draft-ietf-v6ops-ipv6-discard-prefix-02.txt   draft-ietf-v6ops-ipv6-discard-prefix-03.txt 
v6ops Working Group N. Hilliard v6ops Working Group N. Hilliard
Internet-Draft INEX Internet-Draft INEX
Updates: 5156 (if approved) January 9, 2012 Updates: 5156 (if approved) March 28, 2012
Intended status: Informational Intended status: Informational
Expires: July 12, 2012 Expires: September 29, 2012
A Discard Prefix for IPv6 A Discard Prefix for IPv6
draft-ietf-v6ops-ipv6-discard-prefix-02 draft-ietf-v6ops-ipv6-discard-prefix-03
Abstract Abstract
Remote triggered black hole filtering describes a method of Remote triggered black hole filtering describes a method of
militating against denial-of-service attacks by selectively mitigating the effects of denial-of-service attacks by selectively
discarding traffic based on source or destination address. Remote discarding traffic based on source or destination address. Remote
triggered black hole routing describes a method of selectively re- triggered black hole routing describes a method of selectively re-
routing traffic into a sinkhole router (for further analysis) based routing traffic into a sinkhole router (for further analysis) based
on destination address. This document updates RFC5156 by explaining on destination address. This document updates RFC5156 by explaining
why a unique IPv6 prefix should be formally assigned by IANA for the why a unique IPv6 prefix should be formally assigned by IANA for the
purpose of facilitating IPv6 remote triggered black hole filtering purpose of facilitating IPv6 remote triggered black hole filtering
and routing. and routing.
Status of this Memo Status of this Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 12, 2012. This Internet-Draft will expire on September 29, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 3 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 3
2. A Discard Prefix for IPv6 . . . . . . . . . . . . . . . . . . . 4 2. A Discard Prefix for IPv6 . . . . . . . . . . . . . . . . . . . 3
3. Operational Implications . . . . . . . . . . . . . . . . . . . 4 3. Operational Implications . . . . . . . . . . . . . . . . . . . 4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6.1. Normative References . . . . . . . . . . . . . . . . . . . 5 6.1. Normative References . . . . . . . . . . . . . . . . . . . 5
6.2. Informative References . . . . . . . . . . . . . . . . . . 5 6.2. Informative References . . . . . . . . . . . . . . . . . . 5
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 5 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction 1. Introduction
Remote triggered black hole (RTBH) filtering describes a class of Remote triggered black hole (RTBH) filtering describes a class of
methods of blocking IP traffic either from a specific source methods of blocking IP traffic either from a specific source
([RFC5635]) or to a specific destination ([RFC3882]) on a network. ([RFC5635]) or to a specific destination ([RFC3882]) on a network.
Remote triggered black hole (RTBH) routing describes a class of RTBH routing describes a class of methods of re-routing IP traffic
methods of re-routing IP traffic destined to the attacked/targeted destined to the attacked/targeted host to a special path (tunnel)
host to a special path (tunnel) where a sniffer could capture the where a sniffer could capture the traffic for analysis. Both these
traffic for analysis. These methods operate by setting the next-hop methods operate by setting the next-hop address of an IP packet with
address of an IP packet with a specified source or destination a specified source or destination address to be a unicast prefix
address to be a unicast prefix which is wired locally or remotely to which is connected locally or remotely to a router's discard, null or
a router's discard, null or tunnel interface. Typically, this tunnel interface. Typically, reachability information for this
information is propagated throughout an autonomous system using a prefix is propagated throughout an autonomous system using a dynamic
dynamic routing protocol such as BGP ([RFC3882]). By deploying RTBH routing protocol such as BGP ([RFC3882]). By deploying RTBH systems
systems across a network, traffic to or from specific destinations across a network, traffic to or from specific destinations may be
may be selectively black-holed or re-routed to a sinkhole device in a selectively black-holed or re-routed to a sinkhole device in a manner
manner which is efficient, scalable and straightforward to implement. which is efficient, scalable and straightforward to implement.
For IPv4, some networks configure RTBH installations using [RFC1918]
address space or the address blocks reserved for documentation in
[RFC5737].
However RTBH configurations are not documentation, but operationally On some networks, operators configure RTBH installations using
[RFC1918] address space or the address blocks reserved for
documentation in [RFC5737]. This approach is inadequate because RTBH
configurations are not documentation, but rather operationally
important features of many public-facing production networks. important features of many public-facing production networks.
Furthermore, [RFC3849] specifies that the IPv6 documentation prefix Furthermore, [RFC3849] specifies that the IPv6 documentation prefix
should be filtered in both local and public contexts. On this basis, should be filtered in both local and public contexts. On this basis,
it is suggested that both private network address blocks and it is suggested that both private network address blocks and the
documentation prefixes described in [RFC5737] are inappropriate for documentation prefixes described in [RFC5737] are inappropriate for
the purpose of RTBH configurations. RTBH configurations, and that a dedicated IPv6 prefix should be
assigned instead.
