Merge pull request #71 from bramwittendorp/add-ros7-examples

Add examples for RouterOS v7
NLNOG · Nov 11, 2023 · 5c5130c · 5c5130c
2 parents 15646a2 + 5540326
commit 5c5130c
Show file tree

Hide file tree

Showing 8 changed files with 143 additions and 0 deletions.
diff --git a/guides/bogon_asns.md b/guides/bogon_asns.md
@@ -207,6 +207,8 @@ bgp as-path access-list bogon-asns deny 4200000000-4294967295
 ```
 
 ## Mikrotik
+
+### RouterOS v6
 This is not recommanded. Mikrotik will take a very very long time to process all those routes and has some issues with BGP.
 ```
 /routing filter add chain=GENERIC_PREFIX_LIST bgp-as-path="_0_" protocol=bgp action=discard comment="RFC 7607"
@@ -222,6 +224,23 @@ This is not recommanded. Mikrotik will take a very very long time to process all
 /routing filter add chain=GENERIC_PREFIX_LIST bgp-as-path="_(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-4])_" protocol=bgp action=discard comment="RFC 6996 Private ASNs"
 ```
 
+### RouterOS v7 
+```
+/routing/filter/num-list 
+add list=BOGON-AS range=0 comment="RFC 7607"
+add list=BOGON-AS range=23456 comment="RFC 4893 AS_TRANS"
+add list=BOGON-AS range=64496-64511 comment="RFC 5398"
+add list=BOGON-AS range=64512-65534 comment="RFC 6996"
+add list=BOGON-AS range=65535 comment="RFC 7300"
+add list=BOGON-AS range=65536-65551 comment="RFC 5398"
+add list=BOGON-AS range=65552-131071 comment="Reserved"
+add list=BOGON-AS range=4200000000-4294967294 comment="RFC 6996"
+add list=BOGON-AS range=4294967294 comment="RFC 7300"
+
+/routing/filter/rule 
+add chain="GENERIC_PREFIX_LIST" rule="if (bgp-as-path [[:BOGON-AS:]]){ reject }"
+```
+
 ## Huawei VRP
 ```
 route-policy TRANSIT-IN deny node 100

