| draft-ietf-grow-no-more-unallocated-slash8s-04.txt | rfc6441.txt | |||
|---|---|---|---|---|
| Network Working Group L. Vegoda | Internet Engineering Task Force (IETF) L. Vegoda | |||
| Internet-Draft ICANN | Request for Comments: 6441 ICANN | |||
| Intended status: BCP October 12, 2011 | BCP: 171 November 2011 | |||
| Expires: April 14, 2012 | Category: Best Current Practice | |||
| ISSN: 2070-1721 | ||||
| Time to Remove Filters for Previously Unallocated IPv4 /8s | Time to Remove Filters for Previously Unallocated IPv4 /8s | |||
| draft-ietf-grow-no-more-unallocated-slash8s-04 | ||||
| Abstract | Abstract | |||
| It has been common for network administrators to filter IP traffic | It has been common for network administrators to filter IP traffic | |||
| from and BGP prefixes of unallocated IPv4 address space. Now that | from and BGP prefixes of unallocated IPv4 address space. Now that | |||
| there are no longer any unallocated IPv4 /8s, this practise is more | there are no longer any unallocated IPv4 /8s, this practise is more | |||
| complicated, fragile and expensive. Network administrators are | complicated, fragile, and expensive. Network administrators are | |||
| advised to remove filters based on the registration status of the | advised to remove filters based on the registration status of the | |||
| address space. | address space. | |||
| This document explains why any remaining packet and BGP prefix | This document explains why any remaining packet and BGP prefix | |||
| filters for unallocated IPv4 /8s should now be removed on border | filters for unallocated IPv4 /8s should now be removed on border | |||
| routers and documents those IPv4 unicast prefixes that should not be | routers and documents those IPv4 unicast prefixes that should not be | |||
| routed across the public Internet. | routed across the public Internet. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | ||||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | This memo documents an Internet Best Current Practice. | |||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| BCPs is available in Section 2 of RFC 5741. | ||||
| This Internet-Draft will expire on April 14, 2012. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| http://www.rfc-editor.org/info/rfc6441. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Traffic Filtering Options . . . . . . . . . . . . . . . . . . . 3 | 3. Traffic Filtering Options . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. No Longer Filtering Based on Address Registration | 3.1. No Longer Filtering Based on Address Registration | |||
| Status . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | Status . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.2. Continuing to Filter Traffic from Unallocated IPv4 | 3.2. Continuing to Filter Traffic from Unallocated IPv4 | |||
| Space . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | Space . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. Prefixes That Should Not be Routed Across the Internet . . . . 4 | 4. Prefixes That Should Not be Routed across the Internet . . . . 3 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 3 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 6.1. Normative References . . . . . . . . . . . . . . . . . . . 4 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 5 | 6.2. Informative References . . . . . . . . . . . . . . . . . . 4 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 5 | Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 5 | |||
| Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 6 | ||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 6 | ||||
| 1. Introduction | 1. Introduction | |||
| It has been common for network administrators to filter IP traffic | It has been common for network administrators to filter IP traffic | |||
| from and BGP prefixes of unallocated IPv4 address space. Now that | from and BGP prefixes of unallocated IPv4 address space. Now that | |||
| there are no longer any unallocated IPv4 /8s, this practise is more | there are no longer any unallocated IPv4 /8s, this practise is more | |||
| complicated, fragile and expensive. Network administrators are | complicated, fragile, and expensive. Network administrators are | |||
| advised to remove filters based on the registration status of the | advised to remove filters based on the registration status of the | |||
| address space. | address space. | |||
| This document explains why any remaining packet and BGP prefix | This document explains why any remaining packet and BGP prefix | |||
