draft-ietf-opsec-lla-only-00.txt   draft-ietf-opsec-lla-only-01.txt 
Network Working Group M. Behringer Operational Security Capabilities for M. Behringer
Internet-Draft E. Vyncke IP Network Infrastructure E. Vyncke
Intended status: Informational Cisco Internet-Draft Cisco
Expires: February 18, 2013 August 17, 2012 Intended status: Informational September 21, 2012
Expires: March 25, 2013
Using Only Link-Local Addressing Inside an IPv6 Network Using Only Link-Local Addressing Inside an IPv6 Network
draft-ietf-opsec-lla-only-00 draft-ietf-opsec-lla-only-01
Abstract Abstract
This document proposes to use only IPv6 link-local addresses on In an IPv6 network it is possible to use only link-local addresses on
infrastructure links between routers, wherever possible. It infrastructure links between routers. This document discusses the
discusses the advantages and disadvantages of this approach to aide advantages and disadvantages of this approach to help the decision
the decision process for a given network, process for a given network.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 18, 2013. This Internet-Draft will expire on March 25, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 10 skipping to change at page 2, line 10
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3
2. Using Link-Local Address on Infrastructure Links . . . . . . . 3 2. Using Link-Local Address on Infrastructure Links . . . . . . . 3
2.1. The Suggested Approach . . . . . . . . . . . . . . . . . . 3 2.1. The Approach . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3. Caveats and Possible Workarounds . . . . . . . . . . . . . 5 2.3. Caveats and Possible Workarounds . . . . . . . . . . . . . 5
2.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
6.1. Normative References . . . . . . . . . . . . . . . . . . . 6 6.1. Normative References . . . . . . . . . . . . . . . . . . . 7
6.2. Informative References . . . . . . . . . . . . . . . . . . 7 6.2. Informative References . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
An infrastructure link between a set of routers typically does not An infrastructure link between a set of routers typically does not
require global or even unique local addressing [RFC4193]. Using require global or even unique local addressing [RFC4193]. Using
link-local addressing on such links has a number of advantages, for link-local addressing on such links has a number of advantages, for
example that routing tables do not need to carry link addressing, and example that routing tables do not need to carry link addressing, and
can therefore be significantly smaller. This helps to decrease can therefore be significantly smaller. This helps to decrease
failover times in certain routing convergence events. An interface failover times in certain routing convergence events. An interface
of a router is also not reachable beyond the link boundaries, of a router is also not reachable beyond the link boundaries,
therefore reducing the attack horizon. therefore reducing the attack horizon.
We propose to configure neither globally routable IPv6 addresses nor We propose to configure neither globally routable IPv6 addresses nor
unique local addresses on infrastructure links of routers, wherever unique local addresses on infrastructure links of routers, wherever
possible. We recommend to use exclusively link-local addresses on possible. We recommend to use exclusively link-local addresses on
such links. such links.
This document discusses the advantages and caveats of this approach. This document discusses the advantages and caveats of this approach.
Note: [I-D.ietf-ospf-prefix-hiding] describes another approach for
OPSFv2 and OSPFv3 by modifying the existing protocols while this
document does not modify any protocol but works only for IPv6.
1.1. Requirements Language 1.1. Requirements Language
In this document, the key words "MAY", "MUST, "MUST NOT", "OPTIONAL", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"RECOMMENDED", "SHOULD", and "SHOULD NOT", are to be interpreted as "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
described in RFC2119 [RFC2119]. document are to be interpreted as described in RFC2119 [RFC2119] when
they appear in ALL CAPS. These words may also appear in this
document in lower case as plain English words, absent their normative
meanings.
2. Using Link-Local Address on Infrastructure Links 2. Using Link-Local Address on Infrastructure Links
This document proposes to use only link-local addresses (LLA) on all This document proposes to use only link-local addresses (LLA) on all
router interfaces on infrastructure links. Routers typically do not router interfaces on infrastructure links. Routers typically do not
need to be reached from from users of the network, nor from outside need to be reached from nodes of the network, nor from outside the
the network. For an network operator there may be reasons to send network. For an network operator there may be reasons to send
packets to an infrastructure link for certain monitoring tasks; we packets to an infrastructure link for certain monitoring tasks; many
suggest that many of those tasks could also be handled differently, of those tasks could also be handled differently, not requiring
not requiring routable address space on infrastructure links. routable address space on infrastructure links.
