Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

[brandon at burn.net (Brandon Applegate)]

Hello,

Iâ??ve seen mention on this list and other places about keeping oneâ??s PTPs / loopbacks out of routing tables for security reasons.  Totally get this and am on board with it.  What I donâ??t get - is how.  Iâ??m going to list some of my ideas below and the pros/cons/problems (that I can think of at least) for them.

- RFC 1918 for loopbacks and PTP
  - Immediately â??protectsâ?? from the internet at large, as they arenâ??t routable.
  - Traceroutes are miserable.

- Use public block that is allocated to you (i.e. PI) - but not announced.
  - So would this be a totally separate (from user/customer prefixes) announcement and allocation ?  In other words, letâ??s say you were a small ISP getting started.  You manage to get a /20 from a broker (IPv6 should be â??easyâ??).  Do you also now go out and get a /23 (Iâ??m making these sizes up, obviously all of these will vary based on ISP size, growth plan, etc.).  You have the /23 registered to you (with proper rDNS delegation, WHOIS, etc.).  But you simply donâ??t announce it ? Iâ??d say I need this /23 day one to even build my network before itâ??s ready for customers.
  - On the IPv6 front - would a RIR give you your /32 and then also a /48 (for loop/PTP) ?

- Deaggregate and not announce your infra
  - Bad net behavior out of the gate with this method.  The opposite of elegant.
  - Keeping with previously made up / arbitrary prefixes - for your /20 - youâ??d end up announcing 2 x /23, 1 x /22 and 1 x /21.  Iâ??m too lazy to enumerate the IPv6 gymnastics, but with IPv6 you could â??wasteâ?? a bit more to get to boundaries that are a bit easier to work with I suppose.

Thanks in advance for insights on this.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."