Differences

This shows you the differences between two versions of the page.

--- doc:filters [2014/09/10 10:00] – Benjamin Collet
+++ doc:filters [2017/06/08 09:16] – Benjamin Collet
@@ Line 5: / Line 5: @@
   * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:
     * Non-RFC1918 addresses reachable via GLaNET.
-    * GLaNET services addresses (/32s from 192.168.248.0/22 and /64s from ''fd00:6b64:f3b0::/48'').
+    * GLaNET services addresses (/32s from 192.168.248.0/22 and /128s from ''fd00:6b64:f3b0::/48'').
-===== Example prefix lists =====
-==== IPv4 ====
-=== Cisco/Quagga ===
-<code>
+===== Example prefix lists (adapt to your needs) =====
-ip prefix-list glanet-in description BGP IPv4 import filter
+==== Juniper ====
-! Deny default route and too large prefixes
-ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7
-! Deny prefixes with high risk of collision within GLaNET range
-ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32
-ip prefix-list glanet-in seq 21 deny 192.168.8.0/22 le 32
-ip prefix-list glanet-in seq 22 deny 192.168.100.0/22 le 32
-ip prefix-list glanet-in seq 23 deny 192.168.200.0/22 le 32
-ip prefix-list glanet-in seq 24 deny 192.168.252.0/22 le 32
-! Deny other RFC1918 prefixes
-ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32
-ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32
-! Deny shared address space
-ip prefix-list glanet-in seq 40 deny 100.64.0.0/10 le 32
-! Deny link-local
-ip prefix-list glanet-in seq 50 deny 169.254.0.0/16 le 32
-! Deny multicast
-ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32
-! Deny former class E
-ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32
-! Allow everything
-ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32
-</code>
-=== BIRD ===
-<code>
-function net_martian()
-{
-  return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/22+,
-.168.8.0/22+, 192.168.100.0/22+, 192.168.200.0/22+,
-.168.252.0/22+, 10.0.0.0/8+, 100.64.0.0/10+,
-.16.0.0/12+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-,
-.0.0.0/0{0,7} ];
-}
-filter martians {
-  if net_martian() then
-    reject;
-  else
-    accept;
-}
-</code>
-=== Juniper ===
 <code>
 policy-options {
     prefix-list bogons {
-        /* Non-GLaNET RFC1918 prefix */
+        /* "This" network */
+.0.0.0/8;
+        /* Private-Use */
 .0.0.0/8;
         /* Shared address space */
 .64.0.0/10;
+        /* Loopback */
+.0.0.0/8;
         /* Link local */
 .254.0.0/16;
-        /* Non-GLaNET RFC1918 prefix */
+        /* Private-Use */
 .16.0.0/12;
+        /* IETF Protocol Assignments */
+.0.0.0/24;
+        /* Documentation (TEST-NET-1) */
+.0.2.0/24;
+        /* Private-Use */
+.168.0.0/16;
+        /* Benchmarking */
+.18.0.0/15;
+        /* Documentation (TEST-NET-2) */
+.51.100.0/24;
+        /* Documentation (TEST-NET-3) */
+.0.113.0/24;
+        /* Multicast */
+.0.0.0/4;
+        /* Former class E */
+.0.0.0/4;
+        /* Limited Broadcast */
+.255.255.255/32;
+    }
+    prefix-list bogons6 {
+        /* Unspecified Address */
+        ::/128;
+        /* Loopback Address */
+        ::1/128;
+        /* IPv4-mapped Address */
+        ::ffff:0:0/96;
+        /* Discard-Only Address Block */
+::/64;
+        /* TEREDO */
+::/32;
+        /* Benchmarking */
+:2::/48;
+        /* ORCHIDv2 */
+:20::/28;
+        /* Documentation */
+:db8::/32;
+        /* 6to4 */
+::/16;
+        /* Pandora - Hack Hack Hack */
+:106:e000::/44;
+        /* Facebook - Latency nightmare */
+a03:2880::/29;
+        /* Unique-Local */
+        fc00::/7;
+        /* Linked-Scoped Unicast */
+        fe80::/10;
+    }
+    prefix-list glanet-bogons {
         /* High risk of collision within GLaNET */
