Internet Engineering Task Force (IETF) L. Vegoda Request for Comments: 6441 ICANN BCP: 171 November 2011 Category: Best Current Practice ISSN: 2070-1721
Internet Engineering Task Force (IETF) L. Vegoda Request for Comments: 6441 ICANN BCP: 171 November 2011 Category: Best Current Practice ISSN: 2070-1721
Time to Remove Filters for Previously Unallocated IPv4 /8s
删除以前未分配的IPv4/8s的筛选器的时间
Abstract
摘要
It has been common for network administrators to filter IP traffic from and BGP prefixes of unallocated IPv4 address space. Now that there are no longer any unallocated IPv4 /8s, this practise is more complicated, fragile, and expensive. Network administrators are advised to remove filters based on the registration status of the address space.
网络管理员经常从未分配的IPv4地址空间和BGP前缀中筛选IP流量。现在不再有任何未分配的IPv4/8s,这种做法更加复杂、脆弱和昂贵。建议网络管理员根据地址空间的注册状态删除筛选器。
This document explains why any remaining packet and BGP prefix filters for unallocated IPv4 /8s should now be removed on border routers and documents those IPv4 unicast prefixes that should not be routed across the public Internet.
本文档解释了为什么现在应在边界路由器上删除未分配IPv4/8s的任何剩余数据包和BGP前缀筛选器,并记录了不应通过公共Internet路由的IPv4单播前缀。
Status of This Memo
关于下段备忘
This memo documents an Internet Best Current Practice.
本备忘录记录了互联网最佳实践。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关BCP的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6441.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6441.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从该文档中提取的代码组件必须
include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
包括信托法律条款第4.e节中所述的简化BSD许可证文本,且不提供简化BSD许可证中所述的担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Traffic Filtering Options . . . . . . . . . . . . . . . . . . . 3 3.1. No Longer Filtering Based on Address Registration Status . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2. Continuing to Filter Traffic from Unallocated IPv4 Space . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Prefixes That Should Not be Routed across the Internet . . . . 3 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 3 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 4 6.1. Normative References . . . . . . . . . . . . . . . . . . . 4 6.2. Informative References . . . . . . . . . . . . . . . . . . 4 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 5
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Traffic Filtering Options . . . . . . . . . . . . . . . . . . . 3 3.1. No Longer Filtering Based on Address Registration Status . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2. Continuing to Filter Traffic from Unallocated IPv4 Space . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Prefixes That Should Not be Routed across the Internet . . . . 3 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 3 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 4 6.1. Normative References . . . . . . . . . . . . . . . . . . . 4 6.2. Informative References . . . . . . . . . . . . . . . . . . 4 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 5
It has been common for network administrators to filter IP traffic from and BGP prefixes of unallocated IPv4 address space. Now that there are no longer any unallocated IPv4 /8s, this practise is more complicated, fragile, and expensive. Network administrators are advised to remove filters based on the registration status of the address space.
网络管理员经常从未分配的IPv4地址空间和BGP前缀中筛选IP流量。现在不再有任何未分配的IPv4/8s,这种做法更加复杂、脆弱和昂贵。建议网络管理员根据地址空间的注册状态删除筛选器。
This document explains why any remaining packet and BGP prefix filters for unallocated IPv4 /8s should now be removed on border routers and documents those IPv4 unicast prefixes that should not be routed across the public Internet.
本文档解释了为什么现在应在边界路由器上删除未分配IPv4/8s的任何剩余数据包和BGP前缀筛选器,并记录了不应通过公共Internet路由的IPv4单播前缀。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照BCP 14、RFC 2119[RFC2119]中的说明进行解释。
Martians [RFC1208] is a humorous term applied to packets that turn up unexpectedly on the wrong network because of bogus routing entries. It is also used as a name for a packet that has an altogether bogus (non-registered or ill-formed) Internet address. Bogons [RFC3871] are packets sourced from addresses that have not yet been allocated
火星人[RFC1208]是一个幽默的术语,用于描述由于虚假路由条目而意外出现在错误网络上的数据包。它还用作具有完全伪造(未注册或格式错误)互联网地址的数据包的名称。Bogons[RFC3871]是来自尚未分配的地址的数据包
by IANA or the Regional Internet Registries (RIRs), or addresses reserved for private or special use by RFCs [RFC5735]. Bogons are referred to as "Dark IP" in some circles.
