栏目搜索
 
 
 
 
你的位置:首页 > 协议大全 > RFC4085 - Embedding Globally-Routable Internet Addresses Considered Harmful >
 

RFC4085 - Embedding Globally-Routable Internet Addresses Considered Harmful

发布者:[本站编辑] | 来源:[]

RFC4085 - Embedding Globally-Routable Internet Addresses Considered Harmful_电脑维修资料库

global routing operations d. plonkanetwork working group university of wisconsinrequest for comments: 4085 june 2005bcp: 105category: best current practiceembedding globally-routable internet addresses considered harmfulstatus of this memothis document specifies an internet best current practices for theinternet community, and requests discussion and suggestions forimprovements. distribution of this memo is unlimited.copyright noticecopyright (c) the internet society (2005).abstractthis document discourages the practice of embedding references tounique, globally-routable ip addresses in internet hosts, describessome of the resulting problems, and considers selected alternatives.this document is intended to clarify best current practices in thisregard.table of contents1. introduction ....................................................22. problems ........................................................23. recommendations .................................................43.1. disable unused features ....................................43.2. provide user interface for ip features .....................43.3. use domain names as service identifiers ....................43.4. use special-purpose, reserved ip addresses when available ..53.5. discover and utilize local services ........................63.6. avoid mentioning the ip addresses of services ..............64. security considerations .........................................65. conclusion ......................................................76. acknowledgements ................................................77. references ......................................................7appendix a. background ............................................91. introductionsome vendors of consumer electronics and network gear haveunfortunately chosen to embed, or hard-code, globally-routableinternet protocol addresses within their products' firmware. theseembedded ip addresses are typically individual server ip addresses orip subnet prefixes. thus, they are sometimes used as serviceidentifiers, to which unsolicted requests are directed, or as subnetidentifiers, specifying sets of internet addresses that the givenproduct somehow treats specially.one recent example was the embedding of the globally-routable ipaddress of a network time protocol server in the firmware of hundredsof thousands of internet hosts that are now in operation worldwide.the hosts are primarily, but are not necessarily, limited to low-costrouters and middleboxes for personal or residential use. in anothercase, ip address prefixes that had once been reserved by the internetassigned numbers authority (iana) were embedded in a router productso that it can automatically discard packets that appear to haveinvalid source ip addresses.such hard-coding of globally-routable ip addresses as identifierswithin the host's firmware presents significant problems to theoperation of the internet and to the management of its address space.ostensibly, this practice arose as an attempt to simplify ip hostconfiguration by pre-loading hosts with ip addresses. products thatrely on such embedded ip addresses initially may appear to beconvenient to the product's designer and to its operator or user, butthis dubious benefit comes at the expense of others in the internetcommunity.this document denounces the practice of embedding references tounique, globally-routable ip addresses in internet hosts, describessome of the resulting problems, and considers selected alternatives.it also reminds the internet community of the ephemeral nature ofunique, globally-routable ip addresses; the assignment and use of ipaddresses as identifiers is temporary and therefore should not beused in fixed configurations.2. problemsthe embedding of ip addresses in products has caused an increasingnumber of internet hosts to rely on a single central internetservice. this can result in a service outage when the aggregateworkload overwhelms that service. when fixed addresses are embeddedin an ever-increasing number of client ip hosts, this practice runsdirectly counter to the design intent of hierarchically deployedservices that would otherwise be robust solutions.the reliability, scalability, and performance of many internetservices require that the pool of users not access a service usingits ip address directly. instead, they typically rely on a level ofindirection provided by the domain name system, rfc 2219 <6>. whenappropriately utilized, the dns permits the service operator toreconfigure the resources for maintenance and to perform loadbalancing, without the participation of the users and without