 .168.0.0/22;
@@ Line 77: / Line 82: @@
         /* High risk of collision within GLaNET */
 .168.252.0/22;
-        /* Multicast */
-.0.0.0/4;
-        /* Former class E */
-.0.0.0/4;
     }
-    policy-statement bgp-import-generic {
+    prefix-list as-self-glanet {
+        /* REPLACE WITH YOUR OWN NETWORK */
+.168.40.0/22;
+    }
+    prefix-list as-self6 {
+        /* REPLACE WITH YOUR OWN NETWORK */
+a06:e881:1100::/44;
+    }
+    policy-statement bgp-import-glanet {
         term set-default {
             then default-action accept;
         }
-        term default-route {
+        term glanet-bogons {
+            from {
+                prefix-list-filter glanet-bogons orlonger;
+                prefix-list-filter as-self-glanet orlonger;
+            }
+            then reject;
+        }
+        term glanet {
+            from {
+                route-filter 192.168.0.0/16 prefix-length-range /20-/28;
+                route-filter 192.168.248.0/24 prefix-length-range /32-/32;
+            }
+            then next policy;
+        }
+        term glanet6 {
             from {
-                route-filter 0.0.0.0/0 upto /7 reject;
+                route-filter fd00:6b64:f3b0::/48 prefix-length-range /128-/128;
             }
+            then next policy;
         }
         term bogons {
             from {
+                route-filter 0.0.0.0/0 upto /7;
                 prefix-list-filter bogons orlonger;
+            }
+            then reject;
+        }
+        term bogons6 {
+            from {
+                route-filter ::/0 upto /16;
+                route-filter ::/0 prefix-length-range /61-/128;
+                prefix-list-filter bogons6 orlonger;
+                prefix-list-filter as-self6 orlonger;
             }
             then reject;
@@ Line 101: / Line 135: @@
 </code>
-==== IPv6 ====
+==== Cisco/Quagga ====
-=== Cisco/Quagga ===
+<note important>These filters may be outdated.</note>
+=== IPv4 ===
+<code>
+ip prefix-list glanet-in description BGP IPv4 import filter
+! Deny default route and too large prefixes
+ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7
+! Deny prefixes with high risk of collision within GLaNET range
+ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32
+ip prefix-list glanet-in seq 21 deny 192.168.8.0/22 le 32
+ip prefix-list glanet-in seq 22 deny 192.168.100.0/22 le 32
+ip prefix-list glanet-in seq 23 deny 192.168.200.0/22 le 32
+ip prefix-list glanet-in seq 24 deny 192.168.252.0/22 le 32
+! Deny other RFC1918 prefixes
+ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32
+ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32
+! Deny shared address space
+ip prefix-list glanet-in seq 40 deny 100.64.0.0/10 le 32
+! Deny link-local
+ip prefix-list glanet-in seq 50 deny 169.254.0.0/16 le 32
+! Deny multicast
+ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32
+! Deny former class E
+ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32
+! Allow everything
+ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32
+</code>
+=== IPv6 ===
 <code>
 ! Deny default route and too large prefixes
@@ Line 125: / Line 187: @@
 </code>
-=== BIRD ===
+==== BIRD ====
+<note important>These filters may be outdated.</note>
+=== IPv4 ===
+<code>
+function net_martian()
+{
+  return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/22+,
+.168.8.0/22+, 192.168.100.0/22+, 192.168.200.0/22+,
+.168.252.0/22+, 10.0.0.0/8+, 100.64.0.0/10+,
+.16.0.0/12+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-,
+.0.0.0/0{0,7} ];
+}
+filter martians {
+  if net_martian() then
+    reject;
+  else
+    accept;
+}
+</code>
+=== IPv6 ===
 <code>
 function net_martian()