What is the difference between unicast, anycast, broadcast and multicast traffic?

I have never had the privilege of working in an environment that required complicated routing or if it did require it, it was handled upstream of me. I've always used very simple static routing configurations and never needed to do any multipath routing -- hence my general confusion regarding this subject. I would like to understand multicasting and anycasting better.

  • What is the difference between unicast, anycast, broadcast and multicast traffic?
  • What situations are they generally used in and why (e.g., what applications use which method)?
  • How do you calculate how much broadcast traffic is too much for a given network segment or broadcast domain?
  • What are the security implications of allowing broadcast and multicast traffic?

Simply put:

------------------------------------------------------------
| TYPE      | ASSOCIATIONS     | SCOPE           | EXAMPLE |
------------------------------------------------------------
| Unicast   | 1 to 1           | Whole network   | HTTP    | 
------------------------------------------------------------
| Broadcast | 1 to Many        | Subnet          | ARP     |
------------------------------------------------------------
| Multicast | One/Many to Many | Defined horizon | SLP     |
------------------------------------------------------------
| Anycast   | Many to Few      | Whole network   | 6to4    |
------------------------------------------------------------

Unicast is used when two network nodes need to talk to each other. This is pretty straight forward, so I'm not going to spend much time on it. TCP by definition is a Unicast protocol, except when there is Anycast involved (more on that below).

When you need to have more than two nodes see the traffic, you have options.

If all of the nodes are on the same subnet, then broadcast becomes a viable solution. All nodes on the subnet will see all traffic. There is no TCP-like connection state maintained. Broadcast is a layer 2 feature in the Ethernet protocol, and also a layer 3 feature in IPv4.

Multicast is like a broadcast that can cross subnets, but unlike broadcast does not touch all nodes. Nodes have to subscribe to a multicast group to receive information. Multicast protocols are usually UDP protocols, since by definition no connection-state can be maintained. Nodes transmitting data to a multicast group do not know what nodes are receiving. By default, Internet routers do not pass Multicast traffic. For internal use, though, it is perfectly allowed; thus, "Defined horizon" in the above chart. Multicast is a layer 3 feature of IPv4 & IPv6.

To use anycast you advertise the same network in multiple spots of the Internet, and rely on shortest-path calculations to funnel clients to your multiple locations. As far the network nodes themselves are concerned, they're using a unicast connection to talk to your anycasted nodes. For more on Anycast, try: What is "anycast" and how is it helpful?. Anycast is also a layer 3 feature, but is a function of how route-coalescing happens.


Examples

Some examples of how the non-Unicast methods are used in the real Internet.

Broadcast
ARP is a broadcast protocol, and is used by TCP/IP stacks to determine how to send traffic to other nodes on the network. If the destination is on the same subnet, ARP is used to figure out the MAC address that goes to the stated IP address. This is a Level 2 (Ethernet) broadcast, to the reserved FF:FF:FF:FF:FF:FF MAC address.

Also, Microsoft's machine browsing protocol is famously broadcast based. Work-arounds like WINS were created to allow cross-subnet browsing. This involves a Level 3 (IP) broadcast, which is an IP packet with the Destination address listed as the broadcast address of the subnet (in 192.168.101.0/24, the broadcast address would be 192.168.101.255).

The NTP protocol allows a broadcast method for announcing time sources.

Multicast
Inside a corporate network, Multicast can deliver live video to multiple nodes without having to have massive bandwidth on the part of the server delivering the video feed. This way you can have a video server feeding a 720p stream on only a 100Mb connection, and yet still serve that feed to 3000 clients.

When Novell moved away from IPX and to IP, they had to pick a service-advertising protocol to replace the SAP protocol in IPX. In IPX, the Service Advertising Protocol, did a network-wide announcement every time it announced a service was available. As TCP/IP lacked such a global announcement protocol, Novell chose to use a Multicast based protocol instead: the Service Location Protocol. New servers announce their services on the SLP multicast group. Clients looking for specific types of services announce their need to the multicast group and listen for unicasted replies.

