[c-nsp] RFC 1918 on loopback?

Tom Storey tom at snnap.net
Tue Jan 15 19:44:02 EST 2008


> On Tue, Jan 15, 2008 at 10:20:40AM -0600, nachocheeze at gmail.com wrote:
>>
>> There's a security push to move more IPs off public space and onto
>> RFC 1918 unless there is a justification for a public IP.  I've been
>> asked if it's possible to move our loopback addresses to private
>> space, and since currently the only purpose they currently serve is
>> for IGP router-id, it seems reasonable (except on our BGP speaking
>> Internet border routers).
>
> The right question to ask is "What are the security goals?"
> Then: "How does using RFC1918 addresses meet or not meet these goals?"
> Then: "Is there some other way to meet these goals?"
>
>> I'm trying to come up with any possible scenario where this would NOT
>> be a good idea to avoid future headache with anything we might want to
>> deploy later (such as interdomain multicast). Has anyone ever run into
>> this and had it bite them later on down the road?
>
> Yes, the biggest problems I see (and have seen) with RFC1918 addresses on
> a production network (not a lab) are:
>
> - Merger/acquisition/interconnection with another entity which uses them
>   and there's an overlap.  ("That will never happen" are the words which
>

One would hope that each party kept adequate documentation (for their own
sake) which would make it quite easy to determine whether there is going
to be any overlap.

Everyone keeps good network documentation, right? :-)

> - Ambiguity of source IP addresses.  If you're receiving log messages or
>   doing packet traces, you want a good level of confidence that the
>   source address is from the device you think it is and not some other
>   stuff leaking into your domain.
>
> - Reverse DNS.  Possible to do right but rarely done so.
>
> There is NO DOUBT that using these addresses has operational costs and
> risks.  If there are security goals, I'd wager that there is a way to
> meet those goals using unique address space without those costs and
> risks.
>
> Tony

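The overlap check and the source-address ambiguity raised in this message, as an added example that is not part of the original post. It compares two constructed address plans with Python's `ipaddress` module; the organisation names, prefixes and sample log sources are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed address plans for two hypothetical organisations about to interconnect.
ORG_A = {"loopbacks": "10.255.0.0/24", "mgmt": "172.16.10.0/23",
         "public-lo": "198.51.100.0/28"}
ORG_B = {"loopbacks": "10.255.0.128/25", "servers": "172.16.8.0/21",
         "public-lo": "203.0.113.0/28"}
# Constructed source addresses as they might appear in syslog or a packet trace.
SAMPLE_SOURCES = ["10.255.0.5", "10.255.0.200", "172.16.11.7", "198.51.100.3"]


def is_rfc1918(net):
    """True if the whole prefix sits inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)


def find_overlaps(plan_a, plan_b):
    """Return sorted (name_a, name_b, shared_prefix, is_private) tuples."""
    hits = []
    for name_a, cidr_a in plan_a.items():
        a = ipaddress.ip_network(cidr_a)
        for name_b, cidr_b in plan_b.items():
            b = ipaddress.ip_network(cidr_b)
            if a.overlaps(b):
                # CIDR prefixes either nest or are disjoint, so the shared
                # space is simply the more specific of the two prefixes.
                shared = a if a.subnet_of(b) else b
                hits.append((name_a, name_b, str(shared), is_rfc1918(shared)))
    return sorted(hits)


def owners(addr, plan):
    """Names of the prefixes in one plan that contain this address."""
    ip = ipaddress.ip_address(addr)
    return [n for n, cidr in plan.items() if ip in ipaddress.ip_network(cidr)]


def ambiguous_sources(addresses, plan_a, plan_b):
    """Source addresses that both plans claim, so a log line cannot be attributed."""
    return [a for a in addresses if owners(a, plan_a) and owners(a, plan_b)]


if __name__ == "__main__":
    for hit in find_overlaps(ORG_A, ORG_B):
        print("overlap:", hit)
    print("ambiguous sources:", ambiguous_sources(SAMPLE_SOURCES, ORG_A, ORG_B))
```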