idnits 2.17.1 draft-ietf-grow-embed-addr-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 2003) is 7468 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: '7' is mentioned on line 306, but not defined ** Obsolete normative reference: RFC 2050 (ref. '2') (Obsoleted by RFC 7020) ** Downref: Normative reference to an Informational RFC: RFC 2101 (ref. '3') ** Obsolete normative reference: RFC 2030 (ref. '4') (Obsoleted by RFC 4330) Summary: 6 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Global Routing Operations D. Plonka 3 Internet-Draft University of Wisconsin 4 Expires: May 1, 2004 November 2003 6 Embedding Globally Routable Internet Addresses Considered Harmful 7 draft-ietf-grow-embed-addr-00 9 Status of this Memo 11 This document is an Internet-Draft and is in full conformance with 12 all provisions of Section 10 of RFC2026. 14 Internet-Drafts are working documents of the Internet Engineering 15 Task Force (IETF), its areas, and its working groups. Note that other 16 groups may also distribute working documents as Internet-Drafts. 18 Internet-Drafts are draft documents valid for a maximum of six months 19 and may be updated, replaced, or obsoleted by other documents at any 20 time. It is inappropriate to use Internet-Drafts as reference 21 material or to cite them other than as "work in progress." 23 The list of current Internet-Drafts can be accessed at http:// 24 www.ietf.org/ietf/1id-abstracts.txt. 26 The list of Internet-Draft Shadow Directories can be accessed at 27 http://www.ietf.org/shadow.html. 29 This Internet-Draft will expire on May 1, 2004. 31 Copyright Notice 33 Copyright (C) The Internet Society (2003). All Rights Reserved. 35 Abstract 37 Vendors of consumer electronics and network gear have produced and 38 sold hundreds of thousands of Internet hosts with globally routable 39 Internet Protocol addresses embedded within their products' firmware. 40 These products are now in operation world-wide and primarily include, 41 but are not necessarily limited to, low-cost routers and middleboxes 42 for personal or residential use. 44 This "hard-coding" of globally routable IP addresses as identifiers 45 within the host's firmware presents significant problems to the 46 operation of the Internet and to the management of its address space. 48 This document means to clarify best current practices in the Internet 49 community. It denouces the practice of embedding references to 50 unique, globally routable IP addresses in Internet hosts, describes 51 some of the resulting problems, and considers selected alternatives. 52 It is also intended to remind the Internet community of the ephemeral 53 nature of unique, globally routable IP addresses and that the 54 assignment and use of IP addresses as identifiers is temporary and 55 therefore should not be used in fixed configurations. 57 Revision History 59 The following is the revision history of this document since "-00": 61 $Log: draft-ietf-grow-embed-addr.xml,v $ 62 Revision 1.11 2003/12/02 22:28:04 plonka 63 renamed from draft-plonka-embed-addr to draft-ietf-grow-embed-addr 65 integrated suggestions from Paul Barford 67 reordered references to match the text 69 added quote from RFC2101 re: use of IPv4 addresses as identifiers 70 as mentioned by Brian Carpenter 72 Revision 1.10 2003/11/03 17:06:54 plonka 73 added background information in appendix 75 Revision 1.9 2003/11/03 16:39:30 plonka 76 various updates based on input from Mike O'Connor: 77 - indicated that DNS server(s) should be configurable 78 - clarified DNS round-robin behavior 79 - clarified "unsolicited traffic" by saying "IP traffic" 81 added revision history and appendix A 83 Figure 1 85 1. Introduction 87 Internet hosts should not contain globally routable Internet Protocol 88 addresses embedded within firmware or elsewhere as part of their 89 default configuration influencing their run-time behavior. 91 Ostensibly, this practice arose as an attempt to simplify 92 configuration of IP hosts by preloading them with IP addresses as 93 service identifiers. Unfortunately, products that rely on such 94 embedded IP addresses initially may appear convenient to both the 95 product's designer and its operator or user, but this dubious benefit 96 comes at the expense of others in the Internet community. 98 2. Problems 100 In a number cases, the embedding of IP addresses has caused Internet 101 products to rely on a single central Internet service. This can 102 result in a service outage when the aggregate workload overwhelms 103 that service. When fixed addresses are embedded in an 104 ever-increasing number of client IP hosts, this practice runs 105 directly counter to the design intent of hierarchically deployed 106 services that would otherwise be robust solutions. 108 The reliability, scalability, and performance of many Internet 109 services require that the pool of users not directly access a service 110 by IP address. Instead they rely on a level of indirection provided 111 by the Domain Name System, RFC 2219 [1]. DNS permits the service 112 operator to reconfigure the resources for maintenance and 113 load-balancing without the participation of the users. For instance, 114 one common load-balancing technique employs multiple DNS records with 115 the same name that are then rotated in a round-robin fashion in the 116 set of answers returned by the Berkeley Internet Name Daemon (BIND) 117 and other DNS server implementations. Upon receiving such as 118 response to a query, resolvers typically use the first valid answer 119 in the set, thus enabling the operator to distribute the user request 120 load across a set of servers with discrete IP addresses that 121 generally remain unknown to the user. 123 Embedding globally unique IP addresses taints the IP address blocks 124 in which they reside, lessening the usefulness and portability of 125 those IP address blocks and increasing the cost of operation. 