arequirement for configuration changes in the client hosts. forinstance, one common load-balancing technique employs multiple dnsrecords with the same name; the set of answers that is returned isrotated in a round-robin fashion in successive queries. uponreceiving such a response to a query, resolvers typically will trythe answers in order, until one succeeds, thus enabling the operatorto distribute the user request load across a set of servers withdiscrete ip addresses that generally remain unknown to the user.embedding globally-unique ip addresses taints the ip address blocksin which they reside, lessening the usefulness and mobility of thoseip address blocks and increasing the cost of operation. unsolicitedtraffic may continue to be delivered to the embedded address wellafter the ip address or block has been reassigned and no longer hoststhe service for which that traffic was intended. circa 1997, theauthors of rfc 2101 <7> made this observation:due to dynamic address allocation and increasingly frequentnetwork renumbering, temporal uniqueness of ipv4 addresses is nolonger globally guaranteed, which puts their use as identifiersinto severe question.when ip addresses are embedded in the configuration of many internethosts, the ip address blocks become encumbered by their historicaluse. this may interfere with the ability of the internet assignednumbers authority (iana) and the internet registry (ir) hierarchy tousefully reallocate ip address blocks. likewise, to facilitate ipaddress reuse, rfc 2050 <1>, encourages internet service providers(isps) to treat address assignments as loans.because consumers are not necessarily experienced in the operation ofinternet hosts, they cannot be relied upon to fix problems, if andwhen they arise. therefore, a significant responsibility lies withthe manufacturer or vendor of an internet host to avoid embedding ipaddresses in ways that cause the aforementioned problems.3. recommendationsinternet host and router designers, including network productmanufacturers, should not assume that their products will be deployedand used in only the single global internet that they happen toobserve today. a myriad of private or future internetworks in whichthese products will be used may not allow those hosts to establishcommunications with arbitrary hosts on the global internet. sincethe product failure modes resulting from an unknown futureinternetwork environment cannot be fully explored, one should avoidassumptions regarding the longevity of our current internet.the following recommendations are presented as best practice today.3.1. disable unused featuresvendors should, by default, disable unnecessary features in theirproducts. this is especially true of features that generateunsolicited internet traffic. in this way, these hosts will beconservative regarding the unsolicited internet traffic they produce.for instance, one of the most common uses of embedded ip addresseshas been the hard-coding of addresses of well known public simplenetwork time protocol (sntp rfc 2030 <8>) servers in products.however, only a small fraction of users will benefit from theseproducts having some notion of the current date and time.3.2. provide user interface for ip featuresvendors should provide an operator interface for every feature thatgenerates unsolicited internet traffic. a prime example is this:the domain name system resolver should have an interface enabling theoperator to either explicitly set the choice of servers or enable astandard automated configuration protocol such as dhcp, defined byrfc 2132 <9>. these features should originally be disabled withinthe operator interface, and subsequently enabling these featuresshould alert the operator that the feature exists. this will make itmore likely that the product's owner or operator can participate inproblem determination and mitigation when problems arise.rfc 2606 <2> defines the iana-reserved example.com, example.net,and example.org domains for use in example configurations anddocumentation. these are candidate examples to be used in userinterface documentation.3.3. use domain names as service identifiersinternet hosts should use the domain name system to determine the ipaddresses associated with the internet services they require.when using domain names as service identifiers in the configurationsof deployed internet hosts, designers and vendors are encouraged tointroduce service names. these names should be within a domain thatthey either control or are permitted to utilize by an agreement withits operator (such as for public services provided by the internetcommunity). this is commonly done by introducing a service-specificprefix to the domain name.for instance, a vendor named example, inc. with the domainexample.com might configure its product to find its sntp server bythe name sntp-server.config.example.com or even by a name that isspecific to the product and version, such