RFC6598 100.64/10: to bogon or not to bogon (team-cymru et al.)

Lukas Tribus lukas at ltri.eu
Tue Mar 7 22:09:09 UTC 2023


Hello,


so 100.64/10 is used in CGNAT deployments requiring service providers
(that is AS operators) to drop 100.64/10 on the border to other AS in
BGP and in the dataplane, as per RFC6598 section #6 Security
Considerations [1].

Within an AS, though, traffic from 100.64/10 can very well bypass CGNAT
for AS-local traffic to reduce state/logging. This appears to be quite
common and it makes a lot of sense to me.

At the same time folks like team-cymru are picking up this prefix for
their bogon lists with the following description [2]:

> A packet routed over the public Internet (not including
> over VPNs or other tunnels) should never have an address
> in a bogon range.

It would be quite a bad idea to drop 100.64/10 on a firewall or
servers, when legitimate traffic can very well hit your infrastructure
with those source IPs.


Thoughts?


Lukas


[1] https://www.rfc-editor.org/rfc/rfc6598#section-6
[2] https://www.team-cymru.com/bogon-networks
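
The border-versus-internal distinction raised in the message above, as an added example that is not part of the original post: it derives two filter sets from one bogon list, the full list for interfaces facing other ASes and a copy with 100.64/10 carved out for firewalls and servers that see AS-local traffic. The role names, function names and the sample list are assumptions made for illustration.

```python
import ipaddress

SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

# Constructed sample: a few entries in the style of an IPv4 bogon list.
SAMPLE_BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
                 "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]

def carve_out(bogons, keep=SHARED):
    """Return the bogon list with `keep` removed, even when the list
    aggregates it into a supernet or splits it into subnets."""
    result = []
    for text in bogons:
        net = ipaddress.ip_network(text)
        if net.subnet_of(keep):
            continue                      # equal to, or inside, the carve-out
        if keep.subnet_of(net):
            # Supernet entry: keep everything except the carve-out.
            result.extend(net.address_exclude(keep))
        else:
            result.append(net)
    return sorted(ipaddress.collapse_addresses(result))

def build_policy(bogons):
    """Hypothetical roles: 'border' = interfaces facing other ASes,
    'internal' = firewalls/servers reached by AS-local traffic."""
    nets = [ipaddress.ip_network(b) for b in bogons]
    full = sorted(ipaddress.collapse_addresses(nets))
    return {"border": full, "internal": carve_out(bogons)}

def verdict(policy, role, src):
    """Return 'drop' if the source address matches the role's filter set."""
    addr = ipaddress.ip_address(src)
    return "drop" if any(addr in net for net in policy[role]) else "accept"

if __name__ == "__main__":
    policy = build_policy(SAMPLE_BOGONS)
    for role in ("border", "internal"):
        for src in ("100.64.1.1", "10.1.2.3", "100.128.0.1"):
            print(f"{role:8} {src:12} {verdict(policy, role, src)}")
```
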

