From 1071ea17b60ceac34137510b51310eeda5441144 Mon Sep 17 00:00:00 2001
From: Axel Fischer
Date: Wed, 16 Nov 2016 13:57:31 +0100
Subject: [PATCH] add bogon ASNs from NTT initiative
---
 personal-filters/fischa/README.rst | 6 ++---
 personal-filters/fischa/reject-bad-routes-v4 | 27 ++++++++++++++++++++
 personal-filters/fischa/reject-bad-routes-v6 | 27 ++++++++++++++++++++
 3 files changed, 57 insertions(+), 3 deletions(-)
diff --git a/personal-filters/fischa/README.rst b/personal-filters/fischa/README.rst
index 8da4882..b0526db 100644
--- a/personal-filters/fischa/README.rst
+++ b/personal-filters/fischa/README.rst
@@ -40,13 +40,13 @@ Verify config and apply::
 commit check
 commit and-quit
-Now you can use the filter at the beginning of your policy chain either below the peergroup or neighbor::
+Now you can use the filter at the beginning of your policy chain either below the peergroup or neighbor (don't forget to add reject-bad-as-path as well)::
 configure
 edit protocols bgp group $some_peergroup neighbor $some_neighbor
- set import [ reject-bad-routes-v4 $some_policy $some_other_policy ]
+ set import [ reject-bad-routes-v4 reject-bad-as-path $some_policy $some_other_policy ]
 edit protocols bgp group $some_peergroup
- set import [ reject-bad-routes-v4 $some_policy $some_other_policy ]
+ set import [ reject-bad-routes-v4 reject-bad-as-path $some_policy $some_other_policy ]
 NOTE: Remember to check if you got the right policy for IPv4 or IPv6 applied. Otherwise it won't work.
diff --git a/personal-filters/fischa/reject-bad-routes-v4 b/personal-filters/fischa/reject-bad-routes-v4
index 2fe0cb3..7337b19 100644
--- a/personal-filters/fischa/reject-bad-routes-v4
+++ b/personal-filters/fischa/reject-bad-routes-v4
@@ -43,6 +43,33 @@ policy-options {
 prefix-list ixp-lans-v4 {
 80.81.192.0/22;
 }
+ /* see http://as2914.net/bogon_asns/configuration_examples.txt */
+ as-path-group bogon-asns {
+ /* RFC7607 */
+ as-path zero ".* 0 .*";
+ /* RFC 4893 AS_TRANS */
+ as-path as_trans ".* 23456 .*";
+ /* RFC 5398 and documentation/example ASNs */
+ as-path examples1 ".* [64496-64511] .*";
+ as-path examples2 ".* [65536-65551] .*";
+ /* RFC 6996 Private ASNs*/
+ as-path reserved1 ".* [64512-65534] .*";
+ as-path reserved2 ".* [4200000000-4294967294] .*";
+ /* RFC 6996 Last 32 and 64 bit ASNs */
+ as-path last32 ".* 65535 .*";
+ as-path last64 ".* 4294967295 .*";
+ /* RFC IANA reserved ASNs*/
+ as-path iana-reserved ".* [65552-131071] .*";
+ }
+ policy-statement reject-bad-as-path {
+ term bogon-asns {
+ from as-path-group bogon-asns;
+ then {
+ trace;
+ reject;
+ }
+ }
+ }
 policy-statement reject-bad-routes-v4 {
 term reject-default-route {
 from {
diff --git a/personal-filters/fischa/reject-bad-routes-v6 b/personal-filters/fischa/reject-bad-routes-v6
index 4986aef..bef977d 100644
--- a/personal-filters/fischa/reject-bad-routes-v6
+++ b/personal-filters/fischa/reject-bad-routes-v6
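Review bot: The comment above the `last32`/`last64` entries cites the wrong RFC and the wrong widths: 65535 and 4294967295 are the last 16-bit and last 32-bit ASNs, reserved by RFC 7300, whereas RFC 6996 (already cited two lines earlier) only covers the private ranges; suggest `/* RFC 7300 Last 16 and 32 bit ASNs */`. In the same spirit RFC 4893 has been obsoleted by RFC 6793, so `/* RFC 6793 AS_TRANS */` points readers at the current document. The `iana-reserved` range 65552-131071 is a bogon only for as long as IANA leaves it unallocated, so a comment recording when the list was last checked against the IANA AS registry (e.g. `/* IANA reserved as of 2016-11; re-validate periodically */`) would help future maintainers avoid rejecting legitimately allocated ASNs.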
@@ -37,6 +37,33 @@ policy-options {
 prefix-list ixp-lans-v6 {
 2001:7f8::/64;
 }
+ /* see http://as2914.net/bogon_asns/configuration_examples.txt */
+ as-path-group bogon-asns {
+ /* RFC7607 */
+ as-path zero ".* 0 .*";
+ /* RFC 4893 AS_TRANS */
+ as-path as_trans ".* 23456 .*";
+ /* RFC 5398 and documentation/example ASNs */
+ as-path examples1 ".* [64496-64511] .*";
+ as-path examples2 ".* [65536-65551] .*";
+ /* RFC 6996 Private ASNs*/
+ as-path reserved1 ".* [64512-65534] .*";
+ as-path reserved2 ".* [4200000000-4294967294] .*";
+ /* RFC 6996 Last 32 and 64 bit ASNs */
+ as-path last32 ".* 65535 .*";
+ as-path last64 ".* 4294967295 .*";
+ /* RFC IANA reserved ASNs*/
+ as-path iana-reserved ".* [65552-131071] .*";
+ }
+ policy-statement reject-bad-as-path {
+ term bogon-asns {
+ from as-path-group bogon-asns;
+ then {
+ trace;
+ reject;
+ }
+ }
+ }
 policy-statement reject-bad-routes-v6 {
 term reject-default-route {
 from {
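Review bot: The `as-path-group bogon-asns` and `policy-statement reject-bad-as-path` added here are a byte-identical copy of the ones added to reject-bad-routes-v4, under the same `policy-options` names; if both files are loaded into one configuration the second load presumably just overwrites the first, and the two copies will silently drift as the bogon list is maintained. Since an AS-path filter is address-family independent, moving both definitions into a single shared file that both README procedures load would give the list one source of truth. A caveat worth recording at the policy is that `.* [64512-65534] .*` rejects a route whenever a private ASN appears anywhere in the path, so `reject-bad-as-path` must not be attached to a session whose peer is intentionally numbered with a private ASN, e.g. `/* do not apply to customers assigned a private ASN: the whole route is rejected */`. As far as I can tell the `trace;` action only produces output when policy traceoptions are enabled on the router, which neither this file nor the README mentions.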