Request comment: list of IPs to block outbound
On 2019-10-22 22:38 -0700, Stephen Satchell wrote:
> So, to the reason for the comment request, you are telling me not to
> blackhole 100.64/10 in the edge router downstream from an ISP as a
> general rule, and to accept source addresses from this netblock. Do I
> understand you correctly?
Depends. If your network is a typical home network, connected via a
normal residential ISP, then you should very much expect to need to
talk to 100.64/10, and even be assigned addresses from that block. On
the other hand, if you have a fixed public address block, be it PI or
PA space, reachable from the world, then you shouldn't see any traffic
from addresses within the CGNAT block.
So, at home I don't block such addresses. But at work (a department
within a university, connected to the Swedish NREN), I do block the
CGNAT addresses on our border links.
> FWIW, I think I've received this recommendation before. The current
> version of my NetworkManager dispatcher-d-bcp38.sh script has the
> creation of the blackhole route already disabled; i.e., the netblock is
> not quarantined.
If this is a laptop which you may someday connect to some guest network
somewhere in the world, then not blocking 100.64/10 is the right thing
to do. Nor should you block RFC 1918 addresses in that situation.
(Assuming you actually want to communicate with the rest of the world. :-)
/Bellman
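The two filtering policies Bellman describes (drop CGNAT and RFC 1918 sources on a border fronting a fixed public block; drop nothing on a home network or travelling laptop) can be checked against sample source addresses. This is an added example, not code from the thread or from the dispatcher script mentioned; the role names `border` and `home` and the sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space (CGNAT) and the three RFC 1918 private blocks.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def blackholed_prefixes(role):
    """Prefixes whose source addresses should be dropped for a given role.

    'border': a router in front of a fixed public (PI/PA) block; packets
              sourced from CGNAT or RFC 1918 space should never arrive here.
    'home':   a home network or laptop behind a residential or guest ISP;
              the host may itself be numbered from 100.64/10 or RFC 1918
              and has to talk to those ranges, so nothing is blackholed.
    """
    if role == "border":
        return [CGNAT] + RFC1918
    if role == "home":
        return []
    raise ValueError(f"unknown role: {role}")


def should_drop(src, role):
    """True if a packet with source address `src` is dropped under `role`."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in blackholed_prefixes(role))


def filter_sources(sources, role):
    """Split a list of source addresses into (accepted, dropped)."""
    accepted, dropped = [], []
    for src in sources:
        (dropped if should_drop(src, role) else accepted).append(src)
    return accepted, dropped


# Constructed samples: one CGNAT address, one RFC 1918 address, two public
# (documentation-range) addresses.
SAMPLE = ["100.72.3.9", "192.168.1.20", "198.51.100.7", "203.0.113.44"]

if __name__ == "__main__":
    for role in ("border", "home"):
        accepted, dropped = filter_sources(SAMPLE, role)
        print(f"{role}: accept {accepted}, drop {dropped}")
```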