Huawei Technologies Co., Ltd.
The configuration snippets are provided for conformance checking only; they are not intended as implementation guidance. The specific set of features depends on the platform being used. Not all products may support these features.
Description for Scenarios
Scenario | Programme | Action |
---|---|---|
Scenario 1 Filtering | | Action 1. Prevent propagation of incorrect routing information |
Scenario 2 Anti-spoofing | | Action 2. Prevent traffic with illegitimate source IP addresses |
Scenario 3 Filtering (IXP) | | Action 1. Prevent propagation of incorrect routing information. (Route Server) |
Scenario 4 Protect L2 (IXP) | | |
Implementation of MANRS Action 1
Scenario 1 Filtering
Creating filters based on prefix lists:
OS/Product line: VRP8
```
//Define the prefix list named Filter_Prefix:
#
ip ip-prefix Filter_Prefix index 10 permit 10.0.0.0 8 greater-equal 8 less-equal 32
ip ip-prefix Filter_Prefix index 20 permit 127.0.0.0 8 greater-equal 8 less-equal 32
ip ip-prefix Filter_Prefix index 30 permit 172.16.0.0 12 greater-equal 12 less-equal 32
ip ip-prefix Filter_Prefix index 40 permit 192.168.0.0 16 greater-equal 16 less-equal 32
ip ip-prefix Filter_Prefix index 50 permit 224.0.0.0 4 greater-equal 4 less-equal 32
#
//Define the policy named BGP_Route_Filter:
#
route-policy BGP_Route_Filter deny node 10
 if-match ip-prefix Filter_Prefix
#
//Routes that match no node are denied by default, so permit the remaining routes:
route-policy BGP_Route_Filter permit node 20
#
```
Creating filters based on as-path:
OS/Product line: VRP8
```
//Define as-path filters named Filtered_As_Path:
#
ip as-path-filter Filtered_As_Path index 10 permit ^6451[2-9]_
ip as-path-filter Filtered_As_Path index 20 permit ^645[2-9][0-9]_
ip as-path-filter Filtered_As_Path index 30 permit ^64[6-9][0-9][0-9]_
ip as-path-filter Filtered_As_Path index 40 permit ^65[0-9][0-9][0-9]_
…
#
//Define the policy named BGP_AS_Path_Filter:
#
route-policy BGP_AS_Path_Filter deny node 10
 if-match as-path-filter Filtered_As_Path
#
//Routes that match no node are denied by default, so permit the remaining routes:
route-policy BGP_AS_Path_Filter permit node 20
#
```
Creating filters based on RPKI:
OS/Product line: VRP8
```
//Define the policy for different validation results with the policy name of Route_Validation
#
//The node line for the "valid" case is missing on the page; node 5 is assumed here.
route-policy Route_Validation permit node 5
 if-match rpki origin-as-validation valid
 apply local-preference 110
#
route-policy Route_Validation permit node 10
 if-match rpki origin-as-validation not-found
 apply local-preference 100
#
route-policy Route_Validation deny node 20
 if-match rpki origin-as-validation invalid
#
```
Applicability:
Configuring BGP Filters: https://support.huawei.com/hedex/hdx.do?lib=EDOC1100197250AEK05239&docid=EDOC1100197250&lang=en&v=02&tocLib=EDOC1100197250AEK05239&tocV=02&id=EN-US_TASK_0172366185&tocURL=resources%2525252Fsoftware%2525252Fnev8r10_vrpv8r16%2525252Fuser%2525252Fvrp%2525252Fdc_vrp_bgp_cfg_3024.html&p=t&fe=1&ui=3&keyword=Configuring%25252BBGP%25252BFilters
Configuring RPKI: https://support.huawei.com/hedex/hdx.do?lib=EDOC1100197250AEK05239&docid=EDOC1100197250&lang=en&v=02&tocLib=EDOC1100197250AEK05239&tocV=02&id=EN-US_TASK_0172366288&tocURL=resources%2525252Fsoftware%2525252Fnev8r10_vrpv8r16%2525252Fuser%2525252Fvrp%2525252Fdc_vrp_bgp_cfg_3099.html&p=t&fe=1&ui=3&keyword=Configuring%25252BRPKI
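The following is an added example, not part of Huawei's configuration: a small Python model of how the Filter_Prefix entries select routes through `greater-equal`/`less-equal`, and of how a route-policy treats a route that matches none of its nodes. The function names and the two policy constants are hypothetical; the default-deny step models the VRP route-policy default.

```python
import ipaddress

# Filter_Prefix entries from the page: (network, greater-equal, less-equal).
FILTER_PREFIX = [
    ("10.0.0.0/8", 8, 32),
    ("127.0.0.0/8", 8, 32),
    ("172.16.0.0/12", 12, 32),
    ("192.168.0.0/16", 16, 32),
    ("224.0.0.0/4", 4, 32),
]

def prefix_list_matches(route, entries=FILTER_PREFIX):
    """True if the route lies inside an entry and its mask length is within ge..le."""
    net = ipaddress.ip_network(route)
    for base, ge, le in entries:
        base_net = ipaddress.ip_network(base)
        if net.version != base_net.version:
            continue
        if net.subnet_of(base_net) and ge <= net.prefixlen <= le:
            return True
    return False

def evaluate_policy(route, nodes):
    """Walk the nodes in order and return the action of the first node that matches.

    A node is (action, match_function); match_function None means "no if-match",
    which matches every route. A route that matches no node is denied.
    """
    for action, match in nodes:
        if match is None or match(route):
            return action
    return "deny"

# A policy with only the deny node, and the same policy closed by a permit node.
DENY_NODE_ONLY = [("deny", prefix_list_matches)]
WITH_PERMIT_NODE = [("deny", prefix_list_matches), ("permit", None)]

if __name__ == "__main__":
    # Constructed sample routes: two reserved/private ranges and two public ones.
    for route in ("10.20.0.0/16", "192.168.1.0/24", "192.0.2.0/24", "172.32.0.0/16"):
        print(route,
              evaluate_policy(route, DENY_NODE_ONLY),
              evaluate_policy(route, WITH_PERMIT_NODE))
```
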
Scenario 2 Anti-spoofing
Creating filters based on prefix lists:
OS/Product line: VRP8
```
//Apply the URPF to interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.19.139.1 255.255.255.252
 ip urpf strict allow-default
#
// In addition to strict mode, flow-based mode matching specified IP Prefix, BGP-peer-based mode and loose mode can be supported.
```
Implementing source address validation using access lists:
OS/Product line: VRP8
```
//define ACL and specify IP Prefix
#
acl number 2001
 rule 5 permit source 172.19.139.0 0.0.0.255
#
//Define the traffic classifier named as Spoofed_Source_IP and match acl
#
traffic classifier Spoofed_Source_IP operator or
 if-match acl 2001
#
//define traffic behavior named as Deny_Traffic
#
traffic behavior Deny_Traffic
 deny
#
//define the traffic policy by combining the defined classifier and behavior
#
traffic policy Prevent_Spoofed_Source_IP
 classifier Spoofed_Source_IP behavior Deny_Traffic precedence 1
#
//Apply the traffic policy in the inbound direction of the interface
#
interface GigabitEthernet1/0/0
 undo shutdown
 traffic-policy Prevent_Spoofed_Source_IP inbound
#
```
Applicability:
Configuring URPF: https://support.huawei.com/hedex/hdx.do?lib=EDOC1100197250AEK05239&docid=EDOC1100197250&lang=en&v=02&tocLib=EDOC1100197250AEK05239&tocV=02&id=EN-US_TASK_0172372092&tocURL=resources%2525252Fsoftware%2525252Fnev8r10_vrpv8r16%2525252Fuser%2525252Fne%2525252Fdc_ne_urpf_cfg_0000.html&p=t&fe=1&ui=3&keyword=URPF
Configuring Class-based QoS: https://support.huawei.com/hedex/hdx.do?lib=EDOC1100197250AEK05239&docid=EDOC1100197250&lang=en&v=02&tocLib=EDOC1100197250AEK05239&tocV=02&id=EN-US_TASK_0172371293&tocURL=resources%2525252Fsoftware%2525252Fnev8r10_vrpv8r16%2525252Fuser%2525252Fne%2525252Fdc_ne_qos_cfg_0068.html&p=t&fe=1&ui=3&keyword=Configuration%25252BExamples%25252Bfor%25252BClass-based%25252BQoS
Scenario 3 Filtering (IXP)
Creating filters based on prefix lists:
OS/Product line: VRP8
```
//Define the prefix list named Filter_Prefix:
#
ip ip-prefix Filter_Prefix index 10 permit 10.0.0.0 8 greater-equal 8 less-equal 32
ip ip-prefix Filter_Prefix index 20 permit 127.0.0.0 8 greater-equal 8 less-equal 32
ip ip-prefix Filter_Prefix index 30 permit 172.16.0.0 12 greater-equal 12 less-equal 32
ip ip-prefix Filter_Prefix index 40 permit 192.168.0.0 16 greater-equal 16 less-equal 32
ip ip-prefix Filter_Prefix index 50 permit 224.0.0.0 4 greater-equal 4 less-equal 32
#
//Define the policy named BGP_Route_Filter:
#
route-policy BGP_Route_Filter deny node 10
 if-match ip-prefix Filter_Prefix
#
//Routes that match no node are denied by default, so permit the remaining routes:
route-policy BGP_Route_Filter permit node 20
#
```
Creating filters based on as-path:
OS/Product line: VRP8
```
//Define as-path filters named Filtered_As_Path:
#
ip as-path-filter Filtered_As_Path index 10 permit ^6451[2-9]_
ip as-path-filter Filtered_As_Path index 20 permit ^645[2-9][0-9]_
ip as-path-filter Filtered_As_Path index 30 permit ^64[6-9][0-9][0-9]_
ip as-path-filter Filtered_As_Path index 40 permit ^65[0-9][0-9][0-9]_
…
#
//Define the policy named BGP_AS_Path_Filter:
#
route-policy BGP_AS_Path_Filter deny node 10
 if-match as-path-filter Filtered_As_Path
#
//Routes that match no node are denied by default, so permit the remaining routes:
route-policy BGP_AS_Path_Filter permit node 20
#
```
Creating filters based on RPKI:
OS/Product line: VRP8
```
//Define the policy for different validation results with the policy name of Route_Validation
#
//The node line for the "valid" case is missing on the page; node 5 is assumed here.
route-policy Route_Validation permit node 5
 if-match rpki origin-as-validation valid
 apply local-preference 110
#
route-policy Route_Validation permit node 10
 if-match rpki origin-as-validation not-found
 apply local-preference 100
#
route-policy Route_Validation deny node 20
 if-match rpki origin-as-validation invalid
#
```
Applicability:
Configuring the Route Server function: https://support.huawei.com/enterprise/en/doc/EDOC1100146984/1f9a24b0/configuring-the-route-server-function
Configuring BGP Filters: https://support.huawei.com/hedex/hdx.do?lib=EDOC1100197250AEK05239&docid=EDOC1100197250&lang=en&v=02&tocLib=EDOC1100197250AEK05239&tocV=02&id=EN-US_TASK_0172366185&tocURL=resources%2525252Fsoftware%2525252Fnev8r10_vrpv8r16%2525252Fuser%2525252Fvrp%2525252Fdc_vrp_bgp_cfg_3024.html&p=t&fe=1&ui=3&keyword=Configuring%25252BBGP%25252BFilters
Configuring RPKI: https://support.huawei.com/hedex/hdx.do?lib=EDOC1100197250AEK05239&docid=EDOC1100197250&lang=en&v=02&tocLib=EDOC1100197250AEK05239&tocV=02&id=EN-US_TASK_0172366288&tocURL=resources%2525252Fsoftware%2525252Fnev8r10_vrpv8r16%2525252Fuser%2525252Fvrp%2525252Fdc_vrp_bgp_cfg_3099.html&p=t&fe=1&ui=3&keyword=Configuring%25252BRPKI
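The Route_Validation policy acts on the RPKI origin validation state of each route. As an added example (not Huawei's code), this Python sketch computes that state following RFC 6811 and maps it to the permit/deny and local-preference outcomes given in the policy; the VRP table, the function names and the sample routes are constructed for illustration.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, max length, origin AS).
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("203.0.113.0/24", 25, 64497),
]

def origin_validation(prefix, origin_as, vrps=SAMPLE_VRPS):
    """Return the RFC 6811 state of a route: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # at least one VRP covers the route
        # A match needs the same origin AS (AS 0 never matches) and a mask
        # length no longer than the VRP's maximum length.
        if vrp_as != 0 and origin_as == vrp_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by some VRP but matched by none is invalid; no coverage is not-found.
    return "invalid" if covered else "not-found"

def route_validation_policy(prefix, origin_as, vrps=SAMPLE_VRPS):
    """Outcome of the Route_Validation policy as (action, local-preference)."""
    state = origin_validation(prefix, origin_as, vrps)
    if state == "valid":
        return ("permit", 110)
    if state == "not-found":
        return ("permit", 100)
    return ("deny", None)

if __name__ == "__main__":
    # Constructed sample announcements: (prefix, origin AS).
    samples = [
        ("192.0.2.0/24", 64496),      # matches a VRP
        ("192.0.2.0/24", 64500),      # covered, wrong origin AS
        ("203.0.113.0/26", 64497),    # covered, more specific than max length
        ("198.51.100.0/24", 64496),   # no covering VRP
    ]
    for prefix, asn in samples:
        print(prefix, asn, origin_validation(prefix, asn), route_validation_policy(prefix, asn))
```
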
Scenario 4 Protect L2 (IXP)
Creating controls preventing unwanted traffic:
```
#
acl number 4999
 rule deny source-mac H-H-H f-f-f
 rule deny destination-mac H-H-H f-f-f
 rule deny type ARP
 rule permit type 0x0800
 rule permit type 0x86DD //IPV6
 rule permit type 0x8809 //LACP
 rule deny 8021p 3
acl number 3999
 rule deny udp destination-port bootps
 rule deny udp destination-port bootpc
 rule deny udp source-port bootpc
 rule deny udp source-port dns
 rule deny udp source-port ntp
 rule deny udp source-port rip
 rule deny udp source-port tftp
 rule deny icmp source 10.1.1.1 0 destination 10.2.1.1 0
#
```
Applicability:
ACL Configuration: https://support.huawei.com/hedex/hdx.do?lib=EDOC1100197250AEK05239&docid=EDOC1100197250&lang=en&v=02&tocLib=EDOC1100197250AEK05239&tocV=02&id=EN-US_TASK_0172364533&tocURL=resources%2525252Fsoftware%2525252Fnev8r10_vrpv8r16%2525252Fuser%2525252Fvrp%2525252Fdc_vrp_acl4_cfg_0040.html&p=t&fe=1&ui=3&keyword=ACL%25252BConfiguration
Implementation of MANRS Action 2
Describe your implementation of Action 2-1:
Action 2-1 status: Planned
Describe your implementation of Action 2-2:
Action 2-1 status: Planned
Describe your implementation of Action 2-3:
Action 2-1 status: Implemented
Describe your implementation of Action 2-4:
Action 2-1 status: Planned
Why Huawei Technologies Co., Ltd. Supports MANRS
Routing security is crucial to Internet security, and that includes network devices (e.g., routers and IXP switches), the foundation of the Internet. Over the years, Huawei has dedicated itself to building secure and reliable network devices and has extensive capabilities and experience in the field. Huawei is honored to join MANRS as an active contributor to Internet security.
President of Metro Router domain of Data Communication Product Line