Internet Engineering Task Force Internet-Draft Multicast Remnants WG INTERNET-DRAFT W. Fenner draft-ietf-idmr-membership-reports-05.txt July 11, 2000 Expires December 2000 Domain Wide Multicast Group Membership Reports Status of this Memo This document is an Internet Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months. Internet Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material or to cite them other than as a "working draft" or "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Distribution of this document is unlimited. Abstract When running a multi-level multicast routing protocol, upper levels need to know about group memberships in lower levels in a protocol- independent fashion. Domain Wide Multicast Group Membership Reports allow this information to be learned in a fashion similar to IGMP[RFC2236] at the domain level. This document is a product of the IDMR working group within the Internet Engineering Task Force. Comments are solicited and should be addressed to the working group's mailing list at idmr@cs.ucl.ac.uk and/or the author. Fenner Expires December 2000 [Page 1] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 1. Introduction Domain-Wide Multicast Group Membership Reports (DWRs) are a group membership protocol at the domain level. When using a hierarchical multicast routing protocol [Thya94,Estr98], the inter-domain protocol needs to learn of group memberships inside domains. Although some intra-domain routing protocols can provide this information easily to the domain border routers, some cannot. DWRs specify a protocol- independent manner to learn group membership inside a domain. This document specifies the DWR protocol, as used by border routers and interior routers. It specifies a behavior that can be used with any intra-domain protocol, along with optimizations for certain intra-domain protocols, and a transition scheme so that all interior routers need not be updated. 1.1. Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Tunable timer values are named inside square brackets, e.g. [Robustness Variable]. These values are described in section 8. 2. Packet Format DWR packets are sent as UDP packets (IP protocol #17). The UDP destination port is 644. The UDP checksum SHOULD be calculated on transmission. However, packets without checksums MUST be accepted. Received packets with incorrect checksums MUST be dropped. The UDP payload is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MBZ | DWR Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type-specific header ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2.1. MBZ: 24 bits Must be zeroed on transmission and ignored on reception. Fenner Expires December 2000 [Page 2] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 2.2. DWR Type: 8 bits The following DWR types are defined: center; c | c l | l. Type Name _ 0x00 Domain-Wide Query 0x01 Domain-Wide Membership Report 0x02 Domain-Wide Leave 0x03 Non- authoritative Domain-Wide Leave 2.3. Type-specific header The only type-specific header defined is for the Domain-Wide Query; its header contains: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Response Time | Query Interval| Robustness | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MBZ | Priority | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2.3.1. Response Time The time, in units of 10ms, allowed for responses to this query. Varying this field allows tuning the burstiness of DWR traffic at the cost of higher latencies. 2.3.2. Query Interval The time, in units of 10 seconds, between periodic Query messages from this Querier. 2.3.3. Robustness The Robustness variable, described later. Along with the Query Interval, conveying this data in the Query allows exact calculation of Querier timeouts and allows interior routers to calculate the group membership lifetime. 2.3.4. Priority The configured priority of this border router for Querier Election purposes. If no value is configured, the default value is 128. Lower values are better, i.e. more likely to be selected as the querier. Fenner Expires December 2000 [Page 3] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 2.3.5. MBZ This field must be zeroed on transmission and ignored on reception. There is no type-specific header for Report and Leave messages; the data field starts immediately after the checksum. 2.4. Data The remainder of the packet consists of a series of groups and options. Each field in the rest of the packet is either a group address: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Group Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ or an option header: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | option number | MBZ |S|I| Option Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Option Data... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The two forms may be told apart because option numbers are assigned in the range [0,223], the first byte of an IPv4 group address is in the range [224,239], and the first byte of an IPv6 group address is 255. 2.4.1. Data Description 2.4.1.1. Group Address The group address being reported or queried. 2.4.1.2. Option Number The number of the option. Fenner Expires December 2000 [Page 4] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 2.4.1.3. MBZ Must be zeroed on transmission and ignored on reception. 2.4.1.4. I Ignore this packet or group for group membership purposes if the option is not recognized. 2.4.1.5. S Ignore this packet or group for report suppression purposes (on Reports or Leaves) or for reply purposes (on Queries) if the option is not recognized. 