as sntp-server.v1.widget.config.example.com. here the config.example.comnamespace is dedicated to that vendor's product configuration, withsubdomains introduced as deemed necessary. such special-purposedomain names enable ongoing maintenance and reconfiguration of theservices for their client hosts and can aid in the ongoingmeasurement of service usage throughout the product's lifetime.an alternative to inventing vendor-specific domain naming conventionsfor a product's service identifiers is to utilize srv resourcerecords (rrs), defined by rfc 2782 <10>. srv records are a generictype of rr that uses a service-specific prefix in combination with abase domain name. for example, an srv-cognizant sntp client mightdiscover example, inc.'s suggested ntp server by performing an srv-type query to lookup for _ntp._udp.example.com.however, note that simply hard-coding dns name service identifiersrather than ip addresses is not a panacea. entries in the domainname space are also ephemeral and can change owners for variousreasons, including acquisitions and litigation. as such, developersand vendors should explore a product's potential failure modesresulting from the loss of administrative control of a given domainfor whatever reason.3.4. use special-purpose, reserved ip addresses when availabledefault configurations, documentation, and example configurations forinternet hosts should use internet addresses that reside withinspecial blocks that have been reserved for these purposes, ratherthan unique, globally-routable ip addresses. for ipv4, rfc 3330 <3>states that the 192.0.2.0/24 block has been assigned for use indocumentation and example code. the ipv6 global unicast addressprefix 2001:db8::/32 has been similarly reserved for documentationpurposes rfc 3849 <4>. private internet addresses, as defined by rfc1918 <5>, should not be used for such purposes.3.5. discover and utilize local servicesservice providers and enterprise network operators should advertisethe identities of suitable local services, such as ntp. very oftenthese services exist, but the advertisement and automatedconfiguration of their use is missing. for instance, the dhcpprotocol, as defined by rfc 2132 <9>, enables one to configure aserver to answer client queries for service identifiers. when localservices, including ntp, are available but not pervasively advertisedusing such common protocols, designers are more likely to deploy adhoc initialization mechanisms that unnecessarily rely on centralservices.3.6. avoid mentioning the ip addresses of servicesoperators who provide public services on the global internet, such asthose in the ntp community, should deprecate the explicitadvertisement of the ip addresses of public services. theseaddresses are ephemeral. as such, their widespread citation inpublic service indexes interferes with the ability to reconfigure theservice when necessary to address unexpected, increased traffic andthe aforementioned problems.4. security considerationsembedding or hard-coding ip addresses within a host's configurationoften means that a host-based trust model is being employed, and thatthe internet host with the given address is trusted in some way. dueto the ephemeral roles of globally-routable ip addresses, thepractice of embedding them within products' firmware or defaultconfigurations presents a security risk in which unknown parties maybe trusted inadvertently.internet host designers may be tempted to implement some sort ofremote control mechanism within a product, by which its internet hostconfiguration can be changed without reliance on, interaction with,or even the knowledge of, its operator or user. this raises securityissues of its own. if such a scheme is implemented, its presenceshould be fully disclosed to the customer, operator, and user, sothat an informed decision can be made, perhaps in accordance withlocal security or privacy policy. furthermore, the significantpossibility of malicious parties exploiting such a remote controlmechanism may completely negate any potential benefit of the remotecontrol scheme. therefore, remote control mechanisms should bedisabled by default, to be subsequently enabled and disabled by theuser.5. conclusionwhen large numbers of homogeneous internet hosts are deployed, it isparticularly important that both their designers and other members ofthe internet community diligently assess host implementation qualityand reconfigurability.implementors of host services should avoid any kind of use of uniqueglobally-routable ip addresses within a fixed configuration part ofthe service implementation. if there is a requirement for pre-configured state, then care should be taken to use an appropriateservice identifier and to use standard mechanisms for dynamicallyresolving the identifier into an ip address. also, any suchidentifiers should be alterable in the field through a conventionalcommand and control interface for the service.6. acknowledgementsthe author thanks the following reviewers for their contributions tothis document: paul barford, geoff huston, david meyer, mikeo'connor, michael patton, tom petch, and pekka savola. haraldalvestrand, spencer dawkins, ted hardie, david kessens, and thomasnarten provided valuable feedback during ad and iesg review.7. references7.1. normative references<1> hubbard, k., kosters, m., conrad, d., karrenberg, d., and j.postel, internet registry ip allocation guidelines, bcp 12,rfc 2050, november 1996.