Page MenuHomePhabricator

Audit and cleanup border-in ACL on core routers
Closed, ResolvedPublic


While working on the border ACL filtering, I noticed that prefix (multicast) has been removed from the "special-ranges4" list in the last few years, and I'm not sure why. This means that multicast (source) traffic is no longer being filtered at our border.

Also several ranges (/24s) seem to have been added to the special-ranges4 list that don't appear to be special ranges, and may just have been added to effectively block those networks. A separate prefix list should be used for that.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

The first part is true and I couldn't figure out why -- I know why I removed the IPv6 multicast ranges (basically: NDP), but the question about 224/4 still remains. It may have been an oversight.

The second part isn't exactly true. I cleaned up special-ranges4/6 a while ago, since they were incomplete and had stale info (IIRC). In the search of something more maintainable, I based it off (for IPv4) and and (for IPv6). These are documented in annotates around the prefix-lists.

Mentioned in SAL (#wikimedia-operations) [2017-04-04T20:00:20Z] <paravoid> rolling out a border-in4 ACL update across core routers (T160055)

faidon claimed this task.

I just deployed a change which puts 224/4 back to special-ranges4 and nothing seems to be broken.