Using Only Link-Local Addressing Inside an IPv6 Network

This document discusses the approach of using only link-local addresses (LLA) on all router interfaces on infrastructure links. Routers don't typically need to receive packets from hosts or nodes outside the network. For a network operator, there may be reasons to use greater than link-local scope addresses on infrastructure interfaces for certain operational tasks, such as pings to an interface or traceroutes across the network. This document discusses such cases and proposes alternative procedures.

In this approach neither globally routed IPv6 addresses nor unique local addresses are configured on infrastructure links. In the absence of specific global or unique local address definitions, the default behavior of routers is to use link-local addresses notably for routing protocols. The sending of ICMPv6 error messages (packet-too-big, time-exceeded...) is required for routers. Therefore, another interface must be configured with an IPv6 address with a greater scope than link-local. This address will usually be a loopback interface with a global scope address belonging to the operator and part of an announced prefix (with a suitable prefix length) to avoid being dropped by other routers implementing . This is implementation dependent. For the remainder of this document we will refer to this interface as a "loopback interface". recommends that greater than link-local scope IPv6 addresses are used as the source IPv6 address for all generated ICMPv6 messages sent to a non-link-local address, with the exception of ICMPv6 redirect messages, as defined in section 4.5. The effect on specific traffic types is as follows: Most control plane protocols, such as BGP , ISIS , OSPFv3 , RIPng , PIM work by default or can be configured to work with link-local addresses. Exceptions are explained in the caveats section. Management plane traffic, such as SSH , Telnet , SNMP , and ICMPv6 echo request , can use the address of the router loopback interface as the destination address. Router management can also be done over out-of-band channels. ICMP error messages are usually sourced from a loopback interface with a greater than link-local address scope. section 4.5 explains one exception: ICMP redirect messages can also be sourced from a link-local address. Data plane traffic is forwarded independently of the link address type. Neighbor discovery (neighbor solicitation and neighbor advertisement) is done by using link-local unicast and multicast addresses. Therefore neighbor discovery is not affected. We therefore conclude that it is possible to construct a working network in this way.

The following list of advantages is in no particular order. Smaller routing tables: Since the routing protocol only needs to carry one global address (the loopback interface) per router, it is smaller than the traditional approach where every infrastructure link address is carried in the routing protocol. This reduces memory consumption, and increases the convergence speed in some routing failover cases. Because the Forwarding Information Base to be downloaded to line cards is smaller and there are fewer prefixes in the Routing Information Base, the routing algorithm is accelerated. Note: smaller routing tables can also be achieved by putting interfaces in passive mode for the Interior Gateway Protocol (IGP). Simpler address management: Only loopback interface addresses need to be considered in an addressing plan. This also allows for easier renumbering. Lower configuration complexity: link-local addresses require no specific configuration, thereby lowering the complexity and size of router configurations. This also reduces the likelihood of configuration mistakes. Simpler DNS: Less routable address space in use also means less reverse and forward mapping DNS resource records to maintain. Of course, if the operator selects not to enter any global interface addresses in the DNS anyway, then this is less of an advantage. Reduced attack surface: Every routable address on a router constitutes a potential attack point: a remote attacker can send traffic to that address, for example a TCP SYN flood (see ). If a network only uses the addresses of the router loopback interface(s), only those addresses need to be protected from outside the network. This may ease protection measures, such as infrastructure access control lists (iACL). Without using link-local addresses, it is still possible to achieve the simple iACL if the network addressing scheme is set up such that all link and loopback interfaces have greater than link-local addresses and are aggregatable, and if the infrastructure access list covers that entire aggregated space. See also for further discussion on this topic. describes another approach to hide addressing on infrastructure links for OSPFv2 and OSPFv3, by modifying the existing protocols. This document does not modify any protocol, however it works only for IPv6.

