Operational Security Capabilities for
OPsec Working Group                                         M. Behringer
IP Network Infrastructure
Internet-Draft                                                 E. Vyncke
Internet-Draft                                                     Cisco
Intended status: Informational                         February 12, 2013                                     Cisco
Expires: August 16, April 23, 2014                                 October 20, 2013

        Using Only Link-Local Addressing Inside an IPv6 Network
                      draft-ietf-opsec-lla-only-03
                      draft-ietf-opsec-lla-only-04

Abstract

   In an IPv6 network it is possible to use only link-local addresses on
   infrastructure links between routers.  This document discusses the
   advantages and disadvantages of this approach to help the decision
   process for a given network.

Status of this This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 16, 2013. April 23, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . . . 3   2
   2.  Using Link-Local Address on Infrastructure Links  . . . . . . . 3   2
     2.1.  The Approach  . . . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  Advantages  . . . . . . . . . . . . . . . . . . . . . . . . 4   3
     2.3.  Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . 5   4
     2.4.  Internet Exchange Points  . . . . . . . . . . . . . . . . . 6   5
     2.5.  Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 7   6
   3.  Security Considerations . . . . . . . . . . . . . . . . . . . . 8   7
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8   7
   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 8   7
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 8
     6.1.  Normative References  . . . . . . . . . . . . . . . . . . . 8
     6.2.  Informative References  . . . . . . . . . . . . . . . . . . 8 .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   An infrastructure link between a set of routers typically does not
   require global or even unique local addressing [RFC4193].  Using only
   link-local addressing on such links has a number of advantages, for
   example that routing tables do not need to carry link addressing, and
   can therefore be significantly smaller.  This helps to decrease
   failover times in certain routing convergence events.  An interface
   of a router is also not reachable beyond the link boundaries,
   therefore reducing the attack horizon.

   We propose to configure neither globally routable IPv6 addresses nor
   unique local addresses on infrastructure links of routers, wherever
   possible.  We recommend to use exclusively link-local addresses on
   such links.

   This document discusses the advantages and caveats of this approach.

   Note: [I-D.ietf-ospf-prefix-hiding] [RFC6860] describes another approach for OPSFv2 and OSPFv3 by
   modifying the existing protocols while this document does not modify
   any protocol but works only for IPv6.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC2119 [RFC2119] when
   they appear in ALL CAPS.  These words may also appear in this
   document in lower case as plain English words, absent their normative
   meanings.

2.  Using Link-Local Address on Infrastructure Links

   This document proposes to use discusses the approach of using only link-local
   addresses (LLA) on all router interfaces on infrastructure links.
   Routers typically do not need to be reached receive packets neither from nodes of the network, hosts, nor
   from nodes outside the network.  For an network operator there may be
   reasons to send
   packets to an use greater than link-local scope addresses on
   infrastructure link interfaces for certain monitoring tasks; many
   of those tasks could also be handled differently, not requiring
   routable address space on infrastructure links. operational tasks, for example
   pings to an interface or traceroutes across the network.  This
   document discusses such cases and proposes alternative procedures.

2.1.  The Approach

   Neither global IPv6 addresses nor unique local addresses are
   configured on infrastructure links.  In the absence of specific
   global or unique local address definitions, the default behavior of
   routers is to use link-local addresses notably for routing protocols.

   These link-local addresses SHOULD be hard-coded to prevent the change
   of EUI-64 addresses when changing

   The sending of MAC address (such as after
   changing a network interface card). ICMPv6 [RFC4443] error messages (packet-too-big, time-exceeded...)
   are time-
   exceeded...) is required for routers, therefore a loopback another interface
   must be configured with an IPv6 address with a greater scope than link-local
   (this
   link-local.  This will usually be a loopback interface with a global scope).  This greater than link-local
   scope IPv6 address must be used as the source IPv6 address for all
   generated ICMPv6 messages sent to a non link-local address and must
   belong belonging to the operator and be part of an announced
   prefix (with a suitable prefix length) to avoid being dropped by
   other routers implementing [RFC3704].  For the remainder of this
   document we will refer to this interface as a "loopback interface".
   [RFC6724] mandates that greater than link-local scope IPv6 addresses
   must be used as the source IPv6 address for all generated ICMPv6
   messages sent to a non link-local address.

