One document matched: draft-ietf-opsec-lla-only-07.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC4271 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4271.xml">
<!ENTITY RFC5340 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5340.xml">
<!ENTITY RFC2080 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2080.xml">
<!ENTITY RFC4609 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4609.xml">
<!ENTITY RFC4251 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4251.xml">
<!ENTITY RFC1157 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1157.xml">
<!ENTITY RFC0495 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.0495.xml">
<!ENTITY RFC4987 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4987.xml">
<!ENTITY RFC6724 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6724.xml">
<!ENTITY RFC3209 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3209.xml">
<!ENTITY RFC3704 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3704.xml">
<!ENTITY RFC4193 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4193.xml">
<!ENTITY RFC4443 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4443.xml">
<!ENTITY RFC5837 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5837.xml">
<!ENTITY RFC6192 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6192.xml">
<!ENTITY RFC6752 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6752.xml">
<!ENTITY RFC6860 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6860.xml">
<!ENTITY RFC4861 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4861.xml">
<!ENTITY I-D.ietf-opsec-bgp-security PUBLIC "" "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-opsec-bgp-security.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="3"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<rfc category="info" docName="draft-ietf-opsec-lla-only-07" ipr="trust200902"
submissionType="IETF" xml:lang="en">
<front>
<title abbrev="Link-Local Only">Using Only Link-Local Addressing Inside an
IPv6 Network</title>
<author fullname="Michael Behringer" initials="M." surname="Behringer">
<organization>Cisco</organization>
<address>
<postal>
<street>Building D, 45 Allee des Ormes</street>
<city>Mougins</city>
<region/>
<code>06250</code>
<country>France</country>
</postal>
<email>mbehring@cisco.com</email>
</address>
</author>
<author fullname="Eric Vyncke" initials="E" surname="Vyncke">
<organization>Cisco</organization>
<address>
<postal>
<street>De Kleetlaan, 6A</street>
<city>Diegem</city>
<region/>
<code>1831</code>
<country>Belgium</country>
</postal>
<email>evyncke@cisco.com</email>
</address>
</author>
<date day="13" month="February" year="2014"/>
<!-- Meta-data Declarations -->
<area>Operations and Management</area>
<workgroup>OPsec Working Group</workgroup>
<!-- WG name at the upperleft corner of the doc,
IETF is fine for individual submissions.
If this element is not present, the default is "Network Working Group",
which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword>IPv6 security routing</keyword>
<keyword>Link-Local</keyword>
<keyword>Routing Protocol</keyword>
<keyword>Security</keyword>
<!-- Keywords will be incorporated into HTML output
files in a meta tag but they have no effect on text or nroff
output. If you submit your draft to the RFC Editor, the
keywords will be used for the search engine. -->
<abstract>
<t>In an IPv6 network it is possible to use only link-local addresses on
infrastructure links between routers. This document discusses the
advantages and disadvantages of this approach to help the decision
process for a given network.</t>
</abstract>
</front>
<middle>
<section anchor="Introduction" title="Introduction" toc="default">
<t>An infrastructure link between a set of routers typically does not
require global or unique local addresses
<xref target="RFC4193"/>.
Using only link-local addressing on such links has a
number of advantages. For example, that routing tables do not need to
carry link addressing, and can therefore be significantly smaller. This
helps to decrease failover times in certain routing convergence events.
An interface of a router is also not reachable beyond the link
boundaries, therefore reducing the attack horizon.</t>
<t>This document discusses the advantages and caveats of this
approach.</t>
</section>
<section anchor="using"
title="Using Link-Local Address on Infrastructure Links"
toc="default">
<t>This document discusses the approach of using only link-local
addresses (LLA) on all router interfaces on infrastructure links.
