Request comment: list of IPs to block outbound

Thomas Bellman bellman at nsc.liu.se
Wed Oct 23 11:20:00 UTC 2019


On 2019-10-22 22:38 -0700, Stephen Satchell wrote:

> So, to the reason for the comment request, you are telling me not to
> blackhole 100.64/10 in the edge router downstream from an ISP as a
> general rule, and to accept source addresses from this netblock.  Do I
> understand you correctly?

Depends.  If your network is a typical home network, connected via a
normal residential ISP, then you should very much expect to need to
talk to 100.64/10, and even be assigned addresses from that block.  On
the other hand, if you have a fixed public address block, be it PI or
PA space, reachable from the world, then you shouldn't see any traffic
from addresses within the CGNAT block.

So, at home I don't block such addresses.  But at work (a department
within a university, connected to the Swedish NREN), I do block the
CGNAT addresses on our border links.

> FWIW, I think I've received this recommendation before.  The current
> version of my NetworkManager dispatcher-d-bcp38.sh script has the
> creation of the blackhole route already disabled; i.e., the netblock is
> not quarantined.

If this is a laptop which you may someday connect to some guest network
somewhere in the world, then not blocking 100.64/10 is the right thing
to do.  Nor should you block RFC 1918 addresses in that situation.
(Assuming you actually want to communicate with the rest of the world. :-)


	/Bellman
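The role-dependent policy described in the reply above (drop CGNAT and RFC 1918 sources only on a border link in front of fixed public space, never on a home network or a roaming laptop), as an added example that is not from the thread; the role names and the sample addresses are assumptions made for illustration.

```python
"""Decide whether a source address should be dropped on a link, depending
on where the filter sits (example code, not from the NANOG thread)."""
import ipaddress

# The two ranges discussed: the CGNAT shared block and RFC 1918 space.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical roles: a border link for a fixed public (PI/PA) block,
# a residential uplink behind an ISP that may use CGNAT, or a laptop
# that roams onto guest networks.
BORDER, RESIDENTIAL, LAPTOP = "border", "residential", "laptop"


def private_kind(addr):
    """Return 'cgnat', 'rfc1918', or None for a source address."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return None


def should_drop_source(addr, role):
    """A border link with public space should never see these sources
    arriving from outside, so it drops them. Home networks and laptops
    legitimately talk to (and get addresses from) these ranges, so they
    must not drop them."""
    if private_kind(addr) is None:
        return False
    return role == BORDER


def filter_log(lines, role):
    """Apply the policy to constructed 'src dst' lines seen on the link;
    return the source addresses that would be dropped."""
    return [line.split()[0] for line in lines
            if should_drop_source(line.split()[0], role)]


# Constructed sample traffic arriving on the link.
SAMPLE = [
    "100.72.3.9 203.0.113.10",     # CGNAT source
    "192.168.1.20 203.0.113.10",   # RFC 1918 source
    "198.51.100.7 203.0.113.10",   # ordinary public source
]

if __name__ == "__main__":
    for role in (BORDER, RESIDENTIAL, LAPTOP):
        print(role, filter_log(SAMPLE, role))
```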
