BGP filters for rfc 1918 and other nasties

Mailman List Mirror (Read Only)
1

I have been doing some looking around for a decent access-list or prefix-list to start my inbound BGP filters. I have found quite a few flawed examples, but none that look solid… What do you use for ingress filters?

Found an interesting link in an ancient (12/97) Nanog post. Those who have coffee and BGP for breakfast should take a peek.

http://www.employees.org/~tbates/cidr-report.html

http://www.lucentnps.com/knowledge/whitepapers/bgp_main_isp.asp
missing 172.16/12 ???

access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
access-list 100 permit any any

http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html

ip prefix-list bogons description Bogon networks we won’t accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 10 deny 1.0.0.0/8 le 32
ip prefix-list bogons seq 15 deny 2.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 25 deny 23.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 31.0.0.0/8 le 32
ip prefix-list bogons seq 35 deny 67.0.0.0/8 le 32
ip prefix-list bogons seq 40 deny 68.0.0.0/6 le 32
ip prefix-list bogons seq 45 deny 72.0.0.0/6 le 32
ip prefix-list bogons seq 50 deny 76.0.0.0/6 le 32
ip prefix-list bogons seq 55 deny 80.0.0.0/6 le 32
ip prefix-list bogons seq 60 deny 84.0.0.0/6 le 32
ip prefix-list bogons seq 65 deny 88.0.0.0/6 le 32
ip prefix-list bogons seq 70 deny 92.0.0.0/6 le 32
ip prefix-list bogons seq 75 deny 96.0.0.0/6 le 32
ip prefix-list bogons seq 80 deny 100.0.0.0/6 le 32
ip prefix-list bogons seq 85 deny 104.0.0.0/6 le 32
ip prefix-list bogons seq 90 deny 108.0.0.0/6 le 32
ip prefix-list bogons seq 95 deny 112.0.0.0/6 le 32
ip prefix-list bogons seq 100 deny 116.0.0.0/6 le 32
ip prefix-list bogons seq 105 deny 120.0.0.0/6 le 32
ip prefix-list bogons seq 110 deny 124.0.0.0/7 le 32
ip prefix-list bogons seq 115 deny 126.0.0.0/8 le 32
ip prefix-list bogons seq 120 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 125 deny 169.254.0.0/16 le 32
ip prefix-list bogons seq 130 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 135 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 140 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 145 deny 198.18.0.0/16 le 32
ip prefix-list bogons seq 150 deny 201.0.0.0/8 le 32
ip prefix-list bogons seq 155 deny 223.255.255.0/24 le 32
ip prefix-list bogons seq 160 deny 224.0.0.0/3 le 32
! Allow all prefixes up to /27. Your mileage may vary,
! so adjust this to fit your specific requirements.
ip prefix-list bogons seq 170 permit 0.0.0.0/0 le 27