draft-ietf-opsec-lla-only-11.txt   rfc7404.txt 
OPsec Working Group M. Behringer Internet Engineering Task Force (IETF) M. Behringer
Internet-Draft E. Vyncke Request for Comments: 7404 E. Vyncke
Intended status: Informational Cisco Category: Informational Cisco
Expires: March 29, 2015 September 25, 2014 ISSN: 2070-1721 November 2014
Using Only Link-Local Addressing Inside an IPv6 Network Using Only Link-Local Addressing inside an IPv6 Network
draft-ietf-opsec-lla-only-11
Abstract Abstract
In an IPv6 network it is possible to use only link-local addresses on In an IPv6 network, it is possible to use only link-local addresses
infrastructure links between routers. This document discusses the on infrastructure links between routers. This document discusses the
advantages and disadvantages of this approach to help the decision advantages and disadvantages of this approach to facilitate the
process for a given network. decision process for a given network.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
This Internet-Draft will expire on March 29, 2015. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7404.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Using Link-Local Addressing on Infrastructure Links . . . . . 2 2. Using Link-Local Addressing on Infrastructure Links . . . . . 2
2.1. The Approach . . . . . . . . . . . . . . . . . . . . . . 3 2.1. The Approach . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . 4
2.3. Caveats . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3. Caveats . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.4. Internet Exchange Points . . . . . . . . . . . . . . . . 6 2.4. Internet Exchange Points . . . . . . . . . . . . . . . . 6
2.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 7
3. Security Considerations . . . . . . . . . . . . . . . . . . . 7 3. Security Considerations . . . . . . . . . . . . . . . . . . . 8
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 4. Informative References . . . . . . . . . . . . . . . . . . . 8
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 10
6. Informative References . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
An infrastructure link between a set of routers typically does not An infrastructure link between a set of routers typically does not
require global or unique local addresses [RFC4193]. Using only link- require global or unique local addresses [RFC4193]. Using only link-
local addressing on such links has a number of advantages. For local addressing on such links has a number of advantages; for
example, that routing tables do not need to carry link addressing, example, routing tables do not need to carry link addressing and can
and can therefore be significantly smaller. This helps to decrease therefore be significantly smaller. This helps to decrease failover
failover times in certain routing convergence events. An interface times in certain routing convergence events. An interface of a
of a router is also not reachable beyond the link boundaries, router is also not reachable beyond the link boundaries, therefore
therefore reducing the attack surface. reducing the attack surface.
This document discusses the advantages and caveats of this approach. This document discusses the advantages and caveats of this approach.
Note that some traditionally used techniques to operate a network Note that some traditional techniques used to operate a network, such
such as pinging interfaces, or seeing interface information in a as pinging interfaces or seeing interface information in a
traceroute do not work with this approach. Details are discussed traceroute, do not work with this approach. Details are discussed
below. below.
During WG and IETF last call the technical correctness of the During WG and IETF last call, the technical correctness of the
document has been reviewed, however debate exists as to whether to document was reviewed; however, debate exists as to whether to
recommend this technique. The deployment of this technique is recommend this technique. The deployment of this technique is
appropriate where it is found to be necessary. appropriate where it is found to be necessary.
2. Using Link-Local Addressing on Infrastructure Links 2. Using Link-Local Addressing on Infrastructure Links
This document discusses the approach of using only link-local This document discusses the approach of using only link-local
addresses (LLA) on all router interfaces on infrastructure links. addresses (LLAs) on all router interfaces on infrastructure links.
Routers don't typically need to receive packets from hosts or nodes Routers don't typically need to receive packets from hosts or nodes
outside the network. For a network operator, there may be reasons to outside the network. For a network operator, there may be reasons to
use greater than link-local scope addresses on infrastructure use addresses that are greater than link-local scope on
interfaces for certain operational tasks, such as pings to an infrastructure interfaces for certain operational tasks, such as
interface or traceroutes across the network. This document discusses pings to an interface or traceroutes across the network. This
such cases and proposes alternative procedures. document discusses such cases and proposes alternative procedures.
2.1. The Approach 2.1. The Approach
In this approach neither globally routed IPv6 addresses nor unique In this approach, neither globally routed IPv6 addresses nor unique
local addresses are configured on infrastructure links. In the local addresses are configured on infrastructure links. In the
absence of specific global or unique local address definitions, the absence of specific global or unique local address definitions, the
default behavior of routers is to use link-local addresses notably default behavior of routers is to use link-local addresses, notably
for routing protocols. for routing protocols.
The sending of ICMPv6 [RFC4443] error messages (packet-too-big, time- The sending of ICMPv6 [RFC4443] error messages ("packet-too-big",
exceeded...) is required for routers. Therefore, another interface "time-exceeded", etc.) is required for routers. Therefore, another
must be configured with an IPv6 address with a greater scope than interface must be configured with an IPv6 address that has a greater
link-local. This address will usually be a loopback interface with a scope than link-local. This address will usually be a loopback
global scope address belonging to the operator and part of an interface with a global scope address belonging to the operator and
announced prefix (with a suitable prefix length) to avoid being part of an announced prefix (with a suitable prefix length) to avoid
dropped by other routers implementing [RFC3704]. This is being dropped by other routers implementing ingress filtering
implementation dependent. For the remainder of this document we will [RFC3704]. This is implementation dependent. For the remainder of
refer to this interface as a "loopback interface". this document, we will refer to this interface as a "loopback
interface".
[RFC6724] recommends that greater than link-local scope IPv6 [RFC6724] recommends that IPv6 addresses that are greater than link-
addresses are used as the source IPv6 address for all generated local scope be used as the source IPv6 address for all generated
ICMPv6 messages sent to a non-link-local address, with the exception ICMPv6 messages sent to a non-link-local address, with the exception
of ICMPv6 redirect messages, as defined in [RFC4861] section 4.5. of ICMPv6 redirect messages (as defined in Section 4.5 of [RFC4861]).
The effect on specific traffic types is as follows: The effect on specific traffic types is as follows:
o Most control plane protocols, such as BGP [RFC4271], ISIS [IS-IS], o Most control plane protocols (such as BGP [RFC4271], IS-IS
OSPFv3 [RFC5340], RIPng [RFC2080], PIM [RFC4609] work by default [IS-IS], OSPFv3 [RFC5340], Routing Information Protocol Next
Generation (RIPng) [RFC2080], and PIM [RFC4609]) work by default
or can be configured to work with link-local addresses. or can be configured to work with link-local addresses.
Exceptions are explained in the caveats section (Section 2.3). Exceptions are explained in the caveats section (Section 2.3).
o Management plane traffic, such as SSH [RFC4251], Telnet [RFC0495], o Management plane traffic (such as Secure SHell (SSH) Protocol
SNMP [RFC1157], and ICMPv6 echo request [RFC4443], can use the [RFC4251], Telnet [RFC0495], Simple Network Management Protocol
(SNMP) [RFC1157], and ICMPv6 Echo Request [RFC4443]) can use the
address of the router loopback interface as the destination address of the router loopback interface as the destination
address. Router management can also be done over out-of-band address. Router management can also be done over out-of-band
channels. channels.
o ICMP error messages are usually sourced from a loopback interface o ICMP error messages are usually sourced from a loopback interface
with a greater than link-local address scope. [RFC4861] section with a scope that is greater than link-local. Section 4.5 of
4.5 explains one exception: ICMP redirect messages can also be [RFC4861] explains one exception: ICMP redirect messages can also
sourced from a link-local address. be sourced from a link-local address.
o Data plane traffic is forwarded independently of the link address o Data plane traffic is forwarded independently of the link address
type. type.
o Neighbor discovery (neighbor solicitation and neighbor o Neighbor discovery (neighbor solicitation and neighbor
advertisement) is done by using link-local unicast and multicast advertisement) is done by using link-local unicast and multicast
addresses. Therefore neighbor discovery is not affected. addresses. Therefore, neighbor discovery is not affected.
