Hi,

On Sun, Sep 10, 2017 at 12:08:59PM +0200, Job Snijders wrote:
> Hi,
>
> On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote:
> > On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote:
> > > Baldur Norddahl wrote:
> > > > Loopback interfaces should be configured as /128. How you allocate these does not matter.
> > >
> > > ..so long as there are interface ACLs on your network edge which block direct IP access to these IP addresses.
> >
> > or, maybe even more efficient, assign all loopbacks from a dedicated netblock which you null-route on the edge/your border devices.
>
> Null-routing may not be sufficient, if the edge/border router has a route to that /128; the (forwardable) /128 entry will win from the blackholed /64 FIB entry since it is more-specific. Applying an ingress interface ACL to each and every external facing interface will probably work best in the most common deployment scenarios.

good point. I was coming from an Enterprise network perspective where

- the border devices do not necessarily hold the/those /128(s) given there's a layer of stateful firewalls in between which creates an isolation boundary for routing protocols.
- people do not necessarily fully trust the (outsourced) entities responsible for implementing the filters/ACLs.
- this is hence a not-uncommon strategy to feel/be safer as for the (unwanted) global reachability of loopbacks, after the introduction of IPv6.

best

Enno

> For router-to-router linknets I recommend to configure a linknet that is as small as possible and is supported by all sides: /127, /126, /120, etc. Some vendors have put in effort to mitigate the problems related to Neighbor Discovery Protocol cache exhaustion attacks, but the fact of the matter is that on small subnets like a /127, /126 or /120 such attacks simply are non-existent.
>
> Kind regards,
>
> Job

-- 
Enno Rey
ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Matthias Luft, Enno Rey
=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
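The longest-prefix-match point Job raises (a forwardable /128 beating a null-routed /64 because it is more specific) can be checked against a routing table with a few lines of code. The following is an added illustration, not code from the thread or from either poster: it simulates a FIB lookup with Python's standard `ipaddress` module and includes an audit function that lists forwardable more-specifics punching holes in a discard route. The prefixes are constructed from the 2001:db8::/32 documentation range, the next-hop names are placeholders, and the "leaked" /128 is assumed for the sake of the example.

```python
import ipaddress

# Constructed FIB: (prefix, next_hop). A next_hop of None is a discard/blackhole route.
# Documentation-range prefixes and placeholder next-hop names, not taken from the thread.
FIB = [
    (ipaddress.ip_network("2001:db8:ffff::/64"), None),       # dedicated loopback block, null-routed at the border
    (ipaddress.ip_network("2001:db8:ffff::1/128"), "core1"),  # a loopback /128 the border also learned (assumed leak)
    (ipaddress.ip_network("2001:db8::/32"), "core1"),         # the rest of the site aggregate
    (ipaddress.ip_network("::/0"), "upstream"),               # default route
]


def lookup(fib, dst):
    """Longest-prefix match: among all covering routes, the most specific wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def is_blackholed(fib, dst):
    """True only if the winning route for dst is a discard route."""
    best = lookup(fib, dst)
    return best is not None and best[1] is None


def more_specifics_under_blackholes(fib):
    """Audit: every forwardable route that sits inside a discard route.

    Each hit is a destination the null-route does not protect, which is
    exactly the case Job describes for a loopback /128 inside a blackholed /64.
    """
    holes = []
    for blackhole, next_hop in fib:
        if next_hop is not None:
            continue
        for prefix, other_hop in fib:
            if other_hop is not None and prefix != blackhole and prefix.subnet_of(blackhole):
                holes.append((str(blackhole), str(prefix), other_hop))
    return holes


if __name__ == "__main__":
    for dst in ("2001:db8:ffff::1", "2001:db8:ffff::2"):
        prefix, next_hop = lookup(FIB, dst)
        print(f"{dst} -> {prefix} via {next_hop or 'DISCARD'}")
    for blackhole, prefix, next_hop in more_specifics_under_blackholes(FIB):
        print(f"WARNING: {prefix} (via {next_hop}) punches a hole in discard route {blackhole}")
```

Running it shows `2001:db8:ffff::2` being discarded by the /64 while `2001:db8:ffff::1` is forwarded via the /128, and the audit flags that /128. In practice the same check means comparing the border router's own routing table against the blackholed aggregate; if any more-specific forwardable entries show up there, the null-route alone is not doing the job and the interface ACLs the thread recommends are what actually closes the gap.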