BCP38 egress filter on Ubuntu Server

Before I re-invent the wheel, has anyone come up with blackhole route specifications for netplan in Ubuntu servers? Such a capability would perform the egress blocking for an edge server.

The table of blackhole routes I would set up:

IPv4

Address block         Scope            Description
0.0.0.0/8             Software         Current network (only valid as source address).
10.0.0.0/8            Private network  Used for local communications within a private network.
100.64.0.0/10         Private network  Shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT.
127.0.0.0/8           Host             Used for loopback addresses to the local host.
169.254.0.0/16        Subnet           Used for link-local addresses between two hosts on a single link when no IP address is otherwise specified, such as would have normally been retrieved from a DHCP server.
172.16.0.0/12         Private network  Used for local communications within a private network.
192.0.0.0/24          Private network  IETF Protocol Assignments.
192.0.2.0/24          Documentation    Assigned as TEST-NET-1, documentation and examples.
192.88.99.0/24        Internet         Reserved. Formerly used for IPv6 to IPv4 relay.
192.168.0.0/16        Private network  Used for local communications within a private network.
198.18.0.0/15         Private network  Used for benchmark testing of inter-network communications between two separate subnets.
198.51.100.0/24       Documentation    Assigned as TEST-NET-2, documentation and examples.
203.0.113.0/24        Documentation    Assigned as TEST-NET-3, documentation and examples.
224.0.0.0/4           Internet         In use for IP multicast.
240.0.0.0/4           Internet         Reserved for future use.
255.255.255.255/32    Subnet           Reserved for the "limited broadcast" destination address.

IPv6

Address block         Usage            Purpose
::/0                  Routing          Default route.
::/128                Software         Unspecified address.
::1/128               Host             Loopback address to local host.
::ffff:0:0/96         Software         IPv4 mapped addresses.
::ffff:0:0:0/96       Software         IPv4 translated addresses.
64:ff9b::/96          Global Internet  IPv4/IPv6 translation.
100::/64              Routing          Discard prefix.
2001::/32             Global Internet  Teredo tunneling.
2001:20::/28          Software         ORCHIDv2.
2001:db8::/32         Documentation    Addresses used in documentation and example source code.
2002::/16             Global Internet  The 6to4 addressing scheme.
fc00::/7              Private network  Unique local address.
fe80::/10             Link             Link-local address.
ff00::/8              Global Internet  Multicast address.

https://team-cymru.com/community-services/bogon-reference/bogon-reference-bgp/
https://team-cymru.com/community-services/bogon-reference/bogon-reference-http/
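As an added example (not part of the original post, and not a netplan project sample), here is a POSIX shell script that turns the tables above into a netplan file of `type: blackhole` routes, plus the equivalent `ip route` commands for applying them without netplan. It assumes a netplan new enough to accept `type: blackhole` without `via` (Ubuntu 20.04 and later), an interface named eth0, and the file path /etc/netplan/60-bogon-blackholes.yaml. It deliberately leaves out `::/0` from the IPv6 table (that is the default route; blackholing it discards all IPv6 traffic), and the loopback, link-local, multicast and limited-broadcast entries, which the kernel installs its own routes for; note that 169.254.0.0/16 also carries the cloud metadata endpoint 169.254.169.254 on most cloud hosts.

```shell
#!/bin/sh
# Added example, not from the thread. Interface name and file path are
# assumptions; prefixes come from the tables in the post above.

# Left out on purpose: ::/0 (default route), loopback, link-local
# (169.254/16 also carries cloud metadata at 169.254.169.254), multicast
# and 255.255.255.255/32, which the kernel and the interface itself need.
BOGONS_V4="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 172.16.0.0/12 192.0.0.0/24
192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24
203.0.113.0/24 240.0.0.0/4"
BOGONS_V6="::/128 ::ffff:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28
2001:db8::/32 2002::/16 fc00::/7"

# Number of prefixes that will become blackhole routes.
count_bogons() { set -- $BOGONS_V4 $BOGONS_V6; echo $#; }

# gen_netplan_blackholes IFACE -> complete netplan YAML on stdout with one
# "type: blackhole" route per prefix under the given interface. netplan
# merges this with the interface's main definition from other files.
gen_netplan_blackholes() {
    printf 'network:\n  version: 2\n  ethernets:\n    %s:\n      routes:\n' "$1"
    for p in $BOGONS_V4 $BOGONS_V6; do
        printf '        - to: %s\n          type: blackhole\n' "$p"
    done
}

# gen_ip_route_cmds -> the same routes as iproute2 commands, for applying
# them by hand or from a cron job. "replace" makes the script idempotent.
gen_ip_route_cmds() {
    for p in $BOGONS_V4; do printf 'ip -4 route replace blackhole %s\n' "$p"; done
    for p in $BOGONS_V6; do printf 'ip -6 route replace blackhole %s\n' "$p"; done
}

# Run directly as root to write the netplan file (assumed path) and show it:
#   sh bogon-blackholes.sh write eth0
if [ "${1:-}" = "write" ]; then
    gen_netplan_blackholes "${2:-eth0}" > /etc/netplan/60-bogon-blackholes.yaml
    cat /etc/netplan/60-bogon-blackholes.yaml
fi
```

After `netplan try` (or `netplan apply`), `ip route show type blackhole` and `ip -6 route show type blackhole` list what was installed, and `ip route get` for an address inside one of the prefixes fails instead of returning the default route, which is the quick way to confirm egress to that block is now discarded.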

Could be considered implemented, too. Either as EBGP multi-hop feed
from Cymru or via (scheduled cron) HTTP(s) download and distributed
internally in your network via IBGP.

I have found that pfSense uses this feed to filter traffic if 'Block
bogon networks' is enabled on the WAN interface(s).

I.e. the pfSense bogons + bogonsv6 tables match the Cymru HTTP feed.

Hi Stephen,

I think you may be misunderstanding BCP 38. BCP 38 is about limiting
-source- addresses. What you've described is bogon filtering on
destination IP addresses. As far as I know, there's no BCP on bogon
filtering although BCP 84 offers some relevant advice.

BCP 38 is very simple:

1. If your IP address is 1.2.3.4 then drop any Internet-bound packets
which purport to be -from- any address which is not 1.2.3.4.
2. If your IP address is 1.2.3.4 then drop any packets FROM the
Internet which purport to be -from- 1.2.3.4.

That's it!

Regards,
Bill Herrin

I agree.

However I will add that it's trivial to extend the destination-based filtering to be source-based filtering by enabling reverse path filtering.

Adding the bogons as destinations to a routing table (that is processed) is compatible with reverse path filtering. Putting the bogons in IPTables / NFTables is incompatible with reverse path filtering.

Stephen: I've not done this with NetPlan but I do this on Linux and have found it to be extremely effective when combined with reverse path filtering. I have an EBGP feed from Team Cymru and augment it (additional routing tables) with (e-)DROP and federated Fail-2-Ban. I like it!
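An added example, not Bill's or the later reply's own code, serving both Bill's two-rule statement of BCP 38 and the reverse-path-filtering point made in the replies above: a POSIX shell script that emits Bill's rules as an nftables ruleset (rule 2 in the input hook, rule 1 in the output hook), the sysctl fragment that turns on strict IPv4 reverse-path filtering, and an nftables `fib` rule that performs the same reverse-path check for IPv6, which has no rp_filter sysctl. With strict reverse-path filtering on, a packet arriving from the Internet whose source lies inside a blackholed prefix fails the lookup (the route back to that source is the blackhole, not the ingress interface) and is dropped, which is why blackhole routes in a processed routing table extend to source filtering while nftables destination drops never enter that lookup. The interface name eth0, the addresses 198.51.100.7 and 2001:db8::7 (constructed from the documentation ranges in the tables above), the sysctl.d path and a statically addressed host are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Interface, addresses and paths are
# assumptions; 198.51.100.7 / 2001:db8::7 are constructed sample values.

# gen_nft_bcp38 WAN_IFACE ADDR4 [ADDR6] -> nftables ruleset on stdout.
# input chain  = Bill's rule 2: nothing arriving from the Internet may claim
#                our own address as its source.
# output chain = Bill's rule 1: nothing we send to the Internet may carry a
#                source other than our own address. IPv6 egress exempts
#                fe80::/10 because neighbour discovery leaves with a
#                link-local source.
gen_nft_bcp38() {
    wan=$1; a4=$2; a6=${3:-}
    printf 'table inet bcp38 {\n'
    printf '    chain input {\n'
    printf '        type filter hook input priority 0; policy accept;\n'
    printf '        iifname "%s" ip saddr %s counter drop comment "bcp38-2 spoofed v4 self"\n' "$wan" "$a4"
    if [ -n "$a6" ]; then
        printf '        iifname "%s" ip6 saddr %s counter drop comment "bcp38-2 spoofed v6 self"\n' "$wan" "$a6"
    fi
    printf '    }\n'
    printf '    chain output {\n'
    printf '        type filter hook output priority 0; policy accept;\n'
    printf '        oifname "%s" ip saddr != %s counter drop comment "bcp38-1 foreign v4 source"\n' "$wan" "$a4"
    if [ -n "$a6" ]; then
        printf '        oifname "%s" ip6 saddr != { %s, fe80::/10 } counter drop comment "bcp38-1 foreign v6 source"\n' "$wan" "$a6"
    fi
    printf '    }\n'
    printf '}\n'
}

# gen_rpfilter_sysctl WAN_IFACE -> sysctl.d fragment on stdout. Strict mode
# (1) drops a packet when the route back to its source does not leave via
# the interface it arrived on; a source inside a blackholed prefix has no
# such route, so the blackhole routes also reject spoofed sources. This
# knob is IPv4 only.
gen_rpfilter_sysctl() {
    printf 'net.ipv4.conf.all.rp_filter = 1\n'
    printf 'net.ipv4.conf.default.rp_filter = 1\n'
    printf 'net.ipv4.conf.%s.rp_filter = 1\n' "$1"
}

# gen_nft_rpf WAN_IFACE -> the same reverse-path check done in nftables,
# for both families: "fib saddr . iif oif missing" is true when the kernel
# finds no output interface for the source (blackhole or no route at all).
gen_nft_rpf() {
    printf 'table inet rpf {\n'
    printf '    chain prerouting {\n'
    printf '        type filter hook prerouting priority -300; policy accept;\n'
    printf '        iifname "%s" fib saddr . iif oif missing counter drop comment "reverse path check"\n' "$1"
    printf '    }\n}\n'
}

# check_rpfilter [FILE] -> exit 0 when strict rp_filter is on. FILE defaults
# to the live kernel knob; a path argument lets the check run on a copy.
check_rpfilter() {
    f=${1:-/proc/sys/net/ipv4/conf/all/rp_filter}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Run directly to print everything for review:  sh bcp38.sh show
if [ "${1:-}" = "show" ]; then
    gen_nft_bcp38 eth0 198.51.100.7 2001:db8::7
    gen_nft_rpf eth0
    gen_rpfilter_sysctl eth0
fi
```

Feed the ruleset to `nft -c -f` first to syntax-check it, then `nft -f` to load; write the sysctl lines to a file under /etc/sysctl.d/ and run `sysctl --system`. The `counter` on each drop rule means `nft list table inet bcp38` shows how often each rule fired, which is the quickest way to see whether anything on the host was sending with a source it should not have.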