On 2019-10-22 22:38 -0700, Stephen Satchell wrote:
> So, to the reason for the comment request, you are telling me not to blackhole 100.64/10 in the edge router downstream from an ISP as a general rule, and to accept source addresses from this netblock. Do I understand you correctly?
Depends. If your network is a typical home network, connected via a normal residential ISP, then you should very much expect to need to talk to 100.64/10, and even be assigned addresses from that block. On the other hand, if you have a fixed public address block, be it PI or PA space, reachable from the world, then you shouldn't see any traffic from addresses within the CGNAT block. So, at home I don't block such addresses. But at work (a department within a university, connected to the Swedish NREN), I do block the CGNAT addresses on our border links.
> FWIW, I think I've received this recommendation before. The current version of my NetworkManager dispatcher-d-bcp38.sh script has the creation of the blackhole route already disabled; i.e., the netblock is not quarantined.
If this is a laptop which you may someday connect to some guest network somewhere in the world, then not blocking 100.64/10 is the right thing to do. Nor should you block RFC 1918 addresses in that situation. (Assuming you actually want to communicate with the rest of the world. :-)

/Bellman
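The decision rule Bellman describes (drop CGNAT sources only where the site has a fixed public block, never on a residential line or a roaming laptop) can be checked offline before it goes into a router ACL or a dispatcher script. The following is an added example, not Stephen's dispatcher-d-bcp38.sh script and not anything from the thread; the profile names, the `src=... dst=...` log format, the sample lines, and the choice to keep RFC 1918 blocked on the "home" profile are assumptions of this example.

```python
import ipaddress
from collections import Counter

# Prefixes named in the thread: the CGNAT shared address space (100.64/10)
# and the RFC 1918 private blocks.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def blocked_prefixes(profile):
    """Source prefixes a border filter should drop, following the thread's reasoning.

    fixed_public: a PI/PA block reachable from the world; no legitimate packet
                  arrives on the border link with a CGNAT or RFC 1918 source.
    home:         a residential line where the ISP may hand out 100.64/10, so
                  CGNAT stays open (keeping RFC 1918 blocked here is an
                  assumption of this example, not something the thread states).
    laptop:       may join arbitrary guest networks; block neither.
    """
    if profile == "fixed_public":
        return [CGNAT] + RFC1918
    if profile == "home":
        return RFC1918
    if profile == "laptop":
        return []
    raise ValueError(f"unknown profile: {profile}")


def classify(profile, src):
    """Return ("drop", "<prefix>") if src falls in a blocked prefix, else ("accept", None)."""
    addr = ipaddress.ip_address(src)
    for net in blocked_prefixes(profile):
        if addr in net:  # mixed v4/v6 comparisons simply evaluate to False
            return ("drop", str(net))
    return ("accept", None)


def audit_log(profile, lines):
    """Run the filter over 'src=... dst=...' log lines and tally the decisions.

    Returns a Counter keyed by the tuples classify() produces, so an operator can
    see how many flows a proposed ACL would have dropped, and by which prefix,
    before enabling it.
    """
    counts = Counter()
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        counts[classify(profile, fields["src"])] += 1
    return counts


# Constructed sample flow log (destination is the RFC 5737 documentation range).
SAMPLE_LOG = [
    "2019-10-22T22:38:00 src=100.66.1.2 dst=203.0.113.7",      # CGNAT source
    "2019-10-22T22:38:01 src=100.127.255.1 dst=203.0.113.7",   # top of 100.64/10
    "2019-10-22T22:38:02 src=192.168.1.5 dst=203.0.113.7",     # RFC 1918
    "2019-10-22T22:38:03 src=198.51.100.9 dst=203.0.113.7",    # ordinary public source
    "2019-10-22T22:38:04 src=10.0.0.3 dst=203.0.113.7",        # RFC 1918
]

if __name__ == "__main__":
    for profile in ("fixed_public", "home", "laptop"):
        print(profile, dict(audit_log(profile, SAMPLE_LOG)))
```

Run it against an export of real flow logs from the border link first: a "fixed_public" profile that reports drops from 100.64/10 on a link where CGNAT traffic is expected means the network is not the kind of site the rule is meant for, and the filter should not be installed there.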