Transcript The Pros and Cons of “Going Unnumbered”
The Pros and Cons of “Going Unnumbered”
Kireeti Kompella Juniper Fellow Copyright © 2006 Juniper Networks, Inc. www.juniper.net 1
Agenda
Does an IP router require IP addresses?
• for the data plane?
• for the control plane?
Issues with address assignment Issues with going unnumbered What else can be done?
Copyright © 2006 Juniper Networks, Inc. www.juniper.net 2
A Word on the Confusing Terminology
IP addresses were often called “IP numbers” • An interface with an IP address was said to be “numbered”; consequently, one without an IP address was called “unnumbered” (no IP number) Funnily enough, an unnumbered interface has a numerical index (the interface index) In this presentation, we will stay with this terminology, paradoxical as it might seem Copyright © 2006 Juniper Networks, Inc. www.juniper.net 3
Caveats
We will only consider point-to-point interfaces as candidates for unnumbering There are issues in addressing end-points on a multi-drop (multipoint, LAN) interfaces without IP addresses • Typically, one uses some form of ARP to resolve this, but for this to work, one needs IP addresses Also, we assume that a router will have at least one IP address, the loopback address Copyright © 2006 Juniper Networks, Inc. www.juniper.net 4
Why Have IP Addresses on Routers?
Does a router need IP addresses on each interface to forward transit packets?
• Ignore source-routed packets :-) Packets are generally not addressed to the router itself • • In this case, the addresses on the router (or lack thereof) are mostly irrelevant Even if packets are addressed to the router itself, they are usually addressed to • the loopback address (for administration, iBGP, …) • a well-known multicast address (for most IGPs) Copyright © 2006 Juniper Networks, Inc. www.juniper.net 5
Forwarding Path Exceptions
ICMP often requires interface addresses • • Redirects only apply to multipoint interfaces Most other ICMP packets (TTL expiry, DF, …) can be modified to use the loopback address • This may provide less information than using the interface address, so this is a trade-off to consider carefully • For example, if one has a small MTU on one interface, one may want to identify the exact interface, not the router as a whole Copyright © 2006 Juniper Networks, Inc. www.juniper.net 6
What About a Router’s Control Plane?
Most routing protocols have been updated to accommodate unnumbered interfaces • OSPFv2 and v3 have supported unnumbered point-to point interfaces from the beginning • IS-IS only carries IP addresses as ballast • • • • iBGP peering is to the loopback address RSVP-TE and LDP also support unnumbered i/fs PIM?
IGMP is mostly used on multipoint interfaces, which is outside the scope of this talk Copyright © 2006 Juniper Networks, Inc. www.juniper.net 7
Unnumbered Operation
Routers with unnumbered interfaces (IP addresses only for loopback) OSPF with unnumbered interfaces i-BGP peering between loopbacks Packet forwarding through routed network Copyright © 2006 Juniper Networks, Inc. www.juniper.net 8
What About “External” Interfaces?
The one glaring exception is eBGP, whose peering is typically to an interface address We’ll come back to this issue First, let’s see why we should reconsider having IP addresses on interfaces Copyright © 2006 Juniper Networks, Inc. www.juniper.net 9
Issues With Address Assignment
Management of addresses and subnets Simplifying configuration of routers Protection of router addresses Copyright © 2006 Juniper Networks, Inc. www.juniper.net 10
Address Management
Must allocate addresses in same subnet for both ends (/31 subnets help) Reconfiguration of router topology requires re-numbering interfaces Every interface needs a unique address Copyright © 2006 Juniper Networks, Inc. Sometimes, address scarcity also plays a factor; if a single address block doesn’t cover all interface addresses, this can lead to more complexity www.juniper.net 11
Simplifying Configuration
One can (roughly) categorize a router’s configuration into • Infrastructure (what the router needs to operate) • Security (ACLs and policies) • Services (QoS/CoS, peering, VPNs, …) Infrastructure configuration consists of protocols, interfaces and self-protective ACLs • A significant portion of this configuration accrues from having interface addresses Copyright © 2006 Juniper Networks, Inc. www.juniper.net 12
Numbered Infrastructure Config
Every interface needs its own unique IP address • IP addresses at both ends of an interface must also be configured consistently Each such address needs to be entered into the self-protective ACLs, to protect the router against DoS attacks • Careful management of router interface address spaces can make this easier, but then address assignment becomes harder Copyright © 2006 Juniper Networks, Inc. www.juniper.net 13
Unnumbered Infrastructure Config
