1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
|
# managed by Ansible
## IMPORT FILTERS
define BOGON_ASNS = [
0, # RFC 7607
23456, # RFC 4893 AS_TRANS
64496..64511, # RFC 5398 and documentation/example ASNs
64512..65534, # RFC 6996 Private ASNs
65535, # RFC 7300 Last 16 bit ASN
65536..65551, # RFC 5398 and documentation/example ASNs
65552..131071, # RFC IANA reserved ASNs
4200000000..4294967294, # RFC 6996 Private ASNs
4294967295 ]; # RFC 7300 Last 32 bit ASN
# taken from https://github.com/quantum5/bird-filter/blob/master/filter_bgp.conf
define BOGON_PREFIXES = [
::/0, # Default
::/96, # IPv4-compatible IPv6 address - deprecated by RFC4291
::/128, # Unspecified address
::1/128, # Local host loopback address
::ffff:0.0.0.0/96+, # IPv4-mapped addresses
::224.0.0.0/100+, # Compatible address (IPv4 format)
::127.0.0.0/104+, # Compatible address (IPv4 format)
::0.0.0.0/104+, # Compatible address (IPv4 format)
::255.0.0.0/104+, # Compatible address (IPv4 format)
0000::/8+, # Pool used for unspecified, loopback and embedded IPv4 addresses (RFC 4291?)
0100::/8+, # RFC 6666 - reserved for Discard-Only Address Block
0200::/7+, # OSI NSAP-mapped prefix set (RFC4548) - deprecated by RFC4048
0400::/6+, # RFC 4291 - Reserved by IETF
0800::/5+, # RFC 4291 - Reserved by IETF
1000::/4+, # RFC 4291 - Reserved by IETF
2001:2::/48+, # RFC 5180 BMWG -- https://bgpfilterguide.nlnog.net/guides/bogon_asns/
2001:10::/28+, # RFC 4843 - Deprecated (previously ORCHID)
2001:20::/28+, # RFC 7343 - ORCHIDv2
2001:db8::/32+, # Reserved by IANA for special purposes and documentation (RFC 3849)
2002::/16+, # RFC 7526 6to4 anycast relay -- https://bgpfilterguide.nlnog.net/guides/bogon_asns/
2002:e000::/20+, # Invalid 6to4 packets (IPv4 multicast)
2002:7f00::/24+, # Invalid 6to4 packets (IPv4 loopback)
2002:0000::/24+, # Invalid 6to4 packets (IPv4 default)
2002:ff00::/24+, # Invalid 6to4 packets
2002:0a00::/24+, # Invalid 6to4 packets (IPv4 private 10.0.0.0/8 network)
2002:ac10::/28+, # Invalid 6to4 packets (IPv4 private 172.16.0.0/12 network)
2002:c0a8::/32+, # Invalid 6to4 packets (IPv4 private 192.168.0.0/16 network)
3ffe::/16+, # Former 6bone, now decommissioned
4000::/3+, # RFC 4291 - Reserved by IETF
5f00::/8+, # RFC 5156 - used for the 6bone but was returned
6000::/3+, # RFC 4291 - Reserved by IETF
8000::/3+, # RFC 4291 - Reserved by IETF
a000::/3+, # RFC 4291 - Reserved by IETF
c000::/3+, # RFC 4291 - Reserved by IETF
e000::/4+, # RFC 4291 - Reserved by IETF
f000::/5+, # RFC 4291 - Reserved by IETF
f800::/6+, # RFC 4291 - Reserved by IETF
fc00::/7+, # Unicast Unique Local Addresses (ULA) - RFC 4193
fe80::/10+, # Link-local Unicast (RFC 4291)
fec0::/10+, # Site-local Unicast - deprecated by RFC 3879 (replaced by ULA)
ff00::/8+ # Multicast
];
# not supported (yet???)
# -> bool {
function is_default_route() {
case net.type {
NET_IP4: return net = 0.0.0.0/0;
NET_IP6: return net = ::/0;
else: return false;
}
}
function accept_default_route() {
if is_default_route() then accept;
}
function reject_bogon_asns()
int set bogon_asns;
{
bogon_asns = BOGON_ASNS;
if ( bgp_path ~ bogon_asns ) then {
print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
clearnet_add_filter(FILTER_BOGON_ASN);
}
}
function reject_bogon_prefixes()
prefix set bogon_prefixes;
{
bogon_prefixes = BOGON_PREFIXES;
if (net ~ bogon_prefixes) then {
print "Reject: Bogon prefix: ", net, " ", bgp_path;
clearnet_add_filter(FILTER_BOGON_PREFIX);
}
}
define PROBLEM_PREFIXES = [
];
function reject_problem_prefixes()
prefix set problem_prefixes;
{
problem_prefixes = PROBLEM_PREFIXES;
if (net ~ problem_prefixes) then {
print "Reject: Problematic prefix: ", net, " ", bgp_path;
clearnet_add_filter(FILTER_PROBLEM_PREFIX);
}
}
function reject_long_aspaths()
{
if ( bgp_path.len > 15 ) then {
clearnet_add_filter(FILTER_LONG_ASPATH);
}
}
function reject_small_prefixes()
{
if (net.len > 48 && net.type = NET_IP6) then {
print "Reject: Too small prefix: ", net, " ", bgp_path;
clearnet_add_filter(FILTER_SMALL_V6_PREFIX);
}
}
function reject_roa_rpki()
{
if ( roa_check(clear_roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID ) then {
clearnet_add_filter(FILTER_ROA_RPKI);
}
}
# take the set of allowed ASes (as first AS), according to IRR
# adds filter if first AS in BGP path is not in allowed list
function reject_irr_invalid_as(int set irr_ases)
{
if (bgp_path.first !~ irr_ases) then {
print "Reject: Not in IRR AS list: ", net, " ", bgp_path;
clearnet_add_filter(FILTER_IRR);
}
}
# take the set of allowed prefixes (prefix set), according to IRR
# adds filter if net is not in allowed list
function reject_irr_invalid_net(prefix set irr_prefixes)
{
if (net !~ irr_prefixes) then {
print "Reject: Not in IRR AS list: ", net, " ", bgp_path;
clearnet_add_filter(FILTER_IRR);
}
}
# ... what did I think? Shortest AS path wins anyway.
# function prefer_direct_neighbor()
# {
# if (bgp_path.len = 1) then
# bgp_local_pref = bgp_local_pref + 700;
# }
function clearnet_common_import() {
reject_bogon_asns();
reject_bogon_prefixes();
reject_long_aspaths();
reject_small_prefixes();
reject_problem_prefixes();
reject_roa_rpki();
#prefer_direct_neighbor();
honor_graceful_shutdown();
}
## EXPORT FILTERS
filter myas_export
{
if (proto = "myprefix") then {
accept;
}
reject;
}
# route collector
filter myas_f_rc
{
# export IXP routes after all
# if ( clearnet_is_ixp() ) then reject;
if (source = RTS_BGP) then accept;
if (proto = "myprefix") then accept;
reject;
};
|
