it is possible to find packet-loss information by tracking the difference between the output packet count for the specified source-group address pair at a given upstream router and the input packet count on the next-hop downstream router. On a point-to-point link, any steadily increasing difference in these counts implies packet loss. Although the packet counts will differ due to Mtrace2 Request propagation delay, the difference should remain essentially constant (except for jitter caused by differences in propagation time among the trace iterations). However, this difference will display a steady increase if packet loss is occurring. On a shared link, the count of input packets can be larger than the number of output packets at the previous hop, due to other routers or hosts on the link injecting packets. This appears as "negative loss", which may mask real packet loss.

   In addition to the counts of input and output packets for all
   multicast traffic on the interfaces, the Standard Response Block
   includes a count of the packets forwarded by a node for the specified
   source-group pair.  Taking the difference in this count between two
   traces and then comparing those differences between two hops gives a
   measure of packet loss just for traffic from the specified source to
   the specified receiver via the specified group.  This measure is not
   affected by shared links.

   On a point-to-point link that is a multicast tunnel, packet loss is
   usually due to congestion in unicast routers along the path of that
   tunnel.  On native multicast links, loss is more likely in the output
   queue of one hop, perhaps due to priority dropping, or in the input
   queue at the next hop.  The counters in the Standard Response Block
   do not allow these cases to be distinguished.  Differences in packet
   counts between the Incoming and Outgoing Interfaces on one node
   cannot generally be used to measure queue overflow in the node.

7.4. Link Utilization

Again, with two traces, you can divide the difference in the input or output packet counts at some hop by the difference in timestamps from the same hop to obtain the packet rate over the link. If the average packet size is known, then the link utilization can also be estimated to see whether packet loss may be due to the rate limit or the physical capacity on a particular link being exceeded.

7.5. Time Delay

If the routers have synchronized clocks, it is possible to estimate propagation and queuing delay from the differences between the timestamps at successive hops. However, this delay includes control processing overhead, so is not necessarily indicative of the delay that data traffic would experience.
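Sections 7.3 to 7.5 above, worked as an added Python example that is not part of the RFC: it derives interface loss (flagging the shared-link "negative loss" case), source-group loss, packet rate, link utilization and per-hop delay from two constructed traces of the same path, and treats the all-ones counters of Section 4.6 as hidden. The Block class is a constructed model of the statistics fields of a Standard Response Block, not the wire format, and the sample traces are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

HIDDEN = 0xFFFFFFFF   # "all ones": a counter hidden by the domain (Section 4.6)

@dataclass
class Block:
    """Statistics fields of a Standard Response Block (constructed model, not the wire format)."""
    arrival_ms: int    # Query Arrival Time, here in milliseconds
    iif: str           # Incoming Interface Address
    upstream: str      # Upstream Router Address ("0.0.0.0" when the source is directly connected)
    in_pkts: int       # Input Packet Count (all multicast on the Incoming Interface)
    out_pkts: int      # Output Packet Count (all multicast on the Outgoing Interface)
    sg_pkts: int       # Total Number of Packets forwarded for this source-group pair

def same_path(t1: List[Block], t2: List[Block]) -> bool:
    """Section 5.3: statistics are only meaningful if both traces followed the same path."""
    return [(b.iif, b.upstream) for b in t1] == [(b.iif, b.upstream) for b in t2]

def delta(a: int, b: int) -> Optional[int]:
    """Counter change between the two traces, or None if the counter is hidden in either."""
    if a == HIDDEN or b == HIDDEN:
        return None
    return (b - a) & 0xFFFFFFFF        # tolerate a 32-bit counter wrap

def sub(x: Optional[int], y: Optional[int]) -> Optional[int]:
    return None if x is None or y is None else x - y

def link_stats(t1: List[Block], t2: List[Block]):
    """Per-link statistics from two traces of the same path. Blocks are in Reply order:
    index 0 is the last-hop router and index i+1 is the upstream neighbour of index i."""
    if not same_path(t1, t2):
        return None
    stats = []
    for i in range(len(t1) - 1):
        down1, down2, up1, up2 = t1[i], t2[i], t1[i + 1], t2[i + 1]
        up_out = delta(up1.out_pkts, up2.out_pkts)      # put onto the link by the upstream hop
        down_in = delta(down1.in_pkts, down2.in_pkts)   # seen on the link by the downstream hop
        iface_loss = sub(up_out, down_in)               # Section 7.3, interface counters
        sg_loss = sub(delta(up1.sg_pkts, up2.sg_pkts),  # Section 7.3, source-group counter:
                      delta(down1.sg_pkts, down2.sg_pkts))   # unaffected by shared links
        secs = (up2.arrival_ms - up1.arrival_ms) / 1000
        rate = None if up_out is None or secs <= 0 else up_out / secs   # Section 7.4
        stats.append({
            "link": f"{down1.upstream} -> {down1.iif}",
            "iface_loss": iface_loss,
            "negative_loss": iface_loss is not None and iface_loss < 0,  # shared-link artefact
            "sg_loss": sg_loss,
            "rate_pps": rate,
            "delay_ms": up1.arrival_ms - down1.arrival_ms,   # Section 7.5; needs synchronized clocks
        })
    return stats

def utilization(rate_pps: float, avg_bytes: int, link_bps: float) -> float:
    """Section 7.4: fraction of link capacity in use, given the average packet size."""
    return rate_pps * avg_bytes * 8 / link_bps

# Constructed sample: two traces of a three-hop path taken 10 s apart; the first-hop router
# hides its source-group count (INFO_HIDDEN, Section 4.6) and reports a zero upstream
# router, i.e. the trace arrived at the source (Section 5.8.1).
TRACE1 = [
    Block(1000, "10.0.1.2", "10.0.1.1", 5000, 4800, 1000),     # last-hop router
    Block(1002, "10.0.2.2", "10.0.2.1", 8000, 5000, 1000),
    Block(1005, "192.0.2.1", "0.0.0.0", 9000, 8000, HIDDEN),   # first-hop router
]
TRACE2 = [
    Block(11000, "10.0.1.2", "10.0.1.1", 5995, 5790, 1995),
    Block(11002, "10.0.2.2", "10.0.2.1", 9010, 6000, 2000),
    Block(11005, "192.0.2.1", "0.0.0.0", 10000, 9020, HIDDEN),
]
```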

8. IANA Considerations

The following registries have been created and are maintained under the "Specification Required" registry policy as specified in [6].

8.1. "Mtrace2 Forwarding Codes" Registry

This registry holds integers in the range 0-255. Assignment of a Forwarding Code requires specification of a value and a name for the Forwarding Code. Initial values for the Forwarding Codes are given in the table at the end of Section 3.2.4. Additional values (specific to IPv6) may also be specified at the end of Section 3.2.5. Any additions to this registry are required to fully describe the conditions under which the new Forwarding Code is used.

8.2. "Mtrace2 TLV Types" Registry

Assignment of a TLV Type requires specification of an integer value "Code" in the range 0-255 and a name ("Type"). Initial values for the TLV Types are given in the table at the beginning of Section 3.2.

8.3. UDP Destination Port

IANA has assigned UDP user port 33435 (mtrace) for use by this protocol as the Mtrace2 UDP destination port.

9. Security Considerations

This section addresses some of the security considerations related to Mtrace2.

9.1. Addresses in Mtrace2 Header

An Mtrace2 header includes three addresses: a source address, a multicast address, and an Mtrace2 Client Address. These addresses MUST be congruent with the definition defined in Section 3.2.1, and forwarding Mtrace2 messages that have invalid addresses MUST be prohibited. For instance, if the Mtrace2 Client Address specified in an Mtrace2 header is a multicast address, then a router that receives the Mtrace2 message MUST silently discard it.

9.2. Verification of Clients and Peers

A router providing Mtrace2 functionality MUST support a source- verification mechanism to drop Queries from clients and Requests from peer router or client addresses that are unauthorized or that are beyond a specified administrative boundary. This verification could, for example, be specified via a list of allowed/disallowed clients and peer addresses or subnets for a given Mtrace2 message type sent to the Mtrace2 protocol port. If a Query or Request is received from an unauthorized address or one beyond the specified administrative boundary, the Query/Request MUST NOT be processed. The router MAY, however, perform rate-limited logging of such events.
   The required use of source verification on the participating routers
   minimizes the possible methods for introduction of spoofed Query/
   Request packets that would otherwise enable DoS amplification attacks
   targeting an authorized "query" host.  The source verification
   mechanisms provide this protection by allowing Query messages from an
   authorized host address to be received only by the router(s)
   connected to that host and only on the interface to which that host
   is attached.  For protection against spoofed Request messages, the
   source-verification mechanisms allow Request messages only from a
   directly connected routing peer and allow these messages to be
   received only on the interface to which that peer is attached.

   Note that the following vulnerabilities cannot be covered by the
   source verification methods described here.  These methods can,
   nevertheless, prevent attacks launched from outside the boundaries of
   a given network as well as from any hosts within the network that are
   not on the same LAN as an intended authorized query client.

   o  A server/router "B" other than the server/router "A" that actually
      "owns" a given IP address could, if it is connected to the same
      LAN, send an Mtrace2 Query or Request with the source address set
      to the address for server/router "A".  This is not a significant
      threat, however, if only trusted servers and routers are connected
      to that LAN.

   o  A malicious application running on a trusted server or router
      could send packets that might cause an amplification problem.  It
      is beyond the scope of this document to protect against a DoS
      attack launched from the same host that is the target of the
      attack or from another "on path" host, but this is not a likely
      threat scenario.  In addition, routers on the path MAY rate-limit
      the packets as specified in Sections 9.5 and 9.6.
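An added Python sketch of the source verification that Section 9.2 requires; it is not the RFC's code nor any implementation's. Queries are accepted only from an authorized client prefix on the interface that client is attached to; Requests (and, following Section 9.7.2, Replies) only from a configured directly connected peer on its own interface, with the GTSM adjacency check of Section 4.2.1 (a directly connected sender arrives with TTL/hop limit 255); rejections go through a rate-limited log. The SourcePolicy shape and the sample addresses are constructed assumptions.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

QUERY, REQUEST, REPLY = 0x01, 0x02, 0x03   # Mtrace2 TLV Types named on this page
GTSM_TTL = 255                              # GTSM: a directly connected sender arrives with TTL 255

@dataclass(frozen=True)
class Packet:
    """The parts of a received Mtrace2 message this check looks at (constructed model)."""
    tlv_type: int
    src: str        # IP source address
    iface: str      # interface the packet arrived on
    ttl: int        # IPv4 TTL or IPv6 hop limit

@dataclass
class SourcePolicy:
    """Per-interface allow lists in the spirit of Section 9.2 (constructed; the RFC leaves the form open)."""
    query_clients: Dict[str, List[str]]   # interface -> client prefixes allowed to send Queries there
    request_peers: Dict[str, Set[str]]    # interface -> directly connected routing peers on it
    gtsm: bool = True                     # additionally require GTSM adjacency for Requests/Replies

def check_source(policy: SourcePolicy, pkt: Packet) -> Tuple[bool, str]:
    """Return (accept, reason). A rejected Query/Request MUST NOT be processed."""
    if pkt.tlv_type == QUERY:
        # Queries only from an authorized client, and only on the interface that client is attached to.
        src = ipaddress.ip_address(pkt.src)
        for prefix in policy.query_clients.get(pkt.iface, []):
            if src in ipaddress.ip_network(prefix, strict=False):
                return True, "authorized client"
        return False, "query from unauthorized or non-local client"
    if pkt.tlv_type in (REQUEST, REPLY):
        # Requests (and Replies) only from a directly connected peer, on the interface it is attached to.
        if pkt.src not in policy.request_peers.get(pkt.iface, set()):
            return False, "not a configured peer on this interface"
        if policy.gtsm and pkt.ttl != GTSM_TTL:
            return False, "GTSM: sender is not adjacent"
        return True, "adjacent peer"
    return False, "unknown TLV type"

class RateLimitedLog:
    """Section 9.2: the router MAY log rejections; rate-limiting keeps the log from being flooded."""
    def __init__(self, max_events: int, window_s: float):
        self.max_events, self.window_s = max_events, window_s
        self.recent: deque = deque()      # timestamps of events logged inside the window
        self.lines: List[str] = []

    def log(self, now: float, line: str) -> bool:
        while self.recent and now - self.recent[0] >= self.window_s:
            self.recent.popleft()
        if len(self.recent) >= self.max_events:
            return False                  # suppressed
        self.recent.append(now)
        self.lines.append(f"{now:.0f} {line}")
        return True

def receive(policy: SourcePolicy, log: RateLimitedLog, now: float, pkt: Packet) -> bool:
    """Apply the source check to one received packet; returns whether it may be processed."""
    ok, why = check_source(policy, pkt)
    if not ok:
        log.log(now, f"drop mtrace2 type={pkt.tlv_type:#04x} src={pkt.src} if={pkt.iface}: {why}")
    return ok

# Constructed sample: clients live on 192.0.2.0/24 behind eth1; the only routing peer is
# 10.0.0.1 on eth0.
POLICY = SourcePolicy(query_clients={"eth1": ["192.0.2.0/24"]},
                      request_peers={"eth0": {"10.0.0.1"}})
```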

9.3. Topology Discovery

Mtrace2 can be used to discover any actively used topology. If your network topology is a secret, Mtrace2 may be restricted at the border of your domain, using the ADMIN_PROHIB Forwarding Code.

9.4. Characteristics of Multicast Channel

Mtrace2 can be used to discover what sources are sending to what groups and at what rates. If this information is a secret, Mtrace2 may be restricted at the border of your domain, using the ADMIN_PROHIB Forwarding Code.

9.5. Limiting Query/Request Rates

A router may limit Mtrace2 Queries and Requests by ignoring some of the consecutive messages. The router MAY randomly ignore the received messages to minimize the processing overhead, i.e., to keep fairness in processing Queries or prevent traffic amplification. The rate limit is left to the router's implementation.

9.6. Limiting Reply Rates

The proxying and NO_SPACE behaviors may result in one Query returning multiple Reply messages. In order to prevent abuse, the routers in the traced path MAY need to rate-limit the Replies. The rate-limit function is left to the router's implementation.
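Sections 9.5 and 9.6 leave the rate-limiting mechanism to the implementation. The following is an added illustration of one such mechanism, not code from RFC 8487 or from any router: a token bucket per direction (received Query/Request, emitted Reply) that, as the bucket drains, ignores messages with increasing probability, so that one burst source cannot consume the whole budget and other clients still get a share (the "fairness" Section 9.5 mentions). The rates, burst sizes, timings and RNG seed are constructed values.

```python
"""Rate limiting of Mtrace2 inbound Queries/Requests and outbound Replies.

Added example, not code from RFC 8487 or any router.  Sections 9.5 and 9.6
leave the mechanism to the implementation; this one uses a token bucket per
direction and, as the bucket drains, drops messages with increasing
probability (random early drop) so that a single burst cannot monopolise
the remaining budget.  Rates, burst sizes and timings are constructed values.
"""
import random
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate: float            # tokens added per second
    capacity: float        # burst size
    pressure: float = 0.5  # below this fill level, start random drops
    tokens: float = -1.0   # -1 means "start full"
    last: float = 0.0      # time of the last refill

    def __post_init__(self):
        if self.tokens < 0:
            self.tokens = self.capacity

    def admit(self, now: float, rng: random.Random) -> bool:
        # Refill proportionally to elapsed time, never beyond capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False                      # hard limit reached
        fill = self.tokens / self.capacity
        if fill < self.pressure and rng.random() > fill / self.pressure:
            return False                      # random early drop under load
        self.tokens -= 1.0
        return True


class Mtrace2RateLimiter:
    """Separate budgets for received Query/Request and for emitted Reply."""

    def __init__(self, in_rate=10.0, in_burst=5, out_rate=20.0, out_burst=10, seed=None):
        self.inbound = TokenBucket(in_rate, in_burst)
        self.outbound = TokenBucket(out_rate, out_burst)
        self.rng = random.Random(seed)
        self.stats = {"in_ok": 0, "in_drop": 0, "out_ok": 0, "out_drop": 0}

    def admit_query_or_request(self, now: float) -> bool:
        ok = self.inbound.admit(now, self.rng)
        self.stats["in_ok" if ok else "in_drop"] += 1
        return ok

    def admit_reply(self, now: float) -> bool:
        ok = self.outbound.admit(now, self.rng)
        self.stats["out_ok" if ok else "out_drop"] += 1
        return ok


def simulate(count: int, interval: float, seed: int = 1) -> dict:
    """Feed `count` inbound messages spaced `interval` seconds apart.

    Each admitted message is assumed to trigger one Reply (proxying or
    NO_SPACE, Section 9.6, can produce more, which the outbound bucket
    would also absorb).  Returns the limiter's counters.
    """
    lim = Mtrace2RateLimiter(seed=seed)
    for i in range(count):
        now = i * interval
        if lim.admit_query_or_request(now):
            lim.admit_reply(now)
    return dict(lim.stats)
```

With the constructed defaults, a burst of 100 messages at the same instant is cut to the burst size of 5 and the rest are ignored, while a steady stream of 10 messages per second is admitted in full; the early-drop region (below half a bucket) is where a second client competing with a burst source still has a non-zero chance of being served.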

9.7. Specific Security Concerns

9.7.1. Request and Response Bombardment

A malicious sender could generate invalid and undesirable Mtrace2 traffic to hosts and/or routers on a network by eliciting responses to spoofed or multicast client addresses. This could be done via forged or multicast client/source addresses in Mtrace2 Query or Request messages. The recommended protections against this type of attack are described in Sections 9.1, 9.2, 9.5, and 9.6.

9.7.2. Amplification Attack

Because an Mtrace2 Query results in Mtrace2 Request and Mtrace2 Reply messages that are larger than the original message, the potential exists for an amplification attack from a malicious sender. This threat is minimized by restricting the set of addresses from which Mtrace2 messages can be received on a given router as specified in Section 9.2. In addition, for a router running a PIM protocol (PIM-SM, PIM-DM, PIM - Source-Specific Multicast (PIM-SSM), or Bidirectional PIM), the router SHOULD drop any Mtrace2 Request or Reply message that is received from an IP address that does not correspond to an authenticated PIM neighbor on the interface from which the packet is received. The intent of this text is to prevent non-router endpoints from injecting Request messages. Implementations of non-PIM protocols SHOULD employ some other mechanism to prevent this attack.
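The interface-scoped source verification of Section 9.2 (Query only from a directly connected host on the interface it is attached to; Request only from a directly connected routing peer) and the PIM-neighbor check of this section can be expressed as one admission decision per received message. The following is an added example of such a check, not code from RFC 8487 or from any router implementation; interface names, prefixes and neighbor addresses are constructed sample data, message kinds are modelled as strings rather than TLV types, and the configured list of remote Query clients is an assumed way of admitting the non-local clients Section 9.2 allows.

```python
"""Interface-scoped source verification for Mtrace2 messages.

Added illustration, not code from RFC 8487 or from any router
implementation.  It models the checks of Sections 9.2 and 9.7.2:

  * a Query is admitted only from a host on a subnet directly connected
    to the receiving interface (or from an explicitly configured remote
    client, since Section 9.2 allows non-local clients);
  * a Request or Reply is admitted only from an authenticated PIM
    neighbor on the receiving interface, so that non-router endpoints
    cannot inject them;
  * Queries arriving on an interface marked as an administrative
    boundary are dropped (the ADMIN_PROHIB case).

Interface names, prefixes and neighbor addresses below are constructed
sample data; message kinds are modelled as strings rather than TLV types.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple


@dataclass
class Interface:
    name: str
    subnets: Tuple[str, ...]                 # directly connected prefixes
    pim_neighbors: frozenset = frozenset()   # authenticated PIM neighbors
    admin_boundary: bool = False             # drop Queries crossing here


@dataclass(frozen=True)
class Mtrace2Msg:
    kind: str     # "query", "request" or "reply"
    src: str      # IP source address of the packet
    iface: str    # interface on which the packet arrived


class SourceVerifier:
    def __init__(self, interfaces, remote_clients=()):
        self.ifaces = {i.name: i for i in interfaces}
        # Non-local Query clients an operator chose to admit (Section 9.2).
        self.remote_clients = {ip_address(a) for a in remote_clients}

    @staticmethod
    def _directly_connected(iface: Interface, addr) -> bool:
        return any(addr in ip_network(p) for p in iface.subnets)

    def check(self, msg: Mtrace2Msg) -> Tuple[bool, str]:
        """Return (accepted, reason) for a received Mtrace2 message."""
        iface = self.ifaces.get(msg.iface)
        if iface is None:
            return False, "unknown interface"
        addr = ip_address(msg.src)
        # Multicast or unspecified sources are never valid senders.
        if addr.is_multicast or addr.is_unspecified:
            return False, "invalid source address"

        if msg.kind == "query":
            if iface.admin_boundary:
                return False, "query crosses administrative boundary"
            if self._directly_connected(iface, addr):
                return True, "query from directly connected host"
            if addr in self.remote_clients:
                return True, "query from configured remote client"
            return False, "query source not on this interface's subnet"

        if msg.kind in ("request", "reply"):
            # Only a routing peer may originate these; require an
            # authenticated PIM neighbor on the very interface of arrival.
            if addr in {ip_address(n) for n in iface.pim_neighbors}:
                return True, f"{msg.kind} from PIM neighbor"
            return False, f"{msg.kind} source is not a PIM neighbor here"

        return False, "unknown message kind"


# Constructed sample topology: eth0 faces a trusted LAN, eth1 is the
# domain border where Queries are administratively prohibited.
SAMPLE_INTERFACES = [
    Interface("eth0", ("192.0.2.0/24",), frozenset({"192.0.2.1"})),
    Interface("eth1", ("198.51.100.0/24",), frozenset({"198.51.100.2"}),
              admin_boundary=True),
]


def demo():
    v = SourceVerifier(SAMPLE_INTERFACES, remote_clients=["203.0.113.9"])
    cases = [
        Mtrace2Msg("query", "192.0.2.10", "eth0"),     # local client
        Mtrace2Msg("query", "192.0.2.10", "eth1"),     # arrives on the border
        Mtrace2Msg("query", "203.0.113.9", "eth0"),    # admitted remote client
        Mtrace2Msg("request", "192.0.2.10", "eth0"),   # host injecting Request
        Mtrace2Msg("request", "192.0.2.1", "eth0"),    # genuine routing peer
        Mtrace2Msg("reply", "198.51.100.2", "eth1"),   # peer across border
    ]
    return {(m.kind, m.src, m.iface): v.check(m) for m in cases}
```

The check is deliberately keyed on the arrival interface as well as the source address: a packet carrying a neighbor's address but arriving on a different interface is dropped, which is what limits the residual risk to the on-LAN cases listed at the end of Section 9.2.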

9.7.3. Leaking of Confidential Topology Details

Mtrace2 Queries are a potential mechanism for obtaining confidential topology information for a targeted network. Sections 9.2 and 9.4 describe required and optional methods for ensuring that information delivered with Mtrace2 messages is not disseminated to unauthorized hosts.

9.7.4. Delivery of False Information (Forged Reply Messages)

Forged Reply messages could potentially provide a host with invalid or incorrect topology information. They could also provide invalid or incorrect information regarding multicast traffic statistics, multicast stream propagation delay between hops, multicast and unicast protocols in use between hops and other information used for analyzing multicast traffic patterns, and troubleshooting multicast traffic problems. This threat is mitigated by the following factors:

   o  The required source verification of permissible source addresses
      specified in Section 9.2 eliminates the origination of forged
      Replies from addresses that have not been authorized to send
      Mtrace2 messages to routers on a given network.  This mechanism
      can block forged Reply messages sent from any "off path" source.

   o  To forge a Reply, the sender would need to somehow know (or guess)
      the associated 2-byte Query ID for an extant Query and the
      dynamically allocated source port number.  Because "off path"
      sources can be blocked by a source verification mechanism, the
      scope of this threat is limited to "on path" attackers.

   o  The required use of source verification (Section 9.2) and
      recommended use of PIM neighbor authentication (Section 9.7.2) for
      messages that are only valid when sent by a multicast routing peer
      (Request and Reply messages) eliminate the possibility of
      reception of a forged Reply from an authorized host address that
      does not belong to a multicast peer router.

   o  The use of encryption between the source of a Query and the
      endpoint of the trace would provide a method to protect the values
      of the Query ID and the dynamically allocated client (source) port
      (see Section 3.2.1).  These are the values needed to create a
      forged Reply message that would pass validity checks at the
      querying client.  This type of cryptographic protection is not
      practical, however, because the primary reason for executing an
      Mtrace2 is that the destination endpoint (and path to that
      endpoint) are not known by the querying client.  While it is not
      practical to provide cryptographic protection between a client and
      the Mtrace2 endpoints (destinations), it may be possible to
      prevent forged responses from "off path" nodes attached to any
      Mtrace2 transit LAN by devising a scheme to encrypt the critical
      portions of an Mtrace2 message between each valid sender/receiver
      pair at each hop to be used for multicast/Mtrace2 transit.  The
      use of encryption protection between nodes is, however, out of the
      scope of this document.
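The second factor above is the validity check a querying client performs: a Reply is only meaningful if it echoes the Query ID of a Query that is still outstanding and is delivered to the port that Query was sent from. The following is an added example of that client-side state and check, not code from RFC 8487 or from any mtrace client; message fields are modelled as Python attributes rather than the on-the-wire encoding, the 10-second timeout is an assumed value, and the addresses and RNG seed in the demo are constructed. It keeps the entry after the first matching Reply because, per Section 9.6, proxying or NO_SPACE can legitimately produce several Replies for one Query.

```python
"""Client-side validation of Mtrace2 Reply messages.

Added example, not code from RFC 8487.  Section 9.7.4 notes that a forged
Reply must carry the Query ID of an outstanding Query and be delivered to
the client's dynamically allocated port; this class keeps that state for
every Query the client has issued and discards Replies that do not match,
have expired, or refer to a different (S,G).  Message fields are modelled
as Python attributes rather than the on-the-wire encoding; addresses,
timeouts and the RNG seed used in the demo are constructed values.
"""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pending:
    query_id: int      # 16-bit Query ID (Section 3.2.1)
    client_port: int   # ephemeral UDP port the Query was sent from
    group: str
    source: str
    sent_at: float


@dataclass(frozen=True)
class Reply:
    query_id: int      # Query ID echoed from the Query block
    dst_port: int      # UDP port the Reply was delivered to
    group: str
    source: str


class Mtrace2Client:
    TIMEOUT = 10.0     # assumed: seconds to wait for (possibly several) Replies

    def __init__(self, rng: Optional[random.Random] = None):
        self.rng = rng or random.SystemRandom()
        self.pending: Dict[Tuple[int, int], Pending] = {}

    def issue_query(self, group: str, source: str, now: float) -> Pending:
        """Allocate an unused Query ID and source port; remember the pair."""
        while True:
            qid = self.rng.getrandbits(16)
            port = self.rng.randrange(49152, 65536)   # IANA dynamic port range
            if (qid, port) not in self.pending:
                break
        p = Pending(qid, port, group, source, now)
        self.pending[(qid, port)] = p
        return p

    def accept_reply(self, r: Reply, now: float) -> Tuple[bool, str]:
        p = self.pending.get((r.query_id, r.dst_port))
        if p is None:
            return False, "no outstanding Query with this ID on this port"
        if now - p.sent_at > self.TIMEOUT:
            del self.pending[(r.query_id, r.dst_port)]
            return False, "Query expired"
        # The Reply must describe the channel that was actually asked about.
        if (r.group, r.source) != (p.group, p.source):
            return False, "Reply (S,G) does not match the Query"
        # Deliberately keep the entry: proxying or NO_SPACE (Section 9.6)
        # can legitimately yield several Replies for one Query.
        return True, "Reply matches an outstanding Query"

    def finish(self, p: Pending) -> None:
        """Forget a Query once the client is done with its Replies."""
        self.pending.pop((p.query_id, p.client_port), None)


def demo() -> dict:
    c = Mtrace2Client(random.Random(7))
    q = c.issue_query("233.252.0.1", "192.0.2.50", now=0.0)
    genuine = Reply(q.query_id, q.client_port, q.group, q.source)
    forged_id = Reply((q.query_id + 1) & 0xFFFF, q.client_port, q.group, q.source)
    other_port = 49152 if q.client_port != 49152 else 49153
    wrong_port = Reply(q.query_id, other_port, q.group, q.source)
    wrong_sg = Reply(q.query_id, q.client_port, q.group, "203.0.113.1")
    out = {
        "genuine": c.accept_reply(genuine, 1.0)[0],
        "second_genuine": c.accept_reply(genuine, 2.0)[0],   # NO_SPACE/proxy case
        "forged_id": c.accept_reply(forged_id, 1.0)[0],
        "wrong_port": c.accept_reply(wrong_port, 1.0)[0],
        "wrong_sg": c.accept_reply(wrong_sg, 1.0)[0],
        "late": c.accept_reply(genuine, 60.0)[0],
        "after_expiry": c.accept_reply(genuine, 61.0)[0],
    }
    q2 = c.issue_query("233.252.0.2", "192.0.2.51", now=0.0)
    c.finish(q2)
    out["after_finish"] = c.accept_reply(
        Reply(q2.query_id, q2.client_port, q2.group, q2.source), 1.0)[0]
    return out
```

Bounding the lifetime of each (Query ID, port) pair is what keeps the check useful: an entry that lives forever would eventually let a stale or replayed Reply through, and the unpredictability of both values is what confines forgery to an attacker who can actually observe the Query on the path.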


Acknowledgements

This specification started largely as a transcription of Van Jacobson's slides from the 30th IETF meeting and the implementation in mrouted 3.3 by Ajit Thyagarajan. Van's original slides credit Steve Casner, Steve Deering, Dino Farinacci, and Deb Agrawal. The original multicast traceroute client, mtrace (version 1), has been implemented by Ajit Thyagarajan, Steve Casner, and Bill Fenner. The idea of the S bit to allow statistics for a source subnet is due to Tom Pusateri. For the Mtrace version 2 specification, the authors would like to give special thanks to Tatsuya Jinmei, Bill Fenner, and Steve Casner. Also, extensive comments were received from David L. Black, Ronald Bonica, Yiqun Cai, Liu Hui, Bharat Joshi, Robert Kebler, John Kristoff, Mankamana Mishra, Heidi Ou, Eric Rescorla, Pekka Savola, Shinsuke Suzuki, Dave Thaler, Achmad Husni Thamrin, Stig Venaas, Cao Wei, and the MBONED Working Group members.

Authors' Addresses

Hitoshi Asaeda
National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi
Koganei, Tokyo 184-8795
Japan

Email: asaeda@nict.go.jp


Kerry Meyer
Dell EMC
176 South Street
Hopkinton, MA 01748
United States

Email: kerry.meyer@me.com


WeeSan Lee (editor)

Email: weesan@weesan.com