INTERNET-DRAFT
draft-manning-dsua-04.txt
Bill
Manning
ISI
03
January 2001
Documenting Special Use IPv4
Address Blocks
that have been registered with IANA
1.
Status of this Memo
This
draft, file name draft-manning-dsua-04.txt, is intended to become
something
that might be of use to those who are interested in the
operational
requirements of an IPv4 based network.
It does not specify
an
Internet standard of any kind. Distribution of this document is
unlimited.
Comments should be sent to the author.
This
document is an Internet-Draft and is NOT offered in accordance with
Section
10 of RFC2026, and the author does not provide the IETF with any
rights
other than to publish as an Internet-Draft.
Internet-Drafts
are working documents of the Internet Engineering Task
Force
(IETF), its areas, and its working groups.
Note that other groups
may
also distribute working documents as Internet-Drafts.
Internet-Drafts
are draft documents valid for a maximum of six months and
may be
updated, replaced, or obsoleted by other documents at any time. It
is
inappropriate to use Internet-Drafts as reference material or to cite
them
other than as "work in progress."
The
list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list
of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright
Notice
Copyright (C) The Internet Society
(2000). All Rights Reserved.
2.
PREAMBLE:
This
document lists the existent special use prefixes from the IPv4 space
that
have been registered with the IANA and provides some suggestions for
operational
procedures when these prefixes are encountered. This document
does
not address IPv4 space that is not registered with the IANA for special
use or
address space that is reserved for future delegation in the
operational
Internet.
The
current list of special use prefixes:
0.0.0.0/8
127.0.0.0/8
192.0.2.0/24
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
all D/E space
2.1
Prefix Discussion:
0.0.0.0/8
has a number of unique properties, many of which were built into
the
protocol stacks used throughout the Internet.
0.0.0.0/32 or the all-zeros
address
has been used and is still recognized as the historical broadcast
address.
This use or restriction is deprecated and modern code will treat
broadcast
correctly as an all-ones value within the subnet. It is fairly
common
practice to use 0.0.0.0 to encode the idea of "default".
Also,
many stacks will allow the system administrator to encode IP addresses
of the
form 0.0.160.57, with the presumption that historical, "natural"
masks
apply
and so this would represent a host that carries the local value of
x.x.160.57
within the /16 net-block that is in use on that media. These
properties
suggest that a prudent network manager & system admin will treat
0.0.0.0/8
as a special use net-block. Router and Host requirements documents
and
implementations treat this range with special use constraints.
127.0.0.0/8
is earmarked for what is called "loop-back". This construct is
to
allow a node to test/validate its IP stack.
Most software only uses
a
single value from this range, 127.0.0.1/32 for loop-back purposes. It
is
treated with the same levels of restriction by router and host requirements
and
implementations so it is difficult to use any other addresses within
this
block for anything other than node specific applications, generally
bootstrapping. All in all a tremendous waste of IP space.
Good thing we'll
not
likely need it.
192.0.2.0/24
is listed as the TEST-NET. This prefix is earmarked for use in
documentation
and example code. Network operations and End System
administrators
should ensure that this prefix is not coded into systems
or
routed through any infrastructure.
Since it has the appearance of a
"normal"
prefix, special precautions should be taken to ensure that this
prefix
is not propagated in either the Internet or any private networks
that
use the IP protocols. Often used in
conjunction with example.com
or
example.net in vendor and protocol documentation.
10.0.0.0/8,
172.16.0.0/12, 192.168.0.0/16 are the prefixes called out
in RFC
1918. They are only for use in private networks that wish to use
the IP
protocols. Network operations and End System administrators should
ensure
that applications do not use these ranges as source or destination
addresses
for any packets that traverse the Internet infrastructure. Since
they
have the appearance of "normal" prefixes, special precautions should
be
taken
to ensure that they are not propagated in the Internet.
169.254.0.0/16
has been ear-marked as the IP range to use for end node
auto-configuration
when a DHCP server may not be found. As such, network
operations
and administrators should be VERY aggressive in ensuring that
neither
route advertisements nor packet forwarding should occur across
any
media boundaries. This is true for the Internet as well as any
private
networks that use the IP protocols. End node administrators
should
be aware that some vendors will auto-configure and add this
prefix
to the nodes forwarding table. This will cause problems with
sites
that run router discovery or deprecated routing protocols such as
RIP.
Class D
& E space. These are parts of the IPv4 space that retain some context
of
class-fullness. They are used for identification of multicast and a range
left
unspecified. Multicast is perfectly
legal and has valid public uses but
some
care is required in understanding its appropriate use. The "E" space
is
still
unspecified and so should be avoided. This extract from RFC 1166 covers
these
ranges.