126 Unsolicited traffic may continue to be delivered to the embedded 127 addresses, even after the IP address or block has been reassigned and 128 no longer hosts the service for which that traffic was meant. Circa 129 1997, the authors of RFC 2101 [3] made this observation: 131 Due to dynamic address allocation and increasingly frequent 132 network renumbering, temporal uniqueness of IPv4 addresses is no 133 longer globally guaranteed, which puts their use as identifiers 134 into severe question. 136 In this way, IP address blocks containing addresses that have been 137 embedded into the configuration of many Internet hosts become 138 encumbered by their historical use. This may interfere with the 139 ability of the Internet Assigned Numbers Authority (IANA) and the 140 Internet Registry (IR) hierarchy to usefully reallocate IP address 141 blocks. This is of particular concern as the IPv4 address space nears 142 exhaustion. Note that, to facilitate IP address reuse, RFC 2050 [2], 143 encourages Internet Service Providers (ISPs) to treat address 144 assignments as "loans". 146 Because consumers are not necessarily capable, experienced operators 147 of Internet hosts, they are not able to be relied upon to implement a 148 fix if and when problems arise. As such, a significant 149 responsibility lies with the manufacturer or vendor of the Internet 150 host to avoid embedding IP addresses. 152 3. Recommendations 154 Internet host and router designers, including network product 155 manufacturers, should not assume that their products will only be 156 deployed on a single global Internet, that they happen to observe 157 today. A myriad of private internets in which these products will be 158 used will often not allow these hosts to establish end-to-end 159 communications with arbitrary hosts on the global Internet. 161 Vendors should, by default, disable unnecessary features in their 162 products. This is especially true of features that generate 163 unsolicited IP traffic. In this way these hosts will be conservative 164 regarding the unsolicited Internet traffic they produce. For 165 instance, one of the most common uses of embedded IP addresses has 166 been the hard-coding of addresses of well know public Simple Network 167 Time Protocol (SNTP RFC 2030 [4]) servers, even though only a small 168 fraction of the users benefits from these products even having some 169 notion of the current date and time. 171 Vendors should provide an operator interface for every feature that 172 generates unsolicited IP traffic. A prime example of this that the 173 Domain Name System resolver should have an interface enabling the 174 operator to either explicitl set the servers of his choosing or to 175 enable the use of a standard automated configuration protocol such as 176 DHCP, defined by RFC 2132 [5]. Within the operator interface, these 177 features should be disabled by default so that one consequence of 178 enabling these features is that the operator becomes aware that the 179 feature exists. This will mean that it is more likely that the 180 product's owner or operator can participate in problem determination 181 and mitigation when problems arise. 183 Internet hosts should use the Domain Name System to determine the 184 routable IP addresses associated with the Internet services they 185 require. However, note that simply hard-coding DNS names rather than 186 IP addresses is not a panacea. Entries in the domain name space are 187 also ephemeral and can change owners for various reasons including 188 such as acquisitions and litigation. A given vendor ought not assume 189 that it will retain control of a given zone indefinitely. 191 Whenever possible, default configurations, documentation, and example 192 configurations for Internet hosts should use Private Internet 193 Addresses, as defined by RFC 1918 [6], rather than unique, globally 194 routable IP addresses. 196 Service providers and enterprise network operators should advertise 197 the identities of suitable local services. For instance, the DHCP 198 protocol, as defined by RFC 2132 [5], enables one to configure a 199 server to answer queries regarding available servers to clients that 200 ask for them. Unless the advertisement of local services is 201 ubiquitous, designers may resort to ad hoc mechanisms that rely on 202 central services. 204 Operators that provide public services on the global Internet, such 205 as the NTP community, should deprecate the explicit advertisement of 206 IP addresses of public services. These addresses are ephemeral. As 207 such, their widespread citations in public service indexes interferes 208 with the ability to reconfigure the service as necessary to address 209 unexpected, increased workloads. 211 4. Security Considerations 213 Embedding or "hard-coding" IP addresses within a host's configuration 214 almost always means that some sort of host-based trust model is being 215 employed, and that the Internet host with the given address is 216 trusted in some way. Due to the ephemeral roles of routable IP 217 addresses, the practice of embedding them within products' firmware 218 or default configurations presents a security risk. 220 An Internet host designer may be tempted to implement some sort of 221 remote control mechanism within a product, by which its Internet host 222 configuration can be changed without reliance on, interaction with, 223 or even the knowledge of its operator or user. This raises security 224 issues of its own. If such a scheme is implemented, this should be 225 fully disclosed to the customer, operator, and user so that an 226 informed decision can be made, in accordance with local security or 227 privacy policy. Furthermore, the significant possibility of 228 malicious parties exploiting such a remote control mechanism may 229 completely negate any potential benefit of the remote control scheme. 