doc:filters [2012/03/08 23:55]
Benjamin Collet created
doc:filters [2017/06/08 11:16] (current)
Benjamin Collet
Line 5: Line 5:
   * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:   * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:
     * Non-RFC1918 addresses reachable via GLaNET.     * Non-RFC1918 addresses reachable via GLaNET.
-    * GLaNET services addresses (192.168.248.0/​22 and ''​fd00:​6b64:​f3b0::/​48''​).+    * GLaNET services addresses (/32s from 192.168.248.0/​22 and /128s from ''​fd00:​6b64:​f3b0::/​48''​).
  
-===== Example prefix lists ===== +===== Example prefix lists (adapt to your needs) ​===== 
-==== IPv4 ====+==== Juniper ==== 
 +<​code>​ 
 +policy-options { 
 +    prefix-list bogons { 
 +        /* "​This"​ network */ 
 +        0.0.0.0/​8;​ 
 +        /* Private-Use */ 
 +        10.0.0.0/​8;​ 
 +        /* Shared address space */ 
 +        100.64.0.0/​10;​ 
 +        /* Loopback */ 
 +        127.0.0.0/​8;​ 
 +        /* Link local */ 
 +        169.254.0.0/​16;​ 
 +        /* Private-Use */ 
 +        172.16.0.0/​12;​ 
 +        /* IETF Protocol Assignments */ 
 +        192.0.0.0/​24;​ 
 +        /* Documentation (TEST-NET-1) */ 
 +        192.0.2.0/​24;​ 
 +        /* Private-Use */ 
 +        192.168.0.0/​16;​ 
 +        /* Benchmarking */ 
 +        198.18.0.0/​15;​ 
 +        /* Documentation (TEST-NET-2) */ 
 +        198.51.100.0/​24;​ 
 +        /* Documentation (TEST-NET-3) */ 
 +        203.0.113.0/​24;​ 
 +        /* Multicast */ 
 +        224.0.0.0/​4;​ 
 +        /* Former class E */ 
 +        240.0.0.0/​4;​ 
 +        /* Limited Broadcast */ 
 +        255.255.255.255/​32;​ 
 +    } 
 +    prefix-list bogons6 { 
 +        /* Unspecified Address */ 
 +        ::/128; 
 +        /* Loopback Address */ 
 +        ::1/128; 
 +        /* IPv4-mapped Address */ 
 +        ::​ffff:​0:​0/​96;​ 
 +        /* Discard-Only Address Block */ 
 +        100::/64; 
 +        /* TEREDO */ 
 +        2001::/​32;​ 
 +        /* Benchmarking */ 
 +        2001:​2::/​48;​ 
 +        /* ORCHIDv2 */ 
 +        2001:​20::/​28;​ 
 +        /* Documentation */ 
 +        2001:​db8::/​32;​ 
 +        /* 6to4 */ 
 +        2002::/​16;​ 
 +        /* Pandora - Hack Hack Hack */ 
 +        2620:​106:​e000::/​44;​ 
 +        /* Facebook - Latency nightmare */ 
 +        2a03:​2880::/​29;​ 
 +        /* Unique-Local */ 
 +        fc00::/7; 
 +        /* Linked-Scoped Unicast */ 
 +        fe80::/​10;​ 
 +    } 
 +    prefix-list glanet-bogons { 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.0.0/​22;​ 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.8.0/​22;​ 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.100.0/​22;​ 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.200.0/​22;​ 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.252.0/​22;​ 
 +    } 
 +    prefix-list as-self-glanet { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        192.168.40.0/​22;​ 
 +    } 
 +    prefix-list as-self6 { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        2a06:​e881:​1100::/​44;​ 
 +    } 
 +    policy-statement bgp-import-glanet { 
 +        term set-default { 
 +            then default-action accept; 
 +        } 
 +        term glanet-bogons { 
 +            from { 
 +                prefix-list-filter glanet-bogons orlonger; 
 +                prefix-list-filter as-self-glanet orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +        term glanet { 
 +            from { 
 +                route-filter 192.168.0.0/​16 prefix-length-range /20-/28; 
 +                route-filter 192.168.248.0/​24 prefix-length-range /32-/32; 
 +            } 
 +            then next policy; 
 +        } 
 +        term glanet6 { 
 +            from { 
 +                route-filter fd00:​6b64:​f3b0::/​48 prefix-length-range /​128-/​128;​ 
 +            } 
 +            then next policy; 
 +        } 
 +        term bogons { 
 +            from { 
 +                route-filter 0.0.0.0/0 upto /7; 
 +                prefix-list-filter bogons orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +        term bogons6 { 
 +            from { 
 +                route-filter ::/0 upto /16; 
 +                route-filter ::/0 prefix-length-range /61-/128; 
 +                prefix-list-filter bogons6 orlonger; 
 +                prefix-list-filter as-self6 orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +    } 
 +
 +</​code>​ 
 + 
 +==== Cisco/​Quagga ==== 
 + 
 +<note important>​These filters may be outdated.</​note>​
  
 +=== IPv4 ===
 <​code>​ <​code>​
 ip prefix-list glanet-in description BGP IPv4 import filter ip prefix-list glanet-in description BGP IPv4 import filter
-! Deny default route +! Deny default route and too large prefixes 
-ip prefix-list glanet-in seq 10 deny 0.0.0.0/0+ip prefix-list glanet-in seq 10 deny 0.0.0.0/​0 ​le 7
 ! Deny prefixes with high risk of collision within GLaNET range ! Deny prefixes with high risk of collision within GLaNET range
 ip prefix-list glanet-in seq 20 deny 192.168.0.0/​22 le 32 ip prefix-list glanet-in seq 20 deny 192.168.0.0/​22 le 32
Line 23: Line 153:
 ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32 ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32
 ip prefix-list glanet-in seq 31 deny 172.16.0.0/​12 le 32 ip prefix-list glanet-in seq 31 deny 172.16.0.0/​12 le 32
 +! Deny shared address space
 +ip prefix-list glanet-in seq 40 deny 100.64.0.0/​10 le 32
 +! Deny link-local
 +ip prefix-list glanet-in seq 50 deny 169.254.0.0/​16 le 32
 +! Deny multicast
 +ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32
 +! Deny former class E
 +ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32
 ! Allow everything ! Allow everything
 ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32 ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32
 </​code>​ </​code>​
  
-==== IPv6 ====+=== IPv6 ===
 <​code>​ <​code>​
-! Deny default route +! Deny default route and too large prefixes 
-ipv6 prefix-list glanet6-in deny 0::/0+ipv6 prefix-list glanet6-in deny 0::/0 le 15
 ! Deny 6bone prefix (not used anymore) ! Deny 6bone prefix (not used anymore)
 ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128 ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128
Line 44: Line 182:
 ipv6 prefix-list glanet6-in deny 0000::/8 le 128 ipv6 prefix-list glanet6-in deny 0000::/8 le 128
 ! Deny multicast prefixes ! Deny multicast prefixes
-ipv6 prefix-list glanet6-in deny fe00::/9 le 128 
 ipv6 prefix-list glanet6-in deny ff00::/8 le 128 ipv6 prefix-list glanet6-in deny ff00::/8 le 128
-! Permit everything else +! Permit everything else but small prefixes 
-ipv6 prefix-list glanet6-in permit 0::/0 le 128+ipv6 prefix-list glanet6-in permit 0::/0 le 64 
 +</​code>​ 
 + 
 + 
 +==== BIRD ==== 
 + 
 +<note important>​These filters may be outdated.</​note>​ 
 + 
 +=== IPv4 === 
 +<​code>​ 
 +function net_martian() 
 +{        
 +  return net ~ [ 169.254.0.0/​16+,​ 172.16.0.0/​12+,​ 192.168.0.0/​22+,​ 
 +                 ​192.168.8.0/​22+,​ 192.168.100.0/​22+,​ 192.168.200.0/​22+,​ 
 +                 ​192.168.252.0/​22+,​ 10.0.0.0/​8+,​ 100.64.0.0/​10+,​ 
 +                 ​172.16.0.0/​12+,​ 224.0.0.0/​4+,​ 240.0.0.0/​4+,​ 0.0.0.0/​32-,​ 
 +                 ​0.0.0.0/​0{0,​7} ]; 
 +
 + 
 +filter martians { 
 +  if net_martian() then 
 +    reject; 
 +  else 
 +    accept; 
 +
 +</​code>​ 
 + 
 +=== IPv6 === 
 +<​code>​ 
 +function net_martian() 
 +
 +  return net ~ [ 3ffe::/16+, 2001:​db8::/​32+,​ 2001::/33+, 2002::/17+, 0000::/​8+,​ 
 +                 ​fe00::/​8+, ​ ::/128-, ::/0{0,15}, ::/​0{65,​128} ]; 
 +
 + 
 +filter martians { 
 +  if net_martian() then 
 +    reject; 
 +  else 
 +    accept; 
 +}
 </​code>​ </​code>​
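Review bot: The services carve-out in term `glanet` (`route-filter 192.168.248.0/24 prefix-length-range /32-/32;`) covers only the first /24, while the updated bullet above states that service addresses are /32s from all of 192.168.248.0/22; a /32 in 192.168.249.0–192.168.251.255 would miss term `glanet` and then be rejected by term `bogons` via `prefix-list-filter bogons orlonger` (192.168.0.0/16 is in that list). If the /22 is what is meant, the line should read `route-filter 192.168.248.0/22 prefix-length-range /32-/32;`; if the /24 is deliberate, the prose should say so. Separately, the BIRD IPv4 `net_martian()` list carries `172.16.0.0/12+` twice, which is harmless but worth pruning. The Cisco IPv6 list also permits up to /64 and the BIRD IPv6 list rejects /65 and longer, whereas the Juniper policy rejects /61 and longer and explicitly passes the /128 service addresses, so the three examples do not enforce the same limits; that may be intended given the "may be outdated" notes, but a one-line remark saying which one is authoritative would help.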