Hello,
so 100.64/10 is used in CGNAT deployments requiring service providers
(that is AS operators) to drop 100.64/10 on the border to other AS in
BGP and in the dataplane, as per RFC6598 section #6 Security
Considerations [1].
Within an AS though traffic from 100.64/10 can very well bypass CGNAT
for AS local traffic to reduce state/logging. This appears to be quite
common and it makes a lot of sense to me.
At the same time folks like team-cymru are picking up this prefix for
their bogon lists with the following description [2]:
> A packet routed over the public Internet (not including
> over VPNs or other tunnels) should never have an address
> in a bogon range.
It would be quite a bad idea to drop 100.64/10 on a firewall or
servers, when legitimate traffic can very well hit your infrastructure
with those source IPs.
Thoughts?
Lukas
[1] https://www.rfc-editor.org/rfc/rfc6598#section-6
[2] https://www.team-cymru.com/bogon-networks
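As an added illustration of the distinction the post draws (not code from the post or its author), the following Python snippet contrasts a blanket bogon rule that drops 100.64/10 on every interface with a rule scoped to the AS border as RFC 6598 section 6 describes, and lists the intra-AS flows the blanket rule would drop as collateral damage. The `Flow` record, the interface names and the addresses in `SAMPLE_FLOWS` are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# RFC 6598 "Shared Address Space", used between a CGNAT and subscriber CPE.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    ingress: str          # interface the packet arrived on (hypothetical name)
    at_as_border: bool    # True if that interface faces another AS (transit/peer)


def is_shared_address_space(addr: str) -> bool:
    """True if addr falls inside 100.64.0.0/10."""
    return ipaddress.ip_address(addr) in SHARED_ADDRESS_SPACE


def naive_bogon_policy(flow: Flow) -> str:
    """Blanket bogon rule: drop 100.64/10 wherever it shows up."""
    return "drop" if is_shared_address_space(flow.src) else "accept"


def rfc6598_policy(flow: Flow) -> str:
    """Scoped rule: drop 100.64/10 only on interfaces facing other ASes;
    accept it on intra-AS interfaces, where CGNAT-bypass traffic is expected."""
    if is_shared_address_space(flow.src) and flow.at_as_border:
        return "drop"
    return "accept"


def find_collateral_drops(flows):
    """Flows the blanket rule drops but the border-scoped rule accepts,
    i.e. legitimate intra-AS traffic that a host/firewall bogon list would lose."""
    return [f for f in flows
            if naive_bogon_policy(f) == "drop" and rfc6598_policy(f) == "accept"]


# Constructed sample flows; addresses are documentation/shared-space ranges only.
SAMPLE_FLOWS = [
    Flow("100.64.12.7", "203.0.113.10", "ge-0/0/1 (subscriber agg)", at_as_border=False),
    Flow("100.64.12.7", "203.0.113.10", "xe-1/0/0 (transit)", at_as_border=True),
    Flow("198.51.100.5", "203.0.113.10", "xe-1/0/0 (transit)", at_as_border=True),
    Flow("100.127.255.1", "203.0.113.20", "ge-0/0/2 (internal)", at_as_border=False),
]

if __name__ == "__main__":
    for f in find_collateral_drops(SAMPLE_FLOWS):
        print(f"blanket bogon filter would drop intra-AS flow "
              f"{f.src} -> {f.dst} arriving on {f.ingress}")
```

Run as a script it reports the two internal flows with 100.64/10 sources; the transit-facing flow with the same source is dropped by both policies, which is the behaviour RFC 6598 actually asks for.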