Ingress filtering on transits, peers, and IX ports

Brian Knight ml at knight-networks.com
Fri Nov 20 20:08:19 UTC 2020


As a final update to this thread, we started blocking spoofed and 
invalid traffic as of early Thursday morning Nov 19th.  So far, knock on 
wood, no reports of issues from our customer base.

In addition, I've been able to verify with the security research team's 
test tool that we are no longer responding to the spoofed DNS requests.

The ACL was implemented as follows:

Ingress

* Deny to and from bogon networks, where bogon is either source or dest
* Deny invalid TCP and UDP ports (currently only port 0) [log]
* Permit to and from transit / peer / IX connected subnets
* For IPv6, also permit link-local IPs (fe80::/10)
* Deny to and from multicast ranges 224.0.0.0/4 and ff00::/8
* Permit ICMP / traceroute over UDP to infrastructure
* Deny all other traffic to infrastructure [log]
* Permit from customer PI / PA space
* Deny from originated aggregate space [log]
* Permit all traffic to customer PI / PA space
* Permit all traffic to aggregate space
* Deny any any [log]

Egress

* Deny to and from bogon networks
* Deny invalid ports [log]
* Permit to and from transit / peer / IX connected subnets
* For IPv6, also permit link-local IPs
* Deny to and from multicast range
* Permit all traffic from any source to customer PI / PA space
* Permit all traffic from customer PI / PA space
* Permit all traffic from aggregate space
* Deny any any [log]

Below I've included the specific $VENDOR_C config I implemented for the 
filtering, sans specifics on our IP blocks.  I hope folks find this 
useful as a guide to their own efforts, and constructive criticism is 
always welcome.

Future work includes:

* Tightening the rules permitting access to/from the transit / peer / IX 
connected subnets, while keeping the ACL general enough for use on all 
Internet-facing interfaces
* Automation of updates to aggregate and customer IP blocks (looking at 
using the irrpt project for this)

Once more, to those who provided valuable input, thank you very much 
indeed!

-Brian


!-------------

! Static ACLs for Service Provider BCP 84 Compliance
! IOS XR config

! IPv4

object-group network ipv4 IPV4-BOGON
   description Invalid IPV4 networks
   0.0.0.0/8
   10.0.0.0/8
   100.64.0.0/10
   127.0.0.0/8
   169.254.0.0/16
   172.16.0.0/12
   192.0.0.0/24
   192.0.2.0/24
   192.168.0.0/16
   198.18.0.0/15
   198.51.100.0/24
   203.0.113.0/24
   240.0.0.0/4
exit

object-group network ipv4 IPV4-TRAN-WAN
   description Transit WAN PtP subnets
   [Point to point /30's go here]
exit

object-group network ipv4 IPV4-IX
   description IX subnets
   [IX /24 and /23 subnets here]
exit

object-group network ipv4 IPV4-PEER-WAN
   description Direct peer WAN PtP subnets
   [Direct peer WAN IPs go here]
exit

object-group network ipv4 IPV4-BGP-AGG
   description ARIN IPV4 Aggregate Blocks
   [Aggregated IP blocks go here]
exit

object-group network ipv4 IPV4-INFRA
   description Infrastructure subnets to be protected
   [List of loopback blocks and backbone / core PtP /30's here]
exit

object-group network ipv4 IPV4-BACKDOOR-HOSTS
   description Hosts observed to be sending valid traffic via Internet
   [One-off hosts, active TCP or UDP traffic was observed during data collection]
exit

object-group network ipv4 IPV4-CUST
   [full list of all customer IP blocks]
   [Includes customer PI blocks, disaggregated PA from other providers,]
   [and PA assigned from your aggregate space]
exit

object-group port TCPUDP-BLOCKED
   eq 0
   [additional ports to be generally blocked, list here]
exit

ipv4 access-list IPV4-INET-IN
   10 remark BCP 84 for transits, IX, and peering
   101 remark *** Block bogon networks as src or dest ***
   110 deny ipv4 net-group IPV4-BOGON any
   111 deny ipv4 any net-group IPV4-BOGON
   201 remark *** Blocked protocols ***
   210 deny udp any port-group TCPUDP-BLOCKED any log
   211 deny udp any any port-group TCPUDP-BLOCKED log
   212 deny tcp any port-group TCPUDP-BLOCKED any log
   213 deny tcp any any port-group TCPUDP-BLOCKED log
   301 remark *** Transit, IX, peer connected networks ***
   310 permit ipv4 net-group IPV4-PEER-WAN any
   311 permit ipv4 any net-group IPV4-PEER-WAN
   312 permit ipv4 net-group IPV4-TRAN-WAN any
   313 permit ipv4 any net-group IPV4-TRAN-WAN
   314 permit ipv4 net-group IPV4-IX any
   315 permit ipv4 any net-group IPV4-IX
   401 remark *** Block multicast ***
   410 deny ipv4 224.0.0.0/4 any
   411 deny ipv4 any 224.0.0.0/4
   ! Only ICMP and UDP traceroute may reach infrastructure addresses from
   ! outside; sources on the transit / peer / IX subnets never get this far,
   ! since 310-315 already permitted them.
   501 remark *** Protect infrastructure subnets ***
   510 deny icmp any net-group IPV4-INFRA fragments log
   511 permit icmp any net-group IPV4-INFRA
   512 permit udp any range 1024 65535 net-group IPV4-INFRA range 33435 33535
   513 permit udp any range 33435 33535 net-group IPV4-INFRA range 1024 65535
   515 deny ipv4 any net-group IPV4-INFRA
   ! Customer-assigned space is matched as a source before the aggregate-wide
   ! deny at 710, so a multihomed customer's traffic arriving via another
   ! provider is accepted even when its PA block was carved from the aggregate;
   ! only the remainder of the aggregate is logged and dropped as spoofed.
   601 remark *** Customer Inet BGP Announced Prefixes ***
   620 permit ipv4 net-group IPV4-CUST any
   640 permit ipv4 net-group IPV4-BACKDOOR-HOSTS any
   701 remark *** Block originated networks ***
   710 deny ipv4 net-group IPV4-BGP-AGG any log
   801 remark *** Permit traffic only to networks we announce ***
   820 permit ipv4 any net-group IPV4-BGP-AGG
   840 permit ipv4 any net-group IPV4-CUST
   901 remark *** Deny all other traffic ***
   910 deny ipv4 any any log
exit

ipv4 access-list IPV4-INET-OUT
   10 remark BCP 84 for transits, IX, and peering
   101 remark *** Block bogon networks as src or dest ***
   110 deny ipv4 net-group IPV4-BOGON any
   111 deny ipv4 any net-group IPV4-BOGON
   201 remark *** Blocked protocols ***
   210 deny udp any port-group TCPUDP-BLOCKED any log
   211 deny udp any any port-group TCPUDP-BLOCKED log
   212 deny tcp any port-group TCPUDP-BLOCKED any log
   213 deny tcp any any port-group TCPUDP-BLOCKED log
   301 remark *** Transit, IX, peer networks ***
   310 permit ipv4 net-group IPV4-PEER-WAN any
   311 permit ipv4 any net-group IPV4-PEER-WAN
   312 permit ipv4 net-group IPV4-TRAN-WAN any
   313 permit ipv4 any net-group IPV4-TRAN-WAN
   314 permit ipv4 net-group IPV4-IX any
   315 permit ipv4 any net-group IPV4-IX
   401 remark *** Block multicast ***
   410 deny ipv4 224.0.0.0/4 any
   411 deny ipv4 any 224.0.0.0/4
   601 remark *** Customer Inet BGP Announced Prefixes ***
   620 permit ipv4 any net-group IPV4-CUST
   640 permit ipv4 any net-group IPV4-BACKDOOR-HOSTS
   801 remark *** Permit locally sourced traffic ***
   820 permit ipv4 net-group IPV4-BGP-AGG any
   840 permit ipv4 net-group IPV4-CUST any
   901 remark *** Deny all other traffic ***
   910 deny ipv4 any any log
exit

! IPv6

object-group network ipv6 IPV6-BOGON
   description Invalid IPV6 networks
   ::/3
   2001::/23
   2001:2::/48
   2001:10::/28
   2001:db8::/32
   2002::/16
   3ffe::/16
   4000::/3
   6000::/3
   8000::/3
   a000::/3
   c000::/3
   e000::/4
   f000::/5
   f800::/6
   fc00::/7
   fe00::/9
   fec0::/10
exit

object-group network ipv6 IPV6-TRAN-WAN
   description Transit WAN PtP subnets
   [Point to point /126's go here]
exit

object-group network ipv6 IPV6-IX
   description IX subnets
   [IX /64 subnets here]
exit

object-group network ipv6 IPV6-PEER-WAN
   description Direct peer WAN PtP subnets
   [Direct peer WAN /126's go here]
exit

object-group network ipv6 IPV6-BGP-AGG
   description ARIN IPV6 Aggregate Blocks
   [Aggregated IP blocks go here]
exit

object-group network ipv6 IPV6-INFRA
   description Infrastructure subnets to be protected
   [List of loopback blocks and backbone / core PtP WAN IPs here]
exit

object-group network ipv6 IPV6-CUST
   [full list of all customer IP blocks]
   [Includes customer PI blocks, disaggregated PA from other providers,]
   [and PA assigned from your aggregate space]
exit

ipv6 access-list IPV6-INET-IN
   10 remark BCP 84 for transits, IX, and peering
   101 remark *** Block bogon networks as src or dest ***
   110 deny ipv6 net-group IPV6-BOGON any
   111 deny ipv6 any net-group IPV6-BOGON
   201 remark *** Blocked protocols ***
   210 deny udp any port-group TCPUDP-BLOCKED any log
   211 deny udp any any port-group TCPUDP-BLOCKED log
   212 deny tcp any port-group TCPUDP-BLOCKED any log
   213 deny tcp any any port-group TCPUDP-BLOCKED log
   301 remark *** Transit, IX, peer connected networks ***
   310 permit ipv6 fe80::/10 any
   311 permit ipv6 net-group IPV6-PEER-WAN any
   312 permit ipv6 any net-group IPV6-PEER-WAN
   313 permit ipv6 net-group IPV6-TRAN-WAN any
   314 permit ipv6 any net-group IPV6-TRAN-WAN
   315 permit ipv6 net-group IPV6-IX any
   316 permit ipv6 any net-group IPV6-IX
   401 remark *** Block multicast ***
   410 deny ipv6 ff00::/8 any
   411 deny ipv6 any ff00::/8
   501 remark *** Protect infrastructure subnets ***
   510 deny icmp any net-group IPV6-INFRA fragments log
   511 permit icmp any net-group IPV6-INFRA
   512 permit udp any range 1024 65535 net-group IPV6-INFRA range 33435 33535
   513 permit udp any range 33435 33535 net-group IPV6-INFRA range 1024 65535
   515 deny ipv6 any net-group IPV6-INFRA
   601 remark *** Customer Inet BGP Announced Prefixes ***
   620 permit ipv6 net-group IPV6-CUST any
   701 remark *** Block networks we originate ***
   710 deny ipv6 net-group IPV6-BGP-AGG any log
   801 remark *** Permit traffic only to networks we announce ***
   820 permit ipv6 any net-group IPV6-BGP-AGG
   840 permit ipv6 any net-group IPV6-CUST
   901 remark *** Deny all other traffic ***
   910 deny ipv6 any any log
exit

ipv6 access-list IPV6-INET-OUT
   10 remark BCP 84 for transits, IX, and peering
   101 remark *** Block bogon networks as src or dest ***
   110 deny ipv6 net-group IPV6-BOGON any
   111 deny ipv6 any net-group IPV6-BOGON
   201 remark *** Blocked protocols ***
   210 deny udp any port-group TCPUDP-BLOCKED any log
   211 deny udp any any port-group TCPUDP-BLOCKED log
   212 deny tcp any port-group TCPUDP-BLOCKED any log
   213 deny tcp any any port-group TCPUDP-BLOCKED log
   301 remark *** Transit, IX, peer networks ***
   310 permit ipv6 fe80::/10 any
   311 permit ipv6 net-group IPV6-PEER-WAN any
   312 permit ipv6 any net-group IPV6-PEER-WAN
   313 permit ipv6 net-group IPV6-TRAN-WAN any
   314 permit ipv6 any net-group IPV6-TRAN-WAN
   315 permit ipv6 net-group IPV6-IX any
   316 permit ipv6 any net-group IPV6-IX
   401 remark *** Block multicast ***
   410 deny ipv6 ff00::/8 any
   411 deny ipv6 any ff00::/8
   601 remark *** Customer Inet BGP Announced Prefixes ***
   620 permit ipv6 any net-group IPV6-CUST
   801 remark *** Permit locally sourced traffic ***
   820 permit ipv6 net-group IPV6-BGP-AGG any
   840 permit ipv6 net-group IPV6-CUST any
   901 remark *** Deny all other traffic ***
   910 deny ipv6 any any log
exit


! On any transit, IX, or peer port
!
interface TenGigE0/0/0/0
   ipv4 access-group IPV4-INET-IN ingress
   ipv4 access-group IPV4-INET-OUT egress
   ipv6 access-group IPV6-INET-IN ingress
   ipv6 access-group IPV6-INET-OUT egress
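Added example, not Brian's tooling or config: a Python model of the posted IPV4-INET-IN ordering that walks constructed packets through the ACEs and reports which sequence number each one hits. The bogon list is the one posted; the transit / IX / peer / aggregate / infra / customer prefixes, the "remote Internet host" address and the packets themselves are placeholders I made up, and fragment matching follows Cisco's documented behaviour for ACEs with and without L4 info. It makes the ordering consequences visible before the ACL goes on a box: an infra loopback inside the aggregate is denied at 515 before 820 could permit it, a source on the IX subnet is permitted at 314 before the infra section is ever reached (the tightening item in the future-work list), and customer-assigned space is accepted as a source while the rest of the aggregate is logged and dropped at 710.

```python
"""Offline model of the posted IPV4-INET-IN ACL.  Added example, not the post's own
tooling; the bogon list is the one posted, every other prefix or address is a placeholder."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

def nets(*cidrs):
    return [ip_network(c) for c in cidrs]

IPV4_BOGON = nets("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
                  "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
                  "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
                  "203.0.113.0/24", "240.0.0.0/4")
MULTICAST = nets("224.0.0.0/4")
# Placeholders for the post's [...] object-group entries (assumed numbering, not real).
PEER_WAN, TRAN_WAN, IX = nets("203.0.116.0/30"), nets("203.0.114.0/30"), nets("203.0.115.0/24")
BGP_AGG, INFRA = nets("203.0.128.0/20"), nets("203.0.128.0/24")  # aggregate; infra carved from it
CUST = nets("203.0.129.0/24", "203.0.200.0/24")   # PA from the aggregate plus a customer PI block
BACKDOOR = nets("203.0.130.7/32")
REMOTE = "203.0.240.5"                            # placeholder for an arbitrary Internet host
ANY, BLOCKED, TRACE, HIGH = None, (0, 0), (33435, 33535), (1024, 65535)

@dataclass
class Rule:
    seq: int
    action: str                  # "permit" | "deny"
    proto: str                   # "ipv4" matches every protocol
    src: list = ANY
    sport: tuple = ANY
    dst: list = ANY
    dport: tuple = ANY
    fragments: bool = False      # IOS `fragments` keyword: non-initial fragments only

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "udp"
    sport: int = None
    dport: int = None
    frag: bool = False           # non-initial fragment, i.e. no L4 header on the wire

IPV4_INET_IN = [  # same sequence numbers as the posted ACL
    Rule(110, "deny", "ipv4", src=IPV4_BOGON), Rule(111, "deny", "ipv4", dst=IPV4_BOGON),
    Rule(210, "deny", "udp", sport=BLOCKED), Rule(211, "deny", "udp", dport=BLOCKED),
    Rule(212, "deny", "tcp", sport=BLOCKED), Rule(213, "deny", "tcp", dport=BLOCKED),
    Rule(310, "permit", "ipv4", src=PEER_WAN), Rule(311, "permit", "ipv4", dst=PEER_WAN),
    Rule(312, "permit", "ipv4", src=TRAN_WAN), Rule(313, "permit", "ipv4", dst=TRAN_WAN),
    Rule(314, "permit", "ipv4", src=IX), Rule(315, "permit", "ipv4", dst=IX),
    Rule(410, "deny", "ipv4", src=MULTICAST), Rule(411, "deny", "ipv4", dst=MULTICAST),
    Rule(510, "deny", "icmp", dst=INFRA, fragments=True), Rule(511, "permit", "icmp", dst=INFRA),
    Rule(512, "permit", "udp", sport=HIGH, dst=INFRA, dport=TRACE),
    Rule(513, "permit", "udp", sport=TRACE, dst=INFRA, dport=HIGH),
    Rule(515, "deny", "ipv4", dst=INFRA),
    Rule(620, "permit", "ipv4", src=CUST), Rule(640, "permit", "ipv4", src=BACKDOOR),
    Rule(710, "deny", "ipv4", src=BGP_AGG), Rule(820, "permit", "ipv4", dst=BGP_AGG),
    Rule(840, "permit", "ipv4", dst=CUST), Rule(910, "deny", "ipv4"),
]

def _in(addr, group):
    return group is ANY or any(ip_address(addr) in n for n in group)

def _port(value, rng):
    return rng is ANY or (value is not None and rng[0] <= value <= rng[1])

def evaluate(acl, pkt):
    """(seq, action) of the first matching ACE, or (None, 'deny') for the implicit deny."""
    for r in acl:
        if r.proto not in ("ipv4", pkt.proto):
            continue
        if not (_in(pkt.src, r.src) and _in(pkt.dst, r.dst)) or (r.fragments and not pkt.frag):
            continue
        if pkt.frag and (r.sport is not ANY or r.dport is not ANY):
            # Cisco's documented fragment handling: a non-initial fragment carries no ports,
            # so a permit ACE with L4 info matches on its L3 part and a deny ACE is skipped.
            if r.action == "permit":
                return r.seq, r.action
            continue
        if _port(pkt.sport, r.sport) and _port(pkt.dport, r.dport):
            return r.seq, r.action
    return None, "deny"

CASES = [  # (constructed packet, ACE it should hit, why that matters)
    (Packet("10.1.2.3", "203.0.129.10", "udp", 5353, 53), 110, "RFC 1918 source"),
    (Packet(REMOTE, "203.0.129.10", "udp", 0, 53), 210, "UDP source port 0"),
    (Packet("203.0.115.7", "203.0.128.1", "tcp", 4444, 179), 314, "IX source to infra: 314 precedes 515"),
    (Packet(REMOTE, "203.0.128.1", "tcp", 4444, 22), 515, "infra loopback denied though inside aggregate"),
    (Packet(REMOTE, "203.0.128.1", "udp", 40000, 33440), 512, "traceroute probe to infra"),
    (Packet(REMOTE, "203.0.128.1", "icmp", frag=True), 510, "non-initial ICMP fragment to infra"),
    (Packet(REMOTE, "203.0.128.1", "tcp", frag=True), 515, "TCP fragment: 212/213 skipped, 515 applies"),
    (Packet("203.0.131.9", "203.0.129.10", "tcp", 4444, 80), 710, "unassigned aggregate space as source"),
    (Packet("203.0.129.10", "203.0.140.1", "tcp", 4444, 80), 620, "customer PA as source (multihomed)"),
    (Packet(REMOTE, "203.0.200.9", "tcp", 4444, 443), 840, "Internet host to a customer PI block"),
    (Packet(REMOTE, "203.0.250.1", "tcp", 4444, 443), 910, "transit for a prefix we do not announce"),
]

def check_all():
    """Cases whose first-matching ACE differs from the expectation; empty means the model agrees."""
    return [(why, got, want) for pkt, want, why in CASES
            if (got := evaluate(IPV4_INET_IN, pkt)[0]) != want]

if __name__ == "__main__":
    print(check_all() or "every constructed packet hit the expected ACE")
```

To try a proposed reordering, edit IPV4_INET_IN and rerun; any case whose outcome changes shows up in check_all(). The model covers only what the posted ACEs use (prefix groups, port ranges, the fragments keyword), so a rule that relies on other match criteria would need the evaluator extended first.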


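A second added example, also not from the post: the IPV6-BOGON group is hand-enumerated, so it is worth checking that it, together with the three ranges the ACL handles on their own ACEs (fe80::/10 permitted at 310, ff00::/8 denied at 410/411, and 2000::/3 left to the customer / aggregate ACEs), tiles the whole address space with no gap, that no bogon entry overlaps the link-local range (110 fires before 310, so such an overlap would drop the neighbour's NDP and BGP traffic), and which entries are redundant because another entry already contains them. For the posted list the coverage and link-local checks pass, and the nesting check reports that 2001:2::/48 and 2001:10::/28 already sit inside 2001::/23 (as does Teredo, 2001::/32, which is worth knowing when deciding whether to keep that /23). The bogon prefixes are the posted ones; the functions and their names are mine.

```python
"""Coverage check for the posted IPV6-BOGON object-group.  Added example, not the
post's own tooling; the prefixes are the ones posted."""
from ipaddress import ip_network

IPV6_BOGON = [ip_network(p) for p in (
    "::/3", "2001::/23", "2001:2::/48", "2001:10::/28", "2001:db8::/32", "2002::/16",
    "3ffe::/16", "4000::/3", "6000::/3", "8000::/3", "a000::/3", "c000::/3",
    "e000::/4", "f000::/5", "f800::/6", "fc00::/7", "fe00::/9", "fec0::/10")]
LINK_LOCAL = ip_network("fe80::/10")                     # permitted by ACE 310
# Ranges the ACL deals with outside the bogon group: link-local permit, multicast
# deny, and global unicast, which falls through to the customer / aggregate ACEs.
HANDLED_ELSEWHERE = [LINK_LOCAL, ip_network("ff00::/8"), ip_network("2000::/3")]

def coverage_gaps(bogons=IPV6_BOGON):
    """Address space covered neither by the bogon list nor by HANDLED_ELSEWHERE."""
    remaining = [ip_network("::/0")]
    for n in list(bogons) + HANDLED_ELSEWHERE:
        nxt = []
        for r in remaining:
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))    # carve n out (nothing left if n == r)
            elif not r.subnet_of(n):
                nxt.append(r)                        # disjoint: keep as is
        remaining = nxt
    return [str(r) for r in sorted(remaining)]

def nested_entries(bogons=IPV6_BOGON):
    """(entry, containing entry) pairs: harmless, but dead weight in the object-group."""
    return [(str(a), str(b)) for a in bogons for b in bogons if a != b and a.subnet_of(b)]

def link_local_conflicts(bogons=IPV6_BOGON):
    """Bogon entries overlapping fe80::/10; ACE 110 would deny them before 310 permits."""
    return [str(n) for n in bogons if n.overlaps(LINK_LOCAL)]

if __name__ == "__main__":
    print("gaps:", coverage_gaps())
    print("nested:", nested_entries())
    print("link-local conflicts:", link_local_conflicts())
```

Rerun the three checks whenever the group is edited; dropping an entry such as fec0::/10 shows up immediately as a gap, which matters here because anything not matched by 110/111 falls through to the permits later in the list.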