Hi,

On Sun, Sep 10, 2017 at 12:08:59PM +0200, Job Snijders wrote:
> Hi,
>
> On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote:
> > On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote:
> > > Baldur Norddahl wrote:
> > > > Loopback interfaces should be configured as /128. How you allocate
> > > > these does not matter.
> > >
> > > ..so long as there are interface ACLs on your network edge which block
> > > direct IP access to these IP addresses.
> >
> > or, maybe even more efficient, assign all loopbacks from a dedicated
> > netblock which you null-route on the edge/your border devices.
>
> Null-routing may not be sufficient, if the edge/border router has a
> route to that /128; the (forwardable) /128 entry will win from the
> blackholed /64 FIB entry since it is more-specific.
just thought about it a bit. As mentioned (in another post) I was thinking of
a specific use case/setting, but wouldn't a static null-route (of a blackholed
/64) win over a /128 learned from a RP anyway (given the better AD)? Am I
missing something here?

thanks

Enno

> Applying an ingress
> interface ACL to each and every external-facing interface will probably
> work best in the most common deployment scenarios.
>
> For router-to-router linknets I recommend configuring a linknet that is
> as small as possible and is supported by all sides: /127, /126, /120,
> etc. Some vendors have put in effort to mitigate the problems related to
> Neighbor Discovery Protocol cache exhaustion attacks, but the fact of
> the matter is that on small subnets like a /127, /126 or /120 such
> attacks simply are non-existent.
>
> Kind regards,
>
> Job

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Matthias Luft, Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
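The route-selection question in the exchange above (static /64 null-route vs. a /128 loopback learned from a routing protocol) comes down to two separate steps that routers perform: administrative distance is compared only between candidate routes for the same prefix when the FIB is built, and forwarding is then a longest-prefix match across all FIB entries. The following is an added example, not code from the thread or from any router vendor; it models a border router with a tiny RIB/FIB, and all prefixes, next hops and AD values are constructed for illustration (the ADs 1 and 110 mirror common static and OSPF defaults). It also shows the ingress-ACL alternative Job mentions, applied before the FIB lookup.

```python
"""
Added example (not part of the original mailing-list thread): a minimal
RIB/FIB model showing why a static null-route for a loopback /64 does not
shadow a /128 loopback route learned from an IGP, and why an ingress ACL
on external-facing interfaces does stop such traffic.

All addresses, prefixes and AD values below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv6Network
    next_hop: str   # "Null0" stands for a blackhole / discard next hop
    ad: int         # administrative distance; lower is preferred
    source: str     # "static", "ospf", ... (label only)


class Router:
    def __init__(self) -> None:
        self.rib: List[Route] = []

    def add(self, prefix: str, next_hop: str, ad: int, source: str) -> None:
        self.rib.append(Route(ip_network(prefix), next_hop, ad, source))

    def fib(self) -> Dict[IPv6Network, Route]:
        """Step 1: per prefix, keep only the candidate with the lowest AD.
        AD never compares routes for *different* prefixes."""
        best: Dict[IPv6Network, Route] = {}
        for r in self.rib:
            if r.prefix not in best or r.ad < best[r.prefix].ad:
                best[r.prefix] = r
        return best

    def lookup(self, dst: str) -> Optional[Route]:
        """Step 2: longest-prefix match over the FIB. AD plays no part here,
        so a /128 always beats a covering /64, whatever the /64's AD."""
        addr = ip_address(dst)
        candidates = [r for p, r in self.fib().items() if addr in p]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)


# Constructed loopback netblock for the example network.
LOOPBACK_BLOCK = ip_network("2001:db8:ffff::/64")


def border_router_scenario() -> Router:
    """Border router that null-routes the loopback block statically (AD 1)
    but also learns the same /64 and one core loopback /128 from OSPF."""
    r = Router()
    r.add("2001:db8:ffff::/64", "Null0", 1, "static")           # operator's blackhole
    r.add("2001:db8:ffff::/64", "2001:db8:1::2", 110, "ospf")   # loses to static on AD
    r.add("2001:db8:ffff::1/128", "2001:db8:1::2", 110, "ospf") # more-specific, forwardable
    return r


def forwarded_to(router: Router, dst: str) -> str:
    """Next hop the FIB would use for dst, or 'unrouted'."""
    route = router.lookup(dst)
    return "unrouted" if route is None else route.next_hop


def ingress_acl_permits(dst: str, blocked: IPv6Network = LOOPBACK_BLOCK) -> bool:
    """Interface ACL on an external-facing interface: evaluated before any
    routing decision, so prefix length in the FIB is irrelevant."""
    return ip_address(dst) not in blocked


def handle_external_packet(router: Router, dst: str) -> str:
    if not ingress_acl_permits(dst):
        return "dropped-by-acl"
    return forwarded_to(router, dst)


if __name__ == "__main__":
    r = border_router_scenario()
    print(r.fib()[LOOPBACK_BLOCK].source)          # static: AD decided the /64
    print(forwarded_to(r, "2001:db8:ffff::1"))     # OSPF next hop: /128 bypasses blackhole
    print(forwarded_to(r, "2001:db8:ffff::55"))    # Null0: only the /64 covers it
    print(handle_external_packet(r, "2001:db8:ffff::1"))  # dropped-by-acl
```

The `fib()` step is where the better AD of the static route matters: it beats the OSPF-learned /64 for that same prefix. The `lookup()` step is where it stops mattering: the /128 is a different, more-specific prefix, so the blackholed /64 never gets consulted for traffic to the loopback address itself. The ACL path drops the packet before either step, which is why it does not depend on what the routing protocols happen to inject.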