Network Working Group M. Behringer Internet-Draft E. Vyncke Intended status: Informational Cisco Expires: February 18, 2013 August 17, 2012 Using Only Link-Local Addressing Inside an IPv6 Network draft-ietf-opsec-lla-only-00 Abstract This document proposes to use only IPv6 link-local addresses on infrastructure links between routers, wherever possible. It discusses the advantages and disadvantages of this approach to aide the decision process for a given network, Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on February 18, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Behringer & Vyncke Expires February 18, 2013 [Page 1] Internet-Draft Link-Local Only August 2012 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 2. Using Link-Local Address on Infrastructure Links . . . . . . . 3 2.1. The Suggested Approach . . . . . . . . . . . . . . . . . . 3 2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. Caveats and Possible Workarounds . . . . . . . . . . . . . 5 2.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 6.1. Normative References . . . . . . . . . . . . . . . . . . . 6 6.2. Informative References . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 Behringer & Vyncke Expires February 18, 2013 [Page 2] Internet-Draft Link-Local Only August 2012 1. Introduction An infrastructure link between a set of routers typically does not require global or even unique local addressing [RFC4193]. Using link-local addressing on such links has a number of advantages, for example that routing tables do not need to carry link addressing, and can therefore be significantly smaller. This helps to decrease failover times in certain routing convergence events. An interface of a router is also not reachable beyond the link boundaries, therefore reducing the attack horizon. We propose to configure neither globally routable IPv6 addresses nor unique local addresses on infrastructure links of routers, wherever possible. We recommend to use exclusively link-local addresses on such links. This document discusses the advantages and caveats of this approach. 1.1. Requirements Language In this document, the key words "MAY", "MUST, "MUST NOT", "OPTIONAL", "RECOMMENDED", "SHOULD", and "SHOULD NOT", are to be interpreted as described in RFC2119 [RFC2119]. 2. Using Link-Local Address on Infrastructure Links This document proposes to use only link-local addresses (LLA) on all router interfaces on infrastructure links. Routers typically do not need to be reached from from users of the network, nor from outside the network. For an network operator there may be reasons to send packets to an infrastructure link for certain monitoring tasks; we suggest that many of those tasks could also be handled differently, not requiring routable address space on infrastructure links. 2.1. The Suggested Approach Neither global IPv6 addresses nor unique local addresses are configured on infrastructure links. In the absence of specific global or unique local address definitions, the default behavior of routers is to use link-local addresses. These link-local addresses MAY be hard-coded to prevent the change of EUI-64 addresses when changing of MAC address (such as after changing a network interface card). ICMPv6 [RFC4443] error messages (packet-too-big...) are required for routers, therefore a loopback interface MUST be configured with a global scope IPv6 address. This global scope IPv6 address MUST be Behringer & Vyncke Expires February 18, 2013 [Page 3] Internet-Draft Link-Local Only August 2012 used as the source IPv6 address for all generated ICMPv6 messages. The effect on specific traffic types is as follows: o Control plane protocols, such as BGP, ISIS, OSPFv3, RIPng, PIM work by default or can be configured to work with link-local addresses. o Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo request ... can be addressed to loopback addresses of routers with a global scope address. Router management can also be done over out-of-band channels. o IICMP error message can also be sourced from the global scope loopback address. o Data plane traffic is forwarded independently of the link address type. o Neighbor discovery (neighbor solicitation and neighbor advertisement) is done by using link-local unicast and multicast addresses, therefore neighbor discovery is not affected. We therefore conclude that it is possible to construct a working network in this way. 2.2. Advantages Smaller routing tables: Since the routing protocol only needs to carry one loopback address per router, it is smaller than in the traditional approach where every infrastructure link addresses are carried in the routing protocol. This reduces memory consumption, and increases the convergence speed in some routing failover cases. Note: smaller routing tables can also be achieved by putting interfaces in passive mode for the IGP. Reduced attack surface: Every globally routable address on a router constitutes a potential attack point: a remote attacker can send traffic to that address, for example a TCP SYN flood, or he can intent SSH brute force password attacks. If a network only uses loopback addresses for the routers, only those loopback addresses need to be protected from outside the network. This significantly eases protection measures, such as infrastructure access control lists. See also [I-D.ietf-grow-private-ip-sp-cores] for further discussion on this topic. Lower configuration complexity: LLAs require no specific configuration, thereby lowering the complexity and size of router Behringer & Vyncke Expires February 18, 2013 [Page 4] Internet-Draft Link-Local Only August 2012 configurations. This also reduces the likelihood of configuration mistakes. Simpler DNS: Less address space in use also means less DNS mappings to maintain. 