HP printers announce their presence on a multicast group by default. With the right tools, it makes it real easy to learn what printers are available on your network.

The NTP protocol also allows a multicast method (IP 224.0.1.1) for announcing time sources to areas beyond just the one subnet.

Anycast
Anycast is a bit special since Unicast layers on top of it. Anycast is announcing the same network in different parts of the network, in order to decrease the network hops needed to get to that network.

The 6to4 IPv6 transition protocol uses Anycast. 6to4 gateways announce their presence on a specific IP, 192.88.99.1. Clients looking to use a 6to4 gateway send traffic to 192.88.99.1 and trust the network to deliver the connection request to a 6to4 router.

NTP services for especially popular NTP hosts may very well be anycasted, but I don't have proof of this. There is nothing in the protocol to prevent it.

Other services use Anycast to improve data locality to end users. Google does Anycast with its search pages in some places (and geo-IP in others). The Root DNS servers use Anycast for similar reasons. ServerFault itself just might go there, they do have datacenters in New York and Oregon, but hasn't gone there yet.


Network concerns

Excessive broadcast traffic can rob all nodes in that subnet of bandwidth. This is less of a concern these days with full-duplex GigE ports, but back in the half-duplex 10Mb days a broadcast storm could bring a network to a halt real fast. Those half-duplex networks with one big collision domain across all nodes were especially vulnerable to broadcast storms, which is why networking books, especially older ones, say to keep an eye on broadcast traffic. Switched/Full-Duplex networks are a lot harder to bring to a halt with a broadcast storm, but it can still happen. Broadcast is required for correct functioning of IP networks.

Multicast has the same possibility for abuse. If one node on the multicast group starts sending huge amounts of traffic to that group, all subscribed nodes will see all of that traffic. As with broadcast, excessive Mcast traffic can increase the possibilities of collisions on such connections where that is a problem.

Multicast is an optional feature with IPv4, but required for IPv6. The IPv4 broadcast is replaced by multicast in IPv6 (See also: Why can't IPv6 send broadcasts?). It is frequently turned off on IPv4 networks. Not coincidentally, enabling multicast is one of the many reasons network-engineers are leery of moving to IPv6 before they have to do it.

Calculating how much traffic is too much traffic depends on a few things

  • Half vs Full Duplex: Half-duplex networks have much lower tolerances for bcast/mcast traffic.
  • Speed of network ports: The faster your network, the less of an issue this becomes. In the 10Mb ethernet days 5-10% of traffic on a port could be bcast traffic, if not more, but on GigE less than 1% (probably way less) is more likely.
  • Number of nodes on the network: The more nodes you have, the more unavoidable broadcast traffic you'll incur (ARP). If you have broadcast specific protocols in use, Windows browsing or other things like cluster heartbeats, where problems start will change.
  • Network technology: Wired Ethernet is fast enough that so long as you have modern gear driving it, bcast/mcast isn't likely to cause you problems. Wireless, on the other hand, can suffer from excessive broadcast traffic as it is a shared medium amongst all nodes and therefore in a single collision domain.

In the end, Bcast and Mcast traffic rob ports of bandwidth off the top. When you start to worry is highly dependent on your individual network and tolerance for variable performance. In general, network-node counts haven't scaled as fast as network speeds so the overall broadcast percentage-as-traffic number has been dropping over time.

Some networks disallow Multicast for specific reasons, and others have never taken the time to set it up. There are some multicast protocols that can reveal interesting information (SLP is one such) to anyone listening for the right things. Personally, I don't mind minor multicast traffic as the biggest annoyance I've seen with it is polluted network captures when I'm doing some network analysis; and for that there are filters.


Here's some basic info:

Unicast: Unicast traffic is traffic that is meant for a single host. All other hosts will ignore unicast traffic not meant for themselves. In a switched environment, unicast traffic is generally not "heard" by any hosts other than the host that the traffic is intended for. In an environment that uses hubs (shudder) all hosts will "hear" unicast traffic meant for every other host, but they'll ignore all traffic not intended for themselves.

Broadcast: Broadcast traffic is traffic that is sent with the intent of being "heard" by all hosts on a particular network segment. Examples of broadcast traffic would be an ARP request, which is a broadcast at the physical layer (MAC address FF-FF-FF-FF-FF-FF) or a NetBIOS name query, which is a broadcast at the network layer (whatever happens to be the broadcast address for that particular network, such as 64.28.42.63 for the network 64.28.42.0/26).

Multicast: Multicast traffic is traffic that is sent with the intent of being "heard" by a particular group of hosts on a network segment. Some multicast traffic can be considered broadcast traffic, such as traffic to the multicast address 224.0.0.1, which is multicast traffic meant for all hosts on the same network segment. Another example of multicast traffic would be traffic sent to the multicast address 224.0.0.9 which is what RIP routers use to send routing information to other RIP routers on the same network segment.

I'll leave Anycast to someone else as I really don't know that much about it.


Anycast is not a widely accepted type of communication in IPv4, but it is present in IPv6.

Three type of communication in IPv4 are 1) Unicast, 2) Multicast 3) Broadcast.

1) IPv4 Unicast One-to-One type of communication. A network device communicates with another network device. Layer 3 address used for Unicast is IPv4 Class A, Class B, Class C addresses. Layer 2 address is a unicast MAC address.

Example: Browse a website, Download file using FTP, Connect to another device using SSH (Secure Shell) etc.

2) IPv4 Multicast One-to-many type of communication. A network device send an IPv4 data packet and it is delivered to the devices who are interested in that traffic. Layer 3 address used for IPv4 multicast is Class D IPv4 addresses (starts from 224 to 239) Layer 2 address for IPv4 multicast starts with "01:00:5e".

Example: IPTV, OSPF Hello messages, EIGRP Hello messages, RIPv2 Route Updates.

3) IPv4 Broadcast One-to-All type of communication. A network device send an IPv4 data packet and it will be delivered all devices in that LAN Segment. Problem with broadcast traffic is, broadcasts disturb all devices in LAN and cause bandwidth wastage.

Example: DHCPv4 Discover messages

In IPv6, we have Unicast, Multicast and Anycast. The concept of Unicast and Multicast are same in IPv4 and IPv6, except the changes in IPv6 Layer 3 addresses used for broadcast & multicast and the Layer 2 address used for multicast. Layer 2 address used for IPv6 multicast traffic starts from "33:33:" (in Ipv4, it is "01:00:5e").

IPv6 Anycast IPv6 Anycast type of communication is used to identify an interface from a group of interfaces, which provide the same service, but near to the client in routing distance (we can compare routing distance similar to geographical distance). Anycast is possible only with the help of routing protocols.

Check the below link for more clear explanation about IPv6 Anycast.

http://www.omnisecu.com/tcpip/ipv6/unicast-multicast-anycast-types-of-network-communication-in-ipv6.php

Example, My home is located in India, and I want to resolve the FQDN "www.serverfault.com" to an IP address. Consider I have three DNS servers, one located in USA, other in Canada, and other in India, all providing the same service. Better choice is the DNS server from India, because it is located near to my home. I will get a faster reply and cause less network traffic if I use the service near my place. Anycast can find the Server which is near to my home and get the service from that Server.


Just a clarification on anycast.

Anycast definitely shouldn't be grouped with the other *casts. However, it doesn't layer on top of unicast because it IS unicast. The term is simply used to identify that the same IP might exist in multiple places. In that respect it is a catchy mis-use of "cast". Kind of like "WiFi" is a catchy term based on the term "Hi-Fi" even though the two have nothing to do with each other.

When a router hears the same unicast prefix from multiple sources, it doesn't know (nor does it care) if they represent different destinations (anycast) or if it is the same destination reachable via different paths.