We all know that the major change with IPv6 is about addresses – they are longer and they have the potential for better aggregation.
What some might not know is that they also have a little-used scope: the link-local scope, i.e. the addresses starting with FE80::, which are always present and active on every IPv6 interface.
Link-Local Addresses (LLAs) have the rather obvious property of being local to a link. This means that a layer-3 router cannot route IP packets destined to an LLA; such packets can only be forwarded within a layer-2 domain. As such, LLAs have an interesting security property: they cannot be reached from outside the layer-2 link, as they are hidden and isolated.
All Interior Gateway Protocols (IGPs), including OSPFv3 and RIPng, use only LLAs to exchange route information. Even BGP can be configured with LLA neighbours as long as they are in the same layer-2 domain.
RFC 7404 “Using Only Link-Local Addressing inside an IPv6 Network” is all about LLAs. The document proposes to use LLAs for links between routers in a network.
Using LLAs for links between routers
An example of this is shown in figure 1. The dotted blue line is the IGP domain. All interfaces in this domain can be configured only with LLAs, i.e. without any global addresses. All IGPs work perfectly and packets are forwarded as usual. This paradigm shift is only possible in IPv6, yet another little-known advantage of IPv6 🙂
Of note, this shift impacts three operational procedures:
- Management plane must be done out-of-band in a different VLAN or VRF
- Usually P routers need to generate ICMP error messages (hop limit exceeded for traceroute, or packet too big for path MTU discovery), and an LLA-only router has no routable source address for them
- Data plane pings cannot be done anymore.
Point 2 can be solved by ensuring that the MTU is large enough everywhere and that traceroute is not critical. Several MPLS networks already hide their core P routers from traceroute, so this is nothing really new.
Point 3 can be solved by using a loopback address on each router as the source for ICMP echo replies or any other ICMP messages. It must be noted that if there are multiple links between P5 and P7 (Figure 2), the ping will always be answered even if one link is down, because the reply is sourced from the loopback rather than from the link itself (except if RFC 5837 is used).
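To make the addressing model concrete, here is an added example (not code from the original post, from RFC 7404, or from any vendor) that audits a constructed inventory of router interfaces against it: core router-to-router links should carry only fe80::/10 addresses, every router needs a global loopback to source ICMP replies and errors, and management should sit in a separate VRF. The router names P5, P7 and PE1 follow the figures; the interface names, VRF names, the `SAMPLE_INTERFACES` data and the `scope`/`audit` helpers are assumptions made for the example.

```python
# Added example: offline audit of router interface addressing against the
# "link-local only" model described in the post. All data is constructed.
import ipaddress

# Constructed sample inventory: (router, interface, role, vrf, [address/prefix])
SAMPLE_INTERFACES = [
    ("P5", "Loopback0", "loopback", "default", ["2001:db8:0:5::1/128"]),
    ("P5", "Gi0/0", "core", "default", ["fe80::5:1/64"]),
    ("P5", "Gi0/1", "core", "default", ["fe80::5:2/64"]),
    ("P5", "Mgmt0", "mgmt", "mgmt", ["2001:db8:ff::5/64", "fe80::5:ff/64"]),
    # P7 still has a global address on a core link: reachable beyond the link.
    ("P7", "Gi0/0", "core", "default", ["2001:db8:0:57::7/64", "fe80::7:1/64"]),
    ("P7", "Gi0/1", "core", "default", ["fe80::7:2/64"]),
    # P7 has no loopback at all, so it has nothing to source ICMP from.
    # PE1 keeps its management interface in the default VRF (in-band).
    ("PE1", "Loopback0", "loopback", "default", ["2001:db8:0:1::1/128"]),
    ("PE1", "Gi0/0", "core", "default", ["fe80::1:1/64"]),
    ("PE1", "Mgmt0", "mgmt", "default", ["2001:db8:ff::1/64"]),
]


def scope(addr: str) -> str:
    """Classify an IPv6 address by scope using only the standard library."""
    ip = ipaddress.IPv6Interface(addr).ip
    if ip.is_link_local:          # fe80::/10, never routed by a layer-3 device
        return "link-local"
    if ip.is_loopback or ip.is_unspecified:
        return "node-local"
    if ip.is_multicast:
        return "multicast"
    # Everything else is routable inside the network; this deliberately does
    # not use ip.is_global, which is False for the 2001:db8::/32 doc range
    # and for ULA fc00::/7, yet both are routable across links.
    return "global"


def audit(interfaces):
    """Return a sorted list of (router, interface, finding) tuples."""
    findings = []
    routers = set()
    routers_with_global_loopback = set()
    for router, ifname, role, vrf, addrs in interfaces:
        routers.add(router)
        scopes = {a: scope(a) for a in addrs}
        if role == "core":
            # A core link should be LLA-only: any routable address on it is
            # reachable from outside the layer-2 link.
            for a, s in scopes.items():
                if s != "link-local":
                    findings.append((router, ifname,
                                     f"core link carries {s} address {a}; "
                                     "reachable beyond the layer-2 link"))
        elif role == "loopback":
            if any(s == "global" for s in scopes.values()):
                routers_with_global_loopback.add(router)
        elif role == "mgmt" and vrf == "default":
            findings.append((router, ifname,
                             "management interface is in the default VRF "
                             "(in-band); the model assumes out-of-band management"))
    # Without a global loopback the router cannot source ICMP echo replies or
    # ICMP error messages (hop limit exceeded, packet too big).
    for router in sorted(routers - routers_with_global_loopback):
        findings.append((router, "-",
                         "no global loopback address; cannot source ICMP replies or errors"))
    return sorted(findings)


if __name__ == "__main__":
    for router, ifname, msg in audit(SAMPLE_INTERFACES):
        print(f"{router:4} {ifname:10} {msg}")
```

Run against the sample, the audit flags P7's global address on Gi0/0, P7's missing loopback and PE1's in-band management interface, while P5 (LLA-only core links, global loopback, management in its own VRF) passes clean. Feeding it a real inventory exported from your routers is the obvious next step; the roles and VRF names would then come from that export rather than from the constructed tuples above.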
Advantages of using LLAs for IGPs
Having said all this, using only LLAs for IGPs does have two advantages:
- All core routers are hidden from the Internet; therefore nobody can attack them from outside the layer-2 link
- As the router-to-router links are layer-2 only, they do not appear in the layer-3 routing tables, giving a faster convergence time for the IGP.
The balance between the pros and the cons is obviously up to every operator.
However, there is at least one case where RFC 7404 should be used: on the link between a peer or customer and a shared Provider Edge (PE) router, such as PE1 (see Figure 2). In this specific case, the operational impact is minimal and the security advantage is at its maximum.
In short, we are only starting to scratch the surface of IPv6 potential. IPv6 has the potential of changing the way networks operate and how services are deployed.
Eric Vyncke is a distinguished engineer working for Cisco, Belgium. He is the co-author of RFC 7404 and is the co-chair of the OPSEC working group at the IETF. He is also known for his IPv6 statistics, which leverage some IPv6 data from APNIC.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
Stop encouraging people to ruin diagnostic and troubleshooting possibilities in their networks for no clear reason whatsoever. Traceroute IS important, “MPLS sucks so we can suck too” is NO excuse.
The fail whale ‘benefit’ of “core routers are hidden from the Internet”, you know where else stuff is “hidden from the Internet” — in IPv4 RFC1918. Yeah let’s all just use that plus CGN, instead of IPv6, it’s so much more secure!
Traceroute must be answered with loopback IP as a source.
The fact that the only tools we have to use are ping and traceroute is the real issue. After 25 years we still are behind what SONET had 25 years ago.