[35007] in North American Network Operators' Group
BGP filters for rfc 1918 and other nasties
daemon@ATHENA.MIT.EDU (Lee Watterworth)
Fri Feb 23 10:41:56 2001
Message-ID: <2E0F497E30A841408418B05A95E6651E33C821@xch04ykf.rim.net>
From: Lee Watterworth <lwatterworth@rim.net>
To: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Fri, 23 Feb 2001 10:34:36 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C09DAE.20BF4450"
Errors-To: owner-nanog-outgoing@merit.edu
I have been doing some looking around for a decent access-list or
prefix-list to start my inbound BGP filters. I have found quite a few
flawed examples, but none that look solid. What do you use for ingress
filters?
Found an interesting link in an ancient (12/97) Nanog post. Those who have
coffee and BGP for breakfast should take a peek.
http://www.employees.org/~tbates/cidr-report.html
http://www.lucentnps.com/knowledge/whitepapers/bgp_main_isp.asp
missing 172.16/12 ???
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
access-list 100 permit ip any any
http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html
ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 10 deny 1.0.0.0/8 le 32
ip prefix-list bogons seq 15 deny 2.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 25 deny 23.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 31.0.0.0/8 le 32
ip prefix-list bogons seq 35 deny 67.0.0.0/8 le 32
ip prefix-list bogons seq 40 deny 68.0.0.0/6 le 32
ip prefix-list bogons seq 45 deny 72.0.0.0/6 le 32
ip prefix-list bogons seq 50 deny 76.0.0.0/6 le 32
ip prefix-list bogons seq 55 deny 80.0.0.0/6 le 32
ip prefix-list bogons seq 60 deny 84.0.0.0/6 le 32
ip prefix-list bogons seq 65 deny 88.0.0.0/6 le 32
ip prefix-list bogons seq 70 deny 92.0.0.0/6 le 32
ip prefix-list bogons seq 75 deny 96.0.0.0/6 le 32
ip prefix-list bogons seq 80 deny 100.0.0.0/6 le 32
ip prefix-list bogons seq 85 deny 104.0.0.0/6 le 32
ip prefix-list bogons seq 90 deny 108.0.0.0/6 le 32
ip prefix-list bogons seq 95 deny 112.0.0.0/6 le 32
ip prefix-list bogons seq 100 deny 116.0.0.0/6 le 32
ip prefix-list bogons seq 105 deny 120.0.0.0/6 le 32
ip prefix-list bogons seq 110 deny 124.0.0.0/7 le 32
ip prefix-list bogons seq 115 deny 126.0.0.0/8 le 32
ip prefix-list bogons seq 120 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 125 deny 169.254.0.0/16 le 32
ip prefix-list bogons seq 130 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 135 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 140 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 145 deny 198.18.0.0/16 le 32
ip prefix-list bogons seq 150 deny 201.0.0.0/8 le 32
ip prefix-list bogons seq 155 deny 223.255.255.0/24 le 32
ip prefix-list bogons seq 160 deny 224.0.0.0/3 le 32
! Allow all prefixes up to /27. Your mileage may vary,
! so adjust this to fit your specific requirements.
ip prefix-list bogons seq 170 permit 0.0.0.0/0 le 27
-----Original Message-----
From: Chris Davis [mailto:chris.davis@computerjobs.com]
Sent: February 22, 2001 3:39 PM
To: 'nanog@merit.edu'
Subject: rfc 1918?
Hello,
Does anyone know why I get inbound packets from 10.x.x.x coming from my ISP,
UUNet? They're just headed for a webserver, so it's not likely that they're
up to no good.
This seems to violate rfc 1918. Am I crazy?
Feb 22 15:29:48 computerjobs-gw 353094: Feb 22 20:30:10.439 UTC:
%SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62438) ->
63.67.217.184(80), 1 packet
Feb 22 15:30:02 computerjobs-gw 353095: Feb 22 20:30:24.024 UTC:
%SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62440) ->
63.67.217.184(80), 1 packet
Feb 22 15:30:06 computerjobs-gw 353096: Feb 22 20:30:28.168 UTC:
%SEC-6-IPACCESSLOGP: list 135 denied tcp 10.10.5.18(62455) ->
63.67.217.184(80), 1 packet
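An added example (not from the post or the quoted templates) that checks candidate BGP announcements against a prefix-list with the first-match, ge/le semantics of the IOS syntax quoted above, and that reports which RFC 1918 block a list of denied source ranges leaves uncovered, which is the gap pointed out in the access-list. The prefix-list text embedded here is a constructed subset of the quoted "bogons" list; the denied ranges in the last call are the quoted access-list entries hand-converted to CIDR.

```python
import ipaddress
import re

# Constructed subset of the "bogons" prefix-list quoted above, same IOS syntax.
PREFIX_LIST = """
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 125 deny 169.254.0.0/16 le 32
ip prefix-list bogons seq 130 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 135 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 140 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 160 deny 224.0.0.0/3 le 32
ip prefix-list bogons seq 170 permit 0.0.0.0/0 le 27
"""

ENTRY = re.compile(
    r"ip prefix-list \S+ seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)

def parse_prefix_list(text):
    """Parse IOS prefix-list lines into (seq, action, network, min_len, max_len)."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # "!" comments and description lines carry no rule
        seq, action, pfx, ge, le = m.groups()
        net = ipaddress.ip_network(pfx, strict=False)
        lo = int(ge) if ge else net.prefixlen                      # no ge: stated length
        hi = int(le) if le else (net.max_prefixlen if ge else lo)  # no le: exact (or ge..32)
        entries.append((int(seq), action, net, lo, hi))
    return sorted(entries)

def evaluate(entries, prefix):
    """First-match evaluation of an announced prefix; implicit deny at the end."""
    net = ipaddress.ip_network(prefix, strict=False)
    for _, action, base, lo, hi in entries:
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action
    return "deny"

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def uncovered_rfc1918(denied_prefixes):
    """RFC 1918 blocks not wholly inside any denied prefix (the gap noted above)."""
    denied = [ipaddress.ip_network(p) for p in denied_prefixes]
    return [str(r) for r in RFC1918 if not any(r.subnet_of(d) for d in denied)]

if __name__ == "__main__":
    rules = parse_prefix_list(PREFIX_LIST)
    for p in ("172.16.0.0/12", "10.1.0.0/16", "203.0.113.0/24", "203.0.113.0/28"):
        print(p, evaluate(rules, p))
    print(uncovered_rfc1918(["127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "192.0.2.0/24"]))
```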