IGMP snooping

Multicast con­nec­tions are an easy way to send data packets in IP networks to various receiving devices without having to address and supply each of these devices sep­a­rate­ly. The packet’s sender dis­trib­utes this task to the various nodes of the subnets involved, thereby saving valuable resources. Real-time internet ap­pli­ca­tions used by many users benefit es­pe­cial­ly from this form of mul­ti­point con­nec­tion created with the help of special multicast groups. The IGMP protocol, which is the basis for smooth IPv4 multicast com­mu­ni­ca­tion between sender, router, and receiver, plays a major role in the or­ga­ni­za­tion of these groups. In addition, multicast traffic can be filtered via IGMP messages to reduce the load on in­di­vid­ual target networks. This is also known as IGMP snooping.

Multicast packets often pass through multiple stations on their way to the target hosts. Routers use the protocol-in­de­pen­dent multicast (PIM) method to calculate the optimal route so they can forward the data stream as ef­fi­cient­ly as possible. Network switches or mul­ti­func­tion­al internet routers in private house­holds, on the other hand, find it con­sid­er­ably more difficult to transmit multicast packets. This is because the usual attempt to sign the packets using the des­ig­nat­ed MAC address fails (it only works with unicast con­nec­tions), so the devices forward the incoming packets to all available devices in the re­spec­tive subnet for lack of al­ter­na­tives.

This is where IGMP snooping (sometimes also known as “multicast snooping”) comes into play: this process lives up to its name and listens to all IGMP traffic exchanged between multicast routers and hosts. Switches or internet routers that have IGMP snooping enabled are therefore able to monitor the multicast ac­tiv­i­ties of the in­di­vid­ual network par­tic­i­pants. Specif­i­cal­ly, this means that the devices are notified when a host joins (“multicast query”) or leaves (“leave message” from IGMPv2 onwards) a multicast group. Based on this in­for­ma­tion, an entry for the network interface connected to the host can then be created or removed in the MAC address table.

Multicast snooping helps switches and internet routers to ef­fi­cient­ly deliver multicast data streams to the desired des­ti­na­tion(s). How valuable this support is becomes clear when a filtering method of mul­ti­point trans­mis­sion is missing: the incoming multicast packets are then sent to all hosts of the network that the switch or internet router reaches. In larger networks, es­pe­cial­ly, this approach ensures un­nec­es­sar­i­ly high traffic, which can even lead to network con­ges­tion. Criminals can take advantage of this and flood in­di­vid­ual hosts or the entire network with multicast packets to bring them down, just like a classic DoS/DDoS attack.

With IGMP snooping enabled, overload problems and attacks like these won’t be cause for concern. All network hosts only receive multicast traffic for which they have pre­vi­ous­ly reg­is­tered via group request. The use of this eaves­drop­ping tech­nol­o­gy is therefore worth­while wherever ap­pli­ca­tions are used that require a great deal of bandwidth. Examples include IPTV and other streaming services as well as web con­fer­ence solutions. Networks in which there are only a few sub­scribers and hardly any multicast traffic, however, do not benefit from the filter procedure. Even if the switch or router offers the multicast snooping feature, it should remain off in this case to prevent un­nec­es­sary eaves­drop­ping.