idnits 2.17.1 draft-ietf-grow-embed-addr-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1.a on line 15. -- Found old boilerplate from RFC 3978, Section 5.5 on line 437. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 414. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 421. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 427. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate instead of verbatim RFC 3978 boilerplate. After 6 May 2005, submission of drafts without verbatim RFC 3978 boilerplate is not accepted. The following non-3978 patterns matched text found in the document. That text should be removed or replaced: This document is an Internet-Draft and is subject to all provisions of Section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 23, 2004) is 7094 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2050 (ref. '1') (Obsoleted by RFC 7020) ** Obsolete normative reference: RFC 3330 (ref. '3') (Obsoleted by RFC 5735) ** Downref: Normative reference to an Informational RFC: RFC 3849 (ref. '4') -- Obsolete informational reference (is this intentional?): RFC 2030 (ref. '8') (Obsoleted by RFC 4330) Summary: 8 errors (**), 0 flaws (~~), 3 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Global Routing Operations D. Plonka 2 Internet-Draft University of Wisconsin 3 Expires: May 24, 2005 November 23, 2004 5 Embedding Globally Routable Internet Addresses Considered Harmful 6 draft-ietf-grow-embed-addr-05 8 Status of this Memo 10 This document is an Internet-Draft and is subject to all provisions 11 of section 3 of RFC 3667. By submitting this Internet-Draft, each 12 author represents that any applicable patent or other IPR claims of 13 which he or she is aware have been or will be disclosed, and any of 14 which he or she become aware will be disclosed, in accordance with 15 RFC 3668. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as 20 Internet-Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on May 24, 2005. 35 Copyright Notice 37 Copyright (C) The Internet Society (2004). 39 Abstract 41 This document means to clarify best current practices in the Internet 42 community. Internet hosts should not contain globally routable 43 Internet Protocol addresses embedded within firmware or elsewhere as 44 part of their default configuration such that it influences run-time 45 behavior. 47 Table of Contents 49 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 50 2. Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 51 3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 4 52 3.1 Disable Unused Features . . . . . . . . . . . . . . . . . 5 53 3.2 Provide User Interface for IP Features . . . . . . . . . . 5 54 3.3 Use Domain Names as Service Identifiers . . . . . . . . . 5 55 3.4 Use Special-Purpose, Reserved IP Addresses When 56 Available . . . . . . . . . . . . . . . . . . . . . . . . 6 57 3.5 Discover and Utilize Local Services . . . . . . . . . . . 6 58 3.6 Avoid Mentioning the IP Addresses of Services . . . . . . 7 59 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 60 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 61 6. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 7 62 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 63 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 64 8.1 Normative References . . . . . . . . . . . . . . . . . . . . 8 65 8.2 Informative References . . . . . . . . . . . . . . . . . . . 8 66 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 9 67 A. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 9 68 Intellectual Property and Copyright Statements . . . . . . . . 10 70 1. Introduction 72 Vendors of consumer electronics and network gear have unfortunately 73 chosen to embed, or "hard-code", globally routable Internet Protocol 74 addresses within their products' firmware. These products use these 75 embedded IP addresses as service identifiers and direct service 76 requests (unsolicited Internet traffic) to them. One recent example 77 was the embedding of the globally routable IP address of a Network 78 Time Protocol server in the firmware of hundreds of thousands of 79 Internet hosts that are now in operation world-wide. The hosts are 80 primarily, but are not necessarily limited to, low-cost routers and 81 middleboxes for personal or residential use. 83 This "hard-coding" of globally routable IP addresses as identifiers 84 within the host's firmware presents significant problems to the 85 operation of the Internet and to the management of its address space. 87 Ostensibly, this practice arose as an attempt to simplify 88 configuration of IP hosts by preloading them with IP addresses as 89 service identifiers. Products that rely on such embedded IP 90 addresses initially may appear convenient to both the product's 91 designer and its operator or user, but this dubious benefit comes at 92 the expense of others in the Internet community. 94 This document denounces the practice of embedding references to 95 unique, globally routable IP addresses in Internet hosts, describes 96 some of the resulting problems, and considers selected alternatives. 97 It also reminds the Internet community of the ephemeral nature of 98 unique, globally routable IP addresses and that the assignment and 99 use of IP addresses as identifiers is temporary and therefore should 100 not be used in fixed configurations. 