diff --git a/guides/bogon_prefixes.md b/guides/bogon_prefixes.md
@@ -117,6 +117,8 @@ ip prefix-list BOGONS_v4 deny 240.0.0.0/4 le 32
 ```
 
 ## Mikrotik
+
+### RouterOS v6
 This is not recommanded. Mikrotik will take a very very long time to process all those routes and has some issues with BGP.
 ```
 /routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=0.0.0.0/8 prefix-length=8-32 protocol=bgp action=discard comment="RFC 1122 'this' network"
@@ -135,6 +137,25 @@ This is not recommanded. Mikrotik will take a very very long time to process all
 /routing filter add chain=GENERIC_PREFIX_LIST address-family=ip prefix=240.0.0.0/4 prefix-length=4-32 protocol=bgp action=discard comment="multicast"
 ```
 
+### RouterOS v7
+```
+/routing/filter/rule
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==0.0.0.0/8 && dst-len >= 8 ){ reject; }" comment="RFC 1122 'this' network"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==10.0.0.0/8 && dst-len >= 8){ reject; }" comment="RFC 1918 private space"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==100.64.0.0/10 && dst-len >= 10){ reject; }" comment="RFC 6598 Carrier grade nat space"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==127.0.0.0/8 && dst-len >= 8){ rejecet; }" comment="RFC 1122 localhost"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==169.254.0.0/16 && dst-len >= 16){ reject; }" comment="RFC 3927 link local"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==172.16.0.0/12 && dst-len >= 12){ reject; }" comment="RFC 1918 private space"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==192.0.2.0/24 && dst-len >= 24){ reject; }" comment="RFC 5737 TEST-NET-1"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==192.88.99.0/24 && dst-len >= 24){ reject; }" comment="RFC 7526 6to4 anycast relay"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==192.168.0.0/16 && dst-len >= 16){ reject; }" comment="RFC 1918 private space"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==198.18.0.0/15 && dst-len >= 15){ reject; }" comment="RFC 2544 benchmarking"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==198.51.100.0/24 && dst-len >= 24){ reject; }" comment="RFC 5737 TEST-NET-2"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==203.0.113.0/24 && dst-len >= 24){ reject; }" comment="RFC 5737 TEST-NET-3"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==224.0.0.0/4 && dst-len >= 4){ reject; }" comment="multicast"
+add chain=GENERIC_PREFIX_LIST rule="if ( afi ipv4 && dst==240.0.0.0/4 && dst-len >= 4){ reject; }" comment="reserved"
+```
+
 ## Junos
 ```
 policy-statement reject-bogon-prefixes {
@@ -460,6 +481,8 @@ ipv6 prefix-list BOGONS_v6 deny ff00::/8 le 128
 ```
 
 ## Mikrotik
+
+### RouterOS v6
 This is not recommanded. Mikrotik will take a very very long time to process all those routes and has some issues with BGP.
 ```
 /routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=::/8 prefix-length=8-128 protocol=bgp action=discard comment="RFC 4291 IPv4-compatible, loopback, et al"
@@ -475,6 +498,22 @@ This is not recommanded. Mikrotik will take a very very long time to process all
 /routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix=ff00::/8 prefix-length=8-128 protocol=bgp action=discard comment="RFC 4291 multicast"
 ```
 
+### RouterOS v7 
+```
+/routing/filter/rule
+add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==::/8 && dst-len >= 8 ){ reject;}" comment="RFC 4291 IPv4-compatible, loopback, et al"
+add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==0100::/64 && dst-len >= 64 ){ reject; }" comment="RFC 6666 Discard-Only"
+add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==2001:2::/48 && dst-len >= 48 ){ reject; }" comment="RFC 5180 BMWG"
+add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==2001:10::/28 && dst-len >= 28 ){ reject; }" comment="RFC 4843 ORCHID"
+add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==2001:db8::/32 && dst-len >= 32 ){ reject; }" comment="RFC 3849 documentation"
+add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==2002::/16 && dst-len >= 16 ){ reject; }" comment="RFC 7526 6to4 anycast relay"
+add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==3ffe::/16 && dst-len >= 16){ reject; }" comment="RFC 3701 old 6bone"
+add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==fc00::/7 && dst-len >=7 ){ reject; }" comment="RFC 4193 unique local unicast"
+add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==fe80::/10 && dst-len >= 10){ reject; }" comment="RFC 4291 link local unicast"
+add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==fec0::/10 && dst-len >= 10){ reject; }" comment="RFC 3879 old site local unicast"
+add chain="GENERIC_PREFIX_LIST" rule="if ( afi ipv6 && dst==ff00::/8 && dst-len >= 8) { reject; }" comment="RFC 4291 multicast"
+```
+
 ## Juniper and Cisco
 
 Gert Doering's [ipv6-filters](https://www.space.net/~gert/RIPE/ipv6-filters.html)

diff --git a/guides/default_accept.md b/guides/default_accept.md
@@ -121,3 +121,14 @@ policy-statement "BGP_FILTER_IN" {
         }
     }
 ```
+
+## Mikrotik
+### RouterOS v7
+These should be the last rules in the chain, by default RouterOS will add the new rules to the end of the list. 
+
+```
+/routing/filter/rule
+add chain="GENERIC_PREFIX_LIST" rule="set bgp-local-pref 115;"
+add chain="GENERIC_PREFIX_LIST" rule="append bgp-communities <your ASN>:<peer ASN>;"
+add chain="GENERIC_PREFIX_LIST" rule="accept"
+```
diff --git a/guides/graceful_shutdown.md b/guides/graceful_shutdown.md
@@ -184,6 +184,14 @@ policy-statement "BGP_FILTER_IN" {
 }
 ```
 
+## MikroTik 
+### RouterOS v7
+RouterOS 7 added support for several Well-known communities including graceful-shutdown. 
+```
+/routing/filter/rule 
+add chain="GENERIC_PREFIX_LIST" rule="if (bgp-communities includes graceful-shutdown) { set bgp-local-pref 0; }"
+```
+
 ## Huawei VRP
 ```
 ip community-filter basic GRACEFUL-SHUTDOWN index 10 permit 65535:0

diff --git a/guides/long_paths.md b/guides/long_paths.md
@@ -64,11 +64,19 @@ deny from any max-as-len 100
 ```
 
 ## Mikrotik
+
+### RouterOS v6
 This is not recommanded. Mikrotik will take a very very long time to process all those routes and has some issues with BGP.
 ```
 /routing filter add chain=GENERIC_PREFIX_LIST bgp-as-path-length="65-4294967295" protocol=bgp action=discard comment=""
 ```
 
+### RouterOS v7
+```
+/routing/filter/rule
+add chain="GENERIC_PREFIX_LIST" rule="if (bgp-path-len >= 100 ){ reject }"
+```
+
 ## Nokia SR OS
 ```
 #

