Hurricane Electric Route Filtering Algorithm

This is the route filtering algorithm for peers that have explicit filtering turned on:

1. Attempt to find an as-set to use for this network.

1.1 Inspect the aut-num for this ASN to see if we can extract from their IRR policy for what they would announce to Hurricane by finding export or mp-export to AS6939, ANY, or AS-ANY.

1.2 Also see if they set what looks like a valid IRR as-set name in peeringdb.

2. Collect the received routes for all BGP sessions with this ASN. This details both accepted and filtered routes.

2.1 If there are no received routes for this AS, perform the process below using the first 10 prefixes from their IRR policy.

3. For each route, perform the following rejection tests:

3.1 Reject prefix lengths less than minimum and greater than maximum. For IPv4 this is 8 and 24. For IPv6 this is 24 and 48.

3.2 Reject bogons (RFC1918, documentation prefix, default route, etc).

3.3 Reject exchange prefixes for all exchanges Hurricane Electric is connected to.

3.4 Reject routes that have RPKI status INVALID_ASN or INVALID_LENGTH based on the origin AS and prefix.

4. For each route, perform the following acceptance tests:

4.1 Accept routes that have RPKI status VALID based on the origin AS and prefix.

4.2 Compare the RIR handles for the prefix and the peer AS, if they match accept the prefix.

4.3 Check if this prefix exactly matches a prefix allowed by the IRR policy of this peer.

5. Reject all prefixes not explicitly accepted