Re: Request comment: list of IPs to block outbound

[William Herrin <bill () herrin us>]

On Sun, Oct 13, 2019 at 8:58 AM Stephen Satchell <list () satchell net> wrote:

> The following list is what I'm thinking of using for blocking traffic
> between an edge router acting as a firewall and an ISP/upstream.  This
> table is limited to address blocks only; TCP/UDP port filtering, and IP
> protocol filtering, is a separate discussion.  This is for an
> implementation of BCP-38 recommendations.

BCP-38 as it applies to outbound traffic is more about blocking SOURCE IP
addresses. You should block everything whose source IP address is not
within your assigned address space.


> 100.64.0.0/10       Private network Shared address space[3] for
>                                     communications between a service
>                                     provider and its subscribers
>                                     when using a carrier-grade NAT.

This space is set aside for your ISP to use. like RFC1918 but for ISPs. It
is not specifically CGNAT. Unless you are an ISP using this space, you
should not block destinations in this space.


> 224.0.0.0/4         Internet        In use for IP multicast.
> 240.0.0.0/4         Internet        Reserved for future use.
> 255.255.255.255/32  Subnet          Reserved for the "limited
>                                     broadcast" destination address.

This can be covered with a single rule: 224.0.0.0/3


> IPv6
> Address block       Usage           Purpose
> ::/0                Routing         Default route.

The current IPv6 Internet is 2000::/3, not ::/0 and that won't change in
the foreseeable future.  You can tighten your filter to allow just that.

Regards,
Bill Herrin

-- 
William Herrin
bill () herrin us
https://bill.herrin.us/