BGP Filter
- Everyone is free to filter on their own AS as they wish; however, it is recommended to deny the default route 1), both inbound and outbound.
- It is also recommended that you do not advertise IPv4 prefixes longer than 28 bits or IPv6 prefixes longer than 60 bits. There are exceptions:
  - Non-RFC1918 addresses reachable via GLaNET.
  - GLaNET services addresses (/32s from 192.168.248.0/22 and /128s from fd00:6b64:f3b0::/48).
Example prefix lists (adapt to your needs)
Juniper
policy-options {
    prefix-list bogons {
        /* "This" network */
        0.0.0.0/8;
        /* Private-Use */
        10.0.0.0/8;
        /* Shared address space */
        100.64.0.0/10;
        /* Loopback */
        127.0.0.0/8;
        /* Link local */
        169.254.0.0/16;
        /* Private-Use */
        172.16.0.0/12;
        /* IETF Protocol Assignments */
        192.0.0.0/24;
        /* Documentation (TEST-NET-1) */
        192.0.2.0/24;
        /* Private-Use */
        192.168.0.0/16;
        /* Benchmarking */
        198.18.0.0/15;
        /* Documentation (TEST-NET-2) */
        198.51.100.0/24;
        /* Documentation (TEST-NET-3) */
        203.0.113.0/24;
        /* Multicast */
        224.0.0.0/4;
        /* Former class E */
        240.0.0.0/4;
        /* Limited Broadcast */
        255.255.255.255/32;
    }
    prefix-list bogons6 {
        /* Unspecified Address */
        ::/128;
        /* Loopback Address */
        ::1/128;
        /* IPv4-mapped Address */
        ::ffff:0:0/96;
        /* Discard-Only Address Block */
        100::/64;
        /* TEREDO */
        2001::/32;
        /* Benchmarking */
        2001:2::/48;
        /* ORCHIDv2 */
        2001:20::/28;
        /* Documentation */
        2001:db8::/32;
        /* 6to4 */
        2002::/16;
        /* Pandora - Hack Hack Hack */
        2620:106:e000::/44;
        /* Facebook - Latency nightmare */
        2a03:2880::/29;
        /* Unique-Local */
        fc00::/7;
        /* Linked-Scoped Unicast */
        fe80::/10;
    }
    prefix-list glanet-bogons {
        /* High risk of collision within GLaNET */
        192.168.0.0/22;
        /* High risk of collision within GLaNET */
        192.168.8.0/22;
        /* High risk of collision within GLaNET */
        192.168.100.0/22;
        /* High risk of collision within GLaNET */
        192.168.200.0/22;
        /* High risk of collision within GLaNET */
        192.168.252.0/22;
    }
    prefix-list as-self-glanet {
        /* REPLACE WITH YOUR OWN NETWORK */
        192.168.40.0/22;
    }
    prefix-list as-self6 {
        /* REPLACE WITH YOUR OWN NETWORK */
        2a06:e881:1100::/44;
    }
    policy-statement bgp-import-glanet {
        term set-default {
            then default-action accept;
        }
        term glanet-bogons {
            from {
                prefix-list-filter glanet-bogons orlonger;
                prefix-list-filter as-self-glanet orlonger;
            }
            then reject;
        }
        term glanet {
            from {
                route-filter 192.168.0.0/16 prefix-length-range /20-/28;
                route-filter 192.168.248.0/24 prefix-length-range /32-/32;
            }
            then next policy;
        }
        term glanet6 {
            from {
                route-filter fd00:6b64:f3b0::/48 prefix-length-range /128-/128;
            }
            then next policy;
        }
        term bogons {
            from {
                route-filter 0.0.0.0/0 upto /7;
                prefix-list-filter bogons orlonger;
            }
            then reject;
        }
        term bogons6 {
            from {
                route-filter ::/0 upto /16;
                route-filter ::/0 prefix-length-range /61-/128;
                prefix-list-filter bogons6 orlonger;
                prefix-list-filter as-self6 orlonger;
            }
            then reject;
        }
    }
}
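The Juniper policy above is evaluated term by term, and it is easy to misjudge which term catches a given announcement (for example, the GLaNET /48 itself is rejected by the bogons6 term because only /128s out of it are allowed). The following Python script is an added example and not part of the GLaNET page or of any router configuration: it models the bgp-import-glanet terms as an ordered first-match filter, so a member can check what a planned announcement would do before touching the router. It reuses the page's placeholder "as-self" networks (192.168.40.0/22 and 2a06:e881:1100::/44), treats "next policy" as a verdict of its own rather than modelling the rest of the import chain, and the sample announcements at the bottom are constructed test input.

```python
import ipaddress


def rule(net, min_len=None, max_len=None):
    """One match condition: the announced prefix must lie inside `net` and its
    length must be within [min_len, max_len].  With no bounds this is Junos
    'orlonger'; (net.prefixlen, N) is 'upto /N'; (a, b) is
    'prefix-length-range /a-/b'."""
    n = ipaddress.ip_network(net)
    lo = n.prefixlen if min_len is None else min_len
    hi = n.max_prefixlen if max_len is None else max_len
    return (n, lo, hi)


def orlonger(*nets):
    return [rule(n) for n in nets]


# Prefix lists copied from the Juniper configuration on this page.
BOGONS4 = orlonger("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
                   "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
                   "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
                   "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
                   "240.0.0.0/4", "255.255.255.255/32")
BOGONS6 = orlonger("::/128", "::1/128", "::ffff:0:0/96", "100::/64",
                   "2001::/32", "2001:2::/48", "2001:20::/28", "2001:db8::/32",
                   "2002::/16", "2620:106:e000::/44", "2a03:2880::/29",
                   "fc00::/7", "fe80::/10")
GLANET_BOGONS = orlonger("192.168.0.0/22", "192.168.8.0/22", "192.168.100.0/22",
                         "192.168.200.0/22", "192.168.252.0/22")
AS_SELF4 = orlonger("192.168.40.0/22")      # page placeholder: replace with your own
AS_SELF6 = orlonger("2a06:e881:1100::/44")  # page placeholder: replace with your own

# Terms in the order Junos evaluates them.  The first term whose conditions
# match decides; "next policy" hands the route to the next policy in the
# import chain (not modelled here).  If nothing matches, the default-action
# set by the first term ("accept") applies.
BGP_IMPORT_GLANET = [
    ("glanet-bogons", GLANET_BOGONS + AS_SELF4, "reject"),
    ("glanet", [rule("192.168.0.0/16", 20, 28),
                rule("192.168.248.0/24", 32, 32)], "next policy"),
    ("glanet6", [rule("fd00:6b64:f3b0::/48", 128, 128)], "next policy"),
    ("bogons", [rule("0.0.0.0/0", 0, 7)] + BOGONS4, "reject"),
    ("bogons6", [rule("::/0", 0, 16), rule("::/0", 61, 128)]
                + BOGONS6 + AS_SELF6, "reject"),
]


def matches(prefix, r):
    net, lo, hi = r
    # Address families never match each other; check the version first so
    # subnet_of() is only called on networks of the same family.
    return (prefix.version == net.version and prefix.subnet_of(net)
            and lo <= prefix.prefixlen <= hi)


def evaluate(policy, announced):
    """Return (term name, action) for an announced prefix string."""
    prefix = ipaddress.ip_network(announced)
    for name, rules, action in policy:
        if any(matches(prefix, r) for r in rules):
            return name, action
    return "default-action", "accept"


# Constructed announcements used to exercise the policy.
SAMPLE_ANNOUNCEMENTS = [
    "0.0.0.0/0", "192.168.40.0/24", "192.168.44.0/24", "192.168.44.0/29",
    "192.168.248.5/32", "8.8.8.0/24", "::/0", "fd00:6b64:f3b0::1/128",
    "fd00:6b64:f3b0::/48", "2a06:e881:2000::/48", "2a06:e881:2000::/64",
]

if __name__ == "__main__":
    for announced in SAMPLE_ANNOUNCEMENTS:
        term, action = evaluate(BGP_IMPORT_GLANET, announced)
        print(f"{announced:26} {action:12} (term {term})")
```

Running the script shows, among other things, that 192.168.44.0/29 is rejected by the bogons term rather than by a dedicated length check: it simply falls through the glanet term (/20-/28) and is then caught by 192.168.0.0/16 orlonger in the bogons list. The same happens to fd00:6b64:f3b0::/48 via fc00::/7, which is the intended outcome since only /128s from that block are meant to be announced.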
Cisco/Quagga
These filters may be outdated.
IPv4
ip prefix-list glanet-in description BGP IPv4 import filter
! Deny default route and too large prefixes
ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7
! Deny prefixes with high risk of collision within GLaNET range
ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32
ip prefix-list glanet-in seq 21 deny 192.168.8.0/22 le 32
ip prefix-list glanet-in seq 22 deny 192.168.100.0/22 le 32
ip prefix-list glanet-in seq 23 deny 192.168.200.0/22 le 32
ip prefix-list glanet-in seq 24 deny 192.168.252.0/22 le 32
! Deny other RFC1918 prefixes
ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32
ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32
! Deny shared address space
ip prefix-list glanet-in seq 40 deny 100.64.0.0/10 le 32
! Deny link-local
ip prefix-list glanet-in seq 50 deny 169.254.0.0/16 le 32
! Deny multicast
ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32
! Deny former class E
ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32
! Allow everything
ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32
IPv6
! Deny default route and too large prefixes
ipv6 prefix-list glanet6-in deny 0::/0 le 15
! Deny 6bone prefix (not used anymore)
ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128
! Deny documentation prefix
ipv6 prefix-list glanet6-in deny 2001:db8::/32 le 128
! Teredo prefix must be exactly 32-bit long
ipv6 prefix-list glanet6-in permit 2001::/32
ipv6 prefix-list glanet6-in deny 2001::/32 le 128
! 6to4 prefix must be exactly 16-bit long
ipv6 prefix-list glanet6-in permit 2002::/16
ipv6 prefix-list glanet6-in deny 2002::/16 le 128
! Deny loopback/unspecified/v4-mapped prefix
ipv6 prefix-list glanet6-in deny 0000::/8 le 128
! Deny multicast prefixes
ipv6 prefix-list glanet6-in deny ff00::/8 le 128
! Permit everything else but small prefixes
ipv6 prefix-list glanet6-in permit 0::/0 le 64
BIRD
These filters may be outdated.
IPv4
function net_martian()
{
  return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/22+,
                 192.168.8.0/22+, 192.168.100.0/22+, 192.168.200.0/22+,
                 192.168.252.0/22+, 10.0.0.0/8+, 100.64.0.0/10+,
                 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-,
                 0.0.0.0/0{0,7} ];
}
filter martians {
  if net_martian() then
    reject;
  else
    accept;
}
IPv6
function net_martian()
{
  return net ~ [ 3ffe::/16+, 2001:db8::/32+,
                 /* Teredo and 6to4 must be announced at exactly /32 and /16.
                    {33,128} and {17,128} reject every more-specific of the
                    whole block; 2001::/33+ and 2002::/17+ would only have
                    covered the lower half of each block. */
                 2001::/32{33,128}, 2002::/16{17,128},
                 0000::/8+, fe00::/8+, ::/128-, ::/0{0,15}, ::/0{65,128} ];
}
filter martians {
  if net_martian() then
    reject;
  else
    accept;
}
1) IPv4: 0.0.0.0/0 | IPv6: ::0/0