Re: Ingress filtering on transits, peers, and IX ports

2020-10-20 Thread Marcos Manoni 
Hi,

You are missing some IPv6 bogons prefixes. Check:
http://www.bgp4all.com.au/pfs/_media/workshops/05-bgp-bcp.pdf (page 51-53)
http://bgpfilterguide.nlnog.net/guides/bogon_prefixes/#configuration-examples-ipv6

Regards.

Re: Ingress filtering on transits, peers, and IX ports

2020-10-13 Thread Marcos Manoni 
Hi, Brian

Check RFC3704/BCP84 Ingress Filtering for Multihomed Networks (Updated
by: RFC8704 Enhanced Feasible-Path uRPF).

Ingress Access Lists require typically manual maintenance, but are
the most bulletproof when done properly; typically, ingress access
lists are best fit between the edge and the ISP when the
configuration is not too dynamic if strict RPF is not an option,
between ISPs if the number of used prefixes is low, or as an
additional layer of protection


Ingress filters Best Practices
https://www.ripe.net/support/training/material/bgp-operations-and-security-training-course/BGP-Slides-Single.pdf
*Don’t accept BOGON ASNs
*Don’t accept BOGON prefixes
*Don’t accept your own prefix
*Don’t accept default (unless you requested it)
*Don’t accept prefixes that are too specific
*Don’t accept if AS Path is too long
*Create filters based on Internet Routing Registries

And also BGP Best Current Practices by Philip Smith
http://www.bgp4all.com.au/pfs/_media/workshops/05-bgp-bcp.pdf

Regards.

El mar., 13 oct. 2020 a las 19:52, Brian Knight via NANOG
() escribió:
>
> Hi Mel,
>
> My understanding of uRPF is:
>
> * Strict mode will permit a packet only if there is a route for the source IP 
> in the RIB, and that route points to the interface where the packet was 
> received
>
> * Loose mode will permit a packet if there is a route for the source IP in 
> the RIB.  It does not matter where the route is pointed.
>
> Strict mode won't work for us, because with our multi-homed transits and IX 
> peers, we will almost certainly drop a legitimate packet because the best 
> route is through another transit.
>
> Loose mode won't work for us, because all of our own prefixes are in our RIB, 
> and thus the uRPF check on a transit would never block anything.
>
> Or am I missing something?
>
> Thanks,
>
> -Brian
>
> On 2020-10-13 17:22, Mel Beckman wrote:
>
> You can also use Unicast Reverse Path Forwarding. RPF is more efficient than 
> ACLs, and has the added advantage of not requiring maintenance. In a 
> nutshell, if your router has a route to a prefix in its local RIB, then 
> incoming packets from a border interface having a matching source IP will be 
> dropped.
>
> RPF has knobs and dials to make it work for various ISP environments. 
> Implement it carefully (as is be standing next to the router involved :)
>
> Here's a Cisco brief on the topic:
>
>
> https://tools.cisco.com/security/center/resources/unicast_reverse_path_forwarding
>
>
>
>
>
> I think all router vendors support this feature. Here's a similar article by 
> Juniper:
>
> https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-configuring-unicast-rpf.html
>
>
> -mel beckman
>
> On Oct 13, 2020, at 3:15 PM, Brian Knight via NANOG  wrote:
>
> We recently received an email notice from a group of security researchers who 
> are looking at the feasibility of attacks using spoofed traffic.  Their 
> methodology, in broad strokes, was to send traffic to our DNS servers with a 
> source IP that looked like it came from our network.  Their attacks were 
> successful, and they included a summary of what they found.  So this message 
> has started an internal conversation on what traffic we should be filtering 
> and how.
>
> This security test was not about BCP 38 for ingress traffic from our 
> customers, nor was it about BGP ingress filtering.  This tested our ingress 
> filtering from the rest of the Internet.
>
> It seems to me like we should be filtering traffic with spoofed IPs on our 
> transit, IX, and peering links.  I have done this filtering in the enterprise 
> world extensively, and it's very helpful to keep out bad traffic.  BCP 84 
> also discusses ingress filtering for SP's briefly and seems to advocate for 
> it.
>
> We have about 15 IP blocks allocated to us.  With a network as small as ours, 
> I chose to go with a static ACL approach to start the conversation.  I 
> crafted a static ACL, blocking all ingress traffic sourced from any of our 
> assigned IP ranges.  I made sure to include:
>
> * Permit entries for P-t-P WAN subnets on peering links
>
> * Permit entries for IP assignments to customers running multi-homed BGP
>
> * The "permit ipv4 any any" at the end :)
>
> The questions I wanted to ask the SP community are:
>
> * What traffic filtering do you do on your transits, on IX ports, and your 
> direct peering links?
>
> * How is it accomplished?  Through static ACL or some flavor of uRPF?
>
> * If you use static ACLs, what is the administrative overhead like?  What 
> makes it easy or difficult to update?
>
> * How did you test your filters when they were implemented?
>
> Thanks a lot,
>
> -Brian
>
>

Re: CIDR cleanup

2020-10-01 Thread Marcos Manoni 
Hi,

Check https://github.com/job/aggregate6 (thank you, Job)

El jue., 1 oct. 2020 a las 10:36, John Von Essen () escribió:
>
> Sorry if this is slightly off-topic, but I am writing some code for a custom 
> GeoDNS routemap. My starting data set is a raw list of /24 subnets, no prefix 
> aggregation has been done. In other words, its the entire BGP routing table 
> in /24 prefixes - tagged by Geo region. Each region is its own txt file with 
> a dump of /24’s. As a result, these lists are HUGE. I want to aggregate the 
> prefixes as much as possible to create a smaller routemap.
>
> So right now it looks like:
>
> ...
> 105.170.72.0/24 brs
> 105.170.73.0/24 brs
> 105.170.74.0/24 brs
> 105.170.75.0/24 brs
> 105.170.76.0/24 brs
> 105.170.77.0/24 brs
> 105.170.78.0/24 brs
> 105.170.79.0/24 brs
> 105.170.80.0/24 brs
> 105.170.81.0/24 brs
> 105.170.82.0/24 brs
> 105.170.83.0/24 brs
> 105.170.84.0/24 brs
> …
>
> and so on. Obviously, 105.170.72.0/24 thru 105.170.79.0/24 can be aggregated 
> to 105.170.72.0/21 and so on. I normally use Perl, does anyone now if there 
> is a perl module that will automatically do this prefix aggregation? I tried 
> to write my code to do this, and its not trivial, just lookinh for a 
> shortcurt. I did a breif glance at some CIDR related Perl cpan modules, and 
> nothing has jumped out.
>
> Thanks
> John
>
>
>

Re: favorite network troubleshooting tools (online)

2020-07-16 Thread Marcos Manoni 
https://stat.ripe.net/ has lots of widgets https://stat.ripe.net/widget/list
http://irrexplorer.nlnog.net/ for detailed IRR info
(https://bgp.he.net also have some)

El mié., 15 jul. 2020 a las 14:41, Mehmet Akcin () escribió:
>
> hey there,
>
> I recently have come across this http://ping.pe/ website, I have no 
> association with this but it's pretty awesome. This made me wonder what other 
> tools out there which I do not know about it.
>
> what are your favorite network troubleshooting tools?
>
> In addition to ping.pe, I like https://bgp.he.net but would love to hear your 
> thought about other tool recommendations as especially the ones that are 
> distributed.
>
> Mehmet