draft-ietf-v6ops-ipv6-discard-prefix-05.txt   rfc6666.txt 
v6ops Working Group N. Hilliard Internet Engineering Task Force (IETF) N. Hilliard
Internet-Draft INEX Request for Comments: 6666 INEX
Intended status: Informational D. Freedman Category: Informational D. Freedman
Expires: December 11, 2012 Claranet ISSN: 2070-1721 Claranet
June 9, 2012 August 2012
A Discard Prefix for IPv6 A Discard Prefix for IPv6
draft-ietf-v6ops-ipv6-discard-prefix-05
Abstract Abstract
Remote triggered black hole filtering describes a method of Remote triggered black hole filtering describes a method of
mitigating the effects of denial-of-service attacks by selectively mitigating the effects of denial-of-service attacks by selectively
discarding traffic based on source or destination address. Remote discarding traffic based on source or destination address. Remote
triggered black hole routing describes a method of selectively re- triggered black hole routing describes a method of selectively re-
routing traffic into a sinkhole router (for further analysis) based routing traffic into a sinkhole router (for further analysis) based
on destination address. This document updates the IPv6 Special on destination address. This document updates the "IPv6 Special
Purpose Address Registry by explaining why a unique IPv6 prefix Purpose Address Registry" by explaining why a unique IPv6 prefix
should be formally assigned by IANA for the purpose of facilitating should be formally assigned by IANA for the purpose of facilitating
IPv6 remote triggered black hole filtering and routing. IPv6 remote triggered black hole filtering and routing.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering This document is not an Internet Standards Track specification; it is
Task Force (IETF). Note that other groups may also distribute published for informational purposes.
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
This Internet-Draft will expire on December 11, 2012. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6666.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction ....................................................2
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 3 1.1. Notational Conventions .....................................3
2. A Discard Prefix for IPv6 . . . . . . . . . . . . . . . . . . . 3 2. A Discard Prefix for IPv6 .......................................3
3. Operational Implications . . . . . . . . . . . . . . . . . . . 4 3. Operational Implications ........................................4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 4. IANA Considerations .............................................4
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 5. Security Considerations .........................................4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 6. References ......................................................5
6.1. Normative References . . . . . . . . . . . . . . . . . . . 5 6.1. Normative References .......................................5
6.2. Informative References . . . . . . . . . . . . . . . . . . 5 6.2. Informative References .....................................5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction 1. Introduction
Remote triggered black hole (RTBH) filtering describes a class of Remote Triggered Black Hole (RTBH) filtering describes a class of
methods of blocking IP traffic either from a specific source methods of blocking IP traffic either from a specific source
([RFC5635]) or to a specific destination ([RFC3882]) on a network. ([RFC5635]) or to a specific destination ([RFC3882]) on a network.
RTBH routing describes a class of methods of re-routing IP traffic RTBH routing describes a class of methods of re-routing IP traffic
destined to the attacked/targeted host to a special path (tunnel) destined to the attacked/targeted host to a special path (tunnel)
where a sniffer could capture the traffic for analysis. Both these where a sniffer could capture the traffic for analysis. Both of
methods operate by setting the next-hop address of an IP packet with these methods operate by setting the next-hop address of an IP packet
a specified source or destination address to be a unicast prefix with a specified source or destination address to be a unicast prefix
which is connected locally or remotely to a router's discard, null or that is connected locally or remotely to a router's discard, null, or
tunnel interface. Typically, reachability information for this tunnel interface. Typically, reachability information for this
prefix is propagated throughout an autonomous system using a dynamic prefix is propagated throughout an autonomous system using a dynamic
routing protocol such as BGP ([RFC3882]). By deploying RTBH systems routing protocol such as BGP ([RFC3882]). By deploying RTBH systems
across a network, traffic to or from specific destinations may be across a network, traffic to or from specific destinations may be
selectively black-holed or re-routed to a sinkhole device in a manner selectively black-holed or re-routed to a sinkhole device in a manner
which is efficient, scalable and straightforward to implement. that is efficient, scalable, and straightforward to implement.
