[c-nsp] RFC 1918 on loopback?
Tony Tauber
ttauber at 1-4-5.net
Tue Jan 15 11:56:44 EST 2008
On Tue, Jan 15, 2008 at 10:20:40AM -0600, nachocheeze at gmail.com wrote:
>
> There's a security push to move more IP's off public space and onto
> RFC 1918 unless there is a justification for a public IP. I've been
> asked if it's possible to move our loopback addresses to private
> space, and since currently the only purpose they currently serve is
> for IGP router-id, it seems reasonable (except on our BGP speaking
> Internet border routers).
The right question to ask is "What are the security goals?"
Then: "How does using RFC1918 addresses meet or not meet these goals?"
Then: "Is there some other way to meet these goals?"
> I'm trying to come up with any possible scenario where this would NOT
> be a good idea to avoid future headache with anything we might want to
> deploy later (such as interdomain multicast). Has anyone ever run into
> this and had it bite them later on down the road?
Yes, the biggest problems I see (and have seen) with RFC1918 addresses on
a production network (not a lab) are:
- Merger/acquisition/interconnection with another entity which uses them
and there's an overlap. ("That will never happen" are the words which
- Ambiguity of source IP addresses. If you're receiving log messages or
doing packet traces, you want a good level of confidence that the
source address is from the device you think it is and not some other
stuff leaking into your domain.
- Reverse DNS. Possible to do right but rarely done so.
There is NO DOUBT that using these addresses has operational costs and
risks. If there are security goals, I'd wager that there is a way to
meet those goals using unique address space without those costs and
risks.
Tony
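The two operational risks Tony lists first (address overlap after an interconnection, and ambiguous source addresses in logs) can both be checked mechanically against a router inventory. The following is an added example, not code from the thread or from any cisco-nsp participant; the router names, loopback addresses, partner prefixes and syslog lines are all constructed for illustration, and the "public" loopback uses a documentation prefix as a stand-in.

```python
import ipaddress

# RFC 1918 ranges checked explicitly: ipaddress's is_private also matches other
# special-use blocks (e.g. documentation prefixes), which is not what we mean here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed router inventory: name -> loopback address (hypothetical values).
LOOPBACKS = {
    "core1": "10.255.0.1",
    "core2": "10.255.0.2",
    "edge1": "198.51.100.1",  # documentation prefix standing in for a public loopback
}

# Constructed address plan of a hypothetical partner network we are about to
# interconnect with (the merger/acquisition case from the post).
PARTNER_PREFIXES = ["10.255.0.0/24", "192.168.10.0/24"]

# Constructed syslog lines: "<month> <day> <time> <source-ip> <message>".
SYSLOG = [
    "Jan 15 11:56:44 10.255.0.1 %SYS-5-CONFIG_I: Configured from console",
    "Jan 15 11:57:01 192.168.10.7 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "Jan 15 11:57:30 198.51.100.1 %BGP-5-ADJCHANGE: neighbor 198.51.100.2 Up",
]


def is_rfc1918(addr):
    """True if the address lies in one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_overlaps(loopbacks, partner_prefixes):
    """Map each router whose loopback falls inside a partner prefix to that prefix.

    An entry here means the loopback would collide once the two networks
    exchange routes, so it has to be renumbered or NATed before interconnection.
    """
    nets = [ipaddress.ip_network(p) for p in partner_prefixes]
    hits = {}
    for router, addr in loopbacks.items():
        ip = ipaddress.ip_address(addr)
        for net in nets:
            if ip in net:
                hits[router] = str(net)
                break
    return hits


def classify_syslog_sources(lines, loopbacks):
    """Classify the source IP of each syslog line.

    known-device    : source is one of our inventoried loopbacks
    unknown-rfc1918 : private source not in inventory; could be our gear that is
                      missing from the inventory, or something leaking in from
                      another domain that uses the same private space
    unknown-public  : unique address not in inventory; at least unambiguous
    """
    known = {ipaddress.ip_address(a): r for r, a in loopbacks.items()}
    results = []
    for line in lines:
        fields = line.split(maxsplit=4)
        if len(fields) < 5:
            continue  # malformed line, skip rather than guess
        src = ipaddress.ip_address(fields[3])
        if src in known:
            verdict = "known-device"
        elif is_rfc1918(str(src)):
            verdict = "unknown-rfc1918"
        else:
            verdict = "unknown-public"
        results.append((str(src), verdict))
    return results


if __name__ == "__main__":
    for router, prefix in find_overlaps(LOOPBACKS, PARTNER_PREFIXES).items():
        print(f"OVERLAP: {router} loopback {LOOPBACKS[router]} is inside partner prefix {prefix}")
    for src, verdict in classify_syslog_sources(SYSLOG, LOOPBACKS):
        print(f"{src:16} {verdict}")
```

Run against a real inventory, the overlap check is the thing to do before any interconnection rather than after, and the log classifier is a cheap way to surface the "stuff leaking into your domain" case: an `unknown-rfc1918` source cannot be resolved to a device by address alone, whereas an `unknown-public` one can at least be attributed to an owner.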