On 12/02/2016 09:07 AM, Andrew Hoyos wrote:
>  - reject 0/0
>  - reject RFC1918
>  - reject bogon ASNs

Is this what you had in mind? Any changes?

Specifically, is blocking AS_TRANS 23456 good or bad? I did not block
it in the list below.


Block (original, plus additions from David Farmer):
_(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511|6453|6461|6762|6939|7018|11164|11537|12956)_

exception: remove 6939 from this list on HE's connection

Block private AS using this or something with the same effect:
_(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_
_6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_
_6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_
_[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_
_1310[0-6][0-9]_|_13107[0-1]_
_42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_
_(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_|_(4294[0-8][0-9][0-9][0-9][0-9][0-9])_
_(42949[0-5][0-9][0-9][0-9][0-9])_|_(429496[0-6][0-9][0-9][0-9])_
_(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-5])_

AS0 is a bogon AS we could block:
_0_
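
As an added check (my own example, not part of Richard's config), here is a small Python harness that takes the AS-path regexes above exactly as posted, emulates the IOS "_" anchor, and probes every range boundary to confirm the expressions match precisely the intended bogon ranges (0, 64496-131071, 4200000000-4294967295) and nothing else, including AS_TRANS 23456. It assumes the "_" in IOS matches start/end of path, whitespace, and the {} () , delimiters of AS_SET and confederation segments; the transit-ASN filter builder and the per-session exception for 6939 are my illustration of the "remove 6939 on HE's connection" note.

```python
import re

# AS-path regexes copied verbatim from the posted list (IOS syntax).
BOGON_ASN_CISCO = [
    "_(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_",
    "_6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_",
    "_6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_",
    "_[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_",
    "_1310[0-6][0-9]_|_13107[0-1]_",
    "_42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_",
    "_(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_|_(4294[0-8][0-9][0-9][0-9][0-9][0-9])_",
    "_(42949[0-5][0-9][0-9][0-9][0-9])_|_(429496[0-6][0-9][0-9][0-9])_",
    "_(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-5])_",
    "_0_",
]

# Transit ASNs from the posted block list (original plus David Farmer's additions).
TRANSIT_ASNS = [174, 209, 286, 701, 1239, 1299, 2828, 2914, 3257, 3320, 3356,
                3549, 5511, 6453, 6461, 6762, 6939, 7018, 11164, 11537, 12956]


def cisco_to_python(pattern):
    # Assumption: IOS "_" matches ^, $, space, comma and the {}() of AS_SET /
    # confed segments. We pad the path with spaces, so a delimiter class suffices.
    return pattern.replace("_", r"[\s,{}()]")


def path_matches(pattern, as_path):
    return re.search(cisco_to_python(pattern), " %s " % as_path) is not None


def is_bogon_path(as_path):
    return any(path_matches(p, as_path) for p in BOGON_ASN_CISCO)


def intended_bogon(asn):
    # The ranges the posted regexes are meant to cover: AS0, documentation,
    # private and reserved 16/32-bit ASNs. AS_TRANS (23456) is deliberately absent.
    return asn == 0 or 64496 <= asn <= 131071 or 4200000000 <= asn <= 4294967295


def regex_mismatches():
    # Probe each range edge and its neighbours; an empty result means the
    # regexes agree with intended_bogon() at every boundary.
    edges = [0, 1, 23456, 64495, 64496, 64511, 64512, 65534, 65535, 65536,
             65551, 65552, 131071, 131072, 4199999999, 4200000000,
             4294967294, 4294967295]
    return [a for a in edges if is_bogon_path(str(a)) != intended_bogon(a)]


def transit_filter(peer_asn):
    # Illustrates the posted exception: on a session to one of these networks
    # (e.g. HE, 6939) its own ASN must not be in the reject list.
    asns = [a for a in TRANSIT_ASNS if a != peer_asn]
    return "_(" + "|".join(str(a) for a in asns) + ")_"


def reject_route(as_path, peer_asn):
    return is_bogon_path(as_path) or path_matches(transit_filter(peer_asn), as_path)


if __name__ == "__main__":
    print("boundary mismatches:", regex_mismatches())
    print("AS_TRANS blocked:", is_bogon_path("23456"))
```

Run it as-is: an empty mismatch list confirms the posted expressions line up with the IANA ranges at every edge, and the AS_TRANS line shows 23456 passing, matching the question above.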

Block default and RFC 1918, etc.
ip prefix-list upstream-in seq 900 deny 0.0.0.0/8 le 32
ip prefix-list upstream-in seq 905 deny 10.0.0.0/8 le 32
ip prefix-list upstream-in seq 910 deny 127.0.0.0/8 le 32
ip prefix-list upstream-in seq 915 deny 169.254.0.0/16 le 32
ip prefix-list upstream-in seq 920 deny 172.16.0.0/12 le 32
ip prefix-list upstream-in seq 925 deny 192.0.0.0/24 le 32
ip prefix-list upstream-in seq 930 deny 192.0.2.0/24 le 32
ip prefix-list upstream-in seq 935 deny 192.168.0.0/16 le 32
ip prefix-list upstream-in seq 945 deny 198.51.100.0/24 le 32
ip prefix-list upstream-in seq 950 deny 203.0.113.0/24 le 32
ip prefix-list upstream-in seq 955 deny 224.0.0.0/3 le 32
ip prefix-list upstream-in seq 990 deny 0.0.0.0/0 le 7

Similar for IPv6:
ipv6 prefix-list upstream-in seq 900 deny 3ffe::/16 le 128
ipv6 prefix-list upstream-in seq 901 deny 2001:db8::/32 le 128
ipv6 prefix-list upstream-in seq 910 permit 2001::/32
ipv6 prefix-list upstream-in seq 911 deny 2001::/32 le 128
ipv6 prefix-list upstream-in seq 920 permit 2002::/16
ipv6 prefix-list upstream-in seq 921 deny 2002::/16 le 128
ipv6 prefix-list upstream-in seq 930 deny ::/8 le 128
ipv6 prefix-list upstream-in seq 940 deny fe00::/9 le 128
ipv6 prefix-list upstream-in seq 941 deny ff00::/8 le 128
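
One more added example of mine (not from Richard's config): a parser and first-match evaluator for the two prefix-lists above, using IOS semantics (entries tried in seq order; "le N" widens the match to lengths up to N; a bare prefix is an exact match; no match means implicit deny). The two trailing permit lines are my assumption, since without some permit the implicit deny drops everything; they also show why the "permit 2001::/32" exact entry has to precede the "deny 2001::/32 le 128" one.

```python
import ipaddress
import re
from collections import namedtuple

# Posted lists, plus two constructed permit entries (assumption) so that
# ordinary routes can pass; seq 1000 is not part of the original post.
PREFIX_LIST_TEXT = """\
ip prefix-list upstream-in seq 900 deny 0.0.0.0/8 le 32
ip prefix-list upstream-in seq 905 deny 10.0.0.0/8 le 32
ip prefix-list upstream-in seq 910 deny 127.0.0.0/8 le 32
ip prefix-list upstream-in seq 915 deny 169.254.0.0/16 le 32
ip prefix-list upstream-in seq 920 deny 172.16.0.0/12 le 32
ip prefix-list upstream-in seq 925 deny 192.0.0.0/24 le 32
ip prefix-list upstream-in seq 930 deny 192.0.2.0/24 le 32
ip prefix-list upstream-in seq 935 deny 192.168.0.0/16 le 32
ip prefix-list upstream-in seq 945 deny 198.51.100.0/24 le 32
ip prefix-list upstream-in seq 950 deny 203.0.113.0/24 le 32
ip prefix-list upstream-in seq 955 deny 224.0.0.0/3 le 32
ip prefix-list upstream-in seq 990 deny 0.0.0.0/0 le 7
ip prefix-list upstream-in seq 1000 permit 0.0.0.0/0 le 24
ipv6 prefix-list upstream-in seq 900 deny 3ffe::/16 le 128
ipv6 prefix-list upstream-in seq 901 deny 2001:db8::/32 le 128
ipv6 prefix-list upstream-in seq 910 permit 2001::/32
ipv6 prefix-list upstream-in seq 911 deny 2001::/32 le 128
ipv6 prefix-list upstream-in seq 920 permit 2002::/16
ipv6 prefix-list upstream-in seq 921 deny 2002::/16 le 128
ipv6 prefix-list upstream-in seq 930 deny ::/8 le 128
ipv6 prefix-list upstream-in seq 940 deny fe00::/9 le 128
ipv6 prefix-list upstream-in seq 941 deny ff00::/8 le 128
ipv6 prefix-list upstream-in seq 1000 permit ::/0 le 48
"""

LINE = re.compile(r"^(?:ip|ipv6) prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
                  r"(?: ge (\d+))?(?: le (\d+))?$")

Entry = namedtuple("Entry", "name seq action net lo hi")


def parse_prefix_lists(text):
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        name, seq, action, net, ge, le = m.groups()
        net = ipaddress.ip_network(net)
        # IOS length bounds: ge sets the floor, le the ceiling; with only ge the
        # ceiling is the address size; with neither it is an exact-length match.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (net.max_prefixlen if ge else net.prefixlen)
        entries.append(Entry(name, int(seq), action, net, lo, hi))
    return sorted(entries, key=lambda e: e.seq)


def lookup(prefix_str, entries, name="upstream-in"):
    # First matching entry wins; returns (action, seq), seq None for the implicit deny.
    prefix = ipaddress.ip_network(prefix_str)
    for e in entries:
        if e.name != name or e.net.version != prefix.version:
            continue
        if prefix.subnet_of(e.net) and e.lo <= prefix.prefixlen <= e.hi:
            return e.action, e.seq
    return "deny", None


ENTRIES = parse_prefix_lists(PREFIX_LIST_TEXT)

if __name__ == "__main__":
    for p in ["10.1.0.0/16", "8.8.8.0/24", "8.0.0.0/7", "8.0.0.0/25",
              "2001::/32", "2001:0:1::/48", "2001:db8::/48"]:
        print(p, lookup(p, ENTRIES))
```

Worth noting from the output: 8.0.0.0/7 is caught by seq 990 (anything shorter than /8), while 8.0.0.0/25 hits neither a deny nor the constructed permit and is dropped by the implicit deny, and 2001:0:1::/48 falls through the exact-match Teredo permit at seq 910 into the deny at 911.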

-- 
Richard