
JunOS Strict ISP Prefix Filter Template

Author: unknown. Source: collected from the Internet and reposted. Published: 2005-6-3 0:56:07

JUNOS Strict ISP Prefix Filter Template

v. 2.1 Updated: Jan 27, 2005

Change History:

2.1 – 124/8, 125/8, 126/8 allocated to APNIC.

2.0 – 71/8, 72/8 allocated to ARIN.

1.9 – 58/8, 59/8 allocated to APNIC.

1.8 – 85/8, 86/8, 87/8, 88/8 allocated to RIPE.

1.7 – 70/8 allocated to ARIN.

1.6 – 83/8 and 84/8 allocated to RIPE.

1.5 – Corrected typo in Phase 7 for 128.0.0.0/2 and 192.0.0.0/3.

1.4 – 223/8 returned to ARIN; 60/8 allocated to APNIC.

1.3 – 201/8 allocated to LACNIC; 173/8 - 187/8 and 189/8 – 190/8 DE-allocated by IANA.

1.2 - Updated F-Root prefix from 192.5.4.0/23 to 192.5.5.0/24

1.1 – Added several prefix entries for GTLDs

See the following URLs for Updates:

Cisco    ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/

Juniper http://www.cymru.com/gillsr/documents.html

To be applied on ingress eBGP sessions with other ISPs

Instructions: Use this template as a "get started" guide. Each provider's network has unique properties that may require some of the template statements to be commented out or tuned to the unique network requirements.

 Phase 1 - Deny Special Prefixes

 Phase 2 - Deny Your Own Blocks

 Phase 3 - Deny IXP Blocks

 Phase 4 - Deny Bogon Prefixes

 Phase 5 - Permit Critical Infrastructure Blocks

 Phase 6 - Permit RIR Blocks on the minimal allocation block to a /24

 Phase 7 - Permit the rest between /8 and /24

 

Phase 1 - Deny Special Prefixes

 

Reference Documents:
 
http://www.ietf.org/internet-drafts/draft-manning-dsua-08.txt
http://www.ietf.org/internet-drafts/draft-iana-special-ipv4-05.txt

 

 

/* ------------------ Begin Prefix-Filter -------------------- */

 

/* Strict Mode Prefix Filter for ISP Peers v1.1 – 12-10-2002 */

[edit policy-options policy-statement loose-prefix-filter]

/* Phase 1 - Deny Special Prefixes */

term phase-1 {
    from {
        /* Default Route */
        route-filter 0.0.0.0/0 exact reject;
        /* RFC 1918 Address Range */
        route-filter 10.0.0.0/8 orlonger reject;
        route-filter 172.16.0.0/12 orlonger reject;
        route-filter 192.168.0.0/16 orlonger reject;
        /* Multicast - remove if running multicast */
        route-filter 224.0.0.0/4 orlonger reject;
        /* Experimental */
        route-filter 240.0.0.0/4 orlonger reject;
        /* Loopback Range */
        route-filter 127.0.0.0/8 orlonger reject;
        /* Link Local Network Address */
        route-filter 169.254.0.0/16 orlonger reject;
        /* Test-Net */
        route-filter 192.0.2.0/24 orlonger reject;
        /* NeXT-Default */
        route-filter 192.42.172.0/24 orlonger reject;
        /* RFC-2544 - BMWG Addresses */
        route-filter 198.18.0.0/15 orlonger reject;
        /* Block 29-32 bit prefixes */
        route-filter 0.0.0.0/0 prefix-length-range /29-/32 reject;
        /* Block 0-5 bit prefixes from the table */
        route-filter 0.0.0.0/0 prefix-length-range /0-/5 reject;
    }
}

 

/* ------------------ snip snip  -------------------- */

 

Phase 2 - Deny Your own Prefixes

      

You may wish to keep your own blocks from coming back to you, with the exception of multihomed customers, for whom more-specifics may be desired. Change this prefix to match your advertisements.

from route-filter XX.YY.ZZ.0/20 prefix-length-range /26-/32 reject;

 

One option for multihomed customers is to accept only a band of prefix lengths inside your block, rejecting both the large aggregate and the small specifics. In the example below, the first line rejects the /20 aggregate itself (a route inside XX.YY.ZZ.0/20 cannot be shorter than /20, so the /0-/20 range only ever matches the exact /20) and the second rejects anything /26 or longer, leaving /21 through /25 more-specifics to fall through to the later permit phases.

For example:

from route-filter XX.YY.ZZ.0/20 prefix-length-range /0-/20 reject;

from route-filter XX.YY.ZZ.0/20 prefix-length-range /26-/32 reject;

 
/* ------------------ snip snip  -------------------- */

 

 

/* Phase 2 - Deny Your own Prefixes */

term phase-2 {
    /* see examples above; add your own route-filter lines here */
    from {
    }
}
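To see which routes the Phase 1, Phase 2 and Phase 3 terms actually catch, and why the template uses orlonger rather than exact for the special ranges, here is an added Python model of Junos route-filter evaluation. It is not part of the template or its author's material. It models the Junos rule that, within one term, only the longest route-filter prefix covering the route is consulted; if that entry's match type does not fit, the term does not match and the route falls through to the next term, with no retry on a shorter prefix. That entries sharing one prefix (the three 0.0.0.0/0 lines) are all tried in order is an assumption of this model. The Phase 1 and Phase 3 lines are taken from the page; the Phase 2 lines use 203.0.112.0/20 as a placeholder standing in for XX.YY.ZZ.0/20, and the SHADOWED term is a constructed variant showing the pitfall.

```python
"""Model of Junos route-filter evaluation for the Phase 1-3 terms above.

Added illustration, not part of the template. Rule modelled: in one term,
only the longest route-filter prefix that covers the route is consulted;
if its match type does not fit, the term fails and the route falls through.
Assumption: entries sharing one prefix are all tried, in order.
"""
from ipaddress import IPv4Network

PHASE_1 = """
route-filter 0.0.0.0/0 exact reject;
route-filter 10.0.0.0/8 orlonger reject;
route-filter 172.16.0.0/12 orlonger reject;
route-filter 192.168.0.0/16 orlonger reject;
route-filter 224.0.0.0/4 orlonger reject;
route-filter 240.0.0.0/4 orlonger reject;
route-filter 127.0.0.0/8 orlonger reject;
route-filter 169.254.0.0/16 orlonger reject;
route-filter 192.0.2.0/24 orlonger reject;
route-filter 192.42.172.0/24 orlonger reject;
route-filter 198.18.0.0/15 orlonger reject;
route-filter 0.0.0.0/0 prefix-length-range /29-/32 reject;
route-filter 0.0.0.0/0 prefix-length-range /0-/5 reject;
"""
# Phase 2 multihomed-customer example. 203.0.112.0/20 is a placeholder
# (assumption) standing in for the template's XX.YY.ZZ.0/20.
PHASE_2 = """
route-filter 203.0.112.0/20 prefix-length-range /0-/20 reject;
route-filter 203.0.112.0/20 prefix-length-range /26-/32 reject;
"""
# Phase 3: APNIC IXP micro-allocation block from the template.
PHASE_3 = "route-filter 218.100.0.0/16 prefix-length-range /0-/32 reject;"


def parse_route_filters(text):
    """Parse 'route-filter <prefix> <match-type> [/lo-/hi] <action>;' lines."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.strip().rstrip(";").split()
        if not parts or parts[0] != "route-filter":
            continue
        net, match_type = IPv4Network(parts[1]), parts[2]
        if match_type == "prefix-length-range":
            lo, hi = parts[3].split("-")
            length_range = (int(lo.lstrip("/")), int(hi.lstrip("/")))
            action = parts[4]
        else:
            length_range, action = None, parts[3]
        entries.append((net, match_type, length_range, action))
    return entries


def match_type_fits(route, net, match_type, length_range):
    """Junos match-type semantics, given that route already lies inside net."""
    if match_type == "exact":
        return route.prefixlen == net.prefixlen
    if match_type == "orlonger":
        return route.prefixlen >= net.prefixlen
    if match_type == "longer":
        return route.prefixlen > net.prefixlen
    if match_type == "prefix-length-range":
        return length_range[0] <= route.prefixlen <= length_range[1]
    raise ValueError("unsupported match type: " + match_type)


def evaluate_term(route, entries):
    """Return the action of the route-filter that fires, or None if the term misses."""
    covering = [e for e in entries if route.subnet_of(e[0])]
    if not covering:
        return None
    longest = max(e[0].prefixlen for e in covering)
    # Only the longest covering prefix counts; same-prefix entries are all tried.
    for net, match_type, length_range, action in covering:
        if net.prefixlen == longest and match_type_fits(route, net, match_type, length_range):
            return action
    return None


POLICY = [
    ("phase-1", parse_route_filters(PHASE_1)),
    ("phase-2", parse_route_filters(PHASE_2)),
    ("phase-3", parse_route_filters(PHASE_3)),
]


def classify(prefix, policy=POLICY):
    """Walk the terms in order; return (term, action), or None when every term falls through."""
    route = IPv4Network(prefix)
    for name, entries in policy:
        action = evaluate_term(route, entries)
        if action is not None:
            return name, action
    return None  # would reach the template's later permit phases


# Constructed pitfall: with 'exact' instead of 'orlonger', 10.1.1.0/30 picks
# 10.0.0.0/8 as its longest match, the match type fails, and the /29-/32
# catch-all on 0.0.0.0/0 is never consulted, so the /30 leaks through.
SHADOWED = parse_route_filters("""
route-filter 10.0.0.0/8 exact reject;
route-filter 0.0.0.0/0 prefix-length-range /29-/32 reject;
""")

if __name__ == "__main__":
    for p in ["0.0.0.0/0", "10.1.0.0/16", "8.8.8.0/30", "2.0.0.0/7", "203.0.112.0/20",
              "203.0.112.0/23", "203.0.112.64/26", "218.100.1.0/24"]:
        print(p, classify(p))
    print("shadowed 10.1.1.0/30:", classify("10.1.1.0/30", [("shadowed", SHADOWED)]))
```

Note the fall-through cases: 2.0.0.0/7 is neither in the /0-/5 range nor caught by any special prefix, and 203.0.112.0/23 sits in the /21-/25 band the Phase 2 example leaves open, so both return None and would be decided by the later permit phases. The SHADOWED term shows why every special-range line in Phase 1 uses orlonger: one exact or mis-ranged entry on a longer prefix silently shadows the 0.0.0.0/0 length checks for everything underneath it.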

 

/* ------------------ snip snip  -------------------- */

 

Phase 3 - Deny IXP Prefixes

REQUIRED

 

Block the prefixes of the IXPs you connect to. Other ISPs should not be sending you the prefixes of IXPs that you are connected to. While you might want to filter other IXPs as well, someone hijacking them will not have a direct impact on your network; someone hijacking the prefixes of your own IXPs will.

 

Change and un-comment this prefix (or prefixes) for the IXP networks you are connected to, adding them to the list below.

 

 

route-filter XX.YY.ZZ.0/20 prefix-length-range /0-/32 reject;

 

OPTIONAL

 

This is a list of IXP micro-allocations that should not be globally advertised on the Internet. Putting these on the global Internet would open the door to traffic games, DoS attacks, and other mischief that would disrupt operations, services, and the interconnection of the Internet.

 

Filtering these is optional. The filter makes hijacking difficult, which protects the Internet in general. It may or may not have a direct effect on your network, whereas hijacking of prefixes that are directly connected to your network will have a direct impact.

 

 

APNIC's IXP Allocation Block

 

route-filter 218.100.0.0/16 prefix-length-range /0-/32 reject;

 

/* ------------------ snip snip  -------------------- */

 

term phase-3 {