Routers don't typically need to receive packets from hosts or
nodes outside the network. For a network operator, there may be reasons
to use greater than link-local scope addresses on infrastructure
interfaces for certain operational tasks, such as pings to an
interface or traceroutes across the network. This document discusses
such cases and proposes alternative procedures.</t>
<section anchor="approach" title="The Approach" toc="default">
<t>In this approach neither globally routed IPv6 addresses nor unique
local addresses are
configured on infrastructure links. In the absence of specific global
or unique local address definitions, the default behavior of routers
is to use link-local addresses notably for routing protocols.</t>
<t>The sending of <xref target="RFC4443">ICMPv6</xref> error messages
(packet-too-big, time-exceeded...) is required for routers. Therefore,
another interface must be configured with an IPv6 address with a
greater scope than link-local. This address will usually be a loopback
interface with a global scope address belonging to the operator and
part of an announced prefix (with a suitable prefix length) to avoid
being dropped by other routers implementing <xref target="RFC3704"/>.
This is implementation dependent.
For the remainder of this document we will refer to this interface as
a "loopback interface". </t>
<t><xref target="RFC6724"/> recommends that greater
than link-local scope IPv6 addresses are used as the source IPv6
address for all generated ICMPv6 messages sent to a non link-local
address, with the exception of ICMPv6 redirect messages, as defined
in <xref target="RFC4861"/> section 4.5. </t>
<t>The effect on specific traffic types is as follows:<list
style="symbols">
<t>Most control plane protocols, such as BGP <xref target="RFC4271"/>,
ISIS <xref target="IS-IS"/>, OSPFv3 <xref target="RFC5340"/>,
RIPng <xref target="RFC2080"/>, PIM <xref target="RFC4609"/> work
by default or can be configured to work with link-local
addresses. Exceptions are explained in the
<xref target="caveats">caveats section</xref>. </t>
<t>Management plane traffic, such as SSH <xref target="RFC4251"/>,
Telnet <xref target="RFC0495"/>, SNMP <xref target="RFC1157"/>,
and ICMPv6 echo request <xref target="RFC4443"/>, can use
the address of the router loopback interface as the
destination address.
Router management can also be done over out-of-band channels.</t>
<t>ICMP error messages are usually sourced from a loopback interface
with a greater than link-local address scope.
<xref target="RFC4861"/> section 4.5 explains one exception:
ICMP redirect messages can also be sourced from a link-local
address.</t>
<t>Data plane traffic is forwarded independently of the link
address type.</t>
<t>Neighbor discovery (neighbor solicitation and neighbor
advertisement) is done by using link-local unicast and multicast
addresses. Therefore neighbor discovery is not affected.</t>
</list>We therefore conclude that it is possible to construct a
working network in this way.</t>
</section>
<section anchor="advantages" title="Advantages" toc="default">
<t>The following list of advantages is in no particular order. </t>
<t>Smaller routing tables: Since the routing protocol only needs to
carry one global address (the loopback interface) per router, it is
smaller than the traditional approach where every infrastructure link
address is carried in the routing protocol. This reduces memory
consumption, and increases the convergence speed in some routing
failover cases. Because the Forwarding Information Base to be
downloaded to line cards is smaller and there are fewer
prefixes in the Routing Information Base, the
routing algorithm is accellerated.
Note: smaller routing tables can also be achieved
by putting interfaces in passive mode for the Interior Gateway
Protocol (IGP).</t>
<t>Simpler address management: Only loopback interface addresses
need to be
considered in an addressing plan. This also allows for easier
renumbering. </t>
<t>Lower configuration complexity: link-local addresses require no
specific configuration, thereby lowering the complexity and size of
router configurations. This also reduces the likelihood of
configuration mistakes.</t>
<t>Simpler DNS: Less routable address space in use also means less
reverse and forward mapping DNS resource records to maintain.</t>
<t>Reduced attack surface: Every routable address on a router
constitutes a potential attack point: a remote attacker can send
traffic to that address. Examples are a TCP SYN flood (see <xref
target="RFC4987"/>), or SSH brute force password attacks.
If a network only uses the addresses of the router loopback
interface(s), only those addresses need to be protected from outside the
network. This may ease protection measures, such as infrastructure
access control lists.</t>
<t>Without using link-local addresses, it is still possible to achieve
the same result if the network addressing scheme is set up such that
all link and loopback interfaces have greater than link-local
addresses and are aggregatable, and if the infrastructure access list
covers that entire aggregated space. See also <xref target="RFC6752"/>
for further discussion on this topic.</t>
<t><xref target="RFC6860"/> describes another approach to hide
addressing on infrastructure links for OSPFv2
and OSPFv3, by modifying the existing protocols. This document does
not modify any protocol, however it works only for IPv6.</t>
</section>
<section anchor="caveats" title="Caveats" toc="default">
<t>The caveats listed in this section are in no particular order.</t>
<t>Interface ping: if an interface doesn't have a routable address, it
can only be pinged from a node on the same link. Therefore, it is not
possible to ping a specific link interface remotely. A possible
workaround is to ping the loopback address of a router instead. In
most cases today, it is not possible to see which link the packet was
received on; however, <xref target="RFC5837"/> suggests
including the interface identifier of the interface a packet was
received on in the ICMPv6 response; it must be noted that there are few
implementations of this ICMPv6 extension. With this approach it would be
possible to ping a router on the addresses of loopback interfaces, yet
see which interface the packet was received on. To check liveliness of
a specific interface, it may be necessary to use other methods, such
as connecting to the router via SSH and checking locally or using
SNMP.</t>
<t>Traceroute: similar to the ping case, a reply to a traceroute
packet would come from the address of a loopback interface, and
current implementations do not display the specific interface the
packets came in on. Also here, <xref target="RFC5837"/>
provides a solution. As in the ping case above, it is not possible
to traceroute to a particular interface if it only has a link-local
address.</t>
<t>Hardware dependency: LLAs are usually EUI-64 based, hence, they
change when the MAC address is changed. This could pose problem in a
case where the routing neighbor must be configured explicitly (e.g.
BGP) and a line card needs to be physically replaced hence changing
the EUI-64 LLA and breaking the routing neighborship. LLAs can be
statically configured such as fe80::1 and fe80::2 which can be used to
configure any required static routing neighborship. However,
this static LLA
configuration may be more complex to operate than statically configured
greater than link-local addresses, because the link scope must also be
considered, as in this example: 'BGP neighbor fe80::1%eth0 is down'.
</t>
<t>Network Management System (NMS) toolkits: if there is any NMS tool
that makes use of interface IP address of a router to carry out any of
its NMS functions, then it would no longer work if the interface does
not have a routable address. A possible workaround for such tools is to
use the routable address of the router loopback interface instead.
Most vendor implementations allow the specification of loopback
interface addresses for SYSLOG, IPfix, and SNMP. The protocol LLDP (IEEE
802.1AB-2009) runs directly over Ethernet and does not require any
IPv6 address, so dynamic network discovery is not hindered when using
LLDP. But, network discovery based on NDP cache content will only
display the link-local addresses and not the addresses of the loopback
interfaces; therefore, network discovery should rather be based on the
Route Information Base to detect adjacent nodes.</t>
<t>MPLS and RSVP-TE <xref target="RFC3209"/> allows establishing MPLS
LSP on a path that is explicitly identified by a strict sequence of IP
prefixes or addresses (each pertaining to an interface or a router on
the path). This is commonly used for Fast Re-Route (FRR). However, if
an interface uses only a link-local address, then such LSPs cannot be
established. At the time of writing this document, there is no
workaround for this case; therefore, where RSVP-TE is being used, the
approach described in this document does not work.</t>
</section>
<section title="Internet Exchange Points">
<t>Internet Exchange Points (IXPs) have a special importance in the
global Internet, because they connect a high number of networks in a
single location, and because a significant part of Internet traffic passes
through at least one IXP. An IXP
