Differences
doc:filters [2014/09/10 10:00] – Benjamin Collet | doc:filters [2020/09/05 11:53] – [Juniper] Benjamin Collet | ||
---|---|---|---|
Line 3: | Line 3: | ||
* Everyone is free to filter on his AS as he wishes, however it is recommended to deny the default route((IPv4: | * Everyone is free to filter on his AS as he wishes, however it is recommended to deny the default route((IPv4: | ||
- | * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions: | + | * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 61 bits((Some members have small allocations)). Of course there are exceptions: |
* Non-RFC1918 addresses reachable via GLaNET. | * Non-RFC1918 addresses reachable via GLaNET. | ||
- | * GLaNET services addresses (/32s from 192.168.248.0/ | + | * GLaNET services addresses (/32s from 192.168.248.0/ |
- | + | ||
- | ===== Example prefix lists ===== | + | |
- | ==== IPv4 ==== | + | |
- | === Cisco/ | + | |
- | < | + | ===== Example prefix lists (adapt to your needs) ===== |
- | ip prefix-list glanet-in description BGP IPv4 import filter | + | ==== Juniper |
- | ! Deny default route and too large prefixes | + | |
- | ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7 | + | |
- | ! Deny prefixes with high risk of collision within GLaNET range | + | |
- | ip prefix-list glanet-in seq 20 deny 192.168.0.0/ | + | |
- | ip prefix-list glanet-in seq 21 deny 192.168.8.0/ | + | |
- | ip prefix-list glanet-in seq 22 deny 192.168.100.0/ | + | |
- | ip prefix-list glanet-in seq 23 deny 192.168.200.0/ | + | |
- | ip prefix-list glanet-in seq 24 deny 192.168.252.0/ | + | |
- | ! Deny other RFC1918 prefixes | + | |
- | ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32 | + | |
- | ip prefix-list glanet-in seq 31 deny 172.16.0.0/ | + | |
- | ! Deny shared address space | + | |
- | ip prefix-list glanet-in seq 40 deny 100.64.0.0/ | + | |
- | ! Deny link-local | + | |
- | ip prefix-list glanet-in seq 50 deny 169.254.0.0/ | + | |
- | ! Deny multicast | + | |
- | ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32 | + | |
- | ! Deny former class E | + | |
- | ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32 | + | |
- | ! Allow everything | + | |
- | ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32 | + | |
- | </ | + | |
- | + | ||
- | === BIRD === | + | |
- | < | + | |
- | function net_martian() | + | |
- | { | + | |
- | return net ~ [ 169.254.0.0/ | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | } | + | |
- | + | ||
- | filter martians { | + | |
- | if net_martian() then | + | |
- | reject; | + | |
- | else | + | |
- | accept; | + | |
- | } | + | |
- | </ | + | |
- | + | ||
- | === Juniper === | + | |
< | < | ||
policy-options { | policy-options { | ||
prefix-list bogons { | prefix-list bogons { | ||
- | /* Non-GLaNET RFC1918 prefix | + | /* " |
+ | 0.0.0.0/ | ||
+ | /* Private-Use */ | ||
10.0.0.0/8; | 10.0.0.0/8; | ||
/* Shared address space */ | /* Shared address space */ | ||
100.64.0.0/ | 100.64.0.0/ | ||
+ | /* Loopback */ | ||
+ | 127.0.0.0/ | ||
/* Link local */ | /* Link local */ | ||
169.254.0.0/ | 169.254.0.0/ | ||
- | /* Non-GLaNET RFC1918 prefix | + | /* Private-Use */ |
172.16.0.0/ | 172.16.0.0/ | ||
+ | /* IETF Protocol Assignments */ | ||
+ | 192.0.0.0/ | ||
+ | /* Documentation (TEST-NET-1) */ | ||
+ | 192.0.2.0/ | ||
+ | /* Private-Use */ | ||
+ | 192.168.0.0/ | ||
+ | /* Benchmarking */ | ||
+ | 198.18.0.0/ | ||
+ | /* Documentation (TEST-NET-2) */ | ||
+ | 198.51.100.0/ | ||
+ | /* Documentation (TEST-NET-3) */ | ||
+ | 203.0.113.0/ | ||
+ | /* Multicast */ | ||
+ | 224.0.0.0/ | ||
+ | /* Former class E */ | ||
+ | 240.0.0.0/ | ||
+ | /* Limited Broadcast */ | ||
+ | 255.255.255.255/ | ||
+ | } | ||
+ | prefix-list bogons6 { | ||
+ | /* Unspecified Address */ | ||
+ | ::/128; | ||
+ | /* Loopback Address */ | ||
+ | ::1/128; | ||
+ | /* IPv4-mapped Address */ | ||
+ | :: | ||
+ | /* Discard-Only Address Block */ | ||
+ | 100::/64; | ||
+ | /* TEREDO */ | ||
+ | 2001::/32; | ||
+ | /* Benchmarking */ | ||
+ | 2001: | ||
+ | /* ORCHIDv2 */ | ||
+ | 2001: | ||
+ | /* Documentation */ | ||
+ | 2001: | ||
