[ip6] filter host originated multicast packets

[sunytt]

This PR adds the possibility to filter multicast packets sent from host directly to its thread TUN interface with following rules:

• packets to link-local and realm-local scope multicast addresses are dropped
• packets to > realm-local scope addresses are sent to Thread network only if the multicast group address is in the BBR multicast listener table

This is to avoid potential multicast flooding into the low power and low data rate Thread network by malicious application on the device.

This feature can be enabled with OPENTHREAD_CONFIG_FILTER_LOCAL_ORIGINATED_MULTICAST_PACKETS. It's disabled by default, and should be enabled on open environment, e.g. Android.

Note that when this feature is enabled, ping command from host to Thread network link-local/realm-local multicast addresses will not work, to test connectivity the ot cli ping command can be used to reach Thread multicast addresses.

[size-report]

Size Report of OpenThread

Merging #9735 into main(3f99b11).

name	branch	text	data	bss	total
ot-cli-ftd	main	464048	760	66244	531052
	#9735	464048	760	66244	531052
	+/-	0	0	0	0
ot-ncp-ftd	main	434364	760	61464	496588
	#9735	434364	760	61464	496588
	+/-	0	0	0	0
libopenthread-ftd.a	main	233552	0	40198	273750
	#9735	233552	0	40198	273750
	+/-	0	0	0	0
libopenthread-cli-ftd.a	main	56611	0	8067	64678
	#9735	56611	0	8067	64678
	+/-	0	0	0	0
libopenthread-ncp-ftd.a	main	31841	0	5916	37757
	#9735	31841	0	5916	37757
	+/-	0	0	0	0
ot-cli-mtd	main	363176	760	51132	415068
	#9735	363176	760	51132	415068
	+/-	0	0	0	0
ot-ncp-mtd	main	346076	760	46376	393212
	#9735	346076	760	46376	393212
	+/-	0	0	0	0
libopenthread-mtd.a	main	156910	0	25110	182020
	#9735	156910	0	25110	182020
	+/-	0	0	0	0
libopenthread-cli-mtd.a	main	39472	0	8043	47515
	#9735	39472	0	8043	47515
	+/-	0	0	0	0
libopenthread-ncp-mtd.a	main	24721	0	5916	30637
	#9735	24721	0	5916	30637
	+/-	0	0	0	0
ot-cli-ftd-br	main	532176	768	130916	663860
	#9735	532176	768	130916	663860
	+/-	0	0	0	0
libopenthread-ftd-br.a	main	296451	5	104846	401302
	#9735	296501	5	104846	401352
	+/-	+50	0	0	+50
libopenthread-cli-ftd-br.a	main	70131	0	8091	78222
	#9735	70131	0	8091	78222
	+/-	0	0	0	0
ot-rcp	main	62168	564	20604	83336
	#9735	62168	564	20604	83336
	+/-	0	0	0	0
libopenthread-rcp.a	main	9522	0	5052	14574
	#9735	9522	0	5052	14574
	+/-	0	0	0	0
libopenthread-radio.a	main	18811	0	214	19025
	#9735	18811	0	214	19025
	+/-	0	0	0	0

[wgtdkp]

LGTM. 👍

[superwhd]

This seems dropping all multicast packets within realm local scope. Is this desired behavior? My understanding is that the filter should only apply to packets destined to multicast scope greater than realm local.

[sunytt]

I think when untrusted source is sending to multicast scope <= realm-local, then we should filter it so misbehaving applications can't flood the thread network. The application can still communicate with Thread network with subscribed multicast addresses, similar to the other devices on the backbone interface, their packet sent to multicast address <= realm-local scope are not forwarded to Thread network.

[superwhd]

I'm inclined not to dropping such packets. If such packets are dropped, that means we cannot run ping command targeting ff02::1 on Thread interface on a Linux based BR. That's kind of confusing to me.

[codecov]

Codecov Report

Attention: 10 lines in your changes are missing coverage. Please review.

Comparison is base (12af023) 85.68% compared to head (0b17b23) 85.70%.
Report is 24 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #9735      +/-   ##
==========================================
+ Coverage   85.68%   85.70%   +0.01%     
==========================================
  Files         555      556       +1     
  Lines       73829    73969     +140     
==========================================
+ Hits        63262    63395     +133     
- Misses      10567    10574       +7     

Files	Coverage Δ
...core/backbone_router/multicast_listeners_table.hpp	100.00% <ø> (ø)
src/core/net/ip6.cpp	76.84% <71.42%> (-0.05%)	⬇️
...core/backbone_router/multicast_listeners_table.cpp	89.28% <0.00%> (-5.42%)	⬇️

... and 30 files with indirect coverage changes

[abtink]

Thanks for submitting the PR and also adding a detailed PR description. 👍

Some smaller comments/questions below:

[bukepo]

Should we add a new API to control the behavior at runtime? I think this is a security feature, and should be controlled by upper layer.

[sunytt]

I'll update this PR to add API control for it.

[superwhd]

LGTM 👍

[abtink]

With this feature we can decide not to forward this message over the thread mesh (to other nodes) which sounds reasonable. But the VerifyOrExit() check here, we also disallow it to be received by the device itself (since we skip calling HandleDatagram()).

What if this device itself is subscribed to the destination of the multicast message? Do we need to receive/process this multicast? Or should we drop it here as the desired behavior? (I don't have any answer/suggestion myself, just raising it so we consider and think about this situation)

Related to this, we have otMessageSetMulticastLoopEnabled() which allows caller to inidcate whether we want to allow multicast loops.

If the goal is to only disallow forwarding over thread mesh, we can consider moving this new code block to HandleDatagram() method instead?

[sunytt]

Letting otMessageSetMulticastLoopEnabled() decide if multicast loops are allowed for host originated packets sounds good to me, I'll update this PR to move the code to HandleDatagram().