Filtering Best Practices, et al (Was Verio Peering, Gordon's Knot)

Iljitsch van Beijnum iljitsch at muada.com
Wed Oct 10 08:36:29 UTC 2001


On Tue, 9 Oct 2001, Grant A. Kirkwood wrote:

> I'm currently in the process of setting up a new border router, and the
> recent debate on the above topic got me wondering what the best practice
> filtering policy is? Is there one?

I don't think so. If you want to filter to keep your routing table small,
filtering out all /24s is the way to go. These are 60% of the routing
table. Even in class A and B space, 40% of the announcements are individual
/24s. Most people that announce a /24 are also reachable over an aggregate,
so you wouldn't break too much connectivity.

If you want to filter against bad aggregation, you should look at class A
and B space and 192/8; there is a lot of that going on there, but usually
on "valid" prefix lengths such as /20 in A and /16 in B. So if you want to
filter those routes you'll have to do it on AS number, and you break
connectivity. But you can refuse to peer with ASes that don't aggregate
without having a good reason. (And if there is one for what's going on in
24/8, I'd like to know.)

> And what do people put in place in terms of anti-spoofing ACLs and such?
> There's a wealth of information on these topics, but no real consensus.

Depends on your paranoia level. You should always refuse incoming packets
with local source addresses. Outgoing packets with non-local source
addresses are bad, and incoming ICMP redirects aren't good either. You
should probably have filters that implement all of this at your border
routers, disable source routing and directed broadcasts (on every
interface of every router!) and route 10/8, 127/8, 172.16/12 and
192.168/16 to the null interface. That should be enough for most people.

Others like to filter more aggressively, for instance all non-allocated
address blocks and things like the official test network 192.0.2.0.

Iljitsch van Beijnum
