The Pros and Cons of “Going Unnumbered”
Kireeti Kompella, Juniper Fellow
Copyright © 2006 Juniper Networks, Inc. www.juniper.net

Agenda
§ Does an IP router require IP addresses?
  • for the data plane?
  • for the control plane?
§ Issues with address assignment
§ Issues with going unnumbered
§ What else can be done?

A Word on the Confusing Terminology
§ IP addresses were often called “IP numbers”
  • An interface with an IP address was said to be “numbered”; consequently, one without an IP address was called “unnumbered” (no IP number)
§ Funnily enough, an unnumbered interface has a numerical index (the interface index)
§ In this presentation, we will stay with this terminology, paradoxical as it might seem

Caveats
§ We will only consider point-to-point interfaces as candidates for unnumbering
§ There are issues in addressing end-points on a multi-drop (multipoint, LAN) interface without IP addresses
  • Typically, one uses some form of ARP to resolve this, but for this to work, one needs IP addresses
§ Also, we assume that a router will have at least one IP address, the loopback address

Why Have IP Addresses on Routers?
§ Does a router need IP addresses on each interface to forward transit packets?
  • Ignore source-routed packets :-)
§ Packets are generally not addressed to the router itself
  • In this case, the addresses on the router (or lack thereof) are mostly irrelevant
  • Even if packets are addressed to the router itself, they are usually addressed to
    • the loopback address (for administration, iBGP, …)
    • a well-known multicast address (for most IGPs)

Forwarding Path Exceptions
§ ICMP often requires interface addresses
  • Redirects only apply to multipoint interfaces
  • Most other ICMP packets (TTL expiry, DF, …) can be modified to use the loopback address
  • This may provide less information than using the interface address, so this is a trade-off to consider carefully
  • For example, if one has a small MTU on one interface, one may want to identify the exact interface, not the router as a whole

What About a Router’s Control Plane?
§ Most routing protocols have been updated to accommodate unnumbered interfaces
  • OSPFv2 and v3 have supported unnumbered point-to-point interfaces from the beginning
  • IS-IS only carries IP addresses as ballast
  • iBGP peering is to the loopback address
  • RSVP-TE and LDP also support unnumbered i/fs
  • PIM?
  • IGMP is mostly used on multipoint interfaces, which is outside the scope of this talk

Unnumbered Operation
[Diagram: routers with unnumbered interfaces (IP addresses only for loopback); iBGP peering between loopbacks; OSPF with unnumbered interfaces; packet forwarding through the routed network]

What About “External” Interfaces?
§ The one glaring exception is eBGP, whose peering is typically to an interface address
§ We’ll come back to this issue
§ First, let’s see why we should reconsider having IP addresses on interfaces

Issues With Address Assignment
§ Management of addresses and subnets
§ Simplifying configuration of routers
§ Protection of router addresses

Address Management
[Diagram callouts:]
§ Must allocate addresses in the same subnet for both ends (/31 subnets help)
§ Every interface needs a unique address
§ Reconfiguration of router topology requires re-numbering interfaces
§ Sometimes, address scarcity also plays a factor; if a single address block doesn’t cover all interface addresses, this can lead to more complexity

Simplifying Configuration
§ One can (roughly) categorize a router’s configuration into
  • Infrastructure (what the router needs to operate)
  • Security (ACLs and policies)
  • Services (QoS/CoS, peering, VPNs, …)
§ Infrastructure configuration consists of protocols, interfaces and self-protective ACLs
  • A significant portion of this configuration accrues from having interface addresses

Numbered Infrastructure Config
§ Every interface needs its own unique IP address
  • IP addresses at both ends of an interface must also be configured consistently
§ Each such address needs to be entered into the self-protective ACLs, to protect the router against DoS attacks
  • Careful management of router interface address spaces can make this easier, but then address assignment becomes harder

Unnumbered Infrastructure Config
§ Interface configuration can be “cookie-cutter”
  • A template mechanism allows one to configure all interfaces with (say) a PPP encapsulation, and supporting network protocols of IPv4, IS-IS and MPLS
§ Not having interface addresses means having to configure far fewer self-protective ACLs
  • Just have to protect the loopback address, and this need be done only once
  • Managing an address space for loopbacks is quite easy, as these are /32s (no fragmentation)

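To make the bookkeeping contrast of the Address Management, Numbered Infrastructure Config and Unnumbered Infrastructure Config slides concrete, here is an added Python model that is not part of the talk; the three-router topology, the ge-x/y/z port names, the loopbacks and the 10.1.0.0/24 link pool are all constructed.

```python
# Added example (not from the talk): a small model of the address and ACL
# bookkeeping that numbered vs. unnumbered point-to-point links impose.
import ipaddress

# Constructed sample core: /32 loopbacks, links as pairs of (router, port).
LOOPBACKS = {"r1": "10.0.0.1", "r2": "10.0.0.2", "r3": "10.0.0.3"}
LINKS = [
    (("r1", "ge-0/0/0"), ("r2", "ge-0/0/0")),
    (("r2", "ge-0/0/1"), ("r3", "ge-0/0/0")),
    (("r1", "ge-0/0/1"), ("r3", "ge-0/0/1")),
]
LINK_POOL = ipaddress.ip_network("10.1.0.0/24")  # block carved into /31s


def number_links(links, pool=LINK_POOL):
    """Numbered mode: one /31 per link so both ends share a subnet.
    Returns {(router, port): address}; raises StopIteration when the pool
    runs dry (the address-scarcity case on the Address Management slide)."""
    subnets = pool.subnets(new_prefix=31)
    addrs = {}
    for end_a, end_b in links:
        sub = next(subnets)
        addrs[end_a], addrs[end_b] = str(sub[0]), str(sub[1])
    return addrs


def unnumber_links(links):
    """Unnumbered mode: an end is identified only by its own port (a
    link-local ifIndex), so no address is consumed and nothing has to
    match across the link. Returns {(router, port): port}."""
    return {end: end[1] for link in links for end in link}


def protect_set(router, loopbacks, addrs=None):
    """What the router's self-protective ACL must cover: only the loopback
    when unnumbered; the loopback plus every interface address when numbered
    (pass the result of number_links as addrs)."""
    covered = {loopbacks[router]}
    for (r, _port), addr in (addrs or {}).items():
        if r == router:
            covered.add(addr)
    return covered


def renumbered_ends(old, new):
    """Ends that kept their port but changed identity after a topology
    change re-carved the pool: the renumbering cost of staying numbered."""
    return {end for end, ident in new.items() if end in old and old[end] != ident}
```

Dropping the r1-r2 link and re-carving the pool renumbers all four remaining ends in numbered mode, while the unnumbered ends keep their port identities and the ACL for each router never grows beyond its loopback.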
Protection of Router Addresses
§ IP routing is often viewed as insecure
  • The reason is largely the same as IP’s success: the global nature of IP addressing
  • ATM/Frame Relay, on the other hand, are viewed as secure, because the addresses are link-local, and attacks on the control plane are much harder
§ Aside: remember the OSPF vs. IS-IS debate? One argument in favor of IS-IS was that OSPF was more vulnerable to DoS attacks
§ Unnumbered interfaces go a long way towards redressing this issue -- i/f indices are link-local

Alternatives to Unnumbering
§ Use private addresses for interfaces
§ Use independent /32s for each interface
§ Automatically assign interface addresses (IPv6)
§ Establish IGP adjacencies over numbered interfaces, but don’t inject interface addresses into the IGP
  • Interfaces have addresses, but not reachability

Private Interface Addresses
§ This solves many of the issues with interface addresses
  • Protection (most ISPs won’t forward packets with private addresses)
  • Address management -- much larger address blocks are available, making management simpler
§ Configuration is still needed, however
§ Redoing the topology still requires a fair amount of work

Independent /32s for Interfaces
§ This means that there is no relation between the addresses on the two ends of an interface
  • This relies on the IGP to provide this relationship
§ This significantly reduces the burden of address management and synchronization
  • Also, reconfiguration of topology is much easier
§ Protection of router addresses is still an issue
  • Combined with the previous approach (private /32s for interfaces), this offers a fairly good solution

Automatic Address Assignment
§ This is unfortunately not an option for IPv4, because of address scarcity
§ However, for IPv6, this works quite well
  • The issues of address management and configuration disappear
  • Protection of interface addresses is also a non-issue
  • Reconfiguration of topology is automatically handled
§ In a sense, unnumbered interfaces attempt to do for IPv4 what link-local addresses offer IPv6

Unadvertised Interface Addresses
§ The option of assigning interface addresses, but not advertising them into the IGP, is being used by a few Service Providers
§ This alleviates most of the protection issues of address assignment
  • However, the other issues remain
§ Again, one can use this in conjunction with other techniques

Back to eBGP
§ We’ve left the issue of eBGP hanging
§ It’s important to keep in mind the balance between “infrastructure” and “services”
  • what’s inside the network and what’s outside
§ Running eBGP only to interface addresses allows a great deal more control and protection
  • One doesn’t have to expose router loopbacks to peers
  • External interfaces also need public addresses

Summary
§ Why have IP addresses on interfaces?
§ Why not?
§ Infrastructure plug-and-play

Why IP Addresses on Interfaces?
§ For one, we are used to this
  • This may not seem a good reason, but change is hard
§ In many cases, this is required for management
  • Many implementations of SNMP-based tools assume that interfaces have addresses, and use common subnets to associate both ends of an interface
  • This is ironic, as SNMP itself uses interface indices (not addresses) to identify interfaces!

Why not?
§ We’ve seen several reasons, including
  • simplified configuration
  • address management
  • router self-protection
§ But let’s talk about one more: “plug-and-play”

Infrastructure Plug-and-Play
§ For IP routing, reconfiguration of topology is fairly complex and configuration intensive
§ For Ethernet switching, however, topology reconfiguration is trivial, thanks to plug-and-play
§ Can we make IP reconfiguration as easy?
  • Going unnumbered would be a very important step if we decide that this would be a Good Thing
§ Should we?
  • Automatic P&P in the infrastructure may be good; P&P on the edge would be dangerous

Thank you!