<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello Brandon,<br>
<br>
instead of not announcing it you can send it to your upstream and
tag it with no-export.<br>
That way you can still see your router in traceroutes if the source
ASN of the traceroute doesn't do uRPF.<br>
<br>
If you don't have a separate range from which you assign
PTP/loopback addresses, but your upstream offers a BGP blackhole
community you can permanently blackhole your PTPs/loopbacks/infra at
your upstream if you want to increase your security. Another way to
keep your traceroutes pretty. However, if it's thousands of /32s
then you should probably talk to your upstream before doing that. :)<br>
<br>
Regards<br>
Karl<br>
<br>
<br>
<div class="moz-cite-prefix">
<div id="rwhMsgHeader"><br>
<hr id="rwhMsgHdrDivider" style="border:0;border-top:1px solid
#B5C4DF;padding:0;margin:10px 0 5px 0;width:100%;"><span
style="margin: -1.3px 0 0 0 !important;"><font style="font:
13px Tahoma !important; color: #000000 !important;"
face="Tahoma" color="#000000"><b>From:</b> Brandon Applegate
[<a class="moz-txt-link-freetext" href="mailto:brandon@burn.net">mailto:brandon@burn.net</a>]</font></span><br>
<span style="margin: -1.3px 0 0 0 !important;"><font
style="font: 13px Tahoma !important; color: #000000
!important;" face="Tahoma" color="#000000"><b>Sent:</b> Thu,
Oct 4, 2018 9:07 PM CEST</font></span><br>
<span style="margin: -1.3px 0 0 0 !important;"><font
style="font: 13px Tahoma !important; color: #000000
!important;" face="Tahoma" color="#000000"><b>To:</b> NANOG
mailing list</font></span><br>
<span style="margin: -1.3px 0 0 0 !important;"><font
style="font: 13px Tahoma !important; color: #000000
!important;" face="Tahoma" color="#000000"><b>Subject:</b>
Not announcing (to the greater internet) loopbacks/PTP/infra
- how ?</font></span><br>
<br>
</div>
</div>
<blockquote type="cite"
cite="mid:D1EB0FC2-D342-4A00-B8B4-B8EAEAADE4F0@burn.net"
style="border:none !important; margin-left:0px !important;
margin-right:0px !important; margin-top:0px !important;
padding-left:0px !important; padding-right:0px !important">
<pre class="moz-quote-pre" wrap="">Hello,
I’ve seen mention on this list and other places about keeping one’s PTPs / loopbacks out of routing tables for security reasons. Totally get this and am on board with it. What I don’t get - is how. I’m going to list some of my ideas below and the pros/cons/problems (that I can think of at least) for them.
- RFC 1918 for loopbacks and PTP
- Immediately “protects” from the internet at large, as they aren’t routable.
- Traceroutes are miserable.
- Use public block that is allocated to you (i.e. PI) - but not announced.
- So would this be a totally separate (from user/customer prefixes) announcement and allocation ? In other words, let’s say you were a small ISP getting started. You manage to get a /20 from a broker (IPv6 should be “easy”). Do you also now go out and get a /23 (I’m making these sizes up, obviously all of these will vary based on ISP size, growth plan, etc.). You have the /23 registered to you (with proper rDNS delegation, WHOIS, etc.). But you simply don’t announce it ? I’d say I need this /23 day one to even build my network before it’s ready for customers.
- On the IPv6 front - would a RIR give you your /32 and then also a /48 (for loop/PTP) ?
- Deaggregate and not announce your infra
- Bad net behavior out of the gate with this method. The opposite of elegant.
- Keeping with previously made up / arbitrary prefixes - for your /20 - you’d end up announcing 2 x /23, 1 x /22 and 1 x /21. I’m too lazy to enumerate the IPv6 gymnastics, but with IPv6 you could “waste” a bit more to get to boundaries that are a bit easier to work with I suppose.
Thanks in advance for insights on this.
--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."
</pre>
</blockquote>
<br>
</body>
</html>