[c-nsp] RFC 1918 on loopback?
Seth Mattinen
sethm at rollernet.us
Tue Jan 15 14:02:46 EST 2008
nachocheeze at gmail.com wrote:
> We tend to design our networks based on an idea outlined somewhat in
> this thread:
>
> http://marc.info/?l=cisco-nsp&m=113016470017015&w=2
>
> "Implementing private IP addresses on links between your routers
> violates RFC1918 unless you implement filters on your borders.
> You still originate the ICMPs and they still reach the sources
> (unless filtered). This is a very bad idea."
>
> As such, the current network I'm dealing with (campus enterprise, not
> a service provider) has public IP addresses on all core and
> distribution router node interfaces, including the loopback.
>
> There's a security push to move more IPs off public space and onto
> RFC 1918 unless there is a justification for a public IP. I've been
> asked if it's possible to move our loopback addresses to private
> space, and since currently the only purpose they serve is
> for IGP router-id, it seems reasonable (except on our BGP speaking
> Internet border routers).
>
1918 addressing does not equal security. If that's the primary reason
for renumbering, I'd suggest ACLs instead. That said, in the campus
environment I last worked in, 1918 addresses were used to create a
separate management network between every device.
~Seth
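The two points raised in this thread, border filtering so that ICMP sourced from RFC 1918 router links never leaves the site, and an ACL rather than address choice to protect a loopback, as an added IOS configuration example (not from either poster or the linked thread). The interface name, the public block 192.0.2.0/24, the loopback 10.255.0.1 and the management subnet 10.255.255.0/24 are assumed placeholders, and the border is assumed not to be doing NAT.

```cisco
! --- Border router ---
! Egress filter: nothing sourced from RFC 1918 space leaves the campus,
! which includes ICMP time-exceeded/unreachable generated on private
! numbered transit links. Ingress filter: private sources arriving from
! the Internet are spoofed and dropped. Interface name and prefixes are
! assumed for this example.
ip access-list extended BORDER-OUT
 remark Drop RFC 1918 sources before they reach the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list extended BORDER-IN
 remark Private source addresses never legitimately arrive from outside
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any 192.0.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 description Internet uplink (assumed interface name)
 ip access-group BORDER-IN in
 ip access-group BORDER-OUT out
!
! --- Core/distribution router ---
! The loopback used as IGP router-id is protected by who may reach the
! control plane, not by whether its address is public or private.
ip access-list standard MGMT-HOSTS
 remark Only the management subnet may open sessions to this router
 permit 10.255.255.0 0.0.0.255
 deny   any log
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
router ospf 1
 router-id 10.255.0.1
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

With BORDER-OUT in place, an outside traceroute into the campus shows `* * *` for the private numbered hops instead of leaking their addresses; that silence is the trade-off the quoted thread describes, so operators should expect it rather than treat it as a fault.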