Not announcing (to the greater internet) loopbacks/PTP/infra - how ?
- Subject: Not announcing (to the greater internet) loopbacks/PTP/infra - how ?
- From: bill at herrin.us (William Herrin)
- Date: Thu, 4 Oct 2018 15:53:10 -0400
On Thu, Oct 4, 2018 at 3:10 PM Brandon Applegate <brandon at burn.net> wrote:
> I've seen mention on this list and other places about keeping one's PTPs / loopbacks out of routing tables for security reasons. Totally get this and am on board with it. What I don't get - is how. I'm going to list some of my ideas below and the pros/cons/problems (that I can think of at least) for them.
>
> - RFC 1918 for loopbacks and PTP
> - Immediately "protects" from the internet at large, as they aren't routable.
> - Traceroutes are miserable.
Also breaks PMTUD, which can break TCP for everybody whose packets
transit your router. So don't do this.
> - Use public block that is allocated to you (i.e. PI) - but not announced.
This works.
> - Deaggregate and not announce your infra
Not great.
Another option is to let it be announced but filter the packets at your border.
I wonder if it would be useful to ask the IETF to assign a block of
"origination-only" IP addresses... IP addresses which by standard are
permitted to be the source of ICMP packets but which should be
unreachable by forward routing.
Regards,
Bill Herrin
--
William Herrin ................ herrin at dirtside.com bill at herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
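An audit of the three options discussed above, as an added example that is not part of the original post: each infrastructure prefix is checked for RFC 1918 numbering (the PMTUD problem), for being public but unannounced, or for being inside an announced aggregate with or without a border filter. All prefixes are constructed sample values (documentation ranges), not anyone's real allocation.

```python
import ipaddress

# RFC 1918 space, which the reply above warns against for loopbacks/PTP.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (documentation ranges, not a real allocation).
INFRA_PREFIXES = [
    "10.255.0.0/24",       # option 1: loopbacks numbered from RFC 1918
    "198.51.100.0/26",     # option 2: PI space that is simply not announced
    "198.51.100.64/26",    # option 3: inside an announced aggregate, denied at the border
    "198.51.100.128/26",   # inside an announced aggregate with no border filter: a leak
]
ANNOUNCED = ["198.51.100.64/26", "198.51.100.128/25"]   # constructed BGP export
BORDER_DENY = ["198.51.100.64/26"]                      # constructed border ingress ACL (destination deny)


def _covered(net, prefixes):
    """True if net lies entirely inside one of prefixes."""
    return any(net.subnet_of(p) for p in prefixes)


def classify(infra, announced, border_deny):
    """Map each infrastructure prefix to a verdict string."""
    announced = [ipaddress.ip_network(p) for p in announced]
    deny = [ipaddress.ip_network(p) for p in border_deny]
    verdicts = {}
    for text in infra:
        net = ipaddress.ip_network(text)
        if _covered(net, RFC1918):
            # ICMP sourced from here (e.g. Fragmentation Needed) is dropped by
            # bogon filters elsewhere, so PMTUD breaks for transit traffic.
            verdicts[text] = "rfc1918: breaks PMTUD"
        elif not _covered(net, announced):
            verdicts[text] = "unannounced: ok"
        elif _covered(net, deny):
            verdicts[text] = "announced, filtered at border: ok"
        else:
            verdicts[text] = "announced and reachable: LEAK"
    return verdicts


def leaks(infra, announced, border_deny):
    """Infrastructure prefixes reachable from the internet that need attention."""
    return sorted(p for p, v in classify(infra, announced, border_deny).items()
                  if v.endswith("LEAK"))


if __name__ == "__main__":
    for prefix, verdict in classify(INFRA_PREFIXES, ANNOUNCED, BORDER_DENY).items():
        print(f"{prefix:20} {verdict}")
```

In practice the three input lists would come from your IPAM, your BGP export policy and your border ACL rather than being hard-coded.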