https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6927
Bug ID: 6927
Summary: IP_PRIVATE should also include shared address space
(used in CGN, RFC 6598)
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P2
Component: Libraries
Assignee: [email protected]
Reporter: [email protected]
Classification: Unclassified
RFC 6598 (= "Shared Address Space Request") assigns a new IPv4 address
range 100.64.0.0/10 for use by CGN (Carrier-Grade NAT, horrors!).
This address range should be treated much like private address
ranges (RFC 1918) in that such addresses are not globally routable
and have no place in public networks. Also the CYMRU lists the
RFC 6598 shared address space along with private address ranges
(Martians, http://www.team-cymru.org/Services/Bogons/ ).
RFC 6598:
1. Introduction
IPv4 address space is nearly exhausted. However, ISPs must continue
to support IPv4 growth until IPv6 is fully deployed. To that end,
many ISPs will deploy a Carrier-Grade NAT (CGN) device, such as that
described in [RFC6264]. Because CGNs are used on networks where
public address space is expected, and currently available private
address space causes operational issues when used in this context,
ISPs require a new IPv4 /10 address block. This address block will
be called the "Shared Address Space" and will be used to number the
interfaces that connect CGN devices to Customer Premises Equipment
(CPE).
Shared Address Space is similar to [RFC1918] private address space in
that it is not globally routable address space and can be used by
multiple pieces of equipment.
[...]
4. Use of Shared CGN Space
Shared Address Space is IPv4 address space designated for Service
Provider use with the purpose of facilitating CGN deployment. Also,
Shared Address Space can be used as additional non-globally routable
space on routing equipment that is able to do address translation
across router interfaces when the addresses are identical on two
different interfaces.
[...]
o routing information about Shared Address Space networks MUST NOT
be propagated across Service Provider boundaries. Service
Providers MUST filter incoming advertisements regarding Shared
Address Space.
o packets with Shared Address Space source or destination addresses
MUST NOT be forwarded across Service Provider boundaries. Service
Providers MUST filter such packets on ingress links.
o Service Providers MUST NOT include Shared Address Space in
external-facing DNS zone files.
o reverse DNS queries for Shared Address Space addresses MUST NOT be
forwarded to the global DNS infrastructure.
o DNS Providers SHOULD filter requests for Shared Address Space
reverse DNS queries on recursive nameservers.
I'm suggesting to include the 100.64.0.0/10 range in the IP_PRIVATE
regular expression (in Mail/SpamAssassin/Constants.pm ) :
--- lib/Mail/SpamAssassin/Constants.pm (revision 1466510)
+++ lib/Mail/SpamAssassin/Constants.pm (working copy)
@@ -85,2 +85,3 @@
# private-use address space 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
+# shared address space 100.64.0.0/10 (RFC 6598 - for use in CGN),
# IPv4-mapped IPv6 addresses.
@@ -93,3 +94,4 @@
172\.(?:1[6-9]|2[0-9]|3[01])| # 172.16.0.0/12 Private Use (5735, 1918)
- 192\.168 # 192.168.0.0/16 Private Use (5735, 1918)
+ 192\.168| # 192.168.0.0/16 Private Use (5735, 1918)
+ 100\.(?:6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7]) # 100.64.0.0/10 CGN (6598)
)\..*
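Review bot: the added 100\. alternative encodes second octets 64 to 127 as four digit-class branches (6[4-9], [7-9][0-9], 1[01][0-9], 12[0-7]), and the patch carries no test for the edges of that range. The branches do line up with 100.64.0.0/10, but a range spelled out this way is easy to break in a later edit. Please add test cases alongside this change: 100.63.255.255 and 100.128.0.0 must not match, 100.64.0.0 and 100.127.255.255 must match.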
@@ -132,3 +134,4 @@
172\.(?:1[6-9]|2[0-9]|3[01])|
- 192\.168
+ 192\.168|
+ 100\.(?:6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])
)\..*
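Review bot: the added 100\.(?:6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7]) line in this hunk is a verbatim second copy of the alternative added in the previous hunk, so the same range is now maintained by hand in two expressions. Two copies can drift apart on the next edit and leave the two patterns disagreeing about which addresses are private. Consider defining the octet alternation once and interpolating it into both expressions, or add a test asserting that both give the same answer for the 100.64.0.0/10 boundaries.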
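A way to check that a hand-written octet alternation covers exactly the address range described in the report, as an added example that is not SpamAssassin code. The alternatives are the ones visible in the patch; the leading `^(?:` and all function names are assumptions, since the start of the expression is not shown on the page.

```python
import ipaddress
import re

# Alternatives copied from the lines visible in the patch. The leading
# anchor and group opener below are assumptions: the start of the real
# expression is not shown on the page.
VISIBLE_ALTERNATIVES = r"""
    172\.(?:1[6-9]|2[0-9]|3[01])|                   # 172.16.0.0/12
    192\.168|                                       # 192.168.0.0/16
    100\.(?:6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])   # 100.64.0.0/10
"""
PATTERN = re.compile(r"^(?:" + VISIBLE_ALTERNATIVES + r")\..*", re.VERBOSE)

# The CIDR blocks those alternatives are meant to describe.
EXPECTED = [ipaddress.ip_network(n)
            for n in ("172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def regex_says_private(addr: str) -> bool:
    """True if the textual pattern classifies addr as non-routable."""
    return PATTERN.match(addr) is not None


def cidr_says_private(addr: str) -> bool:
    """True if addr falls inside one of the expected CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in EXPECTED)


def mismatches() -> list:
    """Compare regex and CIDR verdicts over every first/second octet pair.

    All three prefixes are /16 or shorter, so the first two octets decide
    membership; the lowest and highest host part are tried for each pair.
    """
    bad = []
    for a in range(256):
        for b in range(256):
            for tail in ("0.0", "255.255"):
                addr = f"{a}.{b}.{tail}"
                if regex_says_private(addr) != cidr_says_private(addr):
                    bad.append(addr)
    return bad


if __name__ == "__main__":
    for probe in ("100.63.255.255", "100.64.0.0",
                  "100.127.255.255", "100.128.0.0"):
        print(probe, regex_says_private(probe))
    print("mismatches:", mismatches())
```
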