requires therefore a very high level of security. The address space
used on an IXP is generally known, as it is registered in the global
Internet Route Registry, or it is easily discoverable through
traceroute. The IXP prefix is especially critical, because practically
all addresses on this prefix are critical systems in the Internet.</t>
<t>Apart from general device security guidelines, there are generally
two additional ways to raise security (see also <xref
target="I-D.ietf-opsec-bgp-security"/>): <list style="numbers">
<t>Not to announce the prefix in question, and</t>
<t>To drop all traffic from remote locations destined to the IXP
prefixes.</t>
</list>Not announcing the prefix of the IXP would frequently
result in traceroute and similar packets (required for PMTUd) to be
dropped due to uRPF checks. Given that PMTUd is critical, this is
generally not acceptable. Dropping all external traffic to the IXP
prefix is hard to implement, because if only one service provider
connected to
an IXP does not filter correctly, then all IXP routers are
reachable from at least that service provider network.</t>
<t>As the prefix used in the IXP is usually longer than a /48, it is
frequently dropped by route filters on the Internet having the same
net effect as not announcing the prefix.</t>
<t>Using link-local addresses on the IXP may help in this scenario. In
this case, the generated ICMPv6 packets would be generated from loopback
interfaces or from any other interface with a globally routable address
without any configuration. However in this case, each service provider
would use his own address space, making a generic attack against all
devices on the IXP harder. All of an IXP's loopback interface
addresses can be discovered by a potential attacker with a
simple traceroute; a generic attack is therefore still possible, but
it would require more work.</t>
<t>In some cases service providers carry the IXP addresses in their
IGP for certain forms of traffic engineering across multiple exit
points. Link-local addresses cannot be used for
this purpose; in this case, the service provider would have to employ
other methods of traffic engineering.</t>
<t>If an Internet Exchange Point is using a global prefix registered
for this purpose, a traceroute will indicate whether the trace crosses
an IXP rather than a private interconnect. If link local addressing is
used instead, a traceroute will not provide this distinction.</t>
</section>
<section title="Summary" toc="default">
<t>Using exclusively link-local addressing on infrastructure links has a number
of advantages and disadvantages, which are both described in detail
in this document. A network operator can use this document to
evaluate whether using link-local addressing on infrastructure links
is a good idea in the context of his/her network or not. This document
makes no particular recommendation either in favour or against.</t>
</section>
</section>
<section title="Security Considerations">
<t>Using LLAs only on infrastructure links reduces the attack surface of
a router: loopback interfaces with routed addresses are
still reachable and must be secured, but infrastructure links can only
be attacked from the local link. This simplifies security of control and
management planes. The approach does not impact the security of the data
plane. The link-local-only approach does not address <xref target="RFC6192">control
plane</xref> attacks generated by data plane packets (such as hop-limit
expiration or packets containing a hop-by-hop extension header).</t>
</section>
<section title="IANA Considerations">
<t>There are no IANA considerations or implications that arise from this
document.</t>
</section>
<section title="Acknowledgements">
<t>The authors would like to thank Salman Asadullah, Brian Carpenter,
Bill Cerveny,
Benoit Claise, Rama Darbha, Simon Eng, Wes George, Fernando Gont,
Jen Linkova, Harald
Michl, Janos Mohacsi, Ivan Pepelnjak, and Alvaro Retana for their useful
comments about this work.</t>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<references title="Informative References">
&RFC0495;
&RFC1157;
&RFC2080;
&RFC3209;
&RFC3704;
&RFC4193;
&RFC4251;
&RFC4271;
&RFC4443;
&RFC4609;
&RFC4861;
&RFC4987;
&RFC5340;
&RFC5837;
&RFC6192;
&RFC6724;
&RFC6752;
&RFC6860;
&I-D.ietf-opsec-bgp-security;
<reference anchor="IS-IS">
<front>
<title>Intermediate System to Intermediate System Intra-Domain
Routing Exchange Protocol for use in Conjunction with the Protocol
for Providing the Connectionless-mode Network Service (ISO
8473)</title>
<author surname="ISO/IEC 10589"/>
<date month="June" year="1992"/>
</front>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 10:54:18 |