Internet Engineering Task Force (IETF)                           Y. Yang
Request for Comments: 6860                                     A. Retana
Updates: 2328, 5340                                               A. Roy
Category: Standards Track                            Cisco Systems, Inc.
ISSN: 2070-1721                                             January 2013
        
Internet Engineering Task Force (IETF)                           Y. Yang
Request for Comments: 6860                                     A. Retana
Updates: 2328, 5340                                               A. Roy
Category: Standards Track                            Cisco Systems, Inc.
ISSN: 2070-1721                                             January 2013
        

Hiding Transit-Only Networks in OSPF

OSPF中仅传输网络的隐藏

Abstract

摘要

A transit-only network is defined as a network connecting routers only. In OSPF, transit-only networks are usually configured with routable IP addresses, which are advertised in Link State Advertisements (LSAs) but are not needed for data traffic. In addition, remote attacks can be launched against routers by sending packets to these transit-only networks. This document presents a mechanism to hide transit-only networks to speed up network convergence and reduce vulnerability to remote attacks.

仅传输网络定义为仅连接路由器的网络。在OSPF中,仅传输网络通常配置有可路由的IP地址,这些地址在链路状态公告(LSA)中进行公告,但不需要用于数据通信。此外,通过向这些仅传输的网络发送数据包,可以对路由器发起远程攻击。本文档介绍了一种隐藏仅公交网络的机制,以加快网络融合并降低远程攻击的脆弱性。

In the context of this document, 'hiding' implies that the prefixes are not installed in the routing tables on OSPF routers. In some cases, IP addresses may still be visible when using OSPFv2.

在本文档的上下文中,“隐藏”表示前缀未安装在OSPF路由器的路由表中。在某些情况下,使用OSPFv2时,IP地址可能仍然可见。

This document updates RFCs 2328 and 5340.

本文档更新了RFCs 2328和5340。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6860.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6860.

Copyright Notice

版权公告

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2013 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1. Introduction ....................................................3
      1.1. Requirements Notation ......................................3
   2. Hiding IPv4 Transit-Only Networks in OSPFv2 .....................3
      2.1. Point-to-Point Networks ....................................3
           2.1.1. Advertising Point-to-Point Networks .................4
           2.1.2. Hiding Point-to-Point Networks ......................4
      2.2. Broadcast Networks .........................................5
           2.2.1. Advertising Broadcast Networks ......................5
           2.2.2. Hiding Broadcast Networks ...........................5
                  2.2.2.1. Sending Network-LSA ........................5
                  2.2.2.2. Receiving Network-LSA ......................6
                           2.2.2.2.1. Backward Compatibility ..........6
      2.3. Non-Broadcast Networks .....................................7
           2.3.1. NBMA ................................................7
           2.3.2. Point-to-Multipoint .................................7
                  2.3.2.1. Advertising Point-to-Multipoint Networks ...7
                  2.3.2.2. Hiding Point-to-Multipoint Networks ........8
   3. Hiding IPv6 Transit-Only Networks in OSPFv3 .....................9
      3.1. Hiding AF-Enabled Transit-Only Networks in OSPFv3 ..........9
   4. Operational Considerations ......................................9
      4.1. Forwarding Address ........................................10
      4.2. Virtual Links .............................................10
      4.3. Unnumbered Interfaces .....................................10
   5. Security Considerations ........................................11
   6. Acknowledgments ................................................11
   7. References .....................................................12
      7.1. Normative References ......................................12
      7.2. Informative References ....................................12
        
   1. Introduction ....................................................3
      1.1. Requirements Notation ......................................3
   2. Hiding IPv4 Transit-Only Networks in OSPFv2 .....................3
      2.1. Point-to-Point Networks ....................................3
           2.1.1. Advertising Point-to-Point Networks .................4
           2.1.2. Hiding Point-to-Point Networks ......................4
      2.2. Broadcast Networks .........................................5
           2.2.1. Advertising Broadcast Networks ......................5
           2.2.2. Hiding Broadcast Networks ...........................5
                  2.2.2.1. Sending Network-LSA ........................5
                  2.2.2.2. Receiving Network-LSA ......................6
                           2.2.2.2.1. Backward Compatibility ..........6
      2.3. Non-Broadcast Networks .....................................7
           2.3.1. NBMA ................................................7
           2.3.2. Point-to-Multipoint .................................7
                  2.3.2.1. Advertising Point-to-Multipoint Networks ...7
                  2.3.2.2. Hiding Point-to-Multipoint Networks ........8
   3. Hiding IPv6 Transit-Only Networks in OSPFv3 .....................9
      3.1. Hiding AF-Enabled Transit-Only Networks in OSPFv3 ..........9
   4. Operational Considerations ......................................9
      4.1. Forwarding Address ........................................10
      4.2. Virtual Links .............................................10
      4.3. Unnumbered Interfaces .....................................10
   5. Security Considerations ........................................11
   6. Acknowledgments ................................................11
   7. References .....................................................12
      7.1. Normative References ......................................12
      7.2. Informative References ....................................12
        
1. Introduction
1. 介绍

A transit-only network is defined as a network connecting routers only. In OSPF, transit-only networks are usually configured with routable IP addresses, which are advertised in LSAs but not needed for data traffic. In addition, remote attacks can be launched against routers by sending packets to these transit-only networks. This document presents a mechanism to hide transit-only networks to speed up network convergence and reduce vulnerability to remote attacks.

