| draft-ietf-opsec-lla-only-05.txt | draft-ietf-opsec-lla-only-06.txt | |||
|---|---|---|---|---|
| OPsec Working Group M. Behringer | OPsec Working Group M. Behringer | |||
| Internet-Draft E. Vyncke | Internet-Draft E. Vyncke | |||
| Intended status: Informational Cisco | Intended status: Informational Cisco | |||
| Expires: June 5, 2014 December 2, 2013 | Expires: July 10, 2014 January 6, 2014 | |||
| Using Only Link-Local Addressing Inside an IPv6 Network | Using Only Link-Local Addressing Inside an IPv6 Network | |||
| draft-ietf-opsec-lla-only-05 | draft-ietf-opsec-lla-only-06 | |||
| Abstract | Abstract | |||
| In an IPv6 network it is possible to use only link-local addresses on | In an IPv6 network it is possible to use only link-local addresses on | |||
| infrastructure links between routers. This document discusses the | infrastructure links between routers. This document discusses the | |||
| advantages and disadvantages of this approach to help the decision | advantages and disadvantages of this approach to help the decision | |||
| process for a given network. | process for a given network. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 33 | skipping to change at page 1, line 33 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 5, 2014. | This Internet-Draft will expire on July 10, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Using Link-Local Address on Infrastructure Links . . . . . . 2 | 2. Using Link-Local Address on Infrastructure Links . . . . . . 2 | |||
| 2.1. The Approach . . . . . . . . . . . . . . . . . . . . . . 2 | 2.1. The Approach . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . 4 | 2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.3. Caveats . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.3. Caveats . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.4. Internet Exchange Points . . . . . . . . . . . . . . . . 6 | 2.4. Internet Exchange Points . . . . . . . . . . . . . . . . 6 | |||
| 2.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 2.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 3. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 | 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. Informative References . . . . . . . . . . . . . . . . . . . 8 | 6. Informative References . . . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| An infrastructure link between a set of routers typically does not | An infrastructure link between a set of routers typically does not | |||
| require global or unique local addresses [RFC4193]. Using only link- | require global or unique local addresses [RFC4193]. Using only link- | |||
| local addressing on such links has a number of advantages. For | local addressing on such links has a number of advantages. For | |||
| example, that routing tables do not need to carry link addressing, | example, that routing tables do not need to carry link addressing, | |||
| and can therefore be significantly smaller. This helps to decrease | and can therefore be significantly smaller. This helps to decrease | |||
| skipping to change at page 7, line 25 | skipping to change at page 7, line 25 | |||
| the service provider would have to employ other methods of traffic | the service provider would have to employ other methods of traffic | |||
| engineering. | engineering. | |||
| If an Internet Exchange Point is using a global prefix registered for | If an Internet Exchange Point is using a global prefix registered for | |||
| this purpose, a traceroute will indicate whether the trace crosses an | this purpose, a traceroute will indicate whether the trace crosses an | |||
| IXP rather than a private interconnect. If link local addressing is | IXP rather than a private interconnect. If link local addressing is | |||
| used instead, a traceroute will not provide this distinction. | used instead, a traceroute will not provide this distinction. | |||
| 2.5. Summary | 2.5. Summary | |||
| Using link-local addressing only on infrastructure links has a number | Using exclusively link-local addressing on infrastructure links has a | |||
| of advantages, such as a smaller routing table size and a reduced | number of advantages and disadvantages, which are both described in | |||
| attack surface. It also simplifies router configurations. However, | detail in this document. A network operator can use this document to | |||
| the way certain network management tasks are carried out today has to | evaluate whether using link-local addressing on infrastructure links | |||
| be adapted to provide the same level of detail, for example interface | is a good idea in the context of his/her network or not. This | |||
| identifiers in traceroute. | document makes no particular recommendation either in favour or | |||
| against. | ||||
| 3. Security Considerations | 3. Security Considerations | |||
| Using LLAs only on infrastructure links reduces the attack surface of | Using LLAs only on infrastructure links reduces the attack surface of | |||
| a router: loopback interfaces with routed addresses are still | a router: loopback interfaces with routed addresses are still | |||
| reachable and must be secured, but infrastructure links can only be | reachable and must be secured, but infrastructure links can only be | |||
| attacked from the local link. This simplifies security of control | attacked from the local link. This simplifies security of control | |||
| and management planes. The approach does not impact the security of | and management planes. The approach does not impact the security of | |||
| the data plane. The link-local-only approach does not address | the data plane. The link-local-only approach does not address | |||
| control plane [RFC6192] attacks generated by data plane packets (such | control plane [RFC6192] attacks generated by data plane packets (such | |||
| End of changes. 7 change blocks. | ||||
| 12 lines changed or deleted | 13 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||