nanog mailing list archives

RE: Not announcing (to the greater internet) loopbacks/PTP/infra - how ?


From: <adamv0025 () netconsultings com>
Date: Fri, 5 Oct 2018 12:27:24 +0100

From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of William Herrin
Sent: Thursday, October 04, 2018 8:53 PM

- RFC 1918 for loopbacks and PTP
  - Immediately “protects” from the internet at large, as they aren’t routable.
  - Traceroutes are miserable.

Also breaks PMTUD, which can break TCP for everybody whose packets transit your router. So don't do this.

Only if you have a lower MTU on your core links than on your edge, which is a huge design flaw.
Also, most of the internet backbones out there are MPLS based, meaning the traceroutes are, well, "sparse" to say the least, so I wouldn't worry about this that much.


Another option is to let it be announced but filter the packets at your border.

That defeats the whole purpose of this exercise.
Yes, we all use infrastructure ACLs to protect our infrastructure, but if the infra-block is advertised the DDoS is still delivered to your doorstep. Even if you filter it at the edge interfaces, the damage has been done already, as your upstream pipes are full.

If your infra-ranges are not advertised, your infrastructure simply can't be targeted by any DDoS attack.


adam 
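The check this thread argues about, whether the loopback/PTP/management ranges fall inside anything you export to transit, as an added Python example written for this archive page rather than anything posted in the thread; the advertised aggregates and infra ranges are constructed documentation and RFC 1918 values, and the `audit`/`exposed` helpers are assumptions of this example.

```python
import ipaddress

# Constructed sample data (not from the thread): aggregates exported to transit.
ADVERTISED = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32"]

# Constructed sample data: ranges that carry only loopbacks, PTP links, management.
INFRA = {
    "loopbacks-v4": "203.0.113.0/26",      # sits inside an exported aggregate
    "ptp-links-v4": "198.51.100.192/26",   # sits inside an exported aggregate
    "mgmt-v4": "192.0.2.0/24",             # separate block, never exported
    "ptp-links-rfc1918": "10.255.0.0/16",  # private space, never exported
    "loopbacks-v6": "2001:db8:ffff::/48",  # sits inside the exported /32
}

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit(advertised, infra):
    """Return {name: {"exported_by": [...], "rfc1918": bool}} for each infra range.

    A non-empty "exported_by" list means the range is covered by a prefix you
    announce: the routers in it are reachable from the internet, an iACL is the
    only thing protecting them, and attack traffic still fills the transit links
    before the ACL drops it. An empty list means the range is not announced.
    """
    adv = [ipaddress.ip_network(p, strict=False) for p in advertised]
    report = {}
    for name, rng in infra.items():
        net = ipaddress.ip_network(rng, strict=False)
        exported_by = sorted(str(a) for a in adv
                             if a.version == net.version and a.overlaps(net))
        rfc1918 = net.version == 4 and any(net.subnet_of(r) for r in RFC1918)
        report[name] = {"exported_by": exported_by, "rfc1918": rfc1918}
    return report


def exposed(report):
    """Names of infra ranges that are announced, i.e. targetable from outside."""
    return sorted(name for name, r in report.items() if r["exported_by"])


if __name__ == "__main__":
    rep = audit(ADVERTISED, INFRA)
    for name, r in rep.items():
        if r["exported_by"]:
            status = "EXPOSED via " + ", ".join(r["exported_by"])
        else:
            status = "not routable (RFC 1918)" if r["rfc1918"] else "not announced"
        print(f"{name:20} {status}")
```

Feed it the prefix-list you actually export and the ranges your loopback/PTP addressing plan uses; any name returned by `exposed` is a range that an edge iACL alone is protecting.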

