LISTSERV 16.0 - MICE-DISCUSS Archives

Arvig would also support this.


Ben Wiechman
Network Engineer IV | Arvig
Direct: 320.256.0184
Cell: 320.247.3224
Office: 320.256.7471
[log in to unmask]

On Fri, Dec 2, 2016 at 11:11 AM, Richard Laager <[log in to unmask]> wrote:

> On 12/02/2016 09:07 AM, Andrew Hoyos wrote:
> >  - reject 0/0
> >  - reject RFC1918
> >  - reject bogon ASNs
>
> Is this what you had in mind? Any changes?
>
> Specifically, is blocking AS_TRANS 23456 good or bad? I did not block
> it in the list below.
>
>
> Block (original, plus additions from David Farmer):
> _(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|
> 5511|6453|6461|6762|6939|7018|11164|11537|12956)_
>
> exception: remove 6939 from this list on HE's connection
>
> Block private AS using this or something with the same effect:
> _(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(
> 6554[0-9])_|_(6555[0-1])_
> _6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-
> 9]|5([0-2][0-9]|3[0-5])))_
> _6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_
> _[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_
> 130[0-9][0-9][0-9]_
> _1310[0-6][0-9]_|_13107[0-1]_
> _42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_
> _(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_|_(4294[0-8][0-9][
> 0-9][0-9][0-9][0-9])_
> _(42949[0-5][0-9][0-9][0-9][0-9])_|_(429496[0-6][0-9][0-9][0-9])_
> _(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-5])_
>
> AS0 is a bogon AS we could block:
> _0_
>
> Block default and RFC 1918, etc.
> ip prefix-list upstream-in seq 900 deny 0.0.0.0/8 le 32
> ip prefix-list upstream-in seq 905 deny 10.0.0.0/8 le 32
> ip prefix-list upstream-in seq 910 deny 127.0.0.0/8 le 32
> ip prefix-list upstream-in seq 915 deny 169.254.0.0/16 le 32
> ip prefix-list upstream-in seq 920 deny 172.16.0.0/12 le 32
> ip prefix-list upstream-in seq 925 deny 192.0.0.0/24 le 32
> ip prefix-list upstream-in seq 930 deny 192.0.2.0/24 le 32
> ip prefix-list upstream-in seq 935 deny 192.168.0.0/16 le 32
> ip prefix-list upstream-in seq 945 deny 198.51.100.0/24 le 32
> ip prefix-list upstream-in seq 950 deny 203.0.113.0/24 le 32
> ip prefix-list upstream-in seq 955 deny 224.0.0.0/3 le 32
> ip prefix-list upstream-in seq 990 deny 0.0.0.0/0 le 7
>
> Similar for IPv6:
> ipv6 prefix-list upstream-in seq 900 deny 3ffe::/16 le 128
> ipv6 prefix-list upstream-in seq 901 deny 2001:db8::/32 le 128
> ipv6 prefix-list upstream-in seq 910 permit 2001::/32
> ipv6 prefix-list upstream-in seq 911 deny 2001::/32 le 128
> ipv6 prefix-list upstream-in seq 920 permit 2002::/16
> ipv6 prefix-list upstream-in seq 921 deny 2002::/16 le 128
> ipv6 prefix-list upstream-in seq 930 deny ::/8 le 128
> ipv6 prefix-list upstream-in seq 940 deny fe00::/9 le 128
> ipv6 prefix-list upstream-in seq 941 deny ff00::/8 le 128
>
> --
> Richard
>