[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] Re: Add CGNAT 100.64.0.0/10 to Default Exit Relay Reject Policy

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-relays] Re: Add CGNAT 100.64.0.0/10 to Default Exit Relay Reject Policy
From: forest-relay-contact--- via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 03 Dec 2025 22:56:37 -0000
In-reply-to: <20251203112353.518ee07d@chukanabe.hofud>
List-id: "support and questions about running Tor relays (exit, non-exit, bridge)" <tor-relays.lists.torproject.org>
References: <20251203112353.518ee07d@chukanabe.hofud>
Reply-to: forest-relay-contact@xxxxxxxxxxxxx
User-agent: HyperKitty on https://lists.torproject.org/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello.

> Isn't 198.18.0.0/15 a private range, like RFC 1918?

Its RFC 2544, which contains ranges reserved for internal benchmarking.

The term here is "bogon". That is any address which should not be seen
being routed on the public internet. This includes special-purpose
addresses like CG-NAT and benchmarking addresses, as well as reserved
addresses that have not been allocated.

> Currently reserved IP ranges are not routed but may be revived later
> and have security consequences

In 2011, the IETF wrote RFC 6441 (BCP 171), in which they recommend
that unallocated ranges should no longer be considered bogons due to
the IPv4 exhaustion. Any range that are reserved for "eventual" public
use should just be considered allocated.

I don't believe Tor does any special filtering for bogons, only for
certain local addresses in tor_addr_is_internal_(), specifically:

  fc00/7
  fc80/10
  fec0/10
  ::/127

  10/8
  0/8
  127/8
  100.64/10
  169.254/16
  172.16/12
  192.168/16

With special cases for binding to 0/32 and 100.64/10.

See: https://bgpfilterguide.nlnog.net/guides/bogon_prefixes/

Regards,
forest
-----BEGIN PGP SIGNATURE-----

iQIyBAEBCgAdFiEEvLrj6cuOL+I/KdxYBh18rEKN1gsFAmkwwC4ACgkQBh18rEKN
1gtb+w/46xOAPmcUzepMwJnqlXrLxwTMwK/NkrSbRJw+hTgO7u886vsYKZ9LykSg
IBfUzawpe9xnnTS4APdb3cXeVYEpeI2yD2P4A9QLB61LD3NkFdJsEFgRA6jDi48V
oojcfsd+3vQ4xFGKoi7CLSxFLP6vnxXclVRdN72heienQeQPoh8WmnIovrEqt2Z4
6WrbI6Cept6zvrUD83Q1YTFs4aKL9AQ9pjmGvnIIRDGAafk8xEr0CN9ugnuIYeNB
nyh2t/sZZZyl+pSuEe4qRhNv8/ypMMUKAivt+QNYVs2pJqeSTir7+xWqCt1xavIV
3UjBkZkoGhsH06EoerzW9UgI5+mVCIRgHGzGlrXArsjgQVQSrjFadoDuMUd6LJu1
hjnt0HhDD27aod8coF4jI4tA2Qh4/4bWwVZlccWA1FQwXY9v/SLcJh1qOF9URcaO
p/Lvgf8Z7SjBJWd1pXf0zo7xn/Orge4ossdNh7wjcEKNMT3efaNRwem6I5Eb8LMh
ce7SIRMXQcR4CyEi9TKrc1fVDNB6agSaljhxisSRL7A84sd2TEMASpO6AJrAcqQJ
FYWL/3qkFUQXv7inz2E4aig/qpyIrINk4ssI0GDAMcOOVD3cejtQnXWgnSHDerfr
oU9W4xiuv13r4Gqe+b++1r8hmkZ7ADgYDm2drniLcW733irbJQ==
=wq/m
-----END PGP SIGNATURE-----
_______________________________________________
tor-relays mailing list -- tor-relays@xxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to tor-relays-leave@xxxxxxxxxxxxxxxxxxxx

References:
- [tor-relays] Re: Add CGNAT 100.64.0.0/10 to Default Exit Relay Reject Policy
  - From: vm666--- via tor-relays

Prev by Author: [tor-relays] Re: Out-of-Memory-Attack & DoS from Tor-Client
Next by Author: [tor-relays] Do nameservers ever block an entire /64 if a Tor exit is in there?
Previous by thread: [tor-relays] Re: Add CGNAT 100.64.0.0/10 to Default Exit Relay Reject Policy
Next by thread: [tor-relays] My exit isn't listed at https://check.torproject.org/exit-addresses
Index(es):
- Author
- Thread