Filtering Small Prefixes

Filter Small Prefixes

Purpose

A basic filter set on any BGP configuration should include a filter of small prefixes.

This avoids more-specific hijacks of /32s or other small prefixes (targeted attacks). Most of the leaked small prefixes that you will see on an Internet Exchange or transit feed are either leaks caused by incorrect filtering, or traffic engineering.

Usually you’ll not miss anything as you’ll see the larger prefixes via the same IXP or transit feed (the covering supernet prefix).

There are some small /29 or /28 PI prefixes, but not a lot. Such small PI prefixes get lost due to filters like these. The shortage of IPv4 address space is not a sufficient reason to weaken sanity filters like these, so be aware that you may get questions from the holders of such prefixes, and this filter is the explanation if that happens.

Routes smaller than a /24 (IPv4) or /48 (IPv6) should not be expected to have working global routing.
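A quick way to see what this rule does to a real feed is to run a received-routes dump through it. The following Python script is an added example for this guide (not code from the guide itself): it flags every route longer than /24 (IPv4) or /48 (IPv6) and prints the covering supernet you would expect to see instead. The route lines are constructed, and the line format ("prefix next-hop AS-path") is an assumption; adjust the parser to your router's actual dump format.

```python
"""Audit a received-routes dump against the small-prefix rule:
anything longer than /24 (IPv4) or /48 (IPv6) is rejected.

Added example for this guide, not code from the guide itself. SAMPLE_ROUTES
is constructed; the "prefix next-hop AS-path" format is an assumption.
"""
import ipaddress

# Longest prefix length still accepted, per IP version
MAX_LEN = {4: 24, 6: 48}


def is_too_small(prefix: str) -> bool:
    """True when the prefix is more specific than /24 (IPv4) or /48 (IPv6)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.prefixlen > MAX_LEN[net.version]


def covering_supernet(prefix: str) -> str:
    """The covering prefix of acceptable length, i.e. the route you would
    expect to see via the same IXP or transit feed instead of the small one.
    Prefixes that are not too small are returned unchanged."""
    net = ipaddress.ip_network(prefix, strict=False)
    limit = MAX_LEN[net.version]
    if net.prefixlen <= limit:
        return str(net)
    return str(net.supernet(new_prefix=limit))


def audit(lines):
    """Return (prefix, AS path) for every route the filter would reject."""
    rejected = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        prefix, _next_hop, *path = line.split()
        if is_too_small(prefix):
            rejected.append((prefix, " ".join(path)))
    return rejected


# Constructed sample dump: prefix, next hop, AS path (documentation ranges only)
SAMPLE_ROUTES = """
# prefix next-hop AS-path
192.0.2.0/24 203.0.113.1 64496 64500
192.0.2.128/25 203.0.113.1 64496 64500
198.51.100.0/22 203.0.113.2 64497
198.51.100.200/32 203.0.113.2 64497 64501
2001:db8::/32 2001:db8:ffff::1 64498
2001:db8:1:2::/64 2001:db8:ffff::1 64498 64502
""".strip().splitlines()


if __name__ == "__main__":
    for prefix, path in audit(SAMPLE_ROUTES):
        print(f"reject {prefix:<20} AS path {path:<14} "
              f"covered by {covering_supernet(prefix)}")
```

Run it against the output of your own router's received-routes command (after adapting the parser) to get a list of what the filter will silently drop; the covering supernet column is what you should still see from the same peer once the filter is in place.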

Configuration Examples

BIRD

# BIRD 1.x style: net.len is the length of the prefix being evaluated.
# In the IPv4 daemon anything longer than /24 is rejected. For the IPv6
# daemon (or BIRD 2, where both families share one configuration) the
# bound must be 48 for IPv6 prefixes, e.g. by testing net.type = NET_IP6.
function reject_small_prefixes()
{
  if (net.len > 24) then {
    print "Reject: Too small prefix: ", net, " ", bgp_path;
    reject;
  }
}

Junos

policy-options {
  policy-statement reject_small_prefixes {
    term reject_small_prefixes_v4 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /25-/32;
        }
        then {
            reject;
        }
    }
    term reject_small_prefixes_v6 {
        from {
            route-filter ::0/0 prefix-length-range /49-/128;
        }
        then {
            reject;
        }
    }
  }
}

Cisco classic IOS and IOS XE

ip prefix-list peerfilter seq 5 deny 0.0.0.0/0
ip prefix-list peerfilter seq 10 permit 0.0.0.0/0 ge 8 le 24
!
! Use a template peer-policy, configured once under router bgp and
! inherited by each neighbor, like this:
router bgp <my ASN>
 template peer-policy ixe-v4
  prefix-list peerfilter in
  maximum-prefix <number>
 exit-peer-policy
 !
 address-family ipv4
  neighbor 192.0.2.1 inherit peer-policy ixe-v4
  neighbor 192.0.2.1 activate
 exit-address-family
!

OpenBGPD

deny from any inet prefixlen > 24
deny from any inet6 prefixlen > 48

FRR (vtysh)

! Entries to add to your inbound prefix-lists. A prefix-list ends with an
! implicit deny, so a list containing only these deny entries must also
! carry permit entries for the prefixes you do accept.
ip prefix-list BOGONS_v4 deny 0.0.0.0/0 ge 25 le 32
ipv6 prefix-list BOGONS_v6 deny ::/0 ge 49 le 128
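The Cisco and FRR lists above share the same prefix-list semantics: entries are evaluated in order, the first match decides, and an unmatched prefix hits the implicit deny at the end. The Python script below is an added example for this guide (not vendor code) that simulates those semantics, so you can check what a list lets through before committing it. It evaluates the page's own peerfilter and BOGONS_v4 entries; the test prefixes and the extra permit entry that turns BOGONS_v4 into a usable stand-alone list are constructed for the example.

```python
"""Simulate Cisco/FRR prefix-list matching: ordered entries, first match
wins, implicit deny at the end. Added example for this guide, not vendor
code. The entry lines are the page's own lists; the test prefixes and the
trailing permit entry are constructed.
"""
import ipaddress
from typing import List, Tuple

# (action, base prefix, ge, le) as parsed from one prefix-list line
Entry = Tuple[str, str, int, int]


def parse_entry(line: str) -> Entry:
    """Parse 'ip|ipv6 prefix-list NAME [seq N] permit|deny PREFIX [ge X] [le Y]'."""
    tok = line.split()
    i = 3                       # skip 'ip'/'ipv6', 'prefix-list', NAME
    if tok[i] == "seq":
        i += 2                  # skip 'seq N'
    action, prefix = tok[i], tok[i + 1]
    base = ipaddress.ip_network(prefix, strict=False)
    # Without ge/le the entry matches the base prefix length only
    ge = le = base.prefixlen
    rest = tok[i + 2:]
    if "ge" in rest:
        ge = int(rest[rest.index("ge") + 1])
        le = base.max_prefixlen  # 'ge' alone extends to the host length
    if "le" in rest:
        le = int(rest[rest.index("le") + 1])
    return (action, prefix, ge, le)


def matches(entry: Entry, net) -> bool:
    """A route matches when it lies inside the base prefix and its length
    falls within the ge..le window."""
    _action, base_s, ge, le = entry
    base = ipaddress.ip_network(base_s, strict=False)
    if net.version != base.version:
        return False
    return net.subnet_of(base) and ge <= net.prefixlen <= le


def evaluate(entries: List[Entry], prefix: str) -> str:
    """Return 'permit' or 'deny' for a prefix; no match means implicit deny."""
    net = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if matches(entry, net):
            return entry[0]
    return "deny"


def summarize(entries: List[Entry], prefixes: List[str]) -> dict:
    """Map each test prefix to the list's verdict."""
    return {p: evaluate(entries, p) for p in prefixes}


# The Cisco list from this page
PEERFILTER = [parse_entry(l) for l in [
    "ip prefix-list peerfilter seq 5 deny 0.0.0.0/0",
    "ip prefix-list peerfilter seq 10 permit 0.0.0.0/0 ge 8 le 24",
]]

# The FRR entry exactly as written: deny only, so the implicit deny
# also rejects every prefix you actually want
BOGONS_V4_AS_WRITTEN = [parse_entry("ip prefix-list BOGONS_v4 deny 0.0.0.0/0 ge 25 le 32")]

# Constructed fix: a trailing permit for the lengths you do accept
BOGONS_V4_WITH_PERMIT = BOGONS_V4_AS_WRITTEN + [
    parse_entry("ip prefix-list BOGONS_v4 permit 0.0.0.0/0 ge 8 le 24"),
]

# Constructed test prefixes (documentation ranges)
TEST_PREFIXES = ["0.0.0.0/0", "10.0.0.0/7", "192.0.2.0/24", "192.0.2.128/25", "198.51.100.200/32"]

if __name__ == "__main__":
    for name, entries in [("peerfilter", PEERFILTER),
                          ("BOGONS_v4 as written", BOGONS_V4_AS_WRITTEN),
                          ("BOGONS_v4 with permit", BOGONS_V4_WITH_PERMIT)]:
        print(name)
        for prefix, verdict in summarize(entries, TEST_PREFIXES).items():
            print(f"  {prefix:<20} {verdict}")
```

The "as written" run shows the trap: a deny-only prefix-list applied directly to a neighbor denies everything, because nothing reaches a permit. Keep the small-prefix deny entries at the top of a list that ends in the permits you intend, or reference them from a route-map that has its own permit terms.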

Mikrotik

This is not recommended. Mikrotik will take a very long time to process all those routes and has some issues with BGP.

/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv4 prefix-length=0-7 protocol=bgp action=discard comment=""
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv4 prefix-length=25-32 protocol=bgp action=discard comment=""
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix-length=0-15 protocol=bgp action=discard comment=""
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix-length=49-128 protocol=bgp action=discard comment=""

Nokia SR OS

#
# Classic CLI
#
#--------------------------------------------------
echo "Policy Configuration"
#--------------------------------------------------
        policy-options
            begin
            prefix-list "TOO_SMALL_PREFIXES"
                prefix 0.0.0.0/0 prefix-length-range 25-32
                prefix ::/0 prefix-length-range 49-128
            exit
            policy-statement "BGP_FILTER_IN"
                entry 30
                    from
                        prefix-list "TOO_SMALL_PREFIXES"
                    exit
                    action drop
                    exit
                exit
            exit
            commit

#
# Paste-friendly Classic CLI blob
#
/configure router policy-options begin
/configure router policy-options prefix-list "TOO_SMALL_PREFIXES" prefix 0.0.0.0/0 prefix-length-range 25-32
/configure router policy-options prefix-list "TOO_SMALL_PREFIXES" prefix ::/0 prefix-length-range 49-128
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 30 from prefix-list "TOO_SMALL_PREFIXES"
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 30 action drop
/configure router policy-options commit

#
# MD-CLI
#
[gl:configure policy-options]
    prefix-list "TOO_SMALL_PREFIXES" {
        prefix 0.0.0.0/0 type range {
            start-length 25
            end-length 32
        }
        prefix ::/0 type range {
            start-length 49
            end-length 128
        }
    }
    policy-statement "BGP_FILTER_IN" {
        entry 30 {
            from {
                prefix-list ["TOO_SMALL_PREFIXES"]
            }
            action {
                action-type reject
            }
        }
    }

#
# Paste-friendly MD-CLI blob
#
/configure policy-options prefix-list "TOO_SMALL_PREFIXES" { }
/configure policy-options prefix-list "TOO_SMALL_PREFIXES" prefix 0.0.0.0/0 type range start-length 25
/configure policy-options prefix-list "TOO_SMALL_PREFIXES" prefix 0.0.0.0/0 type range end-length 32
/configure policy-options prefix-list "TOO_SMALL_PREFIXES" prefix ::/0 type range start-length 49
/configure policy-options prefix-list "TOO_SMALL_PREFIXES" prefix ::/0 type range end-length 128
/configure policy-options policy-statement "BGP_FILTER_IN" { }
/configure policy-options policy-statement "BGP_FILTER_IN" { entry 30 }
/configure policy-options policy-statement "BGP_FILTER_IN" entry 30 from prefix-list ["TOO_SMALL_PREFIXES"]
/configure policy-options policy-statement "BGP_FILTER_IN" entry 30 action action-type reject