doc:filters [2012/03/08 22:55] – created Benjamin Collet | doc:filters [2017/06/08 09:16] – Benjamin Collet | ||
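--- a/doc:filters
+++ b/doc:filters
@@ -5 +5 @@
 * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:
 * Non-RFC1918 addresses reachable via GLaNET.
-* GLaNET services addresses (192.168.248.0/
+* GLaNET services addresses (/32s from 192.168.248.0/
-===== Example prefix lists =====
+===== Example prefix lists (adapt to your needs)
-==== IPv4 ====
+==== Juniper ====
+<
+policy-options {
+prefix-list bogons {
+/* "
+0.0.0.0/
+/* Private-Use */
+10.0.0.0/
+/* Shared address space */
+100.64.0.0/
+/* Loopback */
+127.0.0.0/
+/* Link local */
+169.254.0.0/
+/* Private-Use */
+172.16.0.0/
+/* IETF Protocol Assignments */
+192.0.0.0/
+/* Documentation (TEST-NET-1) */
+192.0.2.0/
+/* Private-Use */
+192.168.0.0/
+/* Benchmarking */
+198.18.0.0/
+/* Documentation (TEST-NET-2) */
+198.51.100.0/
+/* Documentation (TEST-NET-3) */
+203.0.113.0/
+/* Multicast */
+224.0.0.0/
+/* Former class E */
+240.0.0.0/
+/* Limited Broadcast */
+255.255.255.255/
+}
+prefix-list bogons6 {
+/* Unspecified Address */
+::/128;
+/* Loopback Address */
+::1/128;
+/* IPv4-mapped Address */
+::
+/* Discard-Only Address Block */
+100::/64;
+/* TEREDO */
+2001::/
+/* Benchmarking */
+2001:
+/* ORCHIDv2 */
+2001:
+/* Documentation */
+2001:
+/* 6to4 */
+2002::/
+/* Pandora - Hack Hack Hack */
+2620:
+/* Facebook - Latency nightmare */
+2a03:
+/* Unique-Local */
+fc00::/7;
+/* Linked-Scoped Unicast */
+fe80::/
+}
+prefix-list glanet-bogons {
+/* High risk of collision within GLaNET */
+192.168.0.0/
+/* High risk of collision within GLaNET */
+192.168.8.0/
+/* High risk of collision within GLaNET */
+192.168.100.0/
+/* High risk of collision within GLaNET */
+192.168.200.0/
+/* High risk of collision within GLaNET */
+192.168.252.0/
+}
+prefix-list as-self-glanet {
+/* REPLACE WITH YOUR OWN NETWORK */
+192.168.40.0/
+}
+prefix-list as-self6 {
+/* REPLACE WITH YOUR OWN NETWORK */
+2a06:
+}
+policy-statement bgp-import-glanet {
+term set-default {
+then default-action accept;
+}
+term glanet-bogons {
+from {
+prefix-list-filter glanet-bogons orlonger;
+prefix-list-filter as-self-glanet orlonger;
+}
+then reject;
+}
+term glanet {
+from {
+route-filter 192.168.0.0/
+route-filter 192.168.248.0/
+}
+then next policy;
+}
+term glanet6 {
+from {
+route-filter fd00:
+}
+then next policy;
+}
+term bogons {
+from {
+route-filter 0.0.0.0/0 upto /7;
+prefix-list-filter bogons orlonger;
+}
+then reject;
+}
+term bogons6 {
+from {
+route-filter ::/0 upto /16;
+route-filter ::/0 prefix-length-range /61-/128;
+prefix-list-filter bogons6 orlonger;
+prefix-list-filter as-self6 orlonger;
+}
+then reject;
+}
+}
+}
+</
+
+==== Cisco/
+
+<note important>
+=== IPv4 ===
 <
 ip prefix-list glanet-in description BGP IPv4 import filter
-! Deny default route
+! Deny default route and too large prefixes
-ip prefix-list glanet-in seq 10 deny 0.0.0.0/0
+ip prefix-list glanet-in seq 10 deny 0.0.0.0/
 ! Deny prefixes with high risk of collision within GLaNET range
 ip prefix-list glanet-in seq 20 deny 192.168.0.0/
@@ -23 +153 @@
 ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32
 ip prefix-list glanet-in seq 31 deny 172.16.0.0/
+! Deny shared address space
+ip prefix-list glanet-in seq 40 deny 100.64.0.0/
+! Deny link-local
+ip prefix-list glanet-in seq 50 deny 169.254.0.0/
+! Deny multicast
+ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32
+! Deny former class E
+ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32
 ! Allow everything
 ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32
 </
-==== IPv6 ====
+=== IPv6 ===
 <
-! Deny default route
+! Deny default route and too large prefixes
-ipv6 prefix-list glanet6-in deny 0::/0
+ipv6 prefix-list glanet6-in deny 0::/0 le 15
 ! Deny 6bone prefix (not used anymore)
 ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128
@@ -44 +182 @@
 ipv6 prefix-list glanet6-in deny 0000::/8 le 128
 ! Deny multicast prefixes
-ipv6 prefix-list glanet6-in deny fe00::/9 le 128
 ipv6 prefix-list glanet6-in deny ff00::/8 le 128
-! Permit everything else
+! Permit everything else but small prefixes
-ipv6 prefix-list glanet6-in permit 0::/0 le 128
+ipv6 prefix-list glanet6-in permit 0::/0 le 64
+</
+
+
+==== BIRD ====
+
+<note important>
+
+=== IPv4 ===
+<
+function net_martian()
+{
+return net ~ [ 169.254.0.0/
+
+
+
+
+}
+
+filter martians {
+if net_martian() then
+reject;
+else
+accept;
+}
+</
+
+=== IPv6 ===
+<
+function net_martian()
+{
+return net ~ [ 3ffe::/16+, 2001:
+
+}
+
+filter martians {
+if net_martian() then
+reject;
+else
+accept;
+}
 </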
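Review bot: The IOS IPv6 list's final entry `ipv6 prefix-list glanet6-in permit 0::/0 le 64` still admits /61–/64 routes, while the page's own guidance (the unchanged line 5 bullet) says not to advertise IPv6 prefixes longer than 60 bits and the new Junos term bogons6 rejects `route-filter ::/0 prefix-length-range /61-/128;`, so the two vendor examples disagree on the maximum accepted IPv6 length. The IOS IPv4 list likewise still ends with `ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32`, so nothing there enforces the 28-bit limit; the /32 exception for the services range would need its own permit entry ahead of it. Aligning the IOS lists with the Junos policy, e.g. `ipv6 prefix-list glanet6-in permit 0::/0 le 60`, would make the examples consistent with the stated guidance. Several prefix lengths in this section are cut off in the rendered view, so the IOS IPv4 entry at seq 10 and the Junos route-filter lines in terms glanet and glanet6 may already carry length ranges that are not visible here.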