10/8 gets announced at least once a day by someone somewhere. Really.
So what else is new? Smart providers explicitly filter RFC-1918 address space. ;-)
In response to an appearance in May of some 192.168/16 prefixes, Paul Vixie sent this to the NANOG list. I wrote up a gated analogue for Digital's border routers; if anyone wants one, send me mail.
Message-Id: <9605230534.AA26573@wisdom.home.vix.com> To: nanog@merit.edu Subject: Re: RFC 1597 Date: Wed, 22 May 1996 22:34:17 -0700 From: Paul A Vixie <paul@vix.com>
*> 192.168.22.0 144.228.71.5 0 1239 1800 1804 1128 1955 3337 ? *> 192.168.100.0/22 144.228.71.5 0 1239 1794 ? *> 192.168.216.0 144.228.71.5 0 1239 1800 1755 1273 ?
Shame on you 3337, 1794 and 1273.
Indeed. Since it's not my turn to be at fault for this kind of thing tonight, I guess I'll chime in with a copy of some useful goodies that Andrew Partan bestowed upon me last time CIX was caught advertising something bad:
router bgp xxxx neighbor y.y.y.y remote-as zzzz neighbor y.y.y.y distribute-list 100 in neighbor y.y.y.y distribute-list 101 out
access-list 100 deny ip host 0.0.0.0 any access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255 access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255 access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255 access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255 access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255 access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255 access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 access-list 100 deny ip any 255.255.255.128 0.0.0.127 access-list 100 permit ip any any
access-list 101 deny ip host 0.0.0.0 any access-list 101 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 access-list 101 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 access-list 101 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255 access-list 101 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255 access-list 101 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255 access-list 101 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255 access-list 101 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255 access-list 101 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255 access-list 101 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 access-list 101 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 access-list 101 deny ip any 255.255.255.128 0.0.0.127 access-list 101 permit ip any any
These are currently identical, but they're split into separate access-list's in case the sending restrictions and the receiving restrictions ever have cause to differ.
Note that everybody who's anybody uses peer groups rather than duplicating this for every peer, but I'm the wrong person to try to explain peer groups so the above was intentionally kept at my "grunt, poke, listen" level.
Stephen - ----- Stephen Stuart stuart@pa.dec.com Network Systems Laboratory Digital Equipment Corporation