102 2. Problems 104 In a number cases, the embedding of IP addresses in products has 105 caused an increasing number of Internet hosts to rely on a single 106 central Internet service. This can result in a service outage when 107 the aggregate workload overwhelms that service. When fixed addresses 108 are embedded in an ever-increasing number of client IP hosts, this 109 practice runs directly counter to the design intent of hierarchically 110 deployed services that would otherwise be robust solutions. 112 The reliability, scalability, and performance of many Internet 113 services require that the pool of users not directly access a service 114 by IP address. Instead they typically rely on a level of indirection 115 provided by the Domain Name System, RFC 2219 [6]. When appropriately 116 utilized, DNS permits the service operator to reconfigure the 117 resources for maintenance and to load-balance without the 118 participation of the users and without necessitating configuration 119 changes in the client hosts. For instance, one common load-balancing 120 technique employs multiple DNS records with the same name that are 121 then rotated in a round-robin fashion in the set of answers returned 122 by many DNS server implementations. Upon receiving such a response 123 to a query, resolvers typically will try the answers in order, until 124 one succeeds, thus enabling the operator to distribute the user 125 request load across a set of servers with discrete IP addresses that 126 generally remain unknown to the user. 128 Embedding globally unique IP addresses taints the IP address blocks 129 in which they reside, lessening the usefulness and mobility of those 130 IP address blocks and increasing the cost of operation. Unsolicited 131 traffic may continue to be delivered to the embedded address well 132 after the IP address or block has been reassigned and no longer hosts 133 the service for which that traffic was intended. Circa 1997, the 134 authors of RFC 2101 [7] made this observation: 136 Due to dynamic address allocation and increasingly frequent 137 network renumbering, temporal uniqueness of IPv4 addresses is no 138 longer globally guaranteed, which puts their use as identifiers 139 into severe question. 141 When IP addresses are used as service identifiers in the 142 configuration of many Internet hosts, the IP address blocks become 143 encumbered by their historical use. This may interfere with the 144 ability of the Internet Assigned Numbers Authority (IANA) and the 145 Internet Registry (IR) hierarchy to usefully reallocate IP address 146 blocks. Likewise, to facilitate IP address reuse, RFC 2050 [1], 147 encourages Internet Service Providers (ISPs) to treat address 148 assignments as "loans". 150 Because consumers are not necessarily experienced in the operation of 151 Internet hosts, they are not able to be relied upon to fix problems 152 if and when they arise. As such, a significant responsibility lies 153 with the manufacturer or vendor of the Internet host to avoid 154 embedding IP addresses in ways which cause the aforementioned 155 problems. 157 3. Recommendations 159 Internet host and router designers, including network product 160 manufacturers, should not assume that their products will be deployed 161 and used in only the single global Internet that they happen to 162 observe today. A myriad of private or future internetworks in which 163 these products will be used may not allow those hosts to establish 164 communications with arbitrary hosts on the global Internet. Since 165 the product failure modes resulting from unknown future states cannot 166 be fully explored, one should avoid assumptions regarding the 167 longevity of our current Internet. 169 The following recommendations are presented as best practice today: 171 3.1 Disable Unused Features 173 Vendors should, by default, disable unnecessary features in their 174 products. This is especially true of features that generate 175 unsolicited Internet traffic. In this way these hosts will be 176 conservative regarding the unsolicited Internet traffic they produce. 177 For instance, one of the most common uses of embedded IP addresses 178 has been the hard-coding of addresses of well known public Simple 179 Network Time Protocol (SNTP RFC 2030 [8]) servers, even though only a 180 small fraction of the users benefits from these products even having 181 some notion of the current date and time. 183 3.2 Provide User Interface for IP Features 185 Vendors should provide an operator interface for every feature that 186 generates unsolicited Internet traffic. A prime example of this is 187 that the Domain Name System resolver should have an interface 188 enabling the operator to either explicitly set the servers of his 189 choosing or to enable the use of a standard automated configuration 190 protocol such as DHCP, defined by RFC 2132 [9]. Within the operator 191 interface, these features should originally be disabled so that one 192 consequence of subsequently enabling these features is that the 193 operator becomes aware that the feature exists. This will mean that 194 it is more likely that the product's owner or operator can 195 participate in problem determination and mitigation when problems 196 arise. 198 RFC 2606 [2] defines the IANA-reserved "example.com", "example.net", 199 and "example.org" domains for use in example configurations and 200 documentation. These are candidate examples to be used in user 201 interface documentation. 203 3.3 Use Domain Names as Service Identifiers 205 Internet hosts should use the Domain Name System to determine the IP 206 addresses associated with the Internet services they require. 