nanog mailing list archives

access-list 112
From: Sean Doran <smd () sprint net>
Date: Sat, 23 Sep 1995 18:46:01 -0400


This is probably ugly and difficult to read.

It also can be trimmed, but has been left overly-long and
overly-paranoid for readability when using "show access-list
112" and because the IOS 10.3 distribute-list caching
doesn't seem to mind the extra deny clauses all that much.

        Sean.
- --
! list 112 - deny more specifics of some prefixes
!
! IMPORTANT-TO-REMEMBER SYNTAX FOR BGP distribute-list!
! access-list <#> <permit|deny> ip <prefix> <don't care bits> <mask> <don't care bits>
!
! clear old list
!
no access-list 112
!
! this was originally ordered A, B, C and side-effects, but
! what we really want to do is put the permit clauses up front
! starting with the swamp, as this will match the most prefixes
!
!!!!! START
!
!!!! PERMITs
!
!!! C space 
!! permit /24s in 192/8-205/8.
!               (192==1100 0000, 205==1100 1101)
!   
!       allow M =< /24 in 1100 xx0x * 
!               (allow mask bits in first three octets)
!               1100xx0x == {192,193,196,197,200,201,204,205}
!
access-list 112 permit ip 192.0.0.0 13.255.255.255 0.0.0.0 255.255.255.0
!
!
!       allow M =< /24 in 1100 {0010,0011,0110,0111,1010,1011}
!               (which really means 1100 {001x,011x,101x},
!               which in turn is really 1100 {x01x,011x})
!               1100x01x == {194,195,202,203}
!               1100011x == {198,199}
!
access-list 112 permit ip 194.0.0.0 9.255.255.255 0.0.0.0 255.255.255.0
access-list 112 permit ip 198.0.0.0 1.255.255.255 0.0.0.0 255.255.255.0
!
!
!! hack - allow M =< /19 in 206/8
!
access-list 112 permit ip 206.0.0.0 0.255.255.255 0.0.0.0 255.255.224.0
!
!        allow M =< /18 in 206/8-239/8 (1100 111x *, 1110 xxxx *)
!               (allow mask bits in first 18 bits)
!               1100111x == {206,207}
!               1110xxxx == {224-239}; note that 208-223 is 1101 xxxx,
!               which neither line below matches, so /8-/18 announcements
!               from 208/8-223/8 fall through to the implicit deny
!
access-list 112 permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0
access-list 112 permit ip 239.0.0.0 15.255.255.255 0.0.0.0 255.255.192.0
!
!
!!! B space
!! permit /16s in old B-space
!               10xx xxxx * 
!               (we don't care what bits are in the first two octets 
!               of the mask; the second two octets must be 0)
!
access-list 112 permit ip 128.0.0.0 63.255.255.255 0.0.0.0 255.255.0.0
!
!
!!! A space
!! permit /8s and shorter prefixes in old A-space
!                0xxx xxxx * would be simple but unsafe from 0/8 POV, so
!                we make sure that there is at least one 1 bit in the first
!                octet's last seven bits, and that the first bit is 0; 
!                we don't care what bits are set in the mask, because
!                we assume IOS won't present us with a prefix with 
!                bits set in the prefix's first octet but not in the mask,
!                unless it's a long mask...
!
!               126=01111110 (IOW, CddddddC C==CARE, d=don't care)
!               125=01111101
!                ...
!               95=01011111
!               63=00111111
! 
access-list 112 permit ip 1.0.0.0 126.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 2.0.0.0 125.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 4.0.0.0 123.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 8.0.0.0 119.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 16.0.0.0 111.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 32.0.0.0 95.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 64.0.0.0 63.0.0.0 0.0.0.0 255.0.0.0
!
!
!! permit 9.20.0.0/18 and 9.2/16 by exact match
!       (both IBM early birds wrt subnets of As)
!
access-list 112 permit ip 9.2.0.0 0.0.255.255 255.255.0.0 0.0.0.0
access-list 112 permit ip 9.20.0.0 0.0.255.255 255.255.192.0 0.0.0.0
! 
!! permit exp39 /24s and shorter prefixes only
!       (no ones set in the fourth octet)
!
access-list 112 permit ip 39.0.0.0 0.255.255.255 0.0.0.0 255.255.255.0
!
!
!!!! DENYs
!
!       This is super paranoia.  At this point we have permitted
!       all valid unicast prefixes and masks.
!       In theory, we could end right here with a 
!
!               access-list 112 deny ip any any
!
!       but this section below offers some degree of clarity
!       policy-wise... (at least to me, but I'm weird -- smd)
!
!       we also could have done a quick deny after each permit
!       to catch any prefixes which didn't pass the permit filters,
!       however, as noted below, I am superparanoid about
!       funny, noncontiguous masks and other weirdnesses, and
!       would like to be able to see them being caught, if
!       they ever get as far as the access-list.
!
!!! A space
!! deny 0/(9-15) - 127/(9-15)
!                deny subnets in old-style class A space, first octet
!               (if any bit set in bit 8-15 (second octet), deny)
!
!                this is a paranoid way of writing this out;
!               less paranoia would let us write:
!
!               ... deny ip 0.0.0.0 127.0.0.0 0.0.0.0 255.128.0.0
! 
!                because we believe in contiguous netmasks; so we would
!                never have a /18 if we block /17.   
!
!                However, better safe than sorry... ? 
!
!                0xxx xxxx *
!
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.128.0.0 255.127.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.64.0.0 255.191.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.32.0.0 255.223.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.16.0.0 255.239.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.8.0.0 255.247.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.4.0.0 255.251.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.2.0.0 255.253.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.1.0.0 255.254.255.255
!
!!! B space
!! deny 0-127/16, 0-(17-23) - 191/(17-23)
!        deny subnets in old-style class-B space
!        and second octet of class A space.
!        (first two bits will be 00 or 10; so x0xx xxxx; 191==10111111)
!        (if any bit set in 16-23, deny)
!        we also need to zap 0xxx xxxx * /16
!
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.0.0.0 255.255.0.0
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.128.0 255.255.127.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.64.0 255.255.191.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.32.0 255.255.223.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.16.0 255.255.239.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.8.0 255.255.247.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.4.0 255.255.251.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.2.0 255.255.253.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.1.0 255.255.254.255
!
!
!!! C space
!! deny 206/(19-23) - 239/(19-23)
!        block prefixes longer than /18 in 206/8-239/8
!        (no M > /18 in 1100 1110 *, 1100 1111 *, 1110 xxxx *)
!
!       we block all M => /24 below and we did /17-/23 for 0/8-191/8 above,
!       so we only need to worry about /19-/23 for 206/8-239/8
!
!        first, in 1100 111x (206/8, 207/8)
!        (if mask has 1 bits in third octet (bits 18-23), deny)
!
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.32.0 255.255.223.255
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.16.0 255.255.239.255
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.8.0 255.255.247.255
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.4.0 255.255.251.255
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.2.0 255.255.253.255
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.1.0 255.255.254.255
!
! next in 1110 xxxx (224/8-239/8; 208/8-223/8 is 1101 xxxx and is not matched here)
! (if mask has 1 bits in third octet (bits 18-23), deny)
!
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.32.0 255.255.223.255
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.16.0 255.255.239.255
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.8.0 255.255.247.255
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.4.0 255.255.251.255
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.2.0 255.255.253.255
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.1.0 255.255.254.255
!
!!! all UNICAST space
!! deny ANY/24, ANY/(25-32)
!       now we block the final octet for 0/8-239/8 
!       (because we specifically allowed /24s in 192/8-205/8, we can
!       just block everything in xxxx xxxx * that has any 1 bits in 4th octet)
!
access-list 112 deny ip 0.0.0.0 255.255.255.255 255.255.255.0 0.0.0.0
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.128 255.255.255.127
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.64 255.255.255.191
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.32 255.255.255.223
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.16 255.255.255.239
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.8 255.255.255.247
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.4 255.255.255.251
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.2 255.255.255.253
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.1 255.255.255.254
!
!!! all IP space
!! deny 240/(4-32), 0/(8-32)
! finally, we get rid of any announcements that are bogons
! 240/8-255/8 and 0/8
! 1111 xxxx * and 0000 0000 * (any mask)
! we can leave this last as it's likely almost never to happen
!
access-list 112 deny ip 255.0.0.0 15.255.255.255 0.0.0.0 255.255.255.255
access-list 112 deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
!
!!!!! END
end
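As an added example (not part of Sean's post), a small Python evaluator of the IOS extended-ACL semantics that list 112 relies on: the first address/wildcard pair is matched against the announced network, the second against its netmask, the first matching clause wins, and an unmatched prefix hits the implicit deny. It runs over a constructed excerpt of the clauses above and shows, among other things, that 208.0.0.0/16 falls through to the implicit deny because 239.0.0.0 15.255.255.255 matches only 224-239.

```python
import ipaddress

# Constructed excerpt of list 112 (a handful of its permit and deny clauses);
# the full list would be parsed and evaluated the same way.
ACL_112 = """
access-list 112 permit ip 192.0.0.0 13.255.255.255 0.0.0.0 255.255.255.0
access-list 112 permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0
access-list 112 permit ip 239.0.0.0 15.255.255.255 0.0.0.0 255.255.192.0
access-list 112 permit ip 128.0.0.0 63.255.255.255 0.0.0.0 255.255.0.0
access-list 112 permit ip 1.0.0.0 126.0.0.0 0.0.0.0 255.0.0.0
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.128.0 255.255.127.255
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.128 255.255.255.127
access-list 112 deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
"""

def ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip A AW M MW' lines into tuples."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
            continue  # skips '!' comments, 'no access-list' and blank lines
        rules.append((f[2] == "permit", *(ip2int(x) for x in f[4:])))
    return rules

def wild_match(value, wildcard, field):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (field & care) == (value & care)

def evaluate(rules, prefix):
    """First matching clause wins; an IOS access-list ends in an implicit deny.
    Returns (action, 1-based clause number, or None for the implicit deny)."""
    net = ipaddress.IPv4Network(prefix)
    addr, mask = int(net.network_address), int(net.netmask)
    for n, (permit, a, aw, m, mw) in enumerate(rules, 1):
        if wild_match(a, aw, addr) and wild_match(m, mw, mask):
            return ("permit" if permit else "deny"), n
    return "deny", None

RULES = parse_acl(ACL_112)

if __name__ == "__main__":
    for p in ("192.0.2.0/24", "192.0.2.0/25", "130.0.0.0/16", "130.0.0.0/17",
              "5.0.0.0/8", "224.0.0.0/16", "208.0.0.0/16", "0.0.0.0/8"):
        print(p, *evaluate(RULES, p))
```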