Hurricane Electric Route Filtering Algorithm

This is the route filtering algorithm for peers that have explicit filtering turned on:

1. Attempt to find an as-set to use for this network.

1.1 Inspect the aut-num for this ASN to see if we can extract from their IRR policy for what they would announce to Hurricane by finding export or mp-export to AS6939, ANY, or AS-ANY.

1.2 Also see if they set what looks like a valid IRR as-set name in peeringdb.

2. Collect the received routes for all BGP sessions with this ASN. This details both accepted and filtered routes.

2.1 If there are no received routes for this AS, perform the process below using the first 10 prefixes from their IRR policy.

3. For each route, perform the following rejection tests:

3.1 Reject default routes and ::/0.

3.2 Reject paths using BGP AS_SET notation (i.e. {1} or {1 2}, etc). See draft-ietf-idr-deprecate-as-set-confed-set.

3.3 Reject prefix lengths less than minimum and greater than maximum. For IPv4 this is 8 and 24. For IPv6 this is 16 and 48.

3.4 Reject bogons (RFC1918, documentation prefix, etc).

3.5 Reject exchange prefixes for all exchanges Hurricane Electric is connected to.

3.6 Reject routes that have RPKI status INVALID_ASN or INVALID_LENGTH based on the origin AS and prefix.

4. For each route, perform the following acceptance tests:

4.1 If the origin is the neighbor AS, accept routes that have RPKI status VALID based on the origin AS and prefix.

4.2 Compare the RIR handles for the prefix and the peer AS, if they match accept the prefix.

4.3 Check if this prefix exactly matches a prefix allowed by the IRR policy of this peer.

5. Reject all prefixes not explicitly accepted