what is this?  

martians.org.uk: jottings of useful sanity checks for network configurations.


references  
RFC1918
   Address Allocation for Private Internets
RFC2827 / BCP38
   Network Ingress Filtering
IANA Special Use Blocks
   Bill Manning draft document
RIPE-228
   Recommendations for Flap Dampening Parameters
IANA IP blocks (v4) (v6)
   List of all IANA IPv4 and IPv6 blocks and organisation assigned to
AFRINIC CIDR Blocks
   Smallest allocations from AFRINIC CIDR Blocks (not documented on the website, but appears to be /22 from 41/8 and /24 from 196/8)
APNIC CIDR Blocks
   Smallest allocations from APNIC CIDR Blocks
ARIN CIDR Blocks
   Smallest allocations from ARIN CIDR Blocks
LACNIC CIDR Blocks
   Smallest allocations from LACNIC CIDR Blocks
RIPE CIDR Blocks
   Smallest allocations from RIPE CIDR Blocks
Secure BGP Template
   A more inclusive prefix-list (which will need maintaining as new CIDR blocks become allocated to prevent loss of reachability)

 

BGP Filter  

 

no ip prefix-list nomartians
! no default route
ip prefix-list nomartians seq 1 deny 0.0.0.0/0
! no class D/E, nor anything more specific within it
ip prefix-list nomartians seq 5 deny 224.0.0.0/3 le 32
! nothing in 0/8 or 127/8, nor anything more specific
ip prefix-list nomartians seq 10 deny 0.0.0.0/8 le 32
ip prefix-list nomartians seq 15 deny 127.0.0.0/8 le 32
! RFC1918 private space and anything more specific
ip prefix-list nomartians seq 20 deny 10.0.0.0/8 le 32
ip prefix-list nomartians seq 25 deny 172.16.0.0/12 le 32
ip prefix-list nomartians seq 30 deny 192.168.0.0/16 le 32
! IANA reserved (link-local, TEST-NET) and anything more specific
ip prefix-list nomartians seq 35 deny 169.254.0.0/16 le 32
ip prefix-list nomartians seq 40 deny 192.0.2.0/24 le 32
! exchange-point specifics: the LINX, DECIX and MaNAP /23s themselves fall
! through to the permit below, but nothing /24 or longer from inside them
ip prefix-list nomartians seq 45 deny 195.66.224.0/23 ge 24
ip prefix-list nomartians seq 47 deny 195.66.226.0/23 ge 24
ip prefix-list nomartians seq 50 deny 80.81.192.0/23 ge 24
ip prefix-list nomartians seq 55 deny 212.121.32.0/23 ge 24
! ARIN CIDR blocks: the exact /8 should never be announced (no "le", so
! more-specifics inside these /8s are still allowed through)
ip prefix-list nomartians seq 60 deny 24.0.0.0/8
ip prefix-list nomartians seq 65 deny 63.0.0.0/8
ip prefix-list nomartians seq 70 deny 64.0.0.0/8
ip prefix-list nomartians seq 75 deny 65.0.0.0/8
ip prefix-list nomartians seq 80 deny 66.0.0.0/8
ip prefix-list nomartians seq 85 deny 67.0.0.0/8
ip prefix-list nomartians seq 90 deny 68.0.0.0/8
ip prefix-list nomartians seq 91 deny 69.0.0.0/8
ip prefix-list nomartians seq 92 deny 70.0.0.0/8
ip prefix-list nomartians seq 105 deny 196.0.0.0/8
ip prefix-list nomartians seq 110 deny 198.0.0.0/8
ip prefix-list nomartians seq 115 deny 199.0.0.0/8
ip prefix-list nomartians seq 125 deny 204.0.0.0/8
ip prefix-list nomartians seq 130 deny 205.0.0.0/8
ip prefix-list nomartians seq 135 deny 206.0.0.0/8
ip prefix-list nomartians seq 140 deny 207.0.0.0/8
ip prefix-list nomartians seq 145 deny 208.0.0.0/8
ip prefix-list nomartians seq 150 deny 209.0.0.0/8
ip prefix-list nomartians seq 155 deny 216.0.0.0/8
! RIPE CIDR blocks: likewise, the exact /8 only
ip prefix-list nomartians seq 160 deny 62.0.0.0/8
ip prefix-list nomartians seq 165 deny 80.0.0.0/8
ip prefix-list nomartians seq 170 deny 81.0.0.0/8
ip prefix-list nomartians seq 175 deny 193.0.0.0/8
ip prefix-list nomartians seq 180 deny 194.0.0.0/8
ip prefix-list nomartians seq 185 deny 195.0.0.0/8
ip prefix-list nomartians seq 190 deny 212.0.0.0/8
ip prefix-list nomartians seq 195 deny 213.0.0.0/8
ip prefix-list nomartians seq 200 deny 217.0.0.0/8
! what to permit: everything else between /7 and /24; anything longer than
! /24 falls through to the implicit deny at the end of the list
ip prefix-list nomartians seq 300 permit 0.0.0.0/0 ge 7 le 24
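Cisco prefix-list matching in code, as an added example that is not part of the original page: the parser reads lines in the syntax above (a constructed subset of the nomartians list, same sequence numbers and entries), applies IOS first-match semantics for exact, ge and le lengths, and reports which sequence number catches a given announcement. The line-match rules encoded in the comments are the standard IOS ones, not something the page states.

```python
import ipaddress
import re

# Constructed subset of the page's nomartians prefix-list (same sequence numbers
# and entries as the page); "!" lines and "#" annotations are ignored by the parser.
NOMARTIANS = """\
! no default, no class D/E, nothing in 0/8, RFC1918
ip prefix-list nomartians seq 1 deny 0.0.0.0/0
ip prefix-list nomartians seq 5 deny 224.0.0.0/3 le 32
ip prefix-list nomartians seq 10 deny 0.0.0.0/8 le 32
ip prefix-list nomartians seq 20 deny 10.0.0.0/8 le 32
ip prefix-list nomartians seq 45 deny 195.66.224.0/23 ge 24 #LINX specifics
ip prefix-list nomartians seq 60 deny 24.0.0.0/8 #ARIN CIDR block, exact /8 only
ip prefix-list nomartians seq 160 deny 62.0.0.0/8 #RIPE CIDR block, exact /8 only
ip prefix-list nomartians seq 300 permit 0.0.0.0/0 ge 7 le 24 #what to permit
"""
ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<net>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

def parse_prefix_list(text):
    """Return (seq, action, network, min_len, max_len) tuples in sequence order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unparsed prefix-list line: " + line)
        net = ipaddress.ip_network(m["net"])
        # IOS length semantics: no ge/le -> exact length only; le only -> entry
        # length..le; ge only -> ge..32; ge and le -> ge..le
        lo = int(m["ge"]) if m["ge"] else net.prefixlen
        hi = int(m["le"]) if m["le"] else (32 if m["ge"] else net.prefixlen)
        entries.append((int(m["seq"]), m["action"], net, lo, hi))
    return sorted(entries)

def evaluate(entries, prefix):
    """First matching entry decides; no match hits the implicit deny at the end."""
    p = ipaddress.ip_network(prefix)
    for seq, action, net, lo, hi in entries:
        if p.network_address in net and lo <= p.prefixlen <= hi:
            return action, seq
    return "deny", None

ENTRIES = parse_prefix_list(NOMARTIANS)
```

Note the two different shapes of deny: 195.66.224.0/23 itself reaches seq 300 and is permitted while 195.66.224.0/24 is caught at seq 45, and 24.0.0.0/8 is caught at seq 60 while 24.1.0.0/16 is permitted.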

 

 

Packet Filter  

! should never see packets FROM this range (class D/E source addresses)
access-list 2026 deny ip 224.0.0.0 31.255.255.255 any
! redirects have no business coming into your network
access-list 2026 deny icmp any any redirect
! placed before the RFC1918 denies so as not to break traceroute (ttl-exceeded)
! and PMTUD (packet-too-big) through RFC1918-numbered infrastructure
access-list 2026 permit icmp any any ttl-exceeded
access-list 2026 permit icmp any any packet-too-big
! RFC2267 (now RFC2827 / BCP38) ingress filtering of private and bogus sources
access-list 2026 deny ip 10.0.0.0 0.255.255.255 any
access-list 2026 deny ip 172.16.0.0 0.15.255.255 any
access-list 2026 deny ip 192.168.0.0 0.0.255.255 any
access-list 2026 deny ip 0.0.0.0 0.255.255.255 any
access-list 2026 deny ip 127.0.0.0 0.255.255.255 any
! IANA reserved
access-list 2026 deny ip 169.254.0.0 0.0.255.255 any
access-list 2026 deny ip 192.0.2.0 0.0.0.255 any
! this and the following permits are split out for traffic classification;
! the final "permit ip any any" lets everything else through
access-list 2026 permit icmp any any echo
access-list 2026 permit icmp any any echo-reply
access-list 2026 permit udp any any eq echo
access-list 2026 permit udp any eq echo any
access-list 2026 permit tcp any any established
access-list 2026 permit tcp any any
access-list 2026 permit ip any any
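An added example, not from the original page, that evaluates a constructed excerpt of access-list 2026 against sample packets to show why the ICMP ttl-exceeded permit has to sit above the RFC1918 source denies: an ICMP time-exceeded from a 10/8 hop is let through, while a TCP packet from the same source is dropped. It supports only the grammar the page uses (any, address/wildcard pairs, eq echo, ICMP type keywords, established); the packets are plain dicts constructed here.

```python
from ipaddress import IPv4Address

# Constructed excerpt of the page's access-list 2026, kept in the page's order:
# the ICMP ttl-exceeded permit sits above the RFC1918 source denies on purpose.
ACL_2026 = """\
access-list 2026 deny ip 224.0.0.0 31.255.255.255 any
access-list 2026 deny icmp any any redirect
access-list 2026 permit icmp any any ttl-exceeded
access-list 2026 deny ip 10.0.0.0 0.255.255.255 any
access-list 2026 permit udp any eq echo any
access-list 2026 permit tcp any any established
access-list 2026 permit ip any any
"""
PORT_NAMES = {"echo": 7}  # the only IOS port keyword the page uses

def _addr_spec(tokens):
    # Consume 'any' or 'ADDR WILDCARD' (wildcard bit 1 = don't care), then an optional 'eq PORT'.
    if tokens[0] == "any":
        addr, wild, n = 0, 0xFFFFFFFF, 1
    else:
        addr, wild, n = int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1])), 2
    port = int(PORT_NAMES.get(tokens[n + 1], tokens[n + 1])) if tokens[n:n + 1] == ["eq"] else None
    del tokens[:n + (0 if port is None else 2)]
    return addr, wild, port

def parse_acl(text):
    # Entries are (action, proto, src_spec, dst_spec, qualifiers) with qualifiers
    # being the leftover keywords, e.g. {"ttl-exceeded"} or {"established"}.
    entries = []
    for line in text.splitlines():
        t = line.split("#", 1)[0].split()
        if not t or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src = _addr_spec(rest)
        dst = _addr_spec(rest)
        entries.append((action, proto, src, dst, set(rest)))
    return entries

def evaluate(entries, pkt):
    # First match wins; IOS ACLs end with an implicit deny. pkt carries proto/src/dst
    # plus optional sport/dport/flags (flags = ICMP type keyword or "established").
    s, d = (int(IPv4Address(pkt[k])) for k in ("src", "dst"))
    for action, proto, (sa, sw, sp), (da, dw, dp), quals in entries:
        if (proto in ("ip", pkt["proto"])
                and (s | sw) == (sa | sw) and (d | dw) == (da | dw)
                and sp in (None, pkt.get("sport")) and dp in (None, pkt.get("dport"))
                and quals <= pkt.get("flags", set())):
            return action
    return "deny"
```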

 

Flap Damp  

! root nameserver prefixes: exempted from dampening by the deny clause below
ip prefix-list rootservers seq 5 permit 198.41.0.0/24
ip prefix-list rootservers seq 10 permit 128.9.0.0/16
ip prefix-list rootservers seq 15 permit 192.33.4.0/24
ip prefix-list rootservers seq 20 permit 128.8.0.0/16
ip prefix-list rootservers seq 25 permit 192.203.230.0/24
ip prefix-list rootservers seq 30 permit 192.5.4.0/23
ip prefix-list rootservers seq 35 permit 192.112.36.0/24
ip prefix-list rootservers seq 40 permit 128.63.0.0/16
ip prefix-list rootservers seq 45 permit 192.36.148.0/24
ip prefix-list rootservers seq 50 permit 193.0.14.0/24
ip prefix-list rootservers seq 55 permit 198.32.64.0/24
ip prefix-list rootservers seq 60 permit 202.12.27.0/24
!
! graded by prefix length: the longer the prefix, the harder it is dampened
ip prefix-list damplongprefixes seq 5 permit 0.0.0.0/0 ge 24
ip prefix-list dampmediumprefixes seq 5 permit 0.0.0.0/0 ge 22 le 23
ip prefix-list dampshortprefixes seq 5 permit 0.0.0.0/0 le 21
!
! a deny clause means matching prefixes are never dampened
route-map graded-flap-damping deny 10
 match ip address prefix-list rootservers
!
! set dampening <half-life> <reuse> <suppress> <max-suppress-time>
route-map graded-flap-damping permit 20
 match ip address prefix-list damplongprefixes
 set dampening 15 820 3000 30
!
route-map graded-flap-damping permit 30
 match ip address prefix-list dampmediumprefixes
 set dampening 15 750 3000 45
!
route-map graded-flap-damping permit 40
 match ip address prefix-list dampshortprefixes
 set dampening 10 1500 3000 30
!
router bgp xxx
 bgp dampening route-map graded-flap-damping
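Added worked arithmetic for the three dampening tiers above, not from the original page. It assumes the standard IOS model: 1000 penalty points per flap, the penalty halving every half-life minutes, suppression once the penalty exceeds the suppress limit, reuse once it decays below the reuse limit, and a penalty ceiling of reuse × 2^(max-suppress-time / half-life).

```python
import math

# The three tiers of the page's graded-flap-damping route-map, in IOS argument
# order: (half-life minutes, reuse limit, suppress limit, max-suppress-time minutes).
TIERS = {
    "long (/24 and longer)": (15, 820, 3000, 30),
    "medium (/22 to /23)": (15, 750, 3000, 45),
    "short (/21 and shorter)": (10, 1500, 3000, 30),
}
FLAP_PENALTY = 1000  # assumption: IOS adds 1000 penalty points per flap (withdrawal)

def max_penalty(half_life, reuse, suppress, max_suppress):
    """Ceiling IOS derives from the parameters: reuse * 2^(max_suppress / half_life)."""
    return reuse * 2 ** (max_suppress / half_life)

def penalty_after_flaps(flaps, half_life, reuse, suppress, max_suppress):
    """Penalty after `flaps` flaps in quick succession (no decay between), clamped."""
    return min(flaps * FLAP_PENALTY, max_penalty(half_life, reuse, suppress, max_suppress))

def decayed(penalty, minutes, half_life):
    """Exponential decay: the penalty halves every half_life minutes."""
    return penalty * 2 ** (-minutes / half_life)

def minutes_until_reuse(penalty, half_life, reuse, suppress, max_suppress):
    """Minutes until a suppressed penalty decays below the reuse limit, capped by IOS."""
    if penalty <= reuse:
        return 0.0
    return min(half_life * math.log2(penalty / reuse), max_suppress)

def suppression_report(flaps):
    """Per tier: (penalty, suppressed?, minutes until the route is readvertised)."""
    report = {}
    for name, params in TIERS.items():
        penalty = penalty_after_flaps(flaps, *params)
        suppressed = penalty > params[2]  # suppressed once the penalty EXCEEDS the limit
        wait = minutes_until_reuse(penalty, *params) if suppressed else 0.0
        report[name] = (penalty, suppressed, wait)
    return report
```

With these parameters three rapid flaps of a /24 leave the penalty at exactly 3000, which does not exceed the suppress limit, while the fourth flap is clamped to the 3280 ceiling and the route stays suppressed for the full 30 minutes.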

 

contact me?   Comments.. Suggestions..

Any omissions, suggestions, comments, email james at martians dot org dot uk.

 

Martians Just say no!





Copyright © 2001 James Rice - All Rights Reserved