doc:filters [2012/03/08 23:55]
Benjamin Collet created
doc:filters [2020/03/21 17:09] (current)
Johan Fleury
Line 3: Line 3:
  
   * Everyone is free to filter on his AS as he wishes, however it is recommended to deny the default route((IPv4: ''0.0.0.0/0'' | IPv6: ''::0/0'')), inbound and outbound.   * Everyone is free to filter on his AS as he wishes, however it is recommended to deny the default route((IPv4: ''0.0.0.0/0'' | IPv6: ''::0/0'')), inbound and outbound.
-  * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:+  * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 61 bits((Some members have small allocations)). Of course there are exceptions:
     * Non-RFC1918 addresses reachable via GLaNET.     * Non-RFC1918 addresses reachable via GLaNET.
-    * GLaNET services addresses (192.168.248.0/22 and ''fd00:6b64:f3b0::/48'').+    * GLaNET services addresses (/32s from 192.168.248.0/22 and /128s from ''fd00:6b64:f3b0::/48'').
  
-===== Example prefix lists ===== +===== Example prefix lists (adapt to your needs) ===== 
-==== IPv4 ====+==== Juniper ==== 
 +<code> 
 +policy-options { 
 +    prefix-list bogons { 
 +        /* "This" network */ 
 +        0.0.0.0/8; 
 +        /* Private-Use */ 
 +        10.0.0.0/8; 
 +        /* Shared address space */ 
 +        100.64.0.0/10; 
 +        /* Loopback */ 
 +        127.0.0.0/8; 
 +        /* Link local */ 
 +        169.254.0.0/16; 
 +        /* Private-Use */ 
 +        172.16.0.0/12; 
 +        /* IETF Protocol Assignments */ 
 +        192.0.0.0/24; 
 +        /* Documentation (TEST-NET-1) */ 
 +        192.0.2.0/24; 
 +        /* Private-Use */ 
 +        192.168.0.0/16; 
 +        /* Benchmarking */ 
 +        198.18.0.0/15; 
 +        /* Documentation (TEST-NET-2) */ 
 +        198.51.100.0/24; 
 +        /* Documentation (TEST-NET-3) */ 
 +        203.0.113.0/24; 
 +        /* Multicast */ 
 +        224.0.0.0/4; 
 +        /* Former class E */ 
 +        240.0.0.0/4; 
 +        /* Limited Broadcast */ 
 +        255.255.255.255/32; 
 +    } 
 +    prefix-list bogons6 { 
 +        /* Unspecified Address */ 
 +        ::/128; 
 +        /* Loopback Address */ 
 +        ::1/128; 
 +        /* IPv4-mapped Address */ 
 +        ::ffff:0:0/96; 
 +        /* Discard-Only Address Block */ 
 +        100::/64; 
 +        /* TEREDO */ 
 +        2001::/32; 
 +        /* Benchmarking */ 
 +        2001:2::/48; 
 +        /* ORCHIDv2 */ 
 +        2001:20::/28; 
 +        /* Documentation */ 
 +        2001:db8::/32; 
 +        /* 6to4 */ 
 +        2002::/16; 
 +        /* Pandora - Hack Hack Hack */ 
 +        2620:106:e000::/44; 
 +        /* Facebook - Latency nightmare */ 
 +        2a03:2880::/29; 
 +        /* Unique-Local */ 
 +        fc00::/7; 
 +        /* Linked-Scoped Unicast */ 
 +        fe80::/10; 
 +    } 
 +    prefix-list glanet-bogons { 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.0.0/22; 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.8.0/22; 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.100.0/22; 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.200.0/22; 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.252.0/22; 
 +    } 
 +    prefix-list as-self-glanet { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        192.168.40.0/22; 
 +    } 
 +    prefix-list as-self6 { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        2a06:e881:1100::/44; 
 +    } 
 +    policy-statement bgp-import-glanet { 
 +        term set-default { 
 +            then default-action accept; 
 +        } 
 +        term glanet-bogons { 
 +            from { 
 +                prefix-list-filter glanet-bogons orlonger; 
 +                prefix-list-filter as-self-glanet orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +        term glanet { 
 +            from { 
 +                route-filter 192.168.0.0/16 prefix-length-range /20-/28; 
 +                route-filter 192.168.248.0/24 prefix-length-range /32-/32; 
 +            } 
 +            then next policy; 
 +        } 
 +        term glanet6 { 
 +            from { 
 +                route-filter fd00:6b64:f3b0::/48 prefix-length-range /128-/128; 
 +            } 
 +            then next policy; 
 +        } 
 +        term bogons { 
 +            from { 
 +                route-filter 0.0.0.0/0 upto /7; 
 +                prefix-list-filter bogons orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +        term bogons6 { 
 +            from { 
 +                route-filter ::/0 upto /16; 
 +                route-filter ::/0 prefix-length-range /62-/128; 
 +                prefix-list-filter bogons6 orlonger; 
 +                prefix-list-filter as-self6 orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +    } 
 +
 +</code> 
 + 
 +==== Cisco/Quagga ==== 
 + 
 +<note important>These filters may be outdated.</note>
  
 +=== IPv4 ===
 <code> <code>
 ip prefix-list glanet-in description BGP IPv4 import filter ip prefix-list glanet-in description BGP IPv4 import filter
-! Deny default route +! Deny default route and too large prefixes 
-ip prefix-list glanet-in seq 10 deny 0.0.0.0/0+ip prefix-list glanet-in seq 10 deny 0.0.0.0/le 7
 ! Deny prefixes with high risk of collision within GLaNET range ! Deny prefixes with high risk of collision within GLaNET range
 ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32 ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32
Line 23: Line 153:
 ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32 ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32
 ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32 ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32
 +! Deny shared address space
 +ip prefix-list glanet-in seq 40 deny 100.64.0.0/10 le 32
 +! Deny link-local
 +ip prefix-list glanet-in seq 50 deny 169.254.0.0/16 le 32
 +! Deny multicast
 +ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32
 +! Deny former class E
 +ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32
 ! Allow everything ! Allow everything
 ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32 ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32
 </code> </code>
  
-==== IPv6 ====+=== IPv6 ===
 <code> <code>
-! Deny default route +! Deny default route and too large prefixes 
-ipv6 prefix-list glanet6-in deny 0::/0+ipv6 prefix-list glanet6-in deny 0::/0 le 15
 ! Deny 6bone prefix (not used anymore) ! Deny 6bone prefix (not used anymore)
 ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128 ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128
Line 44: Line 182:
 ipv6 prefix-list glanet6-in deny 0000::/8 le 128 ipv6 prefix-list glanet6-in deny 0000::/8 le 128
 ! Deny multicast prefixes ! Deny multicast prefixes
-ipv6 prefix-list glanet6-in deny fe00::/9 le 128 
 ipv6 prefix-list glanet6-in deny ff00::/8 le 128 ipv6 prefix-list glanet6-in deny ff00::/8 le 128
-! Permit everything else +! Permit everything else but small prefixes 
-ipv6 prefix-list glanet6-in permit 0::/0 le 128+ipv6 prefix-list glanet6-in permit 0::/0 le 64 
 +</code> 
 + 
 + 
 +==== BIRD ==== 
 + 
 +<note important>These filters may be outdated.</note> 
 + 
 +=== IPv4 === 
 +<code> 
 +function net_martian() 
 +{        
 +  return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/22+, 
 +                 192.168.8.0/22+, 192.168.100.0/22+, 192.168.200.0/22+, 
 +                 192.168.252.0/22+, 10.0.0.0/8+, 100.64.0.0/10+, 
 +                 172.16.0.0/12+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-, 
 +                 0.0.0.0/0{0,7} ]; 
 +
 + 
 +filter martians { 
 +  if net_martian() then 
 +    reject; 
 +  else 
 +    accept; 
 +
 +</code> 
 + 
 +=== IPv6 === 
 +<code> 
 +function net_martian() 
 +
 +  return net ~ [ 3ffe::/16+, 2001:db8::/32+, 2001::/33+, 2002::/17+, 0000::/8+, 
 +                 fe00::/8+,  ::/128-, ::/0{0,15}, ::/0{65,128} ]; 
 +
 + 
 +filter martians { 
 +  if net_martian() then 
 +    reject; 
 +  else 
 +    accept; 
 +}
 </code> </code>
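Review bot: The rewritten Cisco/Quagga IPv4 entry `ip prefix-list glanet-in seq 10 deny 0.0.0.0/le 7` drops the prefix length and will not parse as written; the intended line is `ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7`, matching the IPv6 counterpart `deny 0::/0 le 15`. The three examples also disagree on the longest accepted IPv6 prefix: the text above says 61 bits and the Juniper policy rejects `/62-/128`, but the Cisco list permits `0::/0 le 64` and the BIRD filter only rejects `::/0{65,128}`, so two of them accept /62–/64 routes the text says to deny — worth aligning or noting as deliberate. In the Juniper `term glanet`, `route-filter 192.168.248.0/24 prefix-length-range /32-/32` covers only a /24 while the text describes service /32s from 192.168.248.0/22; /32s in the rest of that /22 fall through to `prefix-list bogons` (192.168.0.0/16 orlonger) and are rejected, which looks unintended. Minor: the BIRD IPv4 `net_martian()` set lists `172.16.0.0/12+` twice.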