Using RFC1918 on Global table as Loopbacks

Warren Kumari warren at kumari.net
Fri Oct 6 16:13:13 UTC 2023


On Thu, Oct 05, 2023 at 1:42 PM, Niels Bakker <niels=nanog at bakker.net>
wrote:

> * GutierrezJ at westmancom.com (Javier Gutierrez) [Thu 05 Oct 2023, 19:25
> CEST]:
>
> I have recently encountered some operational differences at my new
> organization that are not what I have been exposed to before, where the
> loopback of the core network devices is being set from RFC1918 while on the
> global routing table. I'm sure this is not a major issue but I have mostly
> seen that ISPs use global IPs for loopbacks on devices that would and hold
> global routing.
>
> My question is, what is the most used or recommended way to do this, if I
> continue to use RFC1918 I will save some very much desired public address
> space, but would this come back to bite me in the future?
>
> The recommendation is to make Router-IDs globally unique. They're used in
> collision detection. What if you and a peer pick the same non globally
> unique address? Any session will never come up.
>


Yes, Router-IDs should be unique within a domain, but that doesn't mean
that 1: they need to be the same as the loopback address and 2: if they
are not talking to (external) peers, they don't even have to be
**globally** unique.

If I choose to number "core" devices from 192.168.0.0/24, and ensure that I
don't give multiple devices the same (e.g. 192.168.0.42) address, everything
works just fine. Note that you have the same problem with non-RFC1918 space
— giving multiple devices the same "public" address ends equally poorly.

At one point, it was viewed by some as a feature to not use globally
reachable addresses for loopbacks - the thought being that if you cannot
target packets towards e.g. SSH / Telnet / whatever, you cannot attack /
DoS the box as easily.

However, just because you *can* use RFC1918 space for loopbacks (and in
many cases Router-IDs), it doesn't mean that you *should*. Eventually
you'll decide to convert some purely iBGP speaker into an eBGP device, and
will discover that both you and your peer decided to do this, and both
chose 10.117.236.17 for the loopback and Router-ID….


> You need globally unique IP addresses on routers anyway, to send ICMP
> error packets from.
>


Weeeeeell… "Need" might be a bit strong; it seems to have decreased over
time, but it used to be fairly common to see 1918 space show up in
traceroute. I suspect that a fair number of ICMPs are still being sourced
from 1918 space, but BCP38 and similar filters are dropping them, leading
to '* * *'. Perhaps "Assuming you don't want to be a jackass, you need …"?

w



> -- Niels.
>
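The three operational points in the exchange above (Router-IDs must be unique within your own domain; an RFC1918 Router-ID becomes a collision risk the day a box starts speaking eBGP; ICMP sourced from RFC1918 space gets dropped by BCP38-style/bogon filters and shows up as '* * *' in traceroute) can be checked mechanically against a device inventory. The script below is an added example written for this page, not something from the thread, from Warren or Niels, or from any vendor tool. The inventory format (one dict per device with "loopback", "router_id" and "ebgp_peers"), the device names, the addresses and the peer ASNs are all constructed for illustration; 10.117.236.17 is reused from the post because that is the exact collision it describes.

```python
"""Loopback / Router-ID sanity check over a constructed router inventory.

Added example, not code from the NANOG thread.  It assumes a hypothetical
inventory format: one dict per device with its loopback, its BGP Router-ID
and the eBGP peers it talks to (each peer with an ASN and the Router-ID the
peer announced).  It checks:

  1. Router-IDs are unique among our own devices;
  2. any eBGP speaker with an RFC1918 Router-ID, and whether a peer has
     already picked the same one (the session will never come up);
  3. how a traceroute looks when hops reply from RFC1918 space and a
     BCP38-style / bogon ingress filter on the return path drops them.
"""
import ipaddress
from collections import Counter
from typing import Dict, List

# RFC1918 space.  Not globally routable, so a bogon / BCP38-style source
# filter on a transit edge will drop packets (including ICMP) sourced here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


# Constructed inventory (hypothetical names, addresses and peer ASNs).
INVENTORY: List[Dict] = [
    {"name": "core1", "loopback": "192.168.0.41", "router_id": "192.168.0.41",
     "ebgp_peers": []},
    {"name": "core2", "loopback": "192.168.0.42", "router_id": "192.168.0.42",
     "ebgp_peers": []},
    # core3 was cloned from core2 and nobody changed the loopback: duplicate.
    {"name": "core3", "loopback": "192.168.0.42", "router_id": "192.168.0.42",
     "ebgp_peers": []},
    # edge1 used to be an iBGP-only box; it now peers with an external AS
    # whose Router-ID happens to be the same RFC1918 address.
    {"name": "edge1", "loopback": "10.117.236.17", "router_id": "10.117.236.17",
     "ebgp_peers": [{"asn": 64496, "router_id": "10.117.236.17"}]},
    # edge2 uses public (documentation-range) space: no collision risk.
    {"name": "edge2", "loopback": "198.51.100.2", "router_id": "198.51.100.2",
     "ebgp_peers": [{"asn": 64497, "router_id": "203.0.113.9"}]},
]


def find_duplicate_router_ids(inventory: List[Dict]) -> List[str]:
    """Router-IDs used by more than one of our own devices.  This breaks
    sessions equally badly whether the space is RFC1918 or public."""
    counts = Counter(d["router_id"] for d in inventory)
    return sorted(rid for rid, n in counts.items() if n > 1)


def find_ebgp_collision_risks(inventory: List[Dict]) -> List[Dict]:
    """eBGP speakers whose Router-ID is RFC1918, plus the ASNs of any peer
    that announced the very same Router-ID (a session that never comes up)."""
    findings = []
    for d in inventory:
        if not d["ebgp_peers"] or not is_rfc1918(d["router_id"]):
            continue
        clashing = [p["asn"] for p in d["ebgp_peers"]
                    if p["router_id"] == d["router_id"]]
        findings.append({"name": d["name"], "router_id": d["router_id"],
                         "clashes_with_asn": clashing})
    return findings


def traceroute_view(hop_sources: List[str], bcp38_filter: bool = True) -> List[str]:
    """Per-hop traceroute output given the source address of each hop's ICMP
    TTL-exceeded reply.  With a BCP38-style / bogon filter on the return
    path, replies sourced from RFC1918 space are dropped and print as * * *."""
    return ["* * *" if bcp38_filter and is_rfc1918(src) else src
            for src in hop_sources]


if __name__ == "__main__":
    print("duplicate router-ids:", find_duplicate_router_ids(INVENTORY))
    print("eBGP collision risks:", find_ebgp_collision_risks(INVENTORY))
    # Constructed path: public hop, RFC1918-numbered core hop, public hop.
    print("traceroute:", traceroute_view(["198.51.100.1", "192.168.0.42", "203.0.113.9"]))
```

Run as-is it reports 192.168.0.42 as a duplicate, flags edge1 as an eBGP speaker whose RFC1918 Router-ID clashes with AS 64496, and renders the RFC1918-numbered hop as '* * *'. In practice you would feed it a real inventory export and the Router-IDs your peers actually announce, and treat the first two findings as errors in a pre-change check before turning any iBGP-only box into an eBGP speaker.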