2.4.1.6. Option Length The number of words, excluding the initial word, of option data following the option header. 2.4.1.7. Option Data Option Length words of data. 2.4.2. Option Processing Options which precede any group addresses are called Global Options. Options which follow a group address are associated with that group address and are called Group Options. There are two bits describing how to handle unsupported options. 2.4.2.1. The S bit The S bit is used when processing Queries, Reports and Leaves by interior routers. Groups with options attached should be ignored as if they were not present if there are unrecognized Group Options with the S bit set. Packets with Global Options should be ignored as if they were not received if there are unrecognized Global Options with the S bit set. 2.4.2.2. The I bit The I bit is used when processing Reports and Leaves by border routers. Groups with options attached should be ignored as if they were not present if there are unrecognized Group Options with the I bit set. Packets with Global Options should be ignored as if they were not received if there are unrecognized Global Options with the I bit set. Fenner Expires December 2000 [Page 5] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 2.4.3. Defined Options 2.4.3.1. Padding (option #0) This option need not be handled specially by option parsers; it may be left as an unrecognized option. The S and I bits are both 0, so failing to recognize this option does not affect the processing of the packet. The length field may be 0, meaning there are 0 additional words of data associated with the option. A non-zero length field may be used with the padding option if additional padding is required. Routers MUST interpret the S and I bits of Padding options as though the option is not supported. 2.4.3.2. Group masks accepted/present (option #1) This option may be used as a global option on a Query, to indicate that all border routers understand the group mask option in Report and Leave messages. This option MUST only be sent when the Querier knows that all border routers support it; in general this can only be by manual configuration. In this use, the I and S bits are off. When the most recent Query message contained the Group masks accepted global option, a router may attach a group masks present option to any group in its Report or Leave messages. This option contains the following data: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1 | MBZ |0|0| 1 for IPv4, 4 for IPv6 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Mask to go with group | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The data portion is a bitwise mask, to be applied to the group to create a group range. This usage also has the S and I bits turned off. 2.4.3.3. Unicast-reply (option #2) This option has the S and I bits turned off. If a query is received with this option, the reply should be unicasted to the source of the query. If the option Fenner Expires December 2000 [Page 6] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 carries a unicast address, it is the address to be unicasted to. If a unicast address is specified in the option, the option MUST be ignored if the packet is not authenticated using IPSEC[RFC2401] as described later in this document. 3. Message Descriptions 3.1. Domain-Wide Query A Domain-Wide Query is sent periodically by one of the domain's border routers. The default period is 5 minutes, and MUST be configurable. Domain-Wide Query messages are sent to the well- known Domain-Wide Query multicast group (224.0.255.254). This group is in the range of addresses that are scoped to a single domain, 224.0.255.0 through 224.0.255.255. A Domain-Wide Query with no additional data is a request for knowledge of all multicast group memberships in the domain. The Domain-Wide Query may be restricted by including groups or options in the data portion of the packet. If group addresses or DWR options are specified in the packet, the Query is restricted to those groups or other options as specified in the packet. 3.2. Domain-Wide Report A Domain-Wide Report is sent by a router in response to a Domain- Wide Query message, or in response to the appearance of a new group member in the domain. The latter messages are called "Unsolicited" Domain-Wide Reports. A Domain-Wide Report message includes a list of group memberships and other options in the additional data portion of the packet. 3.3. Domain-Wide Leave A Domain-Wide Leave is sent by a router when it knows that there are no more members in the domain of a group or groups. The group or groups listed in the additional data portion of the packet are considered by the border routers to have no more members. 3.4. Non-Authoritative Domain-Wide Leave A Non-Authoritative Domain-Wide Leave is sent by a router when it knows of no more members of the group but cannot be sure there are no more members in the domain. Reception of a Domain-Wide Leave causes the elected border router to send a Domain-Wide Query Fenner Expires December 2000 [Page 7] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 message for the group(s) mentioned in the Non-Authoritative Domain- Wide Leave message. 