Public addresses on an MPLS Core

Answered Question
Sep 26th, 2006

Hi!!!

I work for a small internet service provider and we are migrating our old core to MPLS over Cisco devices. Up to now, all links and loopbacks in the core have been using public addresses. Now, when thinking about the migration, a doubt arises. Does it make any sense to keep this public addressing when core links will not be reached from outside the core? I'd like to set up a VRF with internet access, distributing default routes from the "public" VLAN to the VPNs, so no access from the core will be needed. Maybe this would be a good solution for enhancing security?

thanks

swaroop.potdar Wed, 09/27/2006 - 01:18

Yes Jorge,

You are right, the core is totally transparent to services like internet over MPLS/VPN, as your core would be like a "BGP-free core".

It's good practice to have your core on private IP addressing, as it conserves address space for you and also helps as one of the security measures.

Even in a non-MPLS scenario you can keep your infra IPs private, as you never advertise them out to the Internet; they are used purely for routing internet subnets internally.

HTH-Cheers,

Swaroop


romccallum Thu, 09/28/2006 - 00:34

Sorry Swaroop, but I don't agree with you there. It is imperative that your core remain on public (unique) IP addressing. Why?

1. Your router-ids shall never clash with any other customer/provider. If they do, then you are well within your rights to get them to change their IP addressing, as it belongs to you.

2. When you go to Inter-AS (and trust me, you will one day) you have not limited your options by using, say, 10.x.x.x when the other provider has stupidly used the same address space. In this instance you can rule out Option C peering between RRs.

HTH

To wrap it up: keep your unique address space.

swaroop.potdar Thu, 09/28/2006 - 01:47

Well Robert, I think we agree to disagree :-)

It's a very debatable topic whether to use private or public IP addresses.

Now, for the reasons you mentioned, the counter-reasoning goes as follows:

1) The router-ID would never clash with a customer in an MPLS VPN environment.

2) Now, going to the Inter-AS analogy mentioned, Option C is the most open mode of Inter-AS, and is only suggested where a single entity is maintaining different AS numbers; that is, only when a single entity has full control over two or more ASes going in for Inter-AS is Option C recommended, as Option C implies an inherent trust model between the involved ASes.

And also, I haven't known of a large-scale SP who has gone for public IP addressing in the core.

Also, when it comes to Inter-AS with another entity, most SPs are providing Inter-AS Option A or B. They are not considering C, as it requires an inherent trust which may not be present when going for this model with another entity.

So to sum it up, private addressing prevails as a rule of thumb.

HTH-Cheers,

Swaroop

romccallum Thu, 09/28/2006 - 03:41

Mate, believe me, the router-ids will clash and have clashed before. Take for example a BGP router-id of 1.1.1.1. Along comes Mr Customer and peers with your PE device. His CE device also has a BGP router-id of 1.1.1.1. They shall NEVER form an adjacency. Who changes? Remember, the customer is ALWAYS right :P

WRT Inter-AS, I completely agree with you for now; however, why rule yourself completely out of one option in three just through the use of public (unique) IP addresses?

swaroop.potdar Thu, 09/28/2006 - 05:25

Well Robert, I agree with you on your point one.

But you may also want to think of it like this:

Assume there is only one /24 private prefix available globally (just an assumption; we actually have the complete RFC 1918 range).

Now, if all of that was used for loopback allocation, the probability of such an event happening is still 1/255.

Now it's your guess, out of the whole RFC 1918 range, what the probability of such an event happening on a given PE would be.

(And for all this we haven't even factored the CE devices, which may be using BGP only, into the probability.)

Still, would it be a problem using the private range?

HTH-Cheers,

Swaroop


jorge_lopez Thu, 09/28/2006 - 06:51

Hi!! Thanks for such an interesting discussion... After reading all the posts...

What about using private addressing on internal links and public just for loopback addressing? We would save many public addresses, still being able to identify every link (for management purposes), and yet every router would be identified by a public address.

swaroop.potdar Thu, 09/28/2006 - 07:46

Well, Robert and I have given some idea about both methods.

Having said that, you can take the best call, as it's your network. For me, I would suggest and see no problem in using the private range.

Still, if you are really concerned about the address range, you can go ahead as you have planned, trying to implement both ways.

HTH-Cheers,

Swaroop

mheusinger Thu, 09/28/2006 - 07:56

Hi,

IMHO all IP addresses visible outside your AS should be public. The rest can be RFC 1918; never ever use "illegal" addresses in case you can avoid it. Getting rid of (illegal/private) IP addresses can be a very painful task.

On the core links in your MPLS environment you can use private addressing when turning off TTL propagation. The drawback is that you cannot easily turn on TTL propagation for troubleshooting inter-AS issues.

My 2 cents.

Regards, Martin

jasvinderC Thu, 09/28/2006 - 10:12

If I tell from my experience: I have worked with 3 big service providers, and I haven't come across anyone deploying public IPs in their network,

except for one medium-scale ISP I know who were offering internet service and IPsec VPNs and whose core was completely public IP; they migrated using the same public IP range to MPLS later. This was in 2002.

Thanks,

JC

siljugpillai Thu, 09/28/2006 - 22:33

In my opinion, loopbacks can be public addresses and link addresses can be private addresses. All your services, including the internet service, will be in the VRF (the uplink to the ISP as well), so that your network is completely hidden from the internet and the customers.

rgds,

Silju

Correct Answer
romccallum Fri, 09/29/2006 - 00:32

That's really interesting Jasvinder and tbh very surprising. I worked for Thus/Demon and, due to the fact that public IP addresses weren't an issue for us, we decided to use them. We also decided to use public IP addressing for every managed CPE device out there. Please remember, when I say public I actually only mean unique, as these addresses are not routable on the internet (blocked at our edge). I would say that the best use of the addressing would be for loopbacks to be unique (public) and serials to be whatever.

swaroop.potdar Fri, 09/29/2006 - 06:24

OK, to summarize and make the component-by-component decision easier:

1) Loopbacks:

a) Use public if you want them to be seen outside your AS, or else you are safe using private. It's a known fact you can't route private IPs outside.

Having said that, you may never require routing MPLS infra routes outside, not even in the case where you extend MPLS to your internet services edge.

b) If you presume and feel that there are likely chances of loopbacks clashing, then you can use public IPs. (You can also consider using an IANA reserved range, just to keep them unique, so you are not bothered even if IANA releases them to be routable.)

2) Infra IPs: There is no debate on this and you can surely use private IPs.

So the net effect is, as you said you are a small ISP, you can easily allocate public IPs for your loopbacks, as that's not a large number anyway. My justification for private IPs is purely to conserve the IP space, but that's not much applicable in your case.

If you are OK with the whole thing you can close the thread. :-)

HTH-Cheers,

Swaroop
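The thread's checks can be turned into a small audit of an addressing plan before migration: Martin's rule that anything visible outside the AS must be public, Robert's PE/CE router-id clash, duplicate loopbacks, and Swaroop's point about core-only links burning unique space. This is an added example, not code from the thread or from Cisco; the plan, device names and the CE router-ids are constructed, and 198.51.100.0/24 (TEST-NET-2) stands in for a provider's public allocation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 space: the "private" side of the thread's public-vs-private debate.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Assignment:
    name: str                 # loopback or link label (constructed)
    address: str              # IPv4 address
    role: str                 # "loopback" (doubles as BGP router-id) or "link"
    visible_outside_as: bool  # must this address be seen beyond our AS (e.g. inter-AS)?

def is_rfc1918(address: str) -> bool:
    ip = ip_address(address)
    return any(ip in net for net in RFC1918)

def audit(plan, ce_router_ids):
    """Return (severity, message) findings; ce_router_ids maps the BGP router-id of
    each customer CE peering with a PE to that CE's name (assumed inventory data)."""
    findings, loopbacks = [], {}
    for a in plan:
        private = is_rfc1918(a.address)
        if a.visible_outside_as and private:          # visible outside the AS => must be public
            findings.append(("error", f"{a.name}: {a.address} is RFC 1918 but visible outside the AS"))
        if a.role == "loopback":
            if a.address in loopbacks:                # two PEs sharing one router-id
                findings.append(("error", f"{a.name}: loopback {a.address} duplicates {loopbacks[a.address]}"))
            loopbacks.setdefault(a.address, a.name)
            if a.address in ce_router_ids:            # PE/CE router-id clash: the BGP session never comes up
                findings.append(("warn", f"{a.name}: router-id {a.address} clashes with CE {ce_router_ids[a.address]}"))
        elif not private and not a.visible_outside_as:  # core-only link using unique space
            findings.append(("info", f"{a.name}: core-only link {a.address} could use RFC 1918 space"))
    return findings

# Constructed sample plan; TEST-NET-2 addresses stand in for a public allocation.
SAMPLE_PLAN = [
    Assignment("PE1-lo0", "10.255.0.1", "loopback", False),
    Assignment("PE2-lo0", "198.51.100.2", "loopback", True),
    Assignment("PE3-lo0", "10.255.0.1", "loopback", False),   # duplicate of PE1
    Assignment("ASBR1-lo0", "10.255.0.4", "loopback", True),  # private yet exposed for inter-AS
    Assignment("P1-P2", "10.0.12.1", "link", False),
    Assignment("P2-P3", "198.51.100.129", "link", False),
]
SAMPLE_CE_ROUTER_IDS = {"1.1.1.1": "CUST-A-CE1", "10.255.0.1": "CUST-B-CE1"}  # constructed

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_PLAN, SAMPLE_CE_ROUTER_IDS):
        print(f"[{severity}] {message}")
```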