We therefore conclude that it is possible to construct a working Thus, we conclude that it is possible to construct a working network
network in this way. in this way.
2.2. Advantages 2.2. Advantages
The following list of advantages is in no particular order. The following list of advantages is in no particular order.
Smaller routing tables: Since the routing protocol only needs to Smaller routing tables: Since the routing protocol only needs to
carry one global address (the loopback interface) per router, it is carry one global address (the loopback interface) per router, it is
smaller than the traditional approach where every infrastructure link smaller than the traditional approach where every infrastructure link
address is carried in the routing protocol. This reduces memory address is carried in the routing protocol. This reduces memory
consumption, and increases the convergence speed in some routing consumption and increases the convergence speed in some routing
failover cases. Because the Forwarding Information Base to be failover cases. Because the Forwarding Information Base to be
downloaded to line cards is smaller and there are fewer prefixes in downloaded to line cards is smaller, and there are fewer prefixes in
the Routing Information Base, the routing algorithm is accelerated. the Routing Information Base, the routing algorithm is accelerated.
Note: smaller routing tables can also be achieved by putting Note that smaller routing tables can also be achieved by putting
interfaces in passive mode for the Interior Gateway Protocol (IGP). interfaces in passive mode for the Interior Gateway Protocol (IGP).
Simpler address management: Only loopback interface addresses need to Simpler address management: Only loopback interface addresses need to
be considered in an addressing plan. This also allows for easier be considered in an addressing plan. This also allows for easier
renumbering. renumbering.
Lower configuration complexity: link-local addresses require no Lower configuration complexity: Link-local addresses require no
specific configuration, thereby lowering the complexity and size of specific configuration, thereby lowering the complexity and size of
router configurations. This also reduces the likelihood of router configurations. This also reduces the likelihood of
configuration mistakes. configuration mistakes.
Simpler DNS: Less routable address space in use also means less Simpler DNS: Less routable address space in use also means less
reverse and forward mapping DNS resource records to maintain. Of reverse and forward mapping DNS resource records to maintain. Of
course, if the operator selects not to enter any global interface course, if the operator selects not to enter any global interface
addresses in the DNS anyway, then this is less of an advantage. addresses in the DNS anyway, then this is less of an advantage.
Reduced attack surface: Every routable address on a router Reduced attack surface: Every routable address on a router
constitutes a potential attack point: a remote attacker can send constitutes a potential attack point; a remote attacker can send
traffic to that address, for example a TCP SYN flood (see [RFC4987]). traffic to that address, for example, a TCP SYN flood (see
If a network only uses the addresses of the router loopback [RFC4987]). If a network only uses the addresses of the router
interface(s), only those addresses need to be protected from outside loopback interface(s), only those addresses need to be protected from
the network. This may ease protection measures, such as outside the network. This may ease protection measures, such as
infrastructure access control lists (iACL). Without using link-local Infrastructure Access Control Lists (iACL). Without using link-local
addresses, it is still possible to achieve the simple iACL if the addresses, it is still possible to achieve the simple iACL if the
network addressing scheme is set up such that all link and loopback network addressing scheme is set up such that all link and loopback
interfaces have greater than link-local addresses and are interfaces have addresses that are greater than link-local and are
aggregatable, and if the infrastructure access list covers that aggregatable, and if the infrastructure access list covers that
entire aggregated space. See also [RFC6752] for further discussion entire aggregated space. See also [RFC6752] for further discussion
on this topic. [RFC6860] describes another approach to hide on this topic. [RFC6860] describes another approach to hide
addressing on infrastructure links for OSPFv2 and OSPFv3, by addressing on infrastructure links for OSPFv2 and OSPFv3 by modifying
modifying the existing protocols. This document does not modify any the existing protocols. This document does not modify any protocol
protocol, however it works only for IPv6. and applies only to IPv6.
