Posts Tagged ‘filtering’

A Word About BGP Bogons Filtering

Tuesday, December 9th, 2008

BGP4 filtering is important, but how can you keep track of the prefixes and do active filtering on them?

It has been a while since my last blog post now, it’s partly because I have been (honestly) pretty lazy lately, yes, I have been trying to cool down on all my working because I started to get some problems with keeping track of my own feelings.
..and also because I have been trying to spend a little more time with the girl that actually can stand living with such a busy internet lunatic, we went to see the Norwegian setup of the musical Grease and also a Norwegian talk show named Senkveld, and along with all the xmas preparations and that it has been kind of hectic, but very very nice.
While I am still talking freely here, why is it that while I can see people reading around, I never see any comments from you guys?

Anyways, enough with the excuses and all that – on with the show, right?
[*APPLAUSE*]

The point about this post is to inform about the problems with bogon IPv4 (and probably IPv6 too, I haven’t looked at that yet) prefixes being announced into the Internet, and the problem about Internet Service Providers accepting these prefixes and adds them to their routing table. The worst case scenario would be like spam from 127.0.0.1

But, what are bogons.. or bogon prefixes?
I am glad to be asked that question sometimes, it is good – it shows that someone paid attention.
Bogon prefixes are for example unassigned prefixes, or RFC1918 networks and there are also other reserved ranges.

The assignment process for IPv4 is somewhat like this:

  1. IANA allocates a block of IPv4 addresses to a Regional Internet Registry (usually /8 to i.e. RIPE)
  2. The RIR then makes suballocations of this block to a LIR, a LIR is a Local Internet Registry (i.e. your ISP)

The ISP can then announce this IPv4 prefix in the BGP table on the Internet.
All these IANA to RIR assignments are public information, you can find it at cymru.com, they have regular updates.

The problem with bogons
The problem exists when networks listed as RESERVED or UNALLOCATED in this list are being announced and produces internet traffic.
For example, if you want to send out totally anonymous spam, what could you possibly do to ISPs without proper filtering?
Yeah, you could see someone announcing 192.168.0.0/22 and start spamming from 192.168.1.0.

Do you keep track of every announcement ever done to you? (In that case, how do you do it?)
I run a quagga router which also sees all announcements to our network and logs these to a logfile, and I am insterested to hear about other solutions – I know there are some java based applications.

To be consistent; you do not want bogons announced to you, you do not want to accept bogon networks and start routing traffic to them.

How to fix?
There’s a bogons prefix-list that Team Cymru creates that is very useful for Cisco enthusiasts like me.
They have constructed a secure BGP template.

So let us hope maybe there’s at least one extra bogon filter in place tomorrow, and let me know about it!

IPv4 and IPv6 Access Control Lists In Cisco IOS

Wednesday, November 5th, 2008

Do you feel like you are comfortable with writing ACLs? This will be refreshing!

I’ll get to IPv6 in the bottom of this, it might prove extremely useful to understand the concept at first.

What are Access Control Lists?
ACLs are simple rulesets, they can be used to filter network traffic, routing updates, matching packets and a lot of different uses. The most common and basic usage must be to restrict network traffic to your router by applying it on the vty lines.

The access control lists have numbers and can also have text as identifiers, each number or string represents a specific access control list.

There are several “classes” of Access Control Lists, the most common ones are

  1. IP Standard Access List
    List numbers 1-99, can only define source or destination, not source and destination.
  2. IP Extended Access List
    List numbers 100-199, can define both source and destination as well as port and protocol numbers.

Okay, I understand…. but how do I configure it?

A IP standard access control list with two entries is configured like this

Router#conf t
Router(config)#ip access-list standard 5
Router(config-std-nacl)#5 permit 192.168.0.0 0.0.0.255
Router(config-std-nacl)#10 permit 192.168.1.0 0.0.0.255

To apply this inbound on an interface, just use

Router#conf t
Router(config)#int te 1/1
Router(config-if)#ip access-group 5 in

The alternative way to define an access list number 5 with two entries is

Router#conf t
Router(config)#access-list 5 permit 192.168.0.0 0.0.0.255
Router(config)#access-list 5 permit 192.168.1.0 0.0.0.255
Router(config)#

To apply this one inbound on a line interface

Router#conf t
Router(config)#line vty 1
Router(config-line)#access-class 5 in

Nice, now I have a lot of ACLs configured in my network for all the IPv4 traffic, mon ami! But IPv6 traffic still seems to keep flowing right through, thought you said you were supposed to make sense of all this in the end?

Yeah, I know I promised that and as long as you understand the IPv4 basics you will understand IPv6 pretty well. You will need to understand basic IPv6 subnetting theory to be able to filter subnets (obviously), if anyone wants me to write an article about it, just comment about it and I will get on to it ASAP. When you learn that, you will see that IPv6 access control lists are pretty much the same as for IPv4.

Anyways, I take for granted you understand IPv6 subnetting by now so I will just get right on to the configuration, an example for an IPv6 access list in Cisco IOS follows

Router#conf t
Router(config)#ipv6 access-list myfirewall
Router(config-ipv6-acl)#permit 3ffe:200::/32 any
Router(config-ipv6-acl)#permit 3ffe:100::/32 any

To verify the access-lists just look at this

Router#show access-lists myfirewall
IPv6 access list myfirewall
permit ipv6 3FFE:200::/32 any sequence 10
permit ipv6 3FFE:201::/32 any sequence 20
Router#

To apply this IPv6 Access Control List to an interface, just do as follows

Router#conf t
Router(config)#int te 1/1
Router(config-if)#ipv6 traffic-filter myfirewall in

To apply this IPv6 access control list to a line

Router#conf t
Router(config)#line vty 1
Router(config-line)#ipv6 access-class myfirewall in