   The effect on specific traffic types is as follows:

   o  Control plane protocols, such as BGP, ISIS, OSPFv3, RIPng, BGP [RFC4271], ISIS [IS-IS],
      OSPFv3 [RFC5340], RIPng [RFC2080], PIM [RFC4609] work by default
      or can be configured to work with link-local addresses.

   o  Management plane traffic, such as SSH, Telnet, SNMP, SSH [RFC4251], Telnet [RFC0495],
      SNMP [RFC1157], and ICMP echo request ... [RFC4443], can be addressed to loopback addresses use as
      destination address the address of routers with
      a greater than link-local scope address. the router loopback interface.
      Router management can also be done over out-of-band channels.

   o  ICMP error message can be sourced from a loopback address. interface.  They
      must not be sourced from link-local addresses when the destination
      is non link-local.  See [RFC6724].

   o  Data plane traffic is forwarded independently of the link address
      type.

   o  Neighbor discovery (neighbor solicitation and neighbor
      advertisement) is done by using link-local unicast and multicast
      addresses, therefore neighbor discovery is not affected.

   We therefore conclude that it is possible to construct a working
   network in this way.

2.2.  Advantages

   Smaller routing tables: Since the routing protocol only needs to
   carry one loopback global address (the loopback interface) per router, it is
   smaller than in the traditional approach where every infrastructure link
   addresses are carried in the routing protocol.  This reduces memory
   consumption, and increases the convergence speed in some routing
   failover cases (notably because the Forwarding Information Base to be
   downloaded to line cards are is smaller but also because there are less
   prefixes in the Routing Information Base hence accelerating the
   routing algorithm).  Note: smaller routing tables can also be
   achieved by putting interfaces in passive mode for the IGP.

   Reduced attack surface: Every routable address on a router
   constitutes a potential attack point: a remote attacker can send
   traffic to that address, for example a TCP SYN flood, flood (see [RFC4987]),
   or he can
   intent attempt SSH brute force password attacks.  If a network only
   uses
   loopback the addresses for of the routers, router loopback interface(s), only those loopback addresses
   need to be protected from outside the network.  This may ease
   protection measures, such as infrastructure access control lists.  If

   Without using link-local addresses, it is still possible to achieve
   the same result if the network addressing scheme is set up such that
   all link addresses and all loopback interfaces have greater than link-local
   addresses and are aggregatable, and if the infrastructure access
   list covers that entire aggregated space, then changing to link-local
   addresses does not reduce the attack surface significantly. access list
   covers that entire aggregated space.  See also
   [I-D.ietf-grow-private-ip-sp-cores] [RFC6752] for further
   discussion on this topic.

   Lower configuration complexity: LLAs link-local addresses require no
   specific
   configuration (except when they are statically configured), configuration, thereby lowering the complexity and size of
   router configurations.  This also reduces the likelihood of
   configuration mistakes.

   Simpler DNS: Less routable address space in use also means less
   reverse and forward mapping DNS
   mappings resource records to maintain.

2.3.  Caveats

   Interface ping: If if an interface doesn't have a routable address, it
   can only be pinged from a node on the same link.  Therefore it is not
   possible to ping a specific link interface remotely.  A possible
   workaround is to ping the loopback address of a router instead.  In
   most cases today it is not possible to see which link the packet was
   received on; however, RFC5837 [RFC5837] suggests to include the
   interface identifier of the interface a packet was received on in the
   ICMP response; it must be noted that there are little implemention few implementions of
   this ICMP extension.  With this approach it would be possible to ping
   a router on the addresses of loopback address, interfaces, yet see which
   interface the packet was received on.  To check liveliness of a
   specific interface it may be necessary to use other methods, for
   example to connect to the router via SSH and to check locally or use
   SNMP.

   Traceroute: Similar similar to the ping case, a reply to a traceroute packet
   would come from a loopback the address with of a greater than link-local
   address.  Today this does loopback interface, and current
   implementations do not display the specific interface the packets
   came in on.  Also here, RFC5837 [RFC5837] provides a solution.

   Hardware dependency: LLAs are usually EUI-64 based, hence, they
   change when the MAC address is changed.  This could pose problem in a
   case where the routing neighbor must be configured explicitly (e.g.
   BGP) and a line card needs to be physically replaced hence changing
   the EUI-64 LLA and breaking the routing neighborship.  But, LLAs can
   be statically configured such as fe80::1 and fe80::2 which can be
   used to configure any required static routing neighborship.  This
   static configuration is similar in complexity to statically
   configured greater than link-local addresses, however, it is only
   required where routing peers are explicitly configured.

   Network Management System (NMS) toolkits: If if there is any NMS tool
   that makes use of interface IP address of a router to carry out any
   of NMS functions, then it would no longer work, if the interface is
   missing routable address.  A possible workaround for such tools is to
   use the routable loopback address of the router loopback interface instead.
   Most vendor implementations allow the specification of the loopback address of
   the loopback interfaces for SYSLOG, IPfix, SNMP.  LLDP (IEEE
   802.1AB-2009) runs directly over Ethernet and does not require any
   IPv6 address so dynamic network discovery is not hindered when using
   LLDP.  But, network discovery based on NDP cache content will only
   display the link-local addresses and not the addresses of the
   loopback global address; interfaces; therefore, network discovery should rather be
   based on the Route Information Base to detect adjacent nodes.

   MPLS and RSVP-TE [RFC3209] allows establishing MPLS LSP on a path
   that is explicitly identified by a strict sequence of IP prefixes or
   addresses (each pertaining to an interface or a router on the path).
   This is commonly used for Fast Re-Route (FRR).  However, if an
   interface uses only a link-local address, then such LSPs cannot be
   established.  At the time of writing this document, there is no
   workaround for this case; therefore where RSVP-TE is being used, the
   approach proposed described in this document does not work.

2.4.  Internet Exchange Points

   Internet Exchange Points (IXPs) have a special importance in the
   global Internet, because they connect a high number of networks in a
   single location, and because significant part of Internet traffic
   pass through at least one IXP.  An IXP with all the service provider
   nodes requires therefore a very high level of security.  The address
   space used on an IXP is generally known, as it is registered in the
   global Internet Route Registry, or it is easily discoverable through
   traceroute.  The IXP prefix is especially critical, because
   practically all addresses on this prefix are critical systems in the
   Internet.

   Apart from general device security guidelines, there are generally
   two additional ways to raise security (see also
   [I-D.jdurand-bgp-security]):
   [I-D.ietf-opsec-bgp-security]):

   1.  Not to announce the prefix in question, and

   2.  To drop all traffic destined to the IXP prefixes from traffic
       from remote locations.

   Not announcing the prefix of the IXP however would frequently result
   in traceroute and similar packets (required for PMTUd) to be dropped
   due to uRPF checks.  Given that PMTUd is critical, this is generally
   not acceptable.  Dropping all external traffic to the IXP prefix is
   hard to implement, because if only one service provider on an IXP
   routes does not filter correctly, then all IXP routers are reachable
   from at least that service provider network.

   As the prefix used in IXP is usually longer than a /48 it is
   frequently dropped by route filters on the Internet having the same
   net effect as not announced the prefix.

   Using link-local addresses on the IXP may help in this scenario.  In
   this case, the generated ICMP packets would be generated from
   loopback interfaces or from any other interfaces with globally
   routable sources without any configuration.  However in this case,
   each service provider would use his own address space, making a
   generic attack against all devices on the IXP harder.  Also all the
   loopback
   addresses of the loopback interfaces on the IXP can be discovered by
   a potential attacker by a simple traceroute; a generic attack is
   therefore still possible, but it would require significantly more work.

   In some cases service providers carry the IXP addresses in their IGP
   for certain forms of traffic engineering across multiple exit points.
   If link local link-local addresses are used, these cannot be used for this
   purpose; in this case, the service provider would have to employ
   other methods of traffic engineering.

   If an Internet Exchange Point is using a global prefix registered for
   this purpose, a traceroute will indicate whether the trace crosses an
   IXP rather than a private interconnect.  If link local addressing is
   used instead, a traceroute will not provide this distinction.

2.5.  Summary
   Using link-local addressing only on infrastructure links has a number
   of advantages, such as a smaller routing table size and a reduced
   attack surface.  It also simplifies router configurations.  However,
   the way certain network management tasks are carried out today has to
   be adapted to provide the same level of detail, for example interface
   identifiers in traceroute.

3.  Security Considerations

   Using LLAs only on infrastructure links reduces the attack surface of
   a router: loopback addresses of loopback interfaces with routed addresses are
   still reachable and must be secured, but infrastructure links can
   only be attacked from the local link.  This simplifies security of
   control and management planes.  The proposal approach does not impact the
   security of the data plane.  This proposal approach does not address control
   plane [RFC6192] attacks generated by data plane packets (such as hop-limit hop-
   limit expiration or packets containing a hop-by-hop extension
   header).

   As in the traditional approach, this approach relies on the
   assumption that all routers can be trusted due to physical and
   operational security.

4.  IANA Considerations

   There are no IANA considerations or implications that arise from this
   document.

5.  Acknowledgements

   The authors would like to thank Salman Asadullah, Brian Carpenter,
   Benoit Claise, Rama Darbha, Simon Eng, Wes George, Fernando Gont,
   Harald Michl, Janos Mohacsi, Alvaro Retana,
   Ivan Pepelnjak, Retana and Harald Michl Ivan Pepelnjak for
   their useful comments about this work.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

6.2.  Informative References

   [I-D.ietf-grow-private-ip-sp-cores]
              Kirkham, A., "Issues with Private IP Addressing in the
              Internet", draft-ietf-grow-private-ip-sp-cores-07 (work in
              progress), July 2012.

   [I-D.ietf-ospf-prefix-hiding]
              Yang, Y., Retana, A., and A. Roy, "Hiding Transit-only
              Networks in OSPF", draft-ietf-ospf-prefix-hiding-07 (work
              in progress), December 2012.

   [I-D.jdurand-bgp-security]

   [I-D.ietf-opsec-bgp-security]
              Durand, J., Pepelnjak, I., and G. Doering, "BGP operations
              and security", draft-jdurand-bgp-security-02 draft-ietf-opsec-bgp-security-01 (work in
              progress), July 2013.

   [IS-IS]    ISO/IEC 10589, ., "Intermediate System to Intermediate
              System Intra-Domain Routing Exchange Protocol for use in
              Conjunction with the Protocol for Providing the
              Connectionless-mode Network Service (ISO 8473)", June
              1992.

   [RFC0495]  McKenzie, A., "Telnet Protocol specifications", RFC 495,
              May 1973.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, September 2012. 1981.

   [RFC1157]  Case, J., Fedor, M., Schoffstall, M., and J. Davin,
              "Simple Network Management Protocol (SNMP)", STD 15, RFC
              1157, May 1990.

   [RFC2080]  Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080,
              January 1997.

   [RFC3209]  Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V.,
              and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP
              Tunnels", RFC 3209, December 2001.

   [RFC3704]  Baker, F. and P. Savola, "Ingress Filtering for Multihomed
              Networks", BCP 84, RFC 3704, March 2004.

   [RFC4193]  Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
              Addresses", RFC 4193, October 2005.

   [RFC4251]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Protocol Architecture", RFC 4251, January 2006.

   [RFC4271]  Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
              Protocol 4 (BGP-4)", RFC 4271, January 2006.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, "Internet Control
              Message Protocol (ICMPv6) for the Internet Protocol
              Version 6 (IPv6) Specification", RFC 4443, March 2006.

   [RFC4609]  Savola, P., Lehtonen, R., and D. Meyer, "Protocol
              Independent Multicast - Sparse Mode (PIM-SM) Multicast
              Routing Security Issues and Enhancements", RFC 4609,
              October 2006.

   [RFC4987]  Eddy, W., "TCP SYN Flooding Attacks and Common
              Mitigations", RFC 4987, August 2007.

   [RFC5340]  Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF
              for IPv6", RFC 5340, July 2008.

   [RFC5837]  Atlas, A., Bonica, R., Pignataro, C., Shen, N., and JR.
              Rivers, "Extending ICMP for Interface and Next-Hop
              Identification", RFC 5837, April 2010.

   [RFC6192]  Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
              Router Control Plane", RFC 6192, March 2011.

   [RFC6724]  Thaler, D., Draves, R., Matsumoto, A., and T. Chown,
              "Default Address Selection for Internet Protocol Version 6
              (IPv6)", RFC 6724, September 2012.

   [RFC6752]  Kirkham, A., "Issues with Private IP Addressing in the
              Internet", RFC 6752, September 2012.

   [RFC6860]  Yang, Y., Retana, A., and A. Roy, "Hiding Transit-Only
              Networks in OSPF", RFC 6860, January 2013.

Authors' Addresses

   Michael Behringer
   Cisco
   Building D, 45 Allee des Ormes
   Mougins,
   Mougins  06250
   France

   Email: mbehring@cisco.com

   Eric Vyncke
   Cisco
   De Kleetlaan, 6A
   Diegem,
   Diegem  1831
   Belgium

   Email: evyncke@cisco.com