--- 1/draft-ietf-opsec-lla-only-02.txt 2013-02-15 21:07:59.743793021 +0100 +++ 2/draft-ietf-opsec-lla-only-03.txt 2013-02-15 21:07:59.763790732 +0100 @@ -1,19 +1,19 @@ Operational Security Capabilities for M. Behringer IP Network Infrastructure E. Vyncke Internet-Draft Cisco -Intended status: Informational October 22, 2012 -Expires: April 25, 2013 +Intended status: Informational February 12, 2013 +Expires: August 16, 2013 Using Only Link-Local Addressing Inside an IPv6 Network - draft-ietf-opsec-lla-only-02 + draft-ietf-opsec-lla-only-03 Abstract In an IPv6 network it is possible to use only link-local addresses on infrastructure links between routers. This document discusses the advantages and disadvantages of this approach to help the decision process for a given network. Status of this Memo @@ -23,25 +23,25 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 25, 2013. + This Internet-Draft will expire on August 16, 2013. Copyright Notice - Copyright (c) 2012 IETF Trust and the persons identified as the + Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as @@ -50,21 +50,21 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 2. Using Link-Local Address on Infrastructure Links . . . . . . . 3 2.1. The Approach . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.4. Internet Exchange Points . . . . . . . . . . . . . . . . . 6 2.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 7 - 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 + 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 8 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 6.1. Normative References . . . . . . . . . . . . . . . . . . . 8 6.2. Informative References . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction An infrastructure link between a set of routers typically does not @@ -163,24 +163,28 @@ line cards are smaller but also because there are less prefixes in the Routing Information Base hence accelerating the routing algorithm). Note: smaller routing tables can also be achieved by putting interfaces in passive mode for the IGP. Reduced attack surface: Every routable address on a router constitutes a potential attack point: a remote attacker can send traffic to that address, for example a TCP SYN flood, or he can intent SSH brute force password attacks. If a network only uses loopback addresses for the routers, only those loopback addresses - need to be protected from outside the network. This significantly - eases protection measures, such as infrastructure access control - lists. See also [I-D.ietf-grow-private-ip-sp-cores] for further - discussion on this topic. + need to be protected from outside the network. This may ease + protection measures, such as infrastructure access control lists. If + the addressing scheme is set up such that all link addresses and all + loopback addresses are aggregatable, and if the infrastructure access + list covers that entire aggregated space, then changing to link-local + addresses does not reduce the attack surface significantly. See also + [I-D.ietf-grow-private-ip-sp-cores] for further discussion on this + topic. Lower configuration complexity: LLAs require no specific configuration (except when they are statically configured), thereby lowering the complexity and size of router configurations. This also reduces the likelihood of configuration mistakes. Simpler DNS: Less routable address space in use also means less DNS mappings to maintain. 2.3. Caveats @@ -204,21 +208,24 @@ address. Today this does not display the specific interface the packets came in on. Also here, RFC5837 [RFC5837] provides a solution. Hardware dependency: LLAs are usually EUI-64 based, hence, they change when the MAC address is changed. This could pose problem in a case where the routing neighbor must be configured explicitly (e.g. BGP) and a line card needs to be physically replaced hence changing the EUI-64 LLA and breaking the routing neighborship. But, LLAs can be statically configured such as fe80::1 and fe80::2 which can be - used to configure any required static routing neighborship. + used to configure any required static routing neighborship. This + static configuration is similar in complexity to statically + configured greater than link-local addresses, however, it is only + required where routing peers are explicitly configured. Network Management System (NMS) toolkits: If there is any NMS tool that makes use of interface IP address of a router to carry out any of NMS functions, then it would no longer work, if the interface is missing routable address. A possible workaround for such tools is to use the routable loopback address of the router instead. Most vendor implementations allow the specification of the loopback address for SYSLOG, IPfix, SNMP. LLDP (IEEE 802.1AB-2009) runs directly over Ethernet and does not require any IPv6 address so dynamic network discovery is not hindered when using LLDP. But, network discovery @@ -312,40 +319,41 @@ 4. IANA Considerations There are no IANA considerations or implications that arise from this document. 5. Acknowledgements The authors would like to thank Salman Asadullah, Brian Carpenter, Benoit Claise, Simon Eng, Wes George, Janos Mohacsi, Alvaro Retana, - Ivan Pepelnjak for their useful comments about this work. + Ivan Pepelnjak, and Harald Michl for their useful comments about this + work. 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 6.2. Informative References [I-D.ietf-grow-private-ip-sp-cores] Kirkham, A., "Issues with Private IP Addressing in the Internet", draft-ietf-grow-private-ip-sp-cores-07 (work in progress), July 2012. [I-D.ietf-ospf-prefix-hiding] Yang, Y., Retana, A., and A. Roy, "Hiding Transit-only - Networks in OSPF", draft-ietf-ospf-prefix-hiding-05 (work - in progress), July 2012. + Networks in OSPF", draft-ietf-ospf-prefix-hiding-07 (work + in progress), December 2012. [I-D.jdurand-bgp-security] Durand, J., Pepelnjak, I., and G. Doering, "BGP operations and security", draft-jdurand-bgp-security-02 (work in progress), September 2012. [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP Tunnels", RFC 3209, December 2001. @@ -363,22 +371,22 @@ Rivers, "Extending ICMP for Interface and Next-Hop Identification", RFC 5837, April 2010. [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the Router Control Plane", RFC 6192, March 2011. Authors' Addresses Michael Behringer Cisco - 400 Avenue Roumanille, Bat 3 - Biot, 06410 + Building D, 45 Allee des Ormes + Mougins, 06250 France Email: mbehring@cisco.com Eric Vyncke Cisco De Kleetlaan, 6A Diegem, 1831 Belgium