2.3. Caveats and Possible Workarounds Interface ping: If an interface doesn't have a globally routable address, it can only be pinged from a node on the same link. Therefore it is not possible to ping a specific link interface remotely. A possible workaround is to ping the loopback address of a router instead. In most cases today it is not possible to see which link the packet was received on; however, RFC5837 [RFC5837] suggests to include the interface identifier of the interface a packet was received on in the ICMP response; it must be noted that there are little implemented of this extension. With this approach it would be possible to ping a router on the loopback address, yet see which interface the packet was received on. To check liveliness of a specific interface it may be necessary to use other methods, for example to connect to the router via SSH and to check locally. Traceroute: Similar to the ping case, a reply to a traceroute packet would come from a loopback address with a global address. Today this does not display the specific interface the packets came in on. Also here, RFC5837 [RFC5837] provides a solution. Hardware dependency: LLAs are usually EUI-64 based, hence, they change when the MAC address is changed. This could pose problem in a case where the routing neighbor must be configured explicitly (e.g. BGP) and a line card needs to be physically replaced hence changing the EUI-64 LLA and breaking the routing neighborship. But, LLAs can be statically configured such as fe80::1 and fe80::2 which can be used to configure any required static routing neighborship. NMS toolkits: If there is any NMS tool that makes use of interface IP address of a router to carry out any of NMS functions, then it would no longer work, if the interface is missing globally routable address. A possible workaround for such tools is to use the globally routable lopback address of the router instead. MPLS and RSVP-TE [RFC3209] allows establishing MPLS LSP on a path that is explicitly identified by a strict sequence of IP prefixes or addresses (each pertaining to an interface or a router on the path). This is commonly used for FRR. However, if an interface uses only a link-local address, then such LSPs can not be established. A possible workaround is to use loose sequence of IP prefixes or addresses (each pertaining to a router) to identify an explicit path Behringer & Vyncke Expires February 18, 2013 [Page 5] Internet-Draft Link-Local Only August 2012 along with shared-risk-link-group (to not use a set of common interfaces). 2.4. Summary Using link-local addressing only on infrastructure links has a number of advantages, such as a smaller routing table size and a reduced attack surface. It also simplifies router configurations. However, the way certain network management tasks are carried out has to be adapted to provide the same level of detail, for example interface identifiers in traceroute. 3. Security Considerations Using LLAs only on infrastructure links reduces the attack surface of a router: Loopback addresses with globally routed addresses are still reachable and must be secured, but infrastructure links can only be attacked from the local link. This simplifies security of control and management planes. The proposal does not impact the security of the data plane. This proposal does not address control plane [RFC6192] attacks generated by data plane packets (such as hop-limit expiration). As in the traditional approach, also this approach relies on the assumption that all routers can be trusted due to physical and operational security. 4. IANA Considerations There are no IANA considerations or implications that arise from this document. 5. Acknowledgements The authors would like to thank Salman Asadullah, Janos Mohacsi and Wes George for their useful comments about this work. 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Behringer & Vyncke Expires February 18, 2013 [Page 6] Internet-Draft Link-Local Only August 2012 6.2. Informative References [I-D.ietf-grow-private-ip-sp-cores] Kirkham, A., "Issues with Private IP Addressing in the Internet", draft-ietf-grow-private-ip-sp-cores-07 (work in progress), July 2012. [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP Tunnels", RFC 3209, December 2001. [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast Addresses", RFC 4193, October 2005. [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", RFC 4443, March 2006. [RFC5837] Atlas, A., Bonica, R., Pignataro, C., Shen, N., and JR. Rivers, "Extending ICMP for Interface and Next-Hop Identification", RFC 5837, April 2010. [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the Router Control Plane", RFC 6192, March 2011. Authors' Addresses Michael Behringer Cisco 400 Avenue Roumanille, Bat 3 Biot, 06410 France Email: mbehring@cisco.com Eric Vyncke Cisco De Kleetlaan, 6A Diegem, 1831 Belgium Email: evyncke@cisco.com Behringer & Vyncke Expires February 18, 2013 [Page 7]