231 5. Conclusion 233 As larger numbers of homogenous hosts continue to be deployed, it is 234 particularly important that both their designers and other members of 235 the Internet community are diligent in assessing host implementation 236 quality and reconfigurability. Unique, globally routable IP 237 addresses should not be embedded within a host's fixed configuration 238 because doing so excludes the ability to remotely influence hosts 239 when the unsolicited IP traffic they generate causes problems for the 240 for those operating the IP addresses to which the traffic is 241 destined. 243 6. Acknowledgements 245 Thanks go to the following folks for providing input during the 246 preparation of this document: Paul Barford and Mike O'Connor. 248 References 250 [1] Hamilton, M., "Use of DNS Aliases for Network Services", RFC 251 2219, BCP 17, October 1997. 253 [2] Hubbard, K., "INTERNET REGISTRY IP ALLOCATION GUIDELINES", RFC 254 2050, BCP 12, November 1996. 256 [3] Carpenter, B., "IPv4 Address Behaviour Today", RFC 2101, 257 February 1997. 259 [4] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for 260 IPv4, IPv6 and OSI", RFC 2030, October 1996. 262 [5] Alexander, S., "DHCP Options and BOOTP Vendor Extensions", RFC 263 2132, March 1997. 265 [6] Rekhter, Y., "Address Allocation for Private Internets", RFC 266 1918, BCP 5, February 1996. 268 Author's Address 270 David J. Plonka 271 University of Wisconsin - Madison 272 DoIT, room b116 273 1210 W. Dayton Street 274 Madison, WI 53705 275 US 277 Phone: +1 608 265 5184 278 EMail: plonka@doit.wisc.edu 279 URI: http://net.doit.wisc.edu/~plonka/ 281 Appendix A. Background 283 In June 2003, the University of Wisconsin discovered that the network 284 product vendor named NetGear had manufactured and shipped over 285 700,000 routers with firmware containing a hard-coded reference to 286 the IP address of one of the University's NTP servers: 287 128.105.39.11, which was also known as "ntp1.cs.wisc.edu", a public 288 stratum-2 NTP server. 290 Due to that embedded fixed configuration and a bug in the 291 implementation, the NetGear SNTP client has a failure mode in which 292 each flawed router produces one query per second destined for the IP 293 address 128.105.39.11, and hence produces a large-scale flood of 294 Internet traffic from hundreds-of-thousands of legitimate source 295 addresses and destined for the University's network resulting in 296 significant operational problems. 298 These flawed routers are widely deployed throughout the global 299 Internet and are likely to remain in use for years to come. As such, 300 the University of Wisconsin with the cooperation of NetGear will 301 build a new anycast time service which aims to mitigate the damage 302 caused by the misbehavior of these flawed routers. 304 A technical report regarding the details of this situation is 305 available on the world-wide-web: Flawed Routers Flood University of 306 Wisconsin Internet Time Server [7] 308 Intellectual Property Statement 310 The IETF takes no position regarding the validity or scope of any 311 intellectual property or other rights that might be claimed to 312 pertain to the implementation or use of the technology described in 313 this document or the extent to which any license under such rights 314 might or might not be available; neither does it represent that it 315 has made any effort to identify any such rights. Information on the 316 IETF's procedures with respect to rights in standards-track and 317 standards-related documentation can be found in BCP-11. Copies of 318 claims of rights made available for publication and any assurances of 319 licenses to be made available, or the result of an attempt made to 320 obtain a general license or permission for the use of such 321 proprietary rights by implementors or users of this specification can 322 be obtained from the IETF Secretariat. 324 The IETF invites any interested party to bring to its attention any 325 copyrights, patents or patent applications, or other proprietary 326 rights which may cover technology that may be required to practice 327 this standard. Please address the information to the IETF Executive 328 Director. 330 Full Copyright Statement 332 Copyright (C) The Internet Society (2003). All Rights Reserved. 334 This document and translations of it may be copied and furnished to 335 others, and derivative works that comment on or otherwise explain it 336 or assist in its implementation may be prepared, copied, published 337 and distributed, in whole or in part, without restriction of any 338 kind, provided that the above copyright notice and this paragraph are 339 included on all such copies and derivative works. However, this 340 document itself may not be modified in any way, such as by removing 341 the copyright notice or references to the Internet Society or other 342 Internet organizations, except as needed for the purpose of 343 developing Internet standards in which case the procedures for 344 copyrights defined in the Internet Standards process must be 345 followed, or as required to translate it into languages other than 346 English. 348 The limited permissions granted above are perpetual and will not be 349 revoked by the Internet Society or its successors or assignees. 351 This document and the information contained herein is provided on an 352 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 353 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 354 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 355 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 356 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 358 Acknowledgment 360 Funding for the RFC Editor function is currently provided by the 361 Internet Society.