IPv4 Bogons

Introduction

The BGP best-practice recommendations documented in RFC 7454, and discussed in the “BGP Best Practices or Dissecting RFC 7454” article, mandate the use of inbound prefix-list filtering to discard bogus route advertisements to and from BGP peers. It is strongly recommended that you implement this filtering if you accept the full or a partial BGP view from your peers.

You do not need to maintain inbound bogus-route filtering if the only route you plan to accept from your service providers is the default 0.0.0.0/0 prefix. In this scenario, you should configure an explicit prefix filter permitting the 0.0.0.0/0 route and rejecting all other advertisements.

Bogons, Martians, Bogus Advertisements

Over the years, networking professionals have used various terms to refer to the same thing. These “bad” advertisements might be referred to as Bogons, Martian lists, bogus advertisements, etc.

The current list comprises IP blocks reserved for some kind of special use, such as RFC 1918 space, the loopback block, etc. Some time ago this list also included valid IPv4 prefixes that had not yet been allocated by the Internet Assigned Numbers Authority (IANA). IPv4 space exhaustion put a stop to this. For the majority of ISPs and enterprises, it is no longer feasible to include the remaining unallocated blocks in the Bogons list, as this IPv4 space is small and constantly changing. The situation is very different when it comes to IPv6 space, and it will be discussed in the IPv6 Martians article.

Importance of Bogons

The main reason for filtering out Bogon advertisements is Internet security. Bad things might begin to happen if you allow Bogon blocks to be accepted into your BGP domain. Let’s consider a few scenarios in which hackers were able to advertise an RFC 1918 block into your network.

  • Firewall filters might consider RFC 1918 blocks “trusted” space and permit data flows that would otherwise be rejected
  • Spammers might send out email messages from servers in RFC 1918 space, making it nearly impossible to trace them back
  • Similar to spam, DDoS attacks from RFC 1918 space are impossible to trace
  • Your network might attract a large volume of bogus traffic destined to RFC 1918 space, such as port scans, vulnerability scans, etc.

Current IPv4 Bogons List

Source: http://www.radb.net/query/?keywords=fltr-martian

  • 0.0.0.0/8
  • 10.0.0.0/8
  • 100.64.0.0/10
  • 127.0.0.0/8
  • 169.254.0.0/16
  • 172.16.0.0/12
  • 192.0.0.0/24
  • 192.0.2.0/24
  • 192.168.0.0/16
  • 198.18.0.0/15
  • 198.51.100.0/24
  • 203.0.113.0/24
  • 224.0.0.0/3

Cisco Configuration

ip prefix-list martians seq 10 deny 0.0.0.0/8 le 32
ip prefix-list martians seq 20 deny 10.0.0.0/8 le 32
ip prefix-list martians seq 30 deny 100.64.0.0/10 le 32
ip prefix-list martians seq 40 deny 127.0.0.0/8 le 32
ip prefix-list martians seq 50 deny 169.254.0.0/16 le 32
ip prefix-list martians seq 60 deny 172.16.0.0/12 le 32
ip prefix-list martians seq 70 deny 192.0.0.0/24 le 32
ip prefix-list martians seq 80 deny 192.0.2.0/24 le 32
ip prefix-list martians seq 90 deny 192.168.0.0/16 le 32
ip prefix-list martians seq 100 deny 198.18.0.0/15 le 32
ip prefix-list martians seq 110 deny 198.51.100.0/24 le 32
ip prefix-list martians seq 120 deny 203.0.113.0/24 le 32
ip prefix-list martians seq 130 deny 224.0.0.0/3 le 32
ip prefix-list martians seq 9999 permit 0.0.0.0/0 le 32

router bgp 111100
  ...
  neighbor 120.0.4.17 prefix-list martians in

 

Juniper Configuration

Set format:

set policy-options policy-statement martians-ipv4 from route-filter 0.0.0.0/8 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 10.0.0.0/8 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 100.64.0.0/10 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 127.0.0.0/8 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 169.254.0.0/16 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 172.16.0.0/12 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 192.0.0.0/24 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 192.0.2.0/24 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 192.168.0.0/16 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 198.18.0.0/15 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 198.51.100.0/24 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 203.0.113.0/24 orlonger reject
set policy-options policy-statement martians-ipv4 from route-filter 224.0.0.0/3 orlonger reject
set policy-options policy-statement martians-ipv4 then accept

set protocols bgp group ebgp import martians-ipv4

Curly braces format:

policy-statement martians-ipv4 {
    from {
        route-filter 0.0.0.0/8 orlonger reject;
        route-filter 10.0.0.0/8 orlonger reject;
        route-filter 100.64.0.0/10 orlonger reject;
        route-filter 127.0.0.0/8 orlonger reject;
        route-filter 169.254.0.0/16 orlonger reject;
        route-filter 172.16.0.0/12 orlonger reject;
        route-filter 192.0.0.0/24 orlonger reject;
        route-filter 192.0.2.0/24 orlonger reject;
        route-filter 192.168.0.0/16 orlonger reject;
        route-filter 198.18.0.0/15 orlonger reject;
        route-filter 198.51.100.0/24 orlonger reject;
        route-filter 203.0.113.0/24 orlonger reject;
        route-filter 224.0.0.0/3 orlonger reject;
    }
    then accept;
}

protocols {
    bgp {
        group ebgp {
            import martians-ipv4;
            ...
        }
    }
}
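Both the Cisco prefix-list (`le 32`) and the Junos route-filter (`orlonger`) reject a prefix only when it is equal to or more specific than a bogon. The following added example (not from the original article) simulates that inbound policy over a constructed set of advertisements, so you can check what the filter above would and would not drop; note that a covering aggregate such as 192.0.0.0/16 passes, because it is shorter than the bogon entries it overlaps.

```python
"""Simulate the inbound bogon policy from the article: a prefix is rejected
when it equals or is more specific than a bogon (Cisco `le 32`, Junos
`orlonger`); anything else is accepted, including the default route."""
import ipaddress

# IPv4 bogon list from the article (RADB fltr-martian).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/3",
)]

# Constructed sample of received advertisements (not real BGP data).
SAMPLE_UPDATES = [
    "10.1.0.0/16",      # inside 10.0.0.0/8 -> rejected
    "203.0.113.0/24",   # exact bogon match -> rejected
    "240.0.0.0/8",      # inside 224.0.0.0/3 -> rejected
    "192.0.0.0/16",     # covers two bogons but is shorter -> accepted
    "0.0.0.0/0",        # default route -> accepted (seq 9999 / then accept)
    "8.8.8.0/24",       # ordinary public prefix -> accepted
]


def matching_bogon(prefix):
    """Return the bogon covering `prefix` under orlonger / le 32, else None."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        raise ValueError("this filter is IPv4 only: %s" % prefix)
    for bogon in BOGONS:
        # subnet_of() is true for the bogon itself and any longer prefix,
        # and false for a shorter prefix that merely overlaps it.
        if net.subnet_of(bogon):
            return bogon
    return None


def filter_updates(prefixes):
    """Apply the policy; return (accepted, [(rejected, matching bogon)])."""
    accepted, rejected = [], []
    for p in prefixes:
        hit = matching_bogon(p)
        if hit is None:
            accepted.append(p)
        else:
            rejected.append((p, str(hit)))
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = filter_updates(SAMPLE_UPDATES)
    print("accepted:", ok)
    print("rejected:", dropped)
```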
