IGMP Proxy

The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. IGMP operates between the client computer and a local multicast router. Like other network management protocols, it operates above the network layer. There are three versions of IGMP: version 1, defined by RFC 1112; version 2, defined by RFC 2236; and version 3, initially defined by RFC 3376 and updated by RFC 4604. A router can serve as an IGMP proxy, as we shall soon see.

The IPv4 address scheme assigns Class D addresses for IP multicasting. IGMP is the protocol that uses these addresses. The following addresses have specific functions or are unavailable:

  • 222.0.0.0 is reserved, and you cannot assign it to a group.
  • 222.0.0.1 is the all-hosts address – a packet sent to this address reaches all hosts on a subnet.
  • 222.0.0.2 is the all-routers address – a packet sent to this address reaches all routers on a subnet.

This implementation of IGMP complies with IGMPv2, which involves the exchange of the following types of messages between routers and hosts:

  • Group membership queries
  • Group membership reports
  • Leave group membership messages

A multicast router can be a querier or a nonquerier. There is only one querier on a network at any time. Multicast routers monitor queries from other multicast routers to determine the status of the querier. If the querier hears a query from a router with a lower IP address, it relinquishes its role to that router.

Multicast routers send two types of group membership queries to hosts on the network: [1] general queries to the all-hosts group address, and [2] specific queries to the appropriate multicast group address. The purpose of a group membership query is to discover the multicast groups to which a host belongs. When a host receives such a query, it identifies the groups associated with the query and determines to which groups it belongs. Since the query has a Max Response Time field (the maximum time a host can take to respond to a query), the host sets a timer to a value less than this field, and when the timer expires, the host multicasts a group membership report to the group address. When a multicast router receives a report, it adds the group to the membership list for the network and sets a timer to the Group Membership Interval. If this timer expires before the router receives another group membership report, the router determines that the group has no members left on the network. If the router does not receive any reports for a specific multicast group within the Max Response Time, it assumes that the group has no members on the network. The router does not forward subsequent multicasts for that group to the network.

New to IGMP version 2 are the leave group membership messages. When a host leaves a group, it sends such a message to multicast routers on the network. A host generally addresses leave group membership messages to the all-routers group address, 222.0.0.2.
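The three IGMPv2 message types described above share one 8-byte format, which is small enough to build and check by hand. The following Python is an added example, not code from this page or from DefenseBolt: it encodes and decodes an IGMPv2 message (type, Max Response Time in tenths of a second, RFC 1071 checksum, group address), rejects a message whose checksum or group address is wrong, and builds the IPv4 header with the Router Alert option (RFC 2113) that RFC 2236 requires every IGMPv2 message to carry, which is the reason the firewall rule later on this page must allow packets with IP options. The group and well-known addresses follow RFC 1112 and RFC 2236 (multicast groups in 224.0.0.0/4, all-hosts 224.0.0.1, all-routers 224.0.0.2). Function names and the sample packets are assumptions of this example.

```python
"""IGMPv2 message codec (RFC 2236) with RFC 1071 checksum, plus the IPv4
header with Router Alert that IGMPv2 messages are sent in.
Added example; function names and sample packets are constructed."""
import struct
from ipaddress import IPv4Address

# IGMPv2 message types (RFC 2236, section 2)
MEMBERSHIP_QUERY = 0x11
V1_MEMBERSHIP_REPORT = 0x12
V2_MEMBERSHIP_REPORT = 0x16
LEAVE_GROUP = 0x17
TYPE_NAMES = {
    MEMBERSHIP_QUERY: "membership_query",
    V1_MEMBERSHIP_REPORT: "v1_membership_report",
    V2_MEMBERSHIP_REPORT: "v2_membership_report",
    LEAVE_GROUP: "leave_group",
}

# Well-known groups from RFC 1112; group addresses are the 224.0.0.0/4 block.
ALL_HOSTS = IPv4Address("224.0.0.1")
ALL_ROUTERS = IPv4Address("224.0.0.2")
UNSPECIFIED = IPv4Address("0.0.0.0")
ROUTER_ALERT_OPTION = bytes.fromhex("94040000")   # RFC 2113: type 0x94, length 4, value 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words. Returns 0 for a
    message whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp_tenths: int = 0) -> bytes:
    """8-byte IGMPv2 message. max_resp_tenths is the Max Response Time in
    1/10 s and is only meaningful in queries (0 in reports and leaves)."""
    if msg_type not in TYPE_NAMES:
        raise ValueError("unknown IGMPv2 type 0x%02x" % msg_type)
    if not 0 <= max_resp_tenths <= 255:
        raise ValueError("Max Response Time must fit in one byte")
    hdr = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0, IPv4Address(group).packed)
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]


def parse_igmpv2(pkt: bytes) -> dict:
    """Decode and validate one IGMPv2 message; raises ValueError on a short
    message, a checksum mismatch, an unknown type or an invalid group."""
    if len(pkt) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if inet_checksum(pkt[:8]) != 0:
        raise ValueError("IGMP checksum mismatch")
    msg_type, max_resp, _csum, raw_group = struct.unpack("!BBH4s", pkt[:8])
    if msg_type not in TYPE_NAMES:
        raise ValueError("unknown IGMPv2 type 0x%02x" % msg_type)
    group = IPv4Address(raw_group)
    general = msg_type == MEMBERSHIP_QUERY and group == UNSPECIFIED
    if not general and not group.is_multicast:
        # reports, leaves and group-specific queries must name a real group
        raise ValueError("%s is not a multicast group address" % group)
    return {
        "type": TYPE_NAMES[msg_type],
        "max_resp_s": max_resp / 10,   # only queries carry a nonzero value
        "group": str(group),
        "general": general,
    }


def build_ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """IPv4 header (IHL 6) carrying Router Alert, TTL 1, protocol 2 (IGMP)."""
    ihl = (20 + len(ROUTER_ALERT_OPTION)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0xC0, ihl * 4 + payload_len,
                      0, 0x4000, 1, 2, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr += ROUTER_ALERT_OPTION
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def has_ip_options(ip_header: bytes) -> bool:
    """True when IHL > 5, i.e. the header carries options such as Router Alert;
    these are the packets an 'allow IP options' firewall rule admits."""
    return (ip_header[0] & 0x0F) > 5


if __name__ == "__main__":
    query = build_igmpv2(MEMBERSHIP_QUERY, "0.0.0.0", 100)   # general query, 10 s
    print(query.hex(), parse_igmpv2(query))
    leave = build_igmpv2(LEAVE_GROUP, "239.1.1.1")
    print(leave.hex(), parse_igmpv2(leave))
    ip = build_ipv4_header("192.0.2.1", str(ALL_ROUTERS), len(leave))
    print(ip.hex(), has_ip_options(ip))
```

A general query with the RFC 2236 default Max Response Time of 100 tenths encodes as `1164ee9b00000000`; flipping any byte of a message makes `parse_igmpv2` reject it, and the IPv4 header produced for a leave has IHL 6, which is exactly what a rule that drops IP options would discard.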

IGMP proxy configuration is relatively simple. You enable IGMP proxy on one interface, which connects to a router closer to the root of the tree. This interface is the upstream interface. The router on the upstream interface should be running IGMP. You also enable IGMP on the interfaces that connect the system to its hosts that are farther away from the root of the tree. These interfaces are known as downstream interfaces. When you configure IGMP proxy, the system interacts with the router on its upstream interface through the exchange of IGMP messages. However, when acting as the proxy, the system performs the host portion of the IGMP task on the upstream interface as follows:

  • When queried, it sends group membership reports to the group.
  • When one of its hosts joins a multicast address group to which none of its other hosts belong, it sends unsolicited group membership reports to that group.
  • When the last of its hosts in a particular multicast group leaves the group, it sends an unsolicited leave group membership message to the all-routers group.
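The membership table behind this behaviour can be modelled in a few dozen lines. The Python below is an added example, not DefenseBolt's code: it applies the querier election from the earlier paragraph (lowest IP address wins), tracks each downstream group with a Group Membership Interval timer, answers a leave message with a group-specific query whose Max Response Time is the RFC 2236 Last Member Query Interval, reports every known group when the upstream router sends a general query, and emits the unsolicited upstream report when the first host joins a group and the upstream leave when the last one is gone. The timer values are the RFC 2236 defaults (260 s and 1 s); the class name, the message tuples, the simulated clock, and the simplification of sending an upstream leave whenever a group is dropped (including on timer expiry) are assumptions of this example.

```python
"""Membership tracking for an IGMPv2 proxy: router side facing the hosts,
host side facing the upstream router. Added example with RFC 2236 default
timers; the class, message tuples and simulated clock are assumptions."""
from ipaddress import IPv4Address

GROUP_MEMBERSHIP_INTERVAL = 260.0   # seconds before an unrefreshed group is dropped
LAST_MEMBER_QUERY_INTERVAL = 1.0    # Max Response Time of the query sent after a Leave


class IgmpProxy:
    def __init__(self, my_addr: str):
        self.my_addr = IPv4Address(my_addr)
        self.is_querier = True      # assume querier until a lower address is heard
        self.now = 0.0              # simulated clock, advanced by tick()
        self.expiry = {}            # group -> time the membership times out
        self.pending_leave = {}     # group -> deadline for a reply to a group-specific query
        self.upstream = []          # what the host side sent to the upstream router
        self.downstream = []        # queries the router side sent to its hosts

    def hear_query_from(self, router_addr: str) -> bool:
        """Querier election: the router with the lowest IP address is querier."""
        if IPv4Address(router_addr) < self.my_addr:
            self.is_querier = False
        return self.is_querier

    def _group(self, group: str) -> IPv4Address:
        g = IPv4Address(group)
        if not g.is_multicast:
            raise ValueError("%s is not a multicast group address" % group)
        return g

    def receive_report(self, group: str) -> bool:
        """A host reported membership; returns True if the group was new."""
        g = self._group(group)
        new_group = g not in self.expiry
        self.expiry[g] = self.now + GROUP_MEMBERSHIP_INTERVAL
        self.pending_leave.pop(g, None)   # someone still belongs: cancel the pending removal
        if new_group:
            # first downstream host in this group: unsolicited report upstream
            self.upstream.append(("report", str(g)))
        return new_group

    def receive_leave(self, group: str) -> None:
        """A host left. Only the querier reacts, by asking whether members remain;
        a non-querier ignores leave messages."""
        g = self._group(group)
        if g in self.expiry and self.is_querier:
            self.downstream.append(("group_query", str(g), LAST_MEMBER_QUERY_INTERVAL))
            self.pending_leave[g] = self.now + LAST_MEMBER_QUERY_INTERVAL

    def receive_general_query(self) -> list:
        """Upstream general query: the host side reports every group with members."""
        reports = [("report", str(g)) for g in sorted(self.expiry)]
        self.upstream.extend(reports)
        return reports

    def tick(self, now: float) -> list:
        """Advance the clock; drop groups whose timers expired and tell upstream."""
        self.now = now
        dropped = []
        for g in list(self.expiry):
            if g in self.pending_leave and now >= self.pending_leave[g]:
                dropped.append(str(g))   # nobody answered: the last host has left
            elif now >= self.expiry[g]:
                dropped.append(str(g))   # no report within the membership interval
        for name in dropped:
            g = IPv4Address(name)
            del self.expiry[g]
            self.pending_leave.pop(g, None)
            self.upstream.append(("leave", name))   # simplification: leave on any removal
        return dropped

    def forwards(self, group: str) -> bool:
        """Whether multicast traffic for this group is still forwarded downstream."""
        return IPv4Address(group) in self.expiry


if __name__ == "__main__":
    proxy = IgmpProxy("192.0.2.10")
    proxy.receive_report("239.1.1.1")          # first host joins -> upstream report
    proxy.receive_report("239.1.1.1")          # second host, nothing new upstream
    proxy.tick(5.0)
    proxy.receive_leave("239.1.1.1")           # group-specific query goes downstream
    print(proxy.tick(7.0), proxy.upstream)     # nobody answered -> group dropped, upstream leave
```

Note that a second report for a known group only refreshes its timer, so the upstream router sees one report per group rather than one per host, and that a report arriving before the Last Member Query Interval runs out cancels the removal, which is how the proxy avoids cutting off the remaining hosts when one of them leaves.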


To configure IGMP Proxy in DefenseBolt, first navigate to Services -> IGMP Proxy.


Click on the plus button to add a new interface.


To configure the upstream interface, select WAN in the Interface dropdown box. Then at Description, add an appropriate description. For Type, select Upstream Interface. At Threshold, you can set a time to live (TTL) threshold (the default is 1). At Network(s), press the plus button and add one or more networks (along with the prefix length in the CIDR dropdown box). This defines which subnets are allowed to communicate via the IGMP proxy. I set it to 0.0.0.0 for the network and 0 for the CIDR to allow all outside hosts to send IGMP messages, but you can change this setting if necessary. Then press Save to save the new interface, and Apply changes on the next page.


Now you need to configure the downstream interface. Click the plus button again. At Interface, choose the interface on which the hosts will belong to a multicast group (probably LAN). At Description, type an appropriate description, and at Type, select Downstream Interface from the dropdown box. At Threshold, define a TTL threshold if necessary. At Network, click on the plus button and specify at least one network and CIDR. Then press Save to save the changes and Apply changes to apply them.


You also need a firewall rule on the downstream side (typically LAN) that passes this traffic and has the advanced option set to allow packets with IP options; IGMPv2 messages are sent with the Router Alert IP option (RFC 2113), so without this setting the firewall would drop them. To do this, navigate to Firewall -> Rules, and click on the appropriate tab (probably LAN). Click on plus to add a new rule. Leave the settings for Interface, TCP/IP Version, Protocol, Source and Destination unchanged. At Description, enter a description. Scroll down to Advanced features, and at Advanced Options, click on the Advanced button and check the first check box to allow packets with IP options to pass. Then scroll down, press the Save button to save this rule, and on the next page press Apply changes to apply the changes.