BGP Filter

  • Everyone is free to filter within their own AS as they wish; however, it is recommended to deny the default route (footnote 1), both inbound and outbound.
  • It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits or IPv6 prefixes longer than 60 bits. There are exceptions:
    • Non-RFC1918 addresses reachable via GLaNET.
    • GLaNET service addresses (/32s from 192.168.248.0/22 and /128s from fd00:6b64:f3b0::/48).

Example prefix lists (adapt to your needs)

Juniper

policy-options {
    prefix-list bogons {
        /* "This" network */
        0.0.0.0/8;
        /* Private-Use */
        10.0.0.0/8;
        /* Shared address space */
        100.64.0.0/10;
        /* Loopback */
        127.0.0.0/8;
        /* Link local */
        169.254.0.0/16;
        /* Private-Use */
        172.16.0.0/12;
        /* IETF Protocol Assignments */
        192.0.0.0/24;
        /* Documentation (TEST-NET-1) */
        192.0.2.0/24;
        /* Private-Use */
        192.168.0.0/16;
        /* Benchmarking */
        198.18.0.0/15;
        /* Documentation (TEST-NET-2) */
        198.51.100.0/24;
        /* Documentation (TEST-NET-3) */
        203.0.113.0/24;
        /* Multicast */
        224.0.0.0/4;
        /* Former class E */
        240.0.0.0/4;
        /* Limited Broadcast */
        255.255.255.255/32;
    }
    prefix-list bogons6 {
        /* Unspecified Address */
        ::/128;
        /* Loopback Address */
        ::1/128;
        /* IPv4-mapped Address */
        ::ffff:0:0/96;
        /* Discard-Only Address Block */
        100::/64;
        /* TEREDO */
        2001::/32;
        /* Benchmarking */
        2001:2::/48;
        /* ORCHIDv2 */
        2001:20::/28;
        /* Documentation */
        2001:db8::/32;
        /* 6to4 */
        2002::/16;
        /* Pandora - Hack Hack Hack */
        2620:106:e000::/44;
        /* Facebook - Latency nightmare */
        2a03:2880::/29;
        /* Unique-Local */
        fc00::/7;
        /* Link-local unicast */
        fe80::/10;
    }
    prefix-list glanet-bogons {
        /* High risk of collision within GLaNET */
        192.168.0.0/22;
        /* High risk of collision within GLaNET */
        192.168.8.0/22;
        /* High risk of collision within GLaNET */
        192.168.100.0/22;
        /* High risk of collision within GLaNET */
        192.168.200.0/22;
        /* High risk of collision within GLaNET */
        192.168.252.0/22;
    }
    prefix-list as-self-glanet {
        /* REPLACE WITH YOUR OWN NETWORK */
        192.168.40.0/22;
    }
    prefix-list as-self6 {
        /* REPLACE WITH YOUR OWN NETWORK */
        2a06:e881:1100::/44;
    }
    policy-statement bgp-import-glanet {
        term set-default {
            then default-action accept;
        }
        term glanet-bogons {
            from {
                prefix-list-filter glanet-bogons orlonger;
                prefix-list-filter as-self-glanet orlonger;
            }
            then reject;
        }
        term glanet {
            from {
                route-filter 192.168.0.0/16 prefix-length-range /20-/28;
                route-filter 192.168.248.0/24 prefix-length-range /32-/32;
            }
            then next policy;
        }
        term glanet6 {
            from {
                route-filter fd00:6b64:f3b0::/48 prefix-length-range /128-/128;
            }
            then next policy;
        }
        term bogons {
            from {
                route-filter 0.0.0.0/0 upto /7;
                prefix-list-filter bogons orlonger;
            }
            then reject;
        }
        term bogons6 {
            from {
                route-filter ::/0 upto /16;
                route-filter ::/0 prefix-length-range /61-/128;
                prefix-list-filter bogons6 orlonger;
                prefix-list-filter as-self6 orlonger;
            }
            then reject;
        }
    }
}

Cisco/Quagga

These filters may be outdated.

IPv4

ip prefix-list glanet-in description BGP IPv4 import filter
! Deny default route and prefixes shorter than /8
ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7
! Deny prefixes with high risk of collision within GLaNET range
ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32
ip prefix-list glanet-in seq 21 deny 192.168.8.0/22 le 32
ip prefix-list glanet-in seq 22 deny 192.168.100.0/22 le 32
ip prefix-list glanet-in seq 23 deny 192.168.200.0/22 le 32
ip prefix-list glanet-in seq 24 deny 192.168.252.0/22 le 32
! Deny other RFC1918 prefixes
ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32
ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32
! Deny shared address space
ip prefix-list glanet-in seq 40 deny 100.64.0.0/10 le 32
! Deny link-local
ip prefix-list glanet-in seq 50 deny 169.254.0.0/16 le 32
! Deny multicast
ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32
! Deny former class E
ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32
! Allow everything
ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32

IPv6

! Deny default route and prefixes shorter than /16
ipv6 prefix-list glanet6-in deny 0::/0 le 15
! Deny 6bone prefix (not used anymore)
ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128
! Deny documentation prefix
ipv6 prefix-list glanet6-in deny 2001:db8::/32 le 128
! Teredo prefix must be exactly 32 bits long
ipv6 prefix-list glanet6-in permit 2001::/32
ipv6 prefix-list glanet6-in deny 2001::/32 le 128
! 6to4 prefix must be exactly 16 bits long
ipv6 prefix-list glanet6-in permit 2002::/16
ipv6 prefix-list glanet6-in deny 2002::/16 le 128
! Deny loopback/unspecified/v4-mapped prefix
ipv6 prefix-list glanet6-in deny 0000::/8 le 128
! Deny multicast prefixes
ipv6 prefix-list glanet6-in deny ff00::/8 le 128
! Permit everything else, up to /64
ipv6 prefix-list glanet6-in permit 0::/0 le 64
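
Added example (not part of the original page): a small Python evaluator for the Cisco-style prefix-list syntax above, run over the page's own glanet6-in entries, so you can check what the import filter does to a given route before deploying it. It assumes entries are evaluated in the order written (first match wins, implicit deny at the end); the test routes are constructed, apart from the prefixes taken from this page.

```python
import ipaddress
import re

# Entries copied from the page's IPv6 "glanet6-in" list (comment lines dropped).
GLANET6_IN = """\
ipv6 prefix-list glanet6-in deny 0::/0 le 15
ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128
ipv6 prefix-list glanet6-in deny 2001:db8::/32 le 128
ipv6 prefix-list glanet6-in permit 2001::/32
ipv6 prefix-list glanet6-in deny 2001::/32 le 128
ipv6 prefix-list glanet6-in permit 2002::/16
ipv6 prefix-list glanet6-in deny 2002::/16 le 128
ipv6 prefix-list glanet6-in deny 0000::/8 le 128
ipv6 prefix-list glanet6-in deny ff00::/8 le 128
ipv6 prefix-list glanet6-in permit 0::/0 le 64
"""
ENTRY = re.compile(r"^(?:ip|ipv6) prefix-list \S+ (?:seq \d+ )?"
                   r"(permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")

def parse(config):
    """Return [(action, network, min_len, max_len)] in configuration order."""
    entries = []
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:  # "!" comments, description lines, blank lines
            continue
        action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix)
        # No ge/le: exact length. Only le: len..le. Only ge: ge..max length.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (net.max_prefixlen if ge else net.prefixlen)
        entries.append((action, net, lo, hi))
    return entries

def evaluate(entries, route):
    """First matching entry wins; a route matching no entry is denied."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        if (r.version == net.version and r.subnet_of(net)
                and lo <= r.prefixlen <= hi):
            return action, f"{net} len {lo}-{hi}"
    return "deny", "implicit deny"

if __name__ == "__main__":
    rules = parse(GLANET6_IN)
    # Default route, Teredo, a Teredo more-specific, as-self6, a service /128.
    for route in ("::/0", "2001::/32", "2001:0:1::/48",
                  "2a06:e881:1100::/44", "fd00:6b64:f3b0::1/128"):
        print(route, *evaluate(rules, route))
```

With the list as written, a GLaNET service /128 from fd00:6b64:f3b0::/48 falls through to the implicit deny, because the final permit stops at /64.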

BIRD

These filters may be outdated.

IPv4

function net_martian()
{
  return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/22+,
                 192.168.8.0/22+, 192.168.100.0/22+, 192.168.200.0/22+,
                 192.168.252.0/22+, 10.0.0.0/8+, 100.64.0.0/10+,
                 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-,
                 0.0.0.0/0{0,7} ];
}

filter martians {
  if net_martian() then
    reject;
  else
    accept;
}

IPv6

function net_martian()
{
  return net ~ [ 3ffe::/16+, 2001:db8::/32+, 2001::/33+, 2002::/17+, 0000::/8+,
                 fe00::/8+,  ::/128-, ::/0{0,15}, ::/0{65,128} ];
}

filter martians {
  if net_martian() then
    reject;
  else
    accept;
}
1) IPv4: 0.0.0.0/0 | IPv6: ::0/0