The configuration snippets are provided for conformance checking only; they are not intended as implementation guidance. The specific set of features available depends on the platform in use, and not all products support every feature shown.

Description for Scenarios

Scenario                    | Programme             | Action
Scenario 1 Filtering        | Network Operators     | Action 1. Prevent propagation of incorrect routing information
                            | CDN & Cloud Providers | Action 1. Prevent propagation of incorrect routing information
Scenario 2 Anti-spoofing    | Network Operators     | Action 2. Prevent traffic with spoofed source IP addresses
                            | CDN & Cloud Providers | Action 2. Prevent traffic with illegitimate source IP addresses
Scenario 3 Filtering (IXP)  | IXPs                  | Action 1. Prevent propagation of incorrect routing information (Route Server)
Scenario 4 Protect L2 (IXP) | IXPs                  | Action 3. Protect the peering platform (layer 2)

Implementation of MANRS Action 1

Scenario 1 Filtering

Creating filters based on prefix lists:
Prefix list configuration:
/configure policy-options prefix-list "IPv4_BOGONS" prefix 10.0.0.0/8 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 100.64.0.0/10 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 127.0.0.0/8 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 169.254.0.0/16 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 172.16.0.0/12 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 192.0.0.0/24 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 192.0.2.0/24 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 192.88.99.0/24 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 192.168.0.0/16 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 198.18.0.0/15 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 198.51.100.0/24 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 203.0.113.0/24 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 224.0.0.0/4 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 240.0.0.0/4 type longer { }
/configure policy-options prefix-list "IPv4_BOGONS" prefix 255.255.255.255/32 type longer { }

Policy configuration:
/configure policy-options policy-statement "BGP_FILTER_IN" entry 10 { from prefix-list ["IPv4_BOGONS"] }
/configure policy-options policy-statement "BGP_FILTER_IN" entry 10 { action action-type reject }
Creating filters based on as-path:
AS path group configuration:
# comment: RFC 7607 AS 0
/configure policy-options as-path-group "BOGON_ASNS" entry 5 { expression ".* 0 .*" }
# comment: RFC 4893 AS_TRANS
/configure policy-options as-path-group "BOGON_ASNS" entry 10 { expression ".* 23456 .*" }
# comment: RFC 5398 and documentation/example ASNs
/configure policy-options as-path-group "BOGON_ASNS" entry 15 { expression ".* [64496-64511] .*" }
# comment: RFC 5398 and documentation/example ASNs
/configure policy-options as-path-group "BOGON_ASNS" entry 20 { expression ".* [65536-65551] .*" }
# comment: RFC 6996 private ASNs
/configure policy-options as-path-group "BOGON_ASNS" entry 25 { expression ".* [64512-65534] .*" }
# comment: RFC 6996 private ASNs
/configure policy-options as-path-group "BOGON_ASNS" entry 30 { expression ".* [4200000000-4294967294] .*" }
# comment: RFC 7300 last 16-bit ASN
/configure policy-options as-path-group "BOGON_ASNS" entry 35 { expression ".* 65535 .*" }
# comment: RFC 7300 last 32-bit ASN
/configure policy-options as-path-group "BOGON_ASNS" entry 40 { expression ".* 4294967295 .*" }
# comment: IANA reserved ASNs
/configure policy-options as-path-group "BOGON_ASNS" entry 45 { expression ".* [65552-131071] .*" }

Policy configuration (entry 10 is reused here; when the as-path check is combined with the prefix-list check above in one policy, give each its own entry number):
/configure policy-options policy-statement "BGP_FILTER_IN" entry 10 { from as-path group "BOGON_ASNS" }
/configure policy-options policy-statement "BGP_FILTER_IN" entry 10 { action action-type reject }
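The two filters above reject an announcement either because the prefix is a bogon (or a more-specific of one) or because a bogon ASN appears anywhere in the AS_PATH. The following is an added example, not code from the MANRS page or from Nokia SR OS: it evaluates constructed BGP announcements against the same IPv4_BOGONS prefixes and BOGON_ASNS expressions, translating the SR OS numeric-range regex form into ASN ranges, and uses ".* 0 .*" for the AS 0 entry. The sample prefixes and paths are constructed.

```python
"""Added example (not from the MANRS page or Nokia SR OS): evaluates constructed
BGP announcements against the same bogon prefix list and BOGON_ASNS expressions
the MD-CLI snippets configure, to show what BGP_FILTER_IN rejects."""
import ipaddress
import re

# Same entries as prefix-list "IPv4_BOGONS"; "type longer" matches the prefix
# itself and every more-specific, but not a covering less-specific.
IPV4_BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
)]

# The as-path-group expressions, with ".* 0 .*" for the AS 0 entry. In SR OS
# an AS-path regex "[lo-hi]" is a numeric ASN range, not a character class,
# so the expressions are translated rather than handed to Python's re module.
BOGON_ASN_EXPRESSIONS = [
    ".* 0 .*", ".* 23456 .*",
    ".* [64496-64511] .*", ".* [65536-65551] .*",
    ".* [64512-65534] .*", ".* [4200000000-4294967294] .*",
    ".* 65535 .*", ".* 4294967295 .*",
    ".* [65552-131071] .*",
]

_SROS_EXPR = re.compile(r"^\.\* (?:\[(\d+)-(\d+)\]|(\d+)) \.\*$")


def parse_sros_asn_expression(expr):
    """Turn an SR OS expression of the shape ".* N .*" or ".* [lo-hi] .*"
    into an inclusive (lo, hi) ASN range."""
    m = _SROS_EXPR.match(expr)
    if m is None:
        raise ValueError(f"unsupported expression: {expr!r}")
    if m.group(3) is not None:
        asn = int(m.group(3))
        return (asn, asn)
    return (int(m.group(1)), int(m.group(2)))


BOGON_ASN_RANGES = [parse_sros_asn_expression(e) for e in BOGON_ASN_EXPRESSIONS]


def is_bogon_prefix(prefix):
    """True when the announced prefix equals or is more specific than a bogon."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == b.version and net.subnet_of(b) for b in IPV4_BOGONS)


def bogon_asns_in_path(as_path):
    """Every ASN in the AS_PATH that falls into a bogon range."""
    return [asn for asn in as_path
            if any(lo <= asn <= hi for lo, hi in BOGON_ASN_RANGES)]


def bgp_filter_in(prefix, as_path):
    """Mirror of BGP_FILTER_IN with both checks active (in SR OS they would be
    two policy entries with distinct numbers): reject on a bogon prefix or a
    bogon ASN anywhere in the path, otherwise fall through to accept."""
    if is_bogon_prefix(prefix):
        return ("reject", "prefix-list IPv4_BOGONS")
    hits = bogon_asns_in_path(as_path)
    if hits:
        return ("reject", "as-path-group BOGON_ASNS: " + ",".join(map(str, hits)))
    return ("accept", "no bogon match")


# Constructed announcements: (prefix, AS_PATH as received).
SAMPLE_UPDATES = [
    ("203.0.112.0/23", [3333, 12654]),          # ordinary prefix and path
    ("10.1.2.0/24", [3333, 12654]),             # RFC 1918 more-specific
    ("192.0.2.128/25", [3333, 12654]),          # more-specific of TEST-NET-1
    ("198.51.0.0/16", [3333, 65535]),           # covers a bogon (not matched), but path has 65535
    ("203.0.112.0/23", [3333, 64512, 12654]),   # private ASN leaked into the path
]


def run_sample():
    return {f"{p} via {path}": bgp_filter_in(p, path) for p, path in SAMPLE_UPDATES}


if __name__ == "__main__":
    for update, verdict in run_sample().items():
        print(f"{update}: {verdict}")
```

The fourth sample shows the edge of "type longer": 198.51.0.0/16 covers the bogon 198.51.100.0/24 but is not rejected by the prefix list, only by the ASN in its path.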
Creating filters based on RPKI:
Origin validation session configuration:
/configure router "Base" origin-validation rpki-session 91.217.235.45 { admin-state enable }
/configure router "Base" origin-validation rpki-session 91.217.235.45 { description "RIPE RPKI Server" }
/configure router "Base" origin-validation rpki-session 91.217.235.45 { port 8323 }
/configure router "Base" origin-validation rpki-session 91.217.235.47 { admin-state enable }
/configure router "Base" origin-validation rpki-session 91.217.235.47 { description "Routinator RPKI Server" }
/configure router "Base" origin-validation rpki-session 91.217.235.47 { port 8323 }
/configure router "Base" origin-validation rpki-session 91.217.235.50 { admin-state enable }
/configure router "Base" origin-validation rpki-session 91.217.235.50 { description "OctoRPKI Server" }
/configure router "Base" origin-validation rpki-session 91.217.235.50 { port 8323 }

Policy configuration:
/configure policy-options community "VRP_INVALID_COMM" member "ext:4300:2"
/configure policy-options community "VRP_NOT_FOUND_COMM" member "ext:4300:1"
/configure policy-options community "VRP_VALID_COMM" member "ext:4300:0"
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 10 from origin-validation-state invalid }
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 10 action action-type drop }
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 10 action local-preference 90 }
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 10 action community add ["VRP_INVALID_COMM"] }
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 20 from origin-validation-state not-found }
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 20 action action-type accept }
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 20 action local-preference 100 }
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 20 action community add ["VRP_NOT_FOUND_COMM"] }
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 30 from origin-validation-state valid }
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 30 action action-type accept }
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 30 action local-preference 110 }
/configure policy-options policy-statement "ORIGIN_POLICY" { entry 30 action community add ["VRP_VALID_COMM"] }

BGP configuration:
/configure router "Base" bgp best-path-selection { compare-origin-validation-state true }
/configure router "Base" bgp best-path-selection { origin-invalid-unusable true }
/configure router "Base" bgp group "EXAMPLE" { origin-validation ipv4 true }
/configure router "Base" bgp group "EXAMPLE" { origin-validation ipv6 true }
/configure router "Base" bgp group "EXAMPLE" { import policy ["ORIGIN_POLICY"] }
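The RPKI sessions feed the router validated ROA payloads (VRPs); ORIGIN_POLICY then maps each route's validation state to an action, a local preference and a marker community, and the best-path-selection settings keep invalid routes out of selection. The following is an added example, not code from the MANRS page or from Nokia SR OS: it implements the RFC 6811 state computation over a constructed VRP set, applies the same per-state outcomes as ORIGIN_POLICY, and simulates origin-invalid-unusable. The ext:4300:N communities are the RFC 8097 origin validation state extended community (0 valid, 1 not-found, 2 invalid). The VRPs, prefixes and peer names are constructed, and the position of the validation-state comparison relative to other best-path steps is an assumption of the simulation.

```python
"""Added example (not from the MANRS page or Nokia SR OS): RFC 6811 route
origin validation over a constructed VRP set, the ORIGIN_POLICY outcome per
validation state, and the effect of origin-invalid-unusable on selection."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """One validated ROA payload as a validator would push it over RTR."""
    prefix: str
    max_length: int
    asn: int


# Constructed VRPs; the ASNs are RFC 5398 documentation ASNs.
VRPS = [
    VRP("203.0.112.0/23", 24, 64496),
    VRP("198.51.0.0/16", 16, 64497),
]


def origin_validation_state(prefix, origin_asn, vrps):
    """RFC 6811: not-found if no VRP covers the prefix; valid if a covering VRP
    has the same origin ASN and the prefix is not longer than its max length;
    invalid otherwise."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(vrp)
    if not covering:
        return "not-found"
    if any(v.asn == origin_asn and route.prefixlen <= v.max_length for v in covering):
        return "valid"
    return "invalid"


# What ORIGIN_POLICY does with each state (RFC 8097 extended community values:
# 0 valid, 1 not-found, 2 invalid).
ORIGIN_POLICY = {
    "invalid":   {"action": "drop",   "local_preference": 90,  "community": "ext:4300:2"},
    "not-found": {"action": "accept", "local_preference": 100, "community": "ext:4300:1"},
    "valid":     {"action": "accept", "local_preference": 110, "community": "ext:4300:0"},
}


def apply_origin_policy(prefix, origin_asn, vrps=VRPS):
    """The import-policy result for one route."""
    state = origin_validation_state(prefix, origin_asn, vrps)
    return {"state": state, **ORIGIN_POLICY[state]}


_STATE_RANK = {"valid": 0, "not-found": 1, "invalid": 2}


def best_path(prefix, candidates, vrps=VRPS, origin_invalid_unusable=True):
    """Pick the best of several paths for one prefix. candidates are
    (peer_name, origin_asn) pairs. With origin-invalid-unusable, invalid paths
    are never eligible. compare-origin-validation-state is modelled as
    valid > not-found > invalid, assumed here to be compared before local
    preference; the exact step order in SR OS is not modelled."""
    usable = []
    for peer, origin in candidates:
        state = origin_validation_state(prefix, origin, vrps)
        if origin_invalid_unusable and state == "invalid":
            continue
        usable.append((peer, state, ORIGIN_POLICY[state]["local_preference"]))
    if not usable:
        return None
    return min(usable, key=lambda c: (_STATE_RANK[c[1]], -c[2]))[0]


if __name__ == "__main__":
    for prefix, origin in [("203.0.112.0/24", 64496), ("203.0.112.0/25", 64496),
                           ("203.0.112.0/23", 64497), ("192.0.2.0/24", 64496)]:
        print(prefix, origin, apply_origin_policy(prefix, origin))
    print(best_path("203.0.112.0/24", [("peer-a", 64497), ("peer-b", 64496)]))
    print(best_path("203.0.112.0/24", [("peer-a", 64497)]))
```

The second sample (203.0.112.0/25 from the right origin) is invalid only because it is longer than the VRP's max length, which is the case a hijack of a more-specific produces; the last print shows that with origin-invalid-unusable an invalid path that is the only candidate yields no route rather than a low-preference one.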
Applicability:
7250 IXR, 7450 ESS, 7750 SR, 7950 XRS, VSR
The bgpq4 tool, with its vendor targets -n (MD-CLI) and -N (classic CLI), can generate AS path group configurations.
7250 IXR Security Best Practices and Hardening Guide: https://documentation.nokia.com/aces/htdocs/3HE17438AAABTQZZA01/index.html
7450 ESS, 7750 SR, 7950 XRS and VSR Security Best Practices and Hardening Guide: https://documentation.nokia.com/aces/htdocs/3HE16989AAABTQZZA/index.html

Scenario 2 Anti-spoofing

Creating filters based on prefix lists:
Product line: 7450 ESS, 7750 SR, and 7950 XRS (MD-CLI)
uRPF configuration (loose mode only drops packets whose source address has no route at all; the "strict" and "strict-no-ecmp" modes, which also require the route back to the source to point out the ingress interface, are supported and are the stronger choice on single-homed customer interfaces, see the documentation):
/configure router "Base" interface "CUSTOMER X" ipv4 { urpf-check mode loose }
/configure router "Base" interface "CUSTOMER X" ipv6 { urpf-check mode loose }
Implementing source address validation using access lists (the filters below keep default-action accept and drop only the listed sources; a permit list of the customer's own prefixes with default-action drop is the stricter form):
Product line: 7250 IXR (MD-CLI)
 
Filter configuration:
/configure filter ip-filter "INTERFACE X" { default-action accept }
/configure filter ip-filter "INTERFACE X" { entry 10 match src-ip address 10.0.0.0 }
/configure filter ip-filter "INTERFACE X" { entry 10 match src-ip mask 255.255.255.0 }
/configure filter ip-filter "INTERFACE X" { entry 10 action drop }

Product line: 7450 ESS, 7750 SR, and 7950 XRS (MD-CLI)
 
Filter configuration:
/configure filter ip-filter "INTERFACE X" { default-action accept }
/configure filter ip-filter "INTERFACE X" { entry 10 match src-ip address 10.0.0.0 }
/configure filter ip-filter "INTERFACE X" { entry 10 match src-ip mask 255.255.255.0 }
/configure filter ip-filter "INTERFACE X" { entry 10 action drop }
/configure filter ip-filter "INTERFACE X" { entry 20 match src-ip ip-prefix-list "Infrastructure Prefixes" }
/configure filter ip-filter "INTERFACE X" { entry 20 action drop }
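To make the difference between the two uRPF modes and the two ways of writing the ip-filter visible, the following is an added example, not code from the MANRS page or from Nokia SR OS: it builds a small constructed FIB, runs loose and strict uRPF for packets arriving on the customer-facing interface, and evaluates both a deny-list filter as written above and a permit-list filter. The FIB entries, interface names and sample source addresses are constructed.

```python
"""Added example (not from the MANRS page or Nokia SR OS): a constructed FIB,
the loose vs strict uRPF decision for packets arriving on a customer-facing
interface, and the two ways of writing the source-address ip-filter."""
import ipaddress

# Constructed FIB: prefix -> egress interface. No default route is installed;
# with one, loose mode would find a route for every source (RFC 3704).
FIB = {
    "203.0.112.0/24": "CUSTOMER X",   # the customer's own prefix
    "198.51.0.0/16": "TRANSIT",       # reachable, but via the transit side
}


def fib_lookup(src_ip):
    """Longest-prefix match; returns (network, egress_interface) or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best


def urpf_check(src_ip, ingress_iface, mode):
    """loose: accept if any route to the source exists.
    strict: additionally require that route to point back out the ingress
    interface. Both modes drop a source with no route at all."""
    route = fib_lookup(src_ip)
    if route is None:
        return "drop"
    if mode == "loose":
        return "accept"
    if mode == "strict":
        return "accept" if route[1] == ingress_iface else "drop"
    raise ValueError(f"unknown urpf mode: {mode}")


def ip_filter(src_ip, entries, default_action):
    """First matching entry wins, otherwise default-action, as in the
    ip-filter snippets above. entries: [(prefix, action), ...]."""
    addr = ipaddress.ip_address(src_ip)
    for prefix, action in entries:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            return action
    return default_action


# As written on the page: default accept, drop only the listed source range.
DENY_LIST_FILTER = ([("10.0.0.0/24", "drop")], "accept")
# Permit-list form: only the customer's own prefix passes, all else is dropped.
PERMIT_LIST_FILTER = ([("203.0.112.0/24", "accept")], "drop")

# Constructed packets arriving on "CUSTOMER X": (source address, note).
SAMPLES = [
    ("203.0.112.10", "legitimate customer source"),
    ("198.51.100.5", "spoofed: routed, but via TRANSIT"),
    ("192.0.2.1", "spoofed: no route at all"),
    ("10.0.0.7", "spoofed: RFC 1918, listed in the deny-list filter"),
]


def evaluate_samples():
    """For each sample source, the verdict of every mechanism."""
    results = {}
    for src, note in SAMPLES:
        results[src] = {
            "note": note,
            "urpf_loose": urpf_check(src, "CUSTOMER X", "loose"),
            "urpf_strict": urpf_check(src, "CUSTOMER X", "strict"),
            "deny_list_filter": ip_filter(src, *DENY_LIST_FILTER),
            "permit_list_filter": ip_filter(src, *PERMIT_LIST_FILTER),
        }
    return results


if __name__ == "__main__":
    for src, verdicts in evaluate_samples().items():
        print(src, verdicts)
```

The second sample is the case that matters: a spoofed source inside someone else's routed space passes loose uRPF and the deny-list filter, and is caught only by strict uRPF or the permit-list filter.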
Applicability:
7250 IXR Security Best Practices and Hardening Guide: https://documentation.nokia.com/aces/htdocs/3HE17438AAABTQZZA01/index.html
7450 ESS, 7750 SR, 7950 XRS and VSR Security Best Practices and Hardening Guide: https://documentation.nokia.com/aces/htdocs/3HE16989AAABTQZZA/index.html

Scenario 4 Protect L2 (IXP)

Creating controls preventing unwanted traffic:
Product line: 7250 IXR (MD-CLI)
 
L2 protection configuration:
/configure filter mac-filter "CUSTOMER X" description "MANRS IXP Action 3: Protect the peering platform"
/configure filter mac-filter "CUSTOMER X" default-action drop
/configure filter mac-filter "CUSTOMER X" scope exclusive
/configure filter mac-filter "CUSTOMER X" filter-id 100
/configure filter mac-filter "CUSTOMER X" entry 10 { description "ARP" }
/configure filter mac-filter "CUSTOMER X" entry 10 { match etype 0x806 }
/configure filter mac-filter "CUSTOMER X" entry 10 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 10 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 10 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 20 { description "IPv4" }
/configure filter mac-filter "CUSTOMER X" entry 20 { match etype 0x800 }
/configure filter mac-filter "CUSTOMER X" entry 20 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 20 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 20 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 30 { description "IPv6 Unicast" }
/configure filter mac-filter "CUSTOMER X" entry 30 { match etype 0x86dd }
/configure filter mac-filter "CUSTOMER X" entry 30 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 30 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 30 { match dst-mac address 00:00:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 30 { match dst-mac mask 01:00:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 30 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 40 { description "IPv6 Multicast" }
/configure filter mac-filter "CUSTOMER X" entry 40 { match etype 0x86dd }
/configure filter mac-filter "CUSTOMER X" entry 40 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 40 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 40 { match dst-mac address 33:33:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 40 { match dst-mac mask ff:ff:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 40 { action accept }
 
Product line: 7450 ESS, 7750 SR, and 7950 XRS (MD-CLI)
 
L2 protection configuration:
/configure filter mac-filter "CUSTOMER X" description "MANRS IXP Action 3: Protect the peering platform"
/configure filter mac-filter "CUSTOMER X" default-action drop
/configure filter mac-filter "CUSTOMER X" scope exclusive
/configure filter mac-filter "CUSTOMER X" filter-id 100
/configure filter mac-filter "CUSTOMER X" entry 10 { description "ARP" }
/configure filter mac-filter "CUSTOMER X" entry 10 { match frame-type ethernet-ii }
/configure filter mac-filter "CUSTOMER X" entry 10 { match etype 0x806 }
/configure filter mac-filter "CUSTOMER X" entry 10 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 10 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 10 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 20 { description "IPv4" }
/configure filter mac-filter "CUSTOMER X" entry 20 { match frame-type ethernet-ii }
/configure filter mac-filter "CUSTOMER X" entry 20 { match etype 0x800 }
/configure filter mac-filter "CUSTOMER X" entry 20 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 20 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 20 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 30 { description "IPv6 Unicast" }
/configure filter mac-filter "CUSTOMER X" entry 30 { match frame-type ethernet-ii }
/configure filter mac-filter "CUSTOMER X" entry 30 { match etype 0x86dd }
/configure filter mac-filter "CUSTOMER X" entry 30 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 30 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 30 { match dst-mac address 00:00:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 30 { match dst-mac mask 01:00:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 30 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 40 { description "IPv6 Multicast" }
/configure filter mac-filter "CUSTOMER X" entry 40 { match frame-type ethernet-ii }
/configure filter mac-filter "CUSTOMER X" entry 40 { match etype 0x86dd }
/configure filter mac-filter "CUSTOMER X" entry 40 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 40 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 40 { match dst-mac address 33:33:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 40 { match dst-mac mask ff:ff:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 40 { action accept }
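The mac-filter above accepts only four frame types from the member's own router MAC and drops everything else, using the dst-mac mask to separate IPv6 unicast (I/G bit clear) from IPv6 multicast (33:33 prefix). The following is an added example, not code from the MANRS page or from Nokia SR OS: it reproduces the entry order and masked matching over constructed Ethernet frame headers. The member MAC, the other MAC addresses and the frames are constructed.

```python
"""Added example (not from the MANRS page or Nokia SR OS): evaluates constructed
Ethernet frame headers against the entries of mac-filter "CUSTOMER X" above,
with the same masked src-mac/dst-mac matching and default-action drop."""

ETYPE_ARP, ETYPE_IPV4, ETYPE_IPV6 = 0x0806, 0x0800, 0x86DD

# Constructed stand-in for the member's XX:XX:XX:XX:XX:XX router MAC.
MEMBER_MAC = "02:00:00:00:00:aa"
MEMBER_SRC = (MEMBER_MAC, "ff:ff:ff:ff:ff:ff")  # exact match on the member MAC


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def mac_match(value, address, mask):
    """Masked compare, as the src-mac/dst-mac address+mask pairs do:
    only the bits set in mask are compared."""
    m = mac_to_int(mask)
    return (mac_to_int(value) & m) == (mac_to_int(address) & m)


# Entries in the order the snippet defines them. dst None means no dst-mac
# clause; entry 30 masks the I/G bit (01:00:...), entry 40 the 33:33 prefix.
ENTRIES = [
    (10, "ARP",            ETYPE_ARP,  MEMBER_SRC, None),
    (20, "IPv4",           ETYPE_IPV4, MEMBER_SRC, None),
    (30, "IPv6 Unicast",   ETYPE_IPV6, MEMBER_SRC, ("00:00:00:00:00:00", "01:00:00:00:00:00")),
    (40, "IPv6 Multicast", ETYPE_IPV6, MEMBER_SRC, ("33:33:00:00:00:00", "ff:ff:00:00:00:00")),
]
DEFAULT_ACTION = "drop"


def mac_filter(src_mac, dst_mac, etype):
    """Return (action, entry_id): the first entry whose every match clause
    holds accepts the frame; otherwise the default action applies."""
    for entry_id, _desc, e_etype, (src_addr, src_mask), dst in ENTRIES:
        if etype != e_etype:
            continue
        if not mac_match(src_mac, src_addr, src_mask):
            continue
        if dst is not None and not mac_match(dst_mac, *dst):
            continue
        return ("accept", entry_id)
    return (DEFAULT_ACTION, None)


# Constructed frames: (src, dst, etype, note).
FRAMES = [
    (MEMBER_MAC, "ff:ff:ff:ff:ff:ff", ETYPE_ARP, "ARP request from the member"),
    ("02:00:00:00:00:bb", "ff:ff:ff:ff:ff:ff", ETYPE_ARP, "ARP from an unknown MAC"),
    (MEMBER_MAC, "02:00:00:00:00:cc", ETYPE_IPV4, "IPv4 from the member"),
    (MEMBER_MAC, "02:00:00:00:00:cc", ETYPE_IPV6, "IPv6 unicast from the member"),
    (MEMBER_MAC, "33:33:00:00:00:01", ETYPE_IPV6, "IPv6 all-nodes multicast"),
    (MEMBER_MAC, "01:00:5e:00:00:01", ETYPE_IPV6, "IPv6 to a non-33:33 group MAC"),
    (MEMBER_MAC, "01:80:c2:00:00:0e", 0x88CC, "LLDP from the member"),
]


def evaluate_frames():
    """(note, verdict) for every constructed frame."""
    return [(note, mac_filter(src, dst, etype)) for src, dst, etype, note in FRAMES]


if __name__ == "__main__":
    for note, verdict in evaluate_frames():
        print(f"{note}: {verdict}")
```

The sixth frame shows why entry 30 masks only the I/G bit: an IPv6 frame sent to a group MAC outside 33:33 matches neither the unicast nor the multicast entry and falls to the default drop, as does any Ethertype the entries do not list.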
Applicability:
7250 IXR, 7450 ESS, 7750 SR, 7950 XRS

7250 IXR Security Best Practices and Hardening Guide: https://documentation.nokia.com/aces/htdocs/3HE17438AAABTQZZA01/index.html
7450 ESS, 7750 SR, 7950 XRS and VSR Security Best Practices and Hardening Guide: https://documentation.nokia.com/aces/htdocs/3HE16989AAABTQZZA/index.html

Implementation of MANRS Action 2

Describe your implementation of Action 2-1:

Action 2-1 status: Not Implemented

Describe your implementation of Action 2-2:

Action 2-2 status: Implemented

Describe your implementation of Action 2-3:

Action 2-3 status: Not Implemented

Describe your implementation of Action 2-4:

Action 2-4 status: Not Implemented