idnits 2.17.1 draft-ietf-opsec-lla-only-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 25, 2014) is 3494 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-07) exists of draft-ietf-opsec-bgp-security-05 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 OPsec Working Group M. Behringer 3 Internet-Draft E. Vyncke 4 Intended status: Informational Cisco 5 Expires: March 29, 2015 September 25, 2014 7 Using Only Link-Local Addressing Inside an IPv6 Network 8 draft-ietf-opsec-lla-only-11 10 Abstract 12 In an IPv6 network it is possible to use only link-local addresses on 13 infrastructure links between routers. This document discusses the 14 advantages and disadvantages of this approach to help the decision 15 process for a given network. 17 Status of This Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on March 29, 2015. 34 Copyright Notice 36 Copyright (c) 2014 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 52 2. Using Link-Local Addressing on Infrastructure Links . . . . . 2 53 2.1. The Approach . . . . . . . . . . . . . . . . . . . . . . 3 54 2.2. Advantages . . . . . . . . . . . . . . . . . . . . . . . 4 55 2.3. Caveats . . . . . . . . . . . . . . . . . . . . . . . . . 5 56 2.4. Internet Exchange Points . . . . . . . . . . . . . . . . 6 57 2.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 7 58 3. Security Considerations . . . . . . . . . . . . . . . . . . . 7 59 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 60 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 61 6. Informative References . . . . . . . . . . . . . . . . . . . 8 62 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 64 1. Introduction 66 An infrastructure link between a set of routers typically does not 67 require global or unique local addresses [RFC4193]. Using only link- 68 local addressing on such links has a number of advantages. For 69 example, that routing tables do not need to carry link addressing, 70 and can therefore be significantly smaller. This helps to decrease 71 failover times in certain routing convergence events. An interface 72 of a router is also not reachable beyond the link boundaries, 73 therefore reducing the attack surface. 75 This document discusses the advantages and caveats of this approach. 77 Note that some traditionally used techniques to operate a network 78 such as pinging interfaces, or seeing interface information in a 79 traceroute do not work with this approach. Details are discussed 80 below. 82 During WG and IETF last call the technical correctness of the 83 document has been reviewed, however debate exists as to whether to 84 recommend this technique. The deployment of this technique is 85 appropriate where it is found to be necessary. 87 2. Using Link-Local Addressing on Infrastructure Links 89 This document discusses the approach of using only link-local 90 addresses (LLA) on all router interfaces on infrastructure links. 91 Routers don't typically need to receive packets from hosts or nodes 92 outside the network. For a network operator, there may be reasons to 93 use greater than link-local scope addresses on infrastructure 94 interfaces for certain operational tasks, such as pings to an 95 interface or traceroutes across the network. This document discusses 96 such cases and proposes alternative procedures. 98 2.1. The Approach 100 In this approach neither globally routed IPv6 addresses nor unique 101 local addresses are configured on infrastructure links. In the 102 absence of specific global or unique local address definitions, the 103 default behavior of routers is to use link-local addresses notably 104 for routing protocols. 106 The sending of ICMPv6 [RFC4443] error messages (packet-too-big, time- 107 exceeded...) is required for routers. Therefore, another interface 108 must be configured with an IPv6 address with a greater scope than 109 link-local. This address will usually be a loopback interface with a 110 global scope address belonging to the operator and part of an 111 announced prefix (with a suitable prefix length) to avoid being 112 dropped by other routers implementing [RFC3704]. This is 113 implementation dependent. For the remainder of this document we will 114 refer to this interface as a "loopback interface". 116 [RFC6724] recommends that greater than link-local scope IPv6 117 addresses are used as the source IPv6 address for all generated 118 ICMPv6 messages sent to a non-link-local address, with the exception 119 of ICMPv6 redirect messages, as defined in [RFC4861] section 4.5. 121 The effect on specific traffic types is as follows: 123 o Most control plane protocols, such as BGP [RFC4271], ISIS [IS-IS], 124 OSPFv3 [RFC5340], RIPng [RFC2080], PIM [RFC4609] work by default 125 or can be configured to work with link-local addresses. 126 Exceptions are explained in the caveats section (Section 2.3). 128 o Management plane traffic, such as SSH [RFC4251], Telnet [RFC0495], 129 SNMP [RFC1157], and ICMPv6 echo request [RFC4443], can use the 130 address of the router loopback interface as the destination 131 address. Router management can also be done over out-of-band 132 channels. 