On Thu, Oct 4, 2018 at 3:10 PM Brandon Applegate <bran...@burn.net> wrote:
> I've seen mention on this list and other places about keeping one's PTPs /
> loopbacks out of routing tables for security reasons. Totally get this and
> am on board with it. What I don't get - is how. I'm going to list some of
> my ideas below and the pros/cons/problems (that I can think of at least) for
> them.
>
> - RFC 1918 for loopbacks and PTP
>   - Immediately "protects" from the internet at large, as they aren't
>     routable.
>   - Traceroutes are miserable.

Also breaks PMTUD which can break TCP for everybody whose packets transit
your router. So don't do this.

> - Use public block that is allocated to you (i.e. PI) - but not announced.

This works.

> - Deaggregate and not announce your infra

Not great. Another option is to let it be announced but filter the packets
at your border.

I wonder if it would be useful to ask the IETF to assign a block of
"origination-only" IP addresses... IP addresses which by standard are
permitted to be the source of ICMP packets but which should be unreachable
by forward routing.

Regards,
Bill Herrin

--
William Herrin ................ her...@dirtside.com  b...@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
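The following is an added illustration, not code from either poster: a small Python model of the two filtering points the reply turns on. A remote network's edge is assumed to run a typical anti-spoofing filter that drops RFC 1918 sources (an assumption about common practice, not something the thread states), which is why a "Fragmentation Needed" or "Time Exceeded" message sourced from a 10.x loopback never reaches the host that needs it, breaking PMTUD and blanking traceroute hops. The "announce it, but filter at the border" option is modelled as an inbound filter that drops anything destined to the infrastructure block. All prefixes and addresses are constructed documentation values (192.0.2.0/24 standing in for "our" PI block, 203.0.113.0/24 for customer space, 198.51.100.10 for a remote host).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample values (documentation prefixes), not anything from the thread:
INFRA_BLOCK = ip_network("192.0.2.0/24")       # "our" PI block used only for loopbacks / PTPs
CUSTOMER_BLOCK = ip_network("203.0.113.0/24")  # prefixes we actually carry traffic for
REMOTE_HOST = "198.51.100.10"                  # a host on some other network

RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

ICMP_FRAG_NEEDED = (3, 4)    # Destination Unreachable / Fragmentation Needed (PMTUD)
ICMP_TTL_EXCEEDED = (11, 0)  # Time Exceeded in transit (what traceroute listens for)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp", "udp" or "icmp"
    icmp: Optional[Tuple[int, int]] = None  # (type, code) when proto == "icmp"


def is_rfc1918(addr: str) -> bool:
    return any(ip_address(addr) in net for net in RFC1918)


def remote_edge_filter(pkt: Packet) -> str:
    """Assumed anti-spoofing filter at another network's edge: packets with an
    RFC 1918 source are martians and are dropped regardless of content."""
    return "drop" if is_rfc1918(pkt.src) else "accept"


def our_border_filter_inbound(pkt: Packet) -> str:
    """The 'announce it, but filter at the border' option: the infra block is
    in the global table (so packets it originates are not martians anywhere),
    but nothing arriving from outside may be delivered *to* it."""
    if ip_address(pkt.dst) in INFRA_BLOCK:
        return "drop"
    return "accept"


def router_icmp_reaches_remote(router_addr: str, icmp: Tuple[int, int]) -> bool:
    """Would an ICMP message our router sources from `router_addr` survive the
    remote network's edge filter? PMTUD and traceroute both depend on this."""
    pkt = Packet(src=router_addr, dst=REMOTE_HOST, proto="icmp", icmp=icmp)
    return remote_edge_filter(pkt) == "accept"


def pmtud_works(router_addr: str) -> bool:
    return router_icmp_reaches_remote(router_addr, ICMP_FRAG_NEEDED)


def traceroute_hop_visible(router_addr: str) -> bool:
    return router_icmp_reaches_remote(router_addr, ICMP_TTL_EXCEEDED)


def border_decisions() -> dict:
    """Inbound packets at our border under the 'announce but filter' option."""
    cases = {
        "remote -> our loopback (ssh)": Packet(REMOTE_HOST, "192.0.2.1", "tcp"),
        "remote -> our customer (https)": Packet(REMOTE_HOST, "203.0.113.5", "tcp"),
        "remote -> our PTP (icmp echo)": Packet(REMOTE_HOST, "192.0.2.9", "icmp", (8, 0)),
    }
    return {name: our_border_filter_inbound(p) for name, p in cases.items()}


if __name__ == "__main__":
    for addr in ("10.1.1.1", "192.0.2.1"):
        print(f"{addr:>10}: PMTUD {'ok' if pmtud_works(addr) else 'BROKEN'}, "
              f"traceroute hop {'shown' if traceroute_hop_visible(addr) else '* * *'}")
    for name, verdict in border_decisions().items():
        print(f"{name}: {verdict}")
```

The model makes the asymmetry explicit: the border filter only needs to look at the destination address of inbound packets, so packets the routers themselves originate (ICMP errors, traceroute replies) still leave with a globally routable, non-martian source, while nothing from outside can be delivered to a loopback or point-to-point address.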