Are Unnumbered Interfaces Harmful?
A few weeks ago I got into an interesting discussion about the potential harm caused by unnumbered IPv4/IPv6 interfaces.
Ignoring for the moment the vendor-specific or media-specific implementation details, these two arguments usually pop up in the first 100 milliseconds (assuming engineers involved in the discussion have some hands-on operational experience):
- You cannot do hop-by-hop telnet/SSH in case your routing protocol breaks down;
- Traceroute will display box addresses (loopback addresses) instead of interface addresses.
The first argument is obviously valid in the IPv4 world and no longer true in the IPv6 world – link-local addresses are always available on every IPv6 interface and you can use them to do hop-by-hop telnet/SSH (admittedly in a somewhat clunky way, but it works). However, do keep in mind that if you use any centralized authentication/authorization scheme and the routing protocol breaks, you won’t get into the box no matter what.
Speaking of traceroute: it might give you wrong interface information any time you happen to have asymmetrical routing or multiple equal-cost paths. Without any additional configuration, in most implementations the source IP address in the ICMP TTL exceeded reply is the IP address of the outgoing interface – the interface the router would use to reach the traceroute prober – and not the IP address of the interface through which the probe was received. Is there a box out there that’s smarter than this? I would love to hear about it!
2016-01-12: RFC 5837 specifies ICMP extensions that would make ICMP replies to traceroute probes way more useful (and accurate). However, it looks like nobody implemented it in almost five years since it was published.
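To make the source-address behaviour concrete, here is an added example (not code from the original post) that models a router choosing the source of its ICMP TTL-exceeded reply the way described above: the interface facing the prober, or the loopback when that interface is unnumbered. The four-router topology, interface names and addresses are constructed; the forward path runs R1-R2-R3 while R3 routes back to the prober via R4, and the R1-R2 link is unnumbered.

```python
# Added example: which address a traceroute prober sees per hop, and why it
# can differ from the interface the probe actually arrived on.
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    loopback: str
    ifaces: dict   # ifname -> (address, or None if unnumbered; neighbour name)
    fib: dict      # destination -> outgoing ifname (simplified forwarding table)

    def egress(self, dst):
        return self.fib[dst]

    def ingress_from(self, neighbour):
        return next(i for i, (_, n) in self.ifaces.items() if n == neighbour)

    def reply_source(self, prober):
        # Reply is sourced from the interface used to reach the *prober*
        # (the common RFC 1812 behaviour), falling back to the loopback
        # when that interface is unnumbered.
        addr = self.ifaces[self.egress(prober)][0]
        return addr if addr is not None else self.loopback

def traceroute(routers, src, dst, first_router):
    """Walk the forward path; return (router, ingress ifname,
    ingress address, address the prober actually sees) per hop."""
    hops, prev, cur = [], src, first_router
    while cur != dst:
        r = routers[cur]
        ingress = r.ingress_from(prev)
        hops.append((r.name, ingress, r.ifaces[ingress][0] or r.loopback, r.reply_source(src)))
        prev, cur = cur, r.ifaces[r.egress(dst)][1]
    return hops

def build_topology():
    # Constructed topology. Forward path S -> R1 -> R2 -> R3 -> D, but R3 sends
    # traffic back to S via R4 (asymmetric routing). R1-R2 is unnumbered.
    return {
        "R1": Router("R1", "192.0.2.1", {"e0": ("10.0.1.1", "S"), "e1": (None, "R2"),
                     "e2": ("10.0.14.1", "R4")}, {"S": "e0", "D": "e1"}),
        "R2": Router("R2", "192.0.2.2", {"e0": (None, "R1"), "e1": ("10.0.23.2", "R3")},
                     {"S": "e0", "D": "e1"}),
        "R3": Router("R3", "192.0.2.3", {"e0": ("10.0.23.3", "R2"), "e1": ("10.0.34.3", "R4"),
                     "e2": ("10.0.3.3", "D")}, {"S": "e1", "D": "e2"}),
        "R4": Router("R4", "192.0.2.4", {"e0": ("10.0.14.4", "R1"), "e1": ("10.0.34.4", "R3")},
                     {"S": "e0", "D": "e1"}),
    }

if __name__ == "__main__":
    for n, (rtr, ingress, in_addr, shown) in enumerate(traceroute(build_topology(), "S", "D", "R1"), 1):
        print(f"{n}  {shown:12} ({rtr}: probe arrived on {ingress} = {in_addr})")
```

Hop 2 is reported as R2's loopback (unnumbered ingress and egress), and hop 3 is reported as 10.0.34.3, an address on the R3-R4 link that the probe never traversed; only an RFC 5837-style extension carrying the ingress interface would show 10.0.23.3.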
Are there any other reasons to avoid unnumbered interfaces (vendor X doesn’t implement them on interface type Y doesn’t count)? Please write a comment!
Regarding traceroute, maybe it's time to come with a better set of tools to troubleshoot the network...
http://blog.ipspace.net/2015/02/bgp-configuration-made-simple-with.html
In the world of IPv6, we use link-local router-router plus GUA loopback, BFD, OSPFv3, iBGP. This works well for us.
We also run host-facing IPv6 networks with "nd prefix no-onlink".
Despite the initial knee-jerk reaction, I have found no real downside to using unnumbered/link-local interfaces. Getting router configs down to loopback only is quite nice...
Ivan, RFC 1812 (4.3.2.4) requires that ICMP messages be sourced from the transmit interface IP (if available). Has that "MUST" been relaxed by subsequent RFCs to allow for "smarter" replies (replies reflecting probe ingress interface) to traceroute probes?
Also, sorry! I didn't mean to put you to work!
1) Afraid the NOC won't know how to troubleshoot
2) It might mess with discovery tools (NNMI, etc.)
At a company that is so large that we have nearly exhausted RFC1918 space, you would think ip unnumbered would be as popular as beer at the beach. Even using /30's, it eats up slightly more than a /22 (v4) to address 4 spines of 9504's.
"However, do keep in mind that if you use any centralized authentication/authorization scheme and the routing protocol breaks, you won’t get into the box no matter what."
I was hoping to use this feature on server farms and cloud fabrics, so OOB _should_ save the day there.
But, in the end, it'll just be another academic religious battle, like whether gateways should be .1 or .254, or whether .0 and .255 are valid host IPs on large subnets, and whether /31's are good form. If you like those battles and constantly having to justify and explain yourself, then go for it.
There's local AAA fallback for AuthA/AuthZ. Am I missing something?
Anyway, I wanted to see whether there were other considerations, and it looks like there are none (apart from NMS/autodiscovery challenges).
Any feedback on this... I am trying to lab up this scenario and check...
It _should_ work if you're using loopback addresses in your ERO (might be implementation dependent, test it first), but obviously you can't specify the interfaces you want to have in the path (because they don't have addresses) but only nodes.
It's one of those identified things I mentioned, but it really needs customers to drive those enhancements.