From a59fd9277d7fb9de830ddc7fe642a2f633b3713e Mon Sep 17 00:00:00 2001 From: Wolfgang Tremmel Date: Thu, 18 Jan 2024 10:40:14 +0100 Subject: [PATCH 1/5] added readme --- personal-filters/wtremmel/README.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 personal-filters/wtremmel/README.md diff --git a/personal-filters/wtremmel/README.md b/personal-filters/wtremmel/README.md new file mode 100644 index 0000000..e69de29 From b106d6949278cdc248bb7de2ea9c5b1b15b377b6 Mon Sep 17 00:00:00 2001 From: Wolfgang Tremmel Date: Thu, 18 Jan 2024 10:46:42 +0100 Subject: [PATCH 2/5] Update README.md --- personal-filters/wtremmel/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/personal-filters/wtremmel/README.md b/personal-filters/wtremmel/README.md index e69de29..c216408 100644 --- a/personal-filters/wtremmel/README.md +++ b/personal-filters/wtremmel/README.md @@ -0,0 +1,6 @@ +# Filters of AS196610 + +## Introduction +AS196610 (DE-CIX Academy) uses [Peering Manager](https://peering-manager.readthedocs.io/en/stable/) to configuer its routers (well, currently only one router running CISCO IOS XR). + +So all filters are auto-generated using templates. However, all filters contain a generic part filtering out unwanted prefixes, and this one is documented here. From 24c607d9242a5e493d1c3dc6cd055e92d48d425c Mon Sep 17 00:00:00 2001 From: Wolfgang Tremmel Date: Thu, 18 Jan 2024 11:25:37 +0100 Subject: [PATCH 3/5] filters and explanation --- personal-filters/wtremmel/AS196610-iosxr.txt | 60 ++++++++++++++++++++ personal-filters/wtremmel/README.md | 29 +++++++++- 2 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 personal-filters/wtremmel/AS196610-iosxr.txt diff --git a/personal-filters/wtremmel/AS196610-iosxr.txt b/personal-filters/wtremmel/AS196610-iosxr.txt new file mode 100644 index 0000000..7cb9712 --- /dev/null +++ b/personal-filters/wtremmel/AS196610-iosxr.txt 
@@ -0,0 +1,60 @@ +route-policy unwanted-routes + if validation-state is invalid then + drop + endif + if destination in ipv4-unwanted then + drop + endif + if destination in ipv6-unwanted then + drop + endif + if as-path in private-as-numbers then + drop + endif + pass +end-policy +! +prefix-set ipv4-unwanted + 0.0.0.0/0 ge 25 le 32, + 0.0.0.0/8 le 32, + 0.0.0.0/0 ge 1 le 7, + 127.0.0.0/8 le 32, + 169.254.0.0/16 le 32, + 192.88.99.0/24 le 32, + 192.168.0.0/16 le 32, + 172.16.0.0/12 le 32, + 10.0.0.0/8 le 32, + 100.64.0.0/10 le 32, + 224.0.0.0/4 le 32, + 240.0.0.0/4 le 32, + 192.0.2.0/24 le 32, + 198.51.100.0/24 le 32, + 203.0.113.0/24 le 32, + 80.81.192.0/21 le 32, + 206.82.104.0/22 le 32, + 206.130.10.0/24 le 32, + 185.1.170.0/23 le 32, + 185.1.210.0/23 le 32, + 185.1.208.0/23 le 32, + 185.1.192.0/23 le 32, + 91.214.253.0/24 le 32 +end-set +! +prefix-set ipv6-unwanted + ::/0 ge 49 le 128, + ::/0 ge 1 le 18, + 2001:db8::/32 le 128, + 2001:7f8::/64 le 128, + 2001:504:36::/64 le 128, + 2001:7f8:9e::/64 le 128, + 2001:7f8:3d::/64 le 128, + 2001:7f8:44::/64 le 128, + 2a02:c50:db8::/48 le 128 +end-set +! +as-path-set private-as-numbers + ios-regex '_0_', + ios-regex '_23456_', + ios-regex '_(6449[6-9]|64[5-9][0-9]{2}|65[0-4][0-9]{2}|655[0-4][0-9]|6555[01])_', + ios-regex '_42[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_' +end-set diff --git a/personal-filters/wtremmel/README.md b/personal-filters/wtremmel/README.md index c216408..3a3da4c 100644 --- a/personal-filters/wtremmel/README.md +++ b/personal-filters/wtremmel/README.md 
@@ -1,6 +1,33 @@ # Filters of AS196610 ## Introduction -AS196610 (DE-CIX Academy) uses [Peering Manager](https://peering-manager.readthedocs.io/en/stable/) to configuer its routers (well, currently only one router running CISCO IOS XR). + +AS196610 (DE-CIX Academy) uses [Peering Manager](https://peering-manager.readthedocs.io/en/stable/) to configuer its routers (well, currently only one router running CISCO IOS XR). So all filters are auto-generated using templates. However, all filters contain a generic part filtering out unwanted prefixes, and this one is documented here. + +## Explanation of filter + +1. We block all RPKI invalid prefixes. +1. This policy is applied to both IPv6 and IPv4 neighbors. Reason: With BGP you can easily announce IPv4 prefixes over an IPv6 session and vice versa. So from you cannot know from the type of session what prefixes need to be checked. +1. *ipv4-unwanted* contains the following: + - prefixes and more specifics of them are blocked + - no default route + - no prefixes with first digit zero + - no loopback ip + - no prefixes from the [IANA IPv4 reserved prefixes list](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml). + - no multicast IPv4 addresses + - no addresses of IXP peering LANs my AS is connected to + - block *my own* prefixes and all more specifics. +1. *ipv6-unwanted* is similar: + - no default route + - no link local, ULA etc. + - no prefixes from the [IANA IPv6 reserved prefixes list](). There is still some adjustment in IPv6 - so check this page regularly and adjust your filter! + - no prefixes from IXP peering LANs + - my own prefixes +1. 
The list of *private-as-numbers* looks cryptic, but thats only because Cisco uses regular expressions for these lists traditionally and not numeric ranges: + - We check against invalid AS numbers *anywhere* in the AS path + - no AS0 + - no AS23456 (this was used for the 16- to 32-bit AS transition) + - no private ASes and no ASes reserved for documentation + - again this information can be found at the [IANA AS number registry](https://www.iana.org/assignments/as-numbers/as-numbers.xhtml) From e3fc52e7f41860f628ec4c81ea0ebd2458f7b03b Mon Sep 17 00:00:00 2001 From: Wolfgang Tremmel Date: Fri, 19 Jan 2024 09:38:46 +0100 Subject: [PATCH 4/5] Update personal-filters/wtremmel/README.md Co-authored-by: mordner --- personal-filters/wtremmel/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/personal-filters/wtremmel/README.md b/personal-filters/wtremmel/README.md index 3a3da4c..3cac365 100644 --- a/personal-filters/wtremmel/README.md +++ b/personal-filters/wtremmel/README.md @@ -9,7 +9,7 @@ So all filters are auto-generated using templates. However, all filters contain ## Explanation of filter 1. We block all RPKI invalid prefixes. -1. This policy is applied to both IPv6 and IPv4 neighbors. Reason: With BGP you can easily announce IPv4 prefixes over an IPv6 session and vice versa. So from you cannot know from the type of session what prefixes need to be checked. +1. This policy is applied to both IPv6 and IPv4 neighbors. Reason: With BGP you can easily announce IPv4 prefixes over an IPv6 session and vice versa. So you cannot know from the type of session what prefixes need to be checked. 1. *ipv4-unwanted* contains the following: - prefixes and more specifics of them are blocked - no default route From c85593878ac7b23b89b86ec589970ba87642f1fe Mon Sep 17 00:00:00 2001 
From: Wolfgang Tremmel Date: Fri, 19 Jan 2024 09:38:52 +0100 Subject: [PATCH 5/5] Update personal-filters/wtremmel/README.md Co-authored-by: mordner --- personal-filters/wtremmel/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/personal-filters/wtremmel/README.md b/personal-filters/wtremmel/README.md index 3cac365..b4cda84 100644 --- a/personal-filters/wtremmel/README.md +++ b/personal-filters/wtremmel/README.md @@ -2,7 +2,7 @@ ## Introduction -AS196610 (DE-CIX Academy) uses [Peering Manager](https://peering-manager.readthedocs.io/en/stable/) to configuer its routers (well, currently only one router running CISCO IOS XR). +AS196610 (DE-CIX Academy) uses [Peering Manager](https://peering-manager.readthedocs.io/en/stable/) to configure its routers (well, currently only one router running CISCO IOS XR). So all filters are auto-generated using templates. However, all filters contain a generic part filtering out unwanted prefixes, and this one is documented here.
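Review bot: In the AS196610-iosxr.txt hunk of 3/5, neither prefix-set matches the default route itself, although the README lists "no default route" for both: `0.0.0.0/0 ge 1 le 7` matches only /1 through /7 and `::/0 ge 1 le 18` only /1 through /18, so an exact 0.0.0.0/0 or ::/0 announcement falls through to `pass`. Dropping the `ge 1` (`0.0.0.0/0 le 7` and `::/0 le 18`) makes the entries cover /0 as well. Two smaller gaps against what the README claims: the IPv4 set lacks the IANA special-purpose blocks 192.0.0.0/24 and 198.18.0.0/15, and the IPv6 set has no `fe80::/10 le 128` or `fc00::/7 le 128`, so link-local and ULA space is only rejected when announced at exactly its registry length and any more specific of it passes. It would also help maintainers if the as-path-set carried a comment stating the numeric ranges the regexes encode (64496-65551 for the 16-bit entry, 4200000000 and up for the 32-bit entry), since they cannot be checked against the IANA registry by eye.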
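Review bot: In the README.md hunk of 3/5, the link `[IANA IPv6 reserved prefixes list]()` has an empty target and renders as a dead link; point it at the IANA IPv6 Special-Purpose Address Registry (https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml). The first bullet under *ipv4-unwanted*, "prefixes and more specifics of them are blocked", does not say which lengths are meant; given `0.0.0.0/0 ge 25 le 32` and `::/0 ge 49 le 128` in the filter file, "anything longer than /24 (IPv4) or /48 (IPv6) is blocked" would state it plainly. The README also never names the file holding the policy (AS196610-iosxr.txt added in the same patch), so a reader cannot find the route-policy being explained. Minor: "thats" should be "that's".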