仅传输网络定义为仅连接路由器的网络。在OSPF中,仅传输网络通常配置有可路由的IP地址,这些地址在LSA中公布,但不需要用于数据通信。此外,通过向这些仅传输的网络发送数据包,可以对路由器发起远程攻击。本文档介绍了一种隐藏仅公交网络的机制,以加快网络融合并降低远程攻击的脆弱性。

Hiding transit-only networks will not impact reachability to the end hosts.

隐藏仅传输网络不会影响终端主机的可达性。

In the context of this document, 'hiding' implies that the prefixes are not installed in the routing tables on OSPF routers. In [OSPFv2], the IPv4 interface addresses are still visible in the Router-LSA links and the network-LSA Link-State ID (LSID). In [OSPFv3], the router-LSAs and network-LSAs do not contain IPv6 addresses and are not visible.

在本文档的上下文中,“隐藏”表示前缀未安装在OSPF路由器的路由表中。在[OSPFv2]中,IPv4接口地址在路由器LSA链路和网络LSA链路状态ID(LSID)中仍然可见。在[OSPFv3]中,路由器LSA和网络LSA不包含IPv6地址且不可见。

This document updates [OSPFv2] and [OSPFv3] by specifying a mechanism that can be used to hide transit-only networks.

本文档通过指定可用于隐藏仅公交网络的机制来更新[OSPFv2]和[OSPFv3]。

1.1. Requirements Notation
1.1. 需求符号

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORD].

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[关键字]中所述进行解释。

2. Hiding IPv4 Transit-Only Networks in OSPFv2
2. 在OSPFv2中隐藏IPv4仅传输网络

In [OSPFv2], networks are classified as point-to-point, broadcast, or non-broadcast. In the following sections, we will review how these OSPF networks are being advertised and discuss how to hide them.

在[OSPFv2]中,网络分为点对点、广播或非广播。在下面的章节中,我们将回顾这些OSPF网络是如何被宣传的,并讨论如何隐藏它们。

2.1. Point-to-Point Networks
2.1. 点对点网络

A point-to-point network joins a single pair of routers. Figure 1 shows a point-to-point network connecting routers RT1 and RT2.

点对点网络连接一对路由器。图1显示了连接路由器RT1和RT2的点对点网络。

                  +---+.1    198.51.100.0/30    .2+---+
                  |RT1|---------------------------|RT2|
                  +---+                           +---+
        
                  +---+.1    198.51.100.0/30    .2+---+
                  |RT1|---------------------------|RT2|
                  +---+                           +---+
        

Figure 1. Physical Point-to-Point Network

图1。物理点对点网络

2.1.1. Advertising Point-to-Point Networks
2.1.1. 广告点对点网络

For each numbered point-to-point network, a router has two link descriptions in its router-LSA: one Type 1 link (point-to-point) describing the neighboring router, and one Type 3 link (stub) describing the assigned IPv4 subnet.

对于每个编号的点到点网络,路由器在其路由器LSA中有两个链路描述:一个类型1链路(点到点)描述相邻路由器,另一个类型3链路(存根)描述分配的IPv4子网。

An example of a router-LSA originated by RT1 would look like the following:

RT1发起的路由器LSA示例如下所示:

        LS age = 0                        ;newly (re-)originated
        LS type = 1                       ;router-LSA
        Link State ID = 192.0.2.1         ;RT1's Router ID
        Advertising Router = 192.0.2.1    ;RT1's Router ID
        #links = 2
           Link ID = 192.0.2.2            ;RT2's Router ID
           Link Data = 198.51.100.1       ;Interface IP address
           Type = 1                       ;connects to RT2
           Metric = 10
        
        LS age = 0                        ;newly (re-)originated
        LS type = 1                       ;router-LSA
        Link State ID = 192.0.2.1         ;RT1's Router ID
        Advertising Router = 192.0.2.1    ;RT1's Router ID
        #links = 2
           Link ID = 192.0.2.2            ;RT2's Router ID
           Link Data = 198.51.100.1       ;Interface IP address
           Type = 1                       ;connects to RT2
           Metric = 10
        
           Link ID= 198.51.100.0          ;IP network/subnet number
           Link Data = 255.255.255.252    ;Subnet's mask
           Type = 3                       ;Connects to stub network
           Metric = 10
        
           Link ID= 198.51.100.0          ;IP network/subnet number
           Link Data = 255.255.255.252    ;Subnet's mask
           Type = 3                       ;Connects to stub network
           Metric = 10
        

The Type 1 link will be used for SPF calculation, while the Type 3 link will be used to install a route to the corresponding subnet in the Routing Information Base (RIB).

