Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

Fri Oct 5 11:27:24 UTC 2018

> > - RFC 1918 for loopbacks and PTP
> >   - Immediately “protects” from the internet at large, as they aren’t routable.
> >   - Traceroutes are miserable.
> Also breaks PMTUD which can break TCP for everybody whose packets
> transit your router. So don't do this.
Only if you have a lower MTU on your core links than on your edge, which is a huge design flaw.
Also, most of the internet backbones out there are MPLS based, meaning the traceroutes are "sparse", to say the least, so I wouldn't worry about this that much.

> Another option is to let it be announced but filter the packets at your border.
That defeats the whole purpose of this exercise.
Yes, we all use infrastructure ACLs to protect our infrastructure, but if the infra block is advertised, the DDoS is still delivered to your doorstep; even if you filter it at the edge interfaces, the damage has already been done, as your upstream pipes are full.

If your infra-ranges are not advertised your infrastructure simply can't be targeted by any DDoS attack. 
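The point made in this message (an infrastructure range is only targetable from outside if it falls inside something you announce) can be turned into a simple audit. The following is an added example, not code from the thread or from any poster: it takes a list of prefixes a network announces to its upstreams and the ranges it uses for loopbacks, point-to-point links and management, and reports for each infra range whether it is exposed (overlaps an announcement), non-routable (RFC 1918 or IPv6 ULA, with the traceroute/PMTUD trade-off the thread discusses) or held back from the announcements. All prefixes are constructed sample values from the documentation ranges; the role names are assumptions.

```python
import ipaddress

# Constructed sample data (documentation prefixes, not from the thread):
# what this network announces to transit, and where its infrastructure lives.
ANNOUNCED = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32"]
INFRA = {
    "loopbacks": ["203.0.113.240/28", "10.255.0.0/24", "fd00:cafe::/48"],
    "ptp": ["198.51.100.192/26", "2001:db8:ffff::/48"],
    "management": ["192.0.2.0/24"],
}

# Address space that the global routing table will never carry.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = [ipaddress.ip_network("fc00::/7")]


def is_non_routable(net):
    """True if `net` lies entirely inside RFC 1918 (v4) or ULA (v6) space."""
    candidates = RFC1918 if net.version == 4 else ULA
    return any(net.subnet_of(c) for c in candidates)


def overlapping_announcement(net, announced):
    """Return the first announced prefix that overlaps `net`, else None.

    `overlaps` rather than `subnet_of` so that an infra range straddling an
    announcement boundary is still caught."""
    for a in announced:
        if a.version == net.version and net.overlaps(a):
            return a
    return None


def audit(announced, infra):
    """Map each infra prefix string to (role, status, detail).

    status is one of EXPOSED, NON_ROUTABLE or UNANNOUNCED."""
    ann = [ipaddress.ip_network(a) for a in announced]
    report = {}
    for role, prefixes in infra.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            cover = overlapping_announcement(net, ann)
            if cover is not None:
                status = "EXPOSED"
                detail = f"overlaps announced {cover}: reachable by a DDoS"
            elif is_non_routable(net):
                status = "NON_ROUTABLE"
                detail = ("RFC 1918/ULA: unreachable from outside, but hops "
                          "vanish from traceroute and PMTUD may suffer")
            else:
                status = "UNANNOUNCED"
                detail = "public space held back from the announcements"
            report[p] = (role, status, detail)
    return report


def exposed(report):
    """Sorted list of infra prefixes that the internet can actually reach."""
    return sorted(p for p, (_, status, _) in report.items()
                  if status == "EXPOSED")


if __name__ == "__main__":
    result = audit(ANNOUNCED, INFRA)
    for prefix, (role, status, detail) in result.items():
        print(f"{status:13} {role:11} {prefix:22} {detail}")
    print("exposed:", exposed(result))
```

Run it against your own announced prefix-list and IP plan; anything reported as EXPOSED is a range an infrastructure ACL can only clean up after it has already crossed your upstream links.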
