[c-nsp] IP unnumbered question. Are isp's using this alot?

Ted Mittelstaedt tedm at toybox.placo.com
Thu Jun 23 01:23:48 EDT 2005


I experimented with doing this for a few years and gave up on it.  As an
IP number conservation strategy it really has limited usefulness.

One of the things that you try to do as an ISP is block off access to
your customer's router from the Internet proper, so that attackers can't
reach the serial or ethernet interface of the customer edge router.

As a result it really doesn't matter if you have a public IP number
on the serial links to the customer edge routers so if the ISP is short
IP addresses it is perfectly fine to use private numbers.  In fact
it can help since if you use private numbers you don't have to filter
those subnets since attackers on the Internet cannot get to them,
thus it saves router CPU cycles.

For customers that are smaller and use edge routers as address
translators in addition to T1 termination devices, what we always do is to
define a NAT pool in the router that is public.  This makes it
so that while the edge router is indeed sourcing traffic, the
source IPs are from the public subnet inside the router, rather than
the WAN interface of the router.  So once again it is easy to block off
the WAN IP number for these routers, or use private addresses.  And
an attacker attacking the IPs in the public pool inside the router
can't get at the router itself this way.

In our case we use public numbers on the WAN interfaces of the customer
edge routers, but that is only because I want to maximize our IP
number utilization to keep ARIN happy, yet still provide us with
a cushion should the crunch ever come.  Right now the number registries
are pretty neutral on the topic of using a /30 on an edge router
serial link.  They would prefer to see reductions in the allocation
sizes of subnets to ISP customers.  You save a lot more IPs cutting
a default customer subnet size from a /26 to a /27 than you do arguing
over whether to use /30's or unnumbered on serial links.

Ted


>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Joseph Jackson
>Sent: Wednesday, June 22, 2005 5:14 PM
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] IP unnumbered question. Are isp's using this alot?
>
>Hi all,
>
>My company just got a new t1 line from a different isp than our
>main one for backup in case the primary fails.  When they gave me the ip
>address info I noticed that there wasn't anything listed for the wan side of
>the router.  When I called to ask about this they informed me that on their
>edge devices they do not give ip addresses and I must use the ip unnumbered
>command.  What I am getting at here is, is this common for ISP's to do now?
>Is this a trend that has been gaining ground?  When I spoke to my boss about
>this he wasn't too happy.  The other circuits that we have for internet
>access all came with an ip to use for the wan interface. Even a circuit from
>the same company that we use for a whole other network has a wan ip address.
>Anyone else see this a lot?
>
>Thanks
>
>Joseph Jackson
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
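
The NAT-pool arrangement described in the reply above, sketched as Cisco IOS configuration. This is an added example, not part of the original post; the addresses (RFC 1918 and RFC 5737 documentation ranges), the interface names and the pool name CUST-POOL are assumptions.

```cisco
! Constructed example: all addresses, interface names and CUST-POOL are
! assumptions chosen for illustration.
!
! --- Customer edge router ---
interface Serial0
 description T1 to ISP, private /30 on the WAN link
 ip address 10.255.0.2 255.255.255.252
 ip nat outside
!
interface Ethernet0
 description Customer LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Inside hosts eligible for translation
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Public pool held inside the router: translated traffic is sourced from
! these addresses, never from the Serial0 address
ip nat pool CUST-POOL 203.0.113.1 203.0.113.6 prefix-length 29
ip nat inside source list 10 pool CUST-POOL overload
!
ip route 0.0.0.0 0.0.0.0 Serial0
! Drop traffic to pool addresses that have no active translation, so it
! does not bounce back up the default route
ip route 203.0.113.0 255.255.255.248 Null0
!
! --- ISP aggregation router ---
interface Serial1/0
 description T1 to customer
 ip address 10.255.0.1 255.255.255.252
!
! Route the customer's public pool across the privately numbered link
ip route 203.0.113.0 255.255.255.248 Serial1/0
```

Because the 10.255.0.0/30 link is not routed on the Internet, the router's WAN interface is unreachable from outside without any extra filter on the ISP side, while the pool addresses only ever map to translation entries.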