类型1链路将用于SPF计算,而类型3链路将用于安装到路由信息库(RIB)中相应子网的路由。

2.1.2. Hiding Point-to-Point Networks
2.1.2. 隐藏点对点网络

To hide a transit-only point-to-point network, the Type 3 link is omitted from the router-LSA.

为了隐藏仅传输的点到点网络,路由器LSA中省略了类型3链路。

An example of a router-LSA originated by RT1, hiding the point-to-point network depicted in Figure 1, would look like the following:

RT1发起的路由器LSA的一个示例隐藏了图1所示的点到点网络,如下所示:

        LS age = 0                        ;newly (re-)originated
        LS type = 1                       ;router-LSA
        Link State ID = 192.0.2.1         ;RT1's Router ID
        Advertising Router = 192.0.2.1    ;RT1's Router ID
        #links = 1
           Link ID = 192.0.2.2            ;RT2's Router ID
           Link Data = 198.51.100.1       ;Interface IP address
           Type = 1                       ;connects to RT2
           Metric = 10
        
        LS age = 0                        ;newly (re-)originated
        LS type = 1                       ;router-LSA
        Link State ID = 192.0.2.1         ;RT1's Router ID
        Advertising Router = 192.0.2.1    ;RT1's Router ID
        #links = 1
           Link ID = 192.0.2.2            ;RT2's Router ID
           Link Data = 198.51.100.1       ;Interface IP address
           Type = 1                       ;connects to RT2
           Metric = 10
        
2.2. Broadcast Networks
2.2. 广播网络

A broadcast network joins many (more than two) routers and supports the capability to address a single physical message to all of the attached routers. Figure 2 shows a broadcast network connecting routers RT3, RT4, and RT5.

广播网络连接多个(两个以上)路由器,并支持向所有连接的路由器发送单个物理消息的能力。图2显示了连接路由器RT3、RT4和RT5的广播网络。

                       +---+                   +---+
                       |RT3|                   |RT4|
                       +---+                   +---+
                         |.3  198.51.100.0/24  .4|
                      +-----------------------------+
                                     |.5
                                   +---+
                                   |RT5|
                                   +---+
        
                       +---+                   +---+
                       |RT3|                   |RT4|
                       +---+                   +---+
                         |.3  198.51.100.0/24  .4|
                      +-----------------------------+
                                     |.5
                                   +---+
                                   |RT5|
                                   +---+
        

Figure 2. Broadcast Network

图2。广播网

2.2.1. Advertising Broadcast Networks
2.2.1. 广告广播网

A Designated Router (DR) describes a broadcast network in a network-LSA. Assuming that RT3 is elected as the DR in Figure 2, an example of the network-LSA originated by RT3 would look like

指定路由器(DR)描述网络LSA中的广播网络。假设在图2中选择RT3作为DR,则RT3发起的网络LSA示例如下

        LS age = 0                        ;newly (re)originated
        LS type = 2                       ;network-LSA
        Link State ID = 198.51.100.3      ;IP address of the DR (RT3)
        Advertising Router = 192.0.2.3    ;RT3's Router ID
        Network Mask = 255.255.255.0
           Attached Router = 192.0.2.3    ;RT3's Router ID
           Attached Router = 192.0.2.4    ;RT4's Router ID
           Attached Router = 192.0.2.5    ;RT5's Router ID
        
        LS age = 0                        ;newly (re)originated
        LS type = 2                       ;network-LSA
        Link State ID = 198.51.100.3      ;IP address of the DR (RT3)
        Advertising Router = 192.0.2.3    ;RT3's Router ID
        Network Mask = 255.255.255.0
           Attached Router = 192.0.2.3    ;RT3's Router ID
           Attached Router = 192.0.2.4    ;RT4's Router ID
           Attached Router = 192.0.2.5    ;RT5's Router ID
        

OSPF obtains the IP network number from the combination of the Link State ID and the network mask. In addition, the Link State ID is also being used for the two-way connectivity check.

