Exodus Filtering

Customer

1. Require customers to register their routes in the RADB (Routing Arbiter Database)

2. Require customers to inform us of their IP prefixes and AS numbers

3. Prefix-filter customers (accept only the prefixes they registered)

4. AS-path-filter customers (accept only paths that start with their AS numbers)

Peer

outbound filter

1. IP Filter

This ACL is applied both inbound and outbound for most peers. Being a standard access-list, each entry is compared against the network address of a prefix only, not its length: a more-specific such as a /25 out of one of these /24s has a different network address and is only caught by the /24 length filter below, and a covering aggregate (see the JPIX note) is not caught at all.

! Default
access-list 1 deny  0.0.0.0
! Ameritech NAP
access-list 1 deny   198.32.130.0
access-list 1 deny   206.220.240.0 0.0.3.255 
! Sprint NAP
access-list 1 deny   192.157.69.0
! PAIX
access-list 1 deny   198.32.175.0
access-list 1 deny   198.32.176.0
! PAIX-E
access-list 1 deny   198.32.190.0
! MAE East
access-list 1 deny   192.41.177.0
access-list 1 deny   198.32.186.0
! MAE West MFS
access-list 1 deny   198.32.136.0
! MAE West Ames
access-list 1 deny   198.32.184.0
! Oregon GigaPOP
access-list 1 deny   198.32.163.0
! Pacific Bell NAP
access-list 1 deny   198.32.128.0
! LINX
access-list 1 deny   195.66.224.0
access-list 1 deny   195.66.225.0
! MAE Los Angeles
access-list 1 deny   198.32.146.0
! DECIX
access-list 1 deny   194.31.232.0
! MAE Frankfurt
access-list 1 deny   192.67.199.0
! AMS-IX
access-list 1 deny   193.148.15.0
! JPIX (KDD announces this as /19)
! access-list 1 deny   210.171.224.0
! NSPIXP2
access-list 1 deny   202.249.2.0
! RFC1918 and other special use IPv4 address blocks
access-list 1 deny   0.0.0.0 0.255.255.255
access-list 1 deny   127.0.0.0 0.255.255.255
access-list 1 deny   192.0.2.0 0.0.0.255
access-list 1 deny   10.0.0.0 0.255.255.255
access-list 1 deny   172.16.0.0 0.15.255.255
access-list 1 deny   192.168.0.0 0.0.255.255
access-list 1 deny   169.254.0.0 0.0.255.255
access-list 1 permit any

2. AS-PATH outbound filter

no ip as-path access-list 1
ip as-path access-list 1 permit ^$
ip as-path access-list 1 permit ^4197$
ip as-path access-list 1 permit ^8709$

inbound filter

1. max-paths

2. Filter the 'big ASes' and Reserved ASes

This stops small 'peers' from leaking us the routes of the large providers, or routes carrying private AS numbers, via their AS path.

no ip as-path access-list 68
ip as-path access-list 68 permit _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_
ip as-path access-list 68 permit _1_
ip as-path access-list 68 permit _701_
ip as-path access-list 68 permit _1239_
ip as-path access-list 68 permit _3561_

! applied inbound on the peer: drop anything matching as-path list 68
route-map xxxxpxin deny 5
 match as-path 68

3. Filter at the /24 level (reject anything more specific than a /24)
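
To make the semantics of the filters above concrete, here is an added Python simulation of the peer policy (example code, not Exodus configuration and not Cisco IOS code): an abridged access-list 1 evaluated the way a standard ACL is, the outbound as-path list 1, and the inbound /24 length check plus as-path list 68. It assumes access-list 1 is applied as a distribute-list, so entries are compared against the prefix's network address only, and it models the IOS as-path regex character `_` as start of path, end of path, or a space between AS numbers. The sample updates are constructed: the prefixes are documentation ranges and 64496/64500 are placeholder neighbor AS numbers.

```python
"""Simulation of the peer filters on this page (added example; not
Exodus's configuration and not Cisco IOS code).

Assumptions: access-list 1 is applied as a distribute-list, so each
entry is compared with the prefix's network address only (a standard
ACL never sees the prefix length); the IOS as-path regex character '_'
is modelled as start-of-path, end-of-path or a space between ASNs.
Prefixes and neighbor ASNs in the sample updates are constructed.
"""
import ipaddress
import re

# Abridged copy of access-list 1: (action, address, wildcard mask).
# No wildcard in the original means 0.0.0.0 (exact network address).
ACL_1 = [
    ("deny", "0.0.0.0", "0.0.0.0"),            # default route
    ("deny", "198.32.130.0", "0.0.0.0"),       # Ameritech NAP
    ("deny", "206.220.240.0", "0.0.3.255"),
    ("deny", "198.32.136.0", "0.0.0.0"),       # MAE West MFS
    ("deny", "0.0.0.0", "0.255.255.255"),      # special-use blocks
    ("deny", "127.0.0.0", "0.255.255.255"),
    ("deny", "192.0.2.0", "0.0.0.255"),
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", "169.254.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit any
]

# Inbound: as-path list 68, private ASNs 64512-65535 and the 'big' ASes.
AS_PATH_68 = [
    "_(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_",
    "_1_", "_701_", "_1239_", "_3561_",
]
# Outbound: as-path list 1, our own routes and two direct customers.
AS_PATH_1 = ["^$", "^4197$", "^8709$"]
MAX_PREFIX_LEN = 24


def acl_action(acl, prefix):
    """First-match evaluation of a standard ACL against the network
    address of `prefix`; implicit deny if no entry matches."""
    net = int(ipaddress.ip_network(prefix, strict=False).network_address)
    for action, addr, wildcard in acl:
        addr_i = int(ipaddress.ip_address(addr))
        # wildcard bit 1 = don't care, so only the 0 bits are compared
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if net & care == addr_i & care:
            return action
    return "deny"


def ios_as_path_regex(pattern):
    """Translate an IOS as-path regex into a Python regex ('_' = boundary)."""
    return re.compile(pattern.replace("_", r"(?:^|$|\s)"))


def as_path_matches(patterns, as_path):
    """True if any pattern matches the AS path (list of ints, nearest AS first)."""
    path = " ".join(str(asn) for asn in as_path)
    return any(ios_as_path_regex(p).search(path) for p in patterns)


def inbound_peer_filter(prefix, as_path):
    """Inbound peer policy: /24 length limit, as-path list 68, access-list 1.
    Returns (accepted, reason)."""
    if ipaddress.ip_network(prefix, strict=False).prefixlen > MAX_PREFIX_LEN:
        return False, "longer than /%d" % MAX_PREFIX_LEN
    if as_path_matches(AS_PATH_68, as_path):
        return False, "as-path list 68: big or private AS via a peer"
    if acl_action(ACL_1, prefix) != "permit":
        return False, "access-list 1: special-use or exchange-point prefix"
    return True, "accepted"


def outbound_peer_filter(prefix, as_path):
    """Outbound peer policy: access-list 1 plus as-path list 1 (announce
    only our own routes and those of direct customers, never a peer's)."""
    if acl_action(ACL_1, prefix) != "permit":
        return False, "access-list 1"
    if not as_path_matches(AS_PATH_1, as_path):
        return False, "as-path list 1: not ours or a direct customer's"
    return True, "accepted"


# Constructed updates as learned from a peer; 64496/64500 are placeholders.
SAMPLE_INBOUND = [
    ("198.51.100.0/24", [64496, 64500]),     # accepted
    ("198.51.100.128/25", [64496, 64500]),   # too long
    ("198.32.130.128/25", [64496]),          # misses the exact-match deny, caught by /24 rule
    ("198.32.130.0/24", [64496]),            # exchange-point prefix
    ("10.1.0.0/16", [64496]),                # RFC 1918
    ("203.0.113.0/24", [64496, 701, 64500]), # 701 leaked through a small peer
    ("203.0.113.0/24", [64496, 65001]),      # private ASN in the path
    ("203.0.113.0/24", [64496, 17011]),      # 17011 is not 701: accepted
]


def run_inbound(updates=SAMPLE_INBOUND):
    """Apply the inbound policy to each update; returns (prefix, path, ok, why)."""
    return [(p, path) + inbound_peer_filter(p, path) for p, path in updates]


if __name__ == "__main__":
    for prefix, path, ok, why in run_inbound():
        print("%-20s %-22s %s %s" % (prefix, path, "ACCEPT" if ok else "REJECT", why))
```

The third sample shows why the /24 rule matters: a /25 carved out of an exchange-point /24 has a different network address, so the exact-match deny in access-list 1 does not see it and only the length limit rejects it. The last sample shows why the `_` boundaries in the IOS regex are needed: without them `701` would also match 17011.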

What we don't do: listen to emails from other providers (waste of our time)

Problems: bringing up a peer on a slow link could cause us to leak local routes before the filters take effect (keep the neighbor in shutdown until the filters are applied)

Future: filter more on the basis of registry (RADB) data

http://www.nielsen.net/people/christian/linx.html
cnielsen@exodus.net