# managed by Ansible ## IMPORT FILTERS define BOGON_ASNS = [ 0, # RFC 7607 23456, # RFC 4893 AS_TRANS 64496..64511, # RFC 5398 and documentation/example ASNs 64512..65534, # RFC 6996 Private ASNs 65535, # RFC 7300 Last 16 bit ASN 65536..65551, # RFC 5398 and documentation/example ASNs 65552..131071, # RFC IANA reserved ASNs 4200000000..4294967294, # RFC 6996 Private ASNs 4294967295 ]; # RFC 7300 Last 32 bit ASN # taken from https://github.com/quantum5/bird-filter/blob/master/filter_bgp.conf define BOGON_PREFIXES = [ ::/0, # Default ::/96, # IPv4-compatible IPv6 address - deprecated by RFC4291 ::/128, # Unspecified address ::1/128, # Local host loopback address ::ffff:0.0.0.0/96+, # IPv4-mapped addresses ::224.0.0.0/100+, # Compatible address (IPv4 format) ::127.0.0.0/104+, # Compatible address (IPv4 format) ::0.0.0.0/104+, # Compatible address (IPv4 format) ::255.0.0.0/104+, # Compatible address (IPv4 format) 0000::/8+, # Pool used for unspecified, loopback and embedded IPv4 addresses (RFC 4291?) 0100::/8+, # RFC 6666 - reserved for Discard-Only Address Block 0200::/7+, # OSI NSAP-mapped prefix set (RFC4548) - deprecated by RFC4048 0400::/6+, # RFC 4291 - Reserved by IETF 0800::/5+, # RFC 4291 - Reserved by IETF 1000::/4+, # RFC 4291 - Reserved by IETF 2001:2::/48+, # RFC 5180 BMWG -- https://bgpfilterguide.nlnog.net/guides/bogon_asns/ 2001:10::/28+, # RFC 4843 - Deprecated (previously ORCHID) 2001:20::/28+, # RFC 7343 - ORCHIDv2 2001:db8::/32+, # Reserved by IANA for special purposes and documentation (RFC 3849) 2002::/16+, # RFC 7526 6to4 anycast relay -- https://bgpfilterguide.nlnog.net/guides/bogon_asns/ 2002:e000::/20+, # Invalid 6to4 packets (IPv4 multicast) 2002:7f00::/24+, # Invalid 6to4 packets (IPv4 loopback) 2002:0000::/24+, # Invalid 6to4 packets (IPv4 default) 2002:ff00::/24+, # Invalid 6to4 packets 2002:0a00::/24+, # Invalid 6to4 packets (IPv4 private 10.0.0.0/8 network) 2002:ac10::/28+, # Invalid 6to4 packets (IPv4 private 172.16.0.0/12 network) 2002:c0a8::/32+, # Invalid 6to4 packets (IPv4 private 192.168.0.0/16 network) 3ffe::/16+, # Former 6bone, now decommissioned 4000::/3+, # RFC 4291 - Reserved by IETF 5f00::/8+, # RFC 5156 - used for the 6bone but was returned 6000::/3+, # RFC 4291 - Reserved by IETF 8000::/3+, # RFC 4291 - Reserved by IETF a000::/3+, # RFC 4291 - Reserved by IETF c000::/3+, # RFC 4291 - Reserved by IETF e000::/4+, # RFC 4291 - Reserved by IETF f000::/5+, # RFC 4291 - Reserved by IETF f800::/6+, # RFC 4291 - Reserved by IETF fc00::/7+, # Unicast Unique Local Addresses (ULA) - RFC 4193 fe80::/10+, # Link-local Unicast (RFC 4291) fec0::/10+, # Site-local Unicast - deprecated by RFC 3879 (replaced by ULA) ff00::/8+ # Multicast ]; # not supported (yet???) # -> bool { function is_default_route() { case net.type { NET_IP4: return net = 0.0.0.0/0; NET_IP6: return net = ::/0; else: return false; } } function accept_default_route() { if is_default_route() then accept; } function reject_bogon_asns() int set bogon_asns; { bogon_asns = BOGON_ASNS; if ( bgp_path ~ bogon_asns ) then { print "Reject: bogon AS_PATH: ", net, " ", bgp_path; clearnet_add_filter(FILTER_BOGON_ASN); } } function reject_bogon_prefixes() prefix set bogon_prefixes; { bogon_prefixes = BOGON_PREFIXES; if (net ~ bogon_prefixes) then { print "Reject: Bogon prefix: ", net, " ", bgp_path; clearnet_add_filter(FILTER_BOGON_PREFIX); } } define PROBLEM_PREFIXES = [ ]; function reject_problem_prefixes() prefix set problem_prefixes; { problem_prefixes = PROBLEM_PREFIXES; if (net ~ problem_prefixes) then { print "Reject: Problematic prefix: ", net, " ", bgp_path; clearnet_add_filter(FILTER_PROBLEM_PREFIX); } } function reject_long_aspaths() { if ( bgp_path.len > 15 ) then { clearnet_add_filter(FILTER_LONG_ASPATH); } } function reject_small_prefixes() { if (net.len > 48 && net.type = NET_IP6) then { print "Reject: Too small prefix: ", net, " ", bgp_path; clearnet_add_filter(FILTER_SMALL_V6_PREFIX); } } function reject_roa_rpki() { if ( roa_check(clear_roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID ) then { clearnet_add_filter(FILTER_ROA_RPKI); } } # take the set of allowed ASes (as first AS), according to IRR # adds filter if first AS in BGP path is not in allowed list function reject_irr_invalid_as(int set irr_ases) { if (bgp_path.first !~ irr_ases) then { print "Reject: Not in IRR AS list: ", net, " ", bgp_path; clearnet_add_filter(FILTER_IRR); } } # take the set of allowed prefixes (prefix set), according to IRR # adds filter if net is not in allowed list function reject_irr_invalid_net(prefix set irr_prefixes) { if (net !~ irr_prefixes) then { print "Reject: Not in IRR AS list: ", net, " ", bgp_path; clearnet_add_filter(FILTER_IRR); } } # ... what did I think? Shortest AS path wins anyway. # function prefer_direct_neighbor() # { # if (bgp_path.len = 1) then # bgp_local_pref = bgp_local_pref + 700; # } function clearnet_common_import() { reject_bogon_asns(); reject_bogon_prefixes(); reject_long_aspaths(); reject_small_prefixes(); reject_problem_prefixes(); reject_roa_rpki(); #prefer_direct_neighbor(); honor_graceful_shutdown(); } ## EXPORT FILTERS filter myas_export { if (proto = "myprefix") then { accept; } reject; } # route collector filter myas_f_rc { # export IXP routes after all # if ( clearnet_is_ixp() ) then reject; if (source = RTS_BGP) then accept; if (proto = "myprefix") then accept; reject; };