RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

• Previous message (by thread): RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)
• Next message (by thread): RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>On 3/8/23 5:35 AM, Lukas Tribus wrote:
>> Perhaps I should have started this topic with a very specific example:
>> 
>> - ISP A has a residential customer "Bob" in RFC6598 space
>> - ISP A CGNATs Bob if the destination is beyond it's own IP space
>> - ISP A doesn't CGNAT if the destination is within its IP space (as
>> explained in the OP, this means reducing state and logging)
>> - ISP A has a cloud customer "Alice" running mail/webservers, which is
>> of course using public IP address space
>> - when Bob access Alice's mail/webserver, the source IP will show
>> RFC6598 addressing
>> - if Alice filters RFC6598, Bob can't connect
>> - Alice should not drop RFC6598, it should threat RFC6598 just like
>> every other public IP subnet
>
>I argue that Alice should expect to not receive any traffic from 
>non-globally routed IPs UNLESS her cloud provider has informed her that 
>she should expect them.
>
I>'d say that they shouldn't send them to her without her acknowledgement 
>~> consent to receive them.

Exactly

We use CGNAT in our network unfortunately. We skip CGNAT for internal resources only, to reduce logging,  load, etc. but all outbound and/or customer to customer traffic goes through the CGNAT. Only public IP addresses are allowed to communicate between customers.

Travis

• Previous message (by thread): RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)
• Next message (by thread): RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]