[3424] in North American Network Operators' Group


Re: 10/8 announced ?

daemon@ATHENA.MIT.EDU (Stephen Stuart)
Thu Jul 11 01:35:09 1996

To: nanog@merit.edu
Cc: stuart@pa.dec.com
In-Reply-To: Your message of Wed, 10 Jul 96 21:46:00 -0400.
             <199607110147.SAA07530@lint.cisco.com> 
Date: Wed, 10 Jul 96 22:20:09 -0700
From: Stephen Stuart <stuart@pa.dec.com>

> 10/8 gets announced at least once a day by someone somewhere. Really.
> 
> So what else is new? Smart providers explicitly filter RFC-1918 address
> space.  ;-)

In response to an appearance in May of some 192.168/16 prefixes, Paul
Vixie sent this to the NANOG list. I wrote up a gated analogue for
Digital's border routers; if anyone wants one, send me mail.

> Message-Id: <9605230534.AA26573@wisdom.home.vix.com>
> To: nanog@merit.edu
> Subject: Re: RFC 1597 
> Date: Wed, 22 May 1996 22:34:17 -0700
> From: Paul A Vixie <paul@vix.com>
> 
> > *> 192.168.22.0     144.228.71.5    0 1239 1800 1804 1128 1955 3337 ?
> > *> 192.168.100.0/22 144.228.71.5    0 1239 1794 ?
> > *> 192.168.216.0    144.228.71.5    0 1239 1800 1755 1273 ?
> > 
> > Shame on you 3337, 1794 and 1273.
> 
> Indeed.  Since it's not my turn to be at fault for this kind of thing tonight,
> I guess I'll chime in with a copy of some useful goodies that Andrew Partan
> bestowed upon me last time CIX was caught advertising something bad:
> 
> router bgp xxxx
>  neighbor y.y.y.y remote-as zzzz
>  neighbor y.y.y.y distribute-list 100 in
>  neighbor y.y.y.y distribute-list 101 out
> 
> access-list 100 deny   ip host 0.0.0.0 any
> access-list 100 deny   ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> access-list 100 deny   ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> access-list 100 deny   ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
> access-list 100 deny   ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> access-list 100 deny   ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
> access-list 100 deny   ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> access-list 100 deny   ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> access-list 100 deny   ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
> access-list 100 deny   ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
> access-list 100 deny   ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
> access-list 100 deny   ip any 255.255.255.128 0.0.0.127
> access-list 100 permit ip any any
> 
> access-list 101 deny   ip host 0.0.0.0 any
> access-list 101 deny   ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> access-list 101 deny   ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> access-list 101 deny   ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
> access-list 101 deny   ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> access-list 101 deny   ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
> access-list 101 deny   ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> access-list 101 deny   ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> access-list 101 deny   ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
> access-list 101 deny   ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
> access-list 101 deny   ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
> access-list 101 deny   ip any 255.255.255.128 0.0.0.127
> access-list 101 permit ip any any
> 
> These are currently identical, but they're split into separate access-lists
> in case the sending restrictions and the receiving restrictions ever have
> cause to differ.
> 
> Note that everybody who's anybody uses peer groups rather than duplicating
> this for every peer, but I'm the wrong person to try to explain peer groups
> so the above was intentionally kept at my "grunt, poke, listen" level.

Stephen
-----
Stephen Stuart				stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
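
An added example, not part of either post: a small Python evaluator that runs the quoted access-list 100 against the three 192.168 prefixes from the routing table excerpt, so the filter can be checked offline before it goes on a border router. It assumes the IOS convention that, when an extended ACL is used as a BGP distribute-list, the source address/wildcard pair is tested against the prefix's network address and the destination pair against its netmask; the function names are hypothetical, and 198.51.100.0/24 is a constructed sample prefix.

```python
import ipaddress
# ACL 100 exactly as quoted in the message above.
ACL_100 = """\
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny   ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny   ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny   ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny   ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny   ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny   ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny   ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny   ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny   ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 100 deny   ip any 255.255.255.128 0.0.0.127
access-list 100 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _operand(tok):
    # Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard).
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tok.pop(0)), 0
    return _ip(t), _ip(tok.pop(0))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "access-list":
            rest = tok[4:]  # skip 'access-list N action ip'
            rules.append((tok[2], _operand(rest), _operand(rest)))
    return rules

def _hit(value, operand):
    addr, wild = operand  # wildcard bits set to 1 are "don't care"
    return ((value ^ addr) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, prefix):
    # Assumed IOS semantics: source pair tests the network, destination pair the mask.
    net = ipaddress.IPv4Network(prefix)
    for action, src, dst in rules:
        if _hit(int(net.network_address), src) and _hit(int(net.netmask), dst):
            return action
    return "deny"  # implicit deny ends every IOS access list
```

The two prefixes shown without a length in the table excerpt are classful /24s, so pass them as `192.168.22.0/24` and `192.168.216.0/24`.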