OSPF从链路状态ID和网络掩码的组合中获得IP网络号。此外,链路状态ID还用于双向连接检查。

2.2.2. Hiding Broadcast Networks
2.2.2. 隐藏广播网络
2.2.2.1. Sending Network-LSA
2.2.2.1. 发送网络LSA

A special subnet mask value of 255.255.255.255 MUST be used in the network-LSA to hide a transit-only broadcast network. While a broadcast network connects more than routers, using 255.255.255.255 will not hide an access broadcast network accidentally.

网络LSA中必须使用特殊的子网掩码值255.255.255.255来隐藏仅传输的广播网络。当广播网络连接多个路由器时,使用255.255.255.255不会意外隐藏访问广播网络。

As there is no change of the Link State ID, the two-way connectivity check would proceed normally.

由于链路状态ID没有变化,双向连接检查将正常进行。

An example of a network-LSA originated by RT3, hiding the broadcast network depicted in Figure 2, would look like the following:

由RT3发起的网络LSA的示例隐藏了图2中所示的广播网络,如下所示:

        LS age = 0                        ;newly (re-)originated
        LS type = 2                       ;network-LSA
        Link State ID = 198.51.100.3      ;IP address of the DR (RT3)
        Advertising Router = 192.0.2.3    ;RT3's Router ID
        Network Mask = 255.255.255.255    ;special subnet mask
           Attached Router = 192.0.2.3    ;RT3's Router ID
           Attached Router = 192.0.2.4    ;RT4's Router ID
           Attached Router = 192.0.2.5    ;RT5's Router ID
        
        LS age = 0                        ;newly (re-)originated
        LS type = 2                       ;network-LSA
        Link State ID = 198.51.100.3      ;IP address of the DR (RT3)
        Advertising Router = 192.0.2.3    ;RT3's Router ID
        Network Mask = 255.255.255.255    ;special subnet mask
           Attached Router = 192.0.2.3    ;RT3's Router ID
           Attached Router = 192.0.2.4    ;RT4's Router ID
           Attached Router = 192.0.2.5    ;RT5's Router ID
        
2.2.2.2. Receiving Network-LSA
2.2.2.2. 接收网络LSA

It is RECOMMENDED that all routers in an area be upgraded at the same time to process the modified network-LSA correctly and consistently.

建议同时升级一个区域中的所有路由器,以正确且一致地处理修改后的网络LSA。

When a router receives a network-LSA, it MUST calculate the routing table normally [OSPFv2]. However, if the network mask in the network-LSA is 255.255.255.255, the router MUST NOT install the route in the RIB.

当路由器接收到网络LSA时,它必须正常计算路由表[OSPFv2]。但是,如果网络LSA中的网络掩码为255.255.255.255,则路由器不得在RIB中安装路由。

2.2.2.2.1. Backward Compatibility
2.2.2.2.1. 向后兼容性

When a router that has not yet been upgraded receives a modified network-LSA, as specified in Section 2.2.2.1, a host route to the originating DR will be installed. This is not ideal, but it is better than the current result, which exposes the whole subnet.

当尚未升级的路由器收到第2.2.2.1节中规定的修改后的网络LSA时,将安装到发起DR的主机路由。这并不理想,但比当前的结果要好,因为当前结果公开了整个子网。

In a partial-deployment scenario, upgraded routers and routers that have not yet been upgraded may coexist. The former do not install the host route to the DR's interface, while the latter install it. Such inconsistencies create routing black holes, which should normally be avoided. In this case, however, as packets destined for the transit-only networks are dropped somewhere in the network, the black holes actually help the DRs defend themselves from remote attacks.

在部分部署场景中,升级的路由器和尚未升级的路由器可能共存。前者不安装到DR接口的主机路由,而后者安装它。这种不一致性会造成路由黑洞,这通常是应该避免的。然而,在这种情况下,由于发送到仅传输网络的数据包被丢弃在网络中的某个地方,黑洞实际上帮助DRs抵御远程攻击。

In summary, the modification of the network-LSA, as specified in Section 2.2.2.1, is backward compatible with the current specification of [OSPFv2], even in a partial-deployment scenario.

总之,第2.2.2.1节规定的网络LSA修改与[OSPFv2]的当前规范向后兼容,即使在部分部署场景中也是如此。

2.3. Non-Broadcast Networks
2.3. 非广播网络

A non-broadcast network joins many (more than two) routers but does NOT support the capability to address a single physical message to all of the attached routers. As mentioned in [OSPFv2], OSPF runs in one of two modes over non-broadcast networks: Non-Broadcast Multi-Access (NBMA) or point-to-multipoint.

非广播网络连接多个(两个以上)路由器,但不支持向所有连接的路由器发送单个物理消息。如[OSPFv2]所述,OSPF在非广播网络上以两种模式之一运行:非广播多址(NBMA)或点对多点。

2.3.1. NBMA
2.3.1. NBMA

In NBMA mode, OSPF emulates operation over a broadcast network: a Designated Router is elected for the NBMA network, and the Designated Router originates an LSA for the network.

