doc:filters [2012/08/28 14:26]
Benjamin Collet
doc:filters [2020/03/21 17:09] (current)
Johan Fleury
Line 3: Line 3:
  
   * Everyone is free to filter on his AS as he wishes, however it is recommended to deny the default route((IPv4: ''0.0.0.0/0'' | IPv6: ''::0/0'')), inbound and outbound.   * Everyone is free to filter on his AS as he wishes, however it is recommended to deny the default route((IPv4: ''0.0.0.0/0'' | IPv6: ''::0/0'')), inbound and outbound.
-  * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:+  * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 61 bits((Some members have small allocations)). Of course there are exceptions:
     * Non-RFC1918 addresses reachable via GLaNET.     * Non-RFC1918 addresses reachable via GLaNET.
-    * GLaNET services addresses (/32s from 192.168.248.0/22 and /64s from ''fd00:6b64:f3b0::/48'').+    * GLaNET services addresses (/32s from 192.168.248.0/22 and /128s from ''fd00:6b64:f3b0::/48'').
  
-===== Example prefix lists ===== +===== Example prefix lists (adapt to your needs) ===== 
-==== IPv4 ==== +==== Juniper ==== 
-=== Cisco/Quagga ===+<code> 
 +policy-options { 
 +    prefix-list bogons { 
 +        /* "This" network */ 
 +        0.0.0.0/8; 
 +        /* Private-Use */ 
 +        10.0.0.0/8; 
 +        /* Shared address space */ 
 +        100.64.0.0/10; 
 +        /* Loopback */ 
 +        127.0.0.0/8; 
 +        /* Link local */ 
 +        169.254.0.0/16; 
 +        /* Private-Use */ 
 +        172.16.0.0/12; 
 +        /* IETF Protocol Assignments */ 
 +        192.0.0.0/24; 
 +        /* Documentation (TEST-NET-1) */ 
 +        192.0.2.0/24; 
 +        /* Private-Use */ 
 +        192.168.0.0/16; 
 +        /* Benchmarking */ 
 +        198.18.0.0/15; 
 +        /* Documentation (TEST-NET-2) */ 
 +        198.51.100.0/24; 
 +        /* Documentation (TEST-NET-3) */ 
 +        203.0.113.0/24; 
 +        /* Multicast */ 
 +        224.0.0.0/4; 
 +        /* Former class E */ 
 +        240.0.0.0/4; 
 +        /* Limited Broadcast */ 
 +        255.255.255.255/32; 
 +    } 
 +    prefix-list bogons6 { 
 +        /* Unspecified Address */ 
 +        ::/128; 
 +        /* Loopback Address */ 
 +        ::1/128; 
 +        /* IPv4-mapped Address */ 
 +        ::ffff:0:0/96; 
 +        /* Discard-Only Address Block */ 
 +        100::/64; 
 +        /* TEREDO */ 
 +        2001::/32; 
 +        /* Benchmarking */ 
 +        2001:2::/48; 
 +        /* ORCHIDv2 */ 
 +        2001:20::/28; 
 +        /* Documentation */ 
 +        2001:db8::/32; 
 +        /* 6to4 */ 
 +        2002::/16; 
 +        /* Pandora - Hack Hack Hack */ 
 +        2620:106:e000::/44; 
 +        /* Facebook - Latency nightmare */ 
 +        2a03:2880::/29; 
 +        /* Unique-Local */ 
 +        fc00::/7; 
 +        /* Linked-Scoped Unicast */ 
 +        fe80::/10; 
 +    } 
 +    prefix-list glanet-bogons { 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.0.0/22; 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.8.0/22; 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.100.0/22; 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.200.0/22; 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.252.0/22; 
 +    } 
 +    prefix-list as-self-glanet { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        192.168.40.0/22; 
 +    } 
 +    prefix-list as-self6 { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        2a06:e881:1100::/44; 
 +    } 
 +    policy-statement bgp-import-glanet { 
 +        term set-default { 
 +            then default-action accept; 
 +        } 
 +        term glanet-bogons { 
 +            from { 
 +                prefix-list-filter glanet-bogons orlonger; 
 +                prefix-list-filter as-self-glanet orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +        term glanet { 
 +            from { 
 +                route-filter 192.168.0.0/16 prefix-length-range /20-/28; 
 +                route-filter 192.168.248.0/24 prefix-length-range /32-/32; 
 +            } 
 +            then next policy; 
 +        } 
 +        term glanet6 { 
 +            from { 
 +                route-filter fd00:6b64:f3b0::/48 prefix-length-range /128-/128; 
 +            } 
 +            then next policy; 
 +        } 
 +        term bogons { 
 +            from { 
 +                route-filter 0.0.0.0/0 upto /7; 
 +                prefix-list-filter bogons orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +        term bogons6 { 
 +            from { 
 +                route-filter ::/0 upto /16; 
 +                route-filter ::/0 prefix-length-range /62-/128; 
 +                prefix-list-filter bogons6 orlonger; 
 +                prefix-list-filter as-self6 orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +    } 
 +
 +</code> 
 + 
 +==== Cisco/Quagga ===
 + 
 +<note important>These filters may be outdated.</note>
  
 +=== IPv4 ===
 <code> <code>
 ip prefix-list glanet-in description BGP IPv4 import filter ip prefix-list glanet-in description BGP IPv4 import filter
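Review bot: In term glanet, `route-filter 192.168.248.0/24 prefix-length-range /32-/32;` only passes service /32s drawn from a /24, while the bullet rewritten at the top of this hunk says GLaNET services addresses are /32s from 192.168.248.0/22. Because term bogons then matches 192.168.0.0/16 via `prefix-list-filter bogons orlonger` and rejects, a service /32 in 192.168.249.0–192.168.251.255 would be dropped by this policy rather than accepted. If the /22 in the prose is the intended range, the line should read `route-filter 192.168.248.0/22 prefix-length-range /32-/32;`; otherwise the prose should be narrowed to /24 so readers adapting the example do not inherit the mismatch. The ordering of the glanet-bogons reject term ahead of the accepting terms is what makes that reject win, so any fix should keep it in place.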
Line 36: Line 165:
 </code> </code>
  
-=== BIRD === +=== IPv6 ===
-<code> +
-function net_martian() +
-{        +
-  return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/22+, +
-                 192.168.8.0/22+, 192.168.100.0/22+, 192.168.200.0/22+, +
-                 192.168.252.0/22+, 10.0.0.0/8+, 100.64.0.0/10+, +
-                 172.16.0.0/12+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-, +
-                 0.0.0.0/0{0,7} ]; +
-+
- +
-filter martians { +
-  if net_martian() then +
-    reject; +
-  else +
-    accept; +
-+
-</code> +
- +
- +
-==== IPv6 ===+
-=== Cisco/Quagga === +
 <code> <code>
 ! Deny default route and too large prefixes ! Deny default route and too large prefixes
Line 80: Line 187:
 </code> </code>
  
-=== BIRD === 
  
 +==== BIRD ====
 +
 +<note important>These filters may be outdated.</note>
 +
 +=== IPv4 ===
 +<code>
 +function net_martian()
 +{       
 +  return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/22+,
 +                 192.168.8.0/22+, 192.168.100.0/22+, 192.168.200.0/22+,
 +                 192.168.252.0/22+, 10.0.0.0/8+, 100.64.0.0/10+,
 +                 172.16.0.0/12+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-,
 +                 0.0.0.0/0{0,7} ];
 +}
 +
 +filter martians {
 +  if net_martian() then
 +    reject;
 +  else
 +    accept;
 +}
 +</code>
 +
 +=== IPv6 ===
 <code> <code>
 function net_martian() function net_martian()
-  +
-  return net ~ [ 3ffe::/16+, 2001:db8::/32+, 2001::/33+, 2002::/17+, 0000::/8+,                                  +  return net ~ [ 3ffe::/16+, 2001:db8::/32+, 2001::/33+, 2002::/17+, 0000::/8+,
                  fe00::/8+,  ::/128-, ::/0{0,15}, ::/0{65,128} ];                  fe00::/8+,  ::/128-, ::/0{0,15}, ::/0{65,128} ];
 } }