Ron,

When we started this work we wanted to make a recommendation, because we believe that there are advantages in the approach. Quite early it became clear that there is no consensus in the IETF on whether the link-local approach actually makes life simpler or not. Some people say it doesn't, some people say it does.

So the agreement at the time was to list, factually, without any weighing of judgement, the technical aspects, pros and cons. This is what we're trying to do. We have removed all "recommend" and similar phrases. (Thanks to our reviewers, who kept us honest here.)

The idea is that a network operator has easy access to all the aspects to consider, potential advantages, and caveats. And this operator should now be able to say for his network: this advantage doesn't make much difference to me; the other one does. This caveat does apply to me, the other one does not.

You're making those calls below; my point would be: we've seen in the early stages of this draft that it's hard to get global consensus on those. So I suggest we keep the document factual, and let operators make their own choices. This is what the document should achieve. It should not make a judgement on the value of any aspect, because those would be context-dependent.

My question is: is the document in any place not factual? Or missing facts? If so, please let us know - that should be fixed!

Michael

> -----Original Message-----
> From: OPSEC [mailto:[email protected]] On Behalf Of Ronald Bonica
> Sent: 03 December 2013 19:55
> To: [email protected]
> Subject: [OPSEC] Review of draft-ietf-opsec-lla-only-05
>
> Folks,
>
> Reading through Sections 2.2 and 2.3 of this document, I question whether
> the benefits of numbering router interfaces from link-local address space
> actually outweigh the cost. The document lists the following as benefits:
>
> 1) Smaller routing tables
> 2) Simpler address management
> 3) Lower configuration complexity
> 4) Simpler DNS
> 5) Reduced attack surface
>
> IMHO, advantages 1, 2 and 3 are dubious. In this draft, we consider
> numbering router-to-router interfaces from link-local space. In a large
> network, the number of router-to-router interfaces is dwarfed by the total
> number of interfaces. So, numbering router-to-router interfaces reduces
> the magnitude of some problems, but not by a significant amount.
>
> Advantage #5 also is dubious. If you think of an address as being "the attack
> surface" of a router, then numbering selected interfaces from link-local
> reduces the attack surface. But miscreants don't attack addresses. They
> attack the resource that an address represents. Since all of those resources
> are accessible using the box's globally routable loopback address,
> numbering some interfaces from link-local really doesn't reduce the attack
> surface.
>
> I realize that this may not be the kind of review that you want. So, I am
> happy to be told that mine is the minority opinion.
>
> --------------------------
> Ron Bonica
> vcard: www.bonica.org/ron/ronbonica.vcf
>
> _______________________________________________
> OPSEC mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsec
