Filter Bogon prefixes
Purpose
Bogon prefixes are IP prefixes that are not globally unique unicast address space. The IETF did not intend these ranges to be routed on the public Internet, so Internet routers should neither propagate nor accept prefixes within them.
IPv4 Listing
Prefix | Description |
---|---|
0.0.0.0/8 | RFC 1122 ‘this’ network |
10.0.0.0/8 | RFC 1918 private space |
100.64.0.0/10 | RFC 6598 Carrier-grade NAT space |
127.0.0.0/8 | RFC 1122 localhost |
169.254.0.0/16 | RFC 3927 link local |
172.16.0.0/12 | RFC 1918 private space |
192.0.2.0/24 | RFC 5737 TEST-NET-1 |
192.88.99.0/24 | RFC 7526 6to4 anycast relay |
192.168.0.0/16 | RFC 1918 private space |
198.18.0.0/15 | RFC 2544 benchmarking |
198.51.100.0/24 | RFC 5737 TEST-NET-2 |
203.0.113.0/24 | RFC 5737 TEST-NET-3 |
224.0.0.0/4 | multicast |
240.0.0.0/4 | reserved |
IPv6 Listing
Prefix | Description |
---|---|
0100::/64 | RFC 6666 Discard-Only |
2001:2::/48 | RFC 5180 BMWG |
2001:10::/28 | RFC 4843 ORCHID |
2001:db8::/32 | RFC 3849 documentation |
2002::/16 | RFC 7526 6to4 anycast relay |
3ffe::/16 | RFC 3701 old 6bone |
3fff::/20 | RFC 9637 documentation |
fc00::/7 | RFC 4193 unique local unicast |
fe80::/10 | RFC 4291 link local unicast |
fec0::/10 | RFC 3879 old site local unicast |
ff00::/8 | RFC 4291 multicast |
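The matching rule that the configurations on this page implement (reject a route when it equals, or is more specific than, a listed prefix) can be tested offline before a filter is deployed. The following Python check is an added example, not part of the original guide; the sample announcements are constructed and use documentation AS numbers, and the `classify` and `audit` names are hypothetical.

```python
import ipaddress

# Prefixes and descriptions copied from the IPv4 and IPv6 listings above.
# (The IPv6 configuration examples on this page additionally filter ::/8
# and 5f00::/16, which are not in the listing and so are not included here.)
BOGONS = {
    "0.0.0.0/8": "RFC 1122 'this' network",
    "10.0.0.0/8": "RFC 1918 private space",
    "100.64.0.0/10": "RFC 6598 carrier-grade NAT space",
    "127.0.0.0/8": "RFC 1122 localhost",
    "169.254.0.0/16": "RFC 3927 link local",
    "172.16.0.0/12": "RFC 1918 private space",
    "192.0.2.0/24": "RFC 5737 TEST-NET-1",
    "192.88.99.0/24": "RFC 7526 6to4 anycast relay",
    "192.168.0.0/16": "RFC 1918 private space",
    "198.18.0.0/15": "RFC 2544 benchmarking",
    "198.51.100.0/24": "RFC 5737 TEST-NET-2",
    "203.0.113.0/24": "RFC 5737 TEST-NET-3",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved",
    "0100::/64": "RFC 6666 Discard-Only",
    "2001:2::/48": "RFC 5180 BMWG",
    "2001:10::/28": "RFC 4843 ORCHID",
    "2001:db8::/32": "RFC 3849 documentation",
    "2002::/16": "RFC 7526 6to4 anycast relay",
    "3ffe::/16": "RFC 3701 old 6bone",
    "3fff::/20": "RFC 9637 documentation",
    "fc00::/7": "RFC 4193 unique local unicast",
    "fe80::/10": "RFC 4291 link local unicast",
    "fec0::/10": "RFC 3879 old site local unicast",
    "ff00::/8": "RFC 4291 multicast",
}
BOGON_NETS = [(ipaddress.ip_network(p), why) for p, why in BOGONS.items()]


def classify(prefix):
    """Return (verdict, bogon, reason) for one announced prefix.

    reject  - equal to or more specific than a bogon ("prefix or longer")
    covers  - a less-specific that contains bogon space; an "or longer"
              filter does not match it, other filters have to handle it
    accept  - unrelated to any listed bogon
    invalid - not a well-formed network (for example, host bits set)
    """
    try:
        net = ipaddress.ip_network(prefix)  # strict parsing by default
    except ValueError as exc:
        return ("invalid", None, str(exc))
    covered = None
    for bogon, why in BOGON_NETS:
        if bogon.version != net.version:
            continue  # subnet_of() raises TypeError across address families
        if net.subnet_of(bogon):
            return ("reject", str(bogon), why)
        if covered is None and bogon.subnet_of(net):
            covered = ("covers", str(bogon), why)
    return covered or ("accept", None, None)


def audit(routes):
    """Sort (prefix, as_path) pairs into the four verdicts."""
    report = {"reject": [], "covers": [], "accept": [], "invalid": []}
    for prefix, as_path in routes:
        verdict, bogon, _why = classify(prefix)
        report[verdict].append((prefix, as_path, bogon))
    return report


# Constructed announcements; AS paths use documentation ASNs (RFC 5398).
SAMPLE_ROUTES = [
    ("10.20.0.0/16", "64496 64500"),    # inside RFC 1918 space
    ("100.64.0.0/10", "64496"),         # exact match on the CGN block
    ("100.128.0.0/16", "64496 64501"),  # first address past 100.64.0.0/10
    ("172.31.255.0/24", "64497"),       # last /24 inside 172.16.0.0/12
    ("172.32.0.0/16", "64497"),         # first /16 past 172.16.0.0/12
    ("192.0.0.0/16", "64498"),          # less-specific containing TEST-NET-1
    ("0.0.0.0/0", "64498"),             # default route contains everything
    ("193.0.0.0/21", "64499 64502"),    # ordinary unicast space
    ("fd12:3456:789a::/48", "64496"),   # unique local, inside fc00::/7
    ("3fff:100::/32", "64497"),         # inside 3fff::/20
    ("3fff:1000::/32", "64497"),        # just outside 3fff::/20
    ("2001:67c:2e8::/48", "64499"),     # ordinary unicast space
]

if __name__ == "__main__":
    for verdict, rows in audit(SAMPLE_ROUTES).items():
        for prefix, as_path, bogon in rows:
            print(f"{verdict:7} {prefix:22} path={as_path:12} bogon={bogon}")
```

The `covers` verdict shows what a bogon filter alone does not catch: the default route and other less-specifics are handled by separate checks such as `reject_default_route()` in the BIRD filters.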
Configuration Examples IPv4
BIRD
define BOGON_PREFIXES = [
0.0.0.0/8+, # RFC 1122 'this' network
10.0.0.0/8+, # RFC 1918 private space
100.64.0.0/10+, # RFC 6598 Carrier grade nat space
127.0.0.0/8+, # RFC 1122 localhost
169.254.0.0/16+, # RFC 3927 link local
172.16.0.0/12+, # RFC 1918 private space
192.0.2.0/24+, # RFC 5737 TEST-NET-1
192.88.99.0/24+, # RFC 7526 6to4 anycast relay
192.168.0.0/16+, # RFC 1918 private space
198.18.0.0/15+, # RFC 2544 benchmarking
198.51.100.0/24+, # RFC 5737 TEST-NET-2
203.0.113.0/24+, # RFC 5737 TEST-NET-3
224.0.0.0/4+, # multicast
240.0.0.0/4+ ]; # reserved
function reject_bogon_prefixes()
prefix set bogon_prefixes;
{
bogon_prefixes = BOGON_PREFIXES;
if (net ~ bogon_prefixes) then {
print "Reject: Bogon prefix: ", net, " ", bgp_path;
reject;
}
}
...
filter transit_in {
reject_invalids();
reject_bogon_asns();
reject_bogon_prefixes();
reject_long_aspaths();
reject_small_prefixes();
reject_default_route();
...
honor_graceful_shutdown();
accept;
}
filter ixp_in {
reject_invalids();
reject_bogon_asns();
reject_bogon_prefixes();
reject_long_aspaths();
reject_transit_paths();
reject_small_prefixes();
reject_default_route();
...
honor_graceful_shutdown();
accept;
}
FortiOS
config router prefix-list
edit "IPv4_BOGONS"
config rule
edit 1
set prefix 0.0.0.0 255.0.0.0
set ge 9
unset le
next
edit 3
set prefix 100.64.0.0 255.192.0.0
set ge 11
unset le
next
edit 2
set prefix 10.0.0.0 255.0.0.0
set ge 9
unset le
next
edit 4
set prefix 127.0.0.0 255.0.0.0
set ge 9
unset le
next
edit 5
set prefix 169.254.0.0 255.255.0.0
set ge 17
unset le
next
edit 6
set prefix 172.16.0.0 255.240.0.0
set ge 13
unset le
next
edit 7
set prefix 192.0.2.0 255.255.255.0
unset ge
unset le
next
edit 8
set prefix 192.88.99.0 255.255.255.0
unset ge
unset le
next
edit 9
set prefix 192.168.0.0 255.255.0.0
set ge 17
unset le
next
edit 10
set prefix 198.18.0.0 255.254.0.0
set ge 16
unset le
next
edit 11
set prefix 198.51.100.0 255.255.255.0
unset ge
unset le
next
edit 12
set prefix 203.0.113.0 255.255.255.0
unset ge
unset le
next
edit 13
set prefix 224.0.0.0 240.0.0.0
set ge 5
unset le
next
edit 14
set prefix 240.0.0.0 240.0.0.0
set ge 5
unset le
next
end
next
end
config router route-map
edit "BGP_FILTER_IN"
config rule
edit 1
set action deny
set match-ip-address "IPv4_BOGONS"
next
end
next
end
OpenBGPD
Copied from the OpenBSD examples
deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122]
deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918]
deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598]
deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122]
deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927]
deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918]
deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737]
deny from any prefix 192.88.99.0/24 prefixlen >= 24 # 6to4 anycast relay [RFC7526]
deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918]
deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544]
deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737]
deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737]
deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast
deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved for future use
FRR (vtysh)
ip prefix-list BOGONS_v4 deny 0.0.0.0/8 le 32
ip prefix-list BOGONS_v4 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS_v4 deny 100.64.0.0/10 le 32
ip prefix-list BOGONS_v4 deny 127.0.0.0/8 le 32
ip prefix-list BOGONS_v4 deny 169.254.0.0/16 le 32
ip prefix-list BOGONS_v4 deny 172.16.0.0/12 le 32
ip prefix-list BOGONS_v4 deny 192.0.2.0/24 le 32
ip prefix-list BOGONS_v4 deny 192.88.99.0/24 le 32
ip prefix-list BOGONS_v4 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS_v4 deny 198.18.0.0/15 le 32
ip prefix-list BOGONS_v4 deny 198.51.100.0/24 le 32
ip prefix-list BOGONS_v4 deny 203.0.113.0/24 le 32
ip prefix-list BOGONS_v4 deny 224.0.0.0/4 le 32
ip prefix-list BOGONS_v4 deny 240.0.0.0/4 le 32
ip prefix-list BOGONS_v4 permit 0.0.0.0/0 le 32
VyOS
set policy prefix-list BOGONS-V4 rule 10 action 'permit'
set policy prefix-list BOGONS-V4 rule 10 le '32'
set policy prefix-list BOGONS-V4 rule 10 prefix '0.0.0.0/8'
set policy prefix-list BOGONS-V4 rule 20 action 'permit'
set policy prefix-list BOGONS-V4 rule 20 le '32'
set policy prefix-list BOGONS-V4 rule 20 prefix '10.0.0.0/8'
set policy prefix-list BOGONS-V4 rule 30 action 'permit'
set policy prefix-list BOGONS-V4 rule 30 le '32'
set policy prefix-list BOGONS-V4 rule 30 prefix '100.64.0.0/10'
set policy prefix-list BOGONS-V4 rule 40 action 'permit'
set policy prefix-list BOGONS-V4 rule 40 le '32'
set policy prefix-list BOGONS-V4 rule 40 prefix '127.0.0.0/8'
set policy prefix-list BOGONS-V4 rule 50 action 'permit'
set policy prefix-list BOGONS-V4 rule 50 le '32'
set policy prefix-list BOGONS-V4 rule 50 prefix '169.254.0.0/16'
set policy prefix-list BOGONS-V4 rule 60 action 'permit'
set policy prefix-list BOGONS-V4 rule 60 le '32'
set policy prefix-list BOGONS-V4 rule 60 prefix '172.16.0.0/12'
set policy prefix-list BOGONS-V4 rule 70 action 'permit'
set policy prefix-list BOGONS-V4 rule 70 le '32'
set policy prefix-list BOGONS-V4 rule 70 prefix '192.0.2.0/24'
set policy prefix-list BOGONS-V4 rule 80 action 'permit'
set policy prefix-list BOGONS-V4 rule 80 le '32'
set policy prefix-list BOGONS-V4 rule 80 prefix '192.88.99.0/24'
set policy prefix-list BOGONS-V4 rule 90 action 'permit'
set policy prefix-list BOGONS-V4 rule 90 le '32'
set policy prefix-list BOGONS-V4 rule 90 prefix '192.168.0.0/16'
set policy prefix-list BOGONS-V4 rule 100 action 'permit'
set policy prefix-list BOGONS-V4 rule 100 le '32'
set policy prefix-list BOGONS-V4 rule 100 prefix '198.18.0.0/15'
set policy prefix-list BOGONS-V4 rule 110 action 'permit'
set policy prefix-list BOGONS-V4 rule 110 le '32'
set policy prefix-list BOGONS-V4 rule 110 prefix '198.51.100.0/24'
set policy prefix-list BOGONS-V4 rule 120 action 'permit'
set policy prefix-list BOGONS-V4 rule 120 le '32'
set policy prefix-list BOGONS-V4 rule 120 prefix '203.0.113.0/24'
set policy prefix-list BOGONS-V4 rule 130 action 'permit'
set policy prefix-list BOGONS-V4 rule 130 le '32'
set policy prefix-list BOGONS-V4 rule 130 prefix '224.0.0.0/4'
set policy prefix-list BOGONS-V4 rule 140 action 'permit'
set policy prefix-list BOGONS-V4 rule 140 le '32'
set policy prefix-list BOGONS-V4 rule 140 prefix '240.0.0.0/4'
set policy route-map MY-ROUTE-MAP rule 10 action 'deny'
set policy route-map MY-ROUTE-MAP rule 10 match ip address prefix-list 'BOGONS-V4'
Mikrotik
RouterOS v6
This is not recommended. Mikrotik takes a very long time to process all those routes and has some issues with BGP.
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=0.0.0.0/8 prefix-length=8-32 protocol=bgp action=discard comment="RFC 1122 'this' network"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp action=discard comment="RFC 1918 private space"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=100.64.0.0/10 prefix-length=10-32 protocol=bgp action=discard comment="RFC 6598 Carrier grade nat space"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=127.0.0.0/8 prefix-length=8-32 protocol=bgp action=discard comment="RFC 1122 localhost"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp action=discard comment="RFC 3927 link local"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=172.16.0.0/12 prefix-length=12-32 protocol=bgp action=discard comment="RFC 1918 private space"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=192.0.2.0/24 prefix-length=24-32 protocol=bgp action=discard comment="RFC 5737 TEST-NET-1"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=192.88.99.0/24 prefix-length=24-32 protocol=bgp action=discard comment="RFC 7526 6to4 anycast relay"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp action=discard comment="RFC 1918 private space"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=198.18.0.0/15 prefix-length=15-32 protocol=bgp action=discard comment="RFC 2544 benchmarking"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=198.51.100.0/24 prefix-length=24-32 protocol=bgp action=discard comment="RFC 5737 TEST-NET-2"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=203.0.113.0/24 prefix-length=24-32 protocol=bgp action=discard comment="RFC 5737 TEST-NET-3"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=224.0.0.0/4 prefix-length=4-32 protocol=bgp action=discard comment="multicast"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=240.0.0.0/4 prefix-length=4-32 protocol=bgp action=discard comment="reserved"
RouterOS v7
/routing/filter/rule
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==0.0.0.0/8 && dst-len >= 8 ){ reject; }" comment="RFC 1122 'this' network"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==10.0.0.0/8 && dst-len >= 8){ reject; }" comment="RFC 1918 private space"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==100.64.0.0/10 && dst-len >= 10){ reject; }" comment="RFC 6598 Carrier grade nat space"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==127.0.0.0/8 && dst-len >= 8){ reject; }" comment="RFC 1122 localhost"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==169.254.0.0/16 && dst-len >= 16){ reject; }" comment="RFC 3927 link local"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==172.16.0.0/12 && dst-len >= 12){ reject; }" comment="RFC 1918 private space"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==192.0.2.0/24 && dst-len >= 24){ reject; }" comment="RFC 5737 TEST-NET-1"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==192.88.99.0/24 && dst-len >= 24){ reject; }" comment="RFC 7526 6to4 anycast relay"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==192.168.0.0/16 && dst-len >= 16){ reject; }" comment="RFC 1918 private space"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==198.18.0.0/15 && dst-len >= 15){ reject; }" comment="RFC 2544 benchmarking"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==198.51.100.0/24 && dst-len >= 24){ reject; }" comment="RFC 5737 TEST-NET-2"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==203.0.113.0/24 && dst-len >= 24){ reject; }" comment="RFC 5737 TEST-NET-3"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==224.0.0.0/4 && dst-len >= 4){ reject; }" comment="multicast"
add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==240.0.0.0/4 && dst-len >= 4){ reject; }" comment="reserved"
Junos
policy-statement reject-bogon-prefixes {
term reject-bogon-prefixes-v4 {
from {
route-filter 0.0.0.0/8 orlonger;
route-filter 10.0.0.0/8 orlonger;
route-filter 100.64.0.0/10 orlonger;
route-filter 127.0.0.0/8 orlonger;
route-filter 169.254.0.0/16 orlonger;
route-filter 172.16.0.0/12 orlonger;
route-filter 192.0.2.0/24 orlonger;
route-filter 192.88.99.0/24 orlonger;
route-filter 192.168.0.0/16 orlonger;
route-filter 198.18.0.0/15 orlonger;
route-filter 198.51.100.0/24 orlonger;
route-filter 203.0.113.0/24 orlonger;
route-filter 224.0.0.0/4 orlonger;
route-filter 240.0.0.0/4 orlonger;
}
then reject;
}
term reject-bogon-prefixes-v6 {
from {
route-filter ::/8 orlonger;
route-filter 100::/64 orlonger;
route-filter 2001:2::/48 orlonger;
route-filter 2001:10::/28 orlonger;
route-filter 2001:db8::/32 orlonger;
route-filter 3fff::/20 orlonger;
route-filter 2002::/16 orlonger;
route-filter 3ffe::/16 orlonger;
route-filter 5f00::/16 orlonger;
route-filter fc00::/7 orlonger;
route-filter fe80::/10 orlonger;
route-filter fec0::/10 orlonger;
route-filter ff00::/8 orlonger;
}
then reject;
}
}
IOS-XR
prefix-set BOGONS_V4
0.0.0.0/8 le 32,
10.0.0.0/8 le 32,
100.64.0.0/10 le 32,
127.0.0.0/8 le 32,
169.254.0.0/16 le 32,
172.16.0.0/12 le 32,
192.0.2.0/24 le 32,
192.88.99.0/24 le 32,
192.168.0.0/16 le 32,
198.18.0.0/15 le 32,
198.51.100.0/24 le 32,
203.0.113.0/24 le 32,
224.0.0.0/4 le 32,
240.0.0.0/4 le 32
end-set
!
route-policy BGP_FILTER_IN
if destination in BOGONS_V4 then
drop
endif
end-policy
Nokia SR OS
#
# Classic CLI
#
#--------------------------------------------------
echo "Policy Configuration"
#--------------------------------------------------
policy-options
begin
prefix-list "BOGONS_V4"
prefix 0.0.0.0/8 longer
prefix 10.0.0.0/8 longer
prefix 100.64.0.0/10 longer
prefix 127.0.0.0/8 longer
prefix 169.254.0.0/16 longer
prefix 172.16.0.0/12 longer
prefix 192.0.2.0/24 longer
prefix 192.88.99.0/24 longer
prefix 192.168.0.0/16 longer
prefix 198.18.0.0/15 longer
prefix 198.51.100.0/24 longer
prefix 203.0.113.0/24 longer
prefix 224.0.0.0/4 longer
prefix 240.0.0.0/4 longer
exit
policy-statement "BGP_FILTER_IN"
entry 10
from
prefix-list "BOGONS_V4"
exit
action drop
exit
exit
exit
commit
exit
----------------------------------------------
#
# Paste-friendly Classic CLI blob
#
/configure router policy-options begin
/configure router policy-options prefix-list "BOGONS_V4" prefix 0.0.0.0/8 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 10.0.0.0/8 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 100.64.0.0/10 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 127.0.0.0/8 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 169.254.0.0/16 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 172.16.0.0/12 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 192.0.2.0/24 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 192.88.99.0/24 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 192.168.0.0/16 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 198.18.0.0/15 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 198.51.100.0/24 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 203.0.113.0/24 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 224.0.0.0/4 longer
/configure router policy-options prefix-list "BOGONS_V4" prefix 240.0.0.0/4 longer
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 10 from prefix-list "BOGONS_V4"
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 10 action drop
/configure router policy-options commit
#
# Model-Driven CLI (MD-CLI)
#
[gl:configure policy-options]
prefix-list "BOGONS_V4" {
prefix 0.0.0.0/8 type longer {
}
prefix 10.0.0.0/8 type longer {
}
prefix 100.64.0.0/10 type longer {
}
prefix 127.0.0.0/8 type longer {
}
prefix 169.254.0.0/16 type longer {
}
prefix 172.16.0.0/12 type longer {
}
prefix 192.0.2.0/24 type longer {
}
prefix 192.88.99.0/24 type longer {
}
prefix 192.168.0.0/16 type longer {
}
prefix 198.18.0.0/15 type longer {
}
prefix 198.51.100.0/24 type longer {
}
prefix 203.0.113.0/24 type longer {
}
prefix 224.0.0.0/4 type longer {
}
prefix 240.0.0.0/4 type longer {
}
}
policy-statement "BGP_FILTER_IN" {
entry 10 {
from {
prefix-list ["BOGONS_V4"]
}
action {
action-type reject
}
}
}
#
# Paste-friendly MD-CLI blob
#
/configure policy-options prefix-list "BOGONS_V4" { }
/configure policy-options prefix-list "BOGONS_V4" { prefix 0.0.0.0/8 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 10.0.0.0/8 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 100.64.0.0/10 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 127.0.0.0/8 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 169.254.0.0/16 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 172.16.0.0/12 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 192.0.2.0/24 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 192.88.99.0/24 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 192.168.0.0/16 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 198.18.0.0/15 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 198.51.100.0/24 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 203.0.113.0/24 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 224.0.0.0/4 type longer }
/configure policy-options prefix-list "BOGONS_V4" { prefix 240.0.0.0/4 type longer }
/configure policy-options policy-statement "BGP_FILTER_IN" { }
/configure policy-options policy-statement "BGP_FILTER_IN" { entry 10 }
/configure policy-options policy-statement "BGP_FILTER_IN" entry 10 from prefix-list ["BOGONS_V4"]
/configure policy-options policy-statement "BGP_FILTER_IN" entry 10 action action-type reject
Arista EOS
ip prefix-list BOGONS_V4
seq 1 permit 0.0.0.0/8 le 32
seq 2 permit 10.0.0.0/8 le 32
seq 3 permit 100.64.0.0/10 le 32
seq 4 permit 127.0.0.0/8 le 32
seq 5 permit 169.254.0.0/16 le 32
seq 6 permit 172.16.0.0/12 le 32
seq 7 permit 192.0.2.0/24 le 32
seq 8 permit 192.88.99.0/24 le 32
seq 9 permit 192.168.0.0/16 le 32
seq 10 permit 198.18.0.0/15 le 32
seq 11 permit 198.51.100.0/24 le 32
seq 12 permit 203.0.113.0/24 le 32
seq 13 permit 224.0.0.0/4 le 32
seq 14 permit 240.0.0.0/4 le 32
!
route-map Import-Peer deny 20
match ip address prefix-list BOGONS_V4
!
Huawei VRP
ip ip-prefix prefix_Denied_Bogons_ipv4 index 20 permit 0.0.0.0 8 match-network greater-equal 8 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 30 permit 10.0.0.0 8 greater-equal 8 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 40 permit 100.64.0.0 10 greater-equal 10 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 50 permit 127.0.0.0 8 greater-equal 8 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 60 permit 169.254.0.0 16 greater-equal 16 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 70 permit 172.16.0.0 12 greater-equal 12 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 80 permit 192.0.2.0 24 greater-equal 24 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 90 permit 192.88.99.0 24 greater-equal 24 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 100 permit 192.168.0.0 16 greater-equal 16 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 110 permit 198.18.0.0 15 greater-equal 15 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 120 permit 198.51.100.0 24 greater-equal 24 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 130 permit 203.0.113.0 24 greater-equal 24 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 140 permit 224.0.0.0 4 greater-equal 4 less-equal 32
ip ip-prefix prefix_Denied_Bogons_ipv4 index 150 permit 240.0.0.0 4 greater-equal 4 less-equal 32
route-policy TRANSIT-V4-IN deny node 100
if-match ip-prefix prefix_Denied_Bogons_ipv4
Configuration Examples IPv6
BIRD
define BOGON_PREFIXES = [ ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
0100::/64+, # RFC 6666 Discard-Only
2001:2::/48+, # RFC 5180 BMWG
2001:10::/28+, # RFC 4843 ORCHID
2001:db8::/32+, # RFC 3849 documentation
3fff::/20+, # RFC 9637 documentation
2002::/16+, # RFC 7526 6to4 anycast relay
3ffe::/16+, # RFC 3701 old 6bone
5f00::/16+, # draft-ietf-6man-sids-06 SRv6
fc00::/7+, # RFC 4193 unique local unicast
fe80::/10+, # RFC 4291 link local unicast
fec0::/10+, # RFC 3879 old site local unicast
ff00::/8+ # RFC 4291 multicast
];
function reject_bogon_prefixes()
prefix set bogon_prefixes;
{
bogon_prefixes = BOGON_PREFIXES;
if (net ~ bogon_prefixes) then {
print "Reject: Bogon prefix: ", net, " ", bgp_path;
reject;
}
}
...
filter transit_in {
reject_bogon_asns();
reject_bogon_prefixes();
reject_long_aspaths();
reject_small_prefixes();
reject_default_route();
honor_graceful_shutdown();
accept;
}
filter ixp_in {
reject_bogon_asns();
reject_bogon_prefixes();
reject_long_aspaths();
reject_transit_paths();
reject_small_prefixes();
reject_default_route();
honor_graceful_shutdown();
accept;
}
FortiOS
config router prefix-list6
edit "BGP_IPv6_BOGONS"
config rule
edit 1
set prefix6 ::/8
set ge 9
unset le
next
edit 2
set prefix6 100::/64
set ge 65
unset le
next
edit 3
set prefix6 2001:2::/48
set ge 49
unset le
next
edit 4
set prefix6 2001:10::/28
set ge 29
unset le
next
edit 5
set prefix6 2001:db8::/32
set ge 33
unset le
next
edit 6
set prefix6 2002::/16
set ge 17
unset le
next
edit 7
set prefix6 3ffe::/16
set ge 17
unset le
next
edit 8
set prefix6 fc00::/7
set ge 8
unset le
next
edit 9
set prefix6 fe80::/10
set ge 11
unset le
next
edit 10
set prefix6 fec0::/10
set ge 11
unset le
next
edit 11
set prefix6 ff00::/8
set ge 9
unset le
next
edit 12
set prefix6 3fff::/20
set ge 21
unset le
next
edit 13
set prefix6 5f00::/16
set ge 17
unset le
next
end
next
end
config router route-map
edit "BGP_FILTER_IN"
config rule
edit 1
set action deny
set match-ip6-address "BGP_IPv6_BOGONS"
next
end
next
end
OpenBGPD
Copied from the OpenBSD examples
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 0100::/64 prefixlen >= 64 # Discard-Only [RFC6666]
deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
deny from any prefix 3fff::/20 prefixlen >= 20 # docu range 2 [RFC9637]
deny from any prefix 2002::/16 prefixlen >= 16 # 6to4 anycast relay [RFC7526]
deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
deny from any prefix 5f00::/16 prefixlen >= 16 # SRv6 [draft-ietf-6man-sids-06]
deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8 # multicast
FRR (vtysh)
ipv6 prefix-list BOGONS_v6 deny ::/8 le 128
ipv6 prefix-list BOGONS_v6 deny 100::/64 le 128
ipv6 prefix-list BOGONS_v6 deny 2001:2::/48 le 128
ipv6 prefix-list BOGONS_v6 deny 2001:10::/28 le 128
ipv6 prefix-list BOGONS_v6 deny 2001:db8::/32 le 128
ipv6 prefix-list BOGONS_v6 deny 3fff::/20 le 128
ipv6 prefix-list BOGONS_v6 deny 2002::/16 le 128
ipv6 prefix-list BOGONS_v6 deny 3ffe::/16 le 128
ipv6 prefix-list BOGONS_v6 deny 5f00::/16 le 128
ipv6 prefix-list BOGONS_v6 deny fc00::/7 le 128
ipv6 prefix-list BOGONS_v6 deny fe80::/10 le 128
ipv6 prefix-list BOGONS_v6 deny fec0::/10 le 128
ipv6 prefix-list BOGONS_v6 deny ff00::/8 le 128
ipv6 prefix-list BOGONS_v6 permit ::/0 le 128
VyOS
set policy prefix-list6 BOGONS-V6 rule 10 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 10 le '128'
set policy prefix-list6 BOGONS-V6 rule 10 prefix '::/8'
set policy prefix-list6 BOGONS-V6 rule 20 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 20 le '128'
set policy prefix-list6 BOGONS-V6 rule 20 prefix '100::/64'
set policy prefix-list6 BOGONS-V6 rule 30 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 30 le '128'
set policy prefix-list6 BOGONS-V6 rule 30 prefix '2001:2::/48'
set policy prefix-list6 BOGONS-V6 rule 40 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 40 le '128'
set policy prefix-list6 BOGONS-V6 rule 40 prefix '2001:10::/28'
set policy prefix-list6 BOGONS-V6 rule 50 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 50 le '128'
set policy prefix-list6 BOGONS-V6 rule 50 prefix '2001:db8::/32'
set policy prefix-list6 BOGONS-V6 rule 60 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 60 le '128'
set policy prefix-list6 BOGONS-V6 rule 60 prefix '2002::/16'
set policy prefix-list6 BOGONS-V6 rule 70 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 70 le '128'
set policy prefix-list6 BOGONS-V6 rule 70 prefix '3ffe::/16'
set policy prefix-list6 BOGONS-V6 rule 80 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 80 le '128'
set policy prefix-list6 BOGONS-V6 rule 80 prefix 'fc00::/7'
set policy prefix-list6 BOGONS-V6 rule 90 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 90 le '128'
set policy prefix-list6 BOGONS-V6 rule 90 prefix 'fe80::/10'
set policy prefix-list6 BOGONS-V6 rule 100 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 100 le '128'
set policy prefix-list6 BOGONS-V6 rule 100 prefix 'fec0::/10'
set policy prefix-list6 BOGONS-V6 rule 110 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 110 le '128'
set policy prefix-list6 BOGONS-V6 rule 110 prefix 'ff00::/8'
set policy prefix-list6 BOGONS-V6 rule 120 action 'permit'
set policy prefix-list6 BOGONS-V6 rule 120 le '128'
set policy prefix-list6 BOGONS-V6 rule 120 prefix '3fff::/20'
set policy route-map MY-ROUTE-MAP rule 10 action 'deny'
set policy route-map MY-ROUTE-MAP rule 10 match ipv6 address prefix-list 'BOGONS-V6'
Mikrotik
RouterOS v6
This is not recommended. Mikrotik takes a very long time to process all those routes and has some issues with BGP.
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=::/8 prefix-length=8-128 protocol=bgp action=discard comment="RFC 4291 IPv4-compatible, loopback, et al"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=0100::/64 prefix-length=64-128 protocol=bgp action=discard comment="RFC 6666 Discard-Only"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=2001:2::/48 prefix-length=48-128 protocol=bgp action=discard comment="RFC 5180 BMWG"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=2001:10::/28 prefix-length=28-128 protocol=bgp action=discard comment="RFC 4843 ORCHID"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=2001:db8::/32 prefix-length=32-128 protocol=bgp action=discard comment="RFC 3849 documentation"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=3fff::/20 prefix-length=20-128 protocol=bgp action=discard comment="RFC 9637 documentation"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=2002::/16 prefix-length=16-128 protocol=bgp action=discard comment="RFC 7526 6to4 anycast relay"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=3ffe::/16 prefix-length=16-128 protocol=bgp action=discard comment="RFC 3701 old 6bone"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=5f00::/16 prefix-length=16-128 protocol=bgp action=discard comment="draft-ietf-6man-sids-06 SRv6"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=fc00::/7 prefix-length=7-128 protocol=bgp action=discard comment="RFC 4193 unique local unicast"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=fe80::/10 prefix-length=10-128 protocol=bgp action=discard comment="RFC 4291 link local unicast"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=fec0::/10 prefix-length=10-128 protocol=bgp action=discard comment="RFC 3879 old site local unicast"
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=ff00::/8 prefix-length=8-128 protocol=bgp action=discard comment="RFC 4291 multicast"
RouterOS v7
/routing/filter/rule
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==::/8 && dst-len >= 8 ){ reject;}" comment="RFC 4291 IPv4-compatible, loopback, et al"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==0100::/64 && dst-len >= 64 ){ reject; }" comment="RFC 6666 Discard-Only"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==2001:2::/48 && dst-len >= 48 ){ reject; }" comment="RFC 5180 BMWG"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==2001:10::/28 && dst-len >= 28 ){ reject; }" comment="RFC 4843 ORCHID"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==2001:db8::/32 && dst-len >= 32 ){ reject; }" comment="RFC 3849 documentation"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==3fff::/20 && dst-len >= 20 ){ reject; }" comment="RFC 9637 documentation"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==2002::/16 && dst-len >= 16 ){ reject; }" comment="RFC 7526 6to4 anycast relay"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==3ffe::/16 && dst-len >= 16){ reject; }" comment="RFC 3701 old 6bone"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==5f00::/16 && dst-len >= 16){ reject; }" comment="draft-ietf-6man-sids-06 SRv6"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==fc00::/7 && dst-len >=7 ){ reject; }" comment="RFC 4193 unique local unicast"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==fe80::/10 && dst-len >= 10){ reject; }" comment="RFC 4291 link local unicast"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==fec0::/10 && dst-len >= 10){ reject; }" comment="RFC 3879 old site local unicast"
add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==ff00::/8 && dst-len >= 8) { reject; }" comment="RFC 4291 multicast"
Juniper and Cisco
Gert Doering’s ipv6-filters
YAML from Coloclue
Coloclue’s network management system kees considers these the IPv6 Bogons: yaml file
Nokia SR OS
#
# Classic CLI
#
#--------------------------------------------------
echo "Policy Configuration"
#--------------------------------------------------
policy-options
begin
prefix-list "BOGONS_V6"
prefix ::/8 longer
prefix 100::/64 longer
prefix 2001:2::/48 longer
prefix 2001:10::/28 longer
prefix 2001:db8::/32 longer
prefix 3fff::/20 longer
prefix 2002::/16 longer
prefix 3ffe::/16 longer
prefix 5f00::/16 longer
prefix fc00::/7 longer
prefix fe80::/10 longer
prefix fec0::/10 longer
prefix ff00::/8 longer
exit
policy-statement "BGP_FILTER_IN"
entry 20
from
prefix-list "BOGONS_V6"
exit
action drop
exit
exit
exit
commit
exit
#
# Paste-friendly Classic CLI blob
#
/configure router policy-options begin
/configure router policy-options prefix-list "BOGONS_V6" prefix ::/8 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix 100::/64 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix 2001:2::/48 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix 2001:10::/28 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix 2001:db8::/32 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix 3fff::/20 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix 2002::/16 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix 3ffe::/16 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix 5f00::/16 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix fc00::/7 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix fe80::/10 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix fec0::/10 longer
/configure router policy-options prefix-list "BOGONS_V6" prefix ff00::/8 longer
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 20 from prefix-list "BOGONS_V6"
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 20 action drop
/configure router policy-options commit
#
# Model-driven CLI (MD-CLI)
#
[gl:configure policy-options]
    prefix-list "BOGONS_V6" {
        prefix ::/8 type longer {
        }
        prefix 100::/64 type longer {
        }
        prefix 2001:2::/48 type longer {
        }
        prefix 2001:10::/28 type longer {
        }
        prefix 2001:db8::/32 type longer {
        }
        prefix 3fff::/20 type longer {
        }
        prefix 2002::/16 type longer {
        }
        prefix 3ffe::/16 type longer {
        }
        prefix 5f00::/16 type longer {
        }
        prefix fc00::/7 type longer {
        }
        prefix fe80::/10 type longer {
        }
        prefix fec0::/10 type longer {
        }
        prefix ff00::/8 type longer {
        }
    }
    policy-statement "BGP_FILTER_IN" {
        entry 20 {
            from {
                prefix-list ["BOGONS_V6"]
            }
            action {
                action-type reject
            }
        }
    }
#
# Paste-friendly MD-CLI blob
#
/configure policy-options prefix-list "BOGONS_V6" { }
/configure policy-options prefix-list "BOGONS_V6" { prefix ::/8 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix 100::/64 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix 2001:2::/48 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix 2001:10::/28 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix 2001:db8::/32 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix 3fff::/20 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix 2002::/16 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix 3ffe::/16 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix 5f00::/16 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix fc00::/7 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix fe80::/10 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix fec0::/10 type longer }
/configure policy-options prefix-list "BOGONS_V6" { prefix ff00::/8 type longer }
/configure policy-options policy-statement "BGP_FILTER_IN" { entry 20 }
/configure policy-options policy-statement "BGP_FILTER_IN" entry 20 from prefix-list ["BOGONS_V6"]
/configure policy-options policy-statement "BGP_FILTER_IN" entry 20 action action-type reject
Arista EOS
ipv6 prefix-list BOGONS_V6
   seq 1 permit 100::/64 le 128
   seq 2 permit 2001:2::/48 le 128
   seq 3 permit 2001:10::/28 le 128
   seq 4 permit 2001:db8::/32 le 128
   seq 5 permit 2002::/16 le 128
   seq 6 permit 3ffe::/16 le 128
   seq 7 permit fc00::/7 le 128
   seq 8 permit fe80::/10 le 128
   seq 9 permit fec0::/10 le 128
   seq 10 permit ff00::/8 le 128
   seq 11 permit 3fff::/20 le 128
!
route-map Import-Peer deny 30
   match ipv6 address prefix-list BOGONS_V6
!
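A prefix-list entry written without a length range (`le 128`, `longer`, `less-equal 128`) matches only the exact prefix length, so more-specific announcements inside a bogon range pass the filter. The following Python check is an added example, not part of the original page or any vendor tooling; it models both matching modes over the page's IPv6 bogon list, and the function names and sample routes are constructed for illustration.

```python
import ipaddress

# IPv6 bogon prefixes taken from the page's IPv6 listing.
BOGONS_V6 = [ipaddress.ip_network(p) for p in (
    "100::/64", "2001:2::/48", "2001:10::/28", "2001:db8::/32", "2002::/16",
    "3ffe::/16", "3fff::/20", "fc00::/7", "fe80::/10", "fec0::/10", "ff00::/8",
)]

def matches(route, entry, le=None):
    """Model one prefix-list entry (hypothetical helper).

    le=None -> exact prefix length only; le=N -> entry length up to N."""
    route = ipaddress.ip_network(route)
    if route.version != entry.version:
        return False
    max_len = entry.prefixlen if le is None else le
    if not entry.prefixlen <= route.prefixlen <= max_len:
        return False
    return route.subnet_of(entry)

def is_bogon(route, le=128):
    """True if any bogon entry matches the route under the given mode."""
    return any(matches(route, e, le) for e in BOGONS_V6)

def audit(routes):
    """Routes an or-longer filter rejects but an exact-match filter accepts."""
    return [r for r in routes
            if is_bogon(r, le=128) and not is_bogon(r, le=None)]

# Constructed sample announcements (not captured from a real session).
SAMPLE_ROUTES = [
    "2001:db8::/32",    # exact bogon: caught in both modes
    "2001:db8:1::/48",  # more-specific of documentation space
    "fd12:3456::/32",   # more-specific inside fc00::/7
    "2600::/12",        # global unicast: never a bogon
    "2000::/3",         # less-specific covering bogons: not matched
]

if __name__ == "__main__":
    for r in audit(SAMPLE_ROUTES):
        print("leaks through exact-match filter:", r)
```

Feeding the prefixes received from a test peer through `audit` before and after a filter change shows which more-specifics an exact-match list would have accepted.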
Huawei VRP
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 20 permit 100:: 64 greater-equal 64 less-equal 128
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 30 permit 2001:2:: 48 greater-equal 48 less-equal 128
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 40 permit 2001:10:: 28 greater-equal 28 less-equal 128
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 50 permit 2001:DB8:: 32 greater-equal 32 less-equal 128
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 60 permit 3FFF:: 20 greater-equal 20 less-equal 128
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 70 permit 2002:: 16 greater-equal 16 less-equal 128
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 80 permit 3FFE:: 16 greater-equal 16 less-equal 128
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 90 permit 5F00:: 16 greater-equal 16 less-equal 128
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 100 permit FC00:: 7 greater-equal 7 less-equal 128
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 110 permit FE80:: 10 greater-equal 10 less-equal 128
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 120 permit FEC0:: 10 greater-equal 10 less-equal 128
ip ipv6-prefix prefix_Denied_Bogons_ipv6 index 130 permit FF00:: 8 greater-equal 8 less-equal 128
route-policy TRANSIT-V6-IN deny node 100
 if-match ipv6 address prefix-list prefix_Denied_Bogons_ipv6