Le jeu. 4 oct. 2018 à 21:12, Brandon Applegate <brandon@burn.net> a écrit :
I’ve seen mention on this list and other places about keeping one’s PTPs / loopbacks out of routing tables for security reasons. Totally get this and am on board with it. What I don’t get - is how. I’m going to list some of my ideas below and the pros/cons/problems (that I can think of at least) for them.
- Use public block that is allocated to you (i.e. PI) - but not announced.
this is what we do. We are lucky enough to have plenty of address space which was quite correctly assigned in the first place. This is nice, except for one thing: other networks having urpf towards us. It makes traceroutes from their side to ours useless. Other than that, we use bgpmon to monitor for the absence of advertisements /leaks for those internal prefixes. Works really well.