RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

Victor Kuarsingh victor at jvknet.com
Wed Mar 8 13:17:23 UTC 2023


On Wed, Mar 8, 2023 at 7:43 AM Lukas Tribus <lukas at ltri.eu> wrote:

> > The thing that you have to remember to do is to exclude locally
> > significant (100.64/10, RFC 1918, et al.) from those filters /or/
> > account for them in another way.
>
> You know all this if you are the network operator.
>
> If you are the customer of the ISP, let's say a datacenter/cloud
> customer and you are deploying Web or Mailservices, you have no idea
> whether this ISP will route RFC6598 traffic to you or not and you
> certainly will not get informed by the ISP if that ever changes. You
> only know about this once you are dropping production traffic from
> clients in 100.64/10 and a trouble ticket has found its way to you
> ("residential customers of the same ISP can't reach your cloud
> services").
>
> That is why RFC6598 is suggesting to drop this traffic on autonomous
> system borders. The RFC is not suggesting to drop this traffic
> elsewhere.
>

This was the intention of the RFC.  As this space was intended to be used
within an AS's network to service CGN needs.  That CGN boundary likely ends
before a given customer and/or neighboring network, so it would make sense
that downstream and neighboring networks would filter at their borders.
All that said, if for some reason, a downstream network has 100.64/10
assigned to direct links on an interconnection, that may be a problem.
That type of deployment model was not within the intention of RFC6598
(using the block for non-CGN use cases).

Trying to block RFC6598 at the host level can potentially be problematic as
the network that host is connected to may be using RFC6598 space.


>
>
> > Bogons is just a list of IPs that shouldn't be on the open Internet.
>
> Which, for RFC6598 is misleading because RFC6598 space is used within
> (but not beyond) ISP networks. "The internet" includes ISP networks.
>

It is true an ISP's network would be part of the Internet, but the part
which is servicing CGN zones would not be part of the generally reachable
part of the Internet (inbound, all ports, all protocols).   The CGN zone within
the ISP network is as much part of the Internet as a home network would be
(non-routable addresses used to service an upstream NAT).

Victor Kuarsingh



>
>
> > The Team Cymru bogon's list is a tool and like all tools, it can be
> > mis-used and become a foot gun.
>
> Which is why proper description, documentation and education is important.
>
>
>
> Thanks,
> Lukas
>
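Added illustration (my own example, not code from the thread, from NANOG or from Team Cymru): a small Python model of a bogon filter whose drop list depends on where the filter is placed. At an autonomous system border the full reserved-range list is dropped, as RFC 6598 suggests for 100.64/10; on a host or link inside a network, the prefixes that network legitimately uses (the "locally significant" space mentioned above) are subtracted first. The prefix list, placement names and sample addresses are constructed for the example; it is not the Team Cymru list. Running the same full list on a cloud tenant's host shows exactly the failure described in the thread: traffic from CGN clients in 100.64/10 is dropped before it reaches the service.

```python
import ipaddress

# Constructed list of well-known reserved IPv4 ranges (not the Team Cymru
# bogon feed). 100.64.0.0/10 is the RFC 6598 shared address space.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def _subtract(net, local):
    """Remove `local` from `net`, returning the sub-prefixes that remain."""
    if not net.overlaps(local):
        return [net]
    if local == net or local.supernet_of(net):
        return []                      # the whole bogon is in local use
    return list(net.address_exclude(local))


def drop_list(placement, locally_significant=()):
    """Prefixes a filter should drop for a given placement (hypothetical API).

    "as_border": the filter sits on an autonomous system boundary, where
                 RFC 6598 expects 100.64/10 to be dropped; drop everything.
    "inside":    the filter sits on a host or link inside a network (e.g. a
                 server in an ISP that runs CGN); subtract whatever the
                 surrounding network uses, otherwise real clients are lost.
    """
    if placement == "as_border":
        return list(BOGON_PREFIXES)
    if placement != "inside":
        raise ValueError(f"unknown placement {placement!r}")
    remaining = list(BOGON_PREFIXES)
    for local in (ipaddress.ip_network(p) for p in locally_significant):
        remaining = [r for net in remaining for r in _subtract(net, local)]
    return remaining


def verdict(src, drops):
    """Return "accept" or "drop (<prefix>)" for a source address."""
    addr = ipaddress.ip_address(src)
    for net in drops:
        if addr in net:
            return f"drop ({net})"
    return "accept"


def main():
    # Constructed sample sources: a CGN client, an RFC 1918 host, a public host.
    samples = ["100.64.1.2", "192.168.1.1", "5.6.7.8"]
    border = drop_list("as_border")
    # A host inside an ISP whose CGN zone uses all of 100.64/10.
    inside = drop_list("inside", ["100.64.0.0/10"])
    for src in samples:
        print(f"{src:>12}  border: {verdict(src, border):<22} "
              f"inside: {verdict(src, inside)}")


if __name__ == "__main__":
    main()
```

The subtraction is prefix-precise: if only part of 100.64/10 is in use locally (say 100.64.0.0/16), the rest of the /10 still ends up in the drop list, which is usually what an operator wants for a filter applied inside the CGN zone.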