2.1. The Suggested Approach 2.1. The Approach
Neither global IPv6 addresses nor unique local addresses are Neither global IPv6 addresses nor unique local addresses are
configured on infrastructure links. In the absence of specific configured on infrastructure links. In the absence of specific
global or unique local address definitions, the default behavior of global or unique local address definitions, the default behavior of
routers is to use link-local addresses. These link-local addresses routers is to use link-local addresses notably for routing protocols.
MAY be hard-coded to prevent the change of EUI-64 addresses when
changing of MAC address (such as after changing a network interface
card).
ICMPv6 [RFC4443] error messages (packet-too-big...) are required for These link-local addresses SHOULD be hard-coded to prevent the change
routers, therefore a loopback interface MUST be configured with a of EUI-64 addresses when changing of MAC address (such as after
global scope IPv6 address. This global scope IPv6 address MUST be changing a network interface card).
used as the source IPv6 address for all generated ICMPv6 messages.
ICMPv6 [RFC4443] error messages (packet-too-big, time-exceeded...)
are required for routers, therefore a loopback interface MUST be
configured with an IPv6 address with a greater scope than link-local
(this will usually be a global scope). This greater-than-link scope
IPv6 address MUST be used as the source IPv6 address for all
generated ICMPv6 messages sent to a non-link-local address and MUST
belong to the operator to avoid being dropped by other routers
implementing [RFC3704].
The effect on specific traffic types is as follows: The effect on specific traffic types is as follows:
o Control plane protocols, such as BGP, ISIS, OSPFv3, RIPng, PIM o Control plane protocols, such as BGP, ISIS, OSPFv3, RIPng, PIM
work by default or can be configured to work with link-local work by default or can be configured to work with link-local
addresses. addresses.
o Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo o Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
request ... can be addressed to loopback addresses of routers with request ... can be addressed to loopback addresses of routers with
a global scope address. Router management can also be done over a greater than link-local scope address. Router management can
out-of-band channels. also be done over out-of-band channels.
o IICMP error message can also be sourced from the global scope o ICMP error message can also be sourced from the loopback address.
loopback address.
o Data plane traffic is forwarded independently of the link address o Data plane traffic is forwarded independently of the link address
type. type.
o Neighbor discovery (neighbor solicitation and neighbor o Neighbor discovery (neighbor solicitation and neighbor
advertisement) is done by using link-local unicast and multicast advertisement) is done by using link-local unicast and multicast
addresses, therefore neighbor discovery is not affected. addresses, therefore neighbor discovery is not affected.
We therefore conclude that it is possible to construct a working We therefore conclude that it is possible to construct a working
network in this way. network in this way.
2.2. Advantages 2.2. Advantages
Smaller routing tables: Since the routing protocol only needs to Smaller routing tables: Since the routing protocol only needs to
carry one loopback address per router, it is smaller than in the carry one loopback address per router, it is smaller than in the
traditional approach where every infrastructure link addresses are traditional approach where every infrastructure link addresses are
carried in the routing protocol. This reduces memory consumption, carried in the routing protocol. This reduces memory consumption,
and increases the convergence speed in some routing failover cases. and increases the convergence speed in some routing failover cases
Note: smaller routing tables can also be achieved by putting (notably because the Forwarding Information Base to be downloaded to
interfaces in passive mode for the IGP. line cards are smaller but also because there are less prefixes in
the Routing Information Base hence accelerating the routing
algorithm). Note: smaller routing tables can also be achieved by
putting interfaces in passive mode for the IGP.
Reduced attack surface: Every globally routable address on a router Reduced attack surface: Every routable address on a router
constitutes a potential attack point: a remote attacker can send constitutes a potential attack point: a remote attacker can send
traffic to that address, for example a TCP SYN flood, or he can traffic to that address, for example a TCP SYN flood, or he can
intent SSH brute force password attacks. If a network only uses intent SSH brute force password attacks. If a network only uses
loopback addresses for the routers, only those loopback addresses loopback addresses for the routers, only those loopback addresses
need to be protected from outside the network. This significantly need to be protected from outside the network. This significantly
eases protection measures, such as infrastructure access control eases protection measures, such as infrastructure access control
lists. See also [I-D.ietf-grow-private-ip-sp-cores] for further lists. See also [I-D.ietf-grow-private-ip-sp-cores] for further
discussion on this topic. discussion on this topic.
