Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Fri Oct 5 11:27:24 UTC 2018


> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of William
> Herrin
> Sent: Thursday, October 04, 2018 8:53 PM
>
> > - RFC 1918 for loopbacks and PTP
> >   - Immediately “protects” from the internet at large, as they aren’t routable.
> >   - Traceroutes are miserable.
> 
> Also breaks PMTUD which can break TCP for everybody whose packets
> transit your router. So don't do this.
> 
Only if you have a lower MTU on your core links than on your edge, which is a huge design flaw.
Also, most of the internet backbones out there are MPLS based, meaning the traceroutes are, well, "sparse" to say the least, so I wouldn't worry about this that much.


> Another option is to let it be announced but filter the packets at your border.
> 
That defeats the whole purpose of this exercise.
Yes, we all use infrastructure ACLs to protect our infrastructure, but if the infra-block is advertised, the DDoS is still delivered to your doorstep. Even if you filter it at the edge interfaces, the damage has been done already, as your upstream pipes are full.

If your infra-ranges are not advertised, your infrastructure simply can't be targeted by any DDoS attack.


adam 
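The argument above hinges on one operational check: none of the prefixes you announce to your upstreams may cover a loopback or point-to-point range, otherwise the infra block is reachable (and targetable) no matter what your iACLs drop at the edge. The script below is an added example, not code from the post or from any NANOG participant; the prefix lists are constructed sample data (documentation and RFC 1918 space) and the function names are mine. It flags every infrastructure range that sits inside, or overlaps, an advertised prefix, distinguishes genuinely unroutable RFC 1918 space from merely unannounced public space, and shows how to re-announce an aggregate with the infra block carved out.

```python
import ipaddress

# Constructed sample data (not from the post): what a hypothetical network
# advertises to the internet, and the ranges it uses internally.
ADVERTISED = [
    "203.0.113.0/24",
    "198.51.100.0/23",
    "2001:db8:100::/40",
]
INFRA_RANGES = [
    "198.51.100.0/26",    # loopbacks carved out of an advertised aggregate: exposed
    "10.255.0.0/16",      # RFC 1918 point-to-points: never announced, not routable
    "192.0.2.0/24",       # dedicated public infra block that is not announced
    "2001:db8:1ff::/48",  # v6 loopbacks inside the advertised /40: exposed
]

RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(prefix):
    """True only for the three RFC 1918 blocks (the post's 'not routable' case).
    Deliberately not ipaddress's is_private, which also returns True for the
    documentation ranges used as sample data here."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def find_exposed_infra(advertised, infra_ranges):
    """Return (infra, covering_advertised) pairs for every infra range that the
    internet can reach through one of our own announcements.  An empty list is
    the state the post argues for: nothing infra-related is in the global table."""
    adv = [ipaddress.ip_network(p, strict=False) for p in advertised]
    exposed = []
    for raw in infra_ranges:
        infra = ipaddress.ip_network(raw, strict=False)
        for a in adv:
            if a.version != infra.version:
                continue
            # overlaps() is symmetric, so it catches both an infra block carved
            # out of an aggregate and an advertised more-specific inside a
            # larger infra block.
            if infra.overlaps(a):
                exposed.append((str(infra), str(a)))
                break
    return exposed


def carve_out(advertised_prefix, infra_ranges):
    """Split one advertised aggregate into the set of more-specifics that
    still covers every customer address but none of the infra ranges.
    Returned as sorted prefix strings, ready for a prefix-list."""
    remaining = [ipaddress.ip_network(advertised_prefix, strict=False)]
    for raw in infra_ranges:
        infra = ipaddress.ip_network(raw, strict=False)
        next_round = []
        for net in remaining:
            if infra.version == net.version and infra.subnet_of(net):
                # address_exclude yields nothing when infra == net, which
                # correctly drops a chunk that is entirely infrastructure.
                next_round.extend(net.address_exclude(infra))
            elif infra.version == net.version and net.subnet_of(infra):
                continue  # this chunk lies wholly inside the infra range
            else:
                next_round.append(net)
        remaining = next_round
    return [str(n) for n in sorted(remaining)]


if __name__ == "__main__":
    for infra, covering in find_exposed_infra(ADVERTISED, INFRA_RANGES):
        print(f"EXPOSED: {infra} is reachable via announced {covering}")
        if ipaddress.ip_network(covering).version == 4:
            print("  announce instead:", carve_out(covering, [infra]))
    for raw in INFRA_RANGES:
        tag = "RFC1918, unroutable" if is_rfc1918(raw) else "public, must stay unannounced"
        print(f"{raw}: {tag}")
```

Run against a dump of your outbound BGP policy (the prefix-list you apply toward upstreams) rather than a hand-typed list, so the check reflects what actually leaves the AS. Note that carving an infra block out of an aggregate trades one announcement for several more-specifics; that is the cost of keeping the infra range out of the global table while still announcing the surrounding customer space.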