4. Interior Router Behavior 4.1. General Behavior This section describes the general behavior of interior routers, or of proxies running inside domains. Some of these behaviors may be optimized when running multicast routing protocols with more centralized knowledge of group memberships inside the domain; these optimizations will be described later. If a router has not yet been upgraded to perform domain-wide reports, a proxy may be placed on each of its connected networks. This proxy must participate in the network's group membership protocol (e.g. IGMPv2[RFC2236]). For example, it may perform only the duties of a Non-Querier router in IGMPv2, which allow it to passively learn all of the group members on a network. The proxy can then respond to Domain-Wide Query messages just as the interior router would. 4.1.1. Reception of Queries All routers in the domain join the Domain-Wide Query well-known multicast group. Upon reception of a Domain-Wide Query message, a router sets a timer to a value randomly chosen from the range (0, Response time] as specified in the packet. The Data section of the Query should be saved to be used when the timer expires. 4.1.2. Transmission of Reports Upon the expiration of a Domain-Wide Query timer, a router assembles a packet containing the list of group memberships known to this router via IGMP or other mechanism, excluding those that were suppressed by previous reports, and sends this message to the Domain-Wide Report well-known multicast group (224.0.255.253). If the Domain-Wide Query contained a list of groups or options, the Report should be restricted to those groups in the list in the Query message. 4.1.3. Reception of Reports All routers in the domain join the Domain-Wide Report well-known multicast group in order to perform suppression, as follows. Upon reception of a Domain-Wide Report message, a router processes the list of groups in the message. If the packet contains unrecognized global options, the packet should be dropped and not processed if Fenner Expires December 2000 [Page 8] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 any of the unrecognized options have their S bit set. For each group, if the group has unrecognized options, the group should be skipped if any of the unrecognized options have their S bit set. Otherwise, if the router's Domain-Wide Query timer is running, it SHOULD mark the group as having been suppressed and SHOULD NOT report it when the Domain-Wide Query timer expires. Routers MAY record the existence of this group membership in the domain to be used for future suppression. This record MUST time out after [Query Interval] * [Robustness Variable], and MUST be canceled by reception of a Domain-Wide Leave or Non-Authoritative Domain-Wide Leave message mentioning this group. 4.1.4. Reception of Leaves Upon the reception of a Domain-Wide Leave, a router should process the list of groups in the message. For each group, if the group has unrecognized options, it should be skipped if any of the unrecognized options have their S bit set. Otherwise, the router should remove its record of the existence of another group membership in the domain. 4.1.5. Transmission of Leaves A router sends a Non-Authoritative Leave when it no longer knows of any members of the group. This message MAY be suppressed if this router's last attempt to report this group was suppressed by reception of a Report. 4.2. Optimizations In explicit group membership protocols like PIM, CBT and MOSPF, there is a set of routers smaller than "all routers in the domain" which knows of group memberships in the domain. This section describes the optimizations possible when running a protocol like this. In PIM and CBT, only RP's and Cores must participate. MOSPF is a special case, in that all routers in the MOSPF domain know of all group memberships in the domain. In this case, the DWR protocol may degenerate to a virtual protocol run entirely inside the elected border router. 4.2.1. Reception of a Query Message Only participating interior routers must join the Domain-Wide Query well-known multicast group. Fenner Expires December 2000 [Page 9] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 4.2.2. Transmission of a Report Message Report messages contain all memberships that this router knows about (e.g. in MOSPF, it's all memberships in the domain; in PIM, it's all groups that for which this router is the RP). 4.2.3. Reception of a Report Message If there is no overlap of the groups being reported by each participant, the interior routers need not join the Domain-Wide Report well-known multicast group so will not receive Report messages. E.g. if R1 and R2 each handle one half of the multicast group address space, there is no need for either of them to join the Domain-Wide Report group. 4.2.4. Reception of a Leave Message As with Reports, if there is no overlap, the interior routers need not join the DWR group so will not receive these messages. 4.2.5. Transmission of a Leave Message If it is possible to know when the last member in the domain goes away, routers SHOULD send authoritative Domain-Wide Leave messages, instead of Non-Authoritative Domain-Wide Leave messages. 5. Unsolicited messages When a new group member appears in the domain, a Report message SHOULD be transmitted (called an Unsolicited Report). Interior routers MAY track the presence of group members inside the domain; a router which is doing this SHOULD suppress its unsolicited Report if it knows of another group member inside the domain. 