doc:filters [2016/04/17 09:50]
Benjamin Collet [BGP Filter]
doc:filters [2020/03/21 17:09] (current)
Johan Fleury
Line 3: Line 3:
  
   * Everyone is free to filter on his AS as he wishes, however it is recommended to deny the default route((IPv4: ''0.0.0.0/0'' | IPv6: ''::0/0'')), inbound and outbound.   * Everyone is free to filter on his AS as he wishes, however it is recommended to deny the default route((IPv4: ''0.0.0.0/0'' | IPv6: ''::0/0'')), inbound and outbound.
-  * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:+  * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 61 bits((Some members have small allocations)). Of course there are exceptions:
     * Non-RFC1918 addresses reachable via GLaNET.     * Non-RFC1918 addresses reachable via GLaNET.
     * GLaNET services addresses (/32s from 192.168.248.0/22 and /128s from ''fd00:6b64:f3b0::/48'').     * GLaNET services addresses (/32s from 192.168.248.0/22 and /128s from ''fd00:6b64:f3b0::/48'').
  
-===== Example prefix lists ===== +===== Example prefix lists (adapt to your needs) ===== 
-==== IPv4 ==== +==== Juniper ====
-=== Cisco/Quagga === +
- +
-<code> +
-ip prefix-list glanet-in description BGP IPv4 import filter +
-! Deny default route and too large prefixes +
-ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7 +
-! Deny prefixes with high risk of collision within GLaNET range +
-ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32 +
-ip prefix-list glanet-in seq 21 deny 192.168.8.0/22 le 32 +
-ip prefix-list glanet-in seq 22 deny 192.168.100.0/22 le 32 +
-ip prefix-list glanet-in seq 23 deny 192.168.200.0/22 le 32 +
-ip prefix-list glanet-in seq 24 deny 192.168.252.0/22 le 32 +
-! Deny other RFC1918 prefixes +
-ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32 +
-ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32 +
-! Deny shared address space +
-ip prefix-list glanet-in seq 40 deny 100.64.0.0/10 le 32 +
-! Deny link-local +
-ip prefix-list glanet-in seq 50 deny 169.254.0.0/16 le 32 +
-! Deny multicast +
-ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32 +
-! Deny former class E +
-ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32 +
-! Allow everything +
-ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32 +
-</code> +
- +
-=== BIRD === +
-<code> +
-function net_martian() +
-{        +
-  return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/22+, +
-                 192.168.8.0/22+, 192.168.100.0/22+, 192.168.200.0/22+, +
-                 192.168.252.0/22+, 10.0.0.0/8+, 100.64.0.0/10+, +
-                 172.16.0.0/12+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-, +
-                 0.0.0.0/0{0,7} ]; +
-+
- +
-filter martians { +
-  if net_martian() then +
-    reject; +
-  else +
-    accept; +
-+
-</code> +
- +
-=== Juniper ===+
 <code> <code>
 policy-options { policy-options {
     prefix-list bogons {     prefix-list bogons {
-        /* Non-GLaNET RFC1918 prefix */+        /* "This" network */ 
 +        0.0.0.0/8; 
 +        /* Private-Use */
         10.0.0.0/8;         10.0.0.0/8;
         /* Shared address space */         /* Shared address space */
         100.64.0.0/10;         100.64.0.0/10;
 +        /* Loopback */
 +        127.0.0.0/8;
         /* Link local */         /* Link local */
         169.254.0.0/16;         169.254.0.0/16;
-        /* Non-GLaNET RFC1918 prefix */+        /* Private-Use */
         172.16.0.0/12;         172.16.0.0/12;
 +        /* IETF Protocol Assignments */
 +        192.0.0.0/24;
 +        /* Documentation (TEST-NET-1) */
 +        192.0.2.0/24;
 +        /* Private-Use */
 +        192.168.0.0/16;
 +        /* Benchmarking */
 +        198.18.0.0/15;
 +        /* Documentation (TEST-NET-2) */
 +        198.51.100.0/24;
 +        /* Documentation (TEST-NET-3) */
 +        203.0.113.0/24;
 +        /* Multicast */
 +        224.0.0.0/4;
 +        /* Former class E */
 +        240.0.0.0/4;
 +        /* Limited Broadcast */
 +        255.255.255.255/32;
 +    }
 +    prefix-list bogons6 {
 +        /* Unspecified Address */
 +        ::/128;
 +        /* Loopback Address */
 +        ::1/128;
 +        /* IPv4-mapped Address */
 +        ::ffff:0:0/96;
 +        /* Discard-Only Address Block */
 +        100::/64;
 +        /* TEREDO */
 +        2001::/32;
 +        /* Benchmarking */
 +        2001:2::/48;
 +        /* ORCHIDv2 */
 +        2001:20::/28;
 +        /* Documentation */
 +        2001:db8::/32;
 +        /* 6to4 */
 +        2002::/16;
 +        /* Pandora - Hack Hack Hack */
 +        2620:106:e000::/44;
 +        /* Facebook - Latency nightmare */
 +        2a03:2880::/29;
 +        /* Unique-Local */
 +        fc00::/7;
 +        /* Linked-Scoped Unicast */
 +        fe80::/10;
 +    }
 +    prefix-list glanet-bogons {
         /* High risk of collision within GLaNET */         /* High risk of collision within GLaNET */
         192.168.0.0/22;         192.168.0.0/22;
Line 77: Line 82:
         /* High risk of collision within GLaNET */         /* High risk of collision within GLaNET */
         192.168.252.0/22;         192.168.252.0/22;
-        /* Multicast */ 
-        224.0.0.0/4; 
-        /* Former class E */ 
-        240.0.0.0/4; 
     }     }
-    policy-statement bgp-import-generic {+    prefix-list as-self-glanet { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        192.168.40.0/22; 
 +    } 
 +    prefix-list as-self6 { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        2a06:e881:1100::/44; 
 +    } 
 +    policy-statement bgp-import-glanet {
         term set-default {         term set-default {
             then default-action accept;             then default-action accept;
         }         }
-        term default-route {+        term glanet-bogons { 
 +            from { 
 +                prefix-list-filter glanet-bogons orlonger; 
 +                prefix-list-filter as-self-glanet orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +        term glanet { 
 +            from { 
 +                route-filter 192.168.0.0/16 prefix-length-range /20-/28; 
 +                route-filter 192.168.248.0/24 prefix-length-range /32-/32; 
 +            } 
 +            then next policy; 
 +        } 
 +        term glanet6 {
             from {             from {
-                route-filter 0.0.0.0/0 upto /7 reject;+                route-filter fd00:6b64:f3b0::/48 prefix-length-range /128-/128;
             }             }
 +            then next policy;
         }         }
         term bogons {         term bogons {
             from {             from {
 +                route-filter 0.0.0.0/0 upto /7;
                 prefix-list-filter bogons orlonger;                 prefix-list-filter bogons orlonger;
 +            }
 +            then reject;
 +        }
 +        term bogons6 {
 +            from {
 +                route-filter ::/0 upto /16;
 +                route-filter ::/0 prefix-length-range /62-/128;
 +                prefix-list-filter bogons6 orlonger;
 +                prefix-list-filter as-self6 orlonger;
             }             }
             then reject;             then reject;
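Review bot: The services carve-out in term glanet is narrower than the prose on the same page: the text says services addresses are "/32s from 192.168.248.0/22", but the new line reads `route-filter 192.168.248.0/24 prefix-length-range /32-/32;`, so a /32 in 192.168.249.0–192.168.251.255 misses this term and is then rejected by term bogons, whose prefix-list now carries `192.168.0.0/16` orlonger. If the /22 in the text is the real allocation, the line should be `route-filter 192.168.248.0/22 prefix-length-range /32-/32;`; if the /24 is deliberate, the text above should be narrowed to match, since a member copying this policy will otherwise silently drop part of the services range. Also worth a comment on term glanet: Junos evaluates only the longest-matching route-filter entry in a term, so a /24–/28 route falling inside 192.168.248.0/24 is tested against the /32-only entry, not the /16 entry, and ends up rejected — presumably intended, but not obvious to a reader. The policy-statement bgp-import-glanet continues past the end of this hunk.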
Line 101: Line 135:
 </code> </code>
  
-==== IPv6 ==== +==== Cisco/Quagga ==== 
-=== Cisco/Quagga ===+ 
 +<note important>These filters may be outdated.</note> 
 + 
 +=== IPv4 === 
 +<code> 
 +ip prefix-list glanet-in description BGP IPv4 import filter 
 +! Deny default route and too large prefixes 
 +ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7 
 +! Deny prefixes with high risk of collision within GLaNET range 
 +ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32 
 +ip prefix-list glanet-in seq 21 deny 192.168.8.0/22 le 32 
 +ip prefix-list glanet-in seq 22 deny 192.168.100.0/22 le 32 
 +ip prefix-list glanet-in seq 23 deny 192.168.200.0/22 le 32 
 +ip prefix-list glanet-in seq 24 deny 192.168.252.0/22 le 32 
 +! Deny other RFC1918 prefixes 
 +ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32 
 +ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32 
 +! Deny shared address space 
 +ip prefix-list glanet-in seq 40 deny 100.64.0.0/10 le 32 
 +! Deny link-local 
 +ip prefix-list glanet-in seq 50 deny 169.254.0.0/16 le 32 
 +! Deny multicast 
 +ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32 
 +! Deny former class E 
 +ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32 
 +! Allow everything 
 +ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32 
 +</code>
  
 +=== IPv6 ===
 <code> <code>
 ! Deny default route and too large prefixes ! Deny default route and too large prefixes
Line 125: Line 187:
 </code> </code>
  
-=== BIRD === 
  
 +==== BIRD ====
 +
 +<note important>These filters may be outdated.</note>
 +
 +=== IPv4 ===
 +<code>
 +function net_martian()
 +{       
 +  return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/22+,
 +                 192.168.8.0/22+, 192.168.100.0/22+, 192.168.200.0/22+,
 +                 192.168.252.0/22+, 10.0.0.0/8+, 100.64.0.0/10+,
 +                 172.16.0.0/12+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-,
 +                 0.0.0.0/0{0,7} ];
 +}
 +
 +filter martians {
 +  if net_martian() then
 +    reject;
 +  else
 +    accept;
 +}
 +</code>
 +
 +=== IPv6 ===
 <code> <code>
 function net_martian() function net_martian()