
Re: no-route



Han Boetes <han_(_at_)_mijncomputer_(_dot_)_nl> writes:

> I've heard from other gurus that blocking reserved networks is bad
> advice but without a particular reason mentioned. And I have taken it
> for granted. But I would appreciate it if someone could formulate a
> conclusive reason why it is bad advice so the counter arguments can go
> circulating around the net.

I'm hardly a guru, but one reason is the maintenance hell.

The list of reserved networks is dynamic.  Most of the networks on the
list are unallocated, which simply means that some time in the future,
they'll be allocated somewhere, and your list will block legitimate
traffic.

If you're absolutely certain to have a system in place to update the
list when new netblocks are allocated to RIRs, by all means go ahead.
If you're not, don't block unallocated space.

ObWarStory: When we got our /20 allocation, a then-current unofficial
firewalling HOWTO for OpenBSD blocked our net -- and the rest of 80/8
-- in its example config.  I was not amused.

Blocking the addresses that *never* should show up on the public
Internet, such as RFC1918 space, is of course another matter
entirely.  By all means block these in both directions on your border
router(s).

-- 

Arvid
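
The maintenance problem described in the message above, as an added example that is not part of the original post: a small Python audit that sorts a firewall blocklist into entries lying wholly inside RFC1918 space and entries whose validity depends on allocation status and so need ongoing upkeep. The function name `audit_blocklist` and the sample list are constructed for illustration; only RFC1918 is treated as permanent here.

```python
import ipaddress

# RFC 1918 private ranges: never valid on the public Internet.
# Assumption: only these count as "permanent"; extend the tuple if your
# policy also covers other special-use ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_blocklist(entries):
    """Classify blocklist entries (hypothetical helper, not from the post).

    permanent    - wholly inside RFC 1918, safe to block indefinitely
    needs_upkeep - anything else; blocking it is only correct while the
                   space stays unallocated, so the list must be maintained
    invalid      - not parseable as a network
    """
    report = {"permanent": [], "needs_upkeep": [], "invalid": []}
    for raw in entries:
        text = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not text:
            continue
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            report["invalid"].append(text)
            continue
        # subnet_of() is False for a block that merely overlaps RFC 1918,
        # e.g. 172.0.0.0/8, which also covers public address space.
        if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
            report["permanent"].append(str(net))
        else:
            report["needs_upkeep"].append(str(net))
    return report


# Constructed sample blocklist; 80.0.0.0/8 is the block from the war story.
SAMPLE = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "80.0.0.0/8     # listed as unallocated when the example config was written",
    "172.0.0.0/8    # too broad: covers 172.16/12 plus public space",
    "10.20.0.0/16",
    "300.1.2.0/24",
]

if __name__ == "__main__":
    for bucket, nets in audit_blocklist(SAMPLE).items():
        print(f"{bucket}: {', '.join(nets) or '-'}")
```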