由IANA或区域互联网注册中心(RIR)提供,或由RFC保留供私人或特殊使用的地址[RFC5735]。在某些圈子里,博根人被称为“暗IP”。
Network administrators who implemented filters for unallocated IPv4 /8s did so in the knowledge that those /8s were not a legitimate source of traffic on the Internet and that there was a small number of bogon filters to implement. Now that there are no longer any unallocated unicast IPv4 /8s, there will be legitimate Internet traffic coming from all unicast /8s that are not reserved for special purposes in an RFC.
为未分配的IPv4/8s实施筛选器的网络管理员这样做是因为他们知道这些/8s不是Internet上的合法流量源,并且需要实施少量bogon筛选器。现在不再有任何未分配的单播IPv4/8s,将有来自所有单播/8s的合法Internet流量,这些流量在RFC中不是为特殊目的保留的。
Removing packet and prefix filters based on the registration status of the IPv4 address is a simple approach that will avoid blocking legitimate Internet traffic. Network operators SHOULD remove both ingress and egress packet filters as well as BGP prefix filters for previously unallocated IPv4 /8s.
根据IPv4地址的注册状态删除数据包和前缀筛选器是一种简单的方法,可以避免阻塞合法的Internet流量。对于以前未分配的IPv4/8s,网络运营商应删除入口和出口数据包过滤器以及BGP前缀过滤器。
Some network administrators might want to continue filtering unallocated IPv4 addresses managed by the RIRs. This requires significantly more granular ingress filters and the highly dynamic nature of the RIRs' address pools means that filters need to be updated on a daily basis to avoid blocking legitimate incoming traffic.
某些网络管理员可能希望继续筛选RIRs管理的未分配IPv4地址。这需要更细粒度的入口过滤器,RIRs地址池的高度动态性意味着过滤器需要每天更新,以避免阻塞合法的传入流量。
Network operators may deploy filters that block traffic destined for Martian prefixes. Currently, the Martian prefix table is defined by [RFC5735] which reserves each Martian prefix for some specific, special use. If the Martian prefix table ever changes, that change will be documented in an RFC that either updates or obsoletes [RFC5735].
网络运营商可能会部署过滤器,阻止发送到火星前缀的流量。目前,火星前缀表是由[RFC5735]定义的,它保留每个火星前缀用于某些特定的特殊用途。如果火星前缀表发生变化,该变化将记录在RFC中,该RFC将更新或废弃[RFC5735]。
The cessation of filters based on unallocated IPv4 /8 allocations is an evolutionary step towards reasonable security filters. While these filters are no longer necessary, and in fact harmful, this does not obviate the need to continue other security solutions. These other solutions are as necessary today as they ever were.
停止基于未分配IPv4/8分配的筛选器是迈向合理安全筛选器的一个渐进步骤。虽然这些过滤器不再是必需的,而且实际上是有害的,但这并不排除继续使用其他安全解决方案的必要性。这些其他解决方案在今天和以往一样必要。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", BCP 153, RFC 5735, January 2010.
[RFC5735]Cotton,M.和L.Vegoda,“特殊用途IPv4地址”,BCP 153,RFC 57352010年1月。
[RFC1208] Jacobsen, O. and D. Lynch, "Glossary of networking terms", RFC 1208, March 1991.
[RFC1208]Jacobsen,O.和D.Lynch,“网络术语表”,RFC1208,1991年3月。
[RFC3871] Jones, G., "Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure", RFC 3871, September 2004.
[RFC3871]Jones,G.“大型互联网服务提供商(ISP)IP网络基础设施的运营安全要求”,RFC 3871,2004年9月。
Thanks are owed to Kim Davies, Terry Manderson, Dave Piscitello, and Joe Abley for helpful advice on how to focus this document. Thanks also go to Andy Davidson, Philip Smith, and Rob Thomas for early reviews and suggestions for improvements to the text, and to Carlos Pignataro for his support and comments.
感谢Kim Davies、Terry Manderson、Dave Piscitello和Joe Abley就如何聚焦本文档提供的有用建议。感谢Andy Davidson、Philip Smith和Rob Thomas对本文的早期评论和改进建议,以及Carlos Pignataro的支持和评论。
Author's Address
作者地址
Leo Vegoda Internet Corporation for Assigned Names and Numbers 4676 Admiralty Way, Suite 330 Marina del Rey, CA 90292 United States of America
利奥·维戈达互联网公司,地址:美国加利福尼亚州马里纳·德雷市海军部路4676号330室,邮编:90292
Phone: +1-310-823-9358 EMail: leo.vegoda@icann.org URI: http://www.iana.org/
Phone: +1-310-823-9358 EMail: leo.vegoda@icann.org URI: http://www.iana.org/