
8. Security Considerations

We consider the ramifications of a forged message of each type.

8.1. Query Message

A forged Query message from a machine with a lower IP address than the current Querier will cause Querier election to occur. This may cause the current Querier to stop sending Queries and wait for the new Querier to start. Since the new Querier is not genuine, the Query timer on the routers may eventually expire, causing them to drop their membership information.

A DoS attack is possible by sending forged Queries with a small Maximum Response Code. This would cause all hosts on the LAN to send Reports simultaneously, potentially overwhelming the network or the router.
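The two effects above (an unexpected Querier election and a Query whose Maximum Response Code compresses all Reports into a tiny window) are both visible to a passive monitor on the link. The following is an added example, not part of this document and not taken from any MLD implementation: it parses the ICMPv6 payload of an MLDv2 Query, decodes the Maximum Response Code, tracks which address currently holds the Querier role (the lowest IPv6 address wins, as stated above), and raises an alert when a Query would change the Querier or demands an implausibly short response delay. The field layout and the Maximum Response Code decoding follow RFC 3810 section 5.1, which this page does not reproduce; the link-local source requirement is also from RFC 3810. The 100 ms threshold, the `QuerierMonitor` class and the sample packets are constructed for the example.

```python
"""Monitor MLDv2 Query messages for an unexpected Querier election and for a
suspiciously small Maximum Response Code. Field layout and MRC decoding are
taken from RFC 3810 section 5.1; thresholds and sample packets are constructed."""
import ipaddress
import struct
from dataclasses import dataclass

MLDV2_QUERY = 130          # ICMPv6 type of a Multicast Listener Query
QUERY_FIXED_LEN = 28       # bytes before the variable-length source list
SUSPICIOUS_MRD_MS = 100    # hypothetical alert threshold, not from the RFC


@dataclass
class MldQuery:
    src: ipaddress.IPv6Address
    max_resp_delay_ms: int
    group: ipaddress.IPv6Address
    qrv: int
    qqic: int
    sources: list


def decode_max_resp_code(mrc: int) -> int:
    """Maximum Response Code -> Maximum Response Delay in ms (RFC 3810 5.1.3).

    Values below 32768 are the delay itself; larger values use a 3-bit
    exponent and 12-bit mantissa: (mant | 0x1000) << (exp + 3)."""
    if mrc < 32768:
        return mrc
    exp = (mrc >> 12) & 0x7
    mant = mrc & 0x0FFF
    return (mant | 0x1000) << (exp + 3)


def parse_query(src: str, payload: bytes) -> MldQuery:
    """Parse the ICMPv6 payload of an MLDv2 Query (checksum is not verified here)."""
    if len(payload) < QUERY_FIXED_LEN:
        raise ValueError("truncated MLDv2 Query")
    msg_type, _code, _csum, mrc, _resv = struct.unpack_from("!BBHHH", payload, 0)
    if msg_type != MLDV2_QUERY:
        raise ValueError(f"not a Multicast Listener Query (type {msg_type})")
    group = ipaddress.IPv6Address(payload[8:24])
    flags, qqic, nsrc = struct.unpack_from("!BBH", payload, 24)   # Resv|S|QRV, QQIC, Number of Sources
    if len(payload) < QUERY_FIXED_LEN + 16 * nsrc:
        raise ValueError("Number of Sources exceeds payload length")
    sources = [ipaddress.IPv6Address(payload[28 + 16 * i:44 + 16 * i]) for i in range(nsrc)]
    return MldQuery(ipaddress.IPv6Address(src), decode_max_resp_code(mrc),
                    group, flags & 0x7, qqic, sources)


def build_query(mrc: int, group: str = "::", sources=()) -> bytes:
    """Constructed sample Query (checksum left zero) used to exercise the parser."""
    head = struct.pack("!BBHHH", MLDV2_QUERY, 0, 0, mrc, 0) + ipaddress.IPv6Address(group).packed
    tail = struct.pack("!BBH", 0x02, 125, len(sources))          # S=0, QRV=2, QQIC=125
    return head + tail + b"".join(ipaddress.IPv6Address(s).packed for s in sources)


class QuerierMonitor:
    """Tracks the elected Querier (lowest IPv6 address wins) and flags anomalies."""

    def __init__(self, current_querier: str):
        self.querier = ipaddress.IPv6Address(current_querier)

    def observe(self, src: str, payload: bytes):
        q = parse_query(src, payload)
        alerts = []
        if not q.src.is_link_local:       # RFC 3810 requires a link-local source
            alerts.append(f"non-link-local source {q.src}")
        if q.src < self.querier:          # this Query would win the election
            alerts.append(f"querier change: {q.src} supersedes {self.querier}")
            self.querier = q.src
        if q.max_resp_delay_ms < SUSPICIOUS_MRD_MS:
            alerts.append(f"max response delay {q.max_resp_delay_ms} ms forces "
                          "near-simultaneous Reports from every listener")
        return q, alerts


if __name__ == "__main__":
    mon = QuerierMonitor("fe80::2")
    samples = [("fe80::1", build_query(10000)),                   # lower address: election
               ("fe80::3", build_query(5, "ff02::1:3"))]          # 5 ms response window
    for src, pkt in samples:
        q, alerts = mon.observe(src, pkt)
        print(q.src, q.group, q.max_resp_delay_ms, alerts)
```

An alert on a Querier change is only meaningful when the monitor knows which addresses are legitimate routers on the link, so in practice the `QuerierMonitor` would be seeded with that list rather than with a single address.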

8.2. Current State Report messages

A forged Report message may cause the router to believe that there are listeners for a group on a network when there are not. This can cause multicast traffic to be forwarded to the network unnecessarily, consuming bandwidth.

8.3. State Change Report messages

A forged State Change Report message may cause the router to believe that a system has joined or left a group. Forged "Join" reports (ALLOW or TO_IN) cause unnecessary traffic. Forged "Leave" reports (BLOCK or TO_EX) may cause the router to send a Multicast-Address-Specific Query, and if no valid hosts respond in time, the router may stop forwarding traffic for the group, causing a denial of service to legitimate listeners.

8.4. IPsec

The IPsec Authentication Header (AH) [RFC2402] or Encapsulating Security Payload (ESP) [RFC2406] may be used to protect MLDv2 messages. When AH or ESP is used, the authentication is applied to the entire IP packet, including the MLDv2 message. This can prevent the forgery of MLDv2 messages. However, key management for multicast is complex and is an area of ongoing research.