
Thread: /31 ptp routing

  1. #1 (Join Date: Feb 2003, Posts: 8)

    /31 ptp routing

    Anybody else want /31 routing for point-to-point links? We hate to lose 2 addresses every time we put up another backhaul.

    It seems like adding this feature would be pretty simple, because it should only involve the nobroadcast flag when an interface's netmask is .254 and allowing routes of /31.

    It'd save us a good many IPs.

  2. #2 (Join Date: Oct 2002, Location: USA, Posts: 1,382)

    I use private addresses for all of my glue. The wireless network has no servers, so I could care less if the Internet cannot traceroute to my customers' houses. If you do your reverse DNS work, traceroute works seamlessly for your customers, and that is all that counts. You can put private addresses on the internal servers too, things like RADIUS, accounting, etc.

    You don't /have/ to do NAT just because you use a private address.

    This is a better idea than using non-standard or unnumbered links. I know conserving IPs is important, but over the years I have seen a lot of equipment developed to use IP in non-standard ways to conserve IPs... The problem with this approach is they break in unpredictable ways, and since it is not really IP (if it breaks the rules, it is not IP any more) interoperation with other equipment can be difficult.

    If you are wanting to conserve IPs, use private ones so you use none of your precious routable addresses. Not only does this work without violating any IP rules, it is considered industry best practice, and will score points with ARIN when it comes time for you to get your own IP blocks.

  3. #3 (Join Date: Feb 2003, Posts: 8)

    I've used private IPs on our links, but that doesn't work so well in our network topology.

    Our network is basically a tree structure with nodes branching off toward the communities we support. Our longest leg contains 10 nodes (and spans 75 miles); 5 of them are only ptp repeater links. Since I need to be able to administer them from outside our border routers, I've switched to public IPs.

    /31 subnets are a proposed standard:
    http://www.ietf.org/rfc/rfc3021.txt

    Cisco has supported them for some time now:
    http://www.cisco.com/univercd/cc/td/...2/ft31addr.htm
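A worked example of the /31 arithmetic the RFC describes, added here and not part of any post in the thread: it applies the RFC 3021 rule (both addresses of a /31 are assignable hosts and there is no broadcast address) and sets it beside a /30, which is where the two lost addresses per backhaul come from. The prefixes are constructed from the 192.0.2.0/24 documentation range and the function names are my own.

```python
import ipaddress
from typing import List

# Added example (not from the thread): point-to-point address arithmetic under
# RFC 3021. Prefixes below are constructed from the 192.0.2.0/24 documentation range.


def usable_addresses(prefix: str) -> List[str]:
    """Host addresses assignable on the link described by ``prefix``.

    /31: both addresses (RFC 3021 rule, no network/broadcast address).
    /32: the single address.
    Shorter prefixes: everything except the network and broadcast addresses,
    which is the classic /30 behaviour that wastes two addresses per link.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen == 31:
        return [str(a) for a in net]
    if net.prefixlen == 32:
        return [str(net.network_address)]
    return [str(a) for a in net.hosts()]


def has_broadcast_address(prefix: str) -> bool:
    """True when the subnet reserves a directed-broadcast address.

    This is the property a "nobroadcast" treatment of a .254 netmask has to
    reflect: a /31 has no broadcast address at all.
    """
    return ipaddress.ip_network(prefix, strict=True).prefixlen < 31


def peer_address(prefix: str, local: str) -> str:
    """The other end of a /31: flip the lowest bit of the local address."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen != 31:
        raise ValueError("peer_address is only defined for /31 links")
    addr = ipaddress.ip_address(local)
    if addr not in net:
        raise ValueError(f"{local} is not inside {prefix}")
    return str(ipaddress.ip_address(int(addr) ^ 1))


def links_in_block(block: str, link_prefixlen: int) -> int:
    """How many point-to-point links of the given length fit in ``block``."""
    net = ipaddress.ip_network(block, strict=True)
    if link_prefixlen < net.prefixlen:
        raise ValueError("link prefix must be no shorter than the block")
    return 1 << (link_prefixlen - net.prefixlen)


def addresses_lost(block: str, link_prefixlen: int) -> int:
    """Addresses left unassignable when ``block`` is carved into links."""
    # A /30 burns its network and broadcast address on every link; a /31 burns none.
    lost_per_link = 0 if link_prefixlen >= 31 else 2
    return links_in_block(block, link_prefixlen) * lost_per_link


if __name__ == "__main__":
    for prefix in ("192.0.2.0/30", "192.0.2.0/31"):
        print(prefix, usable_addresses(prefix), "broadcast:", has_broadcast_address(prefix))
    for plen in (30, 31):
        print(f"/24 as /{plen} links:", links_in_block("192.0.2.0/24", plen),
              "addresses lost:", addresses_lost("192.0.2.0/24", plen))
```

Running it shows the saving the original poster is after: a /24 yields 64 links as /30s with 128 addresses lost, or 128 links as /31s with none lost.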

  4. #4 (Join Date: Oct 2002, Location: Nanaimo, BC, Posts: 12,224)

    If it becomes a standard it will likely get support. You can use private IP on the inside and use 1:1 IP Mapping to get to the units from a public space. Also, we typically hit a unit on the edge of public space and then simply SSH to the inside private unit.

  5. #5 (Join Date: Feb 2003, Posts: 8)

    DOH! I don't know why I didn't think of 1:1 mapping from the edge of the network.

    Great solution!

  6. #6 (Join Date: Oct 2002, Location: USA, Posts: 1,382)

    I administer my machines all day long, no matter what IP they have. You should do that work with VPN tunnels, or from internal gateway machines.

    If only 1 StarOS box (or a convenient Unix system of any other brand/flavor) has a public IP, then getting to any private address inside that portion of the network is trivial.

    You don't need to make it easy for a hacker or virus to see your whole network, just so you can log into your routers.

    If you don't like doing two-hop SSH sessions, you can do a port translation, and put all of your routers on a single IP, each at a different port.

    The point is that in using a /31, you have only reduced IP consumption by 50%, where private addresses give you 100%. Any perceived difficulty in maintaining those machines from outside the network is only illusory, it is actually quite easy.

    If your objection is that you want your accounting collectors and SNMP scanners to keep working, I should point out that those are security nightmares, and really really really need to be behind a firewall, and should operate on VPNs. Those services should never be accessible from the Internet.

    If you use Ciscos on T1s, you can put IPsec tunnels between them to selectively route telemetry packets to the routers, keeping those ports safe from the Internet hackers. If you don't have Ciscos, you can use a StarOS PPTP server, or any other VPN appliance. The best cheap-but-capable VPN appliance I have tested is the Draytek Vigor 2200e, which you can pick up for under $99 each. The 2200e supports 8 VPN tunnels in either direction (client or server), and if you put one on each remote segment, you could build a fully routed telemetry network safe from the prying eyes of the Internet. (You might be able to do this with StarOS too, but I have been unable to route networks through the StarOS PPTP client, so I don't know if that is possible or not. I only tried once and quickly gave up, so my failure is not proof of anything.)

    As for standards, the /31 is a better approach than some of the others I have seen... clearly broadcast addresses have no meaning on a point-to-point. The problem is that a lot of TCP/IP's beauty is in the binary math that gives it structure. The /31 creates an exception to the logical structure that will cause new bugs in code that hasn't been touched in 20 years. I'm a BSD guy, and it's mostly because the codebase we use was released in 1983, so most of the bugs are long gone. You young guys can have Windows and Linux all to yourselves, I don't have the energy to deal with the weaknesses of those systems... Perhaps I'm just being a stubborn old fart, but I'd rather not stir the mud up on that code until it's time to do IPv6... and hopefully I'm retired by then...

    I'm not against the /31, just pointing out that there is a solution here today that I think is a better idea anyway, and it saves all the IPs rather than half. Not only that, but you can get creative in how you use the private space.

    For example, you can use the 10.0.0.0 space, and do things like use the second octet to indicate the city, the second octet to indicate the backhaul, and the third octet can support 64 ptp connections. This is just an example; the point is that you can create a numbering system that gives you the ability to know off the top of your head what a given router's IP is because of its relationship in your network org chart.

    Organization can become a work of art using the private IPs.
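To make the numbering idea concrete, here is an added example that is not the poster's own scheme: it assumes (my choice of layout) second octet = city, third octet = backhaul, and the fourth octet carved into 64 /30 links, and it both allocates a link and reads a router's position in the tree back out of its address. All names and sample values are constructed.

```python
import ipaddress
from typing import Tuple

# Added example, not the thread's own plan: one concrete reading of "the address
# tells you where the router sits". Assumed layout: 10.<city>.<backhaul>.<link*4>/30,
# so each (city, backhaul) pair carries 64 point-to-point links.

LINK_PREFIXLEN = 30
ADDRS_PER_LINK = 1 << (32 - LINK_PREFIXLEN)   # 4 addresses per /30
LINKS_PER_BACKHAUL = 256 // ADDRS_PER_LINK    # 64 links per (city, backhaul)
GLUE_SPACE = ipaddress.ip_network("10.0.0.0/8")


def link_prefix(city: int, backhaul: int, link: int) -> str:
    """/30 prefix for the link-th point-to-point hop on a backhaul in a city."""
    for name, value, limit in (("city", city, 256), ("backhaul", backhaul, 256),
                               ("link", link, LINKS_PER_BACKHAUL)):
        if not 0 <= value < limit:
            raise ValueError(f"{name}={value} outside 0..{limit - 1}")
    return f"10.{city}.{backhaul}.{link * ADDRS_PER_LINK}/{LINK_PREFIXLEN}"


def link_ends(city: int, backhaul: int, link: int) -> Tuple[str, str]:
    """The two assignable addresses of that /30: (near end, far end)."""
    near, far = ipaddress.ip_network(link_prefix(city, backhaul, link)).hosts()
    return str(near), str(far)


def locate(address: str) -> Tuple[int, int, int, str]:
    """Read (city, backhaul, link, end) back out of a glue address."""
    addr = ipaddress.ip_address(address)
    if addr not in GLUE_SPACE:
        raise ValueError(f"{address} is not in {GLUE_SPACE}")
    _, city, backhaul, host = addr.packed          # four octets as ints
    link, offset = divmod(host, ADDRS_PER_LINK)
    if offset in (0, ADDRS_PER_LINK - 1):
        raise ValueError(f"{address} is a /30 network or broadcast address, never assigned")
    return city, backhaul, link, "near" if offset == 1 else "far"


def describe(address: str) -> str:
    """Human-readable position of a router, the 'off the top of your head' lookup."""
    city, backhaul, link, end = locate(address)
    return f"city {city}, backhaul {backhaul}, link {link}, {end} end"


if __name__ == "__main__":
    print(link_prefix(5, 2, 10), link_ends(5, 2, 10))
    print(describe("10.5.2.42"))
```

The /30 is used here because that is what the post's "64 ptp connections per octet" figure implies; switching ADDRS_PER_LINK to 2 would give the /31 variant with 128 links per octet.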

  7. #7 (Join Date: Feb 2003, Posts: 8)

    I guess the only real reason I want world-visible IPs is because I like to be able to SSH in to any box directly on port 22. I suppose it's time to look into Poptop.

    Question though, if I have your ear... You ingress/egress filter out private IPs at both CPE and border router, right? Or do you let your customers see your private space?
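As an added illustration of the filtering being asked about (my example, not a configuration from either poster): the verdicts a border router and a customer-facing CPE port would give on constructed packet records, treating the RFC 1918 ranges as the provider's glue space that must never cross the border in either direction and must not be reachable from the customer side. Addresses are drawn from the documentation ranges and 10.0.0.0/8; the rule names are mine.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example (not from the thread): RFC 1918 ingress/egress filtering at the
# border and at the CPE. Sample packet records below are constructed.

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(address: str) -> bool:
    """True when the address falls in any RFC 1918 private range."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in RFC1918)


def border_verdict(direction: str, src: str, dst: str) -> Tuple[str, str]:
    """Border router rule: private space never crosses, in either direction.

    direction is 'in' (arriving from the Internet) or 'out' (leaving to it).
    """
    if direction == "in":
        if is_rfc1918(src):
            return "drop", "spoofed private source arriving from the Internet"
        if is_rfc1918(dst):
            return "drop", "Internet host reaching for the private glue space"
    elif direction == "out":
        if is_rfc1918(src):
            return "drop", "private glue address leaking to the Internet"
        if is_rfc1918(dst):
            return "drop", "private destination is unroutable on the Internet"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return "accept", "public to public"


def cpe_verdict(src: str, dst: str) -> Tuple[str, str]:
    """Customer-facing port: customers neither source from nor reach into the glue."""
    if is_rfc1918(src):
        return "drop", "customer packet claiming a provider private source"
    if is_rfc1918(dst):
        return "drop", "customer packet aimed at provider private space"
    return "accept", "customer traffic"


# Constructed records (direction, src, dst): 203.0.113.9 stands in for an
# Internet host, 198.51.100.7 for a customer's public address, 10.1.2.x for glue.
SAMPLE_BORDER = [
    ("in", "203.0.113.9", "198.51.100.7"),
    ("in", "10.1.2.3", "198.51.100.7"),
    ("in", "203.0.113.9", "10.1.2.1"),
    ("out", "198.51.100.7", "203.0.113.9"),
    ("out", "10.1.2.1", "203.0.113.9"),
]


def summarize(records: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count border verdicts over a batch of records."""
    counts = {"accept": 0, "drop": 0}
    for direction, src, dst in records:
        verdict, _ = border_verdict(direction, src, dst)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for rec in SAMPLE_BORDER:
        print(rec, "->", border_verdict(*rec))
    print(summarize(SAMPLE_BORDER))
```

The border "in" checks are the ones that keep the glue invisible from the Internet, which is the point of post #6; the "out" check on the source catches a misconfigured router leaking its private address in ICMP or management traffic, and the CPE check answers the question of whether customers can see the private space.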