Interface configuration can be “cookie-cutter” • A template mechanism allows one to configure all interfaces with (say) a PPP encapsulation, and supporting network protocols of IPv4, ISIS and MPLS Not having interface addresses means having to configure much fewer self-protective ACLs • • Just have to protect the loopback address, and this need be done only once Managing an address space for loopbacks is quite easy, as these are /32s (no fragmentation) Copyright © 2006 Juniper Networks, Inc. www.juniper.net 14
Protection of Router Addresses
IP routing is often viewed as insecure • The reason is largely the same as IP’s success: the global nature of IP addressing • ATM/Frame Relay, on the other hand, are viewed as secure, because the addresses are link-local, and attacks on the control plane are much harder Aside: remember the OSPF vs. IS-IS debate? One argument in favor of IS-IS was that OSPF was more vulnerable to DoS attacks Unnumbered interfaces go a long way towards redressing this issue -- i/f indices are link-local Copyright © 2006 Juniper Networks, Inc. www.juniper.net 15
Alternatives to Unnumbering
Use private addresses for interfaces Use independent /32s for each interface Automatically assign interface addresses (IPv6) Establish IGP adjacencies over numbered interfaces, but don’t inject interface addresses into IGP • Interfaces have addresses, but not reachability Copyright © 2006 Juniper Networks, Inc. www.juniper.net 16
Private Interface Addresses
This solves many of the issues with interface addresses • Protection (most ISPs won’t forward packets with private addresses) • Address management -- much larger address blocks are available, making management simpler Configuration is still needed, however Redoing the topology still requires a fair amount of work Copyright © 2006 Juniper Networks, Inc. www.juniper.net 17
Independent /32s for Interfaces
This means that there is no relation between the addresses on the two ends of an interface • This relies on the IGP to provide this relationship This significantly reduces the burden of address management and synchronization • Also, reconfiguration of topology is much easier Protection of router addresses is still an issue • If one combines the previous approach (private /32s for interfaces), this offers a fairly good solution Copyright © 2006 Juniper Networks, Inc. www.juniper.net 18
Automatic Address Assignment
This is unfortunately not an option for IPv4, because of address scarcity However, for IPv6, this works quite well • The issues of address management and configuration disappear • • Protection of interface addresses is also a non-issue Reconfiguration of topology is automatically handled In a sense, unnumbered interfaces attempt to do for IPv4 what link-local addresses offer IPv6 Copyright © 2006 Juniper Networks, Inc. www.juniper.net 19
Unadvertised Interface Addresses
The option of assigning interface addresses, but not advertising them into the IGP is being used by a few Service Providers This alleviates most of the protection issues of address assignment • However, the other issues remain Again, one can use this in conjunction with other techniques Copyright © 2006 Juniper Networks, Inc. www.juniper.net 20
Back to eBGP
We’ve left the issue of eBGP hanging It’s important to keep in mind the balance between “infrastructure” and “services” • what’s inside the network and what’s outside Running eBGP only to interface addresses allows a great deal more control and protection • • One doesn’t have to expose router loopbacks to peers External interfaces also need public addresses Copyright © 2006 Juniper Networks, Inc. www.juniper.net 21
Summary
Why have IP addresses on interfaces?
Why not?
Infrastructure plug-and-play Copyright © 2006 Juniper Networks, Inc. www.juniper.net 22
Why IP Addresses on Interfaces?
For one, we are used to this • This may not seem a good reason, but change is hard In many cases, this is required for management • Many implementations of SNMP-based tools assume that interfaces have addresses, and use common subnets to associate both ends of an interface • This is ironic, as SNMP itself uses interface indices (not addresses) to identify interfaces!
Copyright © 2006 Juniper Networks, Inc. www.juniper.net 23
Why not?
We’ve seen several reasons, including • • simplified configuration address management • router self-protection But let’s talk about one more: “plug-and-play” Copyright © 2006 Juniper Networks, Inc. www.juniper.net 24
Infrastructure Plug-and-Play
For IP routing, reconfiguration of topology is fairly complex and configuration intensive For Ethernet switching, however, topology reconfiguration is trivial, thanks to plug-and-play Can we make IP reconfiguration as easy?
• Going unnumbered would be a very important step if we decide that this would be a Good Thing Should we?
• Automatic P&P in the infrastructure may be good; P&P on the edge would be dangerous Copyright © 2006 Juniper Networks, Inc. www.juniper.net 25