On 2019-10-22 22:38 -0700, Stephen Satchell wrote:

> So, to the reason for the comment request, you are telling me not to
> blackhole 100.64/10 in the edge router downstream from an ISP as a
> general rule, and to accept source addresses from this netblock.  Do I
> understand you correctly?

Depends.  If your network is a typical home network, connected via a
normal residential ISP, then you should very much expect to need to
talk to 100.64/10, and even be assigned addresses from that block.  On
the other hand, if you have a fixed public address block, be it PI or
PA space, reachable from the world, then you shouldn't see any traffic
from addresses within the CGNAT block.

So, at home I don't block such addresses.  But at work (a department
within a university, connected to the Swedish NREN), I do block the
CGNAT addresses on our border links.

> FWIW, I think I've received this recommendation before.  The current
> version of my NetworkManager dispatcher-d-bcp38.sh script has the
> creation of the blackhole route already disabled; i.e., the netblock is
> not quarantined.

If this is a laptop which you may someday connect to some guest network
somewhere in the world, then not blocking 100.64/10 is the right thing
to do.  Nor should you block RFC 1918 addresses in that situation.
(Assuming you actually want to communicate with the rest of the world. :-)


        /Bellman
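The distinction drawn above (a home or roaming uplink must not blackhole 100.64/10 or RFC 1918, a border link for a fixed public block can), as an added example that is not part of this thread or of the dispatcher script mentioned in it; the interface addresses and the function names are constructed for illustration:

```python
import ipaddress

# Special-use IPv4 source ranges a BCP38-style ingress filter might blackhole.
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

def blackhole_candidates(local_addrs, border_router):
    """Decide which special-use ranges are safe to blackhole on this link.

    local_addrs: addresses the uplink interface currently holds (strings).
    border_router: True when the link carries a fixed public (PI/PA) block
      facing the world; False for a home uplink or a roaming laptop.
    Returns (prefixes_to_blackhole, {prefix_kept: reason}).
    """
    addrs = [ipaddress.ip_address(a) for a in local_addrs]
    chosen, kept = [], {}
    for net in (CGNAT, *RFC1918):
        inside = [str(a) for a in addrs if a in net]
        if not border_router:
            kept[str(net)] = "client/roaming link: peers or our own address may live here"
        elif inside:
            kept[str(net)] = f"our own address {inside[0]} is inside; blocking would cut us off"
        else:
            chosen.append(net)
    return chosen, kept

def blackhole_route_commands(prefixes):
    """Render the ip-route(8) commands a dispatcher script would run."""
    return [f"ip route add blackhole {net}" for net in prefixes]

def is_dropped(src, prefixes):
    """True if a packet with source address `src` falls in a blackholed range."""
    a = ipaddress.ip_address(src)
    return any(a in net for net in prefixes)

if __name__ == "__main__":
    # Constructed sample: a home uplink handed a CGNAT address, and a campus
    # border link holding an address from a fixed public block (documentation range).
    for label, addrs, border in (("home", ["100.72.3.9"], False),
                                 ("border", ["203.0.113.2"], True)):
        chosen, kept = blackhole_candidates(addrs, border)
        print(label, blackhole_route_commands(chosen), kept)
```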
