Merge pull request #6 from wtremmel/wtremmel-personal-filter

Wtremmel personal filter

personal-filters/wtremmel/AS196610-iosxr.txt

@@ -0,0 +1,60 @@
+route-policy unwanted-routes
+  if validation-state is invalid then
+    drop
+  endif
+  if destination in ipv4-unwanted then
+    drop
+  endif
+  if destination in ipv6-unwanted then
+    drop
+  endif
+  if as-path in private-as-numbers then
+    drop
+  endif
+  pass
+end-policy
+!
+prefix-set ipv4-unwanted
+  0.0.0.0/0 ge 25 le 32,
+  0.0.0.0/8 le 32,
+  0.0.0.0/0 ge 1 le 7,
+  127.0.0.0/8 le 32,
+  169.254.0.0/16 le 32,
+  192.88.99.0/24 le 32,
+  192.168.0.0/16 le 32,
+  172.16.0.0/12 le 32,
+  10.0.0.0/8 le 32,
+  100.64.0.0/10 le 32,
+  224.0.0.0/4 le 32,
+  240.0.0.0/4 le 32,
+  192.0.2.0/24 le 32,
+  198.51.100.0/24 le 32,
+  203.0.113.0/24 le 32,
+  80.81.192.0/21 le 32,
+  206.82.104.0/22 le 32,
+  206.130.10.0/24 le 32,
+  185.1.170.0/23 le 32,
+  185.1.210.0/23 le 32,
+  185.1.208.0/23 le 32,
+  185.1.192.0/23 le 32,
+  91.214.253.0/24 le 32
+end-set
+!
+prefix-set ipv6-unwanted
+  ::/0 ge 49 le 128,
+  ::/0 ge 1 le 18,
+  2001:db8::/32 le 128,
+  2001:7f8::/64 le 128,
+  2001:504:36::/64 le 128,
+  2001:7f8:9e::/64 le 128,
+  2001:7f8:3d::/64 le 128,
+  2001:7f8:44::/64 le 128,
+  2a02:c50:db8::/48 le 128
+end-set
+!
+as-path-set private-as-numbers
+  ios-regex '_0_',
+  ios-regex '_23456_',
+  ios-regex '_(6449[6-9]|64[5-9][0-9]{2}|65[0-4][0-9]{2}|655[0-4][0-9]|6555[01])_',
+  ios-regex '_42[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_'
+end-set

personal-filters/wtremmel/README.md

@@ -0,0 +1,33 @@
+# Filters of AS196610
+
+## Introduction
+
+AS196610 (DE-CIX Academy) uses [Peering Manager](https://peering-manager.readthedocs.io/en/stable/) to configure its routers (well, currently only one router running CISCO IOS XR).
+
+So all filters are auto-generated using templates. However, all filters contain a generic part filtering out unwanted prefixes, and this one is documented here.
+
+## Explanation of filter
+
+1. We block all RPKI invalid prefixes.
+1. This policy is applied to both IPv6 and IPv4 neighbors. Reason: With BGP you can easily announce IPv4 prefixes over an IPv6 session and vice versa. So you cannot know from the type of session what prefixes need to be checked.
+1. *ipv4-unwanted* contains the following:
+    - prefixes and more specifics of them are blocked
+    - no default route
+    - no prefixes with first digit zero
+    - no loopback ip
+    - no prefixes from the [IANA IPv4 reserved prefixes list](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml).
+    - no multicast IPv4 addresses
+    - no addresses of IXP peering LANs my AS is connected to
+    - block *my own* prefixes and all more specifics.
+1. *ipv6-unwanted* is similar:
+    - no default route
+    - no link local, ULA etc.
+    - no prefixes from the [IANA IPv6 reserved prefixes list](<https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml>). There is still some adjustment in IPv6 - so check this page regularly and adjust your filter!
+    - no prefixes from IXP peering LANs
+    - my own prefixes
+1. The list of *private-as-numbers* looks cryptic, but thats only because Cisco uses regular expressions for these lists traditionally and not numeric ranges:
+    - We check against invalid AS numbers *anywhere* in the AS path
+    - no AS0
+    - no AS23456 (this was used for the 16- to 32-bit AS transition)
+    - no private ASes and no ASes reserved for documentation
+    - again this information can be found at the [IANA AS number registry](https://www.iana.org/assignments/as-numbers/as-numbers.xhtml)