From mbehring at cisco.com Wed Nov 21 14:42:18 2012
From: mbehring at cisco.com (Michael Behringer (mbehring))
Date: Wed, 21 Nov 2012 13:42:18 +0000
Subject: [eix-wg] IPv6 Link Local Addressing on IXPs?
Message-ID: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F5D0ADF@xmb-rcd-x14.cisco.com>

EIX WG,

Eric and myself have put together an internet draft on the usage of IPv6 link local addressing on infrastructure links. The goal is to document what works and what doesn't when you only have IPv6 link local addresses on such links.

We were pointed to the fact that this question is also arising for IXPs, and have now tried to capture the high level view for IXPs.

We'd appreciate feedback on our draft, specifically section 2.4
http://tools.ietf.org/html/draft-ietf-opsec-lla-only-02

Please let us know how we can improve the draft, specifically this section. Any feedback is welcome. If you are "okay" with the current draft, a quick note would also help us.

Thanks!
Eric and Michael

From harald.michl at univie.ac.at Fri Nov 23 09:13:34 2012
From: harald.michl at univie.ac.at (Harald Michl)
Date: Fri, 23 Nov 2012 09:13:34 +0100
Subject: [eix-wg] IPv6 Link Local Addressing on IXPs?
In-Reply-To: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F5D0ADF@xmb-rcd-x14.cisco.com>
References: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F5D0ADF@xmb-rcd-x14.cisco.com>
Message-ID: <50AF302E.8060504@univie.ac.at>

Servus Michael, Hi Eric,

My first impression was "wow what an idea". But while reading the document I must admit that some concerns were rising on the horizon..

Some comments and thoughts wearing different hats:

IXP-related:

I think it is a big advantage of having global routable addresses on an IXP-LAN. You can easily see in a traceroute whether you cross an IXP or not. If you see only loopback-addresses in the traceroute you never know whether the routed traffic goes via a private interconnect or the IXP platform. That makes debugging much more complex from my point of view.
Except from limited reachability (= attack risk) I do not see any advantage of LLAs. Limiting this risk is also possible via filtering of traffic from outside to the IXP of all participants as you mention in the document. And it's a kind of trust that all parties connected to an IXP do what is expected and I can imagine ways to check that -> ping or traceroute to the IXP LAN via Atlas UDM would be one of the possibilities. Or having a probe within the IXP-LAN pinging an address at the IXP-Members network which shouldn't work. In case it works -> alarm.

ISP-related:

The Austrian Academic Network consists of multiple redundant links. Our (open source) monitoring system Icinga pings regularly all our router interfaces (dual-stack) to ensure all links are working properly. The real-config is synced with our database and it's therefore very easy to automagically generate the config for the monitoring tool (and the (r)dns-config as well, btw).
Having only LLAs in the network would certainly make monitoring and the configuration of the monitoring system much more complex.

Something I do not understand: on one side the document mentions that the configuration gets lighter as addresses don't have to be configured - on the other hand it recommends to use statically configured LLAs (which would make sense from my point of view). The problem is: if you configure LLAs statically, the benefit is lost.

Attack potential:
Of course link interfaces could not be attacked from outside if they have no global routable address, but: you still have to have a loopback-address, which has to be global routable. And as long as the router has one single global reachable address, it's attackable.
Therefore you need an infrastructure protection acl anyway (as mentioned in your document) -> We solve this problem by having a nice address-structure and our infrastructure protection acl has exactly one entry which includes Loopback _and_ link networks. Very easy, very clear.
The only benefit I really see is that the routing table can be reduced. For a network of our size this benefit is not worth the risks, I personally think.

So, these are my comments - I'm curiously waiting for other opinions to discuss.

kind regards from Vienna,
Harald

On 21.11.12 14:42, Michael Behringer (mbehring) wrote:
> EIX WG,
>
> Eric and myself have put together an internet draft on the usage of
> IPv6 link local addressing on infrastructure links. The goal is to
> document what works and what doesn't when you only have IPv6 link
> local addresses on such links.
>
> We were pointed to the fact that this question is also arising for
> IXPs, and have now tried to capture the high level view for IXPs.
>
> We'd appreciate feedback on our draft, specifically section 2.4
> http://tools.ietf.org/html/draft-ietf-opsec-lla-only-02
>
> Please let us know how we can improve the draft, specifically this
> section. Any feedback is welcome. If you are "okay" with the current
> draft, a quick note would also help us.
>
> Thanks! Eric and Michael
>

-- 
Harald Michl
Vienna University - ACOnet www.ACO.net - VIX www.VIX.at
Universitaetsstrasse 7, A-1010 Vienna, Austria, Europe
Tel: +43 1 4277 - 14078 (Fax: - 9140) HM3550-RIPE

From evyncke at cisco.com Fri Nov 23 13:55:57 2012
From: evyncke at cisco.com (Eric Vyncke (evyncke))
Date: Fri, 23 Nov 2012 12:55:57 +0000
Subject: [eix-wg] IPv6 Link Local Addressing on IXPs?
In-Reply-To: <50AF302E.8060504@univie.ac.at>
References: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F5D0ADF@xmb-rcd-x14.cisco.com> <50AF302E.8060504@univie.ac.at>
Message-ID: <97EB7536A2B2C549846804BBF3FD47E11190A6ED@xmb-aln-x02.cisco.com>

Harald

Thanks for the feedback.

Regarding the IXP discussion, based on Jerome Durand's I-D, it appears that IXP prefixes are sometimes longer than /48 and some people drop such prefixes received over BGP. And, if there is no route to the IXP prefix, then packets generated with the IXP prefix as source address will be dropped by uRPF checks.
Using LLA in IXP will prevent any IXP customer from using the IXP prefix as a source address ;-)

Nothing magic but could be useful

> -----Original Message-----
> From: Harald Michl [mailto:harald.michl at univie.ac.at]
> Sent: vendredi 23 novembre 2012 09:14
> To: Michael Behringer (mbehring)
> Cc: eix-wg at ripe.net; Eric Vyncke (evyncke)
> Subject: Re: [eix-wg] IPv6 Link Local Addressing on IXPs?
>
> Servus Michael, Hi Eric,
>
> My first impression was "wow what an idea". But while reading the document I
> must admit that some concerns were rising on the horizon..
>
> Some comments and thoughts wearing different hats:
>
> IXP-related:
>
> I think it is a big advantage of having global routable addresses on an IXP-
> LAN. You can easily see in a traceroute whether you cross an IXP or not.
> If you see only loopback-addresses in the traceroute you never know whether
> the routed traffic goes via a private interconnect or the IXP platform. That
> makes debugging much more complex from my point of view.
>
> Except from limited reachability (= attack risk) I do not see any advantage
> of LLAs. Limiting this risk is also possible via filtering of traffic from
> outside to the IXP of all participants as you mention in the document. And
> it's a kind of trust that all parties connected to an IXP do what is expected
> and I can imagine ways to check that -> ping or traceroute to the IXP LAN via
> Atlas UDM would be one of the possibilities. Or having a probe within the
> IXP-LAN pinging an address at the IXP-Members network which shouldn't work.
> In case it works -> alarm.
>
>
> ISP-related:
>
> The Austrian Academic Network consists of multiple redundant links. Our (open
> source) monitoring system Icinga pings regularly all our router interfaces
> (dual-stack) to ensure all links are working properly.
> The real-config is
> synced with our database and it's therefore very easy to automagically
> generate the config for the monitoring tool (and the (r)dns-config as well,
> btw).
> Having only LLAs in the network would certainly make monitoring and the
> configuration of the monitoring system much more complex.
>
> Something I do not understand: on one side the document mentions that the
> configuration gets lighter as addresses don't have to be configured
> - on the other hand it recommends to use statically configured LLAs (which would
> make sense from my point of view). The problem is: if you configure LLAs
> statically, the benefit is lost.
>
> Attack potential:
> Of course link interfaces could not be attacked from outside if they have no
> global routable address, but: you still have to have a loopback-address,
> which has to be global routable. And as long as the router has one single
> global reachable address, it's attackable.
> Therefore you need an infrastructure protection acl anyway (as mentioned in
> your document) -> We solve this problem by having a nice address-structure
> and our infrastructure protection acl has exactly one entry which includes
> Loopback _and_ link networks. Very easy, very clear.
>
> The only benefit I really see is that the routing table can be reduced.
> For a network of our size this benefit is not worth the risks, I personally
> think.
>
>
> So, these are my comments - I'm curiously waiting for other opinions to
> discuss.
>
> kind regards from Vienna,
> Harald
>
>
>
> On 21.11.12 14:42, Michael Behringer (mbehring) wrote:
> > EIX WG,
> >
> > Eric and myself have put together an internet draft on the usage of
> > IPv6 link local addressing on infrastructure links. The goal is to
> > document what works and what doesn't when you only have IPv6 link local
> > addresses on such links.
> >
> > We were pointed to the fact that this question is also arising for
> > IXPs, and have now tried to capture the high level view for IXPs.
> >
> > We'd appreciate feedback on our draft, specifically section 2.4
> > http://tools.ietf.org/html/draft-ietf-opsec-lla-only-02
> >
> > Please let us know how we can improve the draft, specifically this
> > section. Any feedback is welcome. If you are "okay" with the current
> > draft, a quick note would also help us.
> >
> > Thanks! Eric and Michael
> >
>
>
> --
> Harald Michl
> Vienna University - ACOnet www.ACO.net - VIX www.VIX.at
> Universitaetsstrasse 7, A-1010 Vienna, Austria, Europe
> Tel: +43 1 4277 - 14078 (Fax: - 9140) HM3550-RIPE
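The two operational arguments in this thread can be checked against an address plan before anything is deployed. The script below is an added example written for this archive page; it is not code from Eric, Harald, Cisco, ACOnet or the draft. It models Eric's point (a peer that drops BGP announcements longer than /48 has no route to a /64 IXP LAN, so loose-mode uRPF discards packets sourced from that LAN) and Harald's point (with a well-structured address plan, router loopbacks and link networks collapse into a single infrastructure-protection ACL entry that covers no customer space). All prefixes are constructed from the 2001:db8::/32 documentation range; the /48 import threshold and the FIB/uRPF/ACL logic are simplified models of router behaviour, not a vendor implementation.

```python
"""Checks behind the eix-wg thread on LLA-only IXP LANs (added example)."""
import ipaddress

# Assumed import policy: many operators accept nothing longer than a /48.
MAX_ACCEPTED_PREFIXLEN = 48

# Constructed announcements: two ordinary allocations plus an IXP peering
# LAN numbered as a /64, i.e. longer than /48, as Eric describes.
ANNOUNCEMENTS = ["2001:db8:1::/48", "2001:db8:ffff::/64", "2001:db8:a000::/36"]
IXP_LAN = ipaddress.ip_network("2001:db8:ffff::/64")

# Constructed infrastructure plan in the style Harald describes: loopbacks
# and link networks carved from one aggregate, customers elsewhere.
INFRA_PREFIXES = [
    "2001:db8:a0ff::/64",    # router loopbacks
    "2001:db8:a0ff:1::/64",  # link networks, region 1
    "2001:db8:a0ff:2::/64",  # link networks, region 2
]
CUSTOMER_PREFIXES = ["2001:db8:a001::/48", "2001:db8:a002::/48"]


def bgp_import_filter(announcements, max_len=MAX_ACCEPTED_PREFIXLEN):
    """Keep only announcements no longer than max_len. This is the policy
    that silently leaves a /64 IXP prefix out of the receiving FIB."""
    kept = []
    for prefix in announcements:
        net = ipaddress.ip_network(prefix, strict=True)
        if net.prefixlen <= max_len:
            kept.append(net)
    return kept


def urpf_loose_check(fib, src):
    """Loose-mode unicast RPF: accept only if some FIB route covers the
    source address. With the IXP /64 filtered out, packets sourced from
    the peering LAN fail this check and are dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in route for route in fib)


def covering_acl_entry(prefixes):
    """Smallest single summary covering every infrastructure prefix, i.e.
    the one-entry infrastructure protection ACL Harald mentions."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one bit until all fit
    return summary


def acl_overreach(summary, customer_prefixes):
    """Customer prefixes the summary would wrongly pull into the
    infrastructure ACL; an empty list means the plan keeps it tight."""
    return [p for p in customer_prefixes
            if summary.overlaps(ipaddress.ip_network(p, strict=True))]


if __name__ == "__main__":
    fib = bgp_import_filter(ANNOUNCEMENTS)
    print("FIB after import filter:", [str(n) for n in fib])
    for src in ("2001:db8:1::5", "2001:db8:ffff::1"):
        verdict = "accept" if urpf_loose_check(fib, src) else "drop"
        print(f"uRPF loose check for source {src}: {verdict}")
    summary = covering_acl_entry(INFRA_PREFIXES)
    print("infrastructure ACL entry:", summary)
    print("customer prefixes wrongly covered:",
          acl_overreach(summary, CUSTOMER_PREFIXES))
```

Running it shows the /64 IXP LAN missing from the FIB and a packet sourced from it failing the uRPF check, while the infrastructure plan collapses to 2001:db8:a0ff::/62 with no customer overlap. Relaxing the import threshold to /64 makes the same source pass, which is exactly the reachability the draft's LLA-only option would remove by design rather than by filter policy.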