6. Border Router Behavior 6.1. Querier Election All border routers should join the Domain-Wide Queries well-known multicast group, in order to perform Querier Election. All routers start up thinking they are the elected Querier. If a router hears a DWQ which has a lower ("better") priority, or an equal priority and a lower IP address, it elects that router as Querier. If a router has not heard a DWQ from the elected Querier in [Querier's Query Interval] * [Querier's Robustness Variable] + [Querier's Response Interval], it assumes the role of Querier. It is recommended to have an IPSEC[RFC2401] relationship for the DWQ multicast group among the domain border routers so that Querier Fenner Expires December 2000 [Page 10] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 Election can not be fouled by a forged packet. 6.2. Send Periodic Queries The elected border router sends periodic Queries once every [Query Interval]. These Queries include the router's Query Interval and Robustness Variable. The Response Interval should be set to [Normal Response Interval]. 6.3. Reception of Non-Authoritative Leave Upon reception of a Non-Authoritative Leave, the elected Querier sets a group membership timeout timer to [Robustness Variable] * [Fast Response Interval] + [Round Trip Delay], and sends a group- specific Query, listing all groups in the Non-Authoritative Leave message. The Response Interval should be set to [Fast Response Interval]. Until a response is heard for each listed group, the Query should be retransmitted once every [Fast Response Interval] for a total of [Robustness Variable] transmissions. The Querier MUST wait an additional [Round Trip Delay] after the final [Fast Response Interval] for reports before assuming that there are no members present in the domain. 6.4. Reception of Group-Specific Queries Upon reception of a Group-Specific Query, non-Querier routers MUST set a group membership timeout timer to [Querier's Robustness Variable] * [Querier's Response Interval] + [Round Trip Delay]. If this timeout occurs without receiving a Report for the listed groups, the group membership record is removed. The Querier's Query Interval and Querier's Response Interval are the values carried in the Query packet. 6.5. Reception of Reports Upon reception of a Domain-Wide Report message, all border routers set a group membership timer for each group mentioned in the Report. This timer's value is set to [Querier's Query Interval] * [Querier's Robustness Variable] + [Querier's Response Interval] * 2. The Querier's Query Interval, Querier's Response Interval and Querier's Robustness Variable are remembered from the last General Query received from the Querier. This timer is refreshed by reception of further messages. 6.6. Request Unicast Replies If a Border Router wishes to reduce the amount of DWR multicast traffic in a domain, it may add the "Reply via Unicast" option to Fenner Expires December 2000 [Page 11] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 its DWQ's. This has the advantage of reducing the amount of state kept inside the domain for forwarding packets destined to the DWR- reply multicast group, at the cost of eliminating suppression. The border router must multicast DWR's summarizing the replies it got via unicast to the DWR-reply multicast group at the end of the response interval, in order to share membership information with all routers. This summary MUST contain a global padding option with its S bit set to 1, to prevent suppression of real reports. 7. Use of IPSEC The use of IPSEC AH is recommended on Domain-Wide Query packets for two reasons: 1. Prevention of forgery of Queries which can foil Querier election. This use requires all border routers to use IPSEC. 2. In order to allow the use of the Unicast Replies option. This use requires all border and interior routers to use IPSEC. In either configuration, security associations are configured as described in section 4.7 of [RFC2401]. Briefly, a single Security Association is manually configured in all required devices with a static key. The number of devices (e.g. domain border routers) should be small enough for this to not be an undue burden. When a secure multicast key distribution protocol exists in the IPSEC framework, this protocol may be used instead of manual configuration. 8. List of timers and tunable values 8.1. Robustness Variable The Robustness Variable allows tuning for the expected packet loss in a domain. If transmission inside a domain is expected to be lossy, the Robustness Variable may be increased, at the cost of increased latency in determining failures. The DWR protocol is robust to ([Robustness Variable] - 1) packet losses. The Robustness Variable MUST NOT be zero, and SHOULD NOT be one. Default value: 2 8.2. Query Interval The Query Interval is the interval between General Queries sent by the domain-wide Querier. Default value: 5 minutes Fenner Expires December 2000 [Page 12] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 8.3. Normal Response Interval The Normal Response Interval is the Response Time inserted into the periodic General Queries. Default: 60 seconds By varying the [Normal Response Interval], an administrator may tune the burstiness of DWR messages in the domain; larger values make the traffic less bursty, as host responses are spread out over a larger interval. The number of seconds represented by the [Normal Response Interval] must be less than the [Query Interval]. 8.4. Fast Response Interval The Fast Response Interval is the Response Time inserted into Group-Specific Queries in response to Non-Authoritative Leave messages, and is also the time between the Group-Specific Query messages. Default: 1 second This value may be tuned to modify the "leave latency" of the domain. A reduced value results in reduced time to detect the loss of the last member of a group. 