Re: Updated prefix filtering

2015-05-10 Thread Mark Andrews

In message CAA93jw7NrW7D7YOM7gWj+2up3xPFZdv5u=9c3ctdm+wtagt...@mail.gmail.com, Dave Taht writes:
 On Fri, May 8, 2015 at 3:41 PM, Chaim Rieger chaim.rie...@gmail.com wrote:
 
  Best example  I’ve found is located at http://jonsblog.lewis.org/
  http://jonsblog.lewis.org/
 
  I too ran out of space, Brocade, not Cisco though, and am looking to filter
  prefixes. did anybody do a more recent or updated filter list  since 2008 ?
 
  Offlist is fine.
 
  Oh and happy friday to all.
 
 I have had a piece long on the spike on how we implemented bcp38 for
 linux (openwrt) devices using the ipset facility.
 
 We had a different use case (preventing all possible internal rfc1918
 network addresses from escaping, while still allowing punching through
 one layer of nat ), but the underlying ipset facility was easily
 extendible to actually do bcp38 and fast to use, so that is what we
 ended up calling the openwrt package. Please contact me offlist if you
 would like a peek at that piece, because the article had some
 structural problems and we never got around to finishing/publishing
 it, and I would like to
 
 has there been a bcp38 equivalent published for ipv6?

Yes, BCP 38.  BCP 38 is address family agnostic.  Just because the
examples use IPv4 addresses doesn't mean that the concepts don't
just map straight over onto IPv6.

Source based routing is really only needed because BCP 38 filtering
is being poorly implemented.  Rather than collecting the full set
of legitimate source addresses ISPs are only accepting the set of
source addresses that they have allocated to the customer.

With SIDR it should be possible to pass certs to the other ISPs
that say I am a legitimate source of these addresses and do this
all automatically.

 Along the way source specific routing showed up for ipv6 and we ended
 up obsoleting the concept of an ipv6 global default route entirely on
 a linux based CPE router.
 
 see: http://arxiv.org/pdf/1403.0445.pdf and some relevant homenet wg stuff.
 
 d@nuc-client:~/babeld-1.6.0 $ ip -6 route
 
 default from 2001:558:6045:e9:251a:738a:ac86:eaf6 via
 fe80::28c6:8eff:febb:9ff0 dev eth0  proto babel  metric 1024
 default from 2601:9:4e00:4cb0::/60 via fe80::28c6:8eff:febb:9ff0 dev
 eth0  proto babel  metric 1024
 default from fde5:dfb9:df90:fff0::/60 via fe80::225:90ff:fef4:a5c5 dev
 eth0  proto babel  metric 1024
 
 So this box will not forward any ipv6 not in the from(src) table.
 
 -- 
 Dave Täht
 https://plus.google.com/u/0/explore/makewififast
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Updated prefix filtering

2015-05-10 Thread Frederik Kriewitz
Hello Dave,

On Sun, May 10, 2015 at 1:49 AM, Dave Taht dave.t...@gmail.com wrote:
 I have had a piece long on the spike on how we implemented bcp38 for
 linux (openwrt) devices using the ipset facility.

 We had a different use case (preventing all possible internal rfc1918
 network addresses from escaping, while still allowing punching through
 one layer of nat ), but the underlying ipset facility was easily
 extendible to actually do bcp38 and fast to use, so that is what we
 ended up calling the openwrt package. Please contact me offlist if you
 would like a peek at that piece, because the article had some
 structural problems and we never got around to finishing/publishing
 it, and I would like to

 has there been a bcp38 equivalent published for ipv6?

I don't see how this is related to the OP's problem.
But there's the rpfilter iptables module which can be used for BCP38
IPv4 and IPv6 implementations on linux routers.


Re: Updated prefix filtering

2015-05-09 Thread Dave Taht
On Fri, May 8, 2015 at 3:41 PM, Chaim Rieger chaim.rie...@gmail.com wrote:

 Best example  I’ve found is located at http://jonsblog.lewis.org/ 
 http://jonsblog.lewis.org/

 I too ran out of space, Brocade, not Cisco though, and am looking to filter 
 prefixes. did anybody do a more recent or updated filter list  since 2008 ?

 Offlist is fine.

 Oh and happy friday to all.

I have had a piece long on the spike on how we implemented bcp38 for
linux (openwrt) devices using the ipset facility.

We had a different use case (preventing all possible internal rfc1918
network addresses from escaping, while still allowing punching through
one layer of nat ), but the underlying ipset facility was easily
extendible to actually do bcp38 and fast to use, so that is what we
ended up calling the openwrt package. Please contact me offlist if you
would like a peek at that piece, because the article had some
structural problems and we never got around to finishing/publishing
it, and I would like to

has there been a bcp38 equivalent published for ipv6?

Along the way source specific routing showed up for ipv6 and we ended
up obsoleting the concept of an ipv6 global default route entirely on
a linux based CPE router.

see: http://arxiv.org/pdf/1403.0445.pdf and some relevant homenet wg stuff.

d@nuc-client:~/babeld-1.6.0 $ ip -6 route

default from 2001:558:6045:e9:251a:738a:ac86:eaf6 via
fe80::28c6:8eff:febb:9ff0 dev eth0  proto babel  metric 1024
default from 2601:9:4e00:4cb0::/60 via fe80::28c6:8eff:febb:9ff0 dev
eth0  proto babel  metric 1024
default from fde5:dfb9:df90:fff0::/60 via fe80::225:90ff:fef4:a5c5 dev
eth0  proto babel  metric 1024

So this box will not forward any ipv6 not in the from(src) table.

-- 
Dave Täht
https://plus.google.com/u/0/explore/makewififast
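
The source-specific default routes in the message above, modelled as an added example that is not part of the thread: it parses the three `default from ...` lines (mail line-wrapping undone) and shows which packet sources get a next hop and which do not. The function names are hypothetical, and matching on the longest source prefix is a simplification that holds here because every route has the same destination (default).

```python
import ipaddress

# `ip -6 route` output from the message above, with the mail line-wrapping undone.
IP6_ROUTE_OUTPUT = """\
default from 2001:558:6045:e9:251a:738a:ac86:eaf6 via fe80::28c6:8eff:febb:9ff0 dev eth0  proto babel  metric 1024
default from 2601:9:4e00:4cb0::/60 via fe80::28c6:8eff:febb:9ff0 dev eth0  proto babel  metric 1024
default from fde5:dfb9:df90:fff0::/60 via fe80::225:90ff:fef4:a5c5 dev eth0  proto babel  metric 1024
"""

def parse_source_specific_defaults(text):
    """Return [(source_network, next_hop, device)] for each 'default from ...' line."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        # Only source-specific default routes are modelled; skip anything else.
        if len(tok) < 3 or tok[0] != "default" or tok[1] != "from":
            continue
        fields = dict(zip(tok[3::2], tok[4::2]))  # via/dev/proto/metric pairs
        src = ipaddress.ip_network(tok[2], strict=False)  # bare address -> /128
        routes.append((src, fields.get("via"), fields.get("dev")))
    return routes

def forwarding_decision(src_addr, routes):
    """Longest-prefix match on the packet's source; None means not forwarded."""
    addr = ipaddress.ip_address(src_addr)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None  # no 'from' entry covers this source, so there is no route
    return max(matches, key=lambda r: r[0].prefixlen)

ROUTES = parse_source_specific_defaults(IP6_ROUTE_OUTPUT)

if __name__ == "__main__":
    # Constructed test sources: two inside the delegated /60s, two outside.
    for src in ("2601:9:4e00:4cb3::10", "fde5:dfb9:df90:fff1::1",
                "2601:9:4e00:4cc0::1", "2001:db8::1"):
        hit = forwarding_decision(src, ROUTES)
        print(src, "->", f"via {hit[1]} dev {hit[2]}" if hit else "no route (not forwarded)")
```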


Re: Updated prefix filtering

2015-05-09 Thread Frederik Kriewitz
On Sat, May 9, 2015 at 2:22 AM, Faisal Imtiaz fai...@snappytelecom.net wrote:
 Not sure if you missed it.. there was a discussion on this topic in the 
 recent past...
 I am taking the liberty of re-posting below.. you may find it useful.

You can find the complete thread here:
http://mailman.nanog.org/pipermail/nanog/2015-April/074425.html

Depending on whether you're RIB and/or FIB limited there are a couple
of options.

Regards,
Frederik Kriewitz


Updated prefix filtering

2015-05-08 Thread Chaim Rieger

Best example  I’ve found is located at http://jonsblog.lewis.org/ 
http://jonsblog.lewis.org/

I too ran out of space, Brocade, not Cisco though, and am looking to filter 
prefixes. did anybody do a more recent or updated filter list  since 2008 ?

Offlist is fine. 

Oh and happy friday to all.

Re: Updated prefix filtering

2015-05-08 Thread Faisal Imtiaz
Not sure if you missed it.. there was a discussion on this topic in the recent 
past...
I am taking the liberty of re-posting below.. you may find it useful.

--
Hi Freddy,

As Paul has mentioned, you could check David's project - SIR, look
at his presentation:
https://www.youtube.com/watch?v=o1njanXhQqM

We've also developed a platform for the BGP monitoring and routing
optimization which could solve your problem. It would inject to the
border routers only TOP X prefixes with which you exchange most of the
traffic. The added value would be that route orders point to best
performing transit (low latency, 0 packet loss) per distant prefix.

If you are interested to know more about our software please contact me
off-list.


-- 
Regards,
Pawel Rybczyk
Regional Manager
BORDER 6 sp. z o.o.
pawel.rybc...@border6.com
office: +48 22 242 89 51 (ext.103)
mobile: +48 664 300 375
==

Faisal Imtiaz
Snappy Internet  Telecom
7266 SW 48 Street
Miami, FL 33155
Tel: 305 663 5518 x 232

Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net 

- Original Message -
 From: Chaim Rieger chaim.rie...@gmail.com
 To: NANOG list nanog@nanog.org
 Sent: Friday, May 8, 2015 6:41:34 PM
 Subject: Updated prefix filtering
 
 
 Best example  I’ve found is located at http://jonsblog.lewis.org/
 http://jonsblog.lewis.org/
 
 I too ran out of space, Brocade, not Cisco though, and am looking to filter
 prefixes. did anybody do a more recent or updated filter list  since 2008 ?
 
 Offlist is fine.
 
 Oh and happy friday to all.