Don't use bogon lists in places you shouldn't use bogon lists.

On Tue, Mar 7, 2023 at 5:10 PM Lukas Tribus <lu...@ltri.eu> wrote:
> Hello,
>
>
> so 100.64/10 is used in CGNAT deployments requiring service providers
> (that is AS operators) to drop 100.64/10 on the border to other AS in
> BGP and in the dataplane, as per RFC6598 section #6 Security
> Considerations [1].
>
> Within an AS though traffic from 100.64/10 can very well bypass CGNAT
> for AS local traffic to reduce state/logging. This appears to be quite
> common and it makes a lot of sense to me.
>
> At the same time folks like team-cymru are picking up this prefix for
> their bogon lists with the following description [2]:
>
> > A packet routed over the public Internet (not including
> > over VPNs or other tunnels) should never have an address
> > in a bogon range.
>
> It would be quite a bad idea to drop 100.64/10 on a firewall or
> servers, when legitimate traffic can very well hit your infrastructure
> with those source IPs.
>
>
> Thoughts?
>
>
> Lukas
>
>
> [1] https://www.rfc-editor.org/rfc/rfc6598#section-6
> [2] https://www.team-cymru.com/bogon-networks
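The distinction Lukas draws (drop 100.64/10 at the AS border per RFC 6598 section 6, but not on firewalls or servers inside the AS where CGNAT-bypassing subscriber traffic legitimately carries those source addresses) can be made mechanical. The following is an added example written for this thread, not code from either poster or from team-cymru: a small position-aware bogon filter next to the naive "apply the whole list everywhere" version it replaces. The prefix list is a constructed subset standing in for a full bogon feed, the `as_border`/`internal` position names and the sample packets are assumptions for the example, and the ipaddress module does the prefix matching.

```python
"""
Bogon filtering that respects RFC 6598 shared address space (100.64/10).

A full bogon list carries 100.64/10 because such packets should never be
routed over the public Internet, and RFC 6598 section 6 tells AS operators
to drop them on borders to other ASes.  Inside an AS, CGNAT subscribers may
reach AS-local servers directly with a 100.64/10 source, so the same list
must not be applied blindly on internal firewalls and servers.
"""
import ipaddress

# Constructed subset of what a full bogon list carries; not a live feed.
BOGON_PREFIXES = [
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # RFC 6598 shared address space (CGNAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "198.18.0.0/15",    # benchmarking
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
]
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")

# Assumed filter positions for this example.
BORDER = "as_border"   # eBGP edge towards other ASes: full list applies
INTERNAL = "internal"  # firewalls/servers inside the AS, beside or behind CGNAT


def build_drop_list(position):
    """Prefixes to drop at the given filter position.

    At the AS border the whole list applies (RFC 6598 section 6).  Internally,
    100.64/10 is removed because AS-local subscriber traffic legitimately
    carries those source addresses when it bypasses CGNAT.
    """
    nets = [ipaddress.ip_network(p) for p in BOGON_PREFIXES]
    if position == INTERNAL:
        nets = [n for n in nets if n != SHARED_ADDRESS_SPACE]
    elif position != BORDER:
        raise ValueError(f"unknown filter position: {position!r}")
    return nets


def should_drop(src_ip, position):
    """True if a packet with this source address should be dropped here."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in build_drop_list(position))


def naive_should_drop(src_ip):
    """The mistake under discussion: the raw list applied regardless of position."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in BOGON_PREFIXES)


# Constructed sample packets: (source address, where the filter sits, note)
SAMPLE_PACKETS = [
    ("100.70.1.2", INTERNAL, "CGNAT subscriber hitting an AS-local server"),
    ("100.70.1.2", BORDER, "100.64/10 source arriving from another AS"),
    ("10.1.1.1", INTERNAL, "RFC 1918 source, never valid on a server"),
    ("100.128.0.1", INTERNAL, "first address past 100.64/10, ordinary public space"),
]


def audit(packets=SAMPLE_PACKETS):
    """Compare naive and position-aware decisions for each sample packet.

    Returns a list of (src, position, naive_drop, aware_drop) tuples so the
    cases where the naive filter drops legitimate traffic stand out.
    """
    return [(src, pos, naive_should_drop(src), should_drop(src, pos))
            for src, pos, _ in packets]


if __name__ == "__main__":
    for src, pos, naive, aware in audit():
        flag = "  <-- naive filter drops legitimate traffic" if naive and not aware else ""
        print(f"{src:<15} {pos:<9} naive={naive!s:<5} aware={aware!s:<5}{flag}")
```

The only row where the two filters disagree is the subscriber packet arriving at an internal server: the border filter drops it in both versions, the internal filter keeps it only in the position-aware version. Everything else in the list (RFC 1918, loopback, multicast, reserved) is still dropped internally, which is the part of a bogon list that does belong on a server.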