On Thu, Oct 05, 2023 at 1:42 PM, Niels Bakker <niels=nanog@bakker.net> wrote:
* GutierrezJ@westmancom.com (Javier Gutierrez) [Thu 05 Oct 2023, 19:25 CEST]:
I have recently encountered some operational differences at my new organization that are not what I have been exposed to before, where the loopback of the core network devices is being set from RFC1918 while on the global routing table. I'm sure this is not a major issue but I have mostly seen that ISPs use global IPs for loopbacks on devices that would and hold global routing.
My question is, what is the most used or recommended way to do this, if I continue to use RFC1918 I will save some very much desired public address space, but would this come back to bite me in the future?
The recommendation is to make Router-IDs globally unique. They're used in collision detection. What if you and a peer pick the same non globally unique address? Any session will never come up.
Yes, Router-IDs should be unique within a domain, but that doesn't mean that 1: they need to the the same as the loopback address and 2: if they are not talking to (external) peers, they don't even have to be **globally** unique. If I choose to number "core" devices from 192.168.0.0/24, and ensure that I don't give multiple devices the same (e.g 192.168.0.42) address, everything works just fine. Note that you have the same problem with non-RFC1918 space — giving multiple devices the same "public" address ends equally poorly. At one point, it was viewed by some as a feature to not use globally reachable addresses for loopbacks - the thought being that if you cannot target packets towards e.g. SSH / Telnet / whatever, you cannot attack / DoS the box as easily. However, just because you *can* use RFC1918 space for loopbacks (and in many cases Router-IDs), it doesn't mean that you *should*. Eventually you'll decide to convert some purely iBGP speaker into an eBGP device, and will discover that both you and your peer decided to do this, and both chose 10.117.236.17 for the loopback and Router-ID….
You need globally unique IP addresses on routers anyway, to send ICMP error packets from.
Weeeeeell… "Need" might be a bit strong; it seems to have decreased over time, but it used to be fairly common to see 1918 space show up in traceroute. I suspect that a fair number of ICMPs are still being sourced from 1918 space, but BCP38 and similar filters are dropping them, leading to '* * *'. Perhaps "Assuming you don't want to be a jackass, you need …"? w
-- Niels.