nanog mailing list archives

Best practice for ptp/loopback numbering for "small" enterprise multihome setup


From: vom513 <vom513 () gmail com>
Date: Fri, 26 Mar 2021 13:01:22 -0400

Hello,

tl;dr - If I only have a /24 PI - is there any way to use this and not “chop it up / deagg” to use for ptp/loopbacks ?

Hopefully I can explain this in a manner that makes sense.

Say I have a vanilla dual router/dual upstream setup (think enterprise internet edge).

It’s basically an “H” shape:

- Two ISPs
- Two routers (“crosslink” is the middle of the H - iBGP)
- Each router has at least a link downstream into my public “outside” segment.  I run an FHRP here.  This is where my 
DMZ firewalls, VPN endpoints etc. have their outside interfaces.

Let’s also say I only have a /24 of PI.

I need to number the crosslink and the loopbacks.  The upstreams will use their own /30 / /31 let’s say for the top of 
the H.  My downstream interfaces will have my /24 (or parts of it) on the bottom of the H.

My understanding and instinct is that at least the crosslink should be numbered with public addresses.  One scenario 
where this might matter is if router2 loses his inside interface (ex: switch failure) - he still needs to be able to 
deliver traffic via crosslink via router1 and onward downstream.  When this traffic traverses here, if there is any 
kind of error (i.e. router is sourcing an ICMP packet of some kind) - this will be sourced from router1’s crosslink yes 
(assuming router1 is generating the error of course) ?

Loopbacks may be negotiable, as only router1/2 are using these to pin up iBGP.  Nevertheless, my instinct would be to 
also use public addresses here.

As I said in the tl;dr - my main point of contention here is breaking up my /24, i.e. use the very top /30s / /31s for 
ptp/loop.  I would then have at most the bottom /25 to use contig. on my “lan” - and I would need to use the next /26, 
/27 and so on in some manner for the space to be usable...

Here are some other options, and my understanding of the pros/cons:

- Use RFC1918
        Makes my eye twitch out of the gate.  Not to mention packets sourced from here *should* get blocked by my 
upstreams by way of uRPF.  Likely to be filtered at other points and directions as well…

- Get a /29 from one of the ISPs for ptp/loops
        Better than RFC1918.  Kind of weird.  If this is from isp1 - should have no issues sourcing toward them.  Might 
have issues (uRPF) toward isp2.  Announce this via BGP / no-export to both ISPs ?  Now it’s getting even weirder…

- Use my own PI space
        Should have no filtering issues at all.  Now I have to deagg my /24 and use the pieces (largest /25).

Am I making too big of a deal of this ?  If you’ve read this far - I do appreciate it.  Anxious to hear feedback on 
this.

PS: I would likely ACL on my upstream interfaces to block direct packets to my routers themselves as well.
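As an added worked example (not part of the original post and not from any NANOG participant), the Python below carves the crosslink /31 and two loopback /32s out of the top of a /24 and lists the contiguous prefixes that remain for the outside segment, then applies a simplified strict-uRPF view of an upstream to a crosslink address and an RFC1918 address. 203.0.113.0/24 (RFC 5737 documentation space) stands in for the poster's real /24; the link and loopback counts are assumptions.

```python
import ipaddress

PI_BLOCK = ipaddress.ip_network("203.0.113.0/24")  # constructed stand-in for the real /24


def carve_infrastructure(block, ptp_links=1, loopbacks=2):
    """Return (loopback /32s, ptp /31s, remaining contiguous prefixes).

    Loopbacks come from the very top of the block and the /31s sit directly
    below them, so the low end of the block stays as large a contiguous
    piece as possible for the "outside" segment.
    """
    top = int(block.broadcast_address)
    loop_nets = [ipaddress.ip_network(top - i) for i in range(loopbacks)]
    # /31s must start on an even address; rounding down may leave one spare
    # address between the last /31 and the lowest loopback.
    first_ptp = (top - loopbacks - 2 * ptp_links + 1) & ~1
    if first_ptp < int(block.network_address):
        raise ValueError("block too small for the requested infrastructure addresses")
    ptp_nets = [ipaddress.ip_network(f"{ipaddress.ip_address(first_ptp + 2 * i)}/31")
                for i in range(ptp_links)]
    # Everything below the infrastructure addresses, expressed as CIDR blocks:
    # this is the "/25, then /26, then /27 ..." effect the post describes.
    remaining = list(ipaddress.summarize_address_range(
        block.network_address, ipaddress.ip_address(first_ptp - 1)))
    return loop_nets, ptp_nets, remaining


def source_passes_strict_urpf(src, announced):
    """Simplified strict-uRPF check as an upstream would apply it: the packet
    source must fall inside a prefix the customer announces over that link.
    A crosslink or loopback numbered out of the announced /24 passes; an
    RFC1918 source does not."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in announced)


if __name__ == "__main__":
    loops, ptps, rest = carve_infrastructure(PI_BLOCK)
    print("loopbacks:", [str(n) for n in loops])
    print("crosslink /31:", [str(n) for n in ptps])
    print("left for outside segment:", [str(n) for n in rest])
    for src in (ptps[0][0], "10.0.0.1"):  # crosslink address vs. an RFC1918 address
        print(src, "passes strict uRPF:", source_passes_strict_urpf(src, [PI_BLOCK]))
```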