doc:filters [2016/04/17 09:50]
Benjamin Collet [BGP Filter]
doc:filters [2017/06/08 11:16] (current)
Benjamin Collet
Line 7: Line 7:
     * GLaNET services addresses (/32s from 192.168.248.0/​22 and /128s from ''​fd00:​6b64:​f3b0::/​48''​).     * GLaNET services addresses (/32s from 192.168.248.0/​22 and /128s from ''​fd00:​6b64:​f3b0::/​48''​).
  
-===== Example prefix lists ===== +===== Example prefix lists (adapt to your needs) ​===== 
-==== IPv4 ==== +==== Juniper ​====
-=== Cisco/​Quagga === +
- +
-<​code>​ +
-ip prefix-list glanet-in description BGP IPv4 import filter +
-! Deny default route and too large prefixes +
-ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7 +
-! Deny prefixes with high risk of collision within GLaNET range +
-ip prefix-list glanet-in seq 20 deny 192.168.0.0/​22 le 32 +
-ip prefix-list glanet-in seq 21 deny 192.168.8.0/​22 le 32 +
-ip prefix-list glanet-in seq 22 deny 192.168.100.0/​22 le 32 +
-ip prefix-list glanet-in seq 23 deny 192.168.200.0/​22 le 32 +
-ip prefix-list glanet-in seq 24 deny 192.168.252.0/​22 le 32 +
-! Deny other RFC1918 prefixes +
-ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32 +
-ip prefix-list glanet-in seq 31 deny 172.16.0.0/​12 le 32 +
-! Deny shared address space +
-ip prefix-list glanet-in seq 40 deny 100.64.0.0/​10 le 32 +
-! Deny link-local +
-ip prefix-list glanet-in seq 50 deny 169.254.0.0/​16 le 32 +
-! Deny multicast +
-ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32 +
-! Deny former class E +
-ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32 +
-! Allow everything +
-ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32 +
-</​code>​ +
- +
-=== BIRD === +
-<​code>​ +
-function net_martian() +
-{        +
-  return net ~ [ 169.254.0.0/​16+,​ 172.16.0.0/​12+,​ 192.168.0.0/​22+,​ +
-                 ​192.168.8.0/​22+,​ 192.168.100.0/​22+,​ 192.168.200.0/​22+,​ +
-                 ​192.168.252.0/​22+,​ 10.0.0.0/​8+,​ 100.64.0.0/​10+,​ +
-                 ​172.16.0.0/​12+,​ 224.0.0.0/​4+,​ 240.0.0.0/​4+,​ 0.0.0.0/​32-,​ +
-                 ​0.0.0.0/​0{0,​7} ]; +
-+
- +
-filter martians { +
-  if net_martian() then +
-    reject; +
-  else +
-    accept; +
-+
-</​code>​ +
- +
-=== Juniper ​===+
 <​code>​ <​code>​
 policy-options { policy-options {
     prefix-list bogons {     prefix-list bogons {
-        /* Non-GLaNET RFC1918 prefix ​*/+        /* "​This"​ network */ 
 +        0.0.0.0/​8;​ 
 +        /* Private-Use */
         10.0.0.0/8;         10.0.0.0/8;
         /* Shared address space */         /* Shared address space */
         100.64.0.0/​10;​         100.64.0.0/​10;​
 +        /* Loopback */
 +        127.0.0.0/​8;​
         /* Link local */         /* Link local */
         169.254.0.0/​16;​         169.254.0.0/​16;​
-        /* Non-GLaNET RFC1918 prefix ​*/+        /* Private-Use */
         172.16.0.0/​12;​         172.16.0.0/​12;​
 +        /* IETF Protocol Assignments */
 +        192.0.0.0/​24;​
 +        /* Documentation (TEST-NET-1) */
 +        192.0.2.0/​24;​
 +        /* Private-Use */
 +        192.168.0.0/​16;​
 +        /* Benchmarking */
 +        198.18.0.0/​15;​
 +        /* Documentation (TEST-NET-2) */
 +        198.51.100.0/​24;​
 +        /* Documentation (TEST-NET-3) */
 +        203.0.113.0/​24;​
 +        /* Multicast */
 +        224.0.0.0/​4;​
 +        /* Former class E */
 +        240.0.0.0/​4;​
 +        /* Limited Broadcast */
 +        255.255.255.255/​32;​
 +    }
 +    prefix-list bogons6 {
 +        /* Unspecified Address */
 +        ::/128;
 +        /* Loopback Address */
 +        ::1/128;
 +        /* IPv4-mapped Address */
 +        ::​ffff:​0:​0/​96;​
 +        /* Discard-Only Address Block */
 +        100::/64;
 +        /* TEREDO */
 +        2001::/32;
 +        /* Benchmarking */
 +        2001:​2::/​48;​
 +        /* ORCHIDv2 */
 +        2001:​20::/​28;​
 +        /* Documentation */
 +        2001:​db8::/​32;​
 +        /* 6to4 */
 +        2002::/16;
 +        /* Pandora - Hack Hack Hack */
 +        2620:​106:​e000::/​44;​
 +        /* Facebook - Latency nightmare */
 +        2a03:​2880::/​29;​
 +        /* Unique-Local */
 +        fc00::/7;
 +        /* Linked-Scoped Unicast */
 +        fe80::/10;
 +    }
 +    prefix-list glanet-bogons {
         /* High risk of collision within GLaNET */         /* High risk of collision within GLaNET */
         192.168.0.0/​22;​         192.168.0.0/​22;​
Line 77: Line 82:
         /* High risk of collision within GLaNET */         /* High risk of collision within GLaNET */
         192.168.252.0/​22;​         192.168.252.0/​22;​
-        /* Multicast */ 
-        224.0.0.0/​4;​ 
-        /* Former class E */ 
-        240.0.0.0/​4;​ 
     }     }
-    policy-statement bgp-import-generic ​{+    ​prefix-list as-self-glanet { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        192.168.40.0/​22;​ 
 +    } 
 +    prefix-list as-self6 { 
 +        /* REPLACE WITH YOUR OWN NETWORK */ 
 +        2a06:​e881:​1100::/​44;​ 
 +    } 
 +    ​policy-statement bgp-import-glanet ​{
         term set-default {         term set-default {
             then default-action accept;             then default-action accept;
         }         }
-        term default-route {+        term glanet-bogons { 
 +            from { 
 +                prefix-list-filter glanet-bogons orlonger; 
 +                prefix-list-filter as-self-glanet orlonger; 
 +            } 
 +            then reject; 
 +        } 
 +        term glanet { 
 +            from { 
 +                ​route-filter 192.168.0.0/​16 prefix-length-range /20-/28; 
 +                route-filter 192.168.248.0/​24 prefix-length-range /32-/32; 
 +            } 
 +            then next policy; 
 +        } 
 +        term glanet6 ​{
             from {             from {
-                route-filter ​0.0.0.0/0 upto /7 reject;+                route-filter ​fd00:​6b64:​f3b0::​/48 prefix-length-range ​/128-/128;
             }             }
 +            then next policy;
         }         }
         term bogons {         term bogons {
             from {             from {
 +                route-filter 0.0.0.0/0 upto /7;
                 prefix-list-filter bogons orlonger;                 prefix-list-filter bogons orlonger;
 +            }
 +            then reject;
 +        }
 +        term bogons6 {
 +            from {
 +                route-filter ::/0 upto /16;
 +                route-filter ::/0 prefix-length-range /61-/128;
 +                prefix-list-filter bogons6 orlonger;
 +                prefix-list-filter as-self6 orlonger;
             }             }
             then reject;             then reject;
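Review bot: The `glanet` term's host-route entry `route-filter 192.168.248.0/24 prefix-length-range /32-/32;` covers only the first /24 of the services range that the page itself describes as /32s from 192.168.248.0/22, so a /32 from the other three /24s finds no match in that term and falls through to term `bogons`, where `192.168.0.0/16` orlonger rejects it. If the /22 is the intended range, `route-filter 192.168.248.0/22 prefix-length-range /32-/32;` closes the gap; if only the /24 is in use today, a comment on that line saying so would keep the description and the policy from drifting apart. The same reliance on term order is what keeps the `fd00:6b64:f3b0::/48` /128s matched by `glanet6` away from the `fc00::/7` entry in `bogons6`, so reordering terms later would silently turn those into rejects. The two `::/0` entries in `bogons6` share one prefix, and Junos evaluates only the longest-matching route-filter entry of a term, so it is worth confirming on a lab device that both the `upto /16` and the `/61-/128` range take effect as intended. `policy-options` opens in the previous hunk and the closing braces of `bgp-import-glanet` lie beyond this one.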
Line 101: Line 135:
 </​code>​ </​code>​
  
-==== IPv6 ==== +==== Cisco/​Quagga ​==== 
-=== Cisco/​Quagga ​===+ 
 +<note important>​These filters may be outdated.</​note>​ 
 + 
 +=== IPv4 === 
 +<​code>​ 
 +ip prefix-list glanet-in description BGP IPv4 import filter 
 +! Deny default route and too large prefixes 
 +ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7 
 +! Deny prefixes with high risk of collision within GLaNET range 
 +ip prefix-list glanet-in seq 20 deny 192.168.0.0/​22 le 32 
 +ip prefix-list glanet-in seq 21 deny 192.168.8.0/​22 le 32 
 +ip prefix-list glanet-in seq 22 deny 192.168.100.0/​22 le 32 
 +ip prefix-list glanet-in seq 23 deny 192.168.200.0/​22 le 32 
 +ip prefix-list glanet-in seq 24 deny 192.168.252.0/​22 le 32 
 +! Deny other RFC1918 prefixes 
 +ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32 
 +ip prefix-list glanet-in seq 31 deny 172.16.0.0/​12 le 32 
 +! Deny shared address space 
 +ip prefix-list glanet-in seq 40 deny 100.64.0.0/​10 le 32 
 +! Deny link-local 
 +ip prefix-list glanet-in seq 50 deny 169.254.0.0/​16 le 32 
 +! Deny multicast 
 +ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32 
 +! Deny former class E 
 +ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32 
 +! Allow everything 
 +ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32 
 +</​code>​
  
 +=== IPv6 ===
 <​code>​ <​code>​
 ! Deny default route and too large prefixes ! Deny default route and too large prefixes
Line 125: Line 187:
 </​code>​ </​code>​
  
-=== BIRD === 
  
 +==== BIRD ====
 +
 +<note important>​These filters may be outdated.</​note>​
 +
 +=== IPv4 ===
 +<​code>​
 +function net_martian()
 +{       
 +  return net ~ [ 169.254.0.0/​16+,​ 172.16.0.0/​12+,​ 192.168.0.0/​22+,​
 +                 ​192.168.8.0/​22+,​ 192.168.100.0/​22+,​ 192.168.200.0/​22+,​
 +                 ​192.168.252.0/​22+,​ 10.0.0.0/​8+,​ 100.64.0.0/​10+,​
 +                 ​172.16.0.0/​12+,​ 224.0.0.0/​4+,​ 240.0.0.0/​4+,​ 0.0.0.0/​32-,​
 +                 ​0.0.0.0/​0{0,​7} ];
 +}
 +
 +filter martians {
 +  if net_martian() then
 +    reject;
 +  else
 +    accept;
 +}
 +</​code>​
 +
 +=== IPv6 ===
 <​code>​ <​code>​
 function net_martian() function net_martian()