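# Sources:
# http://www.us.ntt.net/support/policy/routing.cfm#bogon
# http://as2914.net/bogon_asns/configuration_examples.txt
# https://www.de-cix.net/en/locations/germany/frankfurt/routeserver-guide
# https://archive.nanog.org/sites/default/files/Snijders_Everyday_Practical_Bgp.pdf
# http://bgpfilterguide.nlnog.net/
# https://gitlab.labs.nic.cz/labs/bird/-/wikis/BGP_filtering

# True when the route's prefix equals, or is a more-specific of, one of the
# prefixes listed here (the "+" suffix matches the prefix and all its subnets).
function is_mine_ripe() {
    return net ~ [
        2a09:11c0:200::/44+,
        2a0e:97c7:100::/44+,
        2a09:4c2:1b::/48+,
        31.47.232.64/29+
    ];
}

# True when the route's prefix falls inside one of our dn42 prefixes.
function is_mine_dn42() {
    return net ~ [
        172.23.156.0/23+,
        fd42:4dd0:ff00::/48+
    ];
}

# True when the prefix is ours in either address space (dn42 or RIPE).
function is_mine() {
    return is_mine_dn42() || is_mine_ripe();
}

# Big transit / tier 1 ASNs for "peerlock"
# The caller supplies the ASN to test; this function only answers membership.
function is_big_asn(int asnum) {
    return asnum ~ [
        174,   # Cogent
        209,   # Qwest (HE carries this on IXPs IPv6 (Jul 12 2018))
        701,   # UUNET
        702,   # UUNET
        1239,  # Sprint
        1299,  # Telia
        2914,  # NTT Communications
        3257,  # GTT Backbone
        3320,  # Deutsche Telekom AG (DTAG)
        3356,  # Level3
        3549,  # Level3
        3561,  # Savvis / CenturyLink
        4134,  # Chinanet
        5511,  # Orange opentransit
        6453,  # Tata Communications
        6461,  # Zayo Bandwidth
        6762,  # Seabone / Telecom Italia
        7018   # AT&T
    ];
}

# Source: https://wiki.freifunk.net/AS-Nummern
# Note that this range lies inside the RFC6996 private-use range listed in
# is_bogon_asn().
function is_freifunk_asn(int asnum) {
    return asnum ~ [ 64856..65534 ];
}

# Source: https://dn42.net/services/Whois
function is_dn42_asn(int asnum) {
    return asnum ~ [ 4242420000..4242429999 ];
}

# True when asnum is a reserved, documentation or private-use ASN that should
# not appear in a path learned from the public Internet.
function is_bogon_asn(int asnum) {
    return asnum ~ [
        0,                       # RFC7607: Codification of AS 0 Processing
        23456,                   # RFC6793: AS_TRANS for 32bit extended ASN range
        64496..64511,            # RFC5398: Reservation for Documentation Use 16bit ASN
        64512..65534,            # RFC6996: Reservation for Private Use 16bit ASN
        65535,                   # RFC7300: Reservation of Last ASNs
        65536..65551,            # RFC5398: Reservation for Documentation Use 32bit ASN
        65552..131071,           # IANA reserved ASNs https://www.mail-archive.com/uknof@lists.uknof.org.uk/msg03395.html
        4200000000..4294967294,  # RFC6996: Reservation for Private Use 32bit ASN
        4294967295               # RFC7300: Reservation of Last ASNs
    ];
}

# RFC 1918
function is_private_v4() {
    return net ~ [
        10.0.0.0/8+,
        172.16.0.0/12+,
        192.168.0.0/16+
    ];
}

function is_private_v6() {
    return net ~ [
        fc00::/7+  # RFC4193: Unique-Local
    ];
}

# True when the prefix is (part of) the peering LAN of one of the listed IXPs.
# Peering-LAN prefixes are not expected to be learned over BGP.
function is_peering_lan_v4() {
    return net ~ [
        185.1.119.0/24+,   # LocIX Frankfurt
        80.81.192.0/21+,   # DE-CIX Frankfurt
        185.1.125.0/24+,   # 4IXP / 4b42
        206.81.104.0/24+,  # EVIX
        193.189.82.0/23+   # KleyRex
    ];
}

function is_peering_lan_v6() {
    return net ~ [
        2a07:1c44:61f0::/64+,     # LocIX Frankfurt
        2001:7f8::/64+,           # DE-CIX Frankfurt
        2001:7f8:d0:b901::/64+,   # 4IXP / 4b42
        2001:7f8:d0:4b42::/64+,   # 4IXP / 4b42
        # "+" added so more-specifics of the EVIX LAN are matched as well,
        # consistent with every other peering-LAN entry.
        2602:fed2:fff:ffff::/64+, # EVIX
        2001:7f8:33::/48+         # KleyRex
    ];
}

# True for IPv4 prefixes that must never be accepted from an eBGP peer:
# RFC1918 space plus the special-purpose blocks below.
function is_martian_v4() {
    # See RFC6890
    return is_private_v4() || net ~ [
        0.0.0.0/8+,         # RFC1122: This host on this network
        100.64.0.0/10+,     # RFC6598: IANA-Reserved IPv4 Prefix for Shared Address Space
        127.0.0.0/8+,       # RFC1122: Loopback
        # The benchmarking block is 198.18.0.0/15; "192.18.0.0/15" was a typo
        # that left the benchmarking range unfiltered and matched unrelated space.
        198.18.0.0/15+,     # RFC2544: Benchmarking Methodology for Network Interconnect Devices
        169.254.0.0/16+,    # RFC3927: Dynamic Configuration of IPv4 Link-Local Addresses
        192.0.0.0/24+,      # RFC6890: IETF Protocol Assignments
        192.0.0.0/29+,      # RFC6333: DS-Lite (already covered by 192.0.0.0/24+)
        192.0.2.0/24+,      # RFC5737: IPv4 Address Blocks Reserved for Documentation (TEST-NET-1)
        198.51.100.0/24+,   # RFC5737: IPv4 Address Blocks Reserved for Documentation (TEST-NET-2)
        192.88.99.0/24+,    # RFC3068: 6to4 Relay Anycast
        203.0.113.0/24+,    # RFC5737: IPv4 Address Blocks Reserved for Documentation (TEST-NET-3)
        224.0.0.0/4+,       # RFC5771: IPv4 Multicast
        240.0.0.0/4+,       # RFC1112: Reserved for Future Use
        255.255.255.255/32  # RFC0919: Limited Broadcast (already covered by 240.0.0.0/4+)
    ];
}

# True for IPv6 prefixes that must never be accepted from an eBGP peer:
# unique-local space plus the special-purpose blocks below.
function is_martian_v6() {
    # See RFC6890
    return is_private_v6() || net ~ [
        ::ffff:0:0/96+,    # RFC4291: IPv4-mapped Address
        ::ffff:0:0:0/96+,  # IPv4 translated
        ::/128,            # RFC4291: Unspecified Address
        ::1/128,           # RFC4291: Loopback Address
        64:ff9b::/96+,     # RFC6052: IPv4-IPv6 Translated (NAT64)
        100::/64+,         # RFC6666: Discard-Only Address Block
        # NOTE(review): 2001::/23+ already covers the three 2001:... entries
        # that follow it, and the /23 as a whole also contains IANA
        # special-purpose assignments that are meant to be globally reachable;
        # confirm that filtering the entire /23 is intended.
        2001::/23+,        # RFC2928: IETF Protocol Assignments
        2001::/32+,        # RFC4380: TEREDO
        2001:2::/48+,      # RFC5180: Benchmarking
        2001:10::/28+,     # RFC4843: ORCHID
        2001:db8::/32+,    # RFC3849: Documentation
        2002::/16+,        # RFC3056: 6to4
        fe80::/10+,        # RFC4291: Link-Scoped Unicast
        ff00::/8+          # RFC2373/3306: IPv6 Multicast
    ];
}

# True only for the IPv4 default route itself.
function is_default_v4() {
    return net = 0.0.0.0/0;
}

# True only for the IPv6 default route itself.
# Uses "=" like is_default_v4(): "net ~ ::/0" is a prefix-within-prefix test
# and is true for every IPv6 prefix, not just the default route.
function is_default_v6() {
    return net = ::/0;
}

# Decide whether an IPv4 route learned over eBGP should be treated as a bogon.
# Returns true on the first failing check; where a matching
# filtered_import_* large community exists it is attached first, so the reason
# stays visible on the route. What happens to a route for which this returns
# true is decided by the calling filter (not shown here).
# NOTE(review): is_bogon_asn() is defined above but not applied to the AS path
# here — confirm whether bogon-ASN filtering happens elsewhere.
function is_bogon_ebgp_v4() {
    if net.len > 24 then {
        # RFC7454
        bgp_large_community.add(filtered_import_prefix_too_long);
        return true;
    }

    if is_martian_v4() then {
        return true;
    }

    if is_peering_lan_v4() then {
        return true;
    }

    # NOTE(review): this compares the first AS in the path with our own ASN
    # (my_ripe_asn), while the community used for this case is named
    # "first AS not peer". On an eBGP import the first AS is normally the
    # neighbour's ASN — confirm which ASN is intended and where this function
    # is called.
    if bgp_path.first != my_ripe_asn then {
        # Tag the reason, as is_bogon_ebgp_v6() does for the same check.
        bgp_large_community.add(filtered_import_first_as_not_peer);
        return true;
    }

    if bgp_path.len > 32 then {
        bgp_large_community.add(filtered_import_as_path_too_long);
        return true;
    }

    if net.len < 8 then {
        # RFC7454
        bgp_large_community.add(filtered_import_prefix_too_short);
        return true;
    }

    return false;
}

# Decide whether an IPv6 route learned over eBGP should be treated as a bogon.
# Same structure as is_bogon_ebgp_v4(), with IPv6 length limits (/19 to /48).
function is_bogon_ebgp_v6() {
    if net.len > 48 then {
        # RFC7454
        bgp_large_community.add(filtered_import_prefix_too_long);
        return true;
    }

    if is_martian_v6() then
        return true;

    if is_peering_lan_v6() then
        return true;

    # NOTE(review): the bogon-ASN check below is disabled, and as written it
    # calls is_bogon_asn() without the int argument the function requires.
    #if is_bogon_asn() then
    #    return true;

    # NOTE(review): compares the first AS in the path with our own ASN
    # (my_ripe_asn) although the community is named "first AS not peer" —
    # confirm which ASN is intended.
    if bgp_path.first != my_ripe_asn then {
        bgp_large_community.add(filtered_import_first_as_not_peer);
        return true;
    }

    if bgp_path.len > 32 then {
        bgp_large_community.add(filtered_import_as_path_too_long);
        return true;
    }

    if net.len < 19 then {
        # RFC7454
        bgp_large_community.add(filtered_import_prefix_too_short);
        return true;
    }

    return false;
}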