
Audit and cleanup border-in ACL on core routers
Closed, Resolved · Public

Description

While working on the border ACL filtering, I noticed that prefix 224.0.0.0/4 (multicast) has been removed from the "special-ranges4" list in the last few years, and I'm not sure why. This means that multicast (source) traffic is no longer being filtered at our border.

Also several ranges (/24s) seem to have been added to the special-ranges4 list that don't appear to be special ranges, and may just have been added to effectively block those networks. A separate prefix list should be used for that.
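The two checks the description asks for (an expected special range that has dropped out of the list, and entries that are not special ranges at all) can be done mechanically against a known reference set. The following is an added example, not code from this task or from Wikimedia's router configuration. It assumes a Junos-style `prefix-list` block as input (a constructed sample, not the real config), and uses the IPv4 special-purpose ranges from RFC 6890 / the IANA special-purpose address registry as the reference set; the Team Cymru bogon list the task mentions overlaps heavily with it but is not fetched here, so the script runs offline. The two non-special `/24` entries in the sample are arbitrary constructed values standing in for the "added to block a network" case.

```python
import ipaddress
import re

# Reference set: IPv4 special-purpose ranges (RFC 6890 / IANA registry).
# Assumption of this example: these are the ranges a "special-ranges4"
# border filter is expected to carry. Multicast (224.0.0.0/4) is included.
SPECIAL_RANGES4 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed Junos-style snippet, NOT the real router config. It reproduces
# both problems from the task: 224.0.0.0/4 is absent, and two arbitrary /24s
# (constructed values) sit in the list although they are not special ranges.
SAMPLE_CONFIG = """
policy-options {
    prefix-list special-ranges4 {
        /* constructed annotation: based on a bogon list */
        0.0.0.0/8;
        10.0.0.0/8;
        100.64.0.0/10;
        127.0.0.0/8;
        169.254.0.0/16;
        172.16.0.0/12;
        192.0.0.0/24;
        192.0.2.0/24;
        192.88.99.0/24;
        192.168.0.0/16;
        198.18.0.0/15;
        198.51.100.0/24;
        203.0.113.0/24;
        240.0.0.0/4;
        11.22.33.0/24;
        55.66.77.0/24;
    }
}
"""

# One prefix-list entry per line, terminated by ';' (Junos style).
ENTRY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*;")


def parse_prefix_list(config, name):
    """Return the IPv4 networks listed in the named prefix-list block."""
    entries, inside = [], False
    for line in config.splitlines():
        stripped = line.strip()
        if not inside:
            # Enter the block on 'prefix-list <name> {'.
            if stripped.startswith(f"prefix-list {name} ") and stripped.endswith("{"):
                inside = True
            continue
        if stripped == "}":
            break  # end of the prefix-list block
        match = ENTRY_RE.match(line)
        if match:
            # strict=True rejects entries with host bits set (a typo signal).
            entries.append(ipaddress.ip_network(match.group(1), strict=True))
    return entries


def audit_prefix_list(entries, reference=SPECIAL_RANGES4):
    """Compare a prefix-list against the reference set.

    missing:     reference ranges not covered by any entry (the 224/4 case)
    not_special: entries that fall inside no reference range, i.e. candidates
                 that belong in a separate block list rather than here
    """
    missing = [str(r) for r in reference
               if not any(r.subnet_of(e) for e in entries)]
    not_special = [str(e) for e in entries
                   if not any(e.subnet_of(r) for r in reference)]
    return {"missing": missing, "not_special": not_special}


if __name__ == "__main__":
    report = audit_prefix_list(parse_prefix_list(SAMPLE_CONFIG, "special-ranges4"))
    for key, items in report.items():
        print(f"{key}: {', '.join(items) or 'none'}")
```

Coverage is tested with `subnet_of`, so a reference range counts as present if the list carries it or a supernet of it, and an entry counts as special if any reference range contains it; that avoids false alarms when the list aggregates differently from the reference. On the sample above the report flags `224.0.0.0/4` as missing and the two `/24`s as not special.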

Event Timeline


The first part is true and I couldn't figure out why -- I know why I removed the IPv6 multicast ranges (basically: NDP), but the question about 224/4 still remains. It may have been an oversight.

The second part isn't exactly true. I cleaned up special-ranges4/6 a while ago, since they were incomplete and had stale info (IIRC). In the search of something more maintainable, I based it off http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt (for IPv4) and http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt and http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt (for IPv6). These are documented in annotates around the prefix-lists.

Mentioned in SAL (#wikimedia-operations) [2017-04-04T20:00:20Z] <paravoid> rolling out a border-in4 ACL update across core routers (T160055)

faidon claimed this task.

I just deployed a change which puts 224/4 back to special-ranges4 and nothing seems to be broken.