~~NOTOC~~
====== BGP Filter ======
* Every member is free to filter within their own AS as they wish; however, it is recommended to deny the default route((IPv4: ''0.0.0.0/0'' | IPv6: ''::0/0'')), both inbound and outbound.
* It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 61 bits((Some members have small allocations)). Of course there are exceptions:
* Non-RFC1918 addresses reachable via GLaNET.
* GLaNET services addresses (/32s from 192.168.248.0/22 and /128s from ''fd00:6b64:f3b0::/48'').
===== Example prefix lists (adapt to your needs) =====
==== Juniper ====
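policy-options {
    /* IPv4 special-purpose ranges that must never be accepted from a BGP peer */
    prefix-list bogons {
        /* "This" network */
        0.0.0.0/8;
        /* Private-Use */
        10.0.0.0/8;
        /* Shared address space */
        100.64.0.0/10;
        /* Loopback */
        127.0.0.0/8;
        /* Link local */
        169.254.0.0/16;
        /* Private-Use */
        172.16.0.0/12;
        /* IETF Protocol Assignments */
        192.0.0.0/24;
        /* Documentation (TEST-NET-1) */
        192.0.2.0/24;
        /* Private-Use */
        192.168.0.0/16;
        /* Benchmarking */
        198.18.0.0/15;
        /* Documentation (TEST-NET-2) */
        198.51.100.0/24;
        /* Documentation (TEST-NET-3) */
        203.0.113.0/24;
        /* Multicast */
        224.0.0.0/4;
        /* Former class E */
        240.0.0.0/4;
        /* Limited Broadcast */
        255.255.255.255/32;
    }
    /* IPv6 special-purpose ranges that must never be accepted from a BGP peer */
    prefix-list bogons6 {
        /* Unspecified Address */
        ::/128;
        /* Loopback Address */
        ::1/128;
        /* IPv4-mapped Address */
        ::ffff:0:0/96;
        /* Discard-Only Address Block */
        100::/64;
        /* TEREDO */
        2001::/32;
        /* Benchmarking */
        2001:2::/48;
        /* ORCHIDv2 */
        2001:20::/28;
        /* Documentation */
        2001:db8::/32;
        /* 6to4 */
        2002::/16;
        /* Unique-Local */
        fc00::/7;
        /* Link-Scoped Unicast */
        fe80::/10;
        /* Multicast (the Cisco/Quagga IPv6 list on this page denies it too) */
        ff00::/8;
    }
    /* RFC1918 sub-ranges commonly used on home/office LANs; excluded from GLaNET */
    prefix-list glanet-bogons {
        /* High risk of collision within GLaNET */
        192.168.0.0/22;
        /* High risk of collision within GLaNET */
        192.168.8.0/22;
        /* High risk of collision within GLaNET */
        192.168.100.0/22;
        /* High risk of collision within GLaNET */
        192.168.200.0/22;
        /* High risk of collision within GLaNET */
        192.168.252.0/22;
    }
    prefix-list as-self {
        /* REPLACE WITH YOUR OWN IPv4 PUBLIC PREFIX (the value below is a documentation placeholder) */
        192.0.2.0/24;
    }
    prefix-list as-self-glanet {
        /* REPLACE WITH YOUR OWN IPv4 GLANET PREFIX */
        192.168.40.0/22;
    }
    prefix-list as-self6 {
        /* REPLACE WITH YOUR OWN IPv6 PUBLIC PREFIX (the value below is a documentation placeholder) */
        2001:db8::/48;
    }
    /* Import policy for GLaNET peers. Term order matters: rejects for colliding
       and own prefixes come first, then the GLaNET allow-list, then bogons. */
    policy-statement bgp-import-glanet {
        /* No "from": applies to every route. Routes that match no later
           terminating term fall back to accept. */
        term set-default {
            then default-action accept;
        }
        /* Reject collision-prone ranges and our own GLaNET prefix when a peer
           announces them; receiving our own space indicates a leak or hijack. */
        term glanet-bogons {
            from {
                prefix-list-filter glanet-bogons orlonger;
                prefix-list-filter as-self-glanet orlonger;
            }
            then reject;
        }
        /* Hand well-formed GLaNET IPv4 routes to the next policy, skipping the
           bogon terms below (which would otherwise reject all of 192.168.0.0/16). */
        term glanet {
            from {
                /* Member allocations: /20 through /28 only */
                route-filter 192.168.0.0/16 prefix-length-range /20-/28;
                /* Service addresses: host routes only.
                   NOTE(review): the text on this page gives the services range as
                   192.168.248.0/22, but only 192.168.248.0/24 is admitted here;
                   confirm which is intended. */
                route-filter 192.168.248.0/24 prefix-length-range /32-/32;
            }
            then next policy;
        }
        /* GLaNET IPv6 service addresses: /128 host routes only */
        term glanet6 {
            from {
                route-filter fd00:6b64:f3b0::/48 prefix-length-range /128-/128;
            }
            then next policy;
        }
        term bogons {
            from {
                /* Default route and anything /7 or shorter */
                route-filter 0.0.0.0/0 upto /7;
                prefix-list-filter bogons orlonger;
                /* Our own public prefix must never be learned from a peer */
                prefix-list-filter as-self orlonger;
            }
            then reject;
        }
        term bogons6 {
            from {
                /* Default route and anything /16 or shorter */
                route-filter ::/0 upto /16;
                /* Anything longer than /61 (GLaNET /128 services were handled above) */
                route-filter ::/0 prefix-length-range /62-/128;
                prefix-list-filter bogons6 orlonger;
                /* Our own public prefix must never be learned from a peer */
                prefix-list-filter as-self6 orlonger;
            }
            then reject;
        }
    }
}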
==== Cisco/Quagga ====
These filters may be outdated.
=== IPv4 ===
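ip prefix-list glanet-in description BGP IPv4 import filter
! First match wins, so every deny must precede the final permit.
! Deny the default route and any prefix of length /0 through /7
ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7
! Deny "this network" and loopback (also in the Juniper bogons list on this page)
ip prefix-list glanet-in seq 11 deny 0.0.0.0/8 le 32
ip prefix-list glanet-in seq 12 deny 127.0.0.0/8 le 32
! Deny prefixes with high risk of collision within GLaNET range
ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32
ip prefix-list glanet-in seq 21 deny 192.168.8.0/22 le 32
ip prefix-list glanet-in seq 22 deny 192.168.100.0/22 le 32
ip prefix-list glanet-in seq 23 deny 192.168.200.0/22 le 32
ip prefix-list glanet-in seq 24 deny 192.168.252.0/22 le 32
! Add a deny for your own GLaNET and public prefixes here, so that a peer
! cannot announce your own address space back to you.
! Deny other RFC1918 prefixes
ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32
ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32
! Deny shared address space
ip prefix-list glanet-in seq 40 deny 100.64.0.0/10 le 32
! Deny link-local
ip prefix-list glanet-in seq 50 deny 169.254.0.0/16 le 32
! Deny multicast
ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32
! Deny former class E (also covers the limited broadcast address)
ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32
! Deny IETF protocol assignments, documentation and benchmarking ranges
ip prefix-list glanet-in seq 80 deny 192.0.0.0/24 le 32
ip prefix-list glanet-in seq 81 deny 192.0.2.0/24 le 32
ip prefix-list glanet-in seq 82 deny 198.18.0.0/15 le 32
ip prefix-list glanet-in seq 83 deny 198.51.100.0/24 le 32
ip prefix-list glanet-in seq 84 deny 203.0.113.0/24 le 32
! Allow everything else.
! NOTE(review): this admits any prefix length up to /32, including the rest of
! 192.168.0.0/16; the Juniper example on this page limits GLaNET routes to
! /20-/28 plus /32 service addresses. Tighten if you need the same behaviour.
ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32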
=== IPv6 ===
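! BGP IPv6 import filter. Entries carry no explicit sequence numbers, so they
! are evaluated in the order entered; first match wins.
! Deny the default route and any prefix of length /0 through /15
ipv6 prefix-list glanet6-in deny 0::/0 le 15
! Deny 6bone prefix (not used anymore)
ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128
! Deny documentation prefix
ipv6 prefix-list glanet6-in deny 2001:db8::/32 le 128
! Teredo prefix must be exactly 32-bit long: permit the exact /32, then deny
! everything more specific inside it
ipv6 prefix-list glanet6-in permit 2001::/32
ipv6 prefix-list glanet6-in deny 2001::/32 le 128
! 6to4 prefix must be exactly 16-bit long: same permit-then-deny pattern
ipv6 prefix-list glanet6-in permit 2002::/16
ipv6 prefix-list glanet6-in deny 2002::/16 le 128
! Deny loopback/unspecified/v4-mapped prefix
ipv6 prefix-list glanet6-in deny 0000::/8 le 128
! Deny link-local (also in the Juniper bogons6 list on this page)
ipv6 prefix-list glanet6-in deny fe80::/10 le 128
! Deny multicast prefixes
ipv6 prefix-list glanet6-in deny ff00::/8 le 128
! Permit everything else up to /64; longer prefixes hit the implicit deny.
! NOTE(review): the text on this page recommends a /61 limit, and the /128
! GLaNET service addresses are not admitted by this list - confirm intent.
! NOTE(review): unique-local space (fc00::/7) is not denied here, although the
! Juniper example rejects it; add a deny if you do not expect ULA routes.
ipv6 prefix-list glanet6-in permit 0::/0 le 64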
==== BIRD ====
These filters may be outdated.
=== IPv4 ===
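# Returns true when the route's prefix (net) is an IPv4 martian that should be
# rejected on import. Pattern suffixes: "+" matches the prefix and everything
# more specific, "-" matches the prefix and everything less specific,
# "{a,b}" matches sub-prefixes whose length lies between a and b.
function net_martian()
{
	return net ~ [
		# default route, any covering prefix of 0.0.0.0, and anything /0../7
		0.0.0.0/32-, 0.0.0.0/0{0,7},
		# loopback (was missing; the Juniper bogons list on this page has it)
		127.0.0.0/8+,
		# link-local
		169.254.0.0/16+,
		# ranges with a high risk of collision within GLaNET
		192.168.0.0/22+, 192.168.8.0/22+, 192.168.100.0/22+,
		192.168.200.0/22+, 192.168.252.0/22+,
		# other RFC1918 space (172.16.0.0/12+ was listed twice) and shared space
		10.0.0.0/8+, 172.16.0.0/12+, 100.64.0.0/10+,
		# multicast and former class E
		224.0.0.0/4+, 240.0.0.0/4+
	];
}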
# Import filter: accept a route only when net_martian() does not flag it.
filter martians {
	if !net_martian() then accept;
	reject;
}
=== IPv6 ===
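# Returns true when the route's prefix (net) is an IPv6 martian that should be
# rejected on import. Shares its name with the IPv4 function on this page, so
# the two are presumably meant for separate IPv4 and IPv6 configurations.
function net_martian()
{
	return net ~ [
		# 6bone (retired) and documentation space
		3ffe::/16+, 2001:db8::/32+,
		# Teredo and 6to4 are valid only as the exact /32 and /16: reject every
		# more-specific. The previous 2001::/33+ and 2002::/17+ covered only the
		# lower half of each block.
		2001::/32{33,128}, 2002::/16{17,128},
		# loopback / unspecified / v4-mapped
		0000::/8+,
		# fe00::/8 (contains link-local fe80::/10) and multicast ff00::/8
		fe00::/8+, ff00::/8+,
		# default route, prefixes of length /0../15, and anything longer than /64
		::/128-, ::/0{0,15}, ::/0{65,128}
	];
}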
# Import filter: reject whatever net_martian() flags, accept everything else.
filter martians {
	if net_martian() then reject;
	accept;
}