208 When using domain names as service identifiers in the configurations 209 of deployed Internet hosts, designers and vendors are encouraged to 210 introduce service names either within a domain which they control or 211 have entered into an agreement with its operator to utilize (such as 212 for public services provided by the Internet community). This is 213 commonly done by simply introducing a service-specific prefix to the 214 domain name. 216 For instance, a vendor named "Example, Inc." with the domain 217 "example.com" might configure its product to find its SNTP server by 218 the name "sntp-server.config.example.com" or even by a product and 219 version-specific name such as 220 "sntp-server.v1.widget.config.example.com". Here, the 221 "config.example.com" namespace is dedicated to that vendor's product 222 configuration, with sub-domains introduced as deemed necessary. Such 223 special-purpose domain names enable ongoing maintenance and 224 reconfiguration of the services for their client hosts and can aid in 225 the ongoing measurement of service usage throughout the product's 226 lifetime. 228 An alternative to inventing vendor-specific domain naming conventions 229 for a product's service identifiers is to utilize SRV resource 230 records (RR), defined by RFC 2782 [10]. SRV records are a generic 231 type of RR which uses a service-specific prefix in combination with a 232 base domain name. For example, an SRV-cognizant SNTP client might 233 discover Example, Inc.'s suggested NTP server by performing an 234 SRV-type query to lookup for "_ntp._udp.example.com". 236 However, note that simply hard-coding DNS name service identifiers 237 rather than IP addresses is not a panacea. Entries in the domain 238 name space are also ephemeral and can change owners for various 239 reasons including acquisitions and litigation. As such, developers 240 and vendors should explore a product's potential failure modes 241 resulting from the loss of administrative control of a given domain 242 for whatever reason. 244 3.4 Use Special-Purpose, Reserved IP Addresses When Available 246 Default configurations, documentation, and example configurations for 247 Internet hosts should use Internet addresses that reside within 248 special blocks that have been reserved for these purposes, rather 249 than unique, globally routable IP addresses. For IPv4, RFC 3330 [3] 250 states that the 192.0.2.0/24 block has been assigned for use in 251 documentation and example code. The IPv6 global unicast address 252 prefix 2001:DB8::/32 has been similarly reserved for documentation 253 purposes RFC 3849 [4]. Private Internet Addresses, as defined by RFC 254 1918 [5], should not be used for such purposes. 256 3.5 Discover and Utilize Local Services 258 Service providers and enterprise network operators should advertise 259 the identities of suitable local services, such as NTP. Very often 260 these services exist, but the advertisement and automated 261 configuration of their use is missing. For instance, the DHCP 262 protocol, as defined by RFC 2132 [9], enables one to configure a 263 server to answer queries for service identitifiers to clients that 264 ask for them. When local services including NTP are available but 265 not pervasively advertised using such common protocols, designers are 266 more likely deploy ad hoc initialization mechanisms that 267 unnecessarily rely on central services. 269 3.6 Avoid Mentioning the IP Addresses of Services 271 Operators that provide public services on the global Internet, such 272 as those in the NTP community, should deprecate the explicit 273 advertisement of the IP addresses of public services. These 274 addresses are ephemeral. As such, their widespread citation in 275 public service indexes interferes with the ability to reconfigure the 276 service as necessary to address unexpected, increased traffic and the 277 aforementioned problems. 279 4. Security Considerations 281 Embedding or "hard-coding" IP addresses within a host's configuration 282 often means that a host-based trust model is being employed, and that 283 the Internet host with the given address is trusted in some way. Due 284 to the ephemeral roles of globally routable IP addresses, the 285 practice of embedding them within products' firmware or default 286 configurations presents a security risk in that unknown parties may 287 inadvertently be trusted. 289 Internet host designers may be tempted to implement some sort of 290 remote control mechanism within a product, by which its Internet host 291 configuration can be changed without reliance on, interaction with, 292 or even the knowledge of its operator or user. This raises security 293 issues of its own. If such a scheme is implemented, its presence 294 should be fully disclosed to the customer, operator, and user so that 295 an informed decision can be made, perhaps in accordance with local 296 security or privacy policy. Furthermore, the significant possibility 297 of malicious parties exploiting such a remote control mechanism may 298 completely negate any potential benefit of the remote control scheme. 299 As such, remote control mechanisms should be disabled by default to 300 be subsequently enabled and disabled by the user. 302 5. IANA Considerations 304 This document creates no new requirements on IANA namespaces. 306 6. Conclusion 308 When large numbers of homogenous Internet hosts are deployed, it is 309 particularly important that both their designers and other members of 310 the Internet community diligently assess host implementation quality 311 and reconfigurability. 313 Implementors of host services should avoid any kind of use of unique 314 globally routable IP addresses within a fixed configuration part of 315 the service implementation. If there is a requirement for 316 pre-configured state then care should be taken to use an appropriate 317 service identifier and use standard resolution mechanisms to 318 dynamically resolve the identifier into an IP address. Also, any 319 such identifiers should be alterable in the field through a 320 conventional command and control interface for the service. 322 7. Acknowledgements 324 The author thanks the following reviewers for their contributions to 325 this document: Paul Barford, Geoff Huston, David Meyer, Mike 326 O'Connor, Michael Patton, Tom Petch, and Pekka Savola. Harald 327 Alvestrand, Spencer Dawkins, Ted Hardie, and Thomas Narten provided 328 valuable feedback during AD and IESG review. 330 8. References 332 8.1 Normative References 334 [1] Hubbard, K., "INTERNET REGISTRY IP ALLOCATION GUIDELINES", RFC 335 2050, BCP 12, November 1996. 337 [2] Eastlake, D., "Reserved Top Level DNS Names", RFC 2606, BCP 32, 338 June 1999. 340 [3] Internet Assigned Numbers Authority, "Special-Use IPv4 341 Addresses", RFC 3330, September 2002. 343 [4] Huston, G., "IPv6 Address Prefix Reserved for Documentation", 344 RFC 3849, July 2004. 346 [5] Rekhter, Y., "Address Allocation for Private Internets", RFC 347 1918, BCP 5, February 1996. 349 8.2 Informative References 351 [6] Hamilton, M., "Use of DNS Aliases for Network Services", RFC 352 2219, BCP 17, October 1997. 354 [7] Carpenter, B., "IPv4 Address Behaviour Today", RFC 2101, 355 February 1997. 357 [8] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for 358 IPv4, IPv6 and OSI", RFC 2030, October 1996. 360 [9] Alexander, S., "DHCP Options and BOOTP Vendor Extensions", RFC 361 2132, March 1997. 363 [10] Gulbrandsen, A., "A DNS RR for specifying the location of 364 services (DNS SRV)", RFC 2782, February 2000. 366 [11] Plonka, D., "Flawed Routers Flood University of Wisconsin 367 Internet Time Server", August 2003, 368 . 370 Author's Address 372 David Plonka 373 University of Wisconsin - Madison 375 EMail: plonka AT doit DOT wisc DOT edu 376 URI: http://net.doit.wisc.edu/~plonka/ 378 Appendix A. Background 380 In June 2003, the University of Wisconsin discovered that a network 381 product vendor named NetGear had manufactured and shipped over 382 700,000 routers with firmware containing a hard-coded reference to 383 the IP address of one of the University's NTP servers: 384 128.105.39.11, which was also known as "ntp1.cs.wisc.edu", a public 385 stratum-2 NTP server. 387 Due to that embedded fixed configuration and an unrelated bug in the 388 SNTP client, the affected products occasionally exhibit a failure 389 mode in which each flawed router produces one query per second 390 destined for the IP address 128.105.39.11, and hence produces a 391 large-scale flood of Internet traffic from hundreds-of-thousands of 392 source addresses, destined for the University's network, resulting in 393 significant operational problems. 395 These flawed routers are widely deployed throughout the global 396 Internet and are likely to remain in use for years to come. As such, 397 the University of Wisconsin with the cooperation of NetGear will 398 build a new anycast time service which aims to mitigate the damage 399 caused by the misbehavior of these flawed routers. 401 A technical report regarding the details of this situation is 402 available on the world wide web: Flawed Routers Flood University of 403 Wisconsin Internet Time Server [11]. 405 Intellectual Property Statement 407 The IETF takes no position regarding the validity or scope of any 408 Intellectual Property Rights or other rights that might be claimed to 409 pertain to the implementation or use of the technology described in 410 this document or the extent to which any license under such rights 411 might or might not be available; nor does it represent that it has 412 made any independent effort to identify any such rights. Information 413 on the procedures with respect to rights in RFC documents can be 414 found in BCP 78 and BCP 79. 416 Copies of IPR disclosures made to the IETF Secretariat and any 417 assurances of licenses to be made available, or the result of an 418 attempt made to obtain a general license or permission for the use of 419 such proprietary rights by implementers or users of this 420 specification can be obtained from the IETF on-line IPR repository at 421 http://www.ietf.org/ipr. 423 The IETF invites any interested party to bring to its attention any 424 copyrights, patents or patent applications, or other proprietary 425 rights that may cover technology that may be required to implement 426 this standard. Please address the information to the IETF at 427 ietf-ipr@ietf.org. 429 Disclaimer of Validity 431 This document and the information contained herein are provided on an 432 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 433 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 434 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 435 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 436 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 437 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 439 Copyright Statement 441 Copyright (C) The Internet Society (2004). This document is subject 442 to the rights, licenses and restrictions contained in BCP 78, and 443 except as set forth therein, the authors retain all their rights. 445 Acknowledgment 447 Funding for the RFC Editor function is currently provided by the 448 Internet Society.