On 2019-10-22 22:38 -0700, Stephen Satchell wrote:

> So, to the reason for the comment request, you are telling me not to
> blackhole 100.64/10 in the edge router downstream from an ISP as a
> general rule, and to accept source addresses from this netblock. Do I
> understand you correctly?

Depends. If your network is a typical home network, connected via a normal residential ISP, then you should very much expect to need to talk to 100.64/10, and even be assigned addresses from that block. On the other hand, if you have a fixed public address block, be it PI or PA space, reachable from the world, then you shouldn't see any traffic from addresses within the CGNAT block.

So, at home I don't block such addresses. But at work (a department within a university, connected to the Swedish NREN), I do block the CGNAT addresses on our border links.

> FWIW, I think I've received this recommendation before. The current
> version of my NetworkManager dispatcher-d-bcp38.sh script has the
> creation of the blackhole route already disabled; i.e., the netblock is
> not quarantined.

If this is a laptop which you may someday connect to some guest network somewhere in the world, then not blocking 100.64/10 is the right thing to do. Nor should you block RFC 1918 addresses in that situation. (Assuming you actually want to communicate with the rest of the world. :-)

/Bellman
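The decision rule in the reply above, written out as a small ingress-filter policy check. This is an added example, not code from the thread or from the dispatcher script mentioned in it; the profile names ("fixed-public", "residential", "guest"), the helper functions and the sample source addresses are all constructed for illustration. It uses the standard `ipaddress` module to test whether an inbound packet's source falls in the CGNAT block (100.64.0.0/10, RFC 6598) or RFC 1918 space, and only drops such sources on a link whose site has its own fixed public block.

```python
"""Inbound source-address filter policy for the two cases in the thread:

  fixed-public  : the site owns a PI/PA block reachable from the world, so
                  packets claiming CGNAT or RFC 1918 sources should not
                  arrive over the border link and are dropped.
  residential / guest : the upstream itself may hand out 100.64/10 or
                  RFC 1918 addresses, so those sources are legitimate and
                  must be accepted.

Added example; profile names and sample addresses are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# RFC 6598 shared address space used by carrier-grade NAT (100.64.0.0 - 100.127.255.255)
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private address space
RFC1918: List[IPNetwork] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def border_drop_prefixes(profile: str) -> List[IPNetwork]:
    """Return the source prefixes to drop on inbound traffic for a link profile."""
    if profile == "fixed-public":
        # Nothing legitimate should reach a publicly routed site from these sources.
        return [CGNAT, *RFC1918]
    if profile in ("residential", "guest"):
        # A home or guest link may be behind CGNAT or private addressing itself.
        return []
    raise ValueError(f"unknown link profile {profile!r}")


def matched_drop_prefix(src: str, drops: Iterable[IPNetwork]) -> Optional[IPNetwork]:
    """Return the drop prefix containing `src`, or None if the source is accepted.

    Mixed IPv4/IPv6 comparisons simply do not match, so IPv6 sources pass
    through this IPv4-only policy untouched.
    """
    addr = ipaddress.ip_address(src)
    for net in drops:
        if addr in net:
            return net
    return None


def classify_sources(srcs: Iterable[str], profile: str) -> Dict[str, str]:
    """Map each sample source address to 'drop' or 'accept' under `profile`."""
    drops = border_drop_prefixes(profile)
    return {
        src: ("drop" if matched_drop_prefix(src, drops) is not None else "accept")
        for src in srcs
    }


if __name__ == "__main__":
    # Constructed sample sources: CGNAT, RFC 1918, a public-looking
    # documentation address (RFC 5737), and an address just past the CGNAT block.
    samples = ["100.127.255.1", "192.168.1.5", "198.51.100.7", "100.128.0.1"]
    for profile in ("fixed-public", "residential"):
        print(profile, classify_sources(samples, profile))
```

Run as a script it prints the verdict for each sample under both profiles; the same `classify_sources` call can be pointed at sources pulled from a flow log to confirm that a border filter on a fixed-public site never drops anything it should not.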