The Pros and Cons of “Going Unnumbered”

Download Report

Transcript The Pros and Cons of “Going Unnumbered”

The Pros and Cons of “Going Unnumbered”

Kireeti Kompella Juniper Fellow Copyright © 2006 Juniper Networks, Inc. www.juniper.net 1

Agenda

 Does an IP router require IP addresses?

   • for the data plane?

• for the control plane?

Issues with address assignment Issues with going unnumbered What else can be done?

Copyright © 2006 Juniper Networks, Inc. www.juniper.net 2

A Word on the Confusing Terminology

 IP addresses were often called “IP numbers”   • An interface with an IP address was said to be “numbered”; consequently, one without an IP address was called “unnumbered” (no IP number) Funnily enough, an unnumbered interface has a numerical index (the interface index) In this presentation, we will stay with this terminology, paradoxical as it might seem Copyright © 2006 Juniper Networks, Inc. www.juniper.net 3

Caveats

  We will only consider point-to-point interfaces as candidates for unnumbering There are issues in addressing end-points on a multi-drop (multipoint, LAN) interfaces without IP addresses  • Typically, one uses some form of ARP to resolve this, but for this to work, one needs IP addresses Also, we assume that a router will have at least one IP address, the loopback address Copyright © 2006 Juniper Networks, Inc. www.juniper.net 4

Why Have IP Addresses on Routers?

 Does a router need IP addresses on each interface to forward transit packets?

• Ignore source-routed packets :-)  Packets are generally not addressed to the router itself • • In this case, the addresses on the router (or lack thereof) are mostly irrelevant Even if packets are addressed to the router itself, they are usually addressed to • the loopback address (for administration, iBGP, …) • a well-known multicast address (for most IGPs) Copyright © 2006 Juniper Networks, Inc. www.juniper.net 5

Forwarding Path Exceptions

 ICMP often requires interface addresses • • Redirects only apply to multipoint interfaces Most other ICMP packets (TTL expiry, DF, …) can be modified to use the loopback address • This may provide less information than using the interface address, so this is a trade-off to consider carefully • For example, if one has a small MTU on one interface, one may want to identify the exact interface, not the router as a whole Copyright © 2006 Juniper Networks, Inc. www.juniper.net 6

What About a Router’s Control Plane?

 Most routing protocols have been updated to accommodate unnumbered interfaces • OSPFv2 and v3 have supported unnumbered point-to point interfaces from the beginning • IS-IS only carries IP addresses as ballast • • • • iBGP peering is to the loopback address RSVP-TE and LDP also support unnumbered i/fs PIM?

IGMP is mostly used on multipoint interfaces, which is outside the scope of this talk Copyright © 2006 Juniper Networks, Inc. www.juniper.net 7

Unnumbered Operation

Routers with unnumbered interfaces (IP addresses only for loopback) OSPF with unnumbered interfaces i-BGP peering between loopbacks Packet forwarding through routed network Copyright © 2006 Juniper Networks, Inc. www.juniper.net 8

What About “External” Interfaces?

  The one glaring exception is eBGP, whose peering is typically to an interface address We’ll come back to this issue  First, let’s see why we should reconsider having IP addresses on interfaces Copyright © 2006 Juniper Networks, Inc. www.juniper.net 9

Issues With Address Assignment

   Management of addresses and subnets Simplifying configuration of routers Protection of router addresses Copyright © 2006 Juniper Networks, Inc. www.juniper.net 10

Address Management

Must allocate addresses in same subnet for both ends (/31 subnets help) Reconfiguration of router topology requires re-numbering interfaces Every interface needs a unique address Copyright © 2006 Juniper Networks, Inc. Sometimes, address scarcity also plays a factor; if a single address block doesn’t cover all interface addresses, this can lead to more complexity www.juniper.net 11

Simplifying Configuration

 One can (roughly) categorize a router’s configuration into • Infrastructure (what the router needs to operate) • Security (ACLs and policies)  • Services (QoS/CoS, peering, VPNs, …) Infrastructure configuration consists of protocols, interfaces and self-protective ACLs • A significant portion of this configuration accrues from having interface addresses Copyright © 2006 Juniper Networks, Inc. www.juniper.net 12

Numbered Infrastructure Config

 Every interface needs its own unique IP address  • IP addresses at both ends of an interface must also be configured consistently Each such address needs to be entered into the self-protective ACLs, to protect the router against DoS attacks • Careful management of router interface address spaces can make this easier, but then address assignment becomes harder Copyright © 2006 Juniper Networks, Inc. www.juniper.net 13

