idnits 2.17.1 draft-white-linklocalnh-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC4291], [RFC4271]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (October 1, 2019) is 1667 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2119' is defined on line 249, but no explicit reference was found in the text == Unused Reference: 'RFC2629' is defined on line 283, but no explicit reference was found in the text == Unused Reference: 'RFC3552' is defined on line 287, but no explicit reference was found in the text -- Obsolete informational reference (is this intentional?): RFC 2629 (Obsoleted by RFC 7749) Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Interdomain Routing R. White 3 Internet-Draft Juniper Networks 4 Intended status: Standards Track D. Sharp 5 Expires: April 3, 2020 Cumulus Networks 6 D. Dutt 7 Stardust Consulting 8 B. Sadhu 9 VMWare 10 J. Tantsura 11 Apstra, Inc. 12 October 1, 2019 14 Link Local Next Hop Handling for BGP 15 draft-white-linklocalnh-00 17 Abstract 19 BGP, described in [RFC4271], was originally designed to provide 20 reachability between domains and between the edges of a domain. As 21 such, BGP assumes the next hop towards any reachable destination may 22 not reside on the advertising speaker, but rather may either be 23 through a router connected to the same subnet as the speaker, or 24 through a router only reachable by traversing multiple hops through 25 the network. Because of this, BGP does not recognize the use of IPv6 26 link local addresses, as described in [RFC4291], as a valid next hop 27 for forwarding purposes. 29 However, BGP speakers are now often deployed on point-to-point links 30 in networks where multihop reachability of any kind is not assumed or 31 desired (all next hops are assumed to be the speaker reachable 32 through a directly connected point-to-point link). This is common, 33 for instance, in data center fabrics. In these situations, a global 34 IPv6 address is not required for the advertisement of reachability 35 information; in fact, providing global IPv6 addresses in these kinds 36 of networks can be detrimental to Zero Touch Provisioning (ZTP). 38 This draft standardizes the operation of BGP over a point-to-point 39 link using link local IPv6 addressing only. 41 Status of This Memo 43 This Internet-Draft is submitted in full conformance with the 44 provisions of BCP 78 and BCP 79. 46 Internet-Drafts are working documents of the Internet Engineering 47 Task Force (IETF). Note that other groups may also distribute 48 working documents as Internet-Drafts. The list of current Internet- 49 Drafts is at https://datatracker.ietf.org/drafts/current/. 51 Internet-Drafts are draft documents valid for a maximum of six months 52 and may be updated, replaced, or obsoleted by other documents at any 53 time. It is inappropriate to use Internet-Drafts as reference 54 material or to cite them other than as "work in progress." 56 This Internet-Draft will expire on April 3, 2020. 58 Copyright Notice 60 Copyright (c) 2019 IETF Trust and the persons identified as the 61 document authors. All rights reserved. 63 This document is subject to BCP 78 and the IETF Trust's Legal 64 Provisions Relating to IETF Documents 65 (https://trustee.ietf.org/license-info) in effect on the date of 66 publication of this document. Please review these documents 67 carefully, as they describe your rights and restrictions with respect 68 to this document. Code Components extracted from this document must 69 include Simplified BSD License text as described in Section 4.e of 70 the Trust Legal Provisions and are provided without warranty as 71 described in the Simplified BSD License. 73 Table of Contents 75 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 76 2. Changes to BGP Next Hop Attribute to Support Link Local on 77 Point-to-Point . . . . . . . . . . . . . . . . . . . . . . . 3 78 3. Receiver Processing of IPv6 Link Local Forwarding Addresses . 4 79 4. Error handling . . . . . . . . . . . . . . . . . . . . . . . 4 80 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 81 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 82 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5 83 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 84 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 85 8.2. Informative References . . . . . . . . . . . . . . . . . 7 86 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 88 1. Introduction 90 BGP, described in [RFC4271], was originally designed to provide 91 reachability between domains and between the edges of a domain. As 92 such, BGP assumes the next hop towards any reachable destination may 93 not reside on the advertising speaker, but rather may either be 94 through a router connected to the same subnet as the speaker, or 95 through a router only reachable by traversing multiple hops through 96 the network. Because of this, BGP does not recognize the use of IPv6 97 link local addresses, as described in [RFC4271], as a valid next hop 98 for forwarding purposes. 