Multicast connections are an easy way to send data packets in IP networks to various receiving devices without having to address and supply each of these devices separately. The packet’s sender distributes this task to the various nodes of the subnets involved, thereby saving valuable resources. Real-time internet applications used by many users benefit especially from this form of multipoint connection created with the help of special multicast groups. The IGMP protocol, which is the basis for smooth IPv4 multicast communication between sender, router, and receiver, plays a major role in the organisation of these groups. In addition, multicast traffic can be filtered via IGMP messages to reduce the load on individual target networks. This is also known as IGMP snooping.

Note

IGMP stands for “Internet Group Management Protocol” – the IPv4 protocol for managing multicast groups. The counterpart for IPv6 connections is the “Multicast Listener Discovery” (MLD) protocol.

What is IGMP snooping?

Multicast packets often pass through multiple stations on their way to the target hosts. Routers use the protocol-independent multicast (PIM) method to calculate the optimal route so they can forward the data stream as efficiently as possible. Network switches or multifunctional internet routers in private households, on the other hand, find it considerably more difficult to transmit multicast packets. This is because the usual attempt to assign the packets using the designated MAC address fails (it only works with unicast connections), so the devices forward the incoming packets to all available devices in the respective subnet for lack of alternatives.

This is where IGMP snooping (sometimes also known as “multicast snooping”) comes into play: this process lives up to its name and listens to all IGMP traffic exchanged between multicast routers and hosts. Switches or internet routers that have IGMP snooping enabled are therefore able to monitor the multicast activities of the individual network participants. Specifically, this means that the devices are notified when a host joins (“multicast query”) or leaves (“leave message” from IGMPv2 onwards) a multicast group. Based on this information, an entry for the network interface connected to the host can then be created or removed in the MAC address table.
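The bookkeeping described above, as an added example that is not part of the original article: a minimal Python model of a snooping switch that parses IGMPv1/v2 payloads, verifies their checksum, and keeps a group-to-port table. The class and function names are hypothetical, the messages are constructed, and dropping a port immediately on a leave message is a simplifying assumption.

```python
import socket
import struct

# IGMP message types: v1 report, v2 report, v2 leave (RFC 2236)
V1_REPORT, V2_REPORT, V2_LEAVE = 0x12, 0x16, 0x17

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum; 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_igmp(msg_type: int, group: str) -> bytes:
    """Construct an 8-byte IGMPv2 message (only used to make sample input)."""
    body = struct.pack("!BBH4s", msg_type, 0, 0, socket.inet_aton(group))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

class SnoopingTable:
    def __init__(self, ports):
        self.ports = set(ports)
        self.groups = {}  # group address -> set of ports with members

    def snoop(self, port: int, payload: bytes) -> bool:
        """Update the table from one IGMP payload seen on `port`."""
        if len(payload) < 8 or inet_checksum(payload[:8]) != 0:
            return False  # truncated or corrupted message: ignore it
        msg_type, _, _, raw = struct.unpack("!BBH4s", payload[:8])
        if not 224 <= raw[0] <= 239:
            return False  # group field is not a multicast address
        group = socket.inet_ntoa(raw)
        if msg_type in (V1_REPORT, V2_REPORT):
            self.groups.setdefault(group, set()).add(port)
        elif msg_type == V2_LEAVE:
            # Simplification: remove at once, without a follow-up query.
            members = self.groups.get(group, set())
            members.discard(port)
            if not members:
                self.groups.pop(group, None)
        else:
            return False  # queries and other types do not change the table
        return True

    def egress_ports(self, group: str, ingress: int):
        """Ports a multicast frame for `group` is sent to; unknown groups flood."""
        members = self.groups.get(group)
        targets = self.ports if members is None else members
        return sorted(targets - {ingress})
```
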

Note

IGMP snooping is specified in RFC 4541, although this request for comments (RFC) only has the status “informational.” This is because two organisations can be considered as responsible standardisation bodies for the technology – the IEEE (Institute of Electrical and Electronics Engineers), which standardises Ethernet switches, and the IETF (Internet Engineering Task Force), which is responsible for the IP multicasting standard, among other things.

Why and when is IGMP snooping worth it?

Multicast snooping helps switches and internet routers to efficiently deliver multicast data streams to the desired destination(s). How valuable this support is becomes clear when no filtering method for multipoint transmission is in place: the incoming multicast packets are then sent to all hosts of the network that the switch or internet router reaches. In larger networks, especially, this approach causes unnecessarily high traffic, which can even lead to network congestion. Criminals can take advantage of this and flood individual hosts or the entire network with multicast packets to bring them down, just like a classic DoS/DDoS attack.

With IGMP snooping enabled, overload problems and attacks like these won’t be cause for concern. All network hosts only receive multicast traffic for which they have previously registered via group request. The use of this eavesdropping technology is therefore worthwhile wherever applications are used that require a great deal of bandwidth. Examples include IPTV and other streaming services as well as web conference solutions. Networks in which there are only a few subscribers and hardly any multicast traffic, however, do not benefit from the filter procedure. Even if the switch or router offers the multicast snooping feature, it should remain off in this case to prevent unnecessary eavesdropping.
