Page MenuHomePhabricator
Create Task
Maniphest T190317

Update BGP_sanitize_in filter
Closed, ResolvedPublic
Actions

Description

From http://bgpfilterguide.nlnog.net/
TLDR:

  • Reject any v4 prefix larger than /24 (/26 currently)
  • Extend the list of Bogon ASN
  • Reject everything with 100 similar AS paths

1/ The only advertisement matching the 100 ASN, is:

208.45.214.0/24 *[BGP/170] 00:01:52, MED 0, localpref 250, from 208.80.154.196
AS path: 6939 12083 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 3450 ?

Ping/mtr shows a routing loop on their network, so I assume it's safe/sane to filter it out.

ping 208.45.214.1
From 160.36.2.98 icmp_seq=1 Time to live exceeded

2/ I didn't apply /* RFC 4893 AS_TRANS */ as-path as_trans ".* 23456 .*"; to the bogon-asns list, as we currently receive one prefix matching this regex (here seen from eqiad):

103.81.245.0/24 *[BGP/170] 11:33:00, MED 100, localpref 250
AS path: 4637 9583 23456 ?

And it's reachable from other networks (current coffee-shop):

$ ping 103.81.245.1
PING 103.81.245.1 (103.81.245.1) 56(84) bytes of data.
64 bytes from 103.81.245.1: icmp_seq=1 ttl=241 time=278 ms

Full diff:

[edit policy-options policy-statement BGP_sanitize_in]
-    /* reject advertisements that contain private AS numbers. */
-    term private-ASN {
-        from as-path private;
-        then reject;
-    }
[edit policy-options policy-statement BGP_sanitize_in term prefix-length4 from]
       route-filter 0.0.0.0/0 exact { ... }
+      route-filter 0.0.0.0/0 prefix-length-range /25-/32;
-      route-filter 0.0.0.0/0 prefix-length-range /27-/32;
[edit policy-options policy-statement BGP_sanitize_in]
     term prefix-length6 { ... }
+    term bogon-asns {
+        from as-path-group bogon-asns;
+        then reject;
+    }
+    term too-long-aspath {
+        from as-path too-many-hops;
+        then reject;
+    }
[edit policy-options]
    as-path private { ... }
+   as-path too-many-hops ".{100,}";
[edit policy-options]
    as-path-group SELECTED-PATHS { ... }
+   as-path-group bogon-asns {
+       /* RFC7607 */
+       as-path zero ".* 0 .*";
+       /* RFC 5398 and documentation/example ASNs */
+       as-path examples1 ".* [64496-64511] .*";
+       as-path examples2 ".* [65536-65551] .*";
+       /* RFC 6996 Private ASNs */
+       as-path reserved1 ".* [64512-65534] .*";
+       as-path reserved2 ".* [4200000000-4294967294] .*";
+       /* RFC 6996 Last 16 and 32 bit ASNs */
+       as-path last16 ".* 65535 .*";
+       as-path last32 ".* 4294967295 .*";
+       /* RFC IANA reserved ASNs*/
+       as-path iana-reserved ".* [65552-131071] .*";
+   }
[edit policy-options]
-   as-path private 64512-65535;

Event Timeline

ayounsi triaged this task as Medium priority.Mar 21 2018, 5:52 PM
ayounsi created this task.
Restricted Application added a project: SRE. · View Herald TranscriptMar 21 2018, 5:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
faidon added a comment.Apr 23 2018, 1:29 PM

I took a careful look at this -- it looks pretty good, but I'd suggest rolling it out slowly in phases just to be on the safe side. That could be separate phases for either the three different things it does (prefix length, bogon ASNs, long AS paths), the sites/BGP groups it's applied in, or both.

Stashbot subscribed.May 8 2018, 10:05 PM

Mentioned in SAL (#wikimedia-operations) [2018-05-08T22:05:15Z] <XioNoX> progressively push updated BGP_sanitize_in bogon ASN filters to routers - T190317

Stashbot added a comment.May 8 2018, 11:42 PM

Mentioned in SAL (#wikimedia-operations) [2018-05-08T23:42:04Z] <XioNoX> progressively push BGP_sanitize_in as-path too-many-hops to routers - T190317

ayounsi added a comment.May 9 2018, 1:30 AM

The last change to be applied:

+      route-filter 0.0.0.0/0 prefix-length-range /25-/32;
-      route-filter 0.0.0.0/0 prefix-length-range /27-/32;

Will cause 135 invalid prefixes to be unable to reach our networks (out of ~650000).
Total of /25 or /26 prefixes received: 210
Total of /25 or /26 prefixes that don't have a smaller subnet (/24 or less): 135

See the list of prefixes and the script used to figure it out:

list-of-25-26.txt3 KBDownload

orphan-25-26.py992 BDownload

Stashbot added a comment.May 9 2018, 1:36 AM

Mentioned in SAL (#wikimedia-operations) [2018-05-09T01:36:10Z] <XioNoX> progressively push updated BGP_sanitize_in prefix-length-range to routers - T190317

ayounsi closed this task as Resolved.May 9 2018, 2:08 AM

All done!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits