draft-ietf-opsec-lla-only-05.txt   draft-ietf-opsec-lla-only-06.txt 
OPsec Working Group M. Behringer OPsec Working Group M. Behringer
Internet-Draft E. Vyncke Internet-Draft E. Vyncke
Intended status: Informational Cisco Intended status: Informational Cisco
Expires: June 5, 2014 December 2, 2013 Expires: July 10, 2014 January 6, 2014
Using Only Link-Local Addressing Inside an IPv6 Network Using Only Link-Local Addressing Inside an IPv6 Network
draft-ietf-opsec-lla-only-05 draft-ietf-opsec-lla-only-06
Abstract Abstract
In an IPv6 network it is possible to use only link-local addresses on In an IPv6 network it is possible to use only link-local addresses on
infrastructure links between routers. This document discusses the infrastructure links between routers. This document discusses the
advantages and disadvantages of this approach to help the decision advantages and disadvantages of this approach to help the decision
process for a given network. process for a given network.
Status of This Memo Status of This Memo
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 5, 2014. This Internet-Draft will expire on July 10, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Using Link-Local Address on Infrastructure Links . . . . . . 2 2. Using Link-Local Address on Infrastructure Links . . . . . . 2
2.1. The Approach . . . . . . . . . . . . . . . . . . . . . . 2 2.1. The Approach . . . . . . . . . . . . . . . . . . . . . . 2
2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . 3
2.3. Caveats . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3. Caveats . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.4. Internet Exchange Points . . . . . . . . . . . . . . . . 6 2.4. Internet Exchange Points . . . . . . . . . . . . . . . . 6
2.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 7
3. Security Considerations . . . . . . . . . . . . . . . . . . . 7 3. Security Considerations . . . . . . . . . . . . . . . . . . . 7
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
6. Informative References . . . . . . . . . . . . . . . . . . . 8 6. Informative References . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction 1. Introduction
An infrastructure link between a set of routers typically does not An infrastructure link between a set of routers typically does not
require global or unique local addresses [RFC4193]. Using only link- require global or unique local addresses [RFC4193]. Using only link-
local addressing on such links has a number of advantages. For local addressing on such links has a number of advantages. For
example, that routing tables do not need to carry link addressing, example, that routing tables do not need to carry link addressing,
and can therefore be significantly smaller. This helps to decrease and can therefore be significantly smaller. This helps to decrease
skipping to change at page 7, line 25 skipping to change at page 7, line 25
the service provider would have to employ other methods of traffic the service provider would have to employ other methods of traffic
engineering. engineering.
If an Internet Exchange Point is using a global prefix registered for If an Internet Exchange Point is using a global prefix registered for
this purpose, a traceroute will indicate whether the trace crosses an this purpose, a traceroute will indicate whether the trace crosses an
IXP rather than a private interconnect. If link local addressing is IXP rather than a private interconnect. If link local addressing is
used instead, a traceroute will not provide this distinction. used instead, a traceroute will not provide this distinction.
2.5. Summary 2.5. Summary
Using link-local addressing only on infrastructure links has a number Using exclusively link-local addressing on infrastructure links has a
of advantages, such as a smaller routing table size and a reduced number of advantages and disadvantages, which are both described in
attack surface. It also simplifies router configurations. However, detail in this document. A network operator can use this document to
the way certain network management tasks are carried out today has to evaluate whether using link-local addressing on infrastructure links
be adapted to provide the same level of detail, for example interface is a good idea in the context of his/her network or not. This
identifiers in traceroute. document makes no particular recommendation either in favour or
against.
3. Security Considerations 3. Security Considerations
Using LLAs only on infrastructure links reduces the attack surface of Using LLAs only on infrastructure links reduces the attack surface of
a router: loopback interfaces with routed addresses are still a router: loopback interfaces with routed addresses are still
reachable and must be secured, but infrastructure links can only be reachable and must be secured, but infrastructure links can only be
attacked from the local link. This simplifies security of control attacked from the local link. This simplifies security of control
and management planes. The approach does not impact the security of and management planes. The approach does not impact the security of
the data plane. The link-local-only approach does not address the data plane. The link-local-only approach does not address
control plane [RFC6192] attacks generated by data plane packets (such control plane [RFC6192] attacks generated by data plane packets (such
 End of changes. 7 change blocks. 
12 lines changed or deleted 13 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/