draft-ietf-grow-embed-addr-02.txt   draft-ietf-grow-embed-addr-03.txt

Global Routing Operations                                      D. Plonka
Internet-Draft                                   University of Wisconsin
Expires: December 7, 2004                                   June 8, 2004

Embedding Globally Routable Internet Addresses Considered Harmful
draft-ietf-grow-embed-addr-03

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

skipping to change at page 2, line 11

Internet Protocol addresses embedded within firmware or elsewhere as part of their default configuration such that it influences run-time behavior.

Revision History

RFC-EDITOR: PLEASE REMOVE REVISION HISTORY BEFORE PUBLICATION. The following is the revision history of this document

$Log: draft-ietf-grow-embed-addr.xml,v $

Revision 1.17 2004/06/08 20:27:02 plonka
minor edits
renamed from "-02" to "-03"

Revision 1.16 2004/06/08 20:15:03 plonka
minor edits, fixed some typos

Revision 1.15 2004/06/08 14:16:45 plonka
revised conclusion based on input from Geoff Huston
added netgear-sntp technical report to list of informative references

Revision 1.14 2004/06/07 18:16:27 plonka
split references into normative and informative sections

Revision 1.13 2004/06/07 16:32:10 plonka
Set category to BCP.

skipping to change at page 4, line 20

These products are now in operation world-wide and primarily include, but are not necessarily limited to, low-cost routers and middleboxes for personal or residential use.

This "hard-coding" of globally routable IP addresses as identifiers within the host's firmware presents significant problems to the operation of the Internet and to the management of its address space. Ostensibly, this practice arose as an attempt to simplify configuration of IP hosts by preloading them with IP addresses as service identifiers. Products that rely on such embedded IP addresses initially may appear convenient to both the product's designer and its operator or user, but this dubious benefit comes at the expense of others in the Internet community.

This document denounces the practice of embedding references to unique, globally routable IP addresses in Internet hosts, describes some of the resulting problems, and considers selected alternatives. It also reminds the Internet community of the ephemeral nature of unique, globally routable IP addresses and that the assignment and use of IP addresses as identifiers is temporary and therefore should not be used in fixed configurations.

2. Problems

skipping to change at page 5, line 33

set of answers returned by many DNS server implementations. Upon receiving such a response to a query, resolvers typically will try the answers in order, until one succeeds, thus enabling the operator to distribute the user request load across a set of servers with discrete IP addresses that generally remain unknown to the user.

Embedding globally unique IP addresses taints the IP address blocks in which they reside, lessening the usefulness and portability of those IP address blocks and increasing the cost of operation. Unsolicited traffic may continue to be delivered to the embedded address well after the IP address or block has been reassigned and no longer hosts the service for which that traffic was intended. Circa 1997, the authors of RFC 2101 [5] made this observation:

   Due to dynamic address allocation and increasingly frequent network renumbering, temporal uniqueness of IPv4 addresses is no longer globally guaranteed, which puts their use as identifiers into severe question.

When IP addresses are used as service identifiers in the configuration of many Internet hosts, the IP address blocks become encumbered by their historical use. This may interfere with the ability of the Internet Assigned Numbers Authority (IANA) and the Internet Registry (IR) hierarchy to usefully reallocate IP address blocks. Likewise, to facilitate IP address reuse, RFC 2050 [1], encourages Internet Service Providers (ISPs) to treat address assignments as "loans".

Because consumers are not necessarily experienced in the operation of Internet hosts, they are not able to be relied upon to fix problems if and when they arise. As such, a significant responsibility lies with the manufacturer or vendor of the Internet host to avoid embedding IP addresses in ways which cause the aforementioned problems.

3. Recommendations

Internet host and router designers, including network product manufacturers, should not assume that their products will be deployed and used in only a single global Internet that they happen to observe today. A myriad of private or future internets in which these products will be used may not allow those hosts to establish end-to-end communications with arbitrary hosts on the global Internet. Since the product failure modes resulting from unknown future states cannot be fully explored, one should avoid assumptions regarding the longevity of our current Internet.

Vendors should, by default, disable unnecessary features in their products. This is especially true of features that generate unsolicited IP traffic. In this way these hosts will be conservative regarding the unsolicited Internet traffic they produce. For instance, one of the most common uses of embedded IP addresses has

skipping to change at page 7, line 50

addresses associated with the Internet services they require. However, simply hard-coding DNS names rather than IP addresses is not a panacea. Entries in the domain name space are also ephemeral and can change owners for various reasons including acquisitions and litigation. A given vendor ought not assume that anyone will retain control of a given zone indefinitely. RFC 2606 [2] defines the IANA-reserved "example.com", "example.net", and "example.org" domains for use in example configurations and documentation.

Default configurations, documentation, and example configurations for Internet hosts should use Internet addresses that reside within special blocks that have been reserved for these purposes, rather than unique, globally routable IP addresses. For IPv4, RFC 3330 [3] states that the 192.0.2.0/24 block has been assigned for use in documentation and example code. The IPv6 global unicast address prefix 2001:DB8::/32 has been similarly reserved for documentation purposes. Private Internet Addresses, as defined by RFC 1918 [4], should not be used for such purposes.
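A practical check for the recommendation above, added here as an example and not part of the draft: scan a product's default configuration for IP literals and classify each against the documentation blocks the draft names (192.0.2.0/24, 2001:DB8::/32) and the RFC 1918 private blocks, so that globally routable literals (and private ones standing in for documentation addresses) are reported. The sample configuration and its key names are constructed for this example.

```python
"""Flag hard-coded IP literals in a product's default configuration.

Added example (not from the draft). Literals inside the documentation
blocks the draft names are acceptable; globally routable literals are
the defect the draft warns about, and RFC 1918 literals are reported
because the draft says they must not be used as documentation addresses.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Reserved-for-documentation blocks named in the draft (RFC 3330 / IPv6).
DOCUMENTATION_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
# RFC 1918 private blocks.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Loose matcher for dotted quads and colon-separated hex groups; the
# ipaddress module does the real validation, so near-misses (MAC
# addresses, version strings with colons) are discarded by classify().
_IP_LITERAL = re.compile(
    r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]+)\b")

def classify(literal: str) -> Optional[str]:
    """Return 'documentation', 'private', 'global', 'other', or None if not an address."""
    try:
        ip = ipaddress.ip_address(literal)
    except ValueError:
        return None
    if any(ip in net for net in DOCUMENTATION_BLOCKS):
        return "documentation"
    if any(ip in net for net in PRIVATE_BLOCKS):
        return "private"
    # Loopback, link-local, multicast etc. are not service identifiers either.
    return "global" if ip.is_global else "other"

def find_embedded_addresses(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, literal, class) for every literal outside the documentation blocks."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        for literal in _IP_LITERAL.findall(line):
            kind = classify(literal)
            if kind and kind != "documentation":
                findings.append((line_no, literal, kind))
    return findings

# Constructed sample default configuration (not any real product's file).
SAMPLE_CONFIG = """\
ntp_server=128.105.39.11
ntp_server_v6=2001:db8::123
syslog_host=192.0.2.10
lan_gateway=192.168.1.1
ntp_name=ntp.example.net
"""

if __name__ == "__main__":
    for line_no, literal, kind in find_embedded_addresses(SAMPLE_CONFIG):
        print(f"line {line_no}: {literal} is {kind}")
```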
Service providers and enterprise network operators should advertise the identities of suitable local services, such as NTP. For instance, the DHCP protocol, as defined by RFC 2132 [8], enables one to configure a server to answer queries for service identifiers to clients that ask for them. When local services including NTP are available but not pervasively advertised using such common protocols, designers are more likely to deploy ad hoc initialization mechanisms that unnecessarily rely on central services.

Operators that provide public services on the global Internet, such as the NTP community, should deprecate the explicit advertisement of the IP addresses of public services. These addresses are ephemeral. As such, their widespread citation in public service indexes interferes with the ability to reconfigure the service as necessary to address unexpected, increased traffic.

4. Security Considerations

skipping to change at page 9, line 21

embedding them within products' firmware or default configurations presents a security risk in that unknown parties may inadvertently be trusted.

Internet host designers may be tempted to implement some sort of remote control mechanism within a product, by which its Internet host configuration can be changed without reliance on, interaction with, or even the knowledge of its operator or user. This raises security issues of its own. If such a scheme is implemented, this should be fully disclosed to the customer, operator, and user so that an informed decision can be made, perhaps in accordance with local security or privacy policy. Furthermore, the significant possibility of malicious parties exploiting such a remote control mechanism may completely negate any potential benefit of the remote control scheme.

5. IANA Considerations

This document creates no new requirements on IANA namespaces.

6. Conclusion

skipping to change at page 14, line 15

Appendix A. Background

In June 2003, the University of Wisconsin discovered that a network product vendor named NetGear had manufactured and shipped over 700,000 routers with firmware containing a hard-coded reference to the IP address of one of the University's NTP servers: 128.105.39.11, which was also known as "ntp1.cs.wisc.edu", a public stratum-2 NTP server.

Due to that embedded fixed configuration and an unrelated bug in the SNTP client, the affected products occasionally exhibit a failure mode in which each flawed router produces one query per second destined for the IP address 128.105.39.11, and hence produces a large-scale flood of Internet traffic from hundreds of thousands of source addresses, destined for the University's network, resulting in significant operational problems.
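The failure mode just described has a recognisable signature from the server operator's side: many distinct sources each polling the same address at about one query per second, far faster than a well-behaved NTP client. The detector below is an added example, not part of the draft or of the University's tooling; the flow records it runs over are constructed, with the draft's 128.105.39.11 as the polled address and documentation addresses as sources.

```python
"""Detect an SNTP retry storm of the kind the appendix describes.

Added example (not from the draft). Input is a list of NTP request
records (unix_time, src_ip, dst_ip); a destination is flagged when it is
polled by at least min_sources distinct sources whose median query rate
is at least min_rate queries per second. Normal clients poll on the
order of a minute or more, so a crowd of sources all near 1 q/s points
at a shared firmware defect rather than ordinary load.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

Record = Tuple[float, str, str]  # (unix_time, src_ip, dst_ip)

def per_source_rates(records: List[Record]) -> Dict[str, Dict[str, float]]:
    """Map dst -> {src -> queries per second}, for sources with >= 2 queries."""
    times: Dict[str, Dict[str, List[float]]] = defaultdict(lambda: defaultdict(list))
    for ts, src, dst in records:
        times[dst][src].append(ts)
    rates: Dict[str, Dict[str, float]] = {}
    for dst, by_src in times.items():
        rates[dst] = {}
        for src, ts_list in by_src.items():
            if len(ts_list) < 2:
                continue  # a single query says nothing about the rate
            ts_list.sort()
            span = ts_list[-1] - ts_list[0]
            if span > 0:
                rates[dst][src] = (len(ts_list) - 1) / span
    return rates

def find_retry_storms(records: List[Record], min_sources: int = 3,
                      min_rate: float = 0.5) -> List[str]:
    """Return the destinations being polled storm-style, sorted."""
    storms = []
    for dst, by_src in per_source_rates(records).items():
        if len(by_src) >= min_sources and median(by_src.values()) >= min_rate:
            storms.append(dst)
    return sorted(storms)

def constructed_records() -> List[Record]:
    """Constructed sample: three sources polling the embedded address once per
    second for ten seconds, plus one normal client polling 192.0.2.1 every 64 s."""
    recs: List[Record] = []
    for src in ("192.0.2.11", "192.0.2.12", "192.0.2.13"):
        recs += [(1_000_000.0 + i, src, "128.105.39.11") for i in range(10)]
    recs += [(1_000_000.0 + 64 * i, "192.0.2.50", "192.0.2.1") for i in range(4)]
    return recs

if __name__ == "__main__":
    print(find_retry_storms(constructed_records()))  # ['128.105.39.11']
```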
These flawed routers are widely deployed throughout the global Internet and are likely to remain in use for years to come. As such, the University of Wisconsin with the cooperation of NetGear will build a new anycast time service which aims to mitigate the damage

End of changes.

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/