On 12/02/2016 09:07 AM, Andrew Hoyos wrote:
> - reject 0/0
> - reject RFC1918
> - reject bogon ASNs
Is this what you had in mind? Any changes? Specifically, is blocking AS_TRANS 23456 good or bad? I did not block it in the list below.

Block (original, plus additions from David Farmer):

_(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511|6453|6461|6762|6939|7018|11164|11537|12956)_

exception: remove 6939 from this list on HE's connection

Block private AS using this or something with the same effect:

_(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_
_6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_
_6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_
_[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_
_1310[0-6][0-9]_|_13107[0-1]_
_42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_
_(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_|_(4294[0-8][0-9][0-9][0-9][0-9][0-9])_
_(42949[0-5][0-9][0-9][0-9][0-9])_|_(429496[0-6][0-9][0-9][0-9])_
_(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-5])_

AS0 is a bogon AS we could block:

_0_

Block default and RFC 1918, etc.
ip prefix-list upstream-in seq 900 deny 0.0.0.0/8 le 32
ip prefix-list upstream-in seq 905 deny 10.0.0.0/8 le 32
ip prefix-list upstream-in seq 910 deny 127.0.0.0/8 le 32
ip prefix-list upstream-in seq 915 deny 169.254.0.0/16 le 32
ip prefix-list upstream-in seq 920 deny 172.16.0.0/12 le 32
ip prefix-list upstream-in seq 925 deny 192.0.0.0/24 le 32
ip prefix-list upstream-in seq 930 deny 192.0.2.0/24 le 32
ip prefix-list upstream-in seq 935 deny 192.168.0.0/16 le 32
ip prefix-list upstream-in seq 945 deny 198.51.100.0/24 le 32
ip prefix-list upstream-in seq 950 deny 203.0.113.0/24 le 32
ip prefix-list upstream-in seq 955 deny 224.0.0.0/3 le 32
ip prefix-list upstream-in seq 990 deny 0.0.0.0/0 le 7

Similar for IPv6:

ipv6 prefix-list upstream-in seq 900 deny 3ffe::/16 le 128
ipv6 prefix-list upstream-in seq 901 deny 2001:db8::/32 le 128
ipv6 prefix-list upstream-in seq 910 permit 2001::/32
ipv6 prefix-list upstream-in seq 911 deny 2001::/32 le 128
ipv6 prefix-list upstream-in seq 920 permit 2002::/16
ipv6 prefix-list upstream-in seq 921 deny 2002::/16 le 128
ipv6 prefix-list upstream-in seq 930 deny ::/8 le 128
ipv6 prefix-list upstream-in seq 940 deny fe00::/9 le 128
ipv6 prefix-list upstream-in seq 941 deny ff00::/8 le 128

-- 
Richard
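The following Python script is an added example and is not part of Richard's mail or of any vendor's software. It transcribes the prefix-list entries and the AS-path regexes from the post and evaluates a candidate route against them, so the hand-written policy can be sanity-checked offline before it goes on a router. It assumes IOS semantics for `deny <prefix> le N` (route inside the entry, mask length between the entry's length and N) and for the `_` anchor in AS-path regexes (start or end of the path, a space, a comma or a brace). An integer-range table of the same ASN blocks (RFC 5398 documentation ASNs, RFC 6996 private ASNs, the IANA-reserved 65552-131071 block, the 32-bit private block and AS0) is included as an independent cross-check of the regexes. The `he_session` flag, the 2000/3000 stand-in ASNs and the sample paths are constructed for this example.

```python
"""Added example (not from the mail above): evaluate a route and its AS path
against the upstream-in policy quoted in the post."""
import ipaddress
import re

# Prefix-list entries transcribed from the post as (action, prefix, le), in
# seq order. le=None models a plain `permit <prefix>` (exact match only).
IPV4_UPSTREAM_IN = [
    ("deny", "0.0.0.0/8", 32), ("deny", "10.0.0.0/8", 32),
    ("deny", "127.0.0.0/8", 32), ("deny", "169.254.0.0/16", 32),
    ("deny", "172.16.0.0/12", 32), ("deny", "192.0.0.0/24", 32),
    ("deny", "192.0.2.0/24", 32), ("deny", "192.168.0.0/16", 32),
    ("deny", "198.51.100.0/24", 32), ("deny", "203.0.113.0/24", 32),
    ("deny", "224.0.0.0/3", 32), ("deny", "0.0.0.0/0", 7),
]
IPV6_UPSTREAM_IN = [
    ("deny", "3ffe::/16", 128), ("deny", "2001:db8::/32", 128),
    ("permit", "2001::/32", None), ("deny", "2001::/32", 128),
    ("permit", "2002::/16", None), ("deny", "2002::/16", 128),
    ("deny", "::/8", 128), ("deny", "fe00::/9", 128), ("deny", "ff00::/8", 128),
]


def entry_matches(route, entry_prefix, le):
    """IOS `<prefix> le N`: the route lies inside the entry and its mask length
    is between the entry's own length and N (exact match when le is None)."""
    r = ipaddress.ip_network(route, strict=False)
    e = ipaddress.ip_network(entry_prefix, strict=False)
    if r.version != e.version or not r.subnet_of(e):
        return False
    return e.prefixlen <= r.prefixlen <= (e.prefixlen if le is None else le)


def prefix_verdict(route):
    """First matching entry wins. None means nothing shown in the post matched;
    the rest of the operator's list (not shown) would decide."""
    v6 = ipaddress.ip_network(route, strict=False).version == 6
    for action, prefix, le in (IPV6_UPSTREAM_IN if v6 else IPV4_UPSTREAM_IN):
        if entry_matches(route, prefix, le):
            return action
    return None


# AS-path regexes copied verbatim from the post.
TRANSIT_ASNS = ("_(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511"
                "|6453|6461|6762|6939|7018|11164|11537|12956)_")
BOGON_ASN_REGEXES = [
    "_(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_",
    "_6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_",
    "_6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_",
    "_[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_",
    "_1310[0-6][0-9]_|_13107[0-1]_",
    "_42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_",
    "_(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_|_(4294[0-8][0-9][0-9][0-9][0-9][0-9])_",
    "_(42949[0-5][0-9][0-9][0-9][0-9])_|_(429496[0-6][0-9][0-9][0-9])_",
    "_(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-5])_",
    "_0_",
]
# IOS `_` matches start/end of the path, a space, a comma or a brace (assumed).
AS_BOUNDARY = r"(?:^|$|[ ,{}])"
# Independent reference for the same blocks as integer ranges: AS0, the
# 64496-131071 span (documentation, private, 65535 and IANA-reserved ASNs)
# and the 32-bit private block.
BOGON_ASN_RANGES = [(0, 0), (64496, 131071), (4200000000, 4294967295)]


def ios_regex(pattern):
    return re.compile(pattern.replace("_", AS_BOUNDARY))


def path_rejected_by_regex(as_path, he_session=False):
    """Apply the post's regexes to a space-separated AS_SEQUENCE. he_session
    (hypothetical flag) applies the post's exception for HE's connection."""
    transit = TRANSIT_ASNS.replace("6939|", "") if he_session else TRANSIT_ASNS
    return bool(ios_regex(transit).search(as_path)) or any(
        ios_regex(p).search(as_path) for p in BOGON_ASN_REGEXES)


def path_rejected_by_ranges(as_path, he_session=False):
    """Same policy over parsed ASNs, used to cross-check the regexes."""
    transit = set(map(int, re.findall(r"\d+", TRANSIT_ASNS)))
    if he_session:
        transit.discard(6939)
    return any(asn in transit or any(lo <= asn <= hi for lo, hi in BOGON_ASN_RANGES)
               for asn in map(int, as_path.split()))


def cross_check(paths):
    """Paths on which the regex and range formulations disagree (expect none)."""
    return [p for p in paths if path_rejected_by_regex(p) != path_rejected_by_ranges(p)]


SAMPLE_PATHS = [  # constructed; 2000/3000 stand in for ordinary downstream ASNs
    "3257 6453 2000", "64512 2000", "4294967295 2000", "0", "23456 2000",
    "6939 2000", "65536 2000", "131072 2000", "64495 2000", "2000 3000",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:>20}: rejected={path_rejected_by_regex(p)}")
    print("regex/range disagreements:", cross_check(SAMPLE_PATHS))
    print("2001::/32 ->", prefix_verdict("2001::/32"),
          "; 2001:0:1::/48 ->", prefix_verdict("2001:0:1::/48"))
```

Run stand-alone it prints the verdict for each sample path and confirms that the regexes and the range table agree; "23456 2000" comes back as not rejected because, as the post says, AS_TRANS is not in the list. A `None` from `prefix_verdict` only means that none of the deny entries shown in the mail matched, not that the route would be accepted; the permits that precede these entries on the real router are not part of the post. Comparing the regexes against an independently written range table is a cheap way to catch a mistyped digit class in a long hand-built filter before it silently lets a bogon through or blocks a legitimate ASN.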