Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


BGP filters for rfc 1918 and other nasties

  • From: Lee Watterworth
  • Date: Fri Feb 23 10:43:30 2001


I have been doing some looking around for a decent access-list or prefix-list to start my inbound BGP filters. I have found quite a few flawed examples, but none that look solid. What do you use for ingress filters?

Found an interesting link in an ancient (12/97) Nanog post.  Those who have coffee and BGP for breakfast should take a peek.

http://www.employees.org/~tbates/cidr-report.html
http://www.lucentnps.com/knowledge/whitepapers/bgp_main_isp.asp
missing 172.16/12 ???

access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
access-list 100 permit ip any any

http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html

ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 10 deny 1.0.0.0/8 le 32
ip prefix-list bogons seq 15 deny 2.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 25 deny 23.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 31.0.0.0/8 le 32
ip prefix-list bogons seq 35 deny 67.0.0.0/8 le 32
ip prefix-list bogons seq 40 deny 68.0.0.0/6 le 32
ip prefix-list bogons seq 45 deny 72.0.0.0/6 le 32
ip prefix-list bogons seq 50 deny 76.0.0.0/6 le 32
ip prefix-list bogons seq 55 deny 80.0.0.0/6 le 32
ip prefix-list bogons seq 60 deny 84.0.0.0/6 le 32
ip prefix-list bogons seq 65 deny 88.0.0.0/6 le 32
ip prefix-list bogons seq 70 deny 92.0.0.0/6 le 32
ip prefix-list bogons seq 75 deny 96.0.0.0/6 le 32
ip prefix-list bogons seq 80 deny 100.0.0.0/6 le 32
ip prefix-list bogons seq 85 deny 104.0.0.0/6 le 32
ip prefix-list bogons seq 90 deny 108.0.0.0/6 le 32
ip prefix-list bogons seq 95 deny 112.0.0.0/6 le 32
ip prefix-list bogons seq 100 deny 116.0.0.0/6 le 32
ip prefix-list bogons seq 105 deny 120.0.0.0/6 le 32
ip prefix-list bogons seq 110 deny 124.0.0.0/7 le 32
ip prefix-list bogons seq 115 deny 126.0.0.0/8 le 32
ip prefix-list bogons seq 120 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 125 deny 169.254.0.0/16 le 32
ip prefix-list bogons seq 130 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 135 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 140 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 145 deny 198.18.0.0/16 le 32
ip prefix-list bogons seq 150 deny 201.0.0.0/8 le 32
ip prefix-list bogons seq 155 deny 223.255.255.0/24 le 32
ip prefix-list bogons seq 160 deny 224.0.0.0/3 le 32
! Allow all prefixes up to /27. Your mileage may vary,
! so adjust this to fit your specific requirements.
ip prefix-list bogons seq 170 permit 0.0.0.0/0 le 27

-----Original Message-----
From: Chris Davis [mailto:chris.davis@computerjobs.com]
Sent: February 22, 2001 3:39 PM
To: 'nanog@merit.edu'
Subject: rfc 1918?

Hello,

Does anyone know why I get inbound packets from 10.x.x.x coming from my ISP,
UUNet?  They're just headed for a webserver, so it's not likely that they're
up to no good.
This seems to violate rfc 1918.  Am I crazy?

Feb 22 15:29:48 computerjobs-gw 353094: Feb 22 20:30:10.439 UTC:
%SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62438) ->
63.67.217.184(80), 1 packet
Feb 22 15:30:02 computerjobs-gw 353095: Feb 22 20:30:24.024 UTC:
%SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62440) ->
63.67.217.184(80), 1 packet
Feb 22 15:30:06 computerjobs-gw 353096: Feb 22 20:30:28.168 UTC:
%SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62455) ->
63.67.217.184(80), 1 packet
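
As an added example (not part of the original post, the Lucent whitepaper or the Cymru template), here is a small Python evaluator of IOS prefix-list semantics run over a constructed subset of the Cymru list quoted above: entries are tried in sequence order, an entry matches only a candidate that lies inside its prefix with a length within the `le` bound, and anything unmatched hits the implicit deny. It shows that 172.16.0.0/12 is caught at seq 130 (the entry the Lucent access-list lacks), that a /28 is dropped by the final `le 27`, and that a bare default route 0.0.0.0/0 is permitted, because the /8 deny entries only match prefixes at least 8 bits long.

```python
import ipaddress

# Constructed subset of the Cymru prefix-list quoted above, plus its
# description line, to exercise the parser (sample input, not a full list).
PREFIX_LIST = """
ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 130 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 140 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 160 deny 224.0.0.0/3 le 32
ip prefix-list bogons seq 170 permit 0.0.0.0/0 le 27
"""

def parse_prefix_list(text):
    """Parse 'ip prefix-list NAME seq N permit|deny PFX [ge X] [le Y]' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:2] != ["ip", "prefix-list"] or tok[3] != "seq":
            continue  # blank lines, '!' comments and description lines
        net = ipaddress.ip_network(tok[6], strict=False)
        ge = le = net.prefixlen  # no ge/le means exact-length match only
        for kw, val in zip(tok[7::2], tok[8::2]):
            if kw == "ge":
                ge = int(val)
            elif kw == "le":
                le = int(val)
        entries.append((int(tok[4]), tok[5], net, ge, le))
    return sorted(entries, key=lambda e: e[0])

def evaluate(entries, prefix_str):
    """First match in sequence order wins; no match is the implicit deny."""
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    for seq, action, net, ge, le in entries:
        # IOS semantics: the candidate must lie inside NET (so its first
        # net.prefixlen bits agree) and its length must fall in [ge, le].
        if prefix.subnet_of(net) and ge <= prefix.prefixlen <= le:
            return action, seq
    return "deny", None

def check_samples():
    entries = parse_prefix_list(PREFIX_LIST)
    samples = ["10.10.5.0/24", "172.16.0.0/12", "203.0.113.0/24",
               "203.0.113.0/28", "0.0.0.0/0"]
    return {s: evaluate(entries, s) for s in samples}

if __name__ == "__main__":
    for pfx, (action, seq) in check_samples().items():
        print(f"{pfx:16} {action:6} seq {seq}")
```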