While it could be argued that there are other addresses and address
prefixes which could be used for this purpose (e.g. ::/128), or that
an operator could assign an address block from their own address
space for this purposes, there is currently no operational clarity on
what address block would be appropriate or inappropriate to use for
this purpose. By assigning a globally unique discard prefix for
IPv6, the IETF will introduce good practice for the implementation of
IPv6 RTBH configurations and will facilitate operational clarity by
allowing operators to implement consistent and deterministic inter-
domain prefix and traffic filtering policies for black-holed traffic.
This document updates [RFC5156]. This document updates [RFC5156].
1.1. Notational Conventions 1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. A Discard Prefix for IPv6 2. A Discard Prefix for IPv6
For the purposes of implementing an IPv6 remote triggered black hole For the purposes of implementing an IPv6 remote triggered black hole
configuration, a unicast address block is required. There are configuration, a unicast address block is required. There are
currently no IPv6 unicast address blocks which are specifically currently no IPv6 unicast address blocks which are specifically
nominated for the purposes of implementing such RTBH systems. nominated for the purposes of implementing such RTBH systems.
While it could be argued that there are other addresses and address
prefixes which could be used for this purpose (e.g. documentation
prefixes, private address space), or that an operator could assign an
address block from their own address space for this purposes, there
is currently no operational clarity on what address block would be
appropriate or inappropriate to use for this purpose. By assigning a
globally unique discard prefix for IPv6, the IETF will introduce good
practice for the implementation of IPv6 RTBH configurations and will
facilitate operational clarity by allowing operators to implement
consistent and deterministic inter-domain prefix and traffic
filtering policies for black-holed traffic.
As [RFC3882] and [RFC5635] describe situations where more than one As [RFC3882] and [RFC5635] describe situations where more than one
discard address may be used for implementing multiple remote discard address may be used for implementing multiple remote
triggered black hole scenarios, a single assigned prefix is not triggered black hole scenarios, a single address is not sufficient to
sufficient to cover all likely RTBH situations. Consequently, an cover all likely RTBH situations. Consequently, an address block is
address block is required in preference to a single address. required.
3. Operational Implications 3. Operational Implications
This assignment MAY be carried in a dynamic routing protocol within This assignment MAY be carried in a dynamic routing protocol within
an autonomous system. The assignment SHOULD NOT be announced to or an autonomous system. The assignment SHOULD NOT be announced to or
accepted from third party autonomous systems and IPv6 traffic with a accepted from third party autonomous systems and IPv6 traffic with a
destination address within this prefix SHOULD NOT be forwarded to or destination address within this prefix SHOULD NOT be forwarded to or
accepted from third party autonomous systems. accepted from third party autonomous systems. If the prefix or a
subnet of the prefix is inadvertently announced to or accepted from a
third party autonomous system, this may cause excessive volumes of
traffic to pass unintentionally between the the two networks, which
would aggravate the effect of a denial-of-service attack.
On networks which implement IPv6 remote triggered black holes, some On networks which implement IPv6 remote triggered black holes, some
or all of this network block MAY be configured with a destination of or all of this network block MAY be configured with a next-hop
a discard or null interface on any or all IPv6 routers within the destination of a discard or null interface on any or all IPv6 routers
autonomous system. within the autonomous system.
4. IANA Considerations 4. IANA Considerations
This document directs IANA to record the allocation of the IPv6 This document directs IANA to record the allocation of the IPv6
address prefix xxxx/64 as a discard-only prefix in the IPv6 Address address prefix xxxx/64 as a discard-only prefix in the IPv6 Address
Space registry. No end party is to be assigned this prefix. The Space registry. No end party is to be assigned this prefix. The
prefix should be allocated from ::/3. prefix should be allocated from ::/3.
5. Security Considerations 5. Security Considerations
As the prefix specified in this document should not normally be As the prefix specified in this document ought not normally be
transmitted or accepted over inter-domain BGP sessions, it is usually transmitted or accepted over inter-domain BGP sessions for the
appropriate to include this prefix in inter-domain BGP prefix filters reasons described in Section 3, it is usually appropriate to include
[RFC3704]. this prefix in inter-domain BGP prefix filters [RFC3704].
6. References 6. References
6.1. Normative References 6.1. Normative References
[RFC3882] Turk, D., "Configuring BGP to Block Denial-of-Service [RFC3882] Turk, D., "Configuring BGP to Block Denial-of-Service
Attacks", RFC 3882, September 2004. Attacks", RFC 3882, September 2004.
[RFC5156] Blanchet, M., "Special-Use IPv6 Addresses", RFC 5156, [RFC5156] Blanchet, M., "Special-Use IPv6 Addresses", RFC 5156,
April 2008. April 2008.
[RFC5635] Kumari, W. and D. McPherson, "Remote Triggered Black Hole [RFC5635] Kumari, W. and D. McPherson, "Remote Triggered Black Hole
Filtering with Unicast Reverse Path Forwarding (uRPF)", Filtering with Unicast Reverse Path Forwarding (uRPF)",
 End of changes. 16 change blocks. 
46 lines changed or deleted 53 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/