<2> eastlake 3rd, d. and a. panitz, reserved top level dns names,bcp 32, rfc 2606, june 1999.<3> iana, special-use ipv4 addresses, rfc 3330, september 2002.<4> huston, g., lord, a., and p. smith, ipv6 address prefixreserved for documentation, rfc 3849, july 2004.<5> rekhter, y., moskowitz, b., karrenberg, d., de groot, g., and e.lear, address allocation for private internets, bcp 5, rfc1918, february 1996.7.2. informative references<6> hamilton, m. and r. wright, use of dns aliases for networkservices, bcp 17, rfc 2219, october 1997.<7> carpenter, b., crowcroft, j., and y. rekhter, ipv4 addressbehaviour today, rfc 2101, february 1997.<8> mills, d., simple network time protocol (sntp) version 4 foripv4, ipv6 and osi, rfc 2030, october 1996.<9> alexander, s. and r. droms, dhcp options and bootp vendorextensions, rfc 2132, march 1997.<10> gulbrandsen, a., vixie, p., and l. esibov, a dns rr forspecifying the location of services (dns srv), rfc 2782,february 2000.<11> plonka, d., flawed routers flood university of wisconsininternet time server, august 2003.http://www.cs.wisc.edu/~plonka/netgear-sntp/appendix a. backgroundin may 2003, the university of wisconsin discovered that a networkproduct vendor named netgear had manufactured and shipped over700,000 routers with firmware containing a hard-coded reference tothe ip address of one of the university's ntp servers:128.105.39.11, which was also known as ntp1.cs.wisc.edu, a publicstratum-2 ntp server.due to that embedded fixed configuration and an unrelated bug in thesntp client, the affected products occasionally exhibit a failuremode in which each flawed router produces one query per seconddestined for the ip address 128.105.39.11, and hence produces a largescale flood of internet traffic from hundreds of thousands of sourceaddresses, destined for the university's network, resulting insignificant operational problems.these flawed routers are widely deployed throughout the globalinternet and are likely to remain in use for years to come. as such,the university of wisconsin, with the cooperation of netgear, willbuild a new anycast time service that aims to mitigate the damagecaused by the misbehavior of these flawed routers.a technical report regarding the details of this situation isavailable on the world wide web: flawed routers flood university ofwisconsin internet time server <11>.author's addressdavid plonkauniversity of wisconsin - madisonemail: plonka@doit.wisc.eduuri: http://net.doit.wisc.edu/~plonka/full copyright statementcopyright (c) the internet society (2005).this document is subject to the rights, licenses and restrictionscontained in bcp 78, and except as set forth therein, the authorsretain all their rights.this document and the information contained herein are provided on anas is basis and the contributor, the organization he/she representsor is sponsored by (if any), the internet society and the internetengineering task force disclaim all warranties, express or implied,including but not limited to any warranty that the use of theinformation herein will not infringe any rights or any impliedwarranties of merchantability or fitness for a particular purpose.intellectual propertythe ietf takes no position regarding the validity or scope of anyintellectual property rights or other rights that might be claimed topertain to the implementation or use of the technology described inthis document or the extent to which any license under such rightsmight or might not be available; nor does it represent that it hasmade any independent effort to identify any such rights. informationon the procedures with respect to rights in rfc documents can befound in bcp 78 and bcp 79.copies of ipr disclosures made to the ietf secretariat and anyassurances of licenses to be made available, or the result of anattempt made to obtain a general license or permission for the use ofsuch proprietary rights by implementers or users of thisspecification can be obtained from the ietf on-line ipr repository athttp://www.ietf.org/ipr.the ietf invites any interested party to bring to its attention anycopyrights, patents or patent applications, or other proprietaryrights that may cover technology that may be required to implementthis standard. please address the information to the ietf at ietf-ipr@ietf.org.acknowledgementfunding for the rfc editor function is currently provided by theinternet society.</t