I'd like a sanity check on this list of special-purpose IPv4 blocks which I'm currently forbidding in the CMU exit node's policy. I'm most uncertain about denying access to multicast (224.0.0.0/4) and 6to4 router anycast (192.88.99.0/24) -- I *think* there are no scenarios where someone would actually need to get at either of those via Tor, but I could be wrong.
# Reserved IPv4 addresses, sorted by RFC and then numerically
reject 255.255.255.255/32:*  # RFC 0919: "limited broadcast"
reject 224.0.0.0/4:*         # RFC 1112: multicast
reject 240.0.0.0/4:*         # RFC 1112: future addressing modes
reject 0.0.0.0/8:*           # RFC 1122: "This host" source address
reject 127.0.0.0/8:*         # RFC 1122: Loopback
reject 10.0.0.0/8:*          # RFC 1918: private use
reject 172.16.0.0/12:*       # " " "
reject 192.168.0.0/16:*      # " " "
reject 198.18.0.0/15:*       # RFC 2544: test environments
reject 192.88.99.0/24:*      # RFC 3068: 6to4 relay anycast (???)
reject 169.254.0.0/16:*      # RFC 3927: link-local
reject 192.0.2.0/24:*        # RFC 5737: documentation
reject 198.51.100.0/24:*     # " " "
reject 203.0.113.0/24:*      # " " "
reject 100.64.0.0/10:*       # RFC 6598: "shared space"/"carrier grade NAT"
reject 192.0.0.0/24:*        # RFC 6890: future special purposes
TIA, zw
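Added example, not part of the post above and not Tor's own code: a small Python checker for a reject list like the one posted. It re-implements Tor's first-match exit-policy lookup so you can probe sample destinations, flags reject rules that are wholly contained in another reject rule, and compares the list against a reference set of special-purpose blocks. Assumptions: the POLICY string is a constructed copy of the posted list with a catch-all `accept *:*` appended so the checker has a terminal rule; RFC6890_IPV4 is the IPv4 table of RFC 6890 section 2.2.2 transcribed by hand and should be re-checked against the IANA registry; when no rule matches, `decide` returns "reject" for safety, whereas a real torrc gets Tor's default policy appended; `uncovered_blocks` is conservative and will also report a block that is only covered by the union of several smaller reject rules.

```python
import ipaddress

# Constructed copy of the reject list from the post (comments dropped), with
# the usual catch-all accept appended so the checker has a terminal rule.
POLICY = """\
reject 255.255.255.255/32:*
reject 224.0.0.0/4:*
reject 240.0.0.0/4:*
reject 0.0.0.0/8:*
reject 127.0.0.0/8:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 192.168.0.0/16:*
reject 198.18.0.0/15:*
reject 192.88.99.0/24:*
reject 169.254.0.0/16:*
reject 192.0.2.0/24:*
reject 198.51.100.0/24:*
reject 203.0.113.0/24:*
reject 100.64.0.0/10:*
reject 192.0.0.0/24:*
accept *:*
"""

# IPv4 rows of the special-purpose table in RFC 6890 section 2.2.2, transcribed
# by hand (assumption): verify against the IANA registry before relying on it.
RFC6890_IPV4 = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
    "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "255.255.255.255/32",
]

ALL_PORTS = (1, 65535)


def parse_ports(spec):
    """'*' -> every port, 'N' -> (N, N), 'A-B' -> (A, B)."""
    if spec == "*":
        return ALL_PORTS
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("bad port range: %s" % spec)
    return (lo, hi)


def parse_policy(text):
    """Parse 'accept|reject ADDR[/MASK]:PORTS' lines into (action, net, ports).

    net is None for '*'. A trailing '# comment' is ignored, as in torrc.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, _, target = line.partition(" ")
        if action not in ("accept", "reject"):
            raise ValueError("unknown action in %r" % line)
        addr, _, ports = target.strip().rpartition(":")
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        rules.append((action, net, parse_ports(ports)))
    return rules


def decide(rules, ip, port):
    """First matching rule wins, as in Tor. No match -> 'reject' here
    (conservative; a real torrc gets Tor's default policy appended)."""
    ip = ipaddress.ip_address(ip)
    for action, net, (lo, hi) in rules:
        if (net is None or ip in net) and lo <= port <= hi:
            return action
    return "reject"


def redundant_rejects(rules):
    """All-port reject rules wholly inside another all-port reject rule."""
    rejects = [(i, net) for i, (a, net, p) in enumerate(rules)
               if a == "reject" and net is not None and p == ALL_PORTS]
    out = []
    for i, net in rejects:
        for j, other in rejects:
            if i != j and net != other and net.subnet_of(other):
                out.append((str(net), str(other)))
                break
    return out


def uncovered_blocks(rules, blocks):
    """Reference blocks not wholly inside one all-port reject rule that comes
    before every accept rule overlapping them. Conservative: a block covered
    only by the union of several reject rules is reported as well."""
    out = []
    for b in blocks:
        net = ipaddress.ip_network(b)
        covered = False
        for action, rnet, ports in rules:
            if action == "accept" and (rnet is None or rnet.overlaps(net)):
                break  # some address in the block hits this accept first
            if (action == "reject" and rnet is not None
                    and ports == ALL_PORTS and net.subnet_of(rnet)):
                covered = True
                break
        if not covered:
            out.append(b)
    return out


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for dst in ("8.8.8.8", "10.1.2.3", "239.255.255.250", "192.88.99.1"):
        print(dst, decide(rules, dst, 443))
    print("redundant:", redundant_rejects(rules))
    print("uncovered:", uncovered_blocks(rules, RFC6890_IPV4))
```

Run against the posted list, the redundancy check reports 255.255.255.255/32 as already inside 240.0.0.0/4 (harmless, since the /32 is listed first, but worth knowing), and the coverage check finds nothing in the transcribed RFC 6890 table that the policy would let through; 192.0.0.0/29 is caught by the wider 192.0.0.0/24 rule.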