BGP filters for rfc 1918 and other nasties

Lee Watterworth lwatterworth at rim.net
Fri Feb 23 15:34:36 UTC 2001


I have been doing some looking around for a decent access-list or
prefix-list to start my inbound BGP filters.  I have found quite a few
flawed examples, but none that look solid.  What do you use for ingress
filters?

Found an interesting link in an ancient (12/97) Nanog post.  Those who have
coffee and BGP for breakfast should take a peek.
http://www.employees.org/~tbates/cidr-report.html
http://www.lucentnps.com/knowledge/whitepapers/bgp_main_isp.asp 
missing 172.16/12 ??? 

! Extended ACL applied as a BGP distribute-list: the "source" field matches
! the advertised network, the "destination" field matches its mask.
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
! Reject anything with a mask of /25 or longer.
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
! Extended ACLs need a protocol keyword; "permit any any" alone is a syntax error.
access-list 100 permit ip any any

http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html 

ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 10 deny 1.0.0.0/8 le 32
ip prefix-list bogons seq 15 deny 2.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 25 deny 23.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 31.0.0.0/8 le 32
ip prefix-list bogons seq 35 deny 67.0.0.0/8 le 32
ip prefix-list bogons seq 40 deny 68.0.0.0/6 le 32
ip prefix-list bogons seq 45 deny 72.0.0.0/6 le 32
ip prefix-list bogons seq 50 deny 76.0.0.0/6 le 32
ip prefix-list bogons seq 55 deny 80.0.0.0/6 le 32
ip prefix-list bogons seq 60 deny 84.0.0.0/6 le 32
ip prefix-list bogons seq 65 deny 88.0.0.0/6 le 32
ip prefix-list bogons seq 70 deny 92.0.0.0/6 le 32
ip prefix-list bogons seq 75 deny 96.0.0.0/6 le 32
ip prefix-list bogons seq 80 deny 100.0.0.0/6 le 32
ip prefix-list bogons seq 85 deny 104.0.0.0/6 le 32
ip prefix-list bogons seq 90 deny 108.0.0.0/6 le 32
ip prefix-list bogons seq 95 deny 112.0.0.0/6 le 32
ip prefix-list bogons seq 100 deny 116.0.0.0/6 le 32
ip prefix-list bogons seq 105 deny 120.0.0.0/6 le 32
ip prefix-list bogons seq 110 deny 124.0.0.0/7 le 32
ip prefix-list bogons seq 115 deny 126.0.0.0/8 le 32
ip prefix-list bogons seq 120 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 125 deny 169.254.0.0/16 le 32
ip prefix-list bogons seq 130 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 135 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 140 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 145 deny 198.18.0.0/16 le 32
ip prefix-list bogons seq 150 deny 201.0.0.0/8 le 32
ip prefix-list bogons seq 155 deny 223.255.255.0/24 le 32
ip prefix-list bogons seq 160 deny 224.0.0.0/3 le 32
! Allow all prefixes up to /27. Your mileage may vary,
! so adjust this to fit your specific requirements.
ip prefix-list bogons seq 170 permit 0.0.0.0/0 le 27

-----Original Message-----
From: Chris Davis [mailto:chris.davis at computerjobs.com]
Sent: February 22, 2001 3:39 PM
To: 'nanog at merit.edu'
Subject: rfc 1918?

Hello,

Does anyone know why I get inbound packets from 10.x.x.x coming from my ISP,
UUNet?  They're just headed for a webserver, so it's not likely that they're
up to no good.
This seems to violate rfc 1918.  Am I crazy?

Feb 22 15:29:48 computerjobs-gw 353094: Feb 22 20:30:10.439 UTC: %SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62438) -> 63.67.217.184(80), 1 packet
Feb 22 15:30:02 computerjobs-gw 353095: Feb 22 20:30:24.024 UTC: %SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62440) -> 63.67.217.184(80), 1 packet
Feb 22 15:30:06 computerjobs-gw 353096: Feb 22 20:30:28.168 UTC: %SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62455) -> 63.67.217.184(80), 1 packet
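
The following is an added worked example, not code from either message above nor from the Lucent or Cymru templates they link. It models IOS prefix-list evaluation (first matching sequence wins, `le 32` catches every more-specific, implicit deny at the end) for the special-use ranges in the quoted template, so you can check what a given received route would do before pasting a filter onto a border router. The template's unallocated /6 and /8 blocks (23/8, 68/6 and so on) are deliberately left out: those entries were date-dependent in 2001 and the space has long since been allocated. One deliberate difference from the quoted template: RFC 2544 reserves 198.18.0.0/15, so that block is listed as /15 here rather than /16. The same bogon set is then applied to the three `%SEC-6-IPACCESSLOGP` lines from the original question (embedded below, joined onto single lines) to show that the denied packets come from RFC 1918 space, which is a data-plane ingress-filter problem and not a BGP one. Function and variable names are this example's own.

```python
import ipaddress
import re

# Special-use / RFC 1918 space taken from the prefix-list quoted above.
# 198.18.0.0 is /15 per RFC 2544 (198.18.0.0 - 198.19.255.255).
BOGONS = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.0.2.0/24",
    "192.168.0.0/16",
    "198.18.0.0/15",
    "224.0.0.0/3",
]

# Longest prefix accepted from a peer; the quoted template uses /27.
MAX_ACCEPTED_LEN = 27


def build_prefix_list(bogons=BOGONS, max_len=MAX_ACCEPTED_LEN):
    """Return (seq, action, network, ge, le) tuples in IOS evaluation order:
    deny each bogon and anything more specific, then permit the rest up to max_len."""
    entries = [(5 * (i + 1), "deny", b, None, 32) for i, b in enumerate(bogons)]
    entries.append((5 * (len(bogons) + 1), "permit", "0.0.0.0/0", None, max_len))
    return entries


def entry_matches(network, ge, le, cand):
    """IOS prefix-list semantics: the candidate's first <len> bits must equal the
    entry's, and its length must fall inside the ge/le window (exact if neither)."""
    net = ipaddress.ip_network(network)
    if cand.prefixlen < net.prefixlen or cand.network_address not in net:
        return False
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return lo <= cand.prefixlen <= hi


def evaluate(prefix_list, prefix):
    """First matching entry wins; a prefix that matches nothing hits the implicit deny."""
    cand = ipaddress.ip_network(prefix, strict=False)
    for seq, action, network, ge, le in prefix_list:
        if entry_matches(network, ge, le, cand):
            return action, seq
    return "deny", None


def render_ios(name, prefix_list):
    """Emit the list as IOS 'ip prefix-list' configuration lines."""
    lines = []
    for seq, action, network, ge, le in prefix_list:
        line = f"ip prefix-list {name} seq {seq} {action} {network}"
        if ge is not None:
            line += f" ge {ge}"
        if le is not None:
            line += f" le {le}"
        lines.append(line)
    return lines


# The three log lines from the original question, each joined onto one line.
SAMPLE_LOG = [
    "Feb 22 15:29:48 computerjobs-gw 353094: Feb 22 20:30:10.439 UTC: %SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62438) -> 63.67.217.184(80), 1 packet",
    "Feb 22 15:30:02 computerjobs-gw 353095: Feb 22 20:30:24.024 UTC: %SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62440) -> 63.67.217.184(80), 1 packet",
    "Feb 22 15:30:06 computerjobs-gw 353096: Feb 22 20:30:28.168 UTC: %SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62455) -> 63.67.217.184(80), 1 packet",
]

LOG_RE = re.compile(
    r"list (?P<acl>\d+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)


def bogon_for(address, bogons=BOGONS):
    """Return the bogon block containing `address`, or None if it is routable space."""
    addr = ipaddress.ip_address(address)
    for b in bogons:
        if addr in ipaddress.ip_network(b):
            return b
    return None


def classify_log(lines):
    """Parse %SEC-6-IPACCESSLOGP lines; tag each denied source with its bogon block."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            out.append((m["src"], m["dst"], int(m["dport"]), bogon_for(m["src"])))
    return out


if __name__ == "__main__":
    pl = build_prefix_list()
    print("\n".join(render_ios("bogons", pl)))
    for p in ("172.16.5.0/24", "63.67.217.0/24", "63.67.217.128/28", "198.19.0.0/16"):
        print(p, evaluate(pl, p))
    for rec in classify_log(SAMPLE_LOG):
        print(rec)
```

Run as a script it prints the generated prefix-list and the verdict for a few routes: 172.16.5.0/24 and 198.19.0.0/16 are denied by the bogon entries, 63.67.217.0/24 is permitted, and 63.67.217.128/28 falls through to the implicit deny because it is longer than the /27 ceiling, which is the case the "adjust this to fit your specific requirements" comment in the template is about. The log classifier reports all three denied packets as sourced from 10.0.0.0/8.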
