Arvig would also support this.

Ben Wiechman
Network Engineer IV | Arvig
Direct: 320.256.0184
Cell: 320.247.3224
Office: 320.256.7471

On Fri, Dec 2, 2016 at 11:11 AM, Richard Laager wrote:

> On 12/02/2016 09:07 AM, Andrew Hoyos wrote:
> > - reject 0/0
> > - reject RFC1918
> > - reject bogon ASNs
>
> Is this what you had in mind? Any changes?
>
> Specifically, is blocking AS_TRANS 23456 good or bad? I did not block
> it in the list below.
>
>
> Block (original, plus additions from David Farmer):
> _(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511|6453|6461|6762|6939|7018|11164|11537|12956)_
>
> exception: remove 6939 from this list on HE's connection
>
> Block private AS using this or something with the same effect:
> _(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_
> _6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_
> _6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_
> _[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_
> _1310[0-6][0-9]_|_13107[0-1]_
> _42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_
> _(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_|_(4294[0-8][0-9][0-9][0-9][0-9][0-9])_
> _(42949[0-5][0-9][0-9][0-9][0-9])_|_(429496[0-6][0-9][0-9][0-9])_
> _(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-5])_
>
> AS0 is a bogon AS we could block:
> _0_
>
> Block default and RFC 1918, etc.
> ip prefix-list upstream-in seq 900 deny 0.0.0.0/8 le 32
> ip prefix-list upstream-in seq 905 deny 10.0.0.0/8 le 32
> ip prefix-list upstream-in seq 910 deny 127.0.0.0/8 le 32
> ip prefix-list upstream-in seq 915 deny 169.254.0.0/16 le 32
> ip prefix-list upstream-in seq 920 deny 172.16.0.0/12 le 32
> ip prefix-list upstream-in seq 925 deny 192.0.0.0/24 le 32
> ip prefix-list upstream-in seq 930 deny 192.0.2.0/24 le 32
> ip prefix-list upstream-in seq 935 deny 192.168.0.0/16 le 32
> ip prefix-list upstream-in seq 945 deny 198.51.100.0/24 le 32
> ip prefix-list upstream-in seq 950 deny 203.0.113.0/24 le 32
> ip prefix-list upstream-in seq 955 deny 224.0.0.0/3 le 32
> ip prefix-list upstream-in seq 990 deny 0.0.0.0/0 le 7
>
> Similar for IPv6:
> ipv6 prefix-list upstream-in seq 900 deny 3ffe::/16 le 128
> ipv6 prefix-list upstream-in seq 901 deny 2001:db8::/32 le 128
> ipv6 prefix-list upstream-in seq 910 permit 2001::/32
> ipv6 prefix-list upstream-in seq 911 deny 2001::/32 le 128
> ipv6 prefix-list upstream-in seq 920 permit 2002::/16
> ipv6 prefix-list upstream-in seq 921 deny 2002::/16 le 128
> ipv6 prefix-list upstream-in seq 930 deny ::/8 le 128
> ipv6 prefix-list upstream-in seq 940 deny fe00::/9 le 128
> ipv6 prefix-list upstream-in seq 941 deny ff00::/8 le 128
>
> --
> Richard
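
A quick way to check the private/reserved AS-path expressions quoted above for gaps before deploying them (an added example, not part of the thread). It emulates the `_` delimiter in Python's `re`; the `EXPECTED` ranges and the sample paths are assumptions of this example, and the transit-provider list is not covered.

```python
import re

# AS-path expressions copied from the message above, with mail line wraps rejoined.
RESERVED_AS_REGEXES = [
    "_(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_",
    "_6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_",
    "_6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_",
    "_[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_",
    "_1310[0-6][0-9]_|_13107[0-1]_",
    "_42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_",
    "_(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_|_(4294[0-8][0-9][0-9][0-9][0-9][0-9])_",
    "_(42949[0-5][0-9][0-9][0-9][0-9])_|_(429496[0-6][0-9][0-9][0-9])_",
    "_(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-5])_",
    "_0_",
]

# Cisco-style "_" matches start, end, or a delimiter; emulate that for Python's re.
DELIM = r"(?:^|$|[ ,{}()])"
COMPILED = [re.compile(rx.replace("_", DELIM)) for rx in RESERVED_AS_REGEXES]

# Ranges the expressions appear intended to cover (assumption of this example):
# AS0, 64496-131071 (documentation, private, reserved), 4200000000-4294967295.
EXPECTED = [(0, 0), (64496, 131071), (4200000000, 4294967295)]

def path_is_rejected(as_path):
    """True if any expression matches the space-separated AS path."""
    return any(rx.search(as_path) for rx in COMPILED)

def expected_reserved(asn):
    return any(lo <= asn <= hi for lo, hi in EXPECTED)

def find_mismatches():
    """ASNs where the regexes and EXPECTED disagree (empty list = no gaps)."""
    # Exhaustive over the low range; strided plus decimal boundaries in the high range.
    candidates = set(range(0, 200001))
    candidates.update(range(4199990000, 4294967296, 9973))
    for edge in (4200000000, 4290000000, 4294000000, 4294900000,
                 4294960000, 4294967000, 4294967200, 4294967290, 4294967295):
        candidates.update((edge - 1, edge, edge + 1))
    candidates.discard(4294967296)  # not a valid 32-bit ASN
    return sorted(a for a in candidates
                  if path_is_rejected(str(a)) != expected_reserved(a))

if __name__ == "__main__":
    print("mismatches:", find_mismatches())
    for path in ("3356 64512 1234", "6939 23456 1234", "701 4200000001"):  # constructed
        print(path, "->", "reject" if path_is_rejected(path) else "accept")
```

An empty mismatch list means the expressions and the assumed ranges agree on every ASN tested; AS_TRANS 23456 stays accepted, matching the list as posted.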