| draft-ietf-opsec-lla-only-01.txt | draft-ietf-opsec-lla-only-02.txt | |||
|---|---|---|---|---|
| Operational Security Capabilities for M. Behringer | Operational Security Capabilities for M. Behringer | |||
| IP Network Infrastructure E. Vyncke | IP Network Infrastructure E. Vyncke | |||
| Internet-Draft Cisco | Internet-Draft Cisco | |||
| Intended status: Informational September 21, 2012 | Intended status: Informational October 22, 2012 | |||
| Expires: March 25, 2013 | Expires: April 25, 2013 | |||
| Using Only Link-Local Addressing Inside an IPv6 Network | Using Only Link-Local Addressing Inside an IPv6 Network | |||
| draft-ietf-opsec-lla-only-01 | draft-ietf-opsec-lla-only-02 | |||
| Abstract | Abstract | |||
| In an IPv6 network it is possible to use only link-local addresses on | In an IPv6 network it is possible to use only link-local addresses on | |||
| infrastructure links between routers. This document discusses the | infrastructure links between routers. This document discusses the | |||
| advantages and disadvantages of this approach to help the decision | advantages and disadvantages of this approach to help the decision | |||
| process for a given network. | process for a given network. | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 25, 2013. | This Internet-Draft will expire on April 25, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 12 | skipping to change at page 2, line 12 | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Using Link-Local Address on Infrastructure Links . . . . . . . 3 | 2. Using Link-Local Address on Infrastructure Links . . . . . . . 3 | |||
| 2.1. The Approach . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. The Approach . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.3. Caveats and Possible Workarounds . . . . . . . . . . . . . 5 | 2.3. Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.4. Internet Exchange Points . . . . . . . . . . . . . . . . . 6 | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 | 2.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 | 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . . 7 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . . 7 | 6.1. Normative References . . . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 | 6.2. Informative References . . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 | ||||
| 1. Introduction | 1. Introduction | |||
| An infrastructure link between a set of routers typically does not | An infrastructure link between a set of routers typically does not | |||
| require global or even unique local addressing [RFC4193]. Using | require global or even unique local addressing [RFC4193]. Using | |||
| link-local addressing on such links has a number of advantages, for | link-local addressing on such links has a number of advantages, for | |||
| example that routing tables do not need to carry link addressing, and | example that routing tables do not need to carry link addressing, and | |||
| can therefore be significantly smaller. This helps to decrease | can therefore be significantly smaller. This helps to decrease | |||
| failover times in certain routing convergence events. An interface | failover times in certain routing convergence events. An interface | |||
| of a router is also not reachable beyond the link boundaries, | of a router is also not reachable beyond the link boundaries, | |||
| skipping to change at page 4, line 10 | skipping to change at page 4, line 10 | |||
| Neither global IPv6 addresses nor unique local addresses are | Neither global IPv6 addresses nor unique local addresses are | |||
| configured on infrastructure links. In the absence of specific | configured on infrastructure links. In the absence of specific | |||
| global or unique local address definitions, the default behavior of | global or unique local address definitions, the default behavior of | |||
| routers is to use link-local addresses notably for routing protocols. | routers is to use link-local addresses notably for routing protocols. | |||
| These link-local addresses SHOULD be hard-coded to prevent the change | These link-local addresses SHOULD be hard-coded to prevent the change | |||
| of EUI-64 addresses when changing of MAC address (such as after | of EUI-64 addresses when changing of MAC address (such as after | |||
| changing a network interface card). | changing a network interface card). | |||
| ICMPv6 [RFC4443] error messages (packet-too-big, time-exceeded...) | ICMPv6 [RFC4443] error messages (packet-too-big, time-exceeded...) | |||
| are required for routers, therefore a loopback interface MUST be | are required for routers, therefore a loopback interface must be | |||
| configured with an IPv6 address with a greater scope than link-local | configured with an IPv6 address with a greater scope than link-local | |||
| (this will usually be a global scope). This greater-than-link scope | (this will usually be a global scope). This greater than link-local | |||
| IPv6 address MUST be used as the source IPv6 address for all | scope IPv6 address must be used as the source IPv6 address for all | |||
