[c-nsp] RFC 1918 on loopback?

David Freedman david.freedman at uk.clara.net
Wed Jan 16 07:21:55 EST 2008


RFC1918 != security. I would ensure all loopback and transfer networks
that do not require public access (other than of course ICMP TTL exceeded
messages to be sent from) be filtered at the edge.


Dave.

nachocheeze at gmail.com wrote:
> We tend to design our networks based on an idea outlined somewhat in
> this thread:
> 
> http://marc.info/?l=cisco-nsp&m=113016470017015&w=2
> 
> "Implementing private IP addresses on links between your routers
> violates RFC1918 unless you implement filters on your borders.
> You still originate the ICMPs and they still reach the sources
> (unless filtered). This is a very bad idea."
> 
> As such, the current network I'm dealing with (campus enterprise, not
> a service provider) has public IP addresses on all core and
> distribution router node interfaces, including the loopback.
> 
> There's a security push to move more IPs off public space and onto
> RFC 1918 unless there is a justification for a public IP.  I've been
> asked if it's possible to move our loopback addresses to private
> space, and since the only purpose they currently serve is
> for IGP router-id, it seems reasonable (except on our BGP speaking
> Internet border routers).
> 
> I'm trying to come up with any possible scenario where this would NOT
> be a good idea to avoid future headache with anything we might want to
> deploy later (such as interdomain multicast). Has anyone ever run into
> this and had it bite them later on down the road?
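One concrete shape for the edge filter Dave describes, added here as an example and not taken from the original post: inbound from the Internet, nothing may reach the private loopback and transfer space; outbound, the only thing allowed to leave with a private source is ICMP time-exceeded, so traceroute through the core still works. The address blocks (10.254.0.0/16 for transfer links, 10.255.0.0/16 for loopbacks) and the interface name are assumptions.

```ios
! Constructed example: assumed addressing, adjust to your own allocation
!   10.254.0.0/16  transfer (point-to-point) links
!   10.255.0.0/16  router loopbacks (IGP router-id only)
ip access-list extended EDGE-IN
 remark Internet cannot reach private infrastructure space at all
 deny   ip any 10.254.0.0 0.0.255.255
 deny   ip any 10.255.0.0 0.0.255.255
 permit ip any any
!
ip access-list extended EDGE-OUT
 remark the one exception: TTL-exceeded replies sourced from private hops
 permit icmp 10.254.0.0 0.0.255.255 any time-exceeded
 permit icmp 10.255.0.0 0.0.255.255 any time-exceeded
 remark everything else sourced from RFC1918 space stays inside
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink (assumed interface name)
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
```

As the quoted message notes, the time-exceeded packets still carry a private source address and may be dropped by anyone upstream who filters RFC1918 sources, so the traceroute hop appears as a timeout rather than as the private hop itself.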
