Happy Sunday, NANOG!
We’ve made several updates to our sundry Bogon pages and feeds, with some
variation of the following caveat. We’re always keen to add clarity and
updates, so please feel free to reach out.
https://www.team-cymru.com/bogon-networks
Bogon filtering should be undertaken only
> On 9 Mar 2023, at 08:41, William Herrin wrote:
>
> On Wed, Mar 8, 2023 at 4:35 AM Lukas Tribus wrote:
>> Perhaps I should have started this topic with a very specific example:
>>
>> - ISP A has a residential customer "Bob" in RFC6598 space
>> - ISP A CGNATs Bob if the destination is beyond
On Wed, Mar 8, 2023 at 4:35 AM Lukas Tribus wrote:
> Perhaps I should have started this topic with a very specific example:
>
> - ISP A has a residential customer "Bob" in RFC6598 space
> - ISP A CGNATs Bob if the destination is beyond its own IP space
> - ISP A doesn't CGNAT if the destination i
> On 3/8/23 5:35 AM, Lukas Tribus wrote:
>> Perhaps I should have started this topic with a very specific example:
>>
>> - ISP A has a residential customer "Bob" in RFC6598 space
>> - ISP A CGNATs Bob if the destination is beyond its own IP space
>> - ISP A doesn't CGNAT if the destination is with
On 3/8/23 5:35 AM, Lukas Tribus wrote:
Perhaps I should have started this topic with a very specific example:
- ISP A has a residential customer "Bob" in RFC6598 space
- ISP A CGNATs Bob if the destination is beyond its own IP space
- ISP A doesn't CGNAT if the destination is within its IP spac
On 3/8/23 6:17 AM, Victor Kuarsingh wrote:
This was the intention of the RFC. As this space was intended to be
used with an AS's network to service CGN needs. That CGN boundary
likely ends before a given customer and/or neighboring network, so it
would make sense that downstream and neighbori
>
> That doesn't mean publicly available blocklists need to misrepresent
> their use-case.
>
>
Respectfully, this is exceptionally ignorant.
Team Cymru is not misrepresenting anything. They are very specific and
detailed about which addresses the bogons and fullbogons lists contain.
They also cl
On Wed, Mar 8, 2023 at 7:43 AM Lukas Tribus wrote:
> > The thing that you have to remember to do is to exclude locally
> > significant (100.64/10, RFC 1918, et al.) from those filters /or/
> > account for them in another way.
>
> You know all this if you are the network operator.
>
> If you are t
> The thing that you have to remember to do is to exclude locally
> significant (100.64/10, RFC 1918, et al.) from those filters /or/
> account for them in another way.
You know all this if you are the network operator.
If you are the customer of the ISP, let's say a datacenter/cloud
customer and
> You'll have to connect the dots for me here, I'm not seeing the
> problem. The ISP's local network is not "the public Internet."
It very much is.
An autonomous system can contain both "eyeballs" (possibly RFC6598
addressed) and services in datacenters/clouds, it's not *always* a
different ISP.
>> They talk about bogon prefixes "for hosts", provide configuration
>> examples for Cisco ASA firewalls,
>
> Which are perfectly valid use cases for some networks / situations.
Absolutely, everybody's free to drop whatever they like on their gear,
I'm sure there are networks, gear, applied and do
On 3/7/23 4:34 PM, Lukas Tribus wrote:
I'm trying to educate people that bogon lists do not belong on hosts,
firewalls or intermediate routers, despite Team-cymru's aggressive
marketing of the opposite, quote:
I don't have any problem with bogon lists being on hosts or intermediate
routers.
Dear team,
I’ve already reached out to Lukas directly, but I’ll kibitz a bit:
> They talk about bogon prefixes "for hosts", provide configuration
> examples for Cisco ASA firewalls,
>
> Which are perfectly valid use cases for some networks / situations.
Indeed! There was a time early in the li
On Tue, Mar 7, 2023 at 3:34 PM Lukas Tribus wrote:
> > A bogon prefix is a route that should never appear in the Internet
> > routing table. A packet routed over the public Internet (not including
> > over VPNs or other tunnels) *should never have an address in a
> > bogon range.* These are common
>
> They talk about bogon prefixes "for hosts", provide configuration
> examples for Cisco ASA firewalls,
>
Which are perfectly valid use cases for some networks / situations.
On Tue, Mar 7, 2023 at 6:35 PM Lukas Tribus wrote:
> On Wed, 8 Mar 2023 at 00:05, William Herrin wrote:
> > Hi Lukas,
On Wed, 8 Mar 2023 at 00:05, William Herrin wrote:
> Hi Lukas,
>
> If you're using the team cymru bogon list at your customer border,
> you're doing it wrong.
I'm not.
I'm trying to educate people that bogon lists do not belong on hosts,
firewalls or intermediate routers, despite Team-cymru's ag
On Tue, Mar 7, 2023 at 2:09 PM Lukas Tribus wrote:
> At the same time folks like team-cymru are picking up this prefix for
> their bogon lists with the following description [2]:
>
> > A packet routed over the public Internet (not including
> > over VPNs or other tunnels) should never have an addr
>
> It would be quite a bad idea to drop 100.64/10 on a firewall or
> servers, when legitimate traffic can very well hit your infrastructure
> with those source IPs.
>
>
> Thoughts?
>
Don't use bogon lists in places you shouldn't use bogon lists.
On Tue, Mar 7, 2023 at 5:10 PM Lukas Tribus wr