Request comment: list of IPs to block outbound

Grant Taylor gtaylor at tnetconsulting.net
Wed Oct 23 15:18:28 UTC 2019


On 10/22/19 11:38 PM, Stephen Satchell wrote:
> So, to the reason for the comment request, you are telling me not 
> to blackhole 100.64/10 in the edge router downstream from an ISP as 
> a general rule, and to accept source addresses from this netblock. 
> Do I understand you correctly?

It depends.

I think that 100.64/10 is /only/ locally significant and would /only/ be 
used within your ISP /if/ they use 100.64/10.  If they don't use it, 
then you are probably perfectly safe considering 100.64/10 as a Bogon 
and treating it accordingly.

Even in ISPs that use 100.64/10, I'd expect minimal traffic to / from 
it.  Obviously you'll need to talk to a gateway in the 100.64/10 space. 
You /may/ need to talk to DNS servers and the likes therein.  I've not 
heard of ISPs making any other service available via CGN Bypass.

That being said, I have heard of CDNs working with ISPs to make CDN 
services available via CGN bypass.  My limited experience with that 
still uses globally routed IPs on the CDN equipment with custom routing 
in the ISPs.  So you still aren't communicating with 100.64/10 IPs 
directly.  But my ignorance of CDNs using 100.64/10 doesn't preclude 
such from being done.

The simple rules that I've used are:

1)  Don't use 100.64/10 in your own network.  Or if you do, accept the 
consequences /if/ it becomes a problem.
2)  Don't filter 100.64/10 /if/ your external IP from your ISP is a 
100.64/10 IP.
3)  Otherwise, treat 100.64/10 like a bogon.

> FWIW, I think I've received this recommendation before.  The current 
> version of my NetworkManager dispatcher-d-bcp38.sh script has the 
> creation of the blackhole route already disabled; i.e., the netblock is 
> not quarantined.

I suspect things like NetworkManager are somewhat at a disadvantage in 
that they are inherently machine local and don't have visibility beyond 
the directly attached network segments.  As such, they can't /safely/ 
filter something that may be on the other side of a router.  Thus they 
play it safe and don't do so.



-- 
Grant. . . .
unix || die

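The three rules above, as a worked example.  This is an added script, not the dispatcher-d-bcp38.sh script Stephen mentions and not anything Grant posted; it shows how a NetworkManager dispatcher script can decide rule 2 versus rule 3 from the host's own WAN address (rule 1 is an addressing-plan choice and is not something a script can enforce).  Assumed names, none of them from the thread: WAN_IFACE for the upstream interface (defaulting to eth0) and DRY_RUN=1 to print the ip(8) commands instead of running them.  IP4_ADDRESS_0 in the form "address/prefix gateway" is what NetworkManager exports to dispatcher scripts per NetworkManager-dispatcher(8); the script would be installed under /etc/NetworkManager/dispatcher.d/.

```shell
#!/bin/sh
# Conditional handling of 100.64.0.0/10 (RFC 6598 shared address space) on a
# host behind an ISP that may or may not run CGN.  Blackhole the prefix unless
# this host's own WAN address is inside it; in that case the ISP is using CGN
# and the prefix must stay reachable (the gateway, and possibly DNS, live there).
#
# Added example; not the dispatcher-d-bcp38.sh script from the thread.
# Assumptions: WAN_IFACE names the upstream interface (default eth0);
# DRY_RUN=1 prints the ip(8) commands instead of executing them.
# IP4_ADDRESS_0="address/prefix gateway" is set by NetworkManager for
# dispatcher scripts (NetworkManager-dispatcher(8)).

CGN_PREFIX=100.64.0.0/10

# in_cgn_space IP: exit 0 if IP lies in 100.64.0.0/10, 1 if not, 2 if malformed.
# A /10 covers 100.64.0.0 through 100.127.255.255: first octet 100, and the
# second octet's top two bits equal to 01, i.e. 64..127.
in_cgn_space() {
    ip=$1
    case $ip in *.*.*.*) ;; *) return 2 ;; esac
    o1=${ip%%.*}
    rest=${ip#*.}
    o2=${rest%%.*}
    case $o1 in ''|*[!0-9]*) return 2 ;; esac
    case $o2 in ''|*[!0-9]*) return 2 ;; esac
    [ "$o1" -eq 100 ] || return 1
    [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# cgn_policy WAN_IP: prints "permit" when the WAN address is itself in CGN
# space (rule 2), "blackhole" otherwise (rule 3), or "unknown" when the
# address cannot be parsed, in which case nothing is changed.
cgn_policy() {
    rc=0
    in_cgn_space "$1" || rc=$?
    case $rc in
        0) echo permit ;;
        1) echo blackhole ;;
        *) echo unknown ;;
    esac
}

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# apply_policy POLICY: install or remove the local blackhole route.
# A blackhole route drops traffic *to* the prefix; with rp_filter enabled the
# kernel also fails the reverse-path check for packets sourced *from* it,
# which is the BCP38 side of the quarantine.
apply_policy() {
    case $1 in
        blackhole) run ip route replace blackhole "$CGN_PREFIX" ;;
        permit)    run ip route del blackhole "$CGN_PREFIX" 2>/dev/null || true ;;
        *)         : ;;
    esac
}

# dispatch IFACE ACTION: NetworkManager dispatcher entry point.
# Only the upstream interface is considered; other interfaces are ignored.
dispatch() {
    iface=$1
    action=$2
    [ "$iface" = "${WAN_IFACE:-eth0}" ] || return 0
    case $action in
        up|dhcp4-change)
            wan_ip=${IP4_ADDRESS_0%%/*}      # strip "/prefix gateway"
            apply_policy "$(cgn_policy "$wan_ip")"
            ;;
        down)
            apply_policy permit              # link gone: leave no stale blackhole
            ;;
    esac
}

# NetworkManager invokes the script as: <script> <interface> <action>
case ${2:-} in
    up|down|dhcp4-change) dispatch "$1" "$2" ;;
esac
```

A host that receives 100.70.1.2/22 from its ISP gets the blackhole removed (rule 2); a host on 203.0.113.5/24 gets `ip route replace blackhole 100.64.0.0/10` (rule 3).  Note this is the host-local approximation Grant describes: it only knows its own WAN address, so it cannot tell whether 100.64/10 is in use somewhere beyond the next router.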