在NBMA模式下,OSPF模拟广播网络上的操作:为NBMA网络选择指定路由器,指定路由器为网络发起LSA。

To hide an NBMA transit-only network, OSPF adopts the same modification as that used over the broadcast transit-only network (see Section 2.2.2).

为了隐藏NBMA仅传输网络,OSPF采用与广播仅传输网络相同的修改(见第2.2.2节)。

2.3.2. Point-to-Multipoint
2.3.2. 点对多点

In point-to-multipoint mode, OSPF treats the non-broadcast network as a collection of point-to-point links.

在点对多点模式下,OSPF将非广播网络视为点对点链路的集合。

Figure 3 shows a non-broadcast network connecting routers RT6, RT7, RT8, and RT9. In this network, all routers can communicate directly, except for routers RT7 and RT8.

图3显示了连接路由器RT6、RT7、RT8和RT9的非广播网络。在这个网络中,除了路由器RT7和RT8之外,所有的路由器都可以直接通信。

                       +---+                   +---+
                       |RT6|                   |RT7|
                       +---+                   +---+
                         |.6  198.51.100.0/24  .7|
                      +----------------------------+
                         |.8                   .9|
                       +---+                   +---+
                       |RT8|                   |RT9|
                       +---+                   +---+
        
                       +---+                   +---+
                       |RT6|                   |RT7|
                       +---+                   +---+
                         |.6  198.51.100.0/24  .7|
                      +----------------------------+
                         |.8                   .9|
                       +---+                   +---+
                       |RT8|                   |RT9|
                       +---+                   +---+
        

Figure 3. Non-Broadcast Network

图3。非广播网络

2.3.2.1. Advertising Point-to-Multipoint Networks
2.3.2.1. 广告点对多点网络

For a point-to-multipoint network, a router has multiple link descriptions in its router-LSA, one Type 1 link (point-to-point) for EACH directly communicable router, and one Type 3 link (stub) advertising its interface IPv4 address with a subnet mask of 255.255.255.255.

对于点对多点网络,路由器在其路由器LSA中有多个链路描述,每个直接可通信的路由器有一个1型链路(点对点),还有一个3型链路(存根),用255.255.255子网掩码公布其接口IPv4地址。

An example of a router-LSA originated by RT7 would look like the following:

RT7发起的路由器LSA示例如下所示:

        LS age = 0                        ;newly (re-)originated
        LS type = 1                       ;router-LSA
        Link State ID = 192.0.2.7         ;RT7's Router ID
        Advertising Router = 192.0.2.7    ;RT7's Router ID
        #links = 3
           Link ID = 192.0.2.6            ;RT6's Router ID
           Link Data = 198.51.100.7       ;Interface IP address
           Type = 1                       ;connects to RT6
           Metric = 10
        
        LS age = 0                        ;newly (re-)originated
        LS type = 1                       ;router-LSA
        Link State ID = 192.0.2.7         ;RT7's Router ID
        Advertising Router = 192.0.2.7    ;RT7's Router ID
        #links = 3
           Link ID = 192.0.2.6            ;RT6's Router ID
           Link Data = 198.51.100.7       ;Interface IP address
           Type = 1                       ;connects to RT6
           Metric = 10
        
           Link ID = 192.0.2.9            ;RT9's Router ID
           Link Data = 198.51.100.7       ;Interface IP address
           Type = 1                       ;connects to RT9
           Metric = 10
        
           Link ID = 192.0.2.9            ;RT9's Router ID
           Link Data = 198.51.100.7       ;Interface IP address
           Type = 1                       ;connects to RT9
           Metric = 10
        
           Link ID= 198.51.100.7          ;Interface IP address
           Link Data = 255.255.255.255    ;Subnet's mask
           Type = 3                       ;Connects to stub network
           Metric = 0
        
           Link ID= 198.51.100.7          ;Interface IP address
           Link Data = 255.255.255.255    ;Subnet's mask
           Type = 3                       ;Connects to stub network
           Metric = 0
        
2.3.2.2. Hiding Point-to-Multipoint Networks
2.3.2.2. 隐藏点对多点网络

To hide a transit-only point-to-multipoint network, the Type 3 link is omitted from the router-LSA.

