doc:filters [2012/03/08 22:55] – created Benjamin Collet | doc:filters [2014/09/10 10:00] – Benjamin Collet | ||
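--- a/doc:filters
+++ b/doc:filters
@@ -5 +5 @@
 * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:
 * Non-RFC1918 addresses reachable via GLaNET.
-* GLaNET services addresses (192.168.248.0/
+* GLaNET services addresses (/32s from 192.168.248.0/
 ===== Example prefix lists =====
 ==== IPv4 ====
+=== Cisco/
 <
 ip prefix-list glanet-in description BGP IPv4 import filter
-! Deny default route
-ip prefix-list glanet-in seq 10 deny 0.0.0.0/0
+! Deny default route and too large prefixes
+ip prefix-list glanet-in seq 10 deny 0.0.0.0/
 ! Deny prefixes with high risk of collision within GLaNET range
 ip prefix-list glanet-in seq 20 deny 192.168.0.0/
@@ -23 +24 @@
 ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32
 ip prefix-list glanet-in seq 31 deny 172.16.0.0/
+! Deny shared address space
+ip prefix-list glanet-in seq 40 deny 100.64.0.0/
+! Deny link-local
+ip prefix-list glanet-in seq 50 deny 169.254.0.0/
+! Deny multicast
+ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32
+! Deny former class E
+ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32
 ! Allow everything
 ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32
+</
+
+=== BIRD ===
+<
+function net_martian()
+{
+return net ~ [ 169.254.0.0/
+
+
+
+
+}
+
+filter martians {
+if net_martian() then
+reject;
+else
+accept;
+}
+</
+
+=== Juniper ===
+<
+policy-options {
+prefix-list bogons {
+/* Non-GLaNET RFC1918 prefix */
+10.0.0.0/8;
+/* Shared address space */
+100.64.0.0/
+/* Link local */
+169.254.0.0/
+/* Non-GLaNET RFC1918 prefix */
+172.16.0.0/
+/* High risk of collision within GLaNET */
+192.168.0.0/
+/* High risk of collision within GLaNET */
+192.168.8.0/
+/* High risk of collision within GLaNET */
+192.168.100.0/
+/* High risk of collision within GLaNET */
+192.168.200.0/
+/* High risk of collision within GLaNET */
+192.168.252.0/
+/* Multicast */
+224.0.0.0/
+/* Former class E */
+240.0.0.0/
+}
+policy-statement bgp-import-generic {
+term set-default {
+then default-action accept;
+}
+term default-route {
+from {
+route-filter 0.0.0.0/0 upto /7 reject;
+}
+}
+term bogons {
+from {
+prefix-list-filter bogons orlonger;
+}
+then reject;
+}
+}
+}
 </
 ==== IPv6 ====
+=== Cisco/
+
 <
-! Deny default route
-ipv6 prefix-list glanet6-in deny 0::/0
+! Deny default route and too large prefixes
+ipv6 prefix-list glanet6-in deny 0::/0 le 15
 ! Deny 6bone prefix (not used anymore)
 ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128
@@ -44 +120 @@
 ipv6 prefix-list glanet6-in deny 0000::/8 le 128
 ! Deny multicast prefixes
-ipv6 prefix-list glanet6-in deny fe00::/9 le 128
 ipv6 prefix-list glanet6-in deny ff00::/8 le 128
-! Permit everything else
-ipv6 prefix-list glanet6-in permit 0::/0 le 128
+! Permit everything else but small prefixes
+ipv6 prefix-list glanet6-in permit 0::/0 le 64
+</
+
+=== BIRD ===
+
+<
+function net_martian()
+{
+return net ~ [ 3ffe::/16+, 2001:
+
+}
+
+filter martians {
+if net_martian() then
+reject;
+else
+accept;
+}
 </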
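Review bot: The Juniper `prefix-list bogons` added in the Line 23/24 hunk (the `policy-options` block is complete in this section) covers the RFC1918, shared address space, link-local, multicast and class E ranges but has no entry for 0.0.0.0/8 or 127.0.0.0/8, so a "this network" or loopback prefix announced by a neighbour passes `term bogons` and is accepted by the `default-action accept` term; adding `/* "This" network */ 0.0.0.0/8;` and `/* Loopback */ 127.0.0.0/8;` next to the other entries would close that gap. Whether the Cisco IPv4 list already has equivalent entries cannot be seen here, because the lines between seq 20 and seq 30 fall outside the hunks. Separately, the IPv6 Cisco catch-all was tightened to `permit 0::/0 le 64` while the IPv4 one still reads `permit 0.0.0.0/0 le 32`, and neither the BIRD nor the Juniper examples apply any maximum prefix length, so the /28 and /60 recommendations at the top of the page are only enforced by the IPv6 Cisco example; either a note that maximum-length filtering is left to the reader, or a term rejecting IPv4 prefixes longer than /28 placed after a permit for the 192.168.248.0 /32 exception, would make that explicit. The BIRD martian lists are truncated in this rendering, so their contents were not reviewed.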