--- 1/draft-ietf-grow-embed-addr-02.txt 2006-02-04 23:24:02.000000000 +0100 +++ 2/draft-ietf-grow-embed-addr-03.txt 2006-02-04 23:24:02.000000000 +0100 @@ -1,17 +1,17 @@ Global Routing Operations D. Plonka Internet-Draft University of Wisconsin Expires: December 7, 2004 June 8, 2004 Embedding Globally Routable Internet Addresses Considered Harmful - draft-ietf-grow-embed-addr-02 + draft-ietf-grow-embed-addr-03 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. @@ -40,20 +40,28 @@ Internet Protocol addresses embedded within firmware or elsewhere as part of their default configuration such that it influences run-time behavior. Revision History RFC-EDITOR: PLEASE REMOVE REVISION HISTORY BEFORE PUBLICATION. The following is the revision history of this document $Log: draft-ietf-grow-embed-addr.xml,v $ + Revision 1.17 2004/06/08 20:27:02 plonka + minor edits + + renamed from "-02" to "-03" + + Revision 1.16 2004/06/08 20:15:03 plonka + minor edits, fixed some typos + Revision 1.15 2004/06/08 14:16:45 plonka revised conclusion based on input from Geoff Huston added netgear-sntp technical report to list of informative references Revision 1.14 2004/06/07 18:16:27 plonka split references into normative and informative sections Revision 1.13 2004/06/07 16:32:10 plonka Set category to BCP. @@ -107,24 +115,24 @@ These products are now in operation world-wide and primarily include, but are not necessarily limited to, low-cost routers and middleboxes for personal or residential use. This "hard-coding" of globally routable IP addresses as identifiers within the host's firmware presents significant problems to the operation of the Internet and to the management of its address space. Ostensibly, this practice arose as an attempt to simplify configuration of IP hosts by preloading them with IP addresses as - service identifiers. Unfortunately, products that rely on such - embedded IP addresses initially may appear convenient to both the - product's designer and its operator or user, but this dubious benefit - comes at the expense of others in the Internet community. + service identifiers. Products that rely on such embedded IP + addresses initially may appear convenient to both the product's + designer and its operator or user, but this dubious benefit comes at + the expense of others in the Internet community. This document denounces the practice of embedding references to unique, globally routable IP addresses in Internet hosts, describes some of the resulting problems, and considers selected alternatives. It also reminds the Internet community of the ephemeral nature of unique, globally routable IP addresses and that the assignment and use of IP addresses as identifiers is temporary and therefore should not be used in fixed configurations. 2. Problems @@ -148,50 +156,50 @@ set of answers returned by many DNS server implementations. Upon receiving such a response to a query, resolvers typically will try the answers in order, until one succeeds, thus enabling the operator to distribute the user request load across a set of servers with discrete IP addresses that generally remain unknown to the user. Embedding globally unique IP addresses taints the IP address blocks in which they reside, lessening the usefulness and portability of those IP address blocks and increasing the cost of operation. Unsolicited traffic may continue to be delivered to the embedded - addresses well after the IP address or block has been reassigned and - no longer hosts the service for which that traffic was intended. - Circa 1997, the authors of RFC 2101 [5] made this observation: + address well after the IP address or block has been reassigned and no + longer hosts the service for which that traffic was intended. Circa + 1997, the authors of RFC 2101 [5] made this observation: Due to dynamic address allocation and increasingly frequent network renumbering, temporal uniqueness of IPv4 addresses is no longer globally guaranteed, which puts their use as identifiers into severe question. When IP addresses are used as service identifiers in the configuration of many Internet hosts, the IP address blocks become encumbered by their historical use. This may interfere with the ability of the Internet Assigned Numbers Authority (IANA) and the Internet Registry (IR) hierarchy to usefully reallocate IP address blocks. Likewise, to facilitate IP address reuse, RFC 2050 [1], encourages Internet Service Providers (ISPs) to treat address assignments as "loans". Because consumers are not necessarily experienced in the operation of - Internet hosts, they are not able to be relied upon to implement a - fix if and when problems arise. As such, a significant - responsibility lies with the manufacturer or vendor of the Internet - host to avoid embedding IP addresses in ways which cause the - aforementioned problems. + Internet hosts, they are not able to be relied upon to fix problems + if and when they arise. As such, a significant responsibility lies + with the manufacturer or vendor of the Internet host to avoid + embedding IP addresses in ways which cause the aforementioned + problems. 