8.5. Round Trip Delay The Round Trip Delay is the worst-case round trip time through the domain. This is used to ensure that group membership is not lost due to a small Fast Response Interval and a large round trip delay through the domain. This value must be manually configured. Default: 100ms. IGMPv2 ignores end-to-end message delay, assuming that this delay is negligible. Although the DWR protocol is very similar to IGMPv2, the reality is that end-to-end round trip delays can be very different on LANs vs. in a routing domain. On a LAN, the round trip delay is generally dwarfed by the IGMPv2 response interval. Within a domain, the opposite may be true, so it's important for the protocol to acknowledge that. 9. Message destinations This information is provided elsewhere in the document, but is summarized here for convenience. Fenner Expires December 2000 [Page 13] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 Message Type Destination Group ------------ ----------------- General Query Domain-wide Query group (224.0.255.254) Group-specific Query Domain-wide Query group (224.0.255.254) Report Domain-wide Report group (224.0.255.253) Leave Domain-wide Report group (224.0.255.253) Non-Authoritative Leave Domain-wide Report group (224.0.255.253) 10. Acknowledgments The ideas of unicasting DWR replies and of electing a "designated reporter" came from a discussion on the IDMR mailing list with Jeffrey Zhang and Yunzhou Li of Bay Networks. 11. Security Considerations 11.1. Forged Packets 11.1.1. Forged Packets from Outside the Domain Since all packets in this memo are sent to domain-scoped multicast groups, a scope boundary around the domain which drops domain- scoped packets from entering the domain from outside protects against forged packets from outside the domain. 11.1.2. Forged Packets from Inside the Domain We consider the effects of a forged packet of each type. 11.1.2.1. Forged Query A forged Query will cause interior routers to send Reports for some or all of their group memberships, increasing control traffic within the domain but not affecting the memberships learned by the border routers. Border routers perform Querier Elections on Query messages. A forged General Query could cause the forger to be elected Querier, giving him some control over the group membership reporting in the domain. For this reason, IPSEC SHOULD be used between the domain border routers to ensure that Querier election only occurs between known border routers. 11.1.2.2. Forged Report A forged Report will cause interior routers to suppress their own Report messages for the group being reported. However, the forged Fenner Expires December 2000 [Page 14] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 message will be accepted by the border routers, so this accomplishes nothing. If interior routers keep state for all Reports heard, forged Reports can cause increased memory consumption on interior routers. However, keeping state for all Reports is optional, so interior routers that are running low on memory due to the amount of DWR- related state may simply release all of that state. Border routers must keep state for all Reports heard, so they are vulnerable to increased memory consumption. If this is a worry, once again IPSEC relationships may be created between all of the interior routers and the border routers. This is a much larger burden on administrators, however, so is only recommended if this is expected to be a problem. 11.1.2.3. Forged Leave A forged Leave (Authoritative or Non-Authoritative) will cause interior routers to forget their state (if any) regarding the suppression status of a group. This may cause increased control message traffic during the next Query interval. A forged Non-Authoritative leave will cause the border routers to issue group-specific Query messages to learn if there are remaining group members. This causes increased control message traffic. A forged Authoritative Leave will cause a black hole until the next Query occurs; the border routers will accept the Leave and not perform any Queries. Border routers SHOULD be configurable to ignore all Authoritative Leaves and interior routers SHOULD be configurable to only send Non-Authoritative Leaves, in order to be able to prevent this attack. 11.2. Unicast Responses Sending a DWQ requesting a unicast response can cause many DWR's to be unicasted to the sender. In order to prevent the use of this option as a "packet amplifier", any DWQ message using this option SHOULD be authenticated using IPSEC as described in this document. 12. References RFC2119 Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119/BCP 14, Harvard University, March 1997. Fenner Expires December 2000 [Page 15] Internet Draft draft-ietf-idmr-membership-reports-05.txt July 11, 2000 Estr98 Estrin, D., D. Meyer, D. Thaler, ``Border Gateway Multicast Protocol (BGMP): Protocol Specification'', Work In Progress, March 1998. RFC2236 Fenner, W. ``Internet Group Management Protocol, Version 2'', RFC2236, Xerox PARC, November 1997. RFC2401 Kent, S. and R. Atkinson, ``Security Architecture for the Internet Protocol'', RFC 2401, November 1998. Thya95 Thyagarajan, A. and S. Deering, ``Hierarchical Distance- Vector Multicast Routing'', Proceedings of ACM Sigcomm, September 1995. 13. Author's Address William C. Fenner AT&T Labs - Research 75 Willow Road Menlo Park, CA 94025 Phone: +1 650 330 7893 Email: fenner@research.att.com Fenner Expires December 2000 [Page 16]