2.3. Caveats 2.3. Caveats
The caveats listed in this section are in no particular order. The caveats listed in this section are in no particular order.
Interface ping: if an interface doesn't have a routable address, it Interface ping: If an interface doesn't have a routable address, it
can only be pinged from a node on the same link. Therefore, it is can only be pinged from a node on the same link. Therefore, it is
not possible to ping a specific link interface remotely. A possible not possible to ping a specific link interface remotely. A possible
workaround is to ping the loopback address of a router instead. In workaround is to ping the loopback address of a router instead. In
most cases today, it is not possible to see which link the packet was most cases today, it is not possible to see which link the packet was
received on; however, [RFC5837] suggests including the interface received on; however, [RFC5837] suggests including the interface
identifier of the interface a packet was received on in the ICMPv6 identifier of the interface a packet was received on in the ICMPv6
response; it must be noted that there are few implementations of this response. It must be noted that there are few implementations of
ICMPv6 extension. With this approach it would be possible to ping a this ICMPv6 extension. With this approach, it would be possible to
router on the addresses of loopback interfaces, yet see which ping a router on the addresses of loopback interfaces, yet see which
interface the packet was received on. To check liveliness of a interface the packet was received on. To check liveliness of a
specific interface, it may be necessary to use other methods, such as specific interface, it may be necessary to use other methods, such as
connecting to the router via SSH and checking locally or using SNMP. connecting to the router via SSH and checking locally or using SNMP.
Traceroute: similar to the ping case, a reply to a traceroute packet Traceroute: Similar to the ping case, a reply to a traceroute packet
would come from the address of a loopback interface, and current would come from the address of a loopback interface, and current
implementations do not display the specific interface the packets implementations do not display the specific interface the packets
came in on. Also here, [RFC5837] provides a solution. As in the came in on. Again, [RFC5837] provides a solution. As in the ping
ping case above, it is not possible to traceroute to a particular case above, it is not possible to traceroute to a particular
interface if it only has a link-local address. Conversely, this interface if it only has a link-local address. Conversely, this
approach may make network topology discovery from outside the network approach may make network topology discovery from outside the network
simpler; because instead of responding with multiple different simpler: instead of responding with multiple different interface IP
interface IP addresses, which have to be correlated by the outsider, addresses, which have to be correlated by the outsider, a router will
a router will always respond with the same loopback address. If always respond with the same loopback address. If reverse DNS
reverse DNS mapping is used, the mapping is trivial in either case. mapping is used, the mapping is trivial in either case.
Hardware dependency: LLAs have usually been EUI-64 based, hence, they Hardware dependency: LLAs have usually been based on 64-bit Extended
change when the MAC address is changed. This could pose problem in a Unique Identifiers (EUI-64); hence, they change when the Message
case where the routing neighbor must be configured explicitly (e.g. Authentication Code (MAC) address is changed. This could pose a
BGP) and a line card needs to be physically replaced hence changing problem in a case where the routing neighbor must be configured
the EUI-64 LLA and breaking the routing neighborship. LLAs can be explicitly (e.g., BGP) and a line card needs to be physically
statically configured such as fe80::1 and fe80::2 which can be used replaced, hence changing the EUI-64 LLA and breaking the routing
to configure any required static routing neighborship. However, this neighborship. LLAs can be statically configured, such as fe80::1 and
static LLA configuration may be more complex to operate than fe80::2, which can be used to configure any required static routing
statically configured greater than link-local scope addresses, neighborship. However, this static LLA configuration may be more
because LLAs are inherently ambiguous for a multi-link node such as a complex to operate than statically configured addresses that are
router; to deal with the ambiguity, the link zone index must also be greater than link-local scope. This is because LLAs are inherently
considered explicitly, e.g., using the extended textual notation ambiguous. For a multi-link node, such as a router, to deal with the
described in [RFC4007] as in this example: 'BGP neighbor fe80::1%eth0 ambiguity, the link zone index must also be considered explicitly,
is down'. e.g., using the extended textual notation described in [RFC4007], as
in this example, 'BGP neighbor fe80::1%eth0 is down'.
