BGP and the BOGON/MARTIAN listings

  • 1.  BGP and the BOGON/MARTIAN listings

     
    Posted 03-07-2018 01:55

    Hi,

     

    I wish to ensure that we have full protection at the eBGP upstream peer and therefore need to protect, dynamically, against the bogon/martian IPv4 and IPv6 listings.

     

    I have contacted the "Cymru" guys who deal with this and have been given the required peering credentials. I have currently, manually, configured this with the following:

    set policy-options policy-statement ebgp-martian term reserved from route-filter 0.0.0.0/0 exact reject
    set policy-options policy-statement ebgp-martian term reserved from route-filter 0.0.0.0/8 orlonger reject
    set policy-options policy-statement ebgp-martian term reserved from route-filter 10.0.0.0/8 orlonger reject
    set policy-options policy-statement ebgp-martian term reserved from route-filter 127.0.0.0/8 orlonger reject
    set policy-options policy-statement ebgp-martian term reserved from route-filter 128.0.0.0/16 orlonger reject
    set policy-options policy-statement ebgp-martian term reserved from route-filter 172.16.0.0/12 orlonger reject
    set policy-options policy-statement ebgp-martian term reserved from route-filter 191.255.0.0/16 orlonger reject
    set policy-options policy-statement ebgp-martian term reserved from route-filter 192.0.2.0/24 orlonger reject
    set policy-options policy-statement ebgp-martian term reserved from route-filter 223.255.255.0/24 orlonger reject
    set policy-options policy-statement ebgp-martian term reserved from route-filter 224.0.0.0/3 orlonger reject

     

    set protocols bgp group external-peers import ebgp-martian

     

    As this list is always changing, depending on the prefixes allocated and their usage, this is a rather defunct approach. Therefore the dynamic approach is much better.

     

    My question is how can I achieve this once I have the peering?

  • 2.  RE: BGP and the BOGON/MARTIAN listings

     
    Posted 03-07-2018 02:56

    Hi Clive,

     

    The ideal way would be to term-accept the routes/prefixes from a known set of peers only and term-reject everything else.

  • 3.  RE: BGP and the BOGON/MARTIAN listings

     
    Posted 03-07-2018 03:13

    Hi Karand,

     

    Yes. I did look at that option. But we are then relying on the upstream provider to ensure that they are not passing on any Bogons/Martians.

     

    I have no problem with the peering process to the Cymru servers. They have already supplied all the required information. I guess I am referring to how it is dealt with from a Juniper perspective compared to Cisco.

     

    In Cisco, we set the access lists for the bogons to deny and then send this information to the Null0 interface. Is the approach by Juniper the same or is it merely "reject"?

     

    Thanks

  • 4.  RE: BGP and the BOGON/MARTIAN listings

     
    Posted 03-07-2018 04:01

     

    On Juniper, you can try creating a static route for each next-hop used for blackholed routes, selecting either discard or reject as the next-hop action:

     

    labroot@re0> show configuration routing-options
    static {
        route 192.0.2.101/32 discard;
        route 192.0.2.103/32 reject;
        route 192.0.2.105/32 discard;
    }

    labroot@re0# show interfaces dsc
    unit 0 {
        family inet {
            address 192.0.2.102/32 {
                destination 192.0.2.101;
            }
            address 193.0.2.104/32 {
                destination 192.0.2.103;
            }
            address 192.0.2.106/32 {
                destination 192.0.2.105;
            }
        }
    }

    labroot@re0# run show interfaces terse dsc
    Interface               Admin Link Proto    Local                 Remote
    dsc                     up    up
    dsc.0                   up    up   inet     192.0.2.102         --> 192.0.2.101
                                                192.0.2.106         --> 192.0.2.105
                                                193.0.2.104         --> 192.0.2.103

    protocols {
        bgp {
            import blackhole-by-route;
        }
    }
    policy-options {
        policy-statement blackhole-by-route {
            term specific-routes {
                from {
                    route-filter 10.10.10.1/32 exact;
                    route-filter 10.20.20.2/32 exact;
                    route-filter 10.30.30.3/32 exact;
                    route-filter 10.40.40.4/32 exact;
                }
                then {
                    next-hop 192.0.2.101;
                }
            }
        }
    }
     
    Refer to the following doc:


  • 5.  RE: BGP and the BOGON/MARTIAN listings
    Best Answer

    Posted 03-07-2018 04:24

    Hello,


    @adgwytc wrote:


    This is not bogon prefix filtering, this is destination RTBH/filtering of packets that have a dst IP falling within one of the bogon prefixes.

    If You are after this sort of filtering, then there are config examples for JUNOS as well:

    http://www.team-cymru.org/bgp-examples.html#juniper-trad

    http://www.team-cymru.org/bgp-examples.html#juniper-full

     

    If You are after rejecting bogon prefixes, then You have to use some sort of automation to pick the prefixes from the Team Cymru BGP feed and construct/update a prefix-list out of them. You can then apply this prefix-list on import from Your upstreams.

    HTH

    Thx
    Alex
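The automation Alex describes, as an added example that is not code from this thread, from Juniper or from Team Cymru: it takes a bogon list snapshot (a constructed sample here; the real feed's transport and format are assumptions), drops malformed and already-covered entries, and renders Junos set commands that fully replace a prefix-list and reject anything matching it in the ebgp-martian import policy from post 1. It refuses to emit config from an empty feed, since that would silently remove the protection.

```python
import ipaddress

# Constructed sample of a bogon feed snapshot (NOT live Team Cymru data; the real
# feed arrives over BGP or as a text list, assumed here to be one prefix per line).
SAMPLE_FEED = """\
# comment lines and blanks are ignored
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.0.2.0/24
192.0.2.0/25          # covered by the /24 above, collapsed away
192.168.1.5/24        # host bits set: malformed, skipped
not-a-prefix          # garbage: skipped
224.0.0.0/3
::/8
2001:db8::/32
"""

def parse_feed(text):
    """Parse feed lines into strict IPv4/IPv6 networks, ignoring comments and junk."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            continue  # never let a malformed feed line reach the router config
    return nets

def collapse(nets, version):
    """Keep one address family and merge prefixes covered by (or adjacent to) others."""
    same_family = [n for n in nets if n.version == version]
    return sorted(ipaddress.collapse_addresses(same_family))

def junos_set_commands(nets, name, policy="ebgp-martian"):
    """Render set commands that fully replace prefix-list NAME and reject matches in POLICY."""
    if not nets:
        raise ValueError("empty prefix set: refusing to generate config that drops all filtering")
    family = "inet6" if nets[0].version == 6 else "inet"
    cmds = [f"delete policy-options prefix-list {name}"]  # stale feed entries must disappear
    cmds += [f"set policy-options prefix-list {name} {n}" for n in nets]
    term = f"set policy-options policy-statement {policy} term {name}"
    cmds.append(f"{term} from family {family}")
    cmds.append(f"{term} from prefix-list-filter {name} orlonger")
    cmds.append(f"{term} then reject")
    return cmds
```

Run `junos_set_commands(collapse(parse_feed(feed_text), 4), "bogons-v4")` and the IPv6 equivalent on each feed refresh, and push the output as one commit so the delete and the re-add land together.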



  • 6.  RE: BGP and the BOGON/MARTIAN listings

     
    Posted 03-07-2018 05:20

    Hi,

     

    Thanks for the solution from both......

     

    Cymru are the ones that actually informed about the null0... but anyway, that's a different story 🙂

     

    Thank you to both