[c-nsp] Private IP in SP Core

Saku Ytti saku at ytti.fi
Mon Mar 11 03:23:05 EDT 2013


On (2013-03-10 21:44 +0000), Gordon Bryan wrote:

> I like the concept of private addressing (core hiding being one) but having never seen it deployed in anger I'm concerned that it might not be as simple as it seems and may break other things. I've read that traceroute and PMTUD are at risk in such a scenario.

RFC1918 core links and loops and MPLS core hiding (no TTL propagation) are
two completely different issues.

If you plan to run INET in global table, don't run RFC1918 core links, you
will break traceroute.
Loopbacks should be comparatively safe to run in RFC1918, but the motivation is
unclear, unless you really are running that short on IP addresses.

From a security POV, don't consider either solution a security pro or con;
in either case you must have an iACL at the edge limiting traffic to your
infrastructure networks.

> Also, even in a completely private core, a PE still becomes exposed to the outside world on its PE-to-CE interface when delivering Internet services. Has anyone developed any proficient methods for locking down these interfaces and making them unresponsive/secure from the outside?

If each and every interface is in a VRF you will gain a certain level of added
security. But it's still not a foolproof solution: if the customer is L2
connected to your router, they can almost certainly take your router down
from the connected VRF or INET interface. But they probably can't gain
unauthorized access to it or to other VRFs.


-- 
  ++ytti
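The kind of edge iACL the reply refers to, written out as an added example (this is not configuration from the original post or from any production network). The address blocks are assumptions taken from the RFC 5737 documentation ranges: 192.0.2.0/24 stands in for the loopback space, 198.51.100.0/24 for the core link space, and 203.0.113.1 / 203.0.113.2 for an external BGP peer and the local peering address. The ACL name and interface are likewise assumed.

```cisco
! Assumed infrastructure address plan (documentation ranges, not real):
!   loopbacks   192.0.2.0/24
!   core links  198.51.100.0/24
!   eBGP peer   203.0.113.1 talking to our peering address 203.0.113.2
!
ip access-list extended INFRA-IACL
 remark -- anti-spoof: nothing from outside may claim an infrastructure source
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 remark -- the only TCP allowed to infrastructure space: BGP from the known peer
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 remark -- ICMP that infrastructure addresses must still receive:
 remark -- packet-too-big keeps PMTUD working for loopback-sourced sessions,
 remark -- ttl-exceeded/unreachable/echo-reply keep traceroute and ping
 remark -- from the routers themselves working
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 198.51.100.0 0.0.0.255 packet-too-big
 permit icmp any 198.51.100.0 0.0.0.255 ttl-exceeded
 permit icmp any 198.51.100.0 0.0.0.255 unreachable
 permit icmp any 198.51.100.0 0.0.0.255 echo
 permit icmp any 198.51.100.0 0.0.0.255 echo-reply
 remark -- everything else aimed at infrastructure space is dropped
 deny   ip any 192.0.2.0 0.0.0.255
 deny   ip any 198.51.100.0 0.0.0.255
 remark -- transit traffic to customer prefixes is not infrastructure
 permit ip any any
!
interface GigabitEthernet0/1
 description Internet / customer facing edge (assumed interface)
 ip access-group INFRA-IACL in
```

The ACL is applied inbound on every external-facing interface; the final `permit ip any any` is what makes it an infrastructure filter rather than a customer filter, since only packets whose destination is one of the router's own address blocks are examined. Whether the core links are RFC1918 or public does not change the shape of this filter, which is the point the reply makes: the iACL is required either way. Before deploying, verify with `show ip access-lists INFRA-IACL` that the BGP and ICMP entries are matching and that the trailing `deny` counters show only traffic you expect to drop.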

