Page MenuHomePhabricator

Audit and cleanup border-in ACL on core routers
Closed, ResolvedPublic

Description

While working on the border ACL filtering, I noticed that prefix 224.0.0.0/4 (multicast) has been removed from the "special-ranges4" list in the last few years, and I'm not sure why. This means that multicast (source) traffic is no longer being filtered at our border.

Also several ranges (/24s) seem to have been added to the special-ranges4 list that don't appear to be special ranges, and may just have been added to effectively block those networks. A separate prefix list should be used for that.

Event Timeline

mark created this task.Mar 9 2017, 11:06 AM
Restricted Application added a project: Operations. · View Herald TranscriptMar 9 2017, 11:06 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
elukey added a subscriber: elukey.Mar 9 2017, 11:09 AM
faidon added a subscriber: faidon.Mar 14 2017, 12:54 PM

The first part is true and I couldn't figure out why -- I know why I removed the IPv6 multicast ranges (basically: NDP), but the question about 224/4 still remains. It may have been an oversight.

The second part isn't exactly true. I cleaned up special-ranges4/6 a while ago, since they were incomplete and had stale info (IIRC). In the search of something more maintainable, I based it off http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt (for IPv4) and http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt and http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt (for IPv6). These are documented in annotates around the prefix-lists.

Mentioned in SAL (#wikimedia-operations) [2017-04-04T20:00:20Z] <paravoid> rolling out a border-in4 ACL update across core routers (T160055)

faidon closed this task as Resolved.Apr 4 2017, 8:05 PM
faidon claimed this task.

I just deployed a change which puts 224/4 back to special-ranges4 and nothing seems to be broken.