| draft-ietf-grow-no-more-unallocated-slash8s-00.txt | draft-ietf-grow-no-more-unallocated-slash8s-01.txt | |||
|---|---|---|---|---|
| Network Working Group L. Vegoda | Network Working Group L. Vegoda | |||
| Internet-Draft ICANN | Internet-Draft ICANN | |||
| Intended status: BCP March 12, 2011 | Intended status: BCP May 13, 2011 | |||
| Expires: September 13, 2011 | Expires: November 14, 2011 | |||
| Time to Remove Filters for Previously Unallocated IPv4 /8s | Time to Remove Filters for Previously Unallocated IPv4 /8s | |||
| draft-ietf-grow-no-more-unallocated-slash8s-00 | draft-ietf-grow-no-more-unallocated-slash8s-01 | |||
| Abstract | Abstract | |||
| It has been common for network administrators to filter IP traffic | It has been common for network administrators to filter IP traffic | |||
| coming from unallocated IPv4 address space. Now that there are no | from and BGP prefixes of unallocated IPv4 address space. Now that | |||
| longer any unallocated IPv4 /8s, this practise is more complicated, | there are no longer any unallocated IPv4 /8s, this practise is more | |||
| fragile and expensive. Network administrators are advised to remove | complicated, fragile and expensive. Network administrators are | |||
| filters based on the registration status of the address space. | advised to remove filters based on the registration status of the | |||
| address space. | ||||
| This document explains why any remaining filters for unallocated IPv4 | This document explains why any remaining packet and BGP prefix | |||
| /8s should now be removed on border routers and documents those IPv4 | filters for unallocated IPv4 /8s should now be removed on border | |||
| unicast prefixes that should not be routed across the public | routers and documents those IPv4 unicast prefixes that should not be | |||
| Internet. | routed across the public Internet. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 13, 2011. | This Internet-Draft will expire on November 14, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 18 | skipping to change at page 2, line 19 | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Traffic Filtering Options . . . . . . . . . . . . . . . . . . . 3 | 3. Traffic Filtering Options . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. No Longer Filtering Based on Address Registration | 3.1. No Longer Filtering Based on Address Registration | |||
| Status . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | Status . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.2. Continuing to Filter Traffic from Unallocated IPv4 | 3.2. Continuing to Filter Traffic from Unallocated IPv4 | |||
| Space . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | Space . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Prefixes That Should Not be Routed Across the Internet . . . . 4 | 4. Prefixes That Should Not be Routed Across the Internet . . . . 4 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. Normative References . . . . . . . . . . . . . . . . . . . . . 5 | 7. Normative References . . . . . . . . . . . . . . . . . . . . . 5 | |||
| Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 5 | Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 6 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 5 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1. Introduction | 1. Introduction | |||
| It has been common for network administrators to filter IP traffic | It has been common for network administrators to filter IP traffic | |||
| coming from unallocated IPv4 address space. Now that there are no | from and BGP prefixes of unallocated IPv4 address space. Now that | |||
| longer any unallocated IPv4 /8s, this practise is more complicated, | there are no longer any unallocated IPv4 /8s, this practise is more | |||
| fragile and expensive. Network administrators are advised to remove | complicated, fragile and expensive. Network administrators are | |||
| filters based on the registration status of the address space. | advised to remove filters based on the registration status of the | |||
| address space. | ||||
| This document explains why any remaining filters for unallocated IPv4 | This document explains why any remaining packet and BGP prefix | |||
| /8s should now be removed on border routers and documents those IPv4 | filters for unallocated IPv4 /8s should now be removed on border | |||
| unicast prefixes that should not be routed across the public | routers and documents those IPv4 unicast prefixes that should not be | |||
| Internet. | routed across the public Internet. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in BCP 14, RFC 2119 | document are to be interpreted as described in BCP 14, RFC 2119 | |||
| [RFC2119]. | [RFC2119]. | |||
| Bogons are packets sourced from addresses that have not yet been | ||||
| allocated by IANA or the Regional Internet Registries (RIRs), or | ||||
| addresses reserved for private or special use by RFCs [RFC3871]. | ||||
| Martians are packets with an altogether bogus (non-registered or ill- | ||||
| formed) Internet address [RFC1208]. Bogons are referred to as "Dark | ||||
| IP" in some circles. | ||||
| 3. Traffic Filtering Options | 3. Traffic Filtering Options | |||
| 3.1. No Longer Filtering Based on Address Registration Status | 3.1. No Longer Filtering Based on Address Registration Status | |||
| Network administrators who implemented filters for unallocated IPv4 | Network administrators who implemented filters for unallocated IPv4 | |||
| /8s did so in the knowledge that those /8s were not a legitimate | /8s did so in the knowledge that those /8s were not a legitimate | |||
