Folks,

Reading through Sections 2.2 and 2.3 of this document, I question whether the benefits of numbering router interfaces from link-local address space actually outweigh the cost. The document lists the following as benefits:

1) Smaller routing tables
2) Simpler address management
3) Lower configuration complexity
4) Simpler DNS
5) Reduced attack surface

IMHO, advantages 1, 2 and 3 are dubious. In this draft, we consider numbering router-to-router interfaces from link-local space. In a large network, the number of router-to-router interfaces is dwarfed by the total number of interfaces. So, numbering router-to-router interfaces reduces the magnitude of some problems, but not by a significant amount.

Advantage #5 also is dubious. If you think of an address as being "the attack surface" of a router, then numbering selected interfaces from link-local reduces the attack surface. But miscreants don't attack addresses. They attack the resource that an address represents. Since all of those resources are accessible using the box's globally routable loopback address, numbering some interfaces from link-local really doesn't reduce the attack surface.

I realize that this may not be the kind of review that you want. So, I am happy to be told that mine is the minority opinion.

--------------------------
Ron Bonica
vcard: www.bonica.org/ron/ronbonica.vcf

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
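The reachability argument in the message above, as an added worked example (not part of the original post, the draft under review, or any vendor implementation): a toy model of one router whose services listen on the wildcard address, numbered once from global space and once from link-local space. The router name "r1", the link names "to-r2"/"to-r3", the port list and the 2001:db8::/32 documentation addresses are all constructed for illustration; the model assumes no control-plane ACLs or infrastructure filters, and encodes only the one rule that matters here, that fe80::/10 addresses are never forwarded off their link.

```python
"""Toy reachability model: does link-local interface numbering shrink what an
attacker can reach?  Addresses are from 2001:db8::/32 (documentation space)
and fe80::/10; router, link and service names are made up for the example."""
import ipaddress
from dataclasses import dataclass, field

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
WILDCARD = "::"  # a service bound here listens on every address the box owns


@dataclass
class Router:
    name: str
    loopback: str          # globally routable loopback address
    interfaces: dict       # link name -> this router's address on that link
    services: dict = field(default_factory=dict)  # port -> bind address

    def addresses(self):
        """Yield (link, address) pairs; the loopback belongs to no link."""
        yield None, self.loopback
        yield from self.interfaces.items()


def reachable(router, attacker_link=None):
    """Set of (address, port) pairs an attacker can open a session to.

    attacker_link=None models an attacker anywhere in the routed network;
    a link name models an attacker attached to that specific link.
    Link-local addresses are never forwarded, so they are reachable only
    from their own link; every other address is assumed routable (no ACLs
    or infrastructure filters are modelled, which is an assumption).
    """
    result = set()
    for port, bind in router.services.items():
        for link, addr_s in router.addresses():
            if bind != WILDCARD and bind != addr_s:
                continue  # service is not listening on this address
            if ipaddress.ip_address(addr_s) in LINK_LOCAL and attacker_link != link:
                continue  # link-local: only a directly attached attacker gets here
            result.add((addr_s, port))
    return result


def exposed_ports(router, attacker_link=None):
    """The services an attacker can reach, whichever address is used."""
    return {port for _, port in reachable(router, attacker_link)}


# Constructed sample: the same box and the same services, two numbering plans.
SERVICES = {22: WILDCARD, 179: WILDCARD, 161: WILDCARD}  # ssh, bgp, snmp
GLOBAL_NUMBERED = Router("r1", "2001:db8::1",
                         {"to-r2": "2001:db8:ff::1", "to-r3": "2001:db8:ff::5"},
                         dict(SERVICES))
LL_NUMBERED = Router("r1", "2001:db8::1",
                     {"to-r2": "fe80::1", "to-r3": "fe80::5"},
                     dict(SERVICES))
# Binding the service to the link-local address itself is what changes exposure.
LL_BGP_ON_LINK = Router("r1", "2001:db8::1",
                        {"to-r2": "fe80::1", "to-r3": "fe80::5"},
                        {22: WILDCARD, 179: "fe80::1"})

if __name__ == "__main__":
    for r in (GLOBAL_NUMBERED, LL_NUMBERED, LL_BGP_ON_LINK):
        print(f"{len(reachable(r)):2d} (addr, port) pairs reachable off-link; "
              f"ports exposed off-link: {sorted(exposed_ports(r))}; "
              f"on link to-r2: {sorted(exposed_ports(r, 'to-r2'))}")
```

Running it shows the point of the message: the globally numbered router offers nine (address, port) pairs to an off-link attacker and the link-local-numbered one only three, yet the set of exposed services is identical in both cases, because every service is still reachable through the global loopback. The third router is the practitioner's check that actually moves the needle: only when a service is bound to (or filtered to) the link-local address does it drop out of the off-link set, and then only that service, only for that link.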