On some networks, operators configure RTBH installations using On some networks, operators configure RTBH installations using
[RFC1918] address space or the address blocks reserved for [RFC1918] address space or the address blocks reserved for
documentation in [RFC5737]. This approach is inadequate because RTBH documentation in [RFC5737]. This approach is inadequate because RTBH
configurations are not documentation, but rather operationally configurations are not documentation, but rather operationally
important features of many public-facing production networks. important features of many public-facing production networks.
Furthermore, [RFC3849] specifies that the IPv6 documentation prefix Furthermore, [RFC3849] specifies that the IPv6 documentation prefix
should be filtered in both local and public contexts. On this basis, should be filtered in both local and public contexts. On this basis,
it is suggested that both private network address blocks and the it is suggested that both private network address blocks and the
documentation prefixes described in [RFC5737] are inappropriate for documentation prefixes described in [RFC5737] are inappropriate for
RTBH configurations, and that a dedicated IPv6 prefix should be RTBH configurations and that a dedicated IPv6 prefix should be
assigned instead. assigned instead.
This document updates the IPv6 Special Purpose Address Registry This document updates the "IPv6 Special Purpose Address Registry"
[IANA-IPV6REG]. [IANA-IPV6REG].
1.1. Notational Conventions 1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. A Discard Prefix for IPv6 2. A Discard Prefix for IPv6
For the purposes of implementing an IPv6 remote triggered black hole For the purposes of implementing an IPv6 RTBH configuration, a
configuration, a unicast address block is required. There are unicast address block is required. There are currently no IPv6
currently no IPv6 unicast address blocks which are specifically unicast address blocks that are specifically nominated for the
nominated for the purposes of implementing such RTBH systems. purposes of implementing such RTBH systems.
While it could be argued that there are other addresses and address While it could be argued that there are other addresses and address
prefixes which could be used for this purpose (e.g. documentation prefixes that could be used for this purpose (e.g., documentation
prefixes, private address space), or that an operator could assign an prefixes, private address space), or that an operator could assign an
address block from their own address space for this purposes, there address block from their own address space for this purpose, there is
is currently no operational clarity on what address block would be currently no operational clarity on what address block would be
appropriate or inappropriate to use for this purpose. By assigning a appropriate or inappropriate to use for this purpose. By assigning a
globally unique discard prefix for IPv6, the IETF will introduce good globally unique discard prefix for IPv6, the IETF will introduce good
practice for the implementation of IPv6 RTBH configurations and will practice for the implementation of IPv6 RTBH configurations and will
facilitate operational clarity by allowing operators to implement facilitate operational clarity by allowing operators to implement
consistent and deterministic inter-domain prefix and traffic consistent and deterministic inter-domain prefix and traffic
filtering policies for black-holed traffic. filtering policies for black-holed traffic.
As [RFC3882] and [RFC5635] describe situations where more than one As [RFC3882] and [RFC5635] describe situations where more than one
discard address may be used for implementing multiple remote discard address may be used for implementing multiple RTBH scenarios,
triggered black hole scenarios, a single address is not sufficient to a single address is not sufficient to cover all likely RTBH
cover all likely RTBH situations. Consequently, an address block is situations. Consequently, an address block is required.
required.
3. Operational Implications 3. Operational Implications
This assignment MAY be carried in a dynamic routing protocol within This assignment MAY be carried in a dynamic routing protocol within
an autonomous system. The assignment SHOULD NOT be announced to or an autonomous system. The assignment SHOULD NOT be announced to or
accepted from third party autonomous systems and IPv6 traffic with a accepted from third-party autonomous systems, and IPv6 traffic with a
destination address within this prefix SHOULD NOT be forwarded to or destination address within this prefix SHOULD NOT be forwarded to or
accepted from third party autonomous systems. If the prefix or a accepted from third-party autonomous systems. If the prefix or a
subnet of the prefix is inadvertently announced to or accepted from a subnet of the prefix is inadvertently announced to or accepted from a
third party autonomous system, this may cause excessive volumes of third-party autonomous system, this may cause excessive volumes of
traffic to pass unintentionally between the the two networks, which traffic to pass unintentionally between the two networks, which would
would aggravate the effect of a denial-of-service attack. aggravate the effect of a denial-of-service attack.