为了隐藏仅传输点到多点网络,路由器LSA中省略了类型3链路。

An example of a router-LSA originated by RT7, hiding the point-to-point network depicted in Figure 3, would look like the following:

由RT7发起的路由器LSA的示例隐藏了图3所示的点对点网络,如下所示:

        LS age = 0                        ;newly (re-)originated
        LS type = 1                       ;router-LSA
        Link State ID = 192.0.2.7         ;RT7's Router ID
        Advertising Router = 192.0.2.7    ;RT7's Router ID
        #links = 2
           Link ID = 192.0.2.6            ;RT6's Router ID
           Link Data = 198.51.100.7       ;Interface IP address
           Type = 1                       ;connects to RT6
           Metric = 10
        
        LS age = 0                        ;newly (re-)originated
        LS type = 1                       ;router-LSA
        Link State ID = 192.0.2.7         ;RT7's Router ID
        Advertising Router = 192.0.2.7    ;RT7's Router ID
        #links = 2
           Link ID = 192.0.2.6            ;RT6's Router ID
           Link Data = 198.51.100.7       ;Interface IP address
           Type = 1                       ;connects to RT6
           Metric = 10
        
           Link ID = 192.0.2.9            ;RT9's Router ID
           Link Data = 198.51.100.7       ;Interface IP address
           Type = 1                       ;connects to RT9
           Metric = 10
        
           Link ID = 192.0.2.9            ;RT9's Router ID
           Link Data = 198.51.100.7       ;Interface IP address
           Type = 1                       ;connects to RT9
           Metric = 10
        
3. Hiding IPv6 Transit-Only Networks in OSPFv3
3. 在OSPFv3中隐藏IPv6仅传输网络

In [OSPFv3], addressing semantics have been removed from the OSPF protocol packets and the main LSA types, leaving a network-protocol-independent core.

在[OSPFv3]中,从OSPF协议包和主要LSA类型中删除了寻址语义,留下了独立于网络协议的核心。

More specifically, router-LSAs and network-LSAs no longer contain network addresses but simply express topology information. Instead, two new LSA types, link-LSA and intra-area-prefix-LSA, have been introduced. A link-LSA associates a list of IPv6 addresses to a link and has local-link flooding scope, and an intra-area-prefix-LSA either associates a list of IPv6 addresses with a router by referencing a router-LSA or associates a list of IPv6 addresses with a broadcast/NBMA network by referencing a network-LSA. In the latter case, the prefixes in the link-LSAs from adjacent neighbors are copied into the intra-area-prefix-LSA by the Designated Router.

更具体地说,路由器LSA和网络LSA不再包含网络地址,而只是表示拓扑信息。相反,引入了两种新的LSA类型,链路LSA和区域内前缀LSA。链路LSA将IPv6地址列表与链路相关联并具有本地链路泛洪作用域,并且区域内前缀LSA通过引用路由器LSA将IPv6地址列表与路由器相关联,或者通过引用网络LSA将IPv6地址列表与广播/NBMA网络相关联。在后一种情况下,来自相邻邻居的链路LSA中的前缀被指定路由器复制到区域内前缀LSA中。

To hide a transit-only network in [OSPFv3], the IPv6 address prefixes are omitted from the router-LSA. Consequently, when a Designated Router builds an intra-area-prefix-LSA referencing a network-LSA, these IPv6 address prefixes will be omitted.

为了在[OSPFv3]中隐藏仅传输的网络,路由器LSA中省略了IPv6地址前缀。因此,当指定路由器构建引用网络LSA的区域内前缀LSA时,将省略这些IPv6地址前缀。

In addition, when a router builds an intra-area-prefix-LSA that is referencing a router-LSA, the associated IPv6 address prefixes from the transit-only network MUST also be omitted from the intra-area-prefix-LSA.

此外,当路由器构建引用路由器LSA的区域内前缀LSA时,也必须从区域内前缀LSA中省略来自仅传输网络的关联IPv6地址前缀。

3.1. Hiding AF-Enabled Transit-Only Networks in OSPFv3
3.1. 在OSPFv3中隐藏支持AF的仅传输网络

[OSPF-AF] supports multiple Address Families (AFs) by mapping each AF to a separate Instance ID and OSPFv3 instance.

[OSPF-AF]通过将每个AF映射到单独的实例ID和OSPFv3实例,支持多个地址族(AFs)。

In the meantime, each prefix advertised in OSPFv3 has a prefix length field [OSPFv3], which facilitates advertising prefixes of different lengths in different AFs. The existing LSAs defined in [OSPFv3] are used for prefix advertising, and there is no need to define new LSAs.

同时,OSPFv3中公布的每个前缀都有一个前缀长度字段[OSPFv3],这有助于在不同AFs中公布不同长度的前缀。[OSPFv3]中定义的现有LSA用于前缀广告,无需定义新的LSA。

In other words, as link-LSAs and intra-area-prefix-LSAs are still being used, the same mechanism explained in Section 3 can be used to hide those AF-enabled transit-only networks as well.

换句话说,由于链路lsa和区域内前缀lsa仍在使用,第3节中解释的相同机制也可用于隐藏那些启用AF的仅传输网络。

4. Operational Considerations
4. 业务考虑

By eliminating the ability to reach transit-only networks, the ability to manage these interfaces may be reduced. In order not to reduce the functionality and capability of the overall network, it is recommended that extensions such as [UNNUMBERED] also be implemented.

