Municipalidad de Carrillo
Participant Info
- Areas Served: CR
- ASNs: 273147
Implementation of MANRS Actions
- Action 1: Prevent propagation of incorrect routing information
  Currently, the Municipality publishes its IPv6 and IPv4 prefixes under its own autonomous system, requesting its three Internet service providers to implement filters and follow best practices with the following configurations:
  1. Announcement of IPv4 and IPv6 prefixes under the Municipality of Carrillo's own autonomous system (AS) (273147).
  2. Application of inbound (learned routes) and outbound (advertised routes) filters according to the following basic BGP filtering best practices:
     - Advertise IPv4 and IPv6 prefixes in a summarized manner.
     - Do not accept prefixes defined in RFC 1918.
     - Do not accept own prefixes.
     - Do not accept prefixes longer than /24 in IPv4 and longer than /48 in IPv6.
     - Do not accept default route unless required.
- Action 2: Prevent traffic with spoofed source IP addresses
  In the case of the Municipality of Carrillo, the following steps will be followed to comply with this action:
  1. We will validate with the ISP how they are making their announcements in BGP.
  2. The use of uRPF will be recommended on the input interfaces of the CPEs installed by the ISPs.
  3. In case the uRPF mechanism is not being used, information will be requested regarding the ACLs applied on the input interfaces of the CPEs installed by the ISPs, and recommendations will be given for applying new filters in both IPv4 and IPv6 if they are not currently being applied, such as:
     - Denying any attempt of external access with source addresses from my IPv4 and IPv6 block.
     - Similarly, denying any attempt of access with the IPv4 and IPv6 address configured on the input interface of the CPE.
     - A set of statements denying defined prefixes: anycast, documentation prefix, etc.
     - Once again, it is recommended to configure the denial of any other connection with IPv4 and IPv6 established with the provider.
  4. The CAIDA Spoofer software will be executed in at least two network segments of the Municipality using public IP addresses, and the results should appear in the CAIDA
- Action 3: Facilitate global operational communication and coordination
  Currently, the Municipality of Carrillo has its contact information updated in the LACNIC Whois and in the LACNIC IRR.
- Action 4: Facilitate validation of routing information on a global scale
  The compliance with this action, like action number three, depends solely on the management of the Municipality of Carrillo since the implementation of this action will be achieved using the numbering resources (ASN, IPv4, and IPv6) acquired by the Municipality. Therefore, to comply with this action, we will follow the following steps:
  1. We will create the aut-num, route, and route6 objects in the LACNIC IRR with the following information:
     - aut-num: AS273147
     - route: 154.197.77.0/24
     - route6: 2801:195::/48
  2. We will create route origin authorizations (ROAs) from the MiLACNIC RPKI service with the following information:
     - Authorized resources (ROA):
       - 2801:195::/48-48
       - 154.197.77.0/24-24
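
The inbound rules listed under Action 1, written out as a prefix check; this is an added example, not the Municipality's or its ISPs' configuration. The names `check_inbound` and `accept_default` and the sample announcements are assumptions made for illustration; the own prefixes are the ones listed under Action 4.

```python
import ipaddress

# Own prefixes, taken from the route/route6 objects listed under Action 4.
OWN = [ipaddress.ip_network(p) for p in ("154.197.77.0/24", "2801:195::/48")]
# Private IPv4 blocks defined in RFC 1918.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Longest prefix accepted per IP version (Action 1).
MAX_LEN = {4: 24, 6: 48}


def _within(net, blocks):
    """True if net equals, or is a more-specific of, a same-family block."""
    return any(net.version == b.version and net.subnet_of(b) for b in blocks)


def check_inbound(prefix, accept_default=False):
    """Return (accepted, reason) for a prefix learned from an ISP.

    accept_default models the "unless required" exception for 0.0.0.0/0
    and ::/0 (hypothetical parameter, not a router knob).
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"  # e.g. host bits set
    if net.prefixlen == 0:
        return accept_default, "default route"
    if _within(net, RFC1918):
        return False, "RFC 1918 space"
    if _within(net, OWN):
        return False, "own prefix"  # checked before length so /25s of it say why
    if net.prefixlen > MAX_LEN[net.version]:
        return False, f"longer than /{MAX_LEN[net.version]}"
    return True, "ok"


# Constructed sample announcements (not captured from any real BGP session).
SAMPLES = ["198.51.100.0/24", "10.1.0.0/16", "172.32.0.0/16",
           "154.197.77.128/25", "2801:195::/48", "203.0.113.0/25",
           "2001:db8::/64", "0.0.0.0/0", "192.168.1.1/24"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:20} {check_inbound(p)}")
```

A less-specific route that merely covers an own prefix is not rejected by this check; only the own prefix itself and its more-specifics are.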
Why Municipalidad de Carrillo Supports MANRS
My organization decided to join the MANRS community from the moment we chose to use our own Internet numbering resources. The consultancy supporting the Municipality with the deployment of IPv6 and the implementation of our own autonomous system introduced us to the MANRS program, and from there, we decided it is the best mechanism to securely publish our resources and, likewise, contribute to the security of the global Internet, in addition to being an example and role model with our experience for other public entities in Costa Rica.
Head of the Department of Information and Communication Technologies