On 2016 May 31 (Tue) at 08:10:22 +0200 (+0200), Claudio Jeker wrote:
:On Mon, May 30, 2016 at 10:43:49PM +0200, Sebastian Benoit wrote:
:> /Benno
:> 
:> diff --git etc/examples/bgpd.conf etc/examples/bgpd.conf
:> index 8ffa8a8..02a31f9 100644
:> --- etc/examples/bgpd.conf
:> +++ etc/examples/bgpd.conf
:> @@ -119,3 +119,14 @@ deny from any prefix fc00::/7 prefixlen >= 7            
# unique local unicast
:>  deny from any prefix fe80::/10 prefixlen >= 10              # link local 
unicast
:>  deny from any prefix fec0::/10 prefixlen >= 10              # old site 
local unicast
:>  deny from any prefix ff00::/8 prefixlen >= 8                # multicast
:> +
:> +# filter bogon AS numbers
:> +# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
:> +deny from any AS 23456                              # AS_TRANS
:> +deny from any AS 64496 - 64511                      # Reserved for use in 
docs and code RFC5398
:> +deny from any AS 64512 - 65534                      # Reserved for Private 
Use RFC6996
:> +deny from any AS 65535                              # Reserved RFC7300
:> +deny from any AS 65536 - 65551                      # Reserved for use in 
docs and code RFC5398 
:> +deny from any AS 65552 - 131071                     # Reserved
:> +deny from any AS 4200000000 - 4294967294    # Reserved for Private Use 
RFC6996
:> +deny from any AS 4294967295                 # Reserved RFC7300
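Review bot: The `deny from any AS 65552 - 131071` line is commented only "# Reserved", while every other range in the added block names its purpose or RFC. Say what reserves it, so a reader of the example file can later check whether the range is still valid against the IANA registry the block header links to. Two style points in the same block: the comments on the `4200000000 - 4294967294` and `4294967295` lines are spaced differently from the lines above them, and the second "docs and code RFC5398" comment ends in a trailing space.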
:
:
:Did you check how many paths in a regular feed hit any of those rules?
:I have seen a few paths with private or AS_TRANS ASes in them in the wild.
:For a default filterset this may be a bit too restrictive.
:

This feature came about because of a talk from Job at NTT during RIPE72,
where they will be introducing exactly this ruleset on all of their
links starting in July.


-- 
This life is a test.  It is only a test.  Had this been an actual life,
you would have received further instructions as to what to do and where
to go.
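
One way to answer the question raised in the thread (how many paths in a feed would hit these rules), as an added example that is not part of the original messages or of bgpd. It assumes AS paths given as asplain strings and treats an AS anywhere in the path, AS_SET members included, as a match; the function names and the sample paths are constructed for illustration.

```python
import re
from collections import Counter

# Ranges copied from the patch quoted in the thread: (first, last), inclusive.
BOGON_RANGES = [
    (23456, 23456),            # AS_TRANS
    (64496, 64511),            # docs and code RFC5398
    (64512, 65534),            # Private Use RFC6996
    (65535, 65535),            # Reserved RFC7300
    (65536, 65551),            # docs and code RFC5398
    (65552, 131071),           # Reserved
    (4200000000, 4294967294),  # Private Use RFC6996
    (4294967295, 4294967295),  # Reserved RFC7300
]

def rule_name(first, last):
    """Render a range the way the patch writes it."""
    return f"AS {first}" if first == last else f"AS {first} - {last}"

def bogon_hits(as_path):
    """Return sorted (asn, rule) pairs for every bogon ASN in an asplain path.

    Assumption of this example: any position in the path counts, and AS_SET
    members written as "{64512,3333}" are checked like ordinary hops.
    """
    hits = set()
    for token in re.findall(r"\d+", as_path):
        asn = int(token)
        for first, last in BOGON_RANGES:
            if first <= asn <= last:
                hits.add((asn, rule_name(first, last)))
                break
    return sorted(hits)

def summarize(paths):
    """Return (rejected path count, {rule: paths hit}); a path counts once per rule."""
    per_rule, rejected = Counter(), 0
    for path in paths:
        rules = {rule for _, rule in bogon_hits(path)}
        per_rule.update(rules)
        rejected += bool(rules)
    return rejected, dict(per_rule)

# Constructed sample paths, not taken from a real feed.
SAMPLE_PATHS = ["2914 3333", "2914 23456 3333", "2914 65001", "2914 {64512,3333}",
                "2914 4200000001 3333", "2914 3333 1103", "2914 65001 65002"]

if __name__ == "__main__":
    print(summarize(SAMPLE_PATHS))
```
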
