[c-nsp] RFC 1918 on loopback?

Seth Mattinen sethm at rollernet.us
Tue Jan 15 14:02:46 EST 2008


nachocheeze at gmail.com wrote:
> We tend to design our networks based on an idea outlined somewhat in
> this thread:
> 
> http://marc.info/?l=cisco-nsp&m=113016470017015&w=2
> 
> "Implementing private IP addresses on links between your routers
> violates RFC1918 unless you implement filters on your borders.
> You still originate the ICMPs and they still reach the sources
> (unless filtered). This is a very bad idea."
> 
> As such, the current network I'm dealing with (campus enterprise, not
> a service provider) has public IP addresses on all core and
> distribution router node interfaces, including the loopback.
> 
> There's a security push to move more IPs off public space and onto
> RFC 1918 unless there is a justification for a public IP.  I've been
> asked if it's possible to move our loopback addresses to private
> space, and since currently the only purpose they serve is
> for IGP router-id, it seems reasonable (except on our BGP speaking
> Internet border routers).
> 

1918 addressing does not equal security. If that's the primary reason
for renumbering, I'd suggest ACLs instead. That said, in the campus
environment I last worked in, 1918 addresses were used to create a
separate management network between every device.

~Seth
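As an added illustration of the ACL alternative Seth mentions and of the border filtering the quoted thread calls for (this is not configuration from the thread or its authors): a Cisco IOS example that leaves the loopbacks on public addresses but restricts who can reach them, and stops RFC 1918-sourced packets from leaving the border. All addresses and the interface name are placeholder assumptions: loopbacks in 203.0.113.0/24, a management subnet 198.51.100.0/24, uplink GigabitEthernet0/0.

```ios
! Added example, not from the thread. Assumed placeholder values:
! loopbacks in 203.0.113.0/24, management subnet 198.51.100.0/24,
! Internet uplink GigabitEthernet0/0.
!
! Border egress filter: drop anything sourced from RFC 1918 space,
! which covers the ICMP errors a router would originate from a
! private link address (the problem the quoted thread describes).
ip access-list extended EGRESS-NO-RFC1918
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
! Infrastructure ACL: loopbacks keep their public addresses, but only
! the management subnet may reach them from outside; transit traffic
! to everything else is untouched, so routing is unaffected.
! If an eBGP peer is established to a loopback, permit that peer
! explicitly above the deny line.
ip access-list extended PROTECT-LOOPBACKS
 permit ip 198.51.100.0 0.0.0.255 203.0.113.0 0.0.0.255
 deny   ip any 203.0.113.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group PROTECT-LOOPBACKS in
 ip access-group EGRESS-NO-RFC1918 out
```

The logged denies on PROTECT-LOOPBACKS double as a simple detection signal for probes against router addresses, which renumbering to private space would not provide.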
