Best practice for ptp/loopback numbering for "small" enterprise multihome setup

Lukas Tribus lukas at ltri.eu
Fri Mar 26 22:26:34 UTC 2021


Hi Bill,


On Fri, 26 Mar 2021 at 22:16, William Herrin <bill at herrin.us> wrote:
>
> On Fri, Mar 26, 2021 at 1:42 PM Lukas Tribus <lukas at ltri.eu> wrote:
> > In production, you may be able to troubleshoot this a few months from
> > now, but how will the on-duty junior engineer handle this at 03 AM?
>
> Hi Lukas,
>
> In the network Vom describes, he is surely the only network engineer.

Actually I think it's more likely that he's a contractor/consultant,
but either way, contractor/consultant or employee ... all of them
change over time.

This falls into the kind of duct-tape "solutions" that inevitably
cause issues down the line, which then have to be diagnosed by
engineers at other networks. I'm that engineer at the other network,
diagnosing the issue because quote "it must be your fault because we
only have the issue with that single IP address of yours. Also Youtube
works just fine here."


> Vom's question was how to carve off some addresses without being stuck
> at 1/2 the allocation as his maximum subnet size. At the sacrifice of
> some complexity, it can be done. As described, you can even recapture
> 3 addresses that would normally be lost to you were you not attempting
> to carve off addresses.

Almost anything can be done by increasing complexity. But here the
cure is worse than the disease.


> > What you are suggesting is to configure public IP address space that
> > isn't yours, this should be a big nono.
>
> That's one way of looking at it. Here's a different one: It is an
> entirely legitimate network configuration to give your LAN a 0.0.0.0
> netmask and rely on proxy arp to route off of it for non-local
> addresses. Nobody does it this way, it's inefficient and gets very
> complex when there's more than one router, but it in no way implies
> configuring yourself address space which is not yours.

You are configuring a prefix that is not assigned to you and not
specifically reserved for local connectivity like 1918 (instead it is
almost certainly partially assigned to another AS for IPv4 unicast use
on the public Internet). That is the very definition of configuring
address space which is not yours, whether you're successful or not at
reducing the impact with proxy-arp.

Sure, in this specific case 0.0.0.0 and 255.255.255.255 truly will
never be used by anyone on the Internet (and also your hosts/router
will almost certainly crash, because ARP tables are not designed for
hundreds of thousands of entries), but that's not the point.

It's not legitimate in my book, when we are talking about hosts on the
public Internet which are required to connect to the rest of the
Internet, maybe even host services. If the bar is "can I be sued for
this?" then you are certainly right.


> > At the very least you can't
> > reach the public IP addresses 10.0.0.0 and 10.0.3.255 from the hosts,
> > because they won't be sending ARP requests for subnet and broadcast
> > addresses.
>
> In the described configuration, those addresses are almost guaranteed
> to be base addresses or broadcast addresses of someone else's network
> which you wouldn't be able to reach or access anyway. There is a tiny
> chance that someone else did the same thing you did or decided to use
> a /32 route to capture and use those two addresses as unicast, but
> you've a better chance of winning the lottery or being hit by
> lightning than finding those two addresses in use.

Eyeball networks assign /32 to end users including .0 and .255. Of
course the likelihood that those two addresses actually require
end-to-end connectivity to this AS is not huge.

But the fact of the matter is that you are knowingly breaking a valid
configuration in other people's networks with a non-null likelihood of
it causing problems, and for what? To avoid 1918 addressing on a
single P2P link of an enterprise stub-AS? This cure truly is worse
than the disease and it would certainly be unacceptable in my book.


Now let's talk about the likelihood of the OP leaking the /22 to the
transits (which hopefully filter strictly) in the process of setting
this up. I won't need lottery or lightning analogies for that.



Lukas
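A pre-deployment check for the two concerns raised in this message (a LAN subnet that spills outside the allocation, with the subnet and broadcast addresses of someone else's block becoming unreachable, and a sub-/super-prefix of the /22 leaking to transits) can be scripted with Python's standard ipaddress module. This is an added example written for this archive page, not code from the thread or from any participant. It follows the thread in using 10.0.0.0/22 as the stand-in for the operator's public /22; the allocation list is a constructed input, and in a real deployment RFC 1918 ranges would be appended to that list for links that never need outside reachability.

```python
import ipaddress
from typing import Dict, List


def _overlap(a: ipaddress.IPv4Network, b: ipaddress.IPv4Network) -> int:
    """Number of addresses two prefixes share (0 if they are disjoint)."""
    if a.subnet_of(b):
        return a.num_addresses
    if b.subnet_of(a):
        return b.num_addresses
    return 0


def check_interface(addr_with_mask: str, allocations: List[str]) -> Dict[str, object]:
    """Audit one proposed interface configuration ("a.b.c.d/len") against the
    prefixes the operator may legitimately use.  'allocations' is assumed to
    be a list of non-overlapping prefixes (constructed input in the test)."""
    iface = ipaddress.ip_interface(addr_with_mask)
    net = iface.network
    allocs = [ipaddress.ip_network(a) for a in allocations]

    # 1. Does the configured subnet stay inside what is assigned to us?
    #    A 0.0.0.0 netmask (/0), or any mask wider than the allocation, fails.
    within = any(net.subnet_of(a) for a in allocs)

    # 2. Addresses the host will treat as on-link (and ARP for instead of
    #    routing) even though they belong to someone else.  With /0 that is
    #    the whole IPv4 space minus our own block, which is the ARP-table
    #    growth the message warns about.
    own_onlink = sum(_overlap(a, net) for a in allocs)
    outside_onlink = net.num_addresses - own_onlink

    # 3. Hosts never ARP for the subnet's network and broadcast addresses
    #    (/31 and /32 have none).  If those two are ours they are simply the
    #    usual sacrificed pair; if they are outside our allocation, we have
    #    silently broken reachability to two addresses another network may
    #    hand out as /32s (the 10.0.0.0 / 10.0.3.255 point above).
    edges: Dict[str, str] = {}
    if net.prefixlen <= 30:
        for a in (net.network_address, net.broadcast_address):
            edges[str(a)] = "own" if any(a in x for x in allocs) else "outside_allocation"

    return {
        "subnet_within_allocation": within,
        "outside_onlink_addresses": outside_onlink,
        "edge_addresses": edges,
    }


def may_advertise(prefix: str, allocations: List[str]) -> bool:
    """Outbound-filter sanity check: a prefix may go to transits only if it is
    one of ours or a sub-prefix of one of ours.  A /21 covering our /22 (or
    anything larger) must never leave the AS."""
    p = ipaddress.ip_network(prefix)
    return any(p.subnet_of(ipaddress.ip_network(a)) for a in allocations)


if __name__ == "__main__":
    # Constructed inputs: the thread's 10.0.0.0/22 as the only allocation.
    ours = ["10.0.0.0/22"]
    for cfg in ("10.0.1.10/22", "10.0.1.10/21", "10.0.1.10/0"):
        print(cfg, check_interface(cfg, ours))
    for pfx in ("10.0.0.0/22", "10.0.2.0/24", "10.0.0.0/21"):
        print(pfx, "advertise ok" if may_advertise(pfx, ours) else "BLOCK: not ours")
```

The interesting line in the output is the /0 case: the subnet check fails, every non-local IPv4 address (2^32 minus the 1024 in the /22) becomes an on-link neighbour the host would have to resolve by ARP, and the two addresses the host will never ARP for lie outside the allocation. The /21 case shows the same failure mode at a smaller scale, with 10.0.7.255 flagged as someone else's broadcast address, while `may_advertise` rejects that same /21 at the transit edge.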