diff --git a/personal-filters/wtremmel/AS196610-iosxr.txt b/personal-filters/wtremmel/AS196610-iosxr.txt new file mode 100644 index 0000000..7cb9712 --- /dev/null +++ b/personal-filters/wtremmel/AS196610-iosxr.txt @@ -0,0 +1,60 @@ +route-policy unwanted-routes + if validation-state is invalid then + drop + endif + if destination in ipv4-unwanted then + drop + endif + if destination in ipv6-unwanted then + drop + endif + if as-path in private-as-numbers then + drop + endif + pass +end-policy +! +prefix-set ipv4-unwanted + 0.0.0.0/0 ge 25 le 32, + 0.0.0.0/8 le 32, + 0.0.0.0/0 ge 1 le 7, + 127.0.0.0/8 le 32, + 169.254.0.0/16 le 32, + 192.88.99.0/24 le 32, + 192.168.0.0/16 le 32, + 172.16.0.0/12 le 32, + 10.0.0.0/8 le 32, + 100.64.0.0/10 le 32, + 224.0.0.0/4 le 32, + 240.0.0.0/4 le 32, + 192.0.2.0/24 le 32, + 198.51.100.0/24 le 32, + 203.0.113.0/24 le 32, + 80.81.192.0/21 le 32, + 206.82.104.0/22 le 32, + 206.130.10.0/24 le 32, + 185.1.170.0/23 le 32, + 185.1.210.0/23 le 32, + 185.1.208.0/23 le 32, + 185.1.192.0/23 le 32, + 91.214.253.0/24 le 32 +end-set +! +prefix-set ipv6-unwanted + ::/0 ge 49 le 128, + ::/0 ge 1 le 18, + 2001:db8::/32 le 128, + 2001:7f8::/64 le 128, + 2001:504:36::/64 le 128, + 2001:7f8:9e::/64 le 128, + 2001:7f8:3d::/64 le 128, + 2001:7f8:44::/64 le 128, + 2a02:c50:db8::/48 le 128 +end-set +! +as-path-set private-as-numbers + ios-regex '_0_', + ios-regex '_23456_', + ios-regex '_(6449[6-9]|64[5-9][0-9]{2}|65[0-4][0-9]{2}|655[0-4][0-9]|6555[01])_', + ios-regex '_42[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_' +end-set diff --git a/personal-filters/wtremmel/README.md b/personal-filters/wtremmel/README.md new file mode 100644 index 0000000..b4cda84 --- /dev/null +++ b/personal-filters/wtremmel/README.md 
@@ -0,0 +1,33 @@ +# Filters of AS196610 + +## Introduction + +AS196610 (DE-CIX Academy) uses [Peering Manager](https://peering-manager.readthedocs.io/en/stable/) to configure its routers (well, currently only one router running CISCO IOS XR). + +So all filters are auto-generated using templates. However, all filters contain a generic part filtering out unwanted prefixes, and this one is documented here. + +## Explanation of filter + +1. We block all RPKI invalid prefixes. +1. This policy is applied to both IPv6 and IPv4 neighbors. Reason: With BGP you can easily announce IPv4 prefixes over an IPv6 session and vice versa. So you cannot know from the type of session what prefixes need to be checked. +1. *ipv4-unwanted* contains the following: + - prefixes and more specifics of them are blocked + - no default route + - no prefixes with first digit zero + - no loopback ip + - no prefixes from the [IANA IPv4 reserved prefixes list](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml). + - no multicast IPv4 addresses + - no addresses of IXP peering LANs my AS is connected to + - block *my own* prefixes and all more specifics. +1. *ipv6-unwanted* is similar: + - no default route + - no link local, ULA etc. + - no prefixes from the [IANA IPv6 reserved prefixes list](). There is still some adjustment in IPv6 - so check this page regularly and adjust your filter! + - no prefixes from IXP peering LANs + - my own prefixes +1. The list of *private-as-numbers* looks cryptic, but thats only because Cisco uses regular expressions for these lists traditionally and not numeric ranges: + - We check against invalid AS numbers *anywhere* in the AS path + - no AS0 + - no AS23456 (this was used for the 16- to 32-bit AS transition) + - no private ASes and no ASes reserved for documentation + - again this information can be found at the [IANA AS number registry](https://www.iana.org/assignments/as-numbers/as-numbers.xhtml)
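Review bot: In the AS196610-iosxr.txt hunk, neither prefix-set actually matches the default route, although the README describes it as blocked: `0.0.0.0/0 ge 25 le 32` covers lengths 25-32, `0.0.0.0/0 ge 1 le 7` covers lengths 1-7 and `0.0.0.0/8 le 32` only covers prefixes inside 0.0.0.0/8, so a bare 0.0.0.0/0 (length 0) is matched by nothing and reaches `pass`; the same applies to ::/0 with the `ge 49 le 128` and `ge 1 le 18` entries. Either add exact entries `0.0.0.0/0,` and `::/0,` or drop the `ge 1` so the short-prefix rules read `0.0.0.0/0 le 7` and `::/0 le 18` (length 0 is then included). The IPv6 set also has no entries for ULA, link-local or IPv4-mapped space; `::/0 ge 1 le 18` only drops announcements shorter than /19, so a ULA /48 or a fe80::/64 announcement would pass. Consider adding fc00::/7, fe80::/10 and ::ffff:0:0/96 with `le 128`; on the IPv4 side, 192.0.0.0/24 and 198.18.0.0/15 from the IANA special-purpose registry are likewise absent from ipv4-unwanted.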
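Review bot: In the README.md hunk, the link for the IANA IPv6 list under *ipv6-unwanted* has an empty target (`[IANA IPv6 reserved prefixes list]()`); the intended URL is presumably https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml, the counterpart of the IPv4 registry link above it. The explanation also claims more than the prefix-sets in AS196610-iosxr.txt deliver: "no link local, ULA etc." has no fc00::/7 or fe80::/10 entry behind it, "no default route" has no exact 0.0.0.0/0 or ::/0 entry, and "no prefixes from the IANA IPv4 reserved prefixes list" misses at least 192.0.0.0/24 and 198.18.0.0/15. Either add those entries to the prefix-sets or narrow the wording here so the README matches the filter that is actually deployed. Minor: "thats" should be "that's", and "no prefixes with first digit zero" would be clearer as "nothing from 0.0.0.0/8".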