| generated ICMPv6 messages sent to a non-link-local address and MUST | generated ICMPv6 messages sent to a non link-local address and must | |||
| belong to the operator to avoid being dropped by other routers | belong to the operator and be part of an announced prefix (with a | |||
| suitable prefix length) to avoid being dropped by other routers | ||||
| implementing [RFC3704]. | implementing [RFC3704]. | |||
| The effect on specific traffic types is as follows: | The effect on specific traffic types is as follows: | |||
| o Control plane protocols, such as BGP, ISIS, OSPFv3, RIPng, PIM | o Control plane protocols, such as BGP, ISIS, OSPFv3, RIPng, PIM | |||
| work by default or can be configured to work with link-local | work by default or can be configured to work with link-local | |||
| addresses. | addresses. | |||
| o Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo | o Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo | |||
| request ... can be addressed to loopback addresses of routers with | request ... can be addressed to loopback addresses of routers with | |||
| a greater than link-local scope address. Router management can | a greater than link-local scope address. Router management can | |||
| also be done over out-of-band channels. | also be done over out-of-band channels. | |||
| o ICMP error message can also be sourced from the loopback address. | o ICMP error message can be sourced from a loopback address. They | |||
| must not be sourced from link-local addresses when the destination | ||||
| is non link-local. | ||||
| o Data plane traffic is forwarded independently of the link address | o Data plane traffic is forwarded independently of the link address | |||
| type. | type. | |||
| o Neighbor discovery (neighbor solicitation and neighbor | o Neighbor discovery (neighbor solicitation and neighbor | |||
| advertisement) is done by using link-local unicast and multicast | advertisement) is done by using link-local unicast and multicast | |||
| addresses, therefore neighbor discovery is not affected. | addresses, therefore neighbor discovery is not affected. | |||
| We therefore conclude that it is possible to construct a working | We therefore conclude that it is possible to construct a working | |||
| network in this way. | network in this way. | |||
| skipping to change at page 5, line 16 | skipping to change at page 5, line 19 | |||
| constitutes a potential attack point: a remote attacker can send | constitutes a potential attack point: a remote attacker can send | |||
| traffic to that address, for example a TCP SYN flood, or he can | traffic to that address, for example a TCP SYN flood, or he can | |||
| intent SSH brute force password attacks. If a network only uses | intent SSH brute force password attacks. If a network only uses | |||
| loopback addresses for the routers, only those loopback addresses | loopback addresses for the routers, only those loopback addresses | |||
| need to be protected from outside the network. This significantly | need to be protected from outside the network. This significantly | |||
| eases protection measures, such as infrastructure access control | eases protection measures, such as infrastructure access control | |||
| lists. See also [I-D.ietf-grow-private-ip-sp-cores] for further | lists. See also [I-D.ietf-grow-private-ip-sp-cores] for further | |||
| discussion on this topic. | discussion on this topic. | |||
| Lower configuration complexity: LLAs require no specific | Lower configuration complexity: LLAs require no specific | |||
| configuration, thereby lowering the complexity and size of router | configuration (except when they are statically configured), thereby | |||
| configurations. This also reduces the likelihood of configuration | lowering the complexity and size of router configurations. This also | |||
| mistakes. | reduces the likelihood of configuration mistakes. | |||
| Simpler DNS: Less greater-than-link-local address space in use also | Simpler DNS: Less routable address space in use also means less DNS | |||
| means less DNS mappings to maintain because DNS is not really | mappings to maintain. | |||
| suitable to contain link-local addresses as DNS has no clue to the | ||||
| link scope. | ||||
| 2.3. Caveats and Possible Workarounds | 2.3. Caveats | |||
| Interface ping: If an interface doesn't have a routable address, it | Interface ping: If an interface doesn't have a routable address, it | |||
| can only be pinged from a node on the same link. Therefore it is not | can only be pinged from a node on the same link. Therefore it is not | |||
| possible to ping a specific link interface remotely. A possible | possible to ping a specific link interface remotely. A possible | |||
| workaround is to ping the loopback address of a router instead. In | workaround is to ping the loopback address of a router instead. In | |||
| most cases today it is not possible to see which link the packet was | most cases today it is not possible to see which link the packet was | |||
| received on; however, RFC5837 [RFC5837] suggests to include the | received on; however, RFC5837 [RFC5837] suggests to include the | |||