Unnumbered Infrastructure Config

 Interface configuration can be “cookie-cutter”  • A template mechanism allows one to configure all interfaces with (say) a PPP encapsulation, and supporting network protocols of IPv4, ISIS and MPLS Not having interface addresses means having to configure much fewer self-protective ACLs • • Just have to protect the loopback address, and this need be done only once Managing an address space for loopbacks is quite easy, as these are /32s (no fragmentation) Copyright © 2006 Juniper Networks, Inc. www.juniper.net 14

Protection of Router Addresses

 IP routing is often viewed as insecure   • The reason is largely the same as IP’s success: the global nature of IP addressing • ATM/Frame Relay, on the other hand, are viewed as secure, because the addresses are link-local, and attacks on the control plane are much harder Aside: remember the OSPF vs. IS-IS debate? One argument in favor of IS-IS was that OSPF was more vulnerable to DoS attacks Unnumbered interfaces go a long way towards redressing this issue -- i/f indices are link-local Copyright © 2006 Juniper Networks, Inc. www.juniper.net 15

Alternatives to Unnumbering

    Use private addresses for interfaces Use independent /32s for each interface Automatically assign interface addresses (IPv6) Establish IGP adjacencies over numbered interfaces, but don’t inject interface addresses into IGP • Interfaces have addresses, but not reachability Copyright © 2006 Juniper Networks, Inc. www.juniper.net 16

Private Interface Addresses

 This solves many of the issues with interface addresses • Protection (most ISPs won’t forward packets with private addresses)   • Address management -- much larger address blocks are available, making management simpler Configuration is still needed, however Redoing the topology still requires a fair amount of work Copyright © 2006 Juniper Networks, Inc. www.juniper.net 17

Independent /32s for Interfaces

 This means that there is no relation between the addresses on the two ends of an interface • This relies on the IGP to provide this relationship  This significantly reduces the burden of address management and synchronization  • Also, reconfiguration of topology is much easier Protection of router addresses is still an issue • If one combines the previous approach (private /32s for interfaces), this offers a fairly good solution Copyright © 2006 Juniper Networks, Inc. www.juniper.net 18

Automatic Address Assignment

  This is unfortunately not an option for IPv4, because of address scarcity However, for IPv6, this works quite well • The issues of address management and configuration disappear • • Protection of interface addresses is also a non-issue Reconfiguration of topology is automatically handled  In a sense, unnumbered interfaces attempt to do for IPv4 what link-local addresses offer IPv6 Copyright © 2006 Juniper Networks, Inc. www.juniper.net 19

Unadvertised Interface Addresses

  The option of assigning interface addresses, but not advertising them into the IGP is being used by a few Service Providers This alleviates most of the protection issues of address assignment  • However, the other issues remain Again, one can use this in conjunction with other techniques Copyright © 2006 Juniper Networks, Inc. www.juniper.net 20

Back to eBGP

   We’ve left the issue of eBGP hanging It’s important to keep in mind the balance between “infrastructure” and “services” • what’s inside the network and what’s outside Running eBGP only to interface addresses allows a great deal more control and protection • • One doesn’t have to expose router loopbacks to peers External interfaces also need public addresses Copyright © 2006 Juniper Networks, Inc. www.juniper.net 21

Summary

   Why have IP addresses on interfaces?

Why not?

Infrastructure plug-and-play Copyright © 2006 Juniper Networks, Inc. www.juniper.net 22

Why IP Addresses on Interfaces?

 For one, we are used to this  • This may not seem a good reason, but change is hard In many cases, this is required for management • Many implementations of SNMP-based tools assume that interfaces have addresses, and use common subnets to associate both ends of an interface • This is ironic, as SNMP itself uses interface indices (not addresses) to identify interfaces!

Copyright © 2006 Juniper Networks, Inc. www.juniper.net 23

Why not?

 We’ve seen several reasons, including • • simplified configuration address management  • router self-protection But let’s talk about one more: “plug-and-play” Copyright © 2006 Juniper Networks, Inc. www.juniper.net 24

Infrastructure Plug-and-Play

   For IP routing, reconfiguration of topology is fairly complex and configuration intensive For Ethernet switching, however, topology reconfiguration is trivial, thanks to plug-and-play Can we make IP reconfiguration as easy?

 • Going unnumbered would be a very important step if we decide that this would be a Good Thing Should we?

• Automatic P&P in the infrastructure may be good; P&P on the edge would be dangerous Copyright © 2006 Juniper Networks, Inc. www.juniper.net 25

Thank you!