Re: RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

[William Herrin <bill () herrin us>]

On Tue, Mar 7, 2023 at 2:09 PM Lukas Tribus <lukas () ltri eu> wrote:
> At the same time folks like team-cymru are picking up this prefix for
> their bogon lists with the following description [2]:
>
> > A packet routed over the public Internet (not including
> > over VPNs or other tunnels) should never have an address
> > in a bogon range.
>
> It would be quite a bad idea to drop 100.64/10 on a firewall or
> servers, when legitimate traffic can very well hit your infrastructure
> with those source IPs.
>
> Thoughts?

Hi Lukas,

If you're using the team cymru bogon list at your customer border,
you're doing it wrong. You should be using BCP38 there, which calls
for filtering source addresses not assigned to your customer.

At the Internet and peering borders, there is no legitimate traffic
which still has 100.64/10 as a source IP address.

There may be accidental traffic which has 100.64/10 (or 10/8 or
192.168/16) as a source address but it's not "legitimate." Of
particular concern, there may be ICMP type 3 (destination unreachable)
packets with these source addresses. It continues to irritate me that
vendors haven't addressed this discrepancy with tech that statelessly
translates these escapees to a public address that's legitimate for
your organization.

Regards,
Bill Herrin

-- 
For hire. https://bill.herrin.us/resume/