3. Recommendations Internet host and router designers, including network product manufacturers, should not assume that their products will be deployed - and used in only a single global Internet, that they happen to - observe today. A myriad of private or future internets in which - these products will be used may not allow those hosts to establish + and used in only a single global Internet that they happen to observe + today. A myriad of private or future internets in which these + products will be used may not allow those hosts to establish end-to-end communications with arbitrary hosts on the global Internet. Since the product failure modes resulting from unknown future states cannot be fully explored, one should avoid assumptions regarding the longevity of our current Internet. Vendors should, by default, disable unnecessary features in their products. This is especially true of features that generate unsolicited IP traffic. In this way these hosts will be conservative regarding the unsolicited Internet traffic they produce. For instance, one of the most common uses of embedded IP addresses has @@ -216,37 +224,37 @@ addresses associated with the Internet services they require. However, simply hard-coding DNS names rather than IP addresses is not a panacea. Entries in the domain name space are also ephemeral and can change owners for various reasons including acquisitions and litigation. A given vendor ought not assume that anyone will retain control of a given zone indefinitely. RFC 2606 [2] defines the IANA-reserved "example.com", "example.net", and "example.org" domains for use in example configurations and documentation. Default configurations, documentation, and example configurations for - Internet hosts should use Internet addresses that reside with special - blocks that have been reserved for these purposes, rather than - unique, globally routable IP addresses. For IPv4, RFC 3330 [3] + Internet hosts should use Internet addresses that reside within + special blocks that have been reserved for these purposes, rather + than unique, globally routable IP addresses. For IPv4, RFC 3330 [3] states that the 192.0.2.0/24 block has been assigned for use in documentation and example code. The IPv6 global unicast address prefix 2001:DB8::/32 has been similarly reserved for documentation purposes. Private Internet Addresses, as defined by RFC 1918 [4], should not be used for such purposes. Service providers and enterprise network operators should advertise - the identities of suitable local services. For instance, the DHCP - protocol, as defined by RFC 2132 [8], enables one to configure a - server to answer queries for service identitifiers to clients that - ask for them. When local services are available but not pervasively - advertised using such common protocols, designers are more likely - deploy ad hoc initialization mechanisms that unnecessarily rely on - central services. + the identities of suitable local services, such as NTP. For + instance, the DHCP protocol, as defined by RFC 2132 [8], enables one + to configure a server to answer queries for service identitifiers to + clients that ask for them. When local services including NTP are + available but not pervasively advertised using such common protocols, + designers are more likely deploy ad hoc initialization mechanisms + that unnecessarily rely on central services. Operators that provide public services on the global Internet, such as the NTP community, should deprecate the explicit advertisement of the IP addresses of public services. These addresses are ephemeral. As such, their widespread citation in public service indexes interferes with the ability to reconfigure the service as necessary to address unexpected, increased traffic. 4. Security Considerations @@ -257,21 +265,21 @@ embedding them within products' firmware or default configurations presents a security risk in that unknown parties may inadvertently be trusted. Internet host designers may be tempted to implement some sort of remote control mechanism within a product, by which its Internet host configuration can be changed without reliance on, interaction with, or even the knowledge of its operator or user. This raises security issues of its own. If such a scheme is implemented, this should be fully disclosed to the customer, operator, and user so that an - informed decisions can be made, perhaps in accordance with local + informed decision can be made, perhaps in accordance with local security or privacy policy. Furthermore, the significant possibility of malicious parties exploiting such a remote control mechanism may completely negate any potential benefit of the remote control scheme. 5. IANA Considerations This document creates no new requirements on IANA namespaces. 6. Conclusion @@ -340,21 +348,21 @@ Appendix A. Background In June 2003, the University of Wisconsin discovered that a network product vendor named NetGear had manufactured and shipped over 700,000 routers with firmware containing a hard-coded reference to the IP address of one of the University's NTP servers: 128.105.39.11, which was also known as "ntp1.cs.wisc.edu", a public stratum-2 NTP server. Due to that embedded fixed configuration and an unrelated bug in the - SNMP client, the affected products occasionally exhibit a failure + SNTP client, the affected products occasionally exhibit a failure mode in which each flawed router produces one query per second destined for the IP address 128.105.39.11, and hence produces a large-scale flood of Internet traffic from hundreds-of-thousands of source addresses, destined for the University's network, resulting in significant operational problems. These flawed routers are widely deployed throughout the global Internet and are likely to remain in use for years to come. As such, the University of Wisconsin with the cooperation of NetGear will build a new anycast time service which aims to mitigate the damage