[eix-wg] IPv6 Link Local Addressing on IXPs?
Harald Michl harald.michl at univie.ac.at
Fri Nov 23 09:13:34 CET 2012
Servus Michael, Hi Eric, My first impression was "wow what an idea". But while reading the document I must admit that some concerns where rising on the horzion.. Some comments and thoughts wearing different hats: IXP-related: I think it is a big advantage of having global routable addresses on an IXP-LAN. You can easily see in a traceroute whether you cross an IXP or not. If you see only loopback-addresses in the traceroute you never know whether the routed traffic goes via a private interconnect or the IXP plattform. That makes debugging much more complex from my point of view. Except from limited reachablitity (= attack risk) I do not see any advantage of LLAs. Limiting this risk is also possible via filtering of traffic from outside to the IXP of all participants as you mention in the document. And it's a kind of trust that all parties connected to an IXP do what is expected and I can imagine ways to check that -> ping or traceroute to the IXP LAN via Atlas UDM would be one of the possibilities. Or having a probe within the IXP-LAN pinging an address at the IXP-Members network which shouldn't work. In case it works -> alarm. ISP-related: The Austrian Academic Network consists of multiple redundant links. Our (open source) monitoring system Icinga pings regularly all our router interfaces (dual-stack) to ensure all links are working properly. The real-config is syced with our database and it's therefore very easy to automagically generate the config for the monitoring tool (and the (r)dns-config as well, btw). Having only LLAs in the network would certainly make monitoring and the configuration of the monitoring system much more complex. Something I do not understand: one one side the documents mentions that the configuration gets lighter as addresses don't have to be configured - on the other hand recommends to use statically configured LLAs (which would make sense from my point of view). The problem is: if you configure LLAs statically, the benefit is lost. Attack potential: Of course link interfaces could not be attacked from outside if they have no global routeable address, but: you still have to have a loopback-address, which has to be global routable. And as long as the router has one single global reachable address, it's attackable. Therefore you need an infrastructure protection acl anyway (as mentioned in your document) -> We solve this problem by having a nice address-structure and our infrastructure protection acl has exactly one entry which includes Loopback _and_ link networks. very easy, very clear. The only benefit I really see is that the routing table can be reduced. For a network of our size this benefit is not worth the risks, I personally think. So, these are my comments - I'm curiously waiting for other opinions to discuss. kind regards from Vienna, Harald On 21.11.12 14:42, Michael Behringer (mbehring) wrote: > EIX WG, > > Eric and myself have put together an internet draft on the usage of > IPv6 link local addressing on infrastructure links. The goal is to > document what works and what doesn't when you only have IP6 link > local addresses on such links. > > We were pointed to the fact that this question is also arising for > IXPs, and have now tried to capture the high level view for IXPs. > > We'd appreciate feedback on our draft, specifically section 2.4 > http://tools.ietf.org/html/draft-ietf-opsec-lla-only-02 > > Please let us know how we can improve the draft, specifically this > section. Any feedback is welcome. If you are "okay" with the current > draft, a quick note would also help us. > > Thanks! Eric and Michael > > -- Harald Michl <harald.michl at univie.ac.at> Vienna University - ACOnet www.ACO.net - VIX www.VIX.at Universitaetsstrasse 7, A-1010 Vienna, Austria, Europe Tel: +43 1 4277 - 14078 (Fax: - 9140) HM3550-RIPE
[ eix-wg Archives ]