Re: RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

2023-03-07 Thread Grant Taylor via NANOG
On 3/7/23 4:34 PM, Lukas Tribus wrote: I'm trying to educate people that bogon lists do not belong on hosts, firewalls or intermediate routers, despite Team-cymru's aggressive marketing of the opposite, quote: I don't have any problem with bogon lists being on hosts or intermediate routers.

Re: RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

2023-03-07 Thread Rabbi Rob Thomas
Dear team, I’ve already reached out to Lukas directly, but I’ll kibitz a bit: > They talk about bogon prefixes "for hosts", provide configuration > examples for Cisco ASA firewalls, > > Which are perfectly valid use cases for some networks / situations. Indeed! There was a time early in the

Re: RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

2023-03-07 Thread William Herrin
On Tue, Mar 7, 2023 at 3:34 PM Lukas Tribus wrote:
> > A bogon prefix is a route that should never appear in the Internet
> > routing table. A packet routed over the public Internet (not including
> > over VPNs or other tunnels) *should never have an address in a
> > bogon range.* These are

Re: RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

2023-03-07 Thread Tom Beecher
> > They talk about bogon prefixes "for hosts", provide configuration > examples for Cisco ASA firewalls, > Which are perfectly valid use cases for some networks / situations. On Tue, Mar 7, 2023 at 6:35 PM Lukas Tribus wrote: > On Wed, 8 Mar 2023 at 00:05, William Herrin wrote: > > Hi Lukas,

Re: RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

2023-03-07 Thread Lukas Tribus
On Wed, 8 Mar 2023 at 00:05, William Herrin wrote:
> Hi Lukas,
>
> If you're using the team cymru bogon list at your customer border,
> you're doing it wrong.
I'm not. I'm trying to educate people that bogon lists do not belong on hosts, firewalls or intermediate routers, despite Team-cymru's

Re: RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

2023-03-07 Thread William Herrin
On Tue, Mar 7, 2023 at 2:09 PM Lukas Tribus wrote: > At the same time folks like team-cymru are picking up this prefix for > their bogon lists with the following description [2]: > > > A packet routed over the public Internet (not including > > over VPNs or other tunnels) should never have an

Re: RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

2023-03-07 Thread Tom Beecher
> > It would be quite a bad idea to drop 100.64/10 on a firewall or > servers, when legitimate traffic can very well hit your infrastructure > with those source IPs. > > > Thoughts? > Don't use bogon lists in places you shouldn't use bogon lists. On Tue, Mar 7, 2023 at 5:10 PM Lukas Tribus

RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

2023-03-07 Thread Lukas Tribus
Hello, so 100.64/10 is used in CGNAT deployments requiring service providers (that is AS operators) to drop 100.64/10 on the border to other AS in BGP and in the dataplane, as per RFC6598 section #6 Security Considerations [1]. Within an AS though traffic from 100.64/10 can very well bypass

Re: Request for comments

2023-03-07 Thread Etienne-Victor Depasquale via NANOG
The picture changes significantly when an operator's choice is weighted by his current subscriber base. Evidently, incumbents have lots of copper media, while smaller operators (more agile?) are laying fibre and mostly growing GPON on it. Rebuttals are welcome! Unweighted data