100 However, BGP speakers are now often deployed on point-to-point links 101 in networks where multihop reachability of any kind is not assumed or 102 desired (all next hops are assumed to be the speaker reachable 103 through a directly connected point-to-point link). This is common, 104 for instance, in data center fabrics. In these situations, a global 105 IPv6 address is not required for the advertisement of reachability 106 information; in fact, providing global IPv6 addresses in these kinds 107 of networks can be detrimental to Zero Touch Provisioning (ZTP). 109 2. Changes to BGP Next Hop Attribute to Support Link Local on Point-to- 110 Point 112 [RFC2545], section 2, notes link local IPv6 addresses are not 113 generally suitable for use in the Next Hop field of the 114 MP_REACH_NLRI. In order to support the many uses of link local 115 addresses, however, [RFC2545] constructs the Next Hop field in IPv6 116 route advertisements by setting the length of the field to 32, and 117 including both a link local and global IPv6 address in the resulting 118 enlarged field. In this way, the receiving BGP speaker can use the 119 global IPv6 address to build local forwarding information, and the 120 link local address for ICMPv6 redirects, etc. [RFC2545] does not, 121 however, provide an explanation for situations where there is only a 122 link local IPv6 address in the Next Hop field of the MP_REACH_NLRI. 123 The result is each implementation that supports link local peering 124 along with forwarding to a link local address has implemented the 125 construction of the Next Hop field in the MP_REACH_NLRI when there is 126 only a link local address available in slightly different ways. 128 If an implementation intends to send a single link local forwarding 129 address in the Next Hop field of the MP_REACH_NLRI, it MUST set the 130 length of the Next Hop field to 16 and include only the IPv6 link 131 local address in the Next Hop field. 133 If an implementation intends to send both a link local and global 134 IPv6 forwarding address in the Next Hop field of the MP_REACH_NLRI, 135 it MUST set the length of the Next Hop field to 32 and include both 136 the IPv6 link local and global IPv6 forwarding addresses in the Next 137 Hop field. If both link local and global IPv6 forwarding addresses 138 are carried in the Next Hop Field, the speaker SHOULD provide a local 139 configuration option to determine which address is preferred for 140 forwarding. 142 3. Receiver Processing of IPv6 Link Local Forwarding Addresses 144 On receiving an MP_REACH_NLRI with a Next Hop length of 16, 145 implementations SHOULD form the forwarding information using the IPv6 146 next hop contained in the Next Hop field, regardless of whether it is 147 a link local or globally reachable IPv6 address. 149 Implementations MAY check the validity of any IPv6 link local address 150 used to calculate forwarding information by insuring the address is 151 in the local neighbor table for the interface on which the BGP update 152 was received (or through which the BGP speaker from which the update 153 was received is reachable). There MUST be a configuration option to 154 enable/disable this check. 156 Note: It is possible that checking the IPv6 neighbor table for the 157 existence or validity of a link local next hop may make instances 158 where a link is being overwhelmed through some form of Deinal of 159 Service (DoS) attack worse than they would otherwise be. If the IPv6 160 neighbor cache is overrun in a way that causes the link local address 161 being used for BGP peering to be removed from the table, which is 162 possible through an on-link DoS attack, any fresh BGP update will 163 cause the entire peering session to fail if the implementation is 164 checking the validity of link local next hops as described above. 165 Operators should carefully assess the use of validation against the 166 local IPv6 neighbor table to determine if it is appropriate for any 167 particular peering session. 169 4. Error handling 171 A BGP speaker receiving an MP_REACH_NLRI with the length of the Next 172 Hop Field set to 32, where the update contains anything other than a 173 link local IPv6 address and a global IPv6 address, SHOULD consider 174 this a malformed UPDATE message, and proceed as described in the 175 following paragraphs. In order to support backwards compatibility 176 with existing implementations, an implementation MAY ignore a second 177 link local IPv6 address or 0::0/0 included with an IPv6 link local 178 address when the length of the Next Hop Field is set to 32; in this 179 case, the implementation SHOULD report the existence of this 180 additional information so the operator can correct the sending BGP 181 implementation. 