Best Practices for Loopback addressing (Core routers & VPN CPE)

Haesu haesu at
Fri Jun 6 16:47:28 UTC 2003

> However, considering that these loopbacks are only used for routing
> protocols (OSPF,BGP, LDP)
> and for network management (SNMP, telnet, ...) and that  these addresses
> don't need to visible from public Internet
> (not seen in traceroute, not seen on Internet BGP announces ...) I am
> considering to
> use private  RFC1918 for a new Backbone deployment.

Or, you could use a seperate class C or whatever fits yoru backbone for loopbacks and router interfaces.. Just don't advertise that block. That way you use non-rfc1918 on the backbone, and yet outside people cannot get to it since you dont advertise it to the world... It's just me but i am against using rfc1918 on any part of a backbone.


> N.B. : Assumption is that e-BGP sessions with Internet peers are done on
> public interface IP, not on loopback IP.
> Is there some specific case I am missing where public loopback IP is
> required, and therefore
> private adressing would break something (maybe some Carrier-to-Carrier
> scenario ?) .
> I also plan to use RFC1918 addresses for Internet CPE routers loopbacks.
> 2) Loopback on CPE routers of the MPLS VPN customers.
> For this case, the issue is to assign the adresses in a global range for
> all the CPE of
> all the VPN customers.
> In fact, all these loopback will need to be part of the Network Management
> VPN for supervision needs.
> Using RFC 1918 addresses might create trouble as there is a very high
> chance that the VPN customers
> are already using 1918 addresses, this might generate addresses conflicts.
> Addresses unicity among all the customers is required due to the  Network
> Management VPN common
> to all the customers.
> Using public address guarantee unicity, but will create issues with public
> registries, considering that
>  these addresses are used for internal needs.
> I am considering to use the defined in RFC 2544 and listed in
> RFC 3330 as reserved for
> lab testing.
> I suppose that no VPN customer uses this prefix for its internal IP
> addressing, and as these addresses don't
> need to be announced on Internet.
> Do you suggest to use an other prefix than for this purpose ?
> If you consider your adressing policy as  touchy topic in terms of
> security, don't hesitate to reply in private ...
> Regards,

  Haesu C.
  TowardEX Technologies, Inc
  E-mail: haesu at
  Cell: (978) 394-2867

More information about the NANOG mailing list