+ | /* 6to4 */ | ||
+ | 2002::/16; | ||
+ | /* Unique-Local */ | ||
+ | fc00::/7; | ||
+ | /* Linked-Scoped Unicast */ | ||
+ | fe80::/10; | ||
+ | } | ||
+ | prefix-list glanet-bogons { | ||
/* High risk of collision within GLaNET */ | /* High risk of collision within GLaNET */ | ||
192.168.0.0/ | 192.168.0.0/ | ||
Line 77: | Line 78: | ||
/* High risk of collision within GLaNET */ | /* High risk of collision within GLaNET */ | ||
192.168.252.0/ | 192.168.252.0/ | ||
- | /* Multicast */ | ||
- | 224.0.0.0/ | ||
- | /* Former class E */ | ||
- | 240.0.0.0/ | ||
} | } | ||
- | policy-statement bgp-import-generic | + | |
+ | /* REPLACE WITH YOUR OWN IPv4 PUBLIC PREFIX */ | ||
+ | 192.0.2.0/ | ||
+ | } | ||
+ | prefix-list as-self-glanet { | ||
+ | /* REPLACE WITH YOUR OWN IPv4 GLANET PREFIX */ | ||
+ | 192.168.40.0/ | ||
+ | } | ||
+ | prefix-list as-self6 { | ||
+ | /* REPLACE WITH YOUR OWN IPv6 PUBLIC PREFIX */ | ||
+ | 2001: | ||
+ | } | ||
+ | | ||
term set-default { | term set-default { | ||
then default-action accept; | then default-action accept; | ||
} | } | ||
- | term default-route { | + | term glanet-bogons { |
+ | from { | ||
+ | prefix-list-filter glanet-bogons orlonger; | ||
+ | prefix-list-filter as-self-glanet orlonger; | ||
+ | } | ||
+ | then reject; | ||
+ | } | ||
+ | term glanet { | ||
+ | from { | ||
+ | | ||
+ | route-filter 192.168.248.0/ | ||
+ | } | ||
+ | then next policy; | ||
+ | } | ||
+ | term glanet6 | ||
from { | from { | ||
- | route-filter | + | route-filter |
} | } | ||
+ | then next policy; | ||
} | } | ||
term bogons { | term bogons { | ||
from { | from { | ||
+ | route-filter 0.0.0.0/0 upto /7; | ||
prefix-list-filter bogons orlonger; | prefix-list-filter bogons orlonger; | ||
+ | prefix-list-filter as-self orlonger; | ||
+ | } | ||
+ | then reject; | ||
+ | } | ||
+ | term bogons6 { | ||
+ | from { | ||
+ | route-filter ::/0 upto /16; | ||
+ | route-filter ::/0 prefix-length-range /62-/128; | ||
+ | prefix-list-filter bogons6 orlonger; | ||
+ | prefix-list-filter as-self6 orlonger; | ||
} | } | ||
then reject; | then reject; | ||
Line 101: | Line 136: | ||
</ | </ | ||
- | ==== IPv6 ==== | + | ==== Cisco/ |
- | === Cisco/ | + | |
+ | <note important> | ||
+ | |||
+ | === IPv4 === | ||
+ | < | ||
+ | ip prefix-list glanet-in description BGP IPv4 import filter | ||
+ | ! Deny default route and too large prefixes | ||
+ | ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7 | ||
+ | ! Deny prefixes with high risk of collision within GLaNET range | ||
+ | ip prefix-list glanet-in seq 20 deny 192.168.0.0/ | ||
+ | ip prefix-list glanet-in seq 21 deny 192.168.8.0/ | ||
+ | ip prefix-list glanet-in seq 22 deny 192.168.100.0/ | ||
+ | ip prefix-list glanet-in seq 23 deny 192.168.200.0/ | ||
+ | ip prefix-list glanet-in seq 24 deny 192.168.252.0/ | ||
+ | ! Deny other RFC1918 prefixes | ||
+ | ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32 | ||
+ | ip prefix-list glanet-in seq 31 deny 172.16.0.0/ | ||
+ | ! Deny shared address space | ||
+ | ip prefix-list glanet-in seq 40 deny 100.64.0.0/ | ||
+ | ! Deny link-local | ||
+ | ip prefix-list glanet-in seq 50 deny 169.254.0.0/ | ||
+ | ! Deny multicast | ||
+ | ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32 | ||
+ | ! Deny former class E | ||
+ | ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32 | ||
+ | ! Allow everything | ||
+ | ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32 | ||
+ | </ | ||
+ | === IPv6 === | ||
< | < | ||
! Deny default route and too large prefixes | ! Deny default route and too large prefixes | ||
Line 125: | Line 188: | ||
</ | </ | ||
- | === BIRD === | ||
+ | ==== BIRD ==== | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | === IPv4 === | ||
+ | < | ||
+ | function net_martian() | ||
+ | { | ||
+ | return net ~ [ 169.254.0.0/ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | } | ||
+ | |||
+ | filter martians { | ||
+ | if net_martian() then | ||
+ | reject; | ||
+ | else | ||
+ | accept; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | === IPv6 === | ||
< | < | ||
function net_martian() | function net_martian() |