134 o ICMP error messages are usually sourced from a loopback interface 135 with a greater than link-local address scope. [RFC4861] section 136 4.5 explains one exception: ICMP redirect messages can also be 137 sourced from a link-local address. 139 o Data plane traffic is forwarded independently of the link address 140 type. 142 o Neighbor discovery (neighbor solicitation and neighbor 143 advertisement) is done by using link-local unicast and multicast 144 addresses. Therefore neighbor discovery is not affected. 146 We therefore conclude that it is possible to construct a working 147 network in this way. 149 2.2. Advantages 151 The following list of advantages is in no particular order. 153 Smaller routing tables: Since the routing protocol only needs to 154 carry one global address (the loopback interface) per router, it is 155 smaller than the traditional approach where every infrastructure link 156 address is carried in the routing protocol. This reduces memory 157 consumption, and increases the convergence speed in some routing 158 failover cases. Because the Forwarding Information Base to be 159 downloaded to line cards is smaller and there are fewer prefixes in 160 the Routing Information Base, the routing algorithm is accelerated. 161 Note: smaller routing tables can also be achieved by putting 162 interfaces in passive mode for the Interior Gateway Protocol (IGP). 164 Simpler address management: Only loopback interface addresses need to 165 be considered in an addressing plan. This also allows for easier 166 renumbering. 168 Lower configuration complexity: link-local addresses require no 169 specific configuration, thereby lowering the complexity and size of 170 router configurations. This also reduces the likelihood of 171 configuration mistakes. 173 Simpler DNS: Less routable address space in use also means less 174 reverse and forward mapping DNS resource records to maintain. Of 175 course, if the operator selects not to enter any global interface 176 addresses in the DNS anyway, then this is less of an advantage. 178 Reduced attack surface: Every routable address on a router 179 constitutes a potential attack point: a remote attacker can send 180 traffic to that address, for example a TCP SYN flood (see [RFC4987]). 181 If a network only uses the addresses of the router loopback 182 interface(s), only those addresses need to be protected from outside 183 the network. This may ease protection measures, such as 184 infrastructure access control lists (iACL). Without using link-local 185 addresses, it is still possible to achieve the simple iACL if the 186 network addressing scheme is set up such that all link and loopback 187 interfaces have greater than link-local addresses and are 188 aggregatable, and if the infrastructure access list covers that 189 entire aggregated space. See also [RFC6752] for further discussion 190 on this topic. [RFC6860] describes another approach to hide 191 addressing on infrastructure links for OSPFv2 and OSPFv3, by 192 modifying the existing protocols. This document does not modify any 193 protocol, however it works only for IPv6. 195 2.3. Caveats 197 The caveats listed in this section are in no particular order. 199 Interface ping: if an interface doesn't have a routable address, it 200 can only be pinged from a node on the same link. Therefore, it is 201 not possible to ping a specific link interface remotely. A possible 202 workaround is to ping the loopback address of a router instead. In 203 most cases today, it is not possible to see which link the packet was 204 received on; however, [RFC5837] suggests including the interface 205 identifier of the interface a packet was received on in the ICMPv6 206 response; it must be noted that there are few implementations of this 207 ICMPv6 extension. With this approach it would be possible to ping a 208 router on the addresses of loopback interfaces, yet see which 209 interface the packet was received on. To check liveliness of a 210 specific interface, it may be necessary to use other methods, such as 211 connecting to the router via SSH and checking locally or using SNMP. 213 Traceroute: similar to the ping case, a reply to a traceroute packet 214 would come from the address of a loopback interface, and current 215 implementations do not display the specific interface the packets 216 came in on. Also here, [RFC5837] provides a solution. As in the 217 ping case above, it is not possible to traceroute to a particular 218 interface if it only has a link-local address. Conversely, this 219 approach may make network topology discovery from outside the network 220 simpler; because instead of responding with multiple different 221 interface IP addresses, which have to be correlated by the outsider, 222 a router will always respond with the same loopback address. If 223 reverse DNS mapping is used, the mapping is trivial in either case. 