[174635] in North American Network Operators' Group


Re: IPV6 Multicast Listener storm control?

daemon@ATHENA.MIT.EDU (Mikael Abrahamsson)
Mon Sep 22 23:55:39 2014

X-Original-To: nanog@nanog.org
Date: Tue, 23 Sep 2014 05:55:30 +0200 (CEST)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Richard Holbo <holbor@sonss.net>
In-Reply-To: <CAFiN6rqyqPspPvV3Yi1im2uxCnm9NoPbDof1MXEO++A7vk9kZQ@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

On Mon, 22 Sep 2014, Richard Holbo wrote:

> Now it looks like from my reading that CISCO MLD snooping would _help_ with
> this, though it would not stop the offender from generating the multicast
> requests, it might keep it from reaching _all_ ports, but it would still

If the packets are sent to ff02::1, then this will be sent to all ports 
even with MLD snooping turned on.

http://www.ietf.org/rfc/rfc4541.txt

"In IPv6, the data forwarding rules are more straight forward because
    MLD is mandated for addresses with scope 2 (link-scope) or greater.
    The only exception is the address FF02::1 which is the all hosts
    link-scope address for which MLD messages are never sent.  Packets
    with the all hosts link-scope address should be forwarded on all
    ports."

So I doubt turning on MLD snooping will help.

Your switches, can't you do some kind of protocol-based filtering, and 
only allow two ethertypes, ARP and IPv4?

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se
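The two points in the mail above, modelled in code as an added example (this is not code from the original post or from any switch vendor): an MLD-snooping switch still forwards anything addressed to ff02::1 on every port (RFC 4541 section 3), so a host sending to the all-nodes address floods the whole segment regardless of snooping, whereas an ethertype allow-list of just ARP and IPv4 drops those frames before they are forwarded. The frames, MAC addresses, link-local addresses and the "pruned" treatment of other link-scope multicast are constructed assumptions for the illustration; the allow-list contents are the ones the mail proposes.

```python
"""Model of MLD-snooping forwarding (RFC 4541 rule for ff02::1) versus an
ethertype allow-list. Added example; frames and addresses are constructed."""
import ipaddress
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
BROADCAST_MAC = b"\xff" * 6
ALL_NODES = ipaddress.IPv6Address("ff02::1")
# Assumed allow-list: only the two ethertypes the mail suggests permitting.
ALLOWED_ETHERTYPES = frozenset({ETHERTYPE_IPV4, ETHERTYPE_ARP})

# Constructed locally administered MACs for the example hosts.
OFFENDER = bytes.fromhex("020000000001")
HOST_A = bytes.fromhex("020000000002")
ROUTER = bytes.fromhex("020000000003")


def ipv6_multicast_mac(addr):
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits (RFC 2464)."""
    return b"\x33\x33" + addr.packed[12:]


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Minimal Ethernet II frame (no FCS)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_ipv6(src, dst, next_header=58, payload=b""):
    """Fixed 40-byte IPv6 header plus payload; next_header 58 = ICMPv6, hop limit 1."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 1)
    return hdr + src.packed + dst.packed + payload


def parse_frame(frame):
    """Extract MACs, ethertype and, for IPv6 frames, the destination address."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ipv6_dst = None
    if ethertype == ETHERTYPE_IPV6 and len(frame) >= 14 + 40:
        ipv6_dst = ipaddress.IPv6Address(frame[14 + 24:14 + 40])
    return {"dst_mac": frame[:6], "src_mac": frame[6:12],
            "ethertype": ethertype, "ipv6_dst": ipv6_dst}


def mld_snooping_treatment(info):
    """How an MLD-snooping switch forwards the frame (simplified model):
    'flood'   - out every port: ff02::1 is never subject to MLD (RFC 4541), and
                L2 broadcast such as ARP is flooded anyway
    'pruned'  - other link-scope IPv6 multicast, constrained to listener/router ports
    'unicast' - ordinary MAC-table forwarding
    """
    if info["dst_mac"] == BROADCAST_MAC:
        return "flood"
    dst = info["ipv6_dst"]
    if dst is not None and dst.is_multicast:
        return "flood" if dst == ALL_NODES else "pruned"
    return "unicast"


def ethertype_filter_passes(info):
    """The port-level allow-list from the mail: drop everything but ARP and IPv4."""
    return info["ethertype"] in ALLOWED_ETHERTYPES


def flood_volume_per_source(frames, apply_ethertype_filter):
    """Count, per source MAC, the frames that every port on the segment would receive."""
    counts = Counter()
    for frame in frames:
        info = parse_frame(frame)
        if apply_ethertype_filter and not ethertype_filter_passes(info):
            continue
        if mld_snooping_treatment(info) == "flood":
            counts[info["src_mac"].hex(":")] += 1
    return counts


def sample_frames(n_storm=1000):
    """Constructed traffic: one host storming ff02::1, plus ordinary ARP, IPv4 and mDNS."""
    frames = []
    offender_ll = ipaddress.IPv6Address("fe80::1")
    for _ in range(n_storm):
        frames.append(build_frame(ipv6_multicast_mac(ALL_NODES), OFFENDER,
                                  ETHERTYPE_IPV6, build_ipv6(offender_ll, ALL_NODES)))
    frames.append(build_frame(BROADCAST_MAC, HOST_A, ETHERTYPE_ARP, b"\x00" * 28))
    frames.append(build_frame(ROUTER, HOST_A, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19))
    mdns = ipaddress.IPv6Address("ff02::fb")
    frames.append(build_frame(ipv6_multicast_mac(mdns), HOST_A, ETHERTYPE_IPV6,
                              build_ipv6(ipaddress.IPv6Address("fe80::2"), mdns, 17)))
    return frames


if __name__ == "__main__":
    frames = sample_frames()
    print("snooping only :", dict(flood_volume_per_source(frames, False)))
    print("ethertype ACL :", dict(flood_volume_per_source(frames, True)))
```

With snooping alone the offender's thousand frames still reach every port because ff02::1 is exempt from MLD; with the ethertype allow-list applied on the offender's port only the legitimate ARP broadcast is flooded. The cost of that filter is of course that all IPv6, not just the storm, is dropped on those ports, which is what the mail is trading for.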