Network Management System (NMS) toolkits: if there is any NMS tool Network Management System (NMS) toolkits: If there is any NMS tool
that makes use of interface IP address of a router to carry out any that makes use of an interface IP address of a router to carry out
of its NMS functions, then it would no longer work if the interface any of its NMS functions, then it would no longer work if the
does not have a routable address. A possible workaround for such interface does not have a routable address. A possible workaround
tools is to use the routable address of the router loopback interface for such tools is to use the routable address of the router loopback
instead. Most vendor implementations allow the specification of interface instead. Most vendor implementations allow the
loopback interface addresses for SYSLOG, IPfix, and SNMP. The specification of loopback interface addresses for SYSLOG, IPFIX, and
protocol LLDP (IEEE 802.1AB-2009) runs directly over Ethernet and SNMP. The Link Layer Discovery Protocol (LLDP) (IEEE 802.1AB-2009)
does not require any IPv6 address, so dynamic network discovery is runs directly over Ethernet and does not require any IPv6 address, so
not hindered when using LLDP. But, network discovery based on NDP dynamic network discovery is not hindered by using only LLA when
cache content will only display the link-local addresses and not the using LLDP. But, network discovery based on Neighbor Discovery
addresses of the loopback interfaces; therefore, network discovery Protocol (NDP) cache content will only display the link-local
should rather be based on the Route Information Base to detect addresses and not the addresses of the loopback interfaces;
adjacent nodes. therefore, network discovery should rather be based on the Route
Information Base to detect adjacent nodes.
MPLS and RSVP-TE [RFC3209] allow establishing an MPLS LSP on a path MPLS and RSVP-Traffic Engineering (RSVP-TE) [RFC3209] allow the
that is explicitly identified by a strict sequence of IP prefixes or establishment of an MPLS Label Switched Path (LSP) on a path that is
explicitly identified by a strict sequence of IP prefixes or
addresses (each pertaining to an interface or a router on the path). addresses (each pertaining to an interface or a router on the path).
This is commonly used for Fast Re-Route (FRR). However, if an This is commonly used for Fast Reroute (FRR). However, if an
interface uses only a link-local address, then such LSPs cannot be interface uses only a link-local address, then such LSPs cannot be
established. At the time of writing this document, there is no established. At the time of writing this document, there is no
workaround for this case; therefore, where RSVP-TE is being used, the workaround for this case; therefore, where RSVP-TE is being used, the
approach described in this document does not work. approach described in this document does not work.
2.4. Internet Exchange Points 2.4. Internet Exchange Points
Internet Exchange Points (IXPs) have a special importance in the Internet Exchange Points (IXPs) have a special importance in the
global Internet, because they connect a high number of networks in a global Internet because they connect a high number of networks in a
single location, and because a significant part of Internet traffic single location and because a significant part of Internet traffic
passes through at least one IXP. An IXP requires therefore a very passes through at least one IXP. An IXP requires, therefore, a very
high level of security. The address space used on an IXP is high level of security. The address space used on an IXP is
generally known, as it is registered in the global Internet Route generally known, as it is registered in the global Internet Route
Registry, or it is easily discoverable through traceroute. The IXP Registry, or it is easily discoverable through traceroute. The IXP
prefix is especially critical, because practically all addresses on prefix is especially critical because practically all addresses on
this prefix are critical systems in the Internet. this prefix are critical systems in the Internet.
Apart from general device security guidelines, there are generally Apart from general device security guidelines, there are basically
two additional ways to raise security (see also two additional ways to raise security (see also [BGP-OPSEC]):
[I-D.ietf-opsec-bgp-security]):
1. Not to announce the prefix in question, and 1. Not to announce the prefix in question, and
2. To drop all traffic from remote locations destined to the IXP 2. To drop all traffic from remote locations destined to the IXP
prefixes. prefixes.
