Re: [nsp] RFC2544 RE: Filter subnets

From: Philip Smith (pfs@cisco.com)
Date: Fri Dec 08 2000 - 20:30:11 EST


At 19:19 08/12/00 -0500, Lane Patterson wrote:

>I noticed neither of you included /24's of major exchange points in
>your filters, such as 192.41.177/24 [MAE-E], 195.66.224/23 [LINX],
>and a long list of others. It is common practice to filter these
>both from customers and from peers, at least for the exchange
>points your network directly connects to.

Would you like to post a list of these? I can put them in IOS Essentials,
if people would find this useful? (I'd have thought the recommendation of
filtering your directly connected exchanges would be easiest - keeping
track of the address space of all the exchange points around the world
would be hard...?)

>Also, having recently used IANA reserved RFC 2544 space in some
>lab evaluation, I was kind of surprised to realize no one seems to
>include it in their bogon filters, including a former large ISP
>employer. I believe the history of this allocation was a direct
>reaction to a 1998 Internet meltdown that resulted from a provider's
>test BGP scenario that leaked.

I'm not sure that many people know about RFC1944/RFC2544 space. Both RFCs
list the address block incorrectly (192.18/15 in 1944, and 192.18/16 thru
198.19/16 in 2544!!!), and it isn't even clear from the ARIN record that
this really does belong to the BMWG...

Any thoughts?

philip

--

>[whois.arin.net]
>
> Netname: NETBLK-NDTL
> Netblock: 198.18.0.0 - 198.19.255.0
>
> Coordinator:
> Bradner, Scott (SB28-ARIN) SOB@HARVARD.EDU
> (617) 495-3864
>
>Cheers,
>-Lane
>
> > -----Original Message-----
> > From: Jared Mauch [mailto:jared@puck.nether.net]
> > Sent: Thursday, December 07, 2000 5:30 PM
> > To: Kris Amundson
> > Cc: Cisco NSP
> > Subject: Re: Filter subnets
> >
> >
> >
> > The filtering of 224.0.0.0/3 is a *bad* thing as it breaks
> > multicast and protocols that use specific multicast groups. ie: ospf
> >
> > Anyone who doesn't take this into account will cause major
> > issues as multicast (and specifically SSM) is deployed further in
> > this world.
> >
> > there's about 8k prefixes in the multicast routing tables, and
> > that continues to grow daily.
> >
> > Yahoo! (broadcast.com) has been helping do this with
> > the providers
> > who have less clueful upstreams with much success, and the clueful
> > providers are doing a reasonable job in deploying it.
> >
> > (Verio is one notable provider that is missing from this list
> > that does
> > have multicast deployed
> > http://www.stardust.com/multicast/providers.htm)
> >
> > Here's an ACL that I use, which you may find well suited
> > for your application. These aren't 'well aggregated' as far
> > as filters
> > go, but it works well for me.
> >
> > - Jared
> >
> > no ip access-list extended bogons
> > ip access-list extended bogons
> >
> > ! Deny TCP from multicast space
> > deny tcp 224.0.0.0 0.15.255.255 any
> >
> > ! Deny rfc1918 space
> > deny ip 0.0.0.0 0.255.255.255 any
> > deny ip 1.0.0.0 0.255.255.255 any
> > deny ip 10.0.0.0 0.255.255.255 any
> > deny ip 23.0.0.0 0.255.255.255 any
> > deny ip 31.0.0.0 0.255.255.255 any
> > deny ip 172.16.0.0 0.15.255.255 any
> > deny ip 192.168.0.0 0.0.255.255 any
> > deny ip 192.0.2.0 0.0.0.255 any
> > deny ip 128.0.0.0 0.0.255.255 any
> > deny ip 128.66.0.0 0.0.255.255 any
> > deny ip 191.255.0.0 0.0.255.255 any
> > deny ip 192.0.0.0 0.0.255.255 any
> > deny ip 197.0.0.0 0.255.255.255 any
> > deny ip 201.0.0.0 0.255.255.255 any
> > deny ip 223.255.255.0 0.0.0.255 any
> > ! Deny IANA reserved space - other than rfc1918 space
> > !IANA (RESERVED-3) RESERVED-3
> > 128.0.0.0
> > ! - NET-RESERVED-2 2.0.0.0/8
> > deny ip 2.0.0.0 0.255.255.255 any
> > !IANA (RESERVED-7) RESERVED-7 67.0.0.0 -
> > 95.255.255.255
> > deny ip 67.0.0.0 0.255.255.255 any
> > deny ip 68.0.0.0 1.255.255.255 any
> > deny ip 70.0.0.0 1.255.255.255 any
> > deny ip 72.0.0.0 1.255.255.255 any
> > deny ip 74.0.0.0 1.255.255.255 any
> > deny ip 76.0.0.0 1.255.255.255 any
> > deny ip 78.0.0.0 1.255.255.255 any
> > deny ip 80.0.0.0 1.255.255.255 any
> > deny ip 82.0.0.0 1.255.255.255 any
> > deny ip 84.0.0.0 1.255.255.255 any
> > deny ip 86.0.0.0 1.255.255.255 any
> > deny ip 88.0.0.0 1.255.255.255 any
> > deny ip 90.0.0.0 1.255.255.255 any
> > deny ip 92.0.0.0 1.255.255.255 any
> > deny ip 94.0.0.0 1.255.255.255 any
> > !
> > deny ip 96.0.0.0 1.255.255.255 any
> > deny ip 98.0.0.0 1.255.255.255 any
> > deny ip 100.0.0.0 1.255.255.255 any
> > deny ip 102.0.0.0 1.255.255.255 any
> > deny ip 104.0.0.0 1.255.255.255 any
> > deny ip 106.0.0.0 1.255.255.255 any
> > deny ip 108.0.0.0 1.255.255.255 any
> > deny ip 110.0.0.0 1.255.255.255 any
> > deny ip 112.0.0.0 1.255.255.255 any
> > deny ip 114.0.0.0 1.255.255.255 any
> > deny ip 116.0.0.0 1.255.255.255 any
> > deny ip 118.0.0.0 1.255.255.255 any
> > deny ip 120.0.0.0 1.255.255.255 any
> > deny ip 122.0.0.0 1.255.255.255 any
> > deny ip 124.0.0.0 1.255.255.255 any
> > deny ip 126.0.0.0 1.255.255.255 any
> > !
> > permit ip any any
> > !
> > end
> >
> > On Thu, Dec 07, 2000 at 06:42:49PM -0500, Kris Amundson wrote:
> > > I'm listing standard subnets for traffic and route
> > filtering for a Cisco
> > > router template. Did I miss anything?
> > >
> > > Standard stuff:
> > > 0.0.0.0/8
> > > 10.0.0.0/8
> > > 127.0.0.0/8
> > > 169.254.0.0/16
> > > 172.16.0.0/14
> > > 192.0.2.0/24
> > > 192.168.0.0/16
> > >
> > > Additional:
> > > 1.0.0.0/8
> > > 2.0.0.0/8
> > > 5.0.0.0/8
> > > 7.0.0.0/8
> > > 23.0.0.0/8
> > > 27.0.0.0/8
> > > 31.0.0.0/8
> > > 36.0.0.0/8
> > > 37.0.0.0/8
> > > 39.0.0.0/8
> > > 41.0.0.0/8
> > > 42.0.0.0/8
> > > 49.0.0.0/8
> > > 50.0.0.0/8
> > > 58.0.0.0/7
> > > 60.0.0.0/8
> > > 67.0.0.0/8
> > > 68.0.0.0/6
> > > 72.0.0.0/5
> > > 80.0.0.0/4
> > > 96.0.0.0/3
> > > 197.0.0.0/8
> > > 218.0.0.0/7
> > > 220.0.0.0/6
> > > 224.0.0.0/3
> > >
> > > I'm unsure of all those additional subnets. I found them
> > on recommended
> > > filter reserved list.
> >
> > --
> > Jared Mauch | pgp key available via finger from jared@puck.nether.net
> > clue++; | http://puck.nether.net/~jared/ My statements
> > are only mine.
> > END OF LINE | Manager of IP networks built within my own home
> >
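A small coverage checker, added here as an example and not part of the thread: it renders CIDR prefixes as the wildcard-mask deny lines Jared's ACL uses, and reports which blocks a bogon filter ought to carry (the RFC 2544 benchmarking space 198.18.0.0/15 from the ARIN record Lane quoted, plus the RFC 1918 blocks) are not covered by Kris's "Standard stuff" list. The STANDARD list is copied from the thread; the REQUIRED list and all function names are this example's own.

```python
import ipaddress

# Kris Amundson's "Standard stuff" list, copied from the thread above.
STANDARD = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
            "172.16.0.0/14", "192.0.2.0/24", "192.168.0.0/16"]

# Blocks a bogon filter should cover (this example's choice): the RFC 2544
# benchmarking space per the ARIN record quoted above, and RFC 1918.
REQUIRED = ["198.18.0.0/15", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def acl_deny_line(cidr):
    """Render one IOS extended-ACL deny for a prefix.  IOS ACLs take a
    wildcard mask (the inverted netmask), which ipaddress calls hostmask."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"deny ip {net.network_address} {net.hostmask} any"


def covering_prefixes(target, prefixes):
    """Entries in the filter list that fully contain target."""
    t = ipaddress.ip_network(target, strict=False)
    return [p for p in prefixes
            if t.subnet_of(ipaddress.ip_network(p, strict=False))]


def missing_blocks(prefixes, required=REQUIRED):
    """Required blocks that no single entry in the filter list covers."""
    return [r for r in required if not covering_prefixes(r, prefixes)]


def build_acl(name, prefixes):
    """Assemble a named extended ACL in the shape Jared posted."""
    lines = [f"no ip access-list extended {name}",
             f"ip access-list extended {name}"]
    lines += [" " + acl_deny_line(p) for p in prefixes]
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    gaps = missing_blocks(STANDARD)
    for gap in gaps:
        print("not covered:", gap, "->", acl_deny_line(gap))
    print("\n".join(build_acl("bogons", STANDARD + gaps)))
```

On Kris's list it reports both 198.18.0.0/15 and 172.16.0.0/12, the latter because the list carries a /14 rather than the full RFC 1918 /12.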



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:23 EDT