Filtering Small Prefixes

Filter Small Prefixes

Purpose

A basic filter set on any BGP configuration should include a filter of small prefixes.

This avoids more specific hijacks on /32’s or small prefixes (targetted attacks). Most of the leaked small prefixes that you will see on an Internet Exchange or transit feed are either incorrect leaks due to incorrect filtering or traffic engineering.

Usually you’ll not miss anything as you’ll see the larger prefixes via the same IXP or transit feed (the covering supernet prefix).

There are some small /29 or /28 PI prefixes, but not a lot. Such small PI prefixes get lost due to filters like these. The shortage of IPv4 address space is insufficient of a reason to weaken sanity filters like these. So be aware that you may get a question that could explain if that would happen.

Routes smaller than a /24 (IPv4) or /48 (IPv6) should not be expected to have working global routing.

Configuration Examples

BIRD

function filter_import_v4()
{
  # do not accept too short prefixes
  if (net.len > 24) then {
    print "Reject: Too small prefix: ", net, " ", bgp_path;
    reject;
  }
  
  # TODO: add all other filtering needed.
  
  # accecpt any other routes
  else accept;
}

# include the filter in each BGP session (separate for v4 and v6)
protocol bgp NAME {
  (...)
  ipv4 {
  	# perform some filtering on received routes
    import filter filter_import_v4;
  }
}

FortiOS

config router prefix-list
    edit "IPv4_SMALL_PREFIXES"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                set ge 25
                unset le
            next
        end
    next
end

config router prefix-list6
    edit "IPv6_SMALL_PREFIXES"
        config rule
            edit 1
                set prefix6 ::/0
                set ge 49
                unset le
            next
        end
    next
end

config router route-map
    edit "BGP_FILTER_IN"
        config rule
            edit 1
                set action deny
                set match-ip-address "IPv4_SMALL_PREFIXES"
                set match-ip6-address "IPv6_SMALL_PREFIXES"
            next
        end
    next
end

Junos

policy-options {
  policy-statement reject_small_prefixes {
    term reject_small_prefixes_v4 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /25-/32;
        }
        then {
            reject;
        }
    }
    term reject_small_prefixes_v6 {
        from {
            route-filter ::0/0 prefix-length-range /49-/128;
        }
        then {
            reject;
        }
    }
  }
}

Cisco classic IOS and IOS XE

ip prefix-list peerfilter seq 5 deny 0.0.0.0/0
ip prefix-list peerfilter seq 10 permit 0.0.0.0/0 ge 8 le 24

#Use a template peer-policy that you configure for each neighbor like this:
 !
 template peer-policy ixe-v4
  prefix-list peerfilter in
  maximum-prefix <number>
 exit-peer-policy
 !
router bgp <my ASN>
 !
 address-family ipv4
neighbor 192.0.2.1 inherit peer-policy ixe-v4
neighbor 192.0.2.1 activate
!
}

OpenBGPD

deny from any inet prefixlen > 24
deny from any inet6 prefixlen > 48

FRR (vtysh)

ip prefix-list BOGONS_v4 deny 0.0.0.0/0 ge 25 le 32
ipv6 prefix-list BOGONS_v6 deny ::/0 ge 49 le 128

VyOS

set policy prefix-list TINY-PREFIX-V4 rule 10 action 'permit'
set policy prefix-list TINY-PREFIX-V4 rule 10 ge '25'
set policy prefix-list TINY-PREFIX-V4 rule 10 le '32'
set policy prefix-list TINY-PREFIX-V4 rule 10 prefix '0.0.0.0/0'

set policy prefix-list6 TINY-PREFIX-V6 rule 10 action 'permit'
set policy prefix-list6 TINY-PREFIX-V6 rule 10 ge '49'
set policy prefix-list6 TINY-PREFIX-V6 rule 10 le '128'
set policy prefix-list6 TINY-PREFIX-V6 rule 10 prefix '::/0'

set policy route-map INTERNET-IN rule 10 action 'deny'
set policy route-map INTERNET-IN rule 10 match ip address prefix-list 'TINY-PREFIX-V4'
set policy route-map INTERNET-IN rule 20 action 'deny'
set policy route-map INTERNET-IN rule 20 match ipv6 address prefix-list 'TINY-PREFIX-V6'

Mikrotik

RouterOS v6

This is not recommanded. Mikrotik will take a very very long time to process all those routes and has some issues with BGP.

/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv4 prefix-length=0-7 protocol=bgp action=discard comment=""
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv4 prefix-length=25-32 protocol=bgp action=discard comment=""
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix-length=0-15 protocol=bgp action=discard comment=""
/routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix-length=49-128 protocol=bgp action=discard comment=""

RouterOS v7

/routing/filter/rule
add chain="GENERIC_PREFIX_LIST" rule="if (afi ipv4 && dst-len > 24){ reject }"
add chain="GENERIC_PREFIX_LIST" rule="if (afi ipv4 && dst-len < 7){ reject }" 
add chain="GENERIC_PREFIX_LIST" rule="if (afi ipv6 && dst-len > 48){ reject }"
add chain="GENERIC_PREFIX_LIST" rule="if (afi ipv6 && dst-len < 15){ reject }"

Nokia SR OS

#
# Classic CLI
#
#--------------------------------------------------
echo "Policy Configuration"
#--------------------------------------------------
        policy-options
            begin
            prefix-list "TOO_SMALL_PREFIXES"
                prefix 0.0.0.0/0 prefix-length-range 25-32
                prefix ::/0 prefix-length-range 49-128
            exit
            policy-statement "BGP_FILTER_IN"
                entry 30
                    from
                        prefix-list "TOO_SMALL_PREFIXES"
                    exit
                    action drop
                    exit
                exit
            exit
            commit

#
# Paste-friendly Classic CLI blob
#
/configure router policy-options begin
/configure router policy-options prefix-list "TOO_SMALL_PREFIXES" prefix 0.0.0.0/0 prefix-length-range 25-32
/configure router policy-options prefix-list "TOO_SMALL_PREFIXES" prefix ::/0 prefix-length-range 49-128
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 30 from prefix-list "TOO_SMALL_PREFIXES"
/configure router policy-options policy-statement "BGP_FILTER_IN" entry 30 action drop
/configure router policy-options commit

#
# MD-CLI
#
[gl:configure policy-options]
    prefix-list "TOO_SMALL_PREFIXES" {
        prefix 0.0.0.0/0 type range {
            start-length 25
            end-length 32
        }
        prefix ::/0 type range {
            start-length 49
            end-length 128
        }
    }
    policy-statement "BGP_FILTER_IN" {
        entry 30 {
            from {
                prefix-list ["TOO_SMALL_PREFIXES"]
            }
            action {
                action-type reject
            }
        }
    }

#
# Paste-friendly MD-CLI blob
#
/configure policy-options prefix-list "TOO_SMALL_PREFIXES" { }
/configure policy-options prefix-list "TOO_SMALL_PREFIXES" prefix 0.0.0.0/0 type range start-length 25
/configure policy-options prefix-list "TOO_SMALL_PREFIXES" prefix 0.0.0.0/0 type range end-length 32
/configure policy-options prefix-list "TOO_SMALL_PREFIXES" prefix ::/0 type range start-length 49
/configure policy-options prefix-list "TOO_SMALL_PREFIXES" prefix ::/0 type range end-length 128
/configure policy-options policy-statement "BGP_FILTER_IN" { }
/configure policy-options policy-statement "BGP_FILTER_IN" { entry 30 }
/configure policy-options policy-statement "BGP_FILTER_IN" entry 30 from prefix-list ["TOO_SMALL_PREFIXES"]
/configure policy-options policy-statement "BGP_FILTER_IN" entry 30 action action-type reject

Arista EOS

ip prefix-list TINY-PREFIX-V4
   seq 1 permit 0.0.0.0/0 ge 25 le 32
!
ipv6 prefix-list TINY-PREFIX-V6
   seq 1 permit ::/0 ge 49 le 128
!
route-map NAME-IN-V4 deny 50
    match ip address prefix-list TINY-PREFIX-V4
!
route-map NAME-IN-V6 deny 50
    match ipv6 address prefix-list TINY-PREFIX-V6
!

Huawei VRP

ip ip-prefix default_ipv4_24 index 10 permit 0.0.0.0 0 greater-equal 8 less-equal 24

ip ipv6-prefix default_ipv6_48 index 10 permit :: 0 greater-equal 18 less-equal 48