通过消除到达仅公交网络的能力,管理这些接口的能力可能会降低。为了不降低整个网络的功能和能力,建议也实施扩展,如[未编号]。

Note that the extension defined in [UNNUMBERED] may provide the user with the IP address of an interface. If that address was hidden, as specified in this document, then even though the address is assigned to the interface, it will not be reachable.

注意,[UNNUMBERED]中定义的扩展可以向用户提供接口的IP地址。如果该地址被隐藏(如本文档中所述),则即使该地址已分配给接口,也无法访问该地址。

4.1. Forwarding Address
4.1. 转发地址

A non-zero forwarding address can be advertised in AS-external-LSAs and Not-So-Stubby Area LSAs (NSSA-LSAs) [NSSA] to achieve optimal routing to Autonomous System (AS) external routes. The matching routing table entry for the forwarding address must exist to facilitate the SPF calculation.

非零转发地址可以作为外部LSA和非短截区LSA(NSSA LSA)[NSSA]进行广告,以实现到自治系统(AS)外部路由的最佳路由。转发地址的匹配路由表条目必须存在,以便于SPF计算。

In other words, when prefix-hiding is configured on the next-hop interface, the next-hop address MUST NOT be advertised as a forwarding address.

换句话说,当在下一跳接口上配置前缀隐藏时,下一跳地址不得作为转发地址播发。

Consequently, sub-optimal routing to these AS external routes may exist when prefix-hiding is configured.

因此,当配置前缀隐藏时,可能存在到这些外部路由的次优路由。

4.2. Virtual Links
4.2. 虚拟链接

Virtual links are used to connect physically separate components of the backbone. The virtual link's viability is determined by the existence of an intra-area path between two endpoints. The matching routing table entries of the endpoints must exist to ensure the virtual link's operation.

虚拟链路用于连接主干的物理上独立的组件。虚拟链路的生存能力取决于两个端点之间是否存在区域内路径。端点的匹配路由表项必须存在,以确保虚拟链接的操作。

In other words, if prefix-hiding is configured on an interface, the virtual link endpoint MUST NOT use that interface's IP address as the virtual interface's IP address.

换句话说,如果在接口上配置了前缀隐藏,则虚拟链路端点不得将该接口的IP地址用作虚拟接口的IP地址。

4.3. Unnumbered Interfaces
4.3. 未编号的接口

Note that no host route is generated for, and no IP packets can be addressed to, interfaces to unnumbered point-to-point networks [OSPFv2]. In other words, these addresses are already hidden.

请注意,没有为未编号的点到点网络[OSPFv2]的接口生成主机路由,也没有IP数据包可以寻址。换句话说,这些地址已经被隐藏了。

However, for manageability purposes, it may be common practice to manually include the numbered interface (for example, a loopback interface to which the unnumbered interface points) in routing updates. If needed, the numbered interface's address can be hidden by using the mechanisms described in this document or by simply not advertising it.

然而,出于可管理性的目的,通常的做法是在路由更新中手动包含编号接口(例如,未编号接口指向的环回接口)。如果需要,可以使用本文档中描述的机制隐藏已编号接口的地址,或者干脆不公布它。

Before deciding to hide (or suppress the advertisement of) a numbered interface, it is very important to consider other uses that interface may have. Examples of common uses may include virtual link endpoint, inter-domain routing peering point, etc. In other words, it may not be possible to hide the address associated to an unnumbered interface due to other applications in the network.

在决定隐藏(或禁止广告)一个编号的接口之前,考虑接口可能有的其他用途是非常重要的。常见用途的示例可包括虚拟链路端点、域间路由对等点等。换句话说,由于网络中的其他应用,可能无法隐藏与未编号接口相关联的地址。

5. Security Considerations
5. 安全考虑

One motivation for this document is to reduce vulnerability to remote attacks by hiding transit-only networks. The result should then be that fewer OSPF core networks will be exposed.

本文档的一个动机是通过隐藏仅传输网络来降低远程攻击的脆弱性。结果应该是暴露的OSPF核心网络更少。

The mechanisms described above result in reachability information from transit-only networks not being installed in the routers' forwarding tables. The effect is that even if the address of a transit-only network is known, the forwarding information is not present in the routers to reach the destination. Also, in some cases, the address information is completely omitted from the LSA.

上述机制导致来自仅传输网络的可达性信息未安装在路由器的转发表中。其效果是,即使只传输网络的地址已知,路由器中也不存在到达目的地的转发信息。此外,在某些情况下,地址信息从LSA中完全省略。

Some information in the LSA (such as the OSPF Router ID) cannot be omitted. Even though the Router ID may be taken from an IPv4 address on the router, the configuration can be easily changed. Note again that having an address doesn't guarantee reachability if the information is hidden from the forwarding tables.

