doc:filters [2012/08/28 14:27]
Benjamin Collet
doc:filters [2017/06/08 11:16] (current)
Benjamin Collet
Line 5: Line 5:
   * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:   * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:
     * Non-RFC1918 addresses reachable via GLaNET.     * Non-RFC1918 addresses reachable via GLaNET.
-    * GLaNET services addresses (/32s from 192.168.248.0/​22 and /64s from ''​fd00:​6b64:​f3b0::/​48''​).+    * GLaNET services addresses (/32s from 192.168.248.0/​22 and /128s from ''​fd00:​6b64:​f3b0::/​48''​).
  
-===== Example prefix lists ===== +===== Example prefix lists (adapt to your needs) ​===== 
-==== IPv4 ==== +==== Juniper ​==== 
-=== Cisco/​Quagga ===+<​code>​ 
 +policy-options { 
 +    prefix-list bogons { 
 +        /* "​This"​ network */ 
 +        0.0.0.0/​8;​ 
 +        /* Private-Use */ 
 +        10.0.0.0/​8;​ 
 +        /* Shared address space */ 
 +        100.64.0.0/​10;​ 
 +        /* Loopback */ 
 +        127.0.0.0/​8;​ 
 +        /* Link local */ 
 +        169.254.0.0/​16;​ 
 +        /* Private-Use */ 
 +        172.16.0.0/​12;​ 
 +        /* IETF Protocol Assignments */ 
 +        192.0.0.0/​24;​ 
 +        /* Documentation (TEST-NET-1) */ 
 +        192.0.2.0/​24;​ 
 +        /* Private-Use */ 
 +        192.168.0.0/​16;​ 
 +        /* Benchmarking */ 
 +        198.18.0.0/​15;​ 
 +        /* Documentation (TEST-NET-2) */ 
 +        198.51.100.0/​24;​ 
 +        /* Documentation (TEST-NET-3) */ 
 +        203.0.113.0/​24;​ 
 +        /* Multicast */ 
 +        224.0.0.0/​4;​ 
 +        /* Former class E */ 
 +        240.0.0.0/​4;​ 
 +        /* Limited Broadcast */ 
 +        255.255.255.255/​32;​ 
 +    } 
 +    prefix-list bogons6 { 
 +        /* Unspecified Address */ 
 +        ::/128; 
 +        /* Loopback Address */ 
 +        ::1/128; 
 +        /* IPv4-mapped Address */ 
 +        ::​ffff:​0:​0/​96;​ 
 +        /* Discard-Only Address Block */ 
 +        100::/64; 
 +        /* TEREDO */ 
 +        2001::/​32;​ 
 +        /* Benchmarking */ 
 +        2001:​2::/​48;​ 
 +        /* ORCHIDv2 */ 
 +        2001:​20::/​28;​ 
 +        /* Documentation */ 
 +        2001:​db8::/​32;​ 
 +        /* 6to4 */ 
 +        2002::/​16;​ 
 +        /* Pandora - Hack Hack Hack */ 
 +        2620:​106:​e000::/​44;​ 
 +        /* Facebook - Latency nightmare */ 
 +        2a03:​2880::/​29;​ 
 +        /* Unique-Local */ 
 +        fc00::/7; 
 +        /* Linked-Scoped Unicast */ 
 +        fe80::/​10;​ 
 +    } 
 +    prefix-list glanet-bogons { 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.0.0/​22;​ 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.8.0/​22;​ 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.100.0/​22;​ 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.200.0/​22;​ 
 +        /* High risk of collision within GLaNET */ 
 +        192.168.252.0/​22;​ 
 +    } 
 +    prefix-list as-self-glanet { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        192.168.40.0/​22;​ 
 +    } 
 +    prefix-list as-self6 { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        2a06:​e881:​1100::/​44;​ 
 +    } 
 +    policy-statement bgp-import-glanet { 
 +        term set-default { 
 +            then default-action accept; 
 +        } 
 +        term glanet-bogons { 
 +            from { 
 +                prefix-list-filter glanet-bogons orlonger; 
 +                prefix-list-filter as-self-glanet orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +        term glanet { 
 +            from { 
 +                route-filter 192.168.0.0/​16 prefix-length-range /20-/28; 
 +                route-filter 192.168.248.0/​24 prefix-length-range /32-/32; 
 +            } 
 +            then next policy; 
 +        } 
 +        term glanet6 { 
 +            from { 
 +                route-filter fd00:​6b64:​f3b0::/​48 prefix-length-range /​128-/​128;​ 
 +            } 
 +            then next policy; 
 +        } 
 +        term bogons { 
 +            from { 
 +                route-filter 0.0.0.0/0 upto /7; 
 +                prefix-list-filter bogons orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +        term bogons6 { 
 +            from { 
 +                route-filter ::/0 upto /16; 
 +                route-filter ::/0 prefix-length-range /61-/128; 
 +                prefix-list-filter bogons6 orlonger; 
 +                prefix-list-filter as-self6 orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +    } 
 +
 +</​code>​ 
 + 
 +==== Cisco/​Quagga ===
 + 
 +<note important>​These filters may be outdated.</​note>​
  
 +=== IPv4 ===
 <​code>​ <​code>​
 ip prefix-list glanet-in description BGP IPv4 import filter ip prefix-list glanet-in description BGP IPv4 import filter
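Review bot: `term glanet` admits service host routes only from `192.168.248.0/24`, while the bullet at the top of this hunk documents the services /32s as coming from `192.168.248.0/22`; a /32 in 192.168.249.0–192.168.251.255 misses that term and is then rejected by `term bogons`, whose `bogons` list carries `192.168.0.0/16` with `orlonger`. If the /22 is the intended scope the fix is one line, `route-filter 192.168.248.0/22 prefix-length-range /32-/32;`; if only the first /24 is actually in use, the bullet should be narrowed to match instead. It is also worth spelling out on `term set-default` that `default-action accept` makes this a denylist: any route that no later term rejects or hands on with `next policy` is accepted, and `next policy` from the last policy in the import chain presumably ends at the BGP default (accept) — a comment such as `/* denylist: routes not rejected below are accepted */` would keep people copying the example from assuming an allowlist.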
Line 36: Line 165:
 </​code>​ </​code>​
  
-=== BIRD === +=== IPv6 ===
-<​code>​ +
-function net_martian() +
-{        +
-  return net ~ [ 169.254.0.0/​16+,​ 172.16.0.0/​12+,​ 192.168.0.0/​22+,​ +
-                 ​192.168.8.0/​22+,​ 192.168.100.0/​22+,​ 192.168.200.0/​22+,​ +
-                 ​192.168.252.0/​22+,​ 10.0.0.0/​8+,​ 100.64.0.0/​10+,​ +
-                 ​172.16.0.0/​12+,​ 224.0.0.0/​4+,​ 240.0.0.0/​4+,​ 0.0.0.0/​32-,​ +
-                 ​0.0.0.0/​0{0,​7} ]; +
-+
- +
-filter martians { +
-  if net_martian() then +
-    reject; +
-  else +
-    accept; +
-+
-</​code>​ +
- +
- +
-==== IPv6 ===+
-=== Cisco/​Quagga === +
 <​code>​ <​code>​
 ! Deny default route and too large prefixes ! Deny default route and too large prefixes
Line 80: Line 187:
 </​code>​ </​code>​
  
-=== BIRD === 
  
 +==== BIRD ====
 +
 +<note important>​These filters may be outdated.</​note>​
 +
 +=== IPv4 ===
 +<​code>​
 +function net_martian()
 +{       
 +  return net ~ [ 169.254.0.0/​16+,​ 172.16.0.0/​12+,​ 192.168.0.0/​22+,​
 +                 ​192.168.8.0/​22+,​ 192.168.100.0/​22+,​ 192.168.200.0/​22+,​
 +                 ​192.168.252.0/​22+,​ 10.0.0.0/​8+,​ 100.64.0.0/​10+,​
 +                 ​172.16.0.0/​12+,​ 224.0.0.0/​4+,​ 240.0.0.0/​4+,​ 0.0.0.0/​32-,​
 +                 ​0.0.0.0/​0{0,​7} ];
 +}
 +
 +filter martians {
 +  if net_martian() then
 +    reject;
 +  else
 +    accept;
 +}
 +</​code>​
 +
 +=== IPv6 ===
 <​code>​ <​code>​
 function net_martian() function net_martian()