Not announcing (to the greater internet) loopbacks/PTP/infra - how ?
bill at herrin.us
Thu Oct 4 19:53:10 UTC 2018
On Thu, Oct 4, 2018 at 3:10 PM Brandon Applegate <brandon at burn.net> wrote:
> I’ve seen mention on this list and other places about keeping one’s PTPs / loopbacks out of routing tables for security reasons. Totally get this and am on board with it. What I don’t get - is how. I’m going to list some of my ideas below and the pros/cons/problems (that I can think of at least) for them.
> - RFC 1918 for loopbacks and PTP
>   - Immediately “protects” from the internet at large, as they aren’t routable.
>   - Traceroutes are miserable.
Also breaks PMTUD, which can break TCP for everybody whose packets
transit your router. So don't do this.
> - Use public block that is allocated to you (i.e. PI) - but not announced.
> - Deaggregate and not announce your infra
Another option is to let it be announced but filter the packets at your border.
I wonder if it would be useful to ask the IETF to assign a block of
"origination-only" IP addresses... IP addresses which by standard are
permitted to be the source of ICMP packets but which should be
unreachable by forward routing.
William Herrin ................ herrin at dirtside.com bill at herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
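The "announce it but filter at the border" option above, written out as an infrastructure ACL. This is an added example, not configuration from the thread or from Dirtside; it assumes Cisco IOS syntax, and the infrastructure block 203.0.113.0/24, the peering addresses and the peer addresses 192.0.2.1 / 198.51.100.1 are constructed documentation values.

```cisco
! Infrastructure ACL, applied inbound on every external-facing interface.
! 203.0.113.0/24 = our announced block for loopbacks and PTP links (constructed).
! 192.0.2.1 and 198.51.100.1 = eBGP neighbours (constructed).
ip access-list extended INFRA-IN
 remark -- eBGP sessions from known neighbours to our peering addresses only
 permit tcp host 192.0.2.1 host 203.0.113.9 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 203.0.113.9
 permit tcp host 198.51.100.1 host 203.0.113.13 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 203.0.113.13
 remark -- anti-spoofing: nothing arriving from outside may carry an infra source
 deny   ip 203.0.113.0 0.0.0.255 any
 remark -- everything else addressed to the infra block is dropped and counted
 deny   ip any 203.0.113.0 0.0.0.255
 remark -- transit and customer traffic passes untouched
 permit ip any any
!
interface TenGigabitEthernet0/0/0
 description eBGP peer 192.0.2.1
 ip access-group INFRA-IN in
```

Because the block is still announced, the ICMP "fragmentation needed" and TTL-exceeded messages the routers originate remain routable back to remote hosts, so PMTUD and traceroute hop display keep working; only packets addressed to the infrastructure itself are dropped, and management access has to come from inside rather than through an external interface.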