Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

[Brandon Applegate <brandon () burn net>]

Hello,

I’ve seen mention on this list and other places about keeping one’s PTPs / loopbacks out of routing tables for security 
reasons.  Totally get this and am on board with it.  What I don’t get - is how.  I’m going to list some of my ideas 
below and the pros/cons/problems (that I can think of at least) for them.

- RFC 1918 for loopbacks and PTP
  - Immediately “protects” from the internet at large, as they aren’t routable.
  - Traceroutes are miserable.

- Use public block that is allocated to you (i.e. PI) - but not announced.
  - So would this be a totally separate (from user/customer prefixes) announcement and allocation ?  In other words, 
let’s say you were a small ISP getting started.  You manage to get a /20 from a broker (IPv6 should be “easy”).  Do you 
also now go out and get a /23 (I’m making these sizes up, obviously all of these will vary based on ISP size, growth 
plan, etc.).  You have the /23 registered to you (with proper rDNS delegation, WHOIS, etc.).  But you simply don’t 
announce it ? I’d say I need this /23 day one to even build my network before it’s ready for customers.
  - On the IPv6 front - would a RIR give you your /32 and then also a /48 (for loop/PTP) ?

- Deaggregate and not announce your infra
  - Bad net behavior out of the gate with this method.  The opposite of elegant.
  - Keeping with previously made up / arbitrary prefixes - for your /20 - you’d end up announcing 2 x /23, 1 x /22 and 
1 x /21.  I’m too lazy to enumerate the IPv6 gymnastics, but with IPv6 you could “waste” a bit more to get to 
boundaries that are a bit easier to work with I suppose.

Thanks in advance for insights on this.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."