IGMP Version 3

IGMP Version 3

IGMP version 3 adds support for “source filtering”. IGMP version 1 and version 2 allow hosts to join multicast groups but they don’t check the source of the traffic. Any source is able to receive traffic to the multicast group(s) that they joined.

With source filtering, we can join multicast groups but only from specified source addresses. IGMP version 3 is a requirement for SSM (Source Specific Multicast).

Why is this useful? Let me give you an example:

Multicast video server four hosts

Above, we have a video server streaming multicast traffic on the network using destination address 239.1.1.1. Four hosts are listening to this traffic. Life is good. Suddenly, something happens:

multicast attacker sending traffic

An attacker didn’t like the video stream and decided to stream his favorite video to destination address 239.1.1.1.1. Since we don’t check the source address, everyone will receive the traffic from our attacker. It’s also possible to send bogus traffic and create a DoS attack like this.

IGMP versions 1 and 2 don’t have any protection against this.

With IGMP version 3, our hosts can be configured to receive multicast traffic only from specified source addresses. Let’s see how this works. I’ll use the following topology for this:

Multicast IGMP Version 3 topology

We will only use two devices: one multicast-enabled router and a host device. I’m using a Cisco router as the host device as well.

Let’s start with R1:

R1(config)#ip multicast-routing
R1(config)#interface GigabitEthernet 0/1
R1(config-if)#ip pim sparse-mode 
R1(config-if)#ip igmp version 3

Our router requires multicast routing, and PIM should be enabled on the interface. The default version of IGMP is 2, so we’ll change it to version 3. Before we let H1 join a multicast group, let’s enable debugging on both devices:

R1 & H1#debug ip igmp 
IGMP debugging is on

R1 will start sending membership general queries like the one below:

multicast igmp version 3 membership query general

Let’s configure H1 to join a multicast group:

H1(config)#interface GigabitEthernet 0/1
H1(config-if)#ip igmp join-group 239.1.1.1 ?
  source  Include SSM source
  <cr>

Besides configuring a group, I can configure the host to include a source address. Let’s pick something:

H1(config-if)#ip igmp join-group source 239.1.1.1 source 1.1.1.1

H1 will now include the source address in its membership report messages. Here’s what you will see on the console:

H1#
IGMP(0): WAVL Insert group: 239.1.1.1 interface: GigabitEthernet0/1Successful
IGMP(0): Create source 1.1.1.1
IGMP(0): Building v3 Report on GigabitEthernet0/1
IGMP(0): Add Group Record for 239.1.1.1, type 5
IGMP(0): Add Source Record 1.1.1.1
IGMP(0): Add Group Record for 239.1.1.1, type 6
IGMP(0): No sources to add, group record removed from report
IGMP(0): Send unsolicited v3 Report with 1 group records on GigabitEthernet0/1
IGMP(0): Building v3 Report on GigabitEthernet0/1
IGMP(0): Add Group Record for 239.1.1.1, type 5
IGMP(0): Add Source Record 1.1.1.1
IGMP(0): Add Group Record for 239.1.1.1, type 6
IGMP(0): No sources to add, group record removed from report
IGMP(0): Send unsolicited v3 Report with 1 group records on GigabitEthernet0/1

H1 sends two membership report messages. The first message includes the multicast group and source addresses we want to receive. The second message includes the “mode”. There are two modes:

  • Include: this is a list of source addresses that we accept multicast traffic from. Everything else should not be forwarded.
  • Exclude: this is a list of source addresses that we refuse to accept multicast traffic from. Everything else should be forwarded.

Table of Content

Unit 1. Introduction to Multicast

Unit 2: IGMP (Internet Group Management Protocol)

Unit 3: Multicast L2

Unit 4: Multicast L3

Unit 5:  IPv6 Multicast