9. Security Considerations
We consider the ramifications of a forged message of each type.
9.1. Query Message
A forged Query message from a machine with a lower IP address than the current Querier will cause Querier election to occur. This may cause the current Querier to stop sending Queries and wait for the new Querier to start. Since the new Querier is invalid, the Query timer on the routers may eventually expire, causing them to drop their membership information.
A DoS attack is possible by sending forged Queries with a small Max Resp Code. This would cause all hosts on the LAN to send Reports simultaneously, potentially overwhelming the network or the router.
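As an added example (not part of this document), the following Python checker parses an IGMPv3 Membership Query, verifies its checksum, decodes the Max Resp Code using the IGMPv3 encoding (codes of 128 and above are floating-point encoded), and flags the two conditions described above: a Max Resp Time small enough to cause a simultaneous Report burst, and a source address lower than the current Querier's, which would trigger an election. The sample packets, the 1-second threshold and the addresses are constructed for illustration.

```python
import ipaddress
import struct

IGMP_MEMBERSHIP_QUERY = 0x11  # IGMPv3 Membership Query type


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over the IGMP message; 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def max_resp_time_tenths(code: int) -> int:
    """Decode Max Resp Code into tenths of a second (IGMPv3 encoding)."""
    if code < 128:
        return code
    exp = (code >> 4) & 0x07
    mant = code & 0x0F
    return (mant | 0x10) << (exp + 3)


def audit_query(src_ip: str, igmp: bytes, current_querier: str,
                min_resp_tenths: int = 10) -> list:
    """Return findings for a Membership Query seen on the LAN (empty list = nothing odd)."""
    findings = []
    if len(igmp) < 12 or igmp[0] != IGMP_MEMBERSHIP_QUERY:
        return ["not an IGMPv3 membership query"]
    if inet_checksum(igmp) != 0:
        findings.append("bad checksum")
    n_src = struct.unpack("!H", igmp[10:12])[0]
    if len(igmp) < 12 + 4 * n_src:
        findings.append("truncated source list")
    resp = max_resp_time_tenths(igmp[1])
    if resp < min_resp_tenths:  # tiny window forces every host to Report at once
        findings.append(f"max resp time {resp / 10:.1f}s below threshold (report burst)")
    if ipaddress.IPv4Address(src_ip) < ipaddress.IPv4Address(current_querier):
        findings.append(f"query from {src_ip} lower than querier {current_querier} (election trigger)")
    return findings


def build_sample(max_resp_code: int) -> bytes:
    """Constructed general query: group 0.0.0.0, S=0, QRV=2, QQIC=125, no sources."""
    hdr = struct.pack("!BBH4sBBH", IGMP_MEMBERSHIP_QUERY, max_resp_code, 0, b"\0" * 4, 0x02, 125, 0)
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]
```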
9.2. Current-State Report Messages
A forged Report message may cause the router to believe that there are members of a group on a network when there are not. This can cause multicast traffic to be forwarded to the network unnecessarily, consuming bandwidth.
9.3. State-Change Report Messages
A forged State Change Report message may cause the router to believe that a system has joined or left a group. Forged "Join" reports (ALLOW or TO_IN) cause unnecessary traffic. Forged "Leave" reports (BLOCK or TO_EX) may cause the router to send a Group-Specific Query, and if no valid hosts respond in time, the router may stop forwarding traffic for the group, causing a denial of service to legitimate members.
9.4. IPsec
The IPsec Authentication Header (AH) [RFC2402] may be used to protect IGMP messages. When AH is used, the authentication is applied to the entire IP packet, including the IGMP message. This can prevent the forgery of IGMP messages. However, key management for multicast is complex and is an area of ongoing research.