ROUTE FILTERING HOME

Hurricane Electric Route Filtering Algorithm

This is the route filtering algorithm for peers that have explicit filtering turned on:

1. Attempt to find an as-set to use for this network.

1.1 Inspect the aut-num for this ASN to see if we can extract from their IRR policy for what they would announce to Hurricane by finding export or mp-export to AS6939, ANY, or AS-ANY.

1.2 Also see if they set what looks like a valid IRR as-set name in peeringdb.

2. Collect the received routes for all BGP sessions with this ASN. This details both accepted and filtered routes.

2.1 If there are no received routes for this AS, perform the process below using the first 10 prefixes from their IRR policy.

3. For each route, perform the following rejection tests:

3.1 Reject prefix lengths less than mininum and greater than maximum. For IPv4 this is 8 and 24. For IPv6 this is 24 and 48.

3.2 Reject bogons (RFC1918, documentation prefix, default route, etc).

3.3 Reject exchange prefixes for all exchanges Hurricane Electric is connected to.

3.4 (to be implemented) Reject golden prefixes that are originated from the wrong network. Golden prefixes are prefixes that are locked to a specific adjacent peer.

4. For each route, perform the following acceptance tests:

4.1 Compare the RIR handles for the prefix and the peer AS, if they match accept the prefix.

4.2 Check if this prefix exactly matches a prefix allowed by the IRR policy of this peer.

4.3 (to be implemented) Check if this prefix would be accepted using RPKI.

5. Reject all prefixes not explicitly accepted