Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

William Herrin
Thu Oct 4 19:53:10 UTC 2018

On Thu, Oct 4, 2018 at 3:10 PM Brandon Applegate wrote:
> I’ve seen mention on this list and other places about keeping one’s PTPs / loopbacks out of routing tables for security reasons.  Totally get this and am on board with it.  What I don’t get - is how.  I’m going to list some of my ideas below and the pros/cons/problems (that I can think of at least) for them.
> - RFC 1918 for loopbacks and PTP
>   - Immediately “protects” from the internet at large, as they aren’t routable.
>   - Traceroutes are miserable.

Also breaks PMTUD, which can break TCP for everybody whose packets
transit your router. So don't do this.

> - Use public block that is allocated to you (i.e. PI) - but not announced.

This works.

> - Deaggregate and not announce your infra

Not great.

Another option is to let it be announced but filter the packets at your border.

I wonder if it would be useful to ask the IETF to assign a block of
"origination-only" IP addresses... IP addresses which by standard are
permitted to be the source of ICMP packets but which should be
unreachable by forward routing.

Bill Herrin

William Herrin
Dirtside Systems
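The "let it be announced but filter at your border" option from the reply above, written out as an added example (this is not configuration from the post or from either poster). It is an inbound infrastructure ACL in Cisco IOS syntax. The addresses are assumptions: 192.0.2.0/24 (a documentation prefix) stands in for the announced-but-protected infrastructure block that holds loopbacks and point-to-point links, 198.51.100.1 stands in for an eBGP neighbor, and the interface name is a placeholder.

```cisco
! Added example: infrastructure ACL (iACL) applied inbound on every
! external-facing interface. 192.0.2.0/24 is assumed to be the block that
! holds loopbacks and PTP links; it IS announced, so traceroute and PMTUD
! keep working, but nothing from outside may talk TO those addresses.
ip access-list extended INFRA-PROTECT
 remark --- things from outside that legitimately target infra addresses ---
 ! eBGP session with the assumed neighbor 198.51.100.1 landing on our PTP address
 permit tcp host 198.51.100.1 host 192.0.2.1 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 192.0.2.1
 ! Let the routers' own TCP sessions (BGP, SSH from the NOC, etc.) do PMTUD
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 ! Optional: allow pings of the infra block for troubleshooting
 permit icmp any 192.0.2.0 0.0.0.255 echo
 remark --- everything else destined to the infra block is dropped ---
 deny ip any 192.0.2.0 0.0.0.255 log
 remark --- transit/customer traffic is unaffected ---
 permit ip any any
!
interface TenGigabitEthernet0/0/0
 description Upstream transit (placeholder interface name)
 ip access-group INFRA-PROTECT in
```

The filter is only applied inbound and only matches the destination, so packets the routers themselves originate from 192.0.2.0/24 (ICMP Time Exceeded for traceroute, ICMP Fragmentation Needed for PMTUD, BGP keepalives) still leave unhindered; that is the practical equivalent of the "origination-only" behaviour the reply wishes the IETF would standardize. Before deploying, enumerate every external party that must reach an infra address (eBGP peers, BFD, IXP route servers, OOB monitoring) and add a specific permit line for each, then watch the `log` counter on the deny line for a while to catch anything you missed.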
