1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
|
<pre>Internet Engineering Task Force (IETF) L. Vegoda
Request for Comments: 6441 ICANN
BCP: 171 November 2011
Category: Best Current Practice
ISSN: 2070-1721
<span class="h1">Time to Remove Filters for Previously Unallocated IPv4 /8s</span>
Abstract
It has been common for network administrators to filter IP traffic
from and BGP prefixes of unallocated IPv4 address space. Now that
there are no longer any unallocated IPv4 /8s, this practise is more
complicated, fragile, and expensive. Network administrators are
advised to remove filters based on the registration status of the
address space.
This document explains why any remaining packet and BGP prefix
filters for unallocated IPv4 /8s should now be removed on border
routers and documents those IPv4 unicast prefixes that should not be
routed across the public Internet.
Status of This Memo
This memo documents an Internet Best Current Practice.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
BCPs is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6441">http://www.rfc-editor.org/info/rfc6441</a>.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
<span class="grey">Vegoda Best Current Practice [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6441">RFC 6441</a> Remove /8 Filters November 2011</span>
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-2">2</a>
<a href="#section-2">2</a>. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-2">2</a>
<a href="#section-3">3</a>. Traffic Filtering Options . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
3.1. No Longer Filtering Based on Address Registration
Status . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
3.2. Continuing to Filter Traffic from Unallocated IPv4
Space . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-4">4</a>. Prefixes That Should Not be Routed across the Internet . . . . <a href="#page-3">3</a>
<a href="#section-5">5</a>. Security Considerations . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-6">6</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-6.1">6.1</a>. Normative References . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-6.2">6.2</a>. Informative References . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#appendix-A">Appendix A</a>. Acknowledgments . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
It has been common for network administrators to filter IP traffic
from and BGP prefixes of unallocated IPv4 address space. Now that
there are no longer any unallocated IPv4 /8s, this practise is more
complicated, fragile, and expensive. Network administrators are
advised to remove filters based on the registration status of the
address space.
This document explains why any remaining packet and BGP prefix
filters for unallocated IPv4 /8s should now be removed on border
routers and documents those IPv4 unicast prefixes that should not be
routed across the public Internet.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Terminology</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>
[<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
Martians [<a href="./rfc1208" title=""Glossary of networking terms"">RFC1208</a>] is a humorous term applied to packets that turn up
unexpectedly on the wrong network because of bogus routing entries.
It is also used as a name for a packet that has an altogether bogus
(non-registered or ill-formed) Internet address. Bogons [<a href="./rfc3871" title=""Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure"">RFC3871</a>]
are packets sourced from addresses that have not yet been allocated
<span class="grey">Vegoda Best Current Practice [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6441">RFC 6441</a> Remove /8 Filters November 2011</span>
by IANA or the Regional Internet Registries (RIRs), or addresses
reserved for private or special use by RFCs [<a href="./rfc5735" title=""Special Use IPv4 Addresses"">RFC5735</a>]. Bogons are
referred to as "Dark IP" in some circles.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Traffic Filtering Options</span>
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. No Longer Filtering Based on Address Registration Status</span>
Network administrators who implemented filters for unallocated IPv4
/8s did so in the knowledge that those /8s were not a legitimate
source of traffic on the Internet and that there was a small number
of bogon filters to implement. Now that there are no longer any
unallocated unicast IPv4 /8s, there will be legitimate Internet
traffic coming from all unicast /8s that are not reserved for special
purposes in an RFC.
Removing packet and prefix filters based on the registration status
of the IPv4 address is a simple approach that will avoid blocking
legitimate Internet traffic. Network operators SHOULD remove both
ingress and egress packet filters as well as BGP prefix filters for
previously unallocated IPv4 /8s.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Continuing to Filter Traffic from Unallocated IPv4 Space</span>
Some network administrators might want to continue filtering
unallocated IPv4 addresses managed by the RIRs. This requires
significantly more granular ingress filters and the highly dynamic
nature of the RIRs' address pools means that filters need to be
updated on a daily basis to avoid blocking legitimate incoming
traffic.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Prefixes That Should Not be Routed across the Internet</span>
Network operators may deploy filters that block traffic destined for
Martian prefixes. Currently, the Martian prefix table is defined by
[<a href="./rfc5735" title=""Special Use IPv4 Addresses"">RFC5735</a>] which reserves each Martian prefix for some specific,
special use. If the Martian prefix table ever changes, that change
will be documented in an RFC that either updates or obsoletes
[<a href="./rfc5735" title=""Special Use IPv4 Addresses"">RFC5735</a>].
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Security Considerations</span>
The cessation of filters based on unallocated IPv4 /8 allocations is
an evolutionary step towards reasonable security filters. While
these filters are no longer necessary, and in fact harmful, this does
not obviate the need to continue other security solutions. These
other solutions are as necessary today as they ever were.
<span class="grey">Vegoda Best Current Practice [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6441">RFC 6441</a> Remove /8 Filters November 2011</span>
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. References</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC5735">RFC5735</a>] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
<a href="https://www.rfc-editor.org/bcp/bcp153">BCP 153</a>, <a href="./rfc5735">RFC 5735</a>, January 2010.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Informative References</span>
[<a id="ref-RFC1208">RFC1208</a>] Jacobsen, O. and D. Lynch, "Glossary of networking terms",
<a href="./rfc1208">RFC 1208</a>, March 1991.
[<a id="ref-RFC3871">RFC3871</a>] Jones, G., "Operational Security Requirements for Large
Internet Service Provider (ISP) IP Network
Infrastructure", <a href="./rfc3871">RFC 3871</a>, September 2004.
<span class="grey">Vegoda Best Current Practice [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6441">RFC 6441</a> Remove /8 Filters November 2011</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Acknowledgments</span>
Thanks are owed to Kim Davies, Terry Manderson, Dave Piscitello, and
Joe Abley for helpful advice on how to focus this document. Thanks
also go to Andy Davidson, Philip Smith, and Rob Thomas for early
reviews and suggestions for improvements to the text, and to Carlos
Pignataro for his support and comments.
Author's Address
Leo Vegoda
Internet Corporation for Assigned Names and Numbers
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292
United States of America
Phone: +1-310-823-9358
EMail: leo.vegoda@icann.org
URI: <a href="http://www.iana.org/">http://www.iana.org/</a>
Vegoda Best Current Practice [Page 5]
</pre>
|