| filters for unallocated IPv4 /8s should now be removed on border | filters for unallocated IPv4 /8s should now be removed on border | |||
| routers and documents those IPv4 unicast prefixes that should not be | routers and documents those IPv4 unicast prefixes that should not be | |||
| routed across the public Internet. | routed across the public Internet. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in BCP 14, RFC 2119 | document are to be interpreted as described in BCP 14, RFC 2119 | |||
| [RFC2119]. | [RFC2119]. | |||
| Martians [RFC1208] is a humorous term applied to packets that turn up | Martians [RFC1208] is a humorous term applied to packets that turn up | |||
| unexpectedly on the wrong network because of bogus routing entries. | unexpectedly on the wrong network because of bogus routing entries. | |||
| It is also used as a name for a packet which has an altogether bogus | It is also used as a name for a packet that has an altogether bogus | |||
| (non-registered or ill-formed) Internet address. Bogons [RFC3871] | (non-registered or ill-formed) Internet address. Bogons [RFC3871] | |||
| are packets sourced from addresses that have not yet been allocated | are packets sourced from addresses that have not yet been allocated | |||
| by IANA or the Regional Internet Registries (RIRs), or addresses | by IANA or the Regional Internet Registries (RIRs), or addresses | |||
| reserved for private or special use by RFCs [RFC5735].Bogons are | reserved for private or special use by RFCs [RFC5735]. Bogons are | |||
| referred to as "Dark IP" in some circles. . | referred to as "Dark IP" in some circles. | |||
| 3. Traffic Filtering Options | 3. Traffic Filtering Options | |||
| 3.1. No Longer Filtering Based on Address Registration Status | 3.1. No Longer Filtering Based on Address Registration Status | |||
| Network administrators who implemented filters for unallocated IPv4 | Network administrators who implemented filters for unallocated IPv4 | |||
| /8s did so in the knowledge that those /8s were not a legitimate | /8s did so in the knowledge that those /8s were not a legitimate | |||
| source of traffic on the Internet and that there was a small number | source of traffic on the Internet and that there was a small number | |||
| of bogon filters to implement. Now that there are no longer any | of bogon filters to implement. Now that there are no longer any | |||
| unallocated unicast IPv4 /8s, there will be legitimate Internet | unallocated unicast IPv4 /8s, there will be legitimate Internet | |||
| skipping to change at page 4, line 15 | skipping to change at page 3, line 35 | |||
| 3.2. Continuing to Filter Traffic from Unallocated IPv4 Space | 3.2. Continuing to Filter Traffic from Unallocated IPv4 Space | |||
| Some network administrators might want to continue filtering | Some network administrators might want to continue filtering | |||
| unallocated IPv4 addresses managed by the RIRs. This requires | unallocated IPv4 addresses managed by the RIRs. This requires | |||
| significantly more granular ingress filters and the highly dynamic | significantly more granular ingress filters and the highly dynamic | |||
| nature of the RIRs' address pools means that filters need to be | nature of the RIRs' address pools means that filters need to be | |||
| updated on a daily basis to avoid blocking legitimate incoming | updated on a daily basis to avoid blocking legitimate incoming | |||
| traffic. | traffic. | |||
| 4. Prefixes That Should Not be Routed Across the Internet | 4. Prefixes That Should Not be Routed across the Internet | |||
| Network operators who only wish to filter traffic originating from | ||||
| addresses that should never be routed across the Internet, Martians, | ||||
| can deploy a set of packet and prefix filters designed to block | ||||
| traffic from address blocks reserved for special purposes. These | ||||
| are: | ||||
| - 0.0.0.0/8 (Local identification) [RFC1122]; | ||||
| - 10.0.0.0/8 (Private use) [RFC1918]; | ||||
| - 127.0.0.0/8 (Loopback) [RFC1122]; | ||||
| - 169.254.0.0/16 (Link local) [RFC3927]; | ||||
| - 172.16.0.0/12 (Private use) [RFC1918]; | ||||
| - 192.0.2.0/24 (TEST-NET-1) [RFC5737]; | ||||
| - 192.168.0.0/16 (Private use) [RFC1918]; | ||||
| - 198.18.0.0/15 (Benchmark testing) [RFC2544]; | ||||
| - 198.51.100.0/24 (TEST-NET-2) [RFC5737]; | ||||
| - 203.0.113.0/24 (TEST-NET-3) [RFC5737]; | ||||
| - 224.0.0.0/4 (Multicast) [RFC5771]; and | ||||
| - 240.0.0.0/4 (Future use) [RFC1112]. | ||||
| A full set of special use IPv4 addresses can be found in [RFC5735]. | Network operators may deploy filters that block traffic destined for | |||