Lower configuration complexity: LLAs require no specific Lower configuration complexity: LLAs require no specific
configuration, thereby lowering the complexity and size of router configuration, thereby lowering the complexity and size of router
configurations. This also reduces the likelihood of configuration configurations. This also reduces the likelihood of configuration
mistakes. mistakes.
Simpler DNS: Less address space in use also means less DNS mappings Simpler DNS: Less greater-than-link-local address space in use also
to maintain. means less DNS mappings to maintain because DNS is not really
suitable to contain link-local addresses as DNS has no clue to the
link scope.
2.3. Caveats and Possible Workarounds 2.3. Caveats and Possible Workarounds
Interface ping: If an interface doesn't have a globally routable Interface ping: If an interface doesn't have a routable address, it
address, it can only be pinged from a node on the same link. can only be pinged from a node on the same link. Therefore it is not
Therefore it is not possible to ping a specific link interface possible to ping a specific link interface remotely. A possible
remotely. A possible workaround is to ping the loopback address of a workaround is to ping the loopback address of a router instead. In
router instead. In most cases today it is not possible to see which most cases today it is not possible to see which link the packet was
link the packet was received on; however, RFC5837 [RFC5837] suggests received on; however, RFC5837 [RFC5837] suggests to include the
to include the interface identifier of the interface a packet was interface identifier of the interface a packet was received on in the
received on in the ICMP response; it must be noted that there are ICMP response; it must be noted that there are little implemention of
little implemented of this extension. With this approach it would be this ICMP extension. With this approach it would be possible to ping
possible to ping a router on the loopback address, yet see which a router on the loopback address, yet see which interface the packet
interface the packet was received on. To check liveliness of a was received on. To check liveliness of a specific interface it may
specific interface it may be necessary to use other methods, for be necessary to use other methods, for example to connect to the
example to connect to the router via SSH and to check locally. router via SSH and to check locally or use SNMP.
Traceroute: Similar to the ping case, a reply to a traceroute packet Traceroute: Similar to the ping case, a reply to a traceroute packet
would come from a loopback address with a global address. Today this would come from a loopback address with a greater than link-local
does not display the specific interface the packets came in on. Also address. Today this does not display the specific interface the
here, RFC5837 [RFC5837] provides a solution. packets came in on. Also here, RFC5837 [RFC5837] provides a
solution.
Hardware dependency: LLAs are usually EUI-64 based, hence, they Hardware dependency: LLAs are usually EUI-64 based, hence, they
change when the MAC address is changed. This could pose problem in a change when the MAC address is changed. This could pose problem in a
case where the routing neighbor must be configured explicitly (e.g. case where the routing neighbor must be configured explicitly (e.g.
BGP) and a line card needs to be physically replaced hence changing BGP) and a line card needs to be physically replaced hence changing
the EUI-64 LLA and breaking the routing neighborship. But, LLAs can the EUI-64 LLA and breaking the routing neighborship. But, LLAs can
be statically configured such as fe80::1 and fe80::2 which can be be statically configured such as fe80::1 and fe80::2 which can be
used to configure any required static routing neighborship. used to configure any required static routing neighborship.
NMS toolkits: If there is any NMS tool that makes use of interface IP Network Management System (NMS) toolkits: If there is any NMS tool
address of a router to carry out any of NMS functions, then it would that makes use of interface IP address of a router to carry out any
no longer work, if the interface is missing globally routable of NMS functions, then it would no longer work, if the interface is
address. A possible workaround for such tools is to use the globally missing routable address. A possible workaround for such tools is to
routable lopback address of the router instead. use the routable loopback address of the router instead.
MPLS and RSVP-TE [RFC3209] allows establishing MPLS LSP on a path MPLS and RSVP-TE [RFC3209] allows establishing MPLS LSP on a path
that is explicitly identified by a strict sequence of IP prefixes or that is explicitly identified by a strict sequence of IP prefixes or
addresses (each pertaining to an interface or a router on the path). addresses (each pertaining to an interface or a router on the path).
