max-len filter

What is a max-len filter?

By default, a prefix can be divided into any number of /64 blocks. With max-len you can define the maximum prefix length allowed for subnets of a prefix. For example, if you want to divide your subnet into /56 blocks, you can set the max-len to 56. This will filter all longer, more specific prefixes (e.g. /60 or /64) from that subnet.

Why is this important?

The principle of longest prefix match applies: the longest and thus most specific prefix is always selected. An attacker who wants to hijack an IP address can therefore propagate a longer prefix that contains the IP address. The packets are then forwarded to the attacker instead of the actual operator of the prefix. To fend off such attacks, it is necessary to filter more specific prefixes. However, since each operator wants to propagate a different prefix size, the max-len can be set in the entitydb. If no max-len is specified, 64 is assumed.

Where do I have to enter this in the edb?

"route": {
  "<subnet>/48": {
    "description": "<descr>",
    "max-len": "<max-len>",
    "device": {
      "<device>": { }
    }
  }
}

Under route/IP-Address (the "<subnet>/48" key above), create an attribute max-len of type string containing the maximum length, such as 56 or 48.
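
How a filter could apply max-len to incoming announcements, as an added example that is not CRXN's own code. The function name, the sample prefixes and the rule of using the most specific covering route are assumptions made for illustration.

```python
import ipaddress

DEFAULT_MAX_LEN = 64  # per the text above: no max-len means 64 is assumed

# Constructed sample in the edb "route" layout shown above (prefixes are made up).
EDB_ROUTES = {
    "fd00:1234:5678::/48": {"description": "example entity",
                            "max-len": "56", "device": {}},
    "fd00:aaaa:bbbb::/48": {"description": "no max-len set", "device": {}},
}


def check_announcement(announced, routes=EDB_ROUTES):
    """Return (accepted, reason) for an announced IPv6 prefix."""
    net = ipaddress.IPv6Network(announced)  # raises ValueError on host bits
    # Collect every registered route that covers the announcement.
    covering = [(ipaddress.IPv6Network(p), attrs) for p, attrs in routes.items()
                if net.subnet_of(ipaddress.IPv6Network(p))]
    if not covering:
        return False, "not covered by any registered route"
    # Assumption: the most specific covering registration decides.
    reg, attrs = max(covering, key=lambda item: item[0].prefixlen)
    max_len = int(attrs.get("max-len", DEFAULT_MAX_LEN))  # stored as a string
    if not reg.prefixlen <= max_len <= 128:
        return False, f"invalid max-len {max_len} on {reg}"
    if net.prefixlen > max_len:
        # A more-specific announcement like this is what a hijack would use
        # to win longest prefix match, so it is filtered.
        return False, f"/{net.prefixlen} exceeds max-len {max_len} of {reg}"
    return True, f"within {reg}, max-len {max_len}"


if __name__ == "__main__":
    for prefix in ("fd00:1234:5678:100::/56",   # allowed /56 block
                   "fd00:1234:5678:1::/64",     # more specific than max-len 56
                   "fd00:aaaa:bbbb:1::/64",     # default max-len 64 applies
                   "fd00:aaaa:bbbb:1::/80",     # longer than the default
                   "fd00:ffff::/48"):           # not registered at all
        print(prefix, check_announcement(prefix))
```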