1 / 26

The Pros and Cons of “Going Unnumbered”

The Pros and Cons of “Going Unnumbered”. Kireeti Kompella Juniper Fellow. Agenda. Does an IP router require IP addresses? for the data plane? for the control plane? Issues with address assignment Issues with going unnumbered What else can be done?. A Word on the Confusing Terminology.

tomb
Download Presentation

The Pros and Cons of “Going Unnumbered”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Pros and Cons of “Going Unnumbered” Kireeti Kompella Juniper Fellow

  2. Agenda • Does an IP router require IP addresses? • for the data plane? • for the control plane? • Issues with address assignment • Issues with going unnumbered • What else can be done?

  3. A Word on the Confusing Terminology • IP addresses were often called “IP numbers” • An interface with an IP address was said to be “numbered”; consequently, one without an IP address was called “unnumbered” (no IP number) • Funnily enough, an unnumbered interface has a numerical index (the interface index) • In this presentation, we will stay with this terminology, paradoxical as it might seem

  4. Caveats • We will only consider point-to-point interfaces as candidates for unnumbering • There are issues in addressing end-points on a multi-drop (multipoint, LAN) interfaces without IP addresses • Typically, one uses some form of ARP to resolve this, but for this to work, one needs IP addresses • Also, we assume that a router willhave at least one IP address, the loopback address

  5. Why Have IP Addresses on Routers? • Does a router need IP addresses on each interface to forward transit packets? • Ignore source-routed packets :-) • Packets are generally not addressed to the router itself • In this case, the addresses on the router (or lack thereof) are mostly irrelevant • Even if packets are addressed to the router itself, they are usually addressed to • the loopback address (for administration, iBGP, …) • a well-known multicast address (for most IGPs)

  6. Forwarding Path Exceptions • ICMP often requires interface addresses • Redirects only apply to multipoint interfaces • Most other ICMP packets (TTL expiry, DF, …) can be modified to use the loopback address • This may provide less information than using the interface address, so this is a trade-off to consider carefully • For example, if one has a small MTU on one interface, one may want to identify the exact interface, not the router as a whole

  7. What About a Router’s Control Plane? • Most routing protocols have been updated to accommodate unnumbered interfaces • OSPFv2 and v3 have supported unnumbered point-to-point interfaces from the beginning • IS-IS only carries IP addresses as ballast • iBGP peering is to the loopback address • RSVP-TE and LDP also support unnumbered i/fs • PIM? • IGMP is mostly used on multipoint interfaces, which is outside the scope of this talk

  8. Routers with unnumbered interfaces (IP addresses only for loopback) OSPF with unnumbered interfaces Packet forwarding through routed network i-BGP peering between loopbacks Unnumbered Operation

  9. What About “External” Interfaces? • The one glaring exception is eBGP, whose peering is typically to an interface address • We’ll come back to this issue • First, let’s see why we should reconsider having IP addresses on interfaces

  10. Issues With Address Assignment • Management of addresses and subnets • Simplifying configuration of routers • Protection of router addresses

  11. Reconfiguration of router topology requires re-numbering interfaces Must allocate addresses in same subnet for both ends (/31 subnets help) Every interface needs a unique address Address Management Sometimes, address scarcity also plays a factor; if a single address block doesn’t cover all interface addresses, this can lead to more complexity

  12. Simplifying Configuration • One can (roughly) categorize a router’s configuration into • Infrastructure (what the router needs to operate) • Security (ACLs and policies) • Services (QoS/CoS, peering, VPNs, …) • Infrastructure configuration consists of protocols, interfaces and self-protective ACLs • A significant portion of this configuration accrues from having interface addresses

  13. Numbered Infrastructure Config • Every interface needs its own unique IP address • IP addresses at both ends of an interface must also be configured consistently • Each such address needs to be entered into the self-protective ACLs, to protect the router against DoS attacks • Careful management of router interface address spaces can make this easier, but then address assignment becomes harder

  14. Unnumbered Infrastructure Config • Interface configuration can be “cookie-cutter” • A template mechanism allows one to configure all interfaces with (say) a PPP encapsulation, and supporting network protocols of IPv4, ISIS and MPLS • Not having interface addresses means having to configure much fewer self-protective ACLs • Just have to protect the loopback address, and this need be done only once • Managing an address space for loopbacks is quite easy, as these are /32s (no fragmentation)

  15. Protection of Router Addresses • IP routing is often viewed as insecure • The reason is largely the same as IP’s success: the global nature of IP addressing • ATM/Frame Relay, on the other hand, are viewed as secure, because the addresses are link-local, and attacks on the control plane are much harder • Aside: remember the OSPF vs. IS-IS debate? One argument in favor of IS-IS was that OSPF was more vulnerable to DoS attacks • Unnumbered interfaces go a long way towards redressing this issue -- i/f indices are link-local

  16. Alternatives to Unnumbering • Use private addresses for interfaces • Use independent /32s for each interface • Automatically assign interface addresses (IPv6) • Establish IGP adjacencies over numbered interfaces, but don’t inject interface addresses into IGP • Interfaces have addresses, but not reachability

  17. Private Interface Addresses • This solves many of the issues with interface addresses • Protection (most ISPs won’t forward packets with private addresses) • Address management -- much larger address blocks are available, making management simpler • Configuration is still needed, however • Redoing the topology still requires a fair amount of work

  18. Independent /32s for Interfaces • This means that there is no relation between the addresses on the two ends of an interface • This relies on the IGP to provide this relationship • This significantly reduces the burden of address management and synchronization • Also, reconfiguration of topology is much easier • Protection of router addresses is still an issue • If one combines the previous approach (private /32s for interfaces), this offers a fairly good solution

  19. Automatic Address Assignment • This is unfortunately not an option for IPv4, because of address scarcity • However, for IPv6, this works quite well • The issues of address management and configuration disappear • Protection of interface addresses is also a non-issue • Reconfiguration of topology is automatically handled • In a sense, unnumbered interfaces attempt to do for IPv4 what link-local addresses offer IPv6

  20. Unadvertised Interface Addresses • The option of assigning interface addresses, but not advertising them into the IGP is being used by a few Service Providers • This alleviates most of the protection issues of address assignment • However, the other issues remain • Again, one can use this in conjunction with other techniques

  21. Back to eBGP • We’ve left the issue of eBGP hanging • It’s important to keep in mind the balance between “infrastructure” and “services” • what’s inside the network and what’s outside • Running eBGP only to interface addresses allows a great deal more control and protection • One doesn’t have to expose router loopbacks to peers • External interfaces also need public addresses

  22. Summary • Why have IP addresses on interfaces? • Why not? • Infrastructure plug-and-play

  23. Why IP Addresses on Interfaces? • For one, we are used to this • This may not seem a good reason, but change is hard • In many cases, this is required for management • Many implementations of SNMP-based tools assume that interfaces have addresses, and use common subnets to associate both ends of an interface • This is ironic, as SNMP itself uses interface indices (not addresses) to identify interfaces!

  24. Why not? • We’ve seen several reasons, including • simplified configuration • address management • router self-protection • But let’s talk about one more: “plug-and-play”

  25. Infrastructure Plug-and-Play • For IP routing, reconfiguration of topology is fairly complex and configuration intensive • For Ethernet switching, however, topology reconfiguration is trivial, thanks to plug-and-play • Can we make IP reconfiguration as easy? • Going unnumbered would be a very important step if we decide that this would be a Good Thing • Should we? • Automatic P&P in the infrastructure may be good; P&P on the edge would be dangerous

  26. Thank you!

More Related