183 If the Next Hop field is malformed, the implementation MUST handle 184 the mailformed UPDATE message using the approach of "treat-as- 185 withdraw", as described in section 7.3 of [RFC7606]. It MAY send a 186 NOTIFICATION message as described in section 4 of [RFC4271], using 187 the UPDATE error message code (8 - Invalid NEXT_HOP Attribute) 188 indicating there is an invalid NEXT_HOP field 189 If the Next Hop field is properly formed, but the link local next hop 190 is not reachable (as determined by an examination of the IPv6 191 neighbor table), the implementation MAY handle the mailformed UPDATE 192 message using the approach of "treat-as-withdraw", as described in 193 section 7.3 of [RFC7606] (see note above on checking the local 194 neighbor table for the correctness of the next hop). The 195 implementation MAY send a NOTIFICATION message as described in 196 section 4 of [RFC4271] using the UPDATE error message code (TBA), 197 indicating a link local address was included in the MP_REACH_NLRI, 198 but the link local address included cannot be reached. As this could 199 indicate a security breach of some type (see the security 200 considerations section below), the operator SHOULD have a local 201 configuration option to terminate the peering session until manual 202 intervention is initiated. 204 5. Acknowledgements 206 The authors would like to thank Don Slice, Jeff Haas, and John 207 Scudder for their contributions to this draft. 209 6. IANA Considerations 211 This memo requests IANA assign a number from the "Error Subcodes" 212 registry defined in the IANA Considerations section in [RFC4271]. 213 This allocation will be for a new UPDATE error subcode, code (TBA), 214 with a value of "Unreachable Link Local Address." 216 7. Security Considerations 218 The mechanism described in this draft can be used as a component of 219 ZTP for building BGP adjacencies across point-to-point links. This 220 method, then, can be used by an attacker to form a peering session 221 with a BGP speaker, ultimately advertising incorrect routing 222 information into a routing domain in order to misdirect traffic or 223 cause a denial of service. By using link local IPv6 addresses, the 224 attacker would be able to forego the use of a valid IPv6 address 225 within the domain, making such an attack easier. 227 Operators SHOULD carefully consider security when deploying link 228 local addresses for BGP peering. Operators SHOULD filter traffic on 229 links where BGP peering is not intended to occur to prevent speakers 230 from accepting BGP session requests, as well as other mechanisms 231 described in [RFC7454]. 233 Operators MAY also use some form of cryptographic validation on links 234 within the network to prevent unauthorized devices from forming BGP 235 peering sessions. Authentication, such as the TCP authentication 236 described in [RFC5925], may provide some relief, if it is present and 237 correctly configured. However, the distribution and management of 238 keys in an environment where global addresses are not present on BGP 239 speakers may be challenging. 241 Operators also MAY instruct a BGP peer which has received an UPDATE 242 with an unreachable NEXT_HOP to disable the peering session over 243 which the invalid NEXT_HOP was received pending manual intervention. 245 8. References 247 8.1. Normative References 249 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 250 Requirement Levels", BCP 14, RFC 2119, 251 DOI 10.17487/RFC2119, March 1997, 252 . 254 [RFC2545] Marques, P. and F. Dupont, "Use of BGP-4 Multiprotocol 255 Extensions for IPv6 Inter-Domain Routing", RFC 2545, 256 DOI 10.17487/RFC2545, March 1999, 257 . 259 [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A 260 Border Gateway Protocol 4 (BGP-4)", RFC 4271, 261 DOI 10.17487/RFC4271, January 2006, 262 . 264 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 265 Architecture", RFC 4291, DOI 10.17487/RFC4291, February 266 2006, . 268 [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP 269 Authentication Option", RFC 5925, DOI 10.17487/RFC5925, 270 June 2010, . 272 [RFC7454] Durand, J., Pepelnjak, I., and G. Doering, "BGP Operations 273 and Security", BCP 194, RFC 7454, DOI 10.17487/RFC7454, 274 February 2015, . 276 [RFC7606] Chen, E., Ed., Scudder, J., Ed., Mohapatra, P., and K. 277 Patel, "Revised Error Handling for BGP UPDATE Messages", 278 RFC 7606, DOI 10.17487/RFC7606, August 2015, 279 . 281 8.2. Informative References 283 [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, 284 DOI 10.17487/RFC2629, June 1999, 285 . 287 [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC 288 Text on Security Considerations", BCP 72, RFC 3552, 289 DOI 10.17487/RFC3552, July 2003, 290 . 292 Authors' Addresses 294 Russ White 295 Juniper Networks 297 Email: russ@riw.us 299 Donald Sharp 300 Cumulus Networks 302 Email: sharpd@cumulusnetworks.com 304 Dinesh Dutt 305 Stardust Consulting 307 Email: ddutt@hobbesdutt.com 309 Biswajit Sadhu 310 VMWare 312 Email: biswajit.sadhu@gmail.com 314 Jeff Tantsura 315 Apstra, Inc. 317 Email: jefftant.ietf@gmail.com