It would be quite a bad idea to drop 100.64/10 on a firewall or servers, when legitimate traffic can very well hit your infrastructure with those source IPs.
Thoughts?
Don't use bogon lists in places you shouldn't use bogon lists. On Tue, Mar 7, 2023 at 5:10 PM Lukas Tribus <lukas@ltri.eu> wrote:
Hello,
so 100.64/10 is used in CGNAT deployments requiring service providers (that is AS operators) to drop 100.64/10 on the border to other AS in BGP and in the dataplane, as per RFC6598 section #6 Security Considerations [1].
Within an AS though traffic from 100.64/10 can very well bypass CGNAT for AS local traffic to reduce state/logging. This appears to be quite common and it makes a lot of sense to me.
At the same time folks like team-cymru are picking up this prefix for their bogon lists with the following description [2]:
A packet routed over the public Internet (not including over VPNs or other tunnels) should never have an address in a bogon range.
It would be quite a bad idea to drop 100.64/10 on a firewall or servers, when legitimate traffic can very well hit your infrastructure with those source IPs.
Thoughts?
Lukas
[1] https://www.rfc-editor.org/rfc/rfc6598#section-6 [2] https://www.team-cymru.com/bogon-networks