On 17 Jul 05 at 14:14, Claudio Jeker wrote:
On Sat, Jul 16, 2005 at 08:23:17PM +0200, Henning Brauer wrote:
* Xavier Beaudouin <[EMAIL PROTECTED]> [2005-07-16 20:04]:
I wish to add a filter to avoid that bogus AS that should be reserved for private network to be accepted by my router.
The problem is that:
# filter bogus AS
allow from any AS { 64512, 65534 } set nexthop blackhole
Doesn't allow ranges... Is there any better way to handle such setup?
no, but adding ranges might be a good idea...
Btw. you don't want to do that because there are some valid networks that have reserved AS numbers in their path.
Hum...
# bgpctl show rib | grep "65[0-9][0-9][0-9]" | awk '{print $2}'
Strange, I have more subnets than you:
I don't know why you want to filter them out. Unless you are using these AS yourself internally -- in that case you should probably block the specific AS.
This is already done on myself :)
IMO having AS number ranges does not make that much sense -- there is
almost no policy on AS number allocation.
Very strange. I got mine from ripe.net and they were very picky about that... :p
But it is sure that this is maybe not needed for "security" purposes :)
/Xavier
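
An added example, not part of the original thread: the grep above matches a digit pattern anywhere in the line, so this awk filter instead tests each AS-path field numerically against the 64512-65534 range from the filter rule. The column layout (flags, prefix, gateway, lpref, med, AS path, origin), the function names and the sample RIB lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the original thread.

# Constructed sample input. Assumed column layout:
#   flags  prefix  gateway  lpref  med  AS-path...  origin
sample_rib() {
    cat <<'EOF'
flags destination         gateway          lpref   med aspath origin
*>    192.0.2.0/24        198.51.100.1       100     0 64496 64512 i
*>    198.51.100.0/24     198.51.100.1       100     0 64496 64500 i
*>    203.0.113.0/24      198.51.100.1       100 65000 64496 64499 i
*>    2001:db8::/32       2001:db8::1        100     0 64497 65534 65535 i
EOF
}

# Print "prefix asn" for each route whose AS path holds an ASN in lo..hi.
private_as_routes() {
    awk -v lo=64512 -v hi=65534 '
        # Route lines have a CIDR prefix in field 2; header lines do not.
        $2 ~ /\/[0-9]+$/ {
            # Start at field 6 so lpref and med values are never
            # mistaken for AS numbers (see the med of 65000 above).
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+$/ && $i + 0 >= lo && $i + 0 <= hi) {
                    print $2, $i   # report the first matching ASN only
                    break
                }
        }'
}

sample_rib | private_as_routes
```

On a live router the input would be `bgpctl show rib | private_as_routes`, after checking that the column positions match the installed bgpctl version.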