The caveats listed in this section are in no particular order. Interface ping: if an interface doesn't have a routable address, it can only be pinged from a node on the same link. Therefore, it is not possible to ping a specific link interface remotely. A possible workaround is to ping the loopback address of a router instead. In most cases today, it is not possible to see which link the packet was received on; however, suggests including the interface identifier of the interface a packet was received on in the ICMPv6 response; it must be noted that there are few implementations of this ICMPv6 extension. With this approach it would be possible to ping a router on the addresses of loopback interfaces, yet see which interface the packet was received on. To check liveliness of a specific interface, it may be necessary to use other methods, such as connecting to the router via SSH and checking locally or using SNMP. Traceroute: similar to the ping case, a reply to a traceroute packet would come from the address of a loopback interface, and current implementations do not display the specific interface the packets came in on. Also here, provides a solution. As in the ping case above, it is not possible to traceroute to a particular interface if it only has a link-local address. Conversely, this approach may make network topology discovery from outside the network simpler; because instead of responding with multiple different interface IP addresses, which have to be correlated by the outsider, a router will always respond with the same loopback address. If reverse DNS mapping is used, the mapping is trivial in either case. Hardware dependency: LLAs have usually been EUI-64 based, hence, they change when the MAC address is changed. This could pose problem in a case where the routing neighbor must be configured explicitly (e.g. BGP) and a line card needs to be physically replaced hence changing the EUI-64 LLA and breaking the routing neighborship. LLAs can be statically configured such as fe80::1 and fe80::2 which can be used to configure any required static routing neighborship. However, this static LLA configuration may be more complex to operate than statically configured greater than link-local scope addresses, because LLAs are inherently ambiguous for a multi-link node such as a router; to deal with the ambiguity, the link zone index must also be considered explicitly, e.g., using the extended textual notation described in as in this example: 'BGP neighbor fe80::1%eth0 is down'. Network Management System (NMS) toolkits: if there is any NMS tool that makes use of interface IP address of a router to carry out any of its NMS functions, then it would no longer work if the interface does not have a routable address. A possible workaround for such tools is to use the routable address of the router loopback interface instead. Most vendor implementations allow the specification of loopback interface addresses for SYSLOG, IPfix, and SNMP. The protocol LLDP (IEEE 802.1AB-2009) runs directly over Ethernet and does not require any IPv6 address, so dynamic network discovery is not hindered when using LLDP. But, network discovery based on NDP cache content will only display the link-local addresses and not the addresses of the loopback interfaces; therefore, network discovery should rather be based on the Route Information Base to detect adjacent nodes. MPLS and RSVP-TE allow establishing an MPLS LSP on a path that is explicitly identified by a strict sequence of IP prefixes or addresses (each pertaining to an interface or a router on the path). This is commonly used for Fast Re-Route (FRR). However, if an interface uses only a link-local address, then such LSPs cannot be established. At the time of writing this document, there is no workaround for this case; therefore, where RSVP-TE is being used, the approach described in this document does not work.

Internet Exchange Points (IXPs) have a special importance in the global Internet, because they connect a high number of networks in a single location, and because a significant part of Internet traffic passes through at least one IXP. An IXP requires therefore a very high level of security. The address space used on an IXP is generally known, as it is registered in the global Internet Route Registry, or it is easily discoverable through traceroute. The IXP prefix is especially critical, because practically all addresses on this prefix are critical systems in the Internet. Apart from general device security guidelines, there are generally two additional ways to raise security (see also ): Not to announce the prefix in question, and To drop all traffic from remote locations destined to the IXP prefixes. Not announcing the prefix of the IXP would frequently result in traceroute and similar packets (required for PMTUD) to be dropped due to unicast Reverse Path Forwarding (uRPF) checks. Given that PMTUD is critical, this is generally not acceptable. Dropping all external traffic to the IXP prefix is hard to implement, because if only one service provider connected to an IXP does not filter correctly, then all IXP routers are reachable from at least that service provider network. As the prefix used in the IXP is usually longer than a /48, it is frequently dropped by route filters on the Internet having the same net effect as not announcing the prefix. Using link-local addresses on the IXP may help in this scenario. In this case, the generated ICMPv6 packets would be generated from loopback interfaces or from any other interface with a globally routable address without any configuration. However in this case, each service provider would use his own address space, making a generic attack against all devices on the IXP harder. All of an IXP's loopback interface addresses can be discovered by a potential attacker with a simple traceroute; a generic attack is therefore still possible, but it would require more work. In some cases service providers carry the IXP addresses in their IGP for certain forms of traffic engineering across multiple exit points. Link-local addresses cannot be used for this purpose; in this case, the service provider would have to employ other methods of traffic engineering. If an Internet Exchange Point is using a global prefix registered for this purpose, a traceroute will indicate whether the trace crosses an IXP rather than a private interconnect. If link local addressing is used instead, a traceroute will not provide this distinction.

Using exclusively link-local addressing on infrastructure links has a number of advantages and disadvantages, which are both described in detail in this document. A network operator can use this document to evaluate whether using link-local addressing on infrastructure links is a good idea in the context of his/her network or not. This document makes no particular recommendation either in favour or against.