LSA中的某些信息(如OSPF路由器ID)不能忽略。即使路由器ID可能来自路由器上的IPv4地址,配置也可以轻松更改。再次注意,如果信息隐藏在转发表中,拥有地址并不能保证可访问性。

While the steps described in this document are meant to be applied only to transit-only networks, they could be used to hide other networks as well. It is expected that the same care that users put into the configuration of other routing protocol parameters is used in the configuration of this extension.

虽然本文件中描述的步骤仅适用于仅公交网络,但也可用于隐藏其他网络。预期在配置此扩展时会使用与用户在配置其他路由协议参数时相同的注意事项。

6. Acknowledgments
6. 致谢

The idea of using a special subnet mask to hide broadcast networks in OSPF was originally introduced in the US patent "Apparatus and method to hide transit only multi-access networks in OSPF" (patent number: 7,929,524), by Yi Yang, Alvaro Retana, James Ng, Abhay Roy, Alfred Lindem, Sina Mirtorabi, Timothy Gage, and Khalid Raza.

在OSPF中使用特殊子网掩码隐藏广播网络的想法最初是由杨毅、阿尔瓦罗·雷塔纳、詹姆斯·吴、阿比·罗伊、阿尔弗雷德·林登、新浪·米尔托拉比、蒂莫西·盖奇和哈立德·拉扎在美国专利“在OSPF中隐藏仅传输多址网络的装置和方法”(专利号:7929524)中提出的。

The authors would like to thank Acee Lindem, Shraddha Hegde, Rajesh Shetty, Marek Karasek, Michael Barnes, Paul Wells, Adrian Farrel, and Stephen Farrell for their feedback on the document.

作者要感谢Acee Lindem、Shraddha Hegde、Rajesh Shetty、Marek Karasek、Michael Barnes、Paul Wells、Adrian Farrel和Stephen Farrell对该文件的反馈。

7. References
7. 工具书类
7.1. Normative References
7.1. 规范性引用文件

[KEYWORD] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[关键词]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 211997年3月。

[NSSA] Murphy, P., "The OSPF Not-So-Stubby Area (NSSA) Option", RFC 3101, January 2003.

[NSSA]Murphy,P.,“OSPF不那么短的区域(NSSA)选项”,RFC3101,2003年1月。

[OSPFv2] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.

[OSPFv2]Moy,J.,“OSPF版本2”,STD 54,RFC 23281998年4月。

[OSPFv3] Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF for IPv6", RFC 5340, July 2008.

[OSPFv3]Coltun,R.,Ferguson,D.,Moy,J.,和A.Lindem,“IPv6的OSPF”,RFC 53402008年7月。

[OSPF-AF] Lindem, A., Ed., Mirtorabi, S., Roy, A., Barnes, M., and R. Aggarwal, "Support of Address Families in OSPFv3", RFC 5838, April 2010.

[OSPF-AF]Lindem,A.,Ed.,Mirtorabi,S.,Roy,A.,Barnes,M.,和R.Aggarwal,“OSPFv3中地址家庭的支持”,RFC 5838,2010年4月。

7.2. Informative References
7.2. 资料性引用

[UNNUMBERED] Atlas, A., Ed., Bonica, R., Ed., Pignataro, C., Ed., Shen, N., and JR. Rivers, "Extending ICMP for Interface and Next-Hop Identification", RFC 5837, April 2010.

[未编号]Atlas,A.,Ed.,Bonica,R.,Ed.,Pignataro,C.,Ed.,Shen,N.,和JR.Rivers,“为接口和下一跳识别扩展ICMP”,RFC 5837,2010年4月。

Authors' Addresses

作者地址

Yi Yang Cisco Systems, Inc. 7025 Kit Creek Road RTP, NC 27709 USA

益阳思科系统有限公司,地址:美国北卡罗来纳州基特克里克路RTP 7025号,邮编:27709

   EMail: yiya@cisco.com
        
   EMail: yiya@cisco.com
        

Alvaro Retana Cisco Systems, Inc. 7025 Kit Creek Road RTP, NC 27709 USA

美国北卡罗来纳州基特克里克路RTP 7025号阿尔瓦罗·雷塔纳思科系统公司,邮编:27709

   EMail: aretana@cisco.com
        
   EMail: aretana@cisco.com
        

Abhay Roy Cisco Systems, Inc. 225 West Tasman Drive San Jose, CA 95134 USA

美国加利福尼亚州圣何塞市西塔斯曼大道225号阿比罗伊思科系统公司,邮编95134

   EMail: akr@cisco.com
        
   EMail: akr@cisco.com