Not announcing (to the greater internet) loopbacks/PTP/infra - how ?
William Herrin
bill at herrin.us
Thu Oct 4 19:53:10 UTC 2018
On Thu, Oct 4, 2018 at 3:10 PM Brandon Applegate <brandon at burn.net> wrote:
> I’ve seen mention on this list and other places about keeping one’s PTPs / loopbacks out of routing tables for security reasons. Totally get this and am on board with it. What I don’t get - is how. I’m going to list some of my ideas below and the pros/cons/problems (that I can think of at least) for them.
>
> - RFC 1918 for loopbacks and PTP
> - Immediately “protects” from the internet at large, as they aren’t routable.
> - Traceroutes are miserable.
Also breaks PMTUD which can break TCP for everybody whose packets
transit your router. So don't do this.
> - Use public block that is allocated to you (i.e. PI) - but not announced.
This works.
> - Deaggregate and not announce your infra
Not great.
Another option is to let it be announced but filter the packets at your border.
I wonder if it would be useful to ask the IETF to assign a block of
"origination-only" IP addresses... IP addresses which by standard are
permitted to be the source of ICMP packets but which should be
unreachable by forward routing.
Regards,
Bill Herrin
--
William Herrin ................ herrin at dirtside.com bill at herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
More information about the NANOG
mailing list