| source of traffic on the Internet and that there was a small number | source of traffic on the Internet and that there was a small number | |||
| of filters to implement. Now that there are no longer any | of bogon filters to implement. Now that there are no longer any | |||
| unallocated unicast IPv4 /8s, there will be legitimate Internet | unallocated unicast IPv4 /8s, there will be legitimate Internet | |||
| traffic coming from all unicast /8s that are not reserved for special | traffic coming from all unicast /8s that are not reserved for special | |||
| purposes in an RFC. | purposes in an RFC. | |||
| Removing ingress filters based on the registration status of the IPv4 | Removing packet and prefix filters based on the registration status | |||
| address is a simple approach that will avoid blocking legitimate | of the IPv4 address is a simple approach that will avoid blocking | |||
| Internet traffic. | legitimate Internet traffic. Network operators SHOULD remove both | |||
| ingress and egress packet filters as well as BGP prefix filters for | ||||
| previously unallocated IPv4 /8s. | ||||
| 3.2. Continuing to Filter Traffic from Unallocated IPv4 Space | 3.2. Continuing to Filter Traffic from Unallocated IPv4 Space | |||
| Some network administrators might want to continue filtering | Some network administrators might want to continue filtering | |||
| unallocated IPv4 addresses managed by the Regional Internet | unallocated IPv4 addresses managed by the RIRs. This requires | |||
| Registries (RIRs). This requires significantly more granular ingress | significantly more granular ingress filters and the highly dynamic | |||
| filters and the highly dynamic nature of the RIRs' address pools | nature of the RIRs' address pools means that filters need to be | |||
| means that filters need to be updated on a daily basis to avoid | updated on a daily basis to avoid blocking legitimate incoming | |||
| blocking legitimate incoming traffic. | traffic. | |||
| 4. Prefixes That Should Not be Routed Across the Internet | 4. Prefixes That Should Not be Routed Across the Internet | |||
| Network operators who only wish to filter traffic originating from | Network operators who only wish to filter traffic originating from | |||
| addresses that should never be routed across the Internet can deploy | addresses that should never be routed across the Internet, Martians, | |||
| a set of ingress filters designed to block traffic from address | can deploy a set of packet and prefix filters designed to block | |||
| blocks reserved for special purposes. These are: | traffic from address blocks reserved for special purposes. These | |||
| are: | ||||
| - 0.0.0.0/8 (Local identification) [RFC1122]; | - 0.0.0.0/8 (Local identification) [RFC1122]; | |||
| - 10.0.0.0/8 (Private use) [RFC1918]; | - 10.0.0.0/8 (Private use) [RFC1918]; | |||
| - 127.0.0.0/8 (Loopback) [RFC1122]; | - 127.0.0.0/8 (Loopback) [RFC1122]; | |||
| - 169.254.0.0/16 (Link local) [RFC3927]; | - 169.254.0.0/16 (Link local) [RFC3927]; | |||
| - 172.16.0.0/12 (Private use) [RFC1918]; | - 172.16.0.0/12 (Private use) [RFC1918]; | |||
| skipping to change at page 5, line 13 | skipping to change at page 5, line 25 | |||
| This document makes no request of IANA. | This document makes no request of IANA. | |||
| 7. Normative References | 7. Normative References | |||
| [RFC1112] Deering, S., "Host extensions for IP multicasting", STD 5, | [RFC1112] Deering, S., "Host extensions for IP multicasting", STD 5, | |||
| RFC 1112, August 1989. | RFC 1112, August 1989. | |||
| [RFC1122] Braden, R., "Requirements for Internet Hosts - | [RFC1122] Braden, R., "Requirements for Internet Hosts - | |||
| Communication Layers", STD 3, RFC 1122, October 1989. | Communication Layers", STD 3, RFC 1122, October 1989. | |||
| [RFC1208] Jacobsen, O. and D. Lynch, "Glossary of networking terms", | ||||
| RFC 1208, March 1991. | ||||
| [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and | [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and | |||
| E. Lear, "Address Allocation for Private Internets", | E. Lear, "Address Allocation for Private Internets", | |||
| BCP 5, RFC 1918, February 1996. | BCP 5, RFC 1918, February 1996. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2544] Bradner, S. and J. McQuaid, "Benchmarking Methodology for | [RFC2544] Bradner, S. and J. McQuaid, "Benchmarking Methodology for | |||
| Network Interconnect Devices", RFC 2544, March 1999. | Network Interconnect Devices", RFC 2544, March 1999. | |||
| [RFC3871] Jones, G., "Operational Security Requirements for Large | ||||
| Internet Service Provider (ISP) IP Network | ||||
| Infrastructure", RFC 3871, September 2004. | ||||
| [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic | [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic | |||
| Configuration of IPv4 Link-Local Addresses", RFC 3927, | Configuration of IPv4 Link-Local Addresses", RFC 3927, | |||
| May 2005. | May 2005. | |||
| [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", | [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", | |||
| BCP 153, RFC 5735, January 2010. | BCP 153, RFC 5735, January 2010. | |||
| [RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks | [RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks | |||
| Reserved for Documentation", RFC 5737, January 2010. | Reserved for Documentation", RFC 5737, January 2010. | |||
| End of changes. 17 change blocks. | ||||
| 37 lines changed or deleted | 56 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||