writemem.co.uk

Go Configure!

What on Earth is a Martian Route?


Rather than the archetypal ‘little green man’, a networking martian is an IP range that is considered invalid by a device. Any route classed as ‘martian’ is blocked from entering the routing table, and traffic destined for that network will be dropped.

Juniper routers arrive pre-populated with a naughty list of common IP ranges that should not be routable in most networks. These martian ranges can be removed from, or added to, the martians list should the defaults not meet your requirements. We’ll go through that later.

Why are Martian Routes useful?

Martian routes serve two useful functions:

  • Security

Default entries in the martians table fall within address space that most bog-standard networks wouldn’t use. If these addresses turn up on your network without you knowing why, it could be suspicious, but martians take the worry out of this as anything destined to them is dropped.

  • Avoiding misconfiguration

BGP route filtering is applied per neighbor so if you’re not using martian routes, disaster could be just one memory lapse away!

As an example of how a martian route can protect a network, imagine a scenario where a large business wants to begin advertising their PUBLIC address space out to the big wide world.

The customer applies their BGP configuration, and accidentally begins advertising subnets in their PRIVATE IP space to the ISP. Additionally, the imaginary ISP has failed to implement martian routes covering the private IP space, and has no other mechanism in place to stop private networks from entering their routing table.

Bad things happen. The ISP may advertise the customer’s subnet to other customers, potentially black-holing traffic. Oops.

What a martian route is not

To clear up any potential confusion, defining martian addresses on your router will not:

  • Act as a dynamic block list service.
  • Perform virus / malware mitigation functionality.
  • Provide much in the way of security.
  • Be the primary way you should filter routes.

Let me see the naughty list!

I first came across martian routes on Juniper routers, although some other manufacturers also use this terminology. You may find the term ‘bogons’ sometimes used in provider circles. A bogon list performs a similar function, but is more comprehensive than the martian lists we see with enterprise class routers.

Here’s an example of the default martian routes on a Juniper router:

[Figure: The default martian routes on a Juniper router.]

Let’s describe why each of the ranges is a martian; there are a couple of broad categories for these ranges.

The following ranges are reserved by the IP allocation authority, IANA:

0.0.0.0/0 exact -- allowed  <--- THIS IS NOT A MARTIAN!! It is an exception made for our default route so that it does not get dropped by the next entry...

0.0.0.0/8 orlonger -- disallowed  <--- do not allow addresses that start with 0 into the routing table, except the default route - see above.

192.0.0.0/24 orlonger -- disallowed  <--- a reserved public range.

240.0.0.0/4 orlonger -- disallowed <--- do not allow class E (reserved for experimental use) subnets into the routing table.

The below are used for a specific purpose, but don’t necessarily need to be in the default IPv4 routing table:

127.0.0.0/8 orlonger -- disallowed  <--- devices use this range as their default TCP/IP stack loopback.

224.0.0.0/4 exact -- disallowed <--- class D range used for multicast. 

224.0.0.0/24 exact -- disallowed <--- reserved for control plane functions such as routing protocol hello messages.

The suffix “exact” or “orlonger” is used in the default martians table. This refers to the specificity of the subnet mask, as shown below:

0.0.0.0/0 exact means the route ONLY matches if the subnet and mask combination is precisely as written.

0.0.0.0/8 orlonger -- a route matches if it lies within 0.0.0.0/8 and its mask length is anywhere from /8 to /32 inclusive.

Can we see martians in the Juniper routing table?

Martian routes are not visible by default in the routing table, so we use the “show route table inet.0 hidden” command; however, this will also show you other hidden prefixes depending on your network, and it does not mean that they are all martian routes. The easiest way to spot the little green men is using “show route martians table inet.0”.

How do I amend the Martian Route list?

Take a look at my accompanying video below showing the process of adding and removing martians and understanding the subsequent behaviour:

[Video: Configuring martians in your Juniper router!]

For quick reference, the commands from the above video are documented below:

To add:

configure
set routing-options martians <your-prefix> <exact|orlonger|longer|etc>
commit

To remove:

configure
delete routing-options martians <your-prefix> <exact|orlonger|longer|etc>
commit
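To make the exact/orlonger matching rules and the add/remove procedure above concrete, here is an added Python model of the martians table (example code, not from the original post or from Juniper). It transcribes the default table shown earlier, evaluates candidate prefixes against it, and mirrors what the set/delete commands do; it assumes, as the Junos "allow" option describes, that an allowed entry overrides overlapping disallowed ones.

```python
import ipaddress

# The Junos default martians table as listed on this page, transcribed as
# (prefix, match type, allowed). The "allowed" 0.0.0.0/0 entry keeps the default route.
DEFAULT_MARTIANS = [
    ("0.0.0.0/0", "exact", True),
    ("0.0.0.0/8", "orlonger", False),
    ("127.0.0.0/8", "orlonger", False),
    ("192.0.0.0/24", "orlonger", False),
    ("240.0.0.0/4", "orlonger", False),
    ("224.0.0.0/4", "exact", False),
    ("224.0.0.0/24", "exact", False),
]

def matches(entry_prefix, match_type, route):
    """Does 'route' (an ip_network) fall under a martians entry with the given match type?"""
    entry = ipaddress.ip_network(entry_prefix)
    if match_type == "exact":
        return route == entry                      # prefix AND mask length identical
    if route.version != entry.version or not route.subnet_of(entry):
        return False                               # outside the entry's address range
    if match_type == "orlonger":
        return route.prefixlen >= entry.prefixlen  # /8 ... /32 for a /8 entry
    if match_type == "longer":
        return route.prefixlen > entry.prefixlen   # strictly more specific than the entry
    raise ValueError(f"unsupported match type: {match_type}")

def is_martian(prefix, table=DEFAULT_MARTIANS):
    """True if the prefix would be dropped: it hits a disallowed entry and no allowed one.
    Assumption: an 'allow' entry overrides overlapping disallowed entries (Junos 'allow')."""
    route = ipaddress.ip_network(prefix)
    hits = [allowed for p, m, allowed in table if matches(p, m, route)]
    return (False in hits) and (True not in hits)

def set_martian(table, prefix, match_type, allow=False):
    """Model 'set routing-options martians <prefix> <match> [allow]' on a copy of the table."""
    return delete_martian(table, prefix, match_type) + [(prefix, match_type, allow)]

def delete_martian(table, prefix, match_type):
    """Model 'delete routing-options martians <prefix> <match>' on a copy of the table."""
    return [e for e in table if (e[0], e[1]) != (prefix, match_type)]

if __name__ == "__main__":
    # The page's ISP scenario: RFC 1918 space is NOT a martian by default, so a leaked
    # 10.x.x.x prefix is accepted until an orlonger entry is added for it.
    for p in ["0.0.0.0/0", "127.0.0.1/32", "224.0.0.0/8", "224.0.0.0/24", "10.1.2.0/24"]:
        print(f"{p:16} martian by default: {is_martian(p)}")
    hardened = set_martian(DEFAULT_MARTIANS, "10.0.0.0/8", "orlonger")
    print("10.1.2.0/24 after adding 10.0.0.0/8 orlonger:", is_martian("10.1.2.0/24", hardened))
```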

Summary

In summary, this article described the concept of martian routes and how to configure them on a Juniper device. I hope you’ve enjoyed this gentle probe into martians, it’s been proper bo I tell thee – see you again next time!