Best Practices for Loopback addressing (Core routers & VPN CPE)
haesu at towardex.com
Fri Jun 6 16:47:28 UTC 2003
> However, considering that these loopbacks are only used for routing
> protocols (OSPF,BGP, LDP)
> and for network management (SNMP, telnet, ...) and that these addresses
> don't need to visible from public Internet
> (not seen in traceroute, not seen on Internet BGP announces ...) I am
> considering to
> use private RFC1918 for a new Backbone deployment.
Or, you could use a seperate class C or whatever fits yoru backbone for loopbacks and router interfaces.. Just don't advertise that block. That way you use non-rfc1918 on the backbone, and yet outside people cannot get to it since you dont advertise it to the world... It's just me but i am against using rfc1918 on any part of a backbone.
> N.B. : Assumption is that e-BGP sessions with Internet peers are done on
> public interface IP, not on loopback IP.
> Is there some specific case I am missing where public loopback IP is
> required, and therefore
> private adressing would break something (maybe some Carrier-to-Carrier
> scenario ?) .
> I also plan to use RFC1918 addresses for Internet CPE routers loopbacks.
> 2) Loopback on CPE routers of the MPLS VPN customers.
> For this case, the issue is to assign the adresses in a global range for
> all the CPE of
> all the VPN customers.
> In fact, all these loopback will need to be part of the Network Management
> VPN for supervision needs.
> Using RFC 1918 addresses might create trouble as there is a very high
> chance that the VPN customers
> are already using 1918 addresses, this might generate addresses conflicts.
> Addresses unicity among all the customers is required due to the Network
> Management VPN common
> to all the customers.
> Using public address guarantee unicity, but will create issues with public
> registries, considering that
> these addresses are used for internal needs.
> I am considering to use the 198.18.0.0/15 defined in RFC 2544 and listed in
> RFC 3330 as reserved for
> lab testing.
> I suppose that no VPN customer uses this prefix for its internal IP
> addressing, and as these addresses don't
> need to be announced on Internet.
> Do you suggest to use an other prefix than 198.18.0.0/15 for this purpose ?
> If you consider your adressing policy as touchy topic in terms of
> security, don't hesitate to reply in private ...
TowardEX Technologies, Inc
E-mail: haesu at towardex.com
Cell: (978) 394-2867
More information about the NANOG