Internet Corporation for Assigned Names and Numbers

4676 Admiralty Way, Suite 330 90292 Marina del Rey, CA United States of America +1-310-823-9358 leo.vegoda@icann.org http://www.iana.org/

bogons IPv4 martians filters It has been common for network administrators to filter IP traffic from and BGP prefixes of unallocated IPv4 address space. Now that there are no longer any unallocated IPv4 /8s, this practise is more complicated, fragile and expensive. Network administrators are advised to remove filters based on the registration status of the address space. This document explains why any remaining packet and BGP prefix filters for unallocated IPv4 /8s should now be removed on border routers and documents those IPv4 unicast prefixes that should not be routed across the public Internet.

It has been common for network administrators to filter IP traffic from and BGP prefixes of unallocated IPv4 address space. Now that there are no longer any unallocated IPv4 /8s, this practise is more complicated, fragile and expensive. Network administrators are advised to remove filters based on the registration status of the address space. This document explains why any remaining packet and BGP prefix filters for unallocated IPv4 /8s should now be removed on border routers and documents those IPv4 unicast prefixes that should not be routed across the public Internet.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 . Martians is a humorous term applied to packets that turn up unexpectedly on the wrong network because of bogus routing entries. It is also used as a name for a packet which has an altogether bogus (non-registered or ill-formed) Internet address. Bogons are packets sourced from addresses that have not yet been allocated by IANA or the Regional Internet Registries (RIRs), or addresses reserved for private or special use by RFCs .Bogons are referred to as "Dark IP" in some circles. .

Network administrators who implemented filters for unallocated IPv4 /8s did so in the knowledge that those /8s were not a legitimate source of traffic on the Internet and that there was a small number of bogon filters to implement. Now that there are no longer any unallocated unicast IPv4 /8s, there will be legitimate Internet traffic coming from all unicast /8s that are not reserved for special purposes in an RFC. Removing packet and prefix filters based on the registration status of the IPv4 address is a simple approach that will avoid blocking legitimate Internet traffic. Network operators SHOULD remove both ingress and egress packet filters as well as BGP prefix filters for previously unallocated IPv4 /8s.

Some network administrators might want to continue filtering unallocated IPv4 addresses managed by the RIRs. This requires significantly more granular ingress filters and the highly dynamic nature of the RIRs' address pools means that filters need to be updated on a daily basis to avoid blocking legitimate incoming traffic.

Network operators who only wish to filter traffic originating from addresses that should never be routed across the Internet, Martians, can deploy a set of packet and prefix filters designed to block traffic from address blocks reserved for special purposes. These are: - 0.0.0.0/8 (Local identification) ; - 10.0.0.0/8 (Private use) ; - 127.0.0.0/8 (Loopback) ; - 169.254.0.0/16 (Link local) ; - 172.16.0.0/12 (Private use) ; - 192.0.2.0/24 (TEST-NET-1) ; - 192.168.0.0/16 (Private use) ; - 198.18.0.0/15 (Benchmark testing) ; - 198.51.100.0/24 (TEST-NET-2) ; - 203.0.113.0/24 (TEST-NET-3) ; - 224.0.0.0/4 (Multicast) ; and - 240.0.0.0/4 (Future use) . A full set of special use IPv4 addresses can be found in . It includes prefixes that are intended for Internet use.

The cessation of filters based on unallocated IPv4 /8 allocations is an evolutionary step towards reasonable security filters. While these filters are no longer necessary, and in fact harmful, this does not obviate the need to continue other security solutions. These other solutions are as necessary today as they ever were.

This document makes no request of IANA.

Thanks are owed to Kim Davies, Terry Manderson, Dave Piscitello and Joe Abley for helpful advice on how to focus this document. Thanks also go to Andy Davidson, Philip Smith and Rob Thomas for early reviews and suggestions for improvements to the text and Carlos Pignataro for his support and comments.