On networks which implement IPv6 remote triggered black holes, some On networks that implement IPv6 remote triggered black holes, some or
or all of this network block MAY be configured with a next-hop all of this network block MAY be configured with a next-hop
destination of a discard or null interface on any or all IPv6 routers destination of a discard or null interface on any or all IPv6 routers
within the autonomous system. within the autonomous system.
4. IANA Considerations 4. IANA Considerations
This document directs IANA to record the allocation of the IPv6 Per this document, IANA has recorded the allocation of the IPv6
address prefix xxxx/64 as a discard-only prefix in the IPv6 Address address prefix 0100::/64 as a Discard-Only Prefix in the "Internet
Space registry and to add the prefix to the IPv6 Special Purpose Protocol Version 6 Address Space" and added the prefix to the "IANA
Address Registry [IANA-IPV6REG]. No end party is to be assigned this IPv6 Special Purpose Address Registry" [IANA-IPV6REG]. No end party
prefix. The prefix should be allocated from ::/3. has been assigned to this prefix. The prefix has been allocated from
::/3.
5. Security Considerations 5. Security Considerations
As the prefix specified in this document ought not normally be As the prefix specified in this document ought not normally be
transmitted or accepted over inter-domain BGP sessions for the transmitted or accepted over inter-domain BGP sessions for the
reasons described in Section 3, it is usually appropriate to include reasons described in Section 3, it is usually appropriate to include
this prefix in inter-domain BGP prefix filters [RFC3704] or otherwise this prefix in inter-domain BGP prefix filters [RFC3704] or otherwise
ensure the prefix is neither transmitted to or accepted from a third ensure the prefix is neither transmitted to nor accepted from a
party autonomous system. third-party autonomous system.
6. References 6. References
6.1. Normative References 6.1. Normative References
[IANA-IPV6REG] [IANA-IPV6REG]
Internet Assigned Numbers Authority, "IPv6 Special Purpose Internet Assigned Numbers Authority, "IPv6 Special Purpose
Address Registry", 2012, <http://www.iana.org/assignments/ Address Registry", 2012, <http://www.iana.org/assignments/
iana-ipv6-special-registry>. iana-ipv6-special-registry>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3882] Turk, D., "Configuring BGP to Block Denial-of-Service [RFC3882] Turk, D., "Configuring BGP to Block Denial-of-Service
Attacks", RFC 3882, September 2004. Attacks", RFC 3882, September 2004.
[RFC5635] Kumari, W. and D. McPherson, "Remote Triggered Black Hole [RFC5635] Kumari, W. and D. McPherson, "Remote Triggered Black Hole
Filtering with Unicast Reverse Path Forwarding (uRPF)", Filtering with Unicast Reverse Path Forwarding (uRPF)",
RFC 5635, August 2009. RFC 5635, August 2009.
6.2. Informative References 6.2. Informative References
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
E. Lear, "Address Allocation for Private Internets", and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996. BCP 5, RFC 1918, February 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
Networks", BCP 84, RFC 3704, March 2004. Networks", BCP 84, RFC 3704, March 2004.
[RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
Reserved for Documentation", RFC 3849, July 2004. Reserved for Documentation", RFC 3849, July 2004.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
[RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks [RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks
Reserved for Documentation", RFC 5737, January 2010. Reserved for Documentation", RFC 5737, January 2010.
Authors' Addresses Authors' Addresses
Nick Hilliard Nick Hilliard
INEX INEX
4027 Kingswood Road 4027 Kingswood Road
Dublin 24 Dublin 24
IE IE
Email: nick@inex.ie EMail: nick@inex.ie
David Freedman David Freedman
Claranet Claranet
21 Southampton Row, Holborn 21 Southampton Row, Holborn
London WC1B 5HA London WC1B 5HA
UK UK
Email: david.freedman@uk.clara.net EMail: david.freedman@uk.clara.net
 End of changes. 29 change blocks. 
74 lines changed or deleted 67 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/