[nsp] RFC2544 RE: Filter subnets

From: Lane Patterson (lpatterson@equinix.com)
Date: Fri Dec 08 2000 - 19:19:28 EST


Kudos to enabling more SSM and multicast clue, esp wrt filters.

I noticed neither of you included /24's of major exchange points in
your filters, such as 192.41.177/24 [MAE-E], 195.66.224/23 [LINX],
and a long list of others. It is common practice to filter these
both from customers and from peers, at least for the exchange
points your network directly connects to.

Also, having recently used IANA reserved RFC 2544 space in some
lab evaluation, I was kind of surprised to realize no one seems to
include it in their bogon filters, including a former large ISP
employer. I believe the history of this allocation was a direct
reaction to a 1998 Internet meltdown that resulted from a provider's
test BGP scenario that leaked.

RFC2544 (Bradner and McQuaid) - C.2.2:

        The network addresses 198.18.0.0 through 198.19.255.255
have been assigned to the BMWG by the IANA for this purpose.
This assignment was made to minimize the chance of conflict
in case a testing device were to be accidentally connected
to part of the Internet.

[whois.arin.net]

   Netname: NETBLK-NDTL
   Netblock: 198.18.0.0 - 198.19.255.0

   Coordinator:
      Bradner, Scott (SB28-ARIN) SOB@HARVARD.EDU
      (617) 495-3864

Cheers,
-Lane

> -----Original Message-----
> From: Jared Mauch [mailto:jared@puck.nether.net]
> Sent: Thursday, December 07, 2000 5:30 PM
> To: Kris Amundson
> Cc: Cisco NSP
> Subject: Re: Filter subnets
>
>
> The filtering of 224.0.0.0/3 is a *bad* thing as it breaks
> multicast and protocols that use specific multicast groups. ie: ospf
>
> Anyone who doesn't take this into account will cause major
> issues as multicast (and specifically SSM) is deployed further in
> this world.
>
> there's about 8k prefixes in the multicast routing tables, and
> that continues to grow daily.
>
> Yahoo! (broadcast.com) has been helping do this with
> the providers
> who have less clueful upstreams with much success, and the clueful
> providers are doing a reasonable job in deploying it.
>
> (Verio is one notable provider that is missing from this list
> that does
> have multicast deployed
> http://www.stardust.com/multicast/providers.htm)
>
> Here's an ACL that I use, which you may find well suited
> for your application. These aren't 'well aggregated' as far
> as filters
> go, but it works well for me.
>
> - Jared
>
> no ip access-list extended bogons
> ip access-list extended bogons
>
> ! Deny TCP from multicast space
> deny tcp 224.0.0.0 0.15.255.255 any
>
> ! Deny rfc1918 space
> deny ip 0.0.0.0 0.255.255.255 any
> deny ip 1.0.0.0 0.255.255.255 any
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 23.0.0.0 0.255.255.255 any
> deny ip 31.0.0.0 0.255.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip 192.168.0.0 0.0.255.255 any
> deny ip 192.0.2.0 0.0.0.255 any
> deny ip 128.0.0.0 0.0.255.255 any
> deny ip 128.66.0.0 0.0.255.255 any
> deny ip 191.255.0.0 0.0.255.255 any
> deny ip 192.0.0.0 0.0.255.255 any
> deny ip 197.0.0.0 0.255.255.255 any
> deny ip 201.0.0.0 0.255.255.255 any
> deny ip 223.255.255.0 0.0.0.255 any
> ! Deny IANA reserved space - other than rfc1918 space
> !IANA (RESERVED-3) RESERVED-3
> 128.0.0.0
> ! - NET-RESERVED-2 2.0.0.0/8
> deny ip 2.0.0.0 0.255.255.255 any
> !IANA (RESERVED-7) RESERVED-7 67.0.0.0 -
> 95.255.255.255
> deny ip 67.0.0.0 0.255.255.255 any
> deny ip 68.0.0.0 1.255.255.255 any
> deny ip 70.0.0.0 1.255.255.255 any
> deny ip 72.0.0.0 1.255.255.255 any
> deny ip 74.0.0.0 1.255.255.255 any
> deny ip 76.0.0.0 1.255.255.255 any
> deny ip 78.0.0.0 1.255.255.255 any
> deny ip 80.0.0.0 1.255.255.255 any
> deny ip 82.0.0.0 1.255.255.255 any
> deny ip 84.0.0.0 1.255.255.255 any
> deny ip 86.0.0.0 1.255.255.255 any
> deny ip 88.0.0.0 1.255.255.255 any
> deny ip 90.0.0.0 1.255.255.255 any
> deny ip 92.0.0.0 1.255.255.255 any
> deny ip 94.0.0.0 1.255.255.255 any
> !
> deny ip 96.0.0.0 1.255.255.255 any
> deny ip 98.0.0.0 1.255.255.255 any
> deny ip 100.0.0.0 1.255.255.255 any
> deny ip 102.0.0.0 1.255.255.255 any
> deny ip 104.0.0.0 1.255.255.255 any
> deny ip 106.0.0.0 1.255.255.255 any
> deny ip 108.0.0.0 1.255.255.255 any
> deny ip 110.0.0.0 1.255.255.255 any
> deny ip 112.0.0.0 1.255.255.255 any
> deny ip 114.0.0.0 1.255.255.255 any
> deny ip 116.0.0.0 1.255.255.255 any
> deny ip 118.0.0.0 1.255.255.255 any
> deny ip 120.0.0.0 1.255.255.255 any
> deny ip 122.0.0.0 1.255.255.255 any
> deny ip 124.0.0.0 1.255.255.255 any
> deny ip 126.0.0.0 1.255.255.255 any
> !
> permit ip any any
> !
> end
>
> On Thu, Dec 07, 2000 at 06:42:49PM -0500, Kris Amundson wrote:
> > I'm listing standard subnets for traffic and route
> filtering for a Cisco
> > router template. Did I miss anything?
> >
> > Standard stuff:
> > 0.0.0.0/8
> > 10.0.0.0/8
> > 127.0.0.0/8
> > 169.254.0.0/16
> > 172.16.0.0/14
> > 192.0.2.0/24
> > 192.168.0.0/16
> >
> > Additional:
> > 1.0.0.0/8
> > 2.0.0.0/8
> > 5.0.0.0/8
> > 7.0.0.0/8
> > 23.0.0.0/8
> > 27.0.0.0/8
> > 31.0.0.0/8
> > 36.0.0.0/8
> > 37.0.0.0/8
> > 39.0.0.0/8
> > 41.0.0.0/8
> > 42.0.0.0/8
> > 49.0.0.0/8
> > 50.0.0.0/8
> > 58.0.0.0/7
> > 60.0.0.0/8
> > 67.0.0.0/8
> > 68.0.0.0/6
> > 72.0.0.0/5
> > 80.0.0.0/4
> > 96.0.0.0/3
> > 197.0.0.0/8
> > 218.0.0.0/7
> > 220.0.0.0/6
> > 224.0.0.0/3
> >
> > I'm unsure of all those additional subnets. I found them
> on recommended
> > filter reserved list.
>
> --
> Jared Mauch | pgp key available via finger from jared@puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements
> are only mine.
> END OF LINE | Manager of IP networks built within my own home
>



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:23 EDT