Not announcing the prefix of the IXP would frequently result in Not announcing the prefix of the IXP would frequently result in
traceroute and similar packets (required for PMTUD) to be dropped due traceroute and similar packets (required for Path MTU Discovery
to unicast Reverse Path Forwarding (uRPF) checks. Given that PMTUD (PMTUD)) being dropped due to unicast Reverse Path Forwarding (uRPF)
is critical, this is generally not acceptable. Dropping all external checks. Given that PMTUD is critical, this is generally not
traffic to the IXP prefix is hard to implement, because if only one acceptable. Dropping all external traffic to the IXP prefix is hard
service provider connected to an IXP does not filter correctly, then to implement because if only one service provider connected to an IXP
all IXP routers are reachable from at least that service provider does not filter correctly, then all IXP routers are reachable from at
network. least that service provider network.
As the prefix used in the IXP is usually longer than a /48, it is As the prefix used in the IXP is usually longer than a /48, it is
frequently dropped by route filters on the Internet having the same frequently dropped by route filters on the Internet having the same
net effect as not announcing the prefix. net effect as not announcing the prefix.
Using link-local addresses on the IXP may help in this scenario. In Using link-local addresses on the IXP may help in this scenario. In
this case, the generated ICMPv6 packets would be generated from this case, the generated ICMPv6 packets would be generated from
loopback interfaces or from any other interface with a globally loopback interfaces or from any other interface with a globally
routable address without any configuration. However in this case, routable address without any configuration. However, in this case,
each service provider would use his own address space, making a each service provider would use their own address space, making a
generic attack against all devices on the IXP harder. All of an generic attack against all devices on the IXP harder. All of an
IXP's loopback interface addresses can be discovered by a potential IXP's loopback interface addresses can be discovered by a potential
attacker with a simple traceroute; a generic attack is therefore attacker with a simple traceroute; a generic attack is, therefore,
still possible, but it would require more work. still possible, but it would require more work.
In some cases service providers carry the IXP addresses in their IGP In some cases, service providers carry the IXP addresses in their IGP
for certain forms of traffic engineering across multiple exit points. for certain forms of traffic engineering across multiple exit points.
Link-local addresses cannot be used for this purpose; in this case, Link-local addresses cannot be used for this purpose; in this case,
the service provider would have to employ other methods of traffic the service provider would have to employ other methods of traffic
engineering. engineering.
If an Internet Exchange Point is using a global prefix registered for If an Internet Exchange Point is using a global prefix registered for
this purpose, a traceroute will indicate whether the trace crosses an this purpose, a traceroute will indicate whether the trace crosses an
IXP rather than a private interconnect. If link local addressing is IXP rather than a private interconnect. If link-local addressing is
used instead, a traceroute will not provide this distinction. used instead, a traceroute will not provide this distinction.
2.5. Summary 2.5. Summary
Using exclusively link-local addressing on infrastructure links has a Exclusively using link-local addressing on infrastructure links has a
number of advantages and disadvantages, which are both described in number of advantages and disadvantages, both of which are described
detail in this document. A network operator can use this document to in detail in this document. A network operator can use this document
evaluate whether using link-local addressing on infrastructure links to evaluate whether or not using link-local addressing on
is a good idea in the context of his/her network or not. This infrastructure links is a good idea in the context of his/her
document makes no particular recommendation either in favour or network. This document makes no particular recommendation either in
against. favor or against.
