On Thu, Oct 4, 2018 at 3:10 PM Brandon Applegate <brandon@burn.net> wrote:
I’ve seen mention on this list and other places about keeping one’s PTPs / loopbacks out of routing tables for security reasons. Totally get this and am on board with it. What I don’t get - is how. I’m going to list some of my ideas below and the pros/cons/problems (that I can think of at least) for them.
- RFC 1918 for loopbacks and PTP - Immediately “protects” from the internet at large, as they aren’t routable. - Traceroutes are miserable.
Also breaks PMTUD which can break TCP for everybody whose packets transit your router. So don't do this.
- Use public block that is allocated to you (i.e. PI) - but not announced.
This works.
- Deaggregate and not announce your infra
Not great. Another option is to let it be announced but filter the packets at your border. I wonder if it would be useful to ask the IETF to assign a block of "origination-only" IP addresses... IP addresses which by standard are permitted to be the source of ICMP packets but which should be unreachable by forward routing. Regards, Bill Herrin -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>