225 Hardware dependency: LLAs have usually been EUI-64 based, hence, they 226 change when the MAC address is changed. This could pose problem in a 227 case where the routing neighbor must be configured explicitly (e.g. 228 BGP) and a line card needs to be physically replaced hence changing 229 the EUI-64 LLA and breaking the routing neighborship. LLAs can be 230 statically configured such as fe80::1 and fe80::2 which can be used 231 to configure any required static routing neighborship. However, this 232 static LLA configuration may be more complex to operate than 233 statically configured greater than link-local scope addresses, 234 because LLAs are inherently ambiguous for a multi-link node such as a 235 router; to deal with the ambiguity, the link zone index must also be 236 considered explicitly, e.g., using the extended textual notation 237 described in [RFC4007] as in this example: 'BGP neighbor fe80::1%eth0 238 is down'. 240 Network Management System (NMS) toolkits: if there is any NMS tool 241 that makes use of interface IP address of a router to carry out any 242 of its NMS functions, then it would no longer work if the interface 243 does not have a routable address. A possible workaround for such 244 tools is to use the routable address of the router loopback interface 245 instead. Most vendor implementations allow the specification of 246 loopback interface addresses for SYSLOG, IPfix, and SNMP. The 247 protocol LLDP (IEEE 802.1AB-2009) runs directly over Ethernet and 248 does not require any IPv6 address, so dynamic network discovery is 249 not hindered when using LLDP. But, network discovery based on NDP 250 cache content will only display the link-local addresses and not the 251 addresses of the loopback interfaces; therefore, network discovery 252 should rather be based on the Route Information Base to detect 253 adjacent nodes. 255 MPLS and RSVP-TE [RFC3209] allow establishing an MPLS LSP on a path 256 that is explicitly identified by a strict sequence of IP prefixes or 257 addresses (each pertaining to an interface or a router on the path). 258 This is commonly used for Fast Re-Route (FRR). However, if an 259 interface uses only a link-local address, then such LSPs cannot be 260 established. At the time of writing this document, there is no 261 workaround for this case; therefore, where RSVP-TE is being used, the 262 approach described in this document does not work. 264 2.4. Internet Exchange Points 266 Internet Exchange Points (IXPs) have a special importance in the 267 global Internet, because they connect a high number of networks in a 268 single location, and because a significant part of Internet traffic 269 passes through at least one IXP. An IXP requires therefore a very 270 high level of security. The address space used on an IXP is 271 generally known, as it is registered in the global Internet Route 272 Registry, or it is easily discoverable through traceroute. The IXP 273 prefix is especially critical, because practically all addresses on 274 this prefix are critical systems in the Internet. 276 Apart from general device security guidelines, there are generally 277 two additional ways to raise security (see also 278 [I-D.ietf-opsec-bgp-security]): 280 1. Not to announce the prefix in question, and 282 2. To drop all traffic from remote locations destined to the IXP 283 prefixes. 285 Not announcing the prefix of the IXP would frequently result in 286 traceroute and similar packets (required for PMTUD) to be dropped due 287 to unicast Reverse Path Forwarding (uRPF) checks. Given that PMTUD 288 is critical, this is generally not acceptable. Dropping all external 289 traffic to the IXP prefix is hard to implement, because if only one 290 service provider connected to an IXP does not filter correctly, then 291 all IXP routers are reachable from at least that service provider 292 network. 294 As the prefix used in the IXP is usually longer than a /48, it is 295 frequently dropped by route filters on the Internet having the same 296 net effect as not announcing the prefix. 298 Using link-local addresses on the IXP may help in this scenario. In 299 this case, the generated ICMPv6 packets would be generated from 300 loopback interfaces or from any other interface with a globally 301 routable address without any configuration. However in this case, 302 each service provider would use his own address space, making a 303 generic attack against all devices on the IXP harder. All of an 304 IXP's loopback interface addresses can be discovered by a potential 305 attacker with a simple traceroute; a generic attack is therefore 306 still possible, but it would require more work. 308 In some cases service providers carry the IXP addresses in their IGP 309 for certain forms of traffic engineering across multiple exit points. 310 Link-local addresses cannot be used for this purpose; in this case, 311 the service provider would have to employ other methods of traffic 312 engineering. 