3. Security Considerations 3. Security Considerations
Using only LLAs on infrastructure links reduces the attack surface of Using only LLAs on infrastructure links reduces the attack surface of
a router: loopback interfaces with routed addresses are still a router. Loopback interfaces with routed addresses are still
reachable and must be secured, but infrastructure links can only be reachable and must be secured, but infrastructure links can only be
attacked from the local link. This simplifies security of control attacked from the local link. This simplifies security of control
and management planes. The approach does not impact the security of and management planes. The approach does not impact the security of
the data plane. The link-local-only approach does not address the data plane. The link-local-only approach does not address
control plane [RFC6192] attacks generated by data plane packets (such control plane [RFC6192] attacks generated by data plane packets (such
as hop-limit expiration or packets containing a hop-by-hop extension as hop-limit expiration or packets containing a hop-by-hop extension
header). header).
For additional security considerations, as previously stated, see For additional security considerations, as previously stated, see
also [RFC5837] and [I-D.ietf-opsec-bgp-security]. also [RFC5837] and [BGP-OPSEC].
4. IANA Considerations
There are no IANA considerations or implications that arise from this
document.
5. Acknowledgements
The authors would like to thank Salman Asadullah, Brian Carpenter,
Bill Cerveny, Benoit Claise, Rama Darbha, Simon Eng, Wes George,
Fernando Gont, Jen Linkova, Harald Michl, Janos Mohacsi, Ivan
Pepelnjak, Alvaro Retana, Jinmei Tatuya and Peter Yee for their
useful comments about this work.
6. Informative References 4. Informative References
[I-D.ietf-opsec-bgp-security] [BGP-OPSEC]
Durand, J., Pepelnjak, I., and G. Doering, "BGP operations Durand, J., Pepelnjak, I., and G. Doering, "BGP operations
and security", draft-ietf-opsec-bgp-security-05 (work in and security", Work in Progress, draft-ietf-opsec-bgp-
progress), August 2014. security-05, August 2014.
[IS-IS] ISO/IEC 10589, , "Intermediate System to Intermediate [IS-IS] International Organization for Standardization,
System Intra-Domain Routing Exchange Protocol for use in "Intermediate System to Intermediate System intra-domain
Conjunction with the Protocol for Providing the routeing information exchange protocol for use in
Connectionless-mode Network Service (ISO 8473)", June conjunction with the protocol for providing the
1992. connectionless-mode network service (ISO 8473)", ISO
Standard 10589, 2002.
[RFC0495] McKenzie, A., "Telnet Protocol specifications", RFC 495, [RFC0495] McKenzie, A., "Telnet Protocol specifications", RFC 495,
May 1973. May 1973, <http://www.rfc-editor.org/info/rfc0495>.
[RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin,
"Simple Network Management Protocol (SNMP)", STD 15, RFC "Simple Network Management Protocol (SNMP)", STD 15, RFC
1157, May 1990. 1157, May 1990, <http://www.rfc-editor.org/info/rfc1157>.
[RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080, [RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080,
January 1997. January 1997, <http://www.rfc-editor.org/info/rfc2080>.
[RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V.,
and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP
Tunnels", RFC 3209, December 2001. Tunnels", RFC 3209, December 2001,
<http://www.rfc-editor.org/info/rfc3209>.
[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
Networks", BCP 84, RFC 3704, March 2004. Networks", BCP 84, RFC 3704, March 2004,
<http://www.rfc-editor.org/info/rfc3704>.
[RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and [RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and
B. Zill, "IPv6 Scoped Address Architecture", RFC 4007, B. Zill, "IPv6 Scoped Address Architecture", RFC 4007,
March 2005. March 2005, <http://www.rfc-editor.org/info/rfc4007>.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005. Addresses", RFC 4193, October 2005,
<http://www.rfc-editor.org/info/rfc4193>.
[RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Protocol Architecture", RFC 4251, January 2006. Protocol Architecture", RFC 4251, January 2006,
<http://www.rfc-editor.org/info/rfc4251>.
[RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
Protocol 4 (BGP-4)", RFC 4271, January 2006. Protocol 4 (BGP-4)", RFC 4271, January 2006,
<http://www.rfc-editor.org/info/rfc4271>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control
Message Protocol (ICMPv6) for the Internet Protocol Message Protocol (ICMPv6) for the Internet Protocol
Version 6 (IPv6) Specification", RFC 4443, March 2006. Version 6 (IPv6) Specification", RFC 4443, March 2006,
<http://www.rfc-editor.org/info/rfc4443>.
