From: Andrew Lunn <andrew@lunn.ch>
To: Kevin Cernekee <cernekee@chromium.org>
Cc: netdev@vger.kernel.org
Subject: Re: Incorrect source IP address on IGMP membership report
Date: Sat, 9 Dec 2017 17:01:16 +0100 [thread overview]
Message-ID: <20171209160116.GA2299@lunn.ch> (raw)
In-Reply-To: <CAJzqFtbXdrFYmRj7r1CF+1jH0KcH8EVG-yVdF3yMcAdzHWL5_A@mail.gmail.com>
On Fri, Dec 08, 2017 at 09:25:58PM -0800, Kevin Cernekee wrote:
> Closing a multicast socket after the final IPv4 address is deleted
> from an interface will generate a membership report that uses the
> source IP from a different interface. The following test script, run
> from an isolated netns, reproduces the issue:
>
> #!/bin/bash
>
> ip link add dummy0 type dummy
> ip link add dummy1 type dummy
> ip link set dummy0 up
> ip link set dummy1 up
> ip addr add 10.1.1.1/24 dev dummy0
> ip addr add 192.168.99.99/24 dev dummy1
>
> tcpdump -U -i dummy0 -w dummy0.pcap &
> socat EXEC:"sleep 2" UDP4-DATAGRAM:239.101.1.68:8889,ip-add-membership=239.0.1.68:10.1.1.1 &
>
> sleep 1
> ip addr del 10.1.1.1/24 dev dummy0
> sleep 5
> kill %tcpdump
>
> After running this script, dummy0.pcap contains one Membership Report
> / Join Group packet with source IP 10.1.1.1, and two Membership Report
> / Leave Group packets with source IP 192.168.99.99.
>
> Sending out multicasts on the LAN using an unexpected source IP
> address seems to be causing issues in some enterprise environments[0],
> where the network infrastructure is set up to flag suspicious packets.
>
> I believe the source address is provided by ip_route_output_ports()
> called from igmpv3_newpack() in the kernel.
>
> Is this behavior intentional? If not, is it something that we should fix?
Hi Kevin
The choice of IP address for IGMP in Linux is 'interesting'. Try with
multiple IP addresses on the interfaces, addresses with different
scopes, etc. I've seen it reply to the querier using an address from
a different subnet to the incoming request, etc.
Part of it is an implementation problem. When the application did a
join, it passed an IP address to identify the interface to perform the
join on. That IP address would be an ideal choice for IGMP for that
group. However, the information gets discarded once the interface has
been determined.
With a single IP address on a single interface, Linux IGMP probably
works. Outside of that, expect oddness.
In your particular case, it is a global scope address. You are allowed
to use it on any interface. So it should not really trigger suspicious
activity. However, the RFC about multicast suggests IGMP with an
unexpected source address should be dropped. However, it is only a
should, not a must, if I remember correctly.
Andrew
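As an added example, not part of this thread and not kernel code: a small Python checker that applies the rule Andrew describes (an IGMP packet whose IPv4 source is not on the receiving interface's subnet gets flagged) to the three packets Kevin's tcpdump produced. The packets are constructed here from the thread's description; the thread does not say which IGMP version the kernel used, so the join and the two leaves are modelled as IGMPv3 Membership Reports to 224.0.0.22 carrying a CHANGE_TO_EXCLUDE and CHANGE_TO_INCLUDE record respectively (an assumption). The check is keyed only on the prefixes configured on the capture interface, dummy0, before and after `ip addr del`; dummy1's 192.168.99.0/24 deliberately does not count, which is exactly why the leaves are flagged even though 192.168.99.99 is a valid local address.

```python
"""Flag IGMP packets whose IPv4 source is off the receiving interface's subnet.

Added example built from the thread's description; the packets below are
constructed test data, not the original dummy0.pcap.
"""
import ipaddress
import struct

IGMP_PROTO = 2
IGMP_TYPES = {0x11: "query", 0x12: "v1 report", 0x16: "v2 report",
              0x17: "v2 leave", 0x22: "v3 report"}
# IGMPv3 group record types (RFC 3376 section 4.2.12)
V3_RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE",
                   3: "CHANGE_TO_INCLUDE", 4: "CHANGE_TO_EXCLUDE",
                   5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_v3_report(src: str, group: str, join: bool) -> bytes:
    """Construct IPv4 + IGMPv3 Membership Report (constructed test input).

    join=True  -> CHANGE_TO_EXCLUDE record, no sources (any-source join)
    join=False -> CHANGE_TO_INCLUDE record, no sources (leave)
    Reports go to 224.0.0.22 with TTL 1, as a host emits them.
    """
    record = struct.pack("!BBH4s", 4 if join else 3, 0, 0,
                         ipaddress.IPv4Address(group).packed)
    igmp = struct.pack("!BBHHH", 0x22, 0, 0, 0, 1) + record
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(igmp), 0, 0, 1,
                      IGMP_PROTO, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address("224.0.0.22").packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + igmp


def parse_igmp(pkt: bytes) -> dict:
    """Parse the IPv4 header and IGMP message; raise ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8:
        raise ValueError("truncated")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 checksum")
    if pkt[9] != IGMP_PROTO:
        raise ValueError("not IGMP")
    igmp = pkt[ihl:]
    if inet_checksum(igmp) != 0:
        raise ValueError("bad IGMP checksum")
    info = {"src": ipaddress.IPv4Address(pkt[12:16]),
            "dst": ipaddress.IPv4Address(pkt[16:20]), "ttl": pkt[8],
            "type": IGMP_TYPES.get(igmp[0], "unknown 0x%02x" % igmp[0]),
            "records": []}
    if igmp[0] == 0x22:  # walk the group records of a v3 report
        (nrec,) = struct.unpack("!H", igmp[6:8])
        off = 8
        for _ in range(nrec):
            rtype, auxlen, nsrc = struct.unpack("!BBH", igmp[off:off + 4])
            group = ipaddress.IPv4Address(igmp[off + 4:off + 8])
            info["records"].append(
                (V3_RECORD_TYPES.get(rtype, rtype), str(group), nsrc))
            off += 8 + 4 * nsrc + 4 * auxlen
    return info


def check_source(pkt: bytes, iface_prefixes):
    """Return (accepted, reason) for the off-subnet rule discussed in the thread.

    iface_prefixes are the IPv4 prefixes configured on the interface the
    packet arrived on, and only those. RFC 3376 section 4.2.13 lets a host
    send a report from 0.0.0.0 before it holds an address, so that source
    is accepted; a multicast source or TTL other than 1 is rejected outright.
    """
    info = parse_igmp(pkt)
    src = info["src"]
    if info["ttl"] != 1:
        return False, "%s with TTL %d, IGMP uses TTL 1" % (info["type"], info["ttl"])
    if src == ipaddress.IPv4Address("0.0.0.0") and "report" in info["type"]:
        return True, "unspecified source permitted for reports"
    if src.is_multicast:
        return False, "%s with multicast source %s" % (info["type"], src)
    if not any(src in ipaddress.ip_network(p) for p in iface_prefixes):
        return False, "%s %s from off-subnet source %s" % (
            info["type"], info["records"], src)
    return True, "%s from on-subnet source %s" % (info["type"], src)


def thread_capture():
    """The three dummy0 packets Kevin described, as (label, prefixes, packet)."""
    return [
        ("join, before addr del", ["10.1.1.0/24"],
         build_v3_report("10.1.1.1", "239.0.1.68", True)),
        ("leave, after addr del", [],
         build_v3_report("192.168.99.99", "239.0.1.68", False)),
        ("leave, after addr del", [],
         build_v3_report("192.168.99.99", "239.0.1.68", False)),
    ]


def audit(capture):
    """Run the check over a capture; returns [(label, accepted, reason)]."""
    return [(label,) + check_source(pkt, prefixes) for label, prefixes, pkt in capture]


if __name__ == "__main__":
    for label, ok, reason in audit(thread_capture()):
        print("%-22s %-6s %s" % (label, "ok" if ok else "FLAG", reason))
```

The join from 10.1.1.1 passes and both leaves from 192.168.99.99 are flagged, reproducing what an IGMP-snooping switch or IDS keyed on the ingress port's subnet would do with Kevin's capture. Keying the check on "any address configured on this host" instead would silently accept them, which is why `check_source` takes the receiving interface's prefixes only.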
Thread overview: 4+ messages
2017-12-09 5:25 Incorrect source IP address on IGMP membership report Kevin Cernekee
2017-12-09 16:01 ` Andrew Lunn [this message]
2017-12-09 20:32 ` Kevin Cernekee
2017-12-09 22:20 ` Andrew Lunn