Time to Remove Filters for Previously Unallocated IPv4 /8s
Internet Corporation for Assigned Names and Numbers
4676 Admiralty Way, Suite 330
90292
Marina del Rey, CA
United States of America
+1-310-823-9358
leo.vegoda@icann.org
http://www.iana.org/
Keywords: bogons, IPv4, martians, filters
It has been common for network administrators to filter IP traffic from
and BGP prefixes of unallocated IPv4 address space. Now that there are no
longer any unallocated IPv4 /8s, this practice is more complicated, fragile
and expensive. Network administrators are advised to remove filters
based on the registration status of the address space.
This document explains why any remaining packet and BGP prefix filters for
unallocated IPv4 /8s should now be removed on border routers and documents
those IPv4 unicast prefixes that should not be routed across the public Internet.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in BCP 14, RFC 2119.
Bogons are packets sourced from addresses that have not yet been allocated by IANA
or the Regional Internet Registries (RIRs), or addresses reserved for private or
special use by RFCs. Martians are packets with an altogether
bogus (non-registered or ill-formed) Internet address. Bogons
are referred to as "Dark IP" in some circles.
Network administrators who implemented filters for unallocated IPv4 /8s
did so in the knowledge that those /8s were not a legitimate source of
traffic on the Internet and that there was a small number of bogon filters
to implement. Now that there are no longer any unallocated unicast IPv4
/8s, there will be legitimate Internet traffic coming from all unicast /8s
that are not reserved for special purposes in an RFC.
Removing packet and prefix filters based on the registration status of the
IPv4 address is a simple approach that will avoid blocking legitimate Internet
traffic. Network operators SHOULD remove both ingress and egress packet filters
as well as BGP prefix filters for previously unallocated IPv4 /8s.
Some network administrators might want to continue filtering unallocated IPv4
addresses managed by the RIRs. This requires significantly more granular
ingress filters and the highly dynamic nature of the RIRs' address pools means
that filters need to be updated on a daily basis to avoid blocking legitimate
incoming traffic.
Network operators who only wish to filter traffic originating from addresses that
should never be routed across the Internet (Martians) can deploy a set of packet and
prefix filters designed to block traffic from address blocks reserved for special
purposes. These are:
- 0.0.0.0/8 (Local identification);
- 10.0.0.0/8 (Private use);
- 127.0.0.0/8 (Loopback);
- 169.254.0.0/16 (Link local);
- 172.16.0.0/12 (Private use);
- 192.0.2.0/24 (TEST-NET-1);
- 192.168.0.0/16 (Private use);
- 198.18.0.0/15 (Benchmark testing);
- 198.51.100.0/24 (TEST-NET-2);
- 203.0.113.0/24 (TEST-NET-3);
- 224.0.0.0/4 (Multicast); and
- 240.0.0.0/4 (Future use).
A full set of special use IPv4 addresses can be found in . It
includes prefixes that are intended for Internet use.
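As an added illustration (not part of the original document) of the filter the preceding paragraphs describe, the script below builds a packet and BGP prefix filter from exactly the twelve special-purpose blocks listed above and nothing else, so it keys on reserved status only and never on whether a /8 has been allocated. The sample source addresses and the prefix-list rendering are constructed for this example; the Cisco IOS-style `ip prefix-list ... le 32` syntax is assumed and should be checked against the target platform.

```python
"""Martian filter built only from the special-purpose IPv4 blocks listed above.

Added example, not the document's own code. Because the filter contains no
entry for formerly unallocated /8s, traffic from any ordinary unicast /8 passes.
"""
import ipaddress
from typing import Iterable, List, Optional

# The twelve blocks from the document's list: the whole filter.
MARTIANS = {
    "0.0.0.0/8": "Local identification",
    "10.0.0.0/8": "Private use",
    "127.0.0.0/8": "Loopback",
    "169.254.0.0/16": "Link local",
    "172.16.0.0/12": "Private use",
    "192.0.2.0/24": "TEST-NET-1",
    "192.168.0.0/16": "Private use",
    "198.18.0.0/15": "Benchmark testing",
    "198.51.100.0/24": "TEST-NET-2",
    "203.0.113.0/24": "TEST-NET-3",
    "224.0.0.0/4": "Multicast",
    "240.0.0.0/4": "Future use",
}
_NETS = [(ipaddress.ip_network(p), why) for p, why in MARTIANS.items()]


def martian_reason(address: str) -> Optional[str]:
    """Return the block description if a source address is a Martian, else None."""
    ip = ipaddress.ip_address(address)
    for net, why in _NETS:
        if ip in net:
            return why
    return None


def is_martian(address: str) -> bool:
    """Packet filter decision: drop only addresses inside a reserved block."""
    return martian_reason(address) is not None


def filter_packets(sources: Iterable[str]) -> List[str]:
    """Return the subset of source addresses the packet filter would drop."""
    return [s for s in sources if is_martian(s)]


def reject_prefix(prefix: str) -> bool:
    """BGP prefix filter: reject a route equal to or more specific than a Martian block.

    A covering aggregate (e.g. a /7 that contains 10.0.0.0/8) or the default
    route is not rejected here; the document's list names reserved blocks only.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(m) for m, _ in _NETS)


def ios_prefix_list(name: str = "martians") -> List[str]:
    """Render the list as IOS-style prefix-list lines (syntax assumed, verify on
    the platform): deny each block and all more-specifics, then permit the rest."""
    lines = [
        f"ip prefix-list {name} seq {seq * 5} deny {net} le 32"
        for seq, (net, _) in enumerate(_NETS, start=1)
    ]
    lines.append(f"ip prefix-list {name} seq {len(_NETS) * 5 + 5} permit 0.0.0.0/0 le 32")
    return lines


# Constructed sample source addresses: some Martians, and some ordinary unicast
# addresses that sit just outside a reserved block and must not be dropped.
SAMPLE_SOURCES = [
    "10.1.2.3",         # private use
    "203.0.113.5",      # TEST-NET-3
    "198.19.255.1",     # inside 198.18.0.0/15
    "198.20.0.1",       # just past the /15 boundary: legitimate
    "192.0.3.1",        # just past TEST-NET-1: legitimate
    "172.32.0.1",       # just past 172.16.0.0/12: legitimate
    "239.255.255.250",  # multicast
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src:16} -> {martian_reason(src) or 'pass'}")
    for pfx in ("192.168.10.0/24", "198.20.0.0/16", "0.0.0.0/0"):
        print(f"{pfx:16} -> {'reject' if reject_prefix(pfx) else 'accept'}")
    print("\n".join(ios_prefix_list()))
```

The boundary addresses (198.20.0.1, 192.0.3.1, 172.32.0.1) are the useful part of the sample: a filter that rounded any of the reserved blocks up to a whole /8 would wrongly drop them, which is the same failure mode the document warns about for filters keyed to registration status.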
The cessation of filters based on unallocated IPv4 /8 allocations is an
evolutionary step towards reasonable security filters. While these
filters are no longer necessary, and in fact harmful, this does not
obviate the need to continue other security solutions. These other
solutions are as necessary today as they ever were.
This document makes no request of IANA.
Thanks are owed to Kim Davies, Terry Manderson, Dave Piscitello and Joe
Abley for helpful advice on how to focus this document. Thanks also go
to Andy Davidson, Philip Smith and Rob Thomas for early reviews and
suggestions for improvements to the text and Carlos Pignataro for his
support and comments.