Differences

This shows you the differences between two versions of the page.

doc:filters [2012/03/08 22:55] – created Benjamin Collet
doc:filters [2016/04/17 07:50] – [BGP Filter] Benjamin Collet
Line 5: Line 5:
   * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:   * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:
     * Non-RFC1918 addresses reachable via GLaNET.     * Non-RFC1918 addresses reachable via GLaNET.
-    * GLaNET services addresses (192.168.248.0/22 and ''fd00:6b64:f3b0::/48'').+    * GLaNET services addresses (/32s from 192.168.248.0/22 and /128s from ''fd00:6b64:f3b0::/48'').
  
 ===== Example prefix lists ===== ===== Example prefix lists =====
 ==== IPv4 ==== ==== IPv4 ====
 +=== Cisco/Quagga ===
  
 <code> <code>
 ip prefix-list glanet-in description BGP IPv4 import filter ip prefix-list glanet-in description BGP IPv4 import filter
-! Deny default route +! Deny default route and too large prefixes 
-ip prefix-list glanet-in seq 10 deny 0.0.0.0/0+ip prefix-list glanet-in seq 10 deny 0.0.0.0/le 7
 ! Deny prefixes with high risk of collision within GLaNET range ! Deny prefixes with high risk of collision within GLaNET range
 ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32 ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32
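Review bot: the new seq 10 entry ''ip prefix-list glanet-in seq 10 deny 0.0.0.0/le 7'' is missing the prefix length before ''le''; that is not valid prefix-list syntax and will be refused at configuration time, so it should read ''ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7'', which covers the default route and every prefix up to /7 as the updated comment says. The reworded exception (/32s from 192.168.248.0/22 and /128s from ''fd00:6b64:f3b0::/48'') now describes host routes, so any import filter that caps prefix length has to carry an explicit permit for those two ranges ahead of its catch-all entry, since a prefix list stops at the first match.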
Line 23: Line 24:
 ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32 ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32
 ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32 ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32
 +! Deny shared address space
 +ip prefix-list glanet-in seq 40 deny 100.64.0.0/10 le 32
 +! Deny link-local
 +ip prefix-list glanet-in seq 50 deny 169.254.0.0/16 le 32
 +! Deny multicast
 +ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32
 +! Deny former class E
 +ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32
 ! Allow everything ! Allow everything
 ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32 ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32
 +</code>
 +
 +=== BIRD ===
 +<code>
 +function net_martian()
 +{       
 +  return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/22+,
 +                 192.168.8.0/22+, 192.168.100.0/22+, 192.168.200.0/22+,
 +                 192.168.252.0/22+, 10.0.0.0/8+, 100.64.0.0/10+,
 +                 172.16.0.0/12+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-,
 +                 0.0.0.0/0{0,7} ];
 +}
 +
 +filter martians {
 +  if net_martian() then
 +    reject;
 +  else
 +    accept;
 +}
 +</code>
 +
 +=== Juniper ===
 +<code>
 +policy-options {
 +    prefix-list bogons {
 +        /* Non-GLaNET RFC1918 prefix */
 +        10.0.0.0/8;
 +        /* Shared address space */
 +        100.64.0.0/10;
 +        /* Link local */
 +        169.254.0.0/16;
 +        /* Non-GLaNET RFC1918 prefix */
 +        172.16.0.0/12;
 +        /* High risk of collision within GLaNET */
 +        192.168.0.0/22;
 +        /* High risk of collision within GLaNET */
 +        192.168.8.0/22;
 +        /* High risk of collision within GLaNET */
 +        192.168.100.0/22;
 +        /* High risk of collision within GLaNET */
 +        192.168.200.0/22;
 +        /* High risk of collision within GLaNET */
 +        192.168.252.0/22;
 +        /* Multicast */
 +        224.0.0.0/4;
 +        /* Former class E */
 +        240.0.0.0/4;
 +    }
 +    policy-statement bgp-import-generic {
 +        term set-default {
 +            then default-action accept;
 +        }
 +        term default-route {
 +            from {
 +                route-filter 0.0.0.0/0 upto /7 reject;
 +            }
 +        }
 +        term bogons {
 +            from {
 +                prefix-list-filter bogons orlonger;
 +            }
 +            then reject;
 +        }
 +    }
 +}
 </code> </code>
  
 ==== IPv6 ==== ==== IPv6 ====
 +=== Cisco/Quagga ===
 +
 <code> <code>
-! Deny default route +! Deny default route and too large prefixes 
-ipv6 prefix-list glanet6-in deny 0::/0+ipv6 prefix-list glanet6-in deny 0::/0 le 15
 ! Deny 6bone prefix (not used anymore) ! Deny 6bone prefix (not used anymore)
 ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128 ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128
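Review bot: the three IPv4 lists added here are not equivalent, so a peer would be filtered differently depending on the platform. In BIRD, ''172.16.0.0/12+'' appears twice in net_martian() (once on the first line of the set and again on the fourth); drop the duplicate. Neither the BIRD set nor the Juniper ''bogons'' prefix-list rejects 127.0.0.0/8, and BIRD's ''0.0.0.0/32-'' only matches prefixes whose address is exactly 0.0.0.0, not the rest of 0.0.0.0/8; if the Cisco/Quagga list handles these in the lines this diff does not show, the other two should get matching entries, otherwise all three should. The IPv4 catch-all is still ''permit 0.0.0.0/0 le 32'' (and the Juniper policy has no length term at all) while the IPv6 list in this same revision is capped at /64; if the intent is to enforce the /28 recommendation on import as well, add ''ip prefix-list glanet-in seq 900 permit 192.168.248.0/22 le 32'' for the services range and change seq 1000 to ''le 28'', and give BIRD and Juniper the same cap. The Juniper ''term set-default'' using ''default-action accept'' followed by rejecting terms is fine, but a one-line comment that the policy's final result is accept-unless-matched would help readers who expect a terminating ''then accept'' term.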
Line 44: Line 120:
 ipv6 prefix-list glanet6-in deny 0000::/8 le 128 ipv6 prefix-list glanet6-in deny 0000::/8 le 128
 ! Deny multicast prefixes ! Deny multicast prefixes
-ipv6 prefix-list glanet6-in deny fe00::/9 le 128 
 ipv6 prefix-list glanet6-in deny ff00::/8 le 128 ipv6 prefix-list glanet6-in deny ff00::/8 le 128
-! Permit everything else +! Permit everything else but small prefixes 
-ipv6 prefix-list glanet6-in permit 0::/0 le 128+ipv6 prefix-list glanet6-in permit 0::/0 le 64 
 +</code> 
 + 
 +=== BIRD === 
 + 
 +<code> 
 +function net_martian() 
 +
 +  return net ~ [ 3ffe::/16+, 2001:db8::/32+, 2001::/33+, 2002::/17+, 0000::/8+, 
 +                 fe00::/8+,  ::/128-, ::/0{0,15}, ::/0{65,128} ]; 
 +
 + 
 +filter martians { 
 +  if net_martian() then 
 +    reject; 
 +  else 
 +    accept; 
 +}
 </code> </code>
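Review bot: ''ipv6 prefix-list glanet6-in permit 0::/0 le 64'' and the BIRD ''::/0{65,128}'' reject both drop the /128 service addresses from ''fd00:6b64:f3b0::/48'' that the page lists as an explicit exception. Add ''ipv6 prefix-list glanet6-in permit fd00:6b64:f3b0::/48 le 128'' before the catch-all permit (first match wins), and in BIRD either exclude that range inside net_martian() or check ''net ~ [ fd00:6b64:f3b0::/48{128,128} ]'' and accept before calling it. Two smaller points in the BIRD set: ''2001::/33+'' looks like a typo for ''2001::/32+'' (Teredo), and as written 2001:0:8000::/33 stays unfiltered; and ''fe00::/8+'' is added here while the same hunk removes ''deny fe00::/9 le 128'' from the Quagga list, so the two lists diverge again. fe00::/8 covers fe80::/10 link-local and the deprecated fec0::/10 site-local, neither of which belongs in a BGP feed, so keeping the BIRD entry and giving Quagga a matching ''deny fe00::/8 le 128'' under a comment that does not call it multicast would be consistent. Finally, the IPv6 block reuses the names net_martian and martians from the IPv4 block; that works with separate bird and bird6 configs but will collide if both ever land in a single BIRD 2 config file.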