314 If an Internet Exchange Point is using a global prefix registered for 315 this purpose, a traceroute will indicate whether the trace crosses an 316 IXP rather than a private interconnect. If link local addressing is 317 used instead, a traceroute will not provide this distinction. 319 2.5. Summary 321 Using exclusively link-local addressing on infrastructure links has a 322 number of advantages and disadvantages, which are both described in 323 detail in this document. A network operator can use this document to 324 evaluate whether using link-local addressing on infrastructure links 325 is a good idea in the context of his/her network or not. This 326 document makes no particular recommendation either in favour or 327 against. 329 3. Security Considerations 331 Using only LLAs on infrastructure links reduces the attack surface of 332 a router: loopback interfaces with routed addresses are still 333 reachable and must be secured, but infrastructure links can only be 334 attacked from the local link. This simplifies security of control 335 and management planes. The approach does not impact the security of 336 the data plane. The link-local-only approach does not address 337 control plane [RFC6192] attacks generated by data plane packets (such 338 as hop-limit expiration or packets containing a hop-by-hop extension 339 header). 341 For additional security considerations, as previously stated, see 342 also [RFC5837] and [I-D.ietf-opsec-bgp-security]. 344 4. IANA Considerations 346 There are no IANA considerations or implications that arise from this 347 document. 349 5. Acknowledgements 351 The authors would like to thank Salman Asadullah, Brian Carpenter, 352 Bill Cerveny, Benoit Claise, Rama Darbha, Simon Eng, Wes George, 353 Fernando Gont, Jen Linkova, Harald Michl, Janos Mohacsi, Ivan 354 Pepelnjak, Alvaro Retana, Jinmei Tatuya and Peter Yee for their 355 useful comments about this work. 357 6. Informative References 359 [I-D.ietf-opsec-bgp-security] 360 Durand, J., Pepelnjak, I., and G. Doering, "BGP operations 361 and security", draft-ietf-opsec-bgp-security-05 (work in 362 progress), August 2014. 364 [IS-IS] ISO/IEC 10589, , "Intermediate System to Intermediate 365 System Intra-Domain Routing Exchange Protocol for use in 366 Conjunction with the Protocol for Providing the 367 Connectionless-mode Network Service (ISO 8473)", June 368 1992. 370 [RFC0495] McKenzie, A., "Telnet Protocol specifications", RFC 495, 371 May 1973. 373 [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, 374 "Simple Network Management Protocol (SNMP)", STD 15, RFC 375 1157, May 1990. 377 [RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080, 378 January 1997. 380 [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., 381 and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP 382 Tunnels", RFC 3209, December 2001. 384 [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed 385 Networks", BCP 84, RFC 3704, March 2004. 387 [RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and 388 B. Zill, "IPv6 Scoped Address Architecture", RFC 4007, 389 March 2005. 391 [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast 392 Addresses", RFC 4193, October 2005. 394 [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) 395 Protocol Architecture", RFC 4251, January 2006. 397 [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway 398 Protocol 4 (BGP-4)", RFC 4271, January 2006. 400 [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control 401 Message Protocol (ICMPv6) for the Internet Protocol 402 Version 6 (IPv6) Specification", RFC 4443, March 2006. 404 [RFC4609] Savola, P., Lehtonen, R., and D. Meyer, "Protocol 405 Independent Multicast - Sparse Mode (PIM-SM) Multicast 406 Routing Security Issues and Enhancements", RFC 4609, 407 October 2006. 409 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 410 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 411 September 2007. 413 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 414 Mitigations", RFC 4987, August 2007. 416 [RFC5340] Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF 417 for IPv6", RFC 5340, July 2008. 419 [RFC5837] Atlas, A., Bonica, R., Pignataro, C., Shen, N., and JR. 420 Rivers, "Extending ICMP for Interface and Next-Hop 421 Identification", RFC 5837, April 2010. 423 [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the 424 Router Control Plane", RFC 6192, March 2011. 426 [RFC6724] Thaler, D., Draves, R., Matsumoto, A., and T. Chown, 427 "Default Address Selection for Internet Protocol Version 6 428 (IPv6)", RFC 6724, September 2012. 430 [RFC6752] Kirkham, A., "Issues with Private IP Addressing in the 431 Internet", RFC 6752, September 2012. 433 [RFC6860] Yang, Y., Retana, A., and A. Roy, "Hiding Transit-Only 434 Networks in OSPF", RFC 6860, January 2013. 436 Authors' Addresses 438 Michael Behringer 439 Cisco 440 Building D, 45 Allee des Ormes 441 Mougins 06250 442 France 444 Email: mbehring@cisco.com 446 Eric Vyncke 447 Cisco 448 De Kleetlaan, 6A 449 Diegem 1831 450 Belgium 452 Email: evyncke@cisco.com