RFC6598 100.64/10: to bogon or not to bogon (team-cymru et al.)

Tom Beecher beecher at beecher.cc
Tue Mar 7 23:02:10 UTC 2023


>
> It would be quite a bad idea to drop 100.64/10 on a firewall or
> servers, when legitimate traffic can very well hit your infrastructure
> with those source IPs.
>
>
> Thoughts?
>

Don't use bogon lists in places you shouldn't use bogon lists.




On Tue, Mar 7, 2023 at 5:10 PM Lukas Tribus <lukas at ltri.eu> wrote:

> Hello,
>
>
> so 100.64/10 is used in CGNAT deployments, requiring service providers
> (that is, AS operators) to drop 100.64/10 on the border to other ASes in
> BGP and in the dataplane, as per RFC6598 section #6 Security
> Considerations [1].
>
> Within an AS, though, traffic from 100.64/10 can very well bypass CGNAT
> for AS-local traffic to reduce state/logging. This appears to be quite
> common and it makes a lot of sense to me.
>
> At the same time folks like team-cymru are picking up this prefix for
> their bogon lists with the following description [2]:
>
> > A packet routed over the public Internet (not including
> > over VPNs or other tunnels) should never have an address
> > in a bogon range.
>
> It would be quite a bad idea to drop 100.64/10 on a firewall or
> servers, when legitimate traffic can very well hit your infrastructure
> with those source IPs.
>
>
> Thoughts?
>
>
> Lukas
>
>
> [1] https://www.rfc-editor.org/rfc/rfc6598#section-6
> [2] https://www.team-cymru.com/bogon-networks
>
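An added example (not part of this thread or any poster's own code) of the placement-dependent filtering the two messages above describe: the same bogon list is applied whole at the AS border, while a host-level filter inside the AS has the operator's AS-local CGNAT pool carved out of it, so a 100.64/10 source that bypassed CGNAT is still accepted there. The BOGON_LIST entries are a constructed excerpt of the well-known reserved ranges rather than a fetched team-cymru list; the AS_LOCAL_LEGIT pool, the placement names and the function names are assumptions for illustration.

```python
"""Apply a bogon list only where it belongs (added example, not from the thread).

RFC 6598 section 6 has the AS drop 100.64/10 at its border; inside the AS the
same prefix can be a legitimate source when AS-local traffic bypasses CGNAT.
"""
import ipaddress

# Constructed excerpt in the style of a public bogon list (assumption: the
# well-known reserved ranges, not a fetched copy of the team-cymru list).
BOGON_LIST = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "100.64.0.0/10",    # RFC 6598 shared address space (CGNAT)
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.0.2.0/24",
    "192.168.0.0/16",
    "198.18.0.0/15",
    "198.51.100.0/24",
    "203.0.113.0/24",
    "224.0.0.0/4",
    "240.0.0.0/4",
]

# Assumption: this operator lets AS-local traffic from its whole CGNAT pool
# bypass CGNAT, so these sources are legitimate on internal hosts.
AS_LOCAL_LEGIT = ["100.64.0.0/10"]


def parse_networks(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def carve_out(drop, keep):
    """Return the networks of `drop` with every address in `keep` removed.

    Two networks either nest or are disjoint, so each `keep` entry is either
    split out of a larger drop entry, swallows a smaller one, or is unrelated.
    """
    result = []
    for net in drop:
        pieces = [net]
        for k in keep:
            remaining = []
            for p in pieces:
                if k.version != p.version or not p.overlaps(k):
                    remaining.append(p)                     # unrelated: keep as is
                elif k.subnet_of(p):
                    remaining.extend(p.address_exclude(k))  # split p around k
                # else p lies entirely inside k: drop p
            pieces = remaining
        result.extend(pieces)
    return sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def build_drop_set(placement, bogons=BOGON_LIST, as_local=AS_LOCAL_LEGIT):
    """'border': the full list, as at the AS edge per RFC 6598 section 6.
    'internal': the list minus prefixes this AS legitimately sources inside."""
    drop = parse_networks(bogons)
    if placement == "border":
        return drop
    if placement == "internal":
        return carve_out(drop, parse_networks(as_local))
    raise ValueError(f"unknown placement: {placement}")


def should_drop(src, drop_set):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in drop_set if net.version == addr.version)


def audit_overlaps(bogons, as_local):
    """Bogon entries that would eat legitimate AS-local sources if applied unchanged."""
    keep = parse_networks(as_local)
    return [str(b) for b in parse_networks(bogons)
            if any(b.version == k.version and b.overlaps(k) for k in keep)]


if __name__ == "__main__":
    print("entries to review before an internal deployment:",
          audit_overlaps(BOGON_LIST, AS_LOCAL_LEGIT))
    for placement in ("border", "internal"):
        drop_set = build_drop_set(placement)
        for src in ("100.64.12.34", "192.0.2.7", "8.8.8.8"):  # constructed sample sources
            verdict = "drop" if should_drop(src, drop_set) else "accept"
            print(f"{placement:8s} {src:14s} {verdict}")
```

Running audit_overlaps against a freshly fetched list before pushing it to anything inside the AS is the check that catches this: the subtraction is exact, so if only part of the /10 is used for CGNAT bypass (say a /16), the rest of the /10 is still dropped on internal hosts.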