Is it a good idea to restrict access to Shared Transition Space (100.64.0.0/10) IP addresses?

Forums › Vodafone New Zealand (including Vodafone, WxC, Farmside) › Is it a good idea to restrict access to Shared Transition Space (100.64.0.0/10) IP addresses?

LikesTV

6 posts

Wannabe Geek

#250724 23-May-2019 09:28

As I understand it, the IP range 100.64.0.0/10 is restricted for use by Internet Service Providers, within their own networks.

Therefore, we should not see any traffic with destination addresses within this space on a private network that connects to a Public IP.

Examination of the logs of internal network traffic at a customer shows these destinations occasionally (e.g. one or two firewall logs in four days), mainly from iPhones and Android devices.

Should I be suspicious of this traffic?

Should I permanently block the 100.64.0.0/10 range in all firewall Policies (from both Trusted and Untrusted BYOD networks)?

Thoughts and advice, anyone?

This is posted in the Vodafone forum as the customer in question is a Vodafone customer, and there may be some VF-specific answers - but this is also a general question for any network.

Same site as this previous forum post (possibly related issue)

https://www.geekzone.co.nz/forums.asp?forumid=40&topicid=248531

richms

25269 posts

Uber Geek

Trusted

Subscriber

#2243459 23-May-2019 09:50

What about when your ISP provisions CGNAT to its customers and they want to connect to you?

Richard rich.ms

Backblaze

Affiliate link

Affiliate link: Backblaze Unlimited Backup. World’s easiest cloud backup. Get peace of mind knowing your files are backed up securely in the cloud.

chevrolux

4962 posts

Uber Geek
Inactive user

#2243461 23-May-2019 09:52

I didn't think 100.64.0.0/10 was publicly routable, so therefore you shouldn't see any hits from the internet with 100.64 source addresses.

richms

25269 posts

Uber Geek

Trusted

Subscriber

#2243481 23-May-2019 10:10

chevrolux:

I didn't think 100.64.0.0/10 was publicly routable, so therefore you shouldn't see any hits from the internet with 100.64 source addresses.

Internet no, same ISP yes.

Richard rich.ms

LikesTV

6 posts

Wannabe Geek

#2243576 23-May-2019 10:36

Sorry, just for clarification, this is from examining Internal traffic (i.e inside the firewall).

I am seeing traffic from Internal devices seeking to go out to Shared Address Space IPv4 addresses. I am not monitoring inbound traffic to the firewall from the Internet.

The majority of the traffic comes from Phones (roughly 50/50 split between iPhones and Androids) with a couple of dektop computers.

In most cases, only one or two logs in four days

richms

25269 posts

Uber Geek

Trusted

Subscriber

#2243580 23-May-2019 10:45

Well if you're not on an ISP that does CGNAT they will go nowhere, and if you are on one that has some customers on it then its not any different to connecting to any other client of the same ISP. Probably some app on their phone trying to open a connection somewhere for a call or something. I cant see any reason to be blocking it.

Richard rich.ms

gaddman

224 posts

Master Geek

Trusted

#2244040 23-May-2019 17:45

In the Vodafone network we use that range as CGNAT for mobiles, so that'll be why you see Android and Apple devices. Odd that you see them at all, but I guess the phone is just trying to connect using its last gateway IP. Inside your firewall it's not going to route anywhere, so if you're taking a blocklist approach I don't see any benefit in adding that range. Equally I don't see any downside in adding it. But Im not a security professional, so take that advice for what it's worth.

gaddman

224 posts

Master Geek

Trusted

#2244041 23-May-2019 17:50

richms:
chevrolux:

I didn't think 100.64.0.0/10 was publicly routable, so therefore you shouldn't see any hits from the internet with 100.64 source addresses.

Internet no, same ISP yes.

I think this will depend on the ISP. There may not be a path between customers of the same ISP without going through NAT. That's how ours operates anyway, dunno about others using CGNAT.