Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

• Previous message (by thread): Not announcing (to the greater internet) loopbacks/PTP/infra - how ?
• Next message (by thread): Not announcing (to the greater internet) loopbacks/PTP/infra - how ?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Oct 4, 2018 at 3:10 PM Brandon Applegate <brandon at burn.net> wrote:
> I’ve seen mention on this list and other places about keeping one’s PTPs / loopbacks out of routing tables for security reasons.  Totally get this and am on board with it.  What I don’t get - is how.  I’m going to list some of my ideas below and the pros/cons/problems (that I can think of at least) for them.
>
> - RFC 1918 for loopbacks and PTP
>   - Immediately “protects” from the internet at large, as they aren’t routable.
>   - Traceroutes are miserable.

Also breaks PMTUD which can break TCP for everybody whose packets
transit your router. So don't do this.


> - Use public block that is allocated to you (i.e. PI) - but not announced.

This works.


> - Deaggregate and not announce your infra

Not great.


Another option is to let it be announced but filter the packets at your border.

I wonder if it would be useful to ask the IETF to assign a block of
"origination-only" IP addresses... IP addresses which by standard are
permitted to be the source of ICMP packets but which should be
unreachable by forward routing.

Regards,
Bill Herrin

-- 
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>

• Previous message (by thread): Not announcing (to the greater internet) loopbacks/PTP/infra - how ?
• Next message (by thread): Not announcing (to the greater internet) loopbacks/PTP/infra - how ?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]