| interface identifier of the interface a packet was received on in the | interface identifier of the interface a packet was received on in the | |||
| ICMP response; it must be noted that there are little implemention of | ICMP response; it must be noted that there are little implemention of | |||
| this ICMP extension. With this approach it would be possible to ping | this ICMP extension. With this approach it would be possible to ping | |||
| skipping to change at page 6, line 10 | skipping to change at page 6, line 12 | |||
| case where the routing neighbor must be configured explicitly (e.g. | case where the routing neighbor must be configured explicitly (e.g. | |||
| BGP) and a line card needs to be physically replaced hence changing | BGP) and a line card needs to be physically replaced hence changing | |||
| the EUI-64 LLA and breaking the routing neighborship. But, LLAs can | the EUI-64 LLA and breaking the routing neighborship. But, LLAs can | |||
| be statically configured such as fe80::1 and fe80::2 which can be | be statically configured such as fe80::1 and fe80::2 which can be | |||
| used to configure any required static routing neighborship. | used to configure any required static routing neighborship. | |||
| Network Management System (NMS) toolkits: If there is any NMS tool | Network Management System (NMS) toolkits: If there is any NMS tool | |||
| that makes use of interface IP address of a router to carry out any | that makes use of interface IP address of a router to carry out any | |||
| of NMS functions, then it would no longer work, if the interface is | of NMS functions, then it would no longer work, if the interface is | |||
| missing routable address. A possible workaround for such tools is to | missing routable address. A possible workaround for such tools is to | |||
| use the routable loopback address of the router instead. | use the routable loopback address of the router instead. Most vendor | |||
| implementations allow the specification of the loopback address for | ||||
| SYSLOG, IPfix, SNMP. LLDP (IEEE 802.1AB-2009) runs directly over | ||||
| Ethernet and does not require any IPv6 address so dynamic network | ||||
| discovery is not hindered when using LLDP. But, network discovery | ||||
| based on NDP cache content will only display the link-local addresses | ||||
| and not the loopback global address; therefore, network discovery | ||||
| should rather be based on the Route Information Base to detect | ||||
| adjacent nodes. | ||||
| MPLS and RSVP-TE [RFC3209] allows establishing MPLS LSP on a path | MPLS and RSVP-TE [RFC3209] allows establishing MPLS LSP on a path | |||
| that is explicitly identified by a strict sequence of IP prefixes or | that is explicitly identified by a strict sequence of IP prefixes or | |||
| addresses (each pertaining to an interface or a router on the path). | addresses (each pertaining to an interface or a router on the path). | |||
| This is commonly used for FRR. However, if an interface uses only a | This is commonly used for Fast Re-Route (FRR). However, if an | |||
| link-local address, then such LSPs can not be established. A | interface uses only a link-local address, then such LSPs cannot be | |||
| possible workaround is to use loose sequence of IP prefixes or | established. At the time of writing this document, there is no | |||
| addresses (each pertaining to a router) to identify an explicit path | workaround for this case; therefore where RSVP-TE is being used, the | |||
| along with shared-risk-link-group (to not use a set of common | approach proposed in this document does not work. | |||
| interfaces). | ||||
| 2.4. Summary | 2.4. Internet Exchange Points | |||
| Internet Exchange Points (IXPs) have a special importance in the | ||||
| global Internet, because they connect a high number of networks in a | ||||
| single location, and because significant part of Internet traffic | ||||
| pass through at least one IXP. An IXP with all the service provider | ||||
| nodes requires therefore a very high level of security. The address | ||||
| space used on an IXP is generally known, as it is registered in the | ||||
| global Internet Route Registry, or it is easily discoverable through | ||||
| traceroute. The IXP prefix is especially critical, because | ||||
| practically all addresses on this prefix are critical systems in the | ||||
| Internet. | ||||
| Apart from general device security guidelines, there are generally | ||||
| two additional ways to raise security (see also | ||||
| [I-D.jdurand-bgp-security]): | ||||
| 1. Not to announce the prefix in question, and | ||||
| 2. To drop all traffic destined to the IXP prefixes from traffic | ||||
| from remote locations. | ||||
| Not announcing the prefix of the IXP however would frequently result | ||||
| in traceroute and similar packets (required for PMTUd) to be dropped | ||||
| due to uRPF checks. Given that PMTUd is critical, this is generally | ||||
| not acceptable. Dropping all external traffic to the IXP prefix is | ||||