This is commonly used for FRR. However, if an interface uses only a This is commonly used for FRR. However, if an interface uses only a
link-local address, then such LSPs can not be established. A link-local address, then such LSPs can not be established. A
possible workaround is to use loose sequence of IP prefixes or possible workaround is to use loose sequence of IP prefixes or
addresses (each pertaining to a router) to identify an explicit path addresses (each pertaining to a router) to identify an explicit path
along with shared-risk-link-group (to not use a set of common along with shared-risk-link-group (to not use a set of common
interfaces). interfaces).
2.4. Summary 2.4. Summary
Using link-local addressing only on infrastructure links has a number Using link-local addressing only on infrastructure links has a number
of advantages, such as a smaller routing table size and a reduced of advantages, such as a smaller routing table size and a reduced
attack surface. It also simplifies router configurations. However, attack surface. It also simplifies router configurations. However,
the way certain network management tasks are carried out has to be the way certain network management tasks are carried out today has to
adapted to provide the same level of detail, for example interface be adapted to provide the same level of detail, for example interface
identifiers in traceroute. identifiers in traceroute.
3. Security Considerations 3. Security Considerations
Using LLAs only on infrastructure links reduces the attack surface of Using LLAs only on infrastructure links reduces the attack surface of
a router: Loopback addresses with globally routed addresses are still a router: loopback addresses with routed addresses are still
reachable and must be secured, but infrastructure links can only be reachable and must be secured, but infrastructure links can only be
attacked from the local link. This simplifies security of control attacked from the local link. This simplifies security of control
and management planes. The proposal does not impact the security of and management planes. The proposal does not impact the security of
the data plane. This proposal does not address control plane the data plane. This proposal does not address control plane
[RFC6192] attacks generated by data plane packets (such as hop-limit [RFC6192] attacks generated by data plane packets (such as hop-limit
expiration). expiration or packets containing a hop-by-hop extension header).
As in the traditional approach, also this approach relies on the As in the traditional approach, this approach relies on the
assumption that all routers can be trusted due to physical and assumption that all routers can be trusted due to physical and
operational security. operational security.
4. IANA Considerations 4. IANA Considerations
There are no IANA considerations or implications that arise from this There are no IANA considerations or implications that arise from this
document. document.
5. Acknowledgements 5. Acknowledgements
The authors would like to thank Salman Asadullah, Janos Mohacsi and The authors would like to thank Salman Asadullah, Brian Carpenter,
Wes George for their useful comments about this work. Benoit Claise, Simon Eng, Wes George, Janos Mohacsi, Alvaro Retana
for their useful comments about this work.
6. References 6. References
6.1. Normative References 6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
6.2. Informative References 6.2. Informative References
[I-D.ietf-grow-private-ip-sp-cores] [I-D.ietf-grow-private-ip-sp-cores]
Kirkham, A., "Issues with Private IP Addressing in the Kirkham, A., "Issues with Private IP Addressing in the
Internet", draft-ietf-grow-private-ip-sp-cores-07 (work in Internet", draft-ietf-grow-private-ip-sp-cores-07 (work in
progress), July 2012. progress), July 2012.
[I-D.ietf-ospf-prefix-hiding]
Yang, Y., Retana, A., and A. Roy, "Hiding Transit-only
Networks in OSPF", draft-ietf-ospf-prefix-hiding-05 (work
in progress), July 2012.
[RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V.,
and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP
Tunnels", RFC 3209, December 2001. Tunnels", RFC 3209, December 2001.
[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
Networks", BCP 84, RFC 3704, March 2004.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005. Addresses", RFC 4193, October 2005.
[RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control
Message Protocol (ICMPv6) for the Internet Protocol Message Protocol (ICMPv6) for the Internet Protocol
Version 6 (IPv6) Specification", RFC 4443, March 2006. Version 6 (IPv6) Specification", RFC 4443, March 2006.
[RFC5837] Atlas, A., Bonica, R., Pignataro, C., Shen, N., and JR. [RFC5837] Atlas, A., Bonica, R., Pignataro, C., Shen, N., and JR.
Rivers, "Extending ICMP for Interface and Next-Hop Rivers, "Extending ICMP for Interface and Next-Hop
Identification", RFC 5837, April 2010. Identification", RFC 5837, April 2010.
 End of changes. 28 change blocks. 
70 lines changed or deleted 97 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/