diff --git a/guides/no_transit_leaks.md b/guides/no_transit_leaks.md
@@ -190,6 +190,33 @@ policy-statement "BGP_FILTER_IN" {
 /configure policy-options policy-statement "BGP_FILTER_IN" entry 50 action action-type reject
 ```
 
+## Mikrotik
+
+### RouterOS v7
+```
+/routing/filter/num-list
+add list="TRANSIT_ASNS" range=174 comment="Cogent" 
+add list="TRANSIT_ASNS" range=701 comment="UUNET" 
+add list="TRANSIT_ASNS" range=1299 comment="Telia" 
+add list="TRANSIT_ASNS" range=2914 comment="NTT Ltd." 
+add list="TRANSIT_ASNS" range=3257 comment="GTT Backbone" 
+add list="TRANSIT_ASNS" range=3320 comment="Deutsche Telekom AG (DTAG)" 
+add list="TRANSIT_ASNS" range=3356 comment="Level3" 
+add list="TRANSIT_ASNS" range=3491 comment="PCCW" 
+add list="TRANSIT_ASNS" range=4134 comment="Chinanet" 
+add list="TRANSIT_ASNS" range=5511 comment="Orange opentransit" 
+add list="TRANSIT_ASNS" range=6453 comment="Tata Communications" 
+add list="TRANSIT_ASNS" range=6461 comment="Zayo Bandwidth" 
+add list="TRANSIT_ASNS" range=6762 comment="Seabone / Telecom Italia" 
+add list="TRANSIT_ASNS" range=6830 comment="Liberty Global"
+add list="TRANSIT_ASNS" range=7018 comment="AT&T"  
+
+/routing/filter/rule 
+add chain="NO-TRANSIT-IN" rule="if (bgp-as-path [[:TRANSIT_ASNS:]]){ reject }"
+```
+
+
+
 ## Huawei VRP
 
 ```

diff --git a/guides/reject_invalids.md b/guides/reject_invalids.md
@@ -376,6 +376,26 @@ A:admin@br1-nyc# info
 
  ```
 
+## Mikrotik 
+
+### RouterOS v7
+Since RouterOS v7 MikroTik has added support for RPKI-validation. 
+
+Configure RTR
+```
+/routing/rpki
+add address=10.1.1.6 group=rpki-validator port=323
+```
+
+Now validate the prefixes in the EBGP ingress policy: 
+```
+/routing/filter/rule
+add chain="GENERIC_PREFIX_LIST" rule="rpki-verify rpki-validator"
+add chain="GENERIC_PREFIX_LIST" rule="if (rpki invalid){ reject }"
+```
+
+
+
 ## Huawei VRP
 
 Configure RTR and enable RPKI.

diff --git a/guides/small_prefixes.md b/guides/small_prefixes.md
@@ -97,6 +97,8 @@ ipv6 prefix-list BOGONS_v6 deny ::/0 ge 49 le 128
 ```
 
 ## Mikrotik
+
+### RouterOS v6
 This is not recommanded. Mikrotik will take a very very long time to process all those routes and has some issues with BGP.
 ```
 /routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv4 prefix-length=0-7 protocol=bgp action=discard comment=""
@@ -105,6 +107,15 @@ This is not recommanded. Mikrotik will take a very very long time to process all
 /routing filter add chain=GENERIC_PREFIX_LIST address-family=ipv6 prefix-length=49-128 protocol=bgp action=discard comment=""
 ```
 
+### RouterOS v7 
+```
+/routing/filter/rule
+add chain="GENERIC_PREFIX_LIST" rule="if (afi ipv4 && dst-len > 24){ reject }"
+add chain="GENERIC_PREFIX_LIST" rule="if (afi ipv4 && dst-len < 7){ reject }" 
+add chain="GENERIC_PREFIX_LIST" rule="if (afi ipv6 && dst-len > 48){ reject }"
+add chain="GENERIC_PREFIX_LIST" rule="if (afi ipv6 && dst-len < 15){ reject }"
+```
+
 ## Nokia SR OS
 ```
 #