The fourth type of address, class D, is
used as a multicast
address [13]. The four highest-order bits are set to 1-1-1-0.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8
9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1 1 1 0| multicast address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Class D
Address
Note:
No addresses are allowed with the four highest-order bits
set to 1-1-1-1. These addresses, called "class E",
are reserved.
As a
side note, at least one vendor has hijacked an address range for
use by
its printservers. That range is 192.0.0.0/24 and the specific
address
that they use is 192.0.0.192/32. This
is not a valid delegation
to this
vendor and its use argues for re-constitution of this service
into
the link-local range or configurable with site delegated space.
3. DNS
considerations:
None of
these address prefixes, save multicast, is to be used or visible on
the
public Internet. In fact, some of these
prefixes must not appear outside
the
machine. To encourage honesty, most of these prefixes have been mapped to
authoritative
servers in the DNS at the request of the IANA. This encourages
people
to ensure that when used, these prefixes are coded with local-scope
DNS and
there will be no "leakage" to the global Internet.
4.
Access Control suggestions:
In
todays network, it is prudent to control access. In the case of these
special
use prefixes, it is generally a good idea to filter them so they
do not
propagate. After all, you don't want someone else's use of these
prefixes
to taint your environment. All of these address classes should be
invalid
as source addresses (except where negotiated in advance), and very
few
should be permitted as destination addresses (Multicast for example,
should
be permitted as a destination, just not as a source). An example of
one
form of access control is listed below:
...
access-list
100 deny ip host 0.0.0.0 any
access-list
100 deny ip 127.0.0.0 0.255.255.255
255.0.0.0 0.255.255.255
access-list
100 deny ip 10.0.0.0 0.255.255.255
255.0.0.0 0.255.255.255
access-list
100 deny ip 172.16.0.0 0.15.255.255
255.240.0.0 0.15.255.255
access-list
100 deny ip 192.168.0.0 0.0.255.255
255.255.0.0 0.0.255.255
access-list
100 deny ip 192.0.2.0 0.0.0.255
255.255.255.0 0.0.0.255
access-list
100 deny ip 169.254.0.0 0.0.255.255
255.255.0.0 0.0.255.255
access-list
100 deny ip 240.0.0.0 15.255.255.255
any
access-list
100 permit ip any any
...
5.
Security Considerations:
Use of
most of these special use prefixes open up significant opportunities
for
anonymity and ambiguity. People, being what they are, will hide behind
ambiguous
or nebulous identities to do things that are antisocial and
downright
hostile. It would be nice to have better authentication methods
in play
than an IP address which has lost its global uniqueness.
6.
References:
[DHC-IPV4-AUTOCONFIG]
- R. Troll, Automatically Choosing an IP Address
in an
Ad-Hoc IPv4 Network, Internet draft,
draft-ietf-dhc-ipv4-autoconfig-04.txt,
October 1998
[RFC1918] Y. Rekhter et.al., Address Allocation for
Private Internets,
February
1996, RFC 1918
[RFC1122]
R. Braden, Requirements for Internet
Hosts -- Communication Layers,
October
1989, RFC 1122
[RFC1166]
S.Kirkpatrick et.al, INTERNET NUMBERS, July 1990, RFC 1166
[RFC1812]
F. Baker, Requirements for IP Version 4 Routers,
June
1995, RFC 1812
[RFC2267]
P. Ferguson, D. Senie, Network Ingress Filtering:
Defeating
Denial of Service Attacks which employ IP Source Address Spoofing,
January
1998, RFC 2267
[NET-TEST]
Netname: IANA, Netnumber: 192.0.2.0, Coordinator:
Internet
Assigned Numbers Authority, 1993
[LOOPBACK]
Netname: LOOPBACK, Netnumber: 127.0.0.0, Coordinator:
Internet
Assigned Numbers Authority, 1972
[RESERVED-1]
Netname RESERVED-1, Netblock: 0.0.0.0 - 0.255.255.255,
Coordinator:
Internet Assigned Numbers Authority, 1972
8.
Author's Address
Bill Manning
PO 12317
Marina del Rey, CA. 90295
USA
bmanning@karoshi.com
310.322.8102
9. Full Copyright Statement
Copyright (C) Bill Manning (2001). All Rights Reserved.
This document and translations of it may be
copied and furnished to
others, without restriction of any
kind, provided that the above copyright
notice and this paragraph are
included on all such copies and derivative
works. However, this
document itself may not be modified in any
way.
This document and the information contained
herein is provided on an
"AS IS" basis and the author DISCLAIMS
ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO ANY WARRANTY THAT
THE USE OF THE INFORMATION HEREIN WILL NOT
INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR
PURPOSE.