| It includes prefixes that are intended for Internet use. | Martian prefixes. Currently, the Martian prefix table is defined by | |||
| [RFC5735] which reserves each Martian prefix for some specific, | ||||
| special use. If the Martian prefix table ever changes, that change | ||||
| will be documented in an RFC that either updates or obsoletes | ||||
| [RFC5735]. | ||||
| 5. Security Considerations | 5. Security Considerations | |||
| The cessation of filters based on unallocated IPv4 /8 allocations is | The cessation of filters based on unallocated IPv4 /8 allocations is | |||
| an evolutionary step towards reasonable security filters. While | an evolutionary step towards reasonable security filters. While | |||
| these filters are no longer necessary, and in fact harmful, this does | these filters are no longer necessary, and in fact harmful, this does | |||
| not obviate the need to continue other security solutions. These | not obviate the need to continue other security solutions. These | |||
| other solutions are as necessary today as they ever were. | other solutions are as necessary today as they ever were. | |||
| 6. IANA Considerations | 6. References | |||
| This document makes no request of IANA. | ||||
| 7. References | ||||
| 7.1. Normative References | ||||
| [RFC1112] Deering, S., "Host extensions for IP multicasting", STD 5, | ||||
| RFC 1112, August 1989. | ||||
| [RFC1122] Braden, R., "Requirements for Internet Hosts - | ||||
| Communication Layers", STD 3, RFC 1122, October 1989. | ||||
| [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and | 6.1. Normative References | |||
| E. Lear, "Address Allocation for Private Internets", | ||||
| BCP 5, RFC 1918, February 1996. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic | ||||
| Configuration of IPv4 Link-Local Addresses", RFC 3927, | ||||
| May 2005. | ||||
| [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", | [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", | |||
| BCP 153, RFC 5735, January 2010. | BCP 153, RFC 5735, January 2010. | |||
| [RFC5771] Cotton, M., Vegoda, L., and D. Meyer, "IANA Guidelines for | 6.2. Informative References | |||
| IPv4 Multicast Address Assignments", BCP 51, RFC 5771, | ||||
| March 2010. | ||||
| 7.2. Informative References | ||||
| [RFC1208] Jacobsen, O. and D. Lynch, "Glossary of networking terms", | [RFC1208] Jacobsen, O. and D. Lynch, "Glossary of networking terms", | |||
| RFC 1208, March 1991. | RFC 1208, March 1991. | |||
| [RFC2544] Bradner, S. and J. McQuaid, "Benchmarking Methodology for | ||||
| Network Interconnect Devices", RFC 2544, March 1999. | ||||
| [RFC3871] Jones, G., "Operational Security Requirements for Large | [RFC3871] Jones, G., "Operational Security Requirements for Large | |||
| Internet Service Provider (ISP) IP Network | Internet Service Provider (ISP) IP Network | |||
| Infrastructure", RFC 3871, September 2004. | Infrastructure", RFC 3871, September 2004. | |||
| [RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks | ||||
| Reserved for Documentation", RFC 5737, January 2010. | ||||
| Appendix A. Acknowledgments | Appendix A. Acknowledgments | |||
| Thanks are owed to Kim Davies, Terry Manderson, Dave Piscitello and | Thanks are owed to Kim Davies, Terry Manderson, Dave Piscitello, and | |||
| Joe Abley for helpful advice on how to focus this document. Thanks | Joe Abley for helpful advice on how to focus this document. Thanks | |||
| also go to Andy Davidson, Philip Smith and Rob Thomas for early | also go to Andy Davidson, Philip Smith, and Rob Thomas for early | |||
| reviews and suggestions for improvements to the text and Carlos | reviews and suggestions for improvements to the text, and to Carlos | |||
| Pignataro for his support and comments. | Pignataro for his support and comments. | |||
| Author's Address | Author's Address | |||
| Leo Vegoda | Leo Vegoda | |||
| Internet Corporation for Assigned Names and Numbers | Internet Corporation for Assigned Names and Numbers | |||
| 4676 Admiralty Way, Suite 330 | 4676 Admiralty Way, Suite 330 | |||
| Marina del Rey, CA 90292 | Marina del Rey, CA 90292 | |||
| United States of America | United States of America | |||
| Phone: +1-310-823-9358 | Phone: +1-310-823-9358 | |||
| Email: leo.vegoda@icann.org | EMail: leo.vegoda@icann.org | |||
| URI: http://www.iana.org/ | URI: http://www.iana.org/ | |||
| End of changes. 23 change blocks. | ||||
| 102 lines changed or deleted | 43 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||