| hard to implement, because if only one service provider on an IXP | ||||
| routes does not filter correctly, then all IXP routers are reachable | ||||
| from at least that service provider network. | ||||
| As the prefix used in IXP is usually longer than a /48 it is | ||||
| frequently dropped by route filters on the Internet having the same | ||||
| net effect as not announced the prefix. | ||||
| Using link-local addresses on the IXP may help in this scenario. In | ||||
| this case, the generated ICMP packets would be generated from | ||||
| loopback interfaces or from any other interfaces with globally | ||||
| routable sources without any configuration. However in this case, | ||||
| each service provider would use his own address space, making a | ||||
| generic attack against all devices on the IXP harder. Also all the | ||||
| loopback addresses on the IXP can be discovered by a potential | ||||
| attacker by a simple traceroute; a generic attack is therefore still | ||||
| possible, but it would require significantly more work. | ||||
| In some cases service providers carry the IXP addresses in their IGP | ||||
| for certain forms of traffic engineering across multiple exit points. | ||||
| If link local addresses are used, these cannot be used for this | ||||
| purpose; in this case, the service provider would have to employ | ||||
| other methods of traffic engineering. | ||||
| 2.5. Summary | ||||
| Using link-local addressing only on infrastructure links has a number | Using link-local addressing only on infrastructure links has a number | |||
| of advantages, such as a smaller routing table size and a reduced | of advantages, such as a smaller routing table size and a reduced | |||
| attack surface. It also simplifies router configurations. However, | attack surface. It also simplifies router configurations. However, | |||
| the way certain network management tasks are carried out today has to | the way certain network management tasks are carried out today has to | |||
| be adapted to provide the same level of detail, for example interface | be adapted to provide the same level of detail, for example interface | |||
| identifiers in traceroute. | identifiers in traceroute. | |||
| 3. Security Considerations | 3. Security Considerations | |||
| skipping to change at page 7, line 8 | skipping to change at page 8, line 17 | |||
| operational security. | operational security. | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| There are no IANA considerations or implications that arise from this | There are no IANA considerations or implications that arise from this | |||
| document. | document. | |||
| 5. Acknowledgements | 5. Acknowledgements | |||
| The authors would like to thank Salman Asadullah, Brian Carpenter, | The authors would like to thank Salman Asadullah, Brian Carpenter, | |||
| Benoit Claise, Simon Eng, Wes George, Janos Mohacsi, Alvaro Retana | Benoit Claise, Simon Eng, Wes George, Janos Mohacsi, Alvaro Retana, | |||
| for their useful comments about this work. | Ivan Pepelnjak for their useful comments about this work. | |||
| 6. References | 6. References | |||
| 6.1. Normative References | 6.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| 6.2. Informative References | 6.2. Informative References | |||
| [I-D.ietf-grow-private-ip-sp-cores] | [I-D.ietf-grow-private-ip-sp-cores] | |||
| Kirkham, A., "Issues with Private IP Addressing in the | Kirkham, A., "Issues with Private IP Addressing in the | |||
| Internet", draft-ietf-grow-private-ip-sp-cores-07 (work in | Internet", draft-ietf-grow-private-ip-sp-cores-07 (work in | |||
| progress), July 2012. | progress), July 2012. | |||
| [I-D.ietf-ospf-prefix-hiding] | [I-D.ietf-ospf-prefix-hiding] | |||
| Yang, Y., Retana, A., and A. Roy, "Hiding Transit-only | Yang, Y., Retana, A., and A. Roy, "Hiding Transit-only | |||
| Networks in OSPF", draft-ietf-ospf-prefix-hiding-05 (work | Networks in OSPF", draft-ietf-ospf-prefix-hiding-05 (work | |||
| in progress), July 2012. | in progress), July 2012. | |||
| [I-D.jdurand-bgp-security] | ||||
| Durand, J., Pepelnjak, I., and G. Doering, "BGP operations | ||||
| and security", draft-jdurand-bgp-security-02 (work in | ||||
| progress), September 2012. | ||||
| [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., | [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., | |||
| and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP | and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP | |||
| Tunnels", RFC 3209, December 2001. | Tunnels", RFC 3209, December 2001. | |||
| [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed | [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed | |||
| Networks", BCP 84, RFC 3704, March 2004. | Networks", BCP 84, RFC 3704, March 2004. | |||
| [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast | [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast | |||
| Addresses", RFC 4193, October 2005. | Addresses", RFC 4193, October 2005. | |||
| End of changes. 15 change blocks. | ||||
| 37 lines changed or deleted | 101 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||