Not announcing (to the greater internet) loopbacks/PTP/infra - how ?
brandon at burn.net
Thu Oct 4 19:07:49 UTC 2018
I’ve seen mention on this list and other places about keeping one’s PTPs / loopbacks out of routing tables for security reasons. Totally get this and am on board with it. What I don’t get - is how. I’m going to list some of my ideas below and the pros/cons/problems (that I can think of at least) for them.
- RFC 1918 for loopbacks and PTP
  - Immediately “protects” from the internet at large, as they aren’t routable.
  - Traceroutes are miserable.
- Use a public block that is allocated to you (i.e. PI) - but not announced.
  - So would this be a totally separate (from user/customer prefixes) announcement and allocation? In other words, let’s say you were a small ISP getting started. You manage to get a /20 from a broker (IPv6 should be “easy”). Do you also now go out and get a /23? (I’m making these sizes up; obviously all of these will vary based on ISP size, growth plan, etc.) You have the /23 registered to you (with proper rDNS delegation, WHOIS, etc.). But you simply don’t announce it? I’d say I need this /23 day one to even build my network before it’s ready for customers.
  - On the IPv6 front - would an RIR give you your /32 and then also a /48 (for loop/PTP)?
- Deaggregate and not announce your infra
  - Bad net behavior out of the gate with this method. The opposite of elegant.
  - Keeping with the previously made up / arbitrary prefixes - for your /20 - you’d end up announcing 2 x /23, 1 x /22 and 1 x /21. I’m too lazy to enumerate the IPv6 gymnastics, but with IPv6 you could “waste” a bit more to get to boundaries that are a bit easier to work with I suppose.
Thanks in advance for insights on this.
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."
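Added illustration (not part of the original post): a small Python helper built on the standard-library ipaddress module that works through the deaggregation option above. It computes the prefixes you would have to announce when an unannounced infrastructure block is carved out of an allocation, tallies them by prefix length (including the IPv6 "gymnastics" for a /32 with a /48 or a wider /36 carve-out), and checks that no announced prefix still covers the infra block. The prefixes used are constructed placeholders from the benchmarking (198.18.0.0/15) and documentation (2001:db8::/32) ranges, not anyone's real allocation.

```python
import ipaddress


def announced_prefixes(allocation, infra):
    """Minimal set of prefixes covering `allocation` with `infra` removed.

    This is exactly the announcement list you end up with when you keep
    a loopback/PTP block inside your allocation but refuse to announce it.
    """
    alloc = ipaddress.ip_network(allocation)
    carve = ipaddress.ip_network(infra)
    if not carve.subnet_of(alloc):
        raise ValueError(f"{carve} is not inside {alloc}")
    # address_exclude splits the supernet in half repeatedly, yielding the
    # half that does not contain the carve-out at every step.
    return sorted(
        alloc.address_exclude(carve),
        key=lambda n: (n.prefixlen, n.network_address),
    )


def summarize(prefixes):
    """Tally announcements by prefix length, e.g. {21: 1, 22: 1, 23: 1}."""
    counts = {}
    for p in prefixes:
        counts[p.prefixlen] = counts.get(p.prefixlen, 0) + 1
    return counts


def covers_infra(announced, infra):
    """True if any prefix in `announced` overlaps the infra block.

    A defender's sanity check for the announcement list: if this returns
    True, the loopback/PTP space is reachable from the internet at large.
    """
    carve = ipaddress.ip_network(infra)
    return any(ipaddress.ip_network(p).overlaps(carve) for p in announced)


if __name__ == "__main__":
    # Constructed placeholders: a /20 allocation with a /23 infra carve-out.
    v4 = announced_prefixes("198.18.0.0/20", "198.18.0.0/23")
    print("IPv4 announcements:", [str(p) for p in v4], summarize(v4))
    print("infra still covered?", covers_infra(v4, "198.18.0.0/23"))
    # IPv6: a /32 minus a /48 needs 16 announcements; a /36 carve-out needs 4.
    for carve in ("2001:db8::/48", "2001:db8::/36"):
        v6 = announced_prefixes("2001:db8::/32", carve)
        print(f"IPv6 /32 minus {carve}: {len(v6)} prefixes", summarize(v6))
```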