[RFC4609] Savola, P., Lehtonen, R., and D. Meyer, "Protocol [RFC4609] Savola, P., Lehtonen, R., and D. Meyer, "Protocol
Independent Multicast - Sparse Mode (PIM-SM) Multicast Independent Multicast - Sparse Mode (PIM-SM) Multicast
Routing Security Issues and Enhancements", RFC 4609, Routing Security Issues and Enhancements", RFC 4609,
October 2006. October 2006, <http://www.rfc-editor.org/info/rfc4609>.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007. September 2007, <http://rfc-editor.org/info/rfc4861>.
[RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common
Mitigations", RFC 4987, August 2007. Mitigations", RFC 4987, August 2007,
<http://www.rfc-editor.org/info/rfc4987>.
[RFC5340] Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF [RFC5340] Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF
for IPv6", RFC 5340, July 2008. for IPv6", RFC 5340, July 2008,
<http://www.rfc-editor.org/info/rfc5340>.
[RFC5837] Atlas, A., Bonica, R., Pignataro, C., Shen, N., and JR. [RFC5837] Atlas, A., Bonica, R., Pignataro, C., Shen, N., and JR.
Rivers, "Extending ICMP for Interface and Next-Hop Rivers, "Extending ICMP for Interface and Next-Hop
Identification", RFC 5837, April 2010. Identification", RFC 5837, April 2010,
<http://www.rfc-editor.org/info/rfc5837>.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, March 2011. Router Control Plane", RFC 6192, March 2011,
<http://www.rfc-editor.org/info/rfc6192>.
[RFC6724] Thaler, D., Draves, R., Matsumoto, A., and T. Chown, [RFC6724] Thaler, D., Draves, R., Matsumoto, A., and T. Chown,
"Default Address Selection for Internet Protocol Version 6 "Default Address Selection for Internet Protocol Version 6
(IPv6)", RFC 6724, September 2012. (IPv6)", RFC 6724, September 2012,
<http://www.rfc-editor.org/info/rfc6724>.
[RFC6752] Kirkham, A., "Issues with Private IP Addressing in the [RFC6752] Kirkham, A., "Issues with Private IP Addressing in the
Internet", RFC 6752, September 2012. Internet", RFC 6752, September 2012,
<http://www.rfc-editor.org/info/rfc6752>.
[RFC6860] Yang, Y., Retana, A., and A. Roy, "Hiding Transit-Only [RFC6860] Yang, Y., Retana, A., and A. Roy, "Hiding Transit-Only
Networks in OSPF", RFC 6860, January 2013. Networks in OSPF", RFC 6860, January 2013,
<http://www.rfc-editor.org/info/rfc6860>.
Acknowledgments
The authors would like to thank Salman Asadullah, Brian Carpenter,
Bill Cerveny, Benoit Claise, Rama Darbha, Simon Eng, Wes George,
Fernando Gont, Jen Linkova, Harald Michl, Janos Mohacsi, Ivan
Pepelnjak, Alvaro Retana, Jinmei Tatuya, and Peter Yee for their
useful comments about this work.
Authors' Addresses Authors' Addresses
Michael Behringer Michael Behringer
Cisco Cisco
Building D, 45 Allee des Ormes Building D, 45 Allee des Ormes
Mougins 06250 Mougins 06250
France France
Email: mbehring@cisco.com EMail: mbehring@cisco.com
Eric Vyncke Eric Vyncke
Cisco Cisco
De Kleetlaan, 6A De Kleetlaan, 6A
Diegem 1831 Diegem 1831
Belgium Belgium
Email: evyncke@cisco.com EMail: evyncke@cisco.com
 End of changes. 74 change blocks. 
192 lines changed or deleted 203 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/