Hi,

On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote:
> On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote:
> > Baldur Norddahl wrote:
> > > Loopback interfaces should be configured as /128. How you allocate these does not matter.
> >
> > ...so long as there are interface ACLs on your network edge which block direct IP access to these IP addresses.
>
> Or, maybe even more efficient, assign all loopbacks from a dedicated netblock which you null-route on the edge/your border devices.

Null-routing may not be sufficient if the edge/border router has a route to that /128: the (forwardable) /128 entry will win over the blackholed /64 FIB entry since it is more specific. Applying an ingress interface ACL to each and every external-facing interface will probably work best in the most common deployment scenarios.

For router-to-router linknets I recommend configuring a linknet that is as small as possible and is supported by all sides: /127, /126, /120, etc. Some vendors have put in effort to mitigate the problems related to Neighbor Discovery Protocol cache exhaustion attacks, but the fact of the matter is that on small subnets like a /127, /126 or /120 such attacks simply are non-existent.

Kind regards,

Job
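The longest-prefix-match point above, worked through as an added example (not part of the thread, and not any vendor's FIB or ACL code): a constructed border-router FIB that null-routes a hypothetical loopback block 2001:db8:ffff::/64 but also carries one loopback /128 learned from the IGP, and an ingress ACL applied before routing. All prefixes and next-hop labels are assumptions.

```python
import ipaddress

# Constructed FIB for the border router in the thread. The whole loopback
# block is blackholed, but one loopback /128 is also present as a forwardable
# entry (the "forwardable /128" Job refers to). Prefixes are hypothetical.
LOOPBACK_BLOCK = ipaddress.ip_network("2001:db8:ffff::/64")
FIB = {
    LOOPBACK_BLOCK: "blackhole",
    ipaddress.ip_network("2001:db8:ffff::1/128"): "forward:core1",
    ipaddress.ip_network("2001:db8::/32"): "forward:customer-facing",
}


def fib_lookup(dst, fib=FIB):
    """Longest-prefix match, as a router's FIB performs it.

    The most specific covering prefix wins, so a /128 beats a /64 blackhole."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, action in fib.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, action)
    return best[1] if best else "drop:no-route"


def ingress_acl(dst, blocked=LOOPBACK_BLOCK):
    """Ingress ACL on an external-facing interface: deny any packet whose
    destination is inside the loopback block, regardless of the FIB."""
    return "deny" if ipaddress.ip_address(dst) in blocked else "permit"


def external_packet_fate(dst, acl_applied):
    """Fate of a packet arriving on an external interface: the ACL is
    evaluated first (if applied), then the FIB decides."""
    if acl_applied and ingress_acl(dst) == "deny":
        return "dropped-by-acl"
    return fib_lookup(dst)


if __name__ == "__main__":
    for dst in ("2001:db8:ffff::2", "2001:db8:ffff::1", "2001:db8::5"):
        print(dst, "no-acl:", external_packet_fate(dst, False),
              "with-acl:", external_packet_fate(dst, True))
```

Running it shows the /128 loopback reachable from outside despite the /64 blackhole, and unreachable once the ingress ACL is applied, while customer traffic outside the loopback block is still forwarded.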