diff options
author | job <job@cvs.openbsd.org> | 2018-08-28 17:52:17 +0000 |
---|---|---|
committer | job <job@cvs.openbsd.org> | 2018-08-28 17:52:17 +0000 |
commit | e16df1ea333ca945d55f4fcb4477acf16a31ca17 (patch) | |
tree | cbfe5ba4a90a648adbca3afe221aa385977f3706 | |
parent | e418eeab8fc78dd11ed4b3ef2c60156a2193a361 (diff) |
Unclutter bgpd.conf example config file
We're aiming to work towards an examples/bgpd.conf file that is a good starting
point for real world deployments rather than a showcase of all capabilities
bgpd(8) has.
OK deraadt@ claudio@
-rw-r--r-- | etc/examples/bgpd.conf | 228 |
1 files changed, 93 insertions, 135 deletions
diff --git a/etc/examples/bgpd.conf b/etc/examples/bgpd.conf index 2289db5e957..d0765d1b642 100644 --- a/etc/examples/bgpd.conf +++ b/etc/examples/bgpd.conf @@ -1,163 +1,121 @@ -# $OpenBSD: bgpd.conf,v 1.10 2018/06/21 15:57:04 job Exp $ -# sample bgpd configuration file -# see bgpd.conf(5) +# $OpenBSD: bgpd.conf,v 1.11 2018/08/28 17:52:16 job Exp $ +# example bgpd configuration file, see bgpd.conf(5) -#macros +# define our own ASN as a macro ASN="65001" -peer1="10.1.0.2" -peer2="10.1.0.3" # global configuration AS $ASN -router-id 10.0.0.1 -# holdtime 180 -# holdtime min 3 -# listen on 127.0.0.1 -# listen on ::1 -# fib-update no -# route-collector no -# log updates - -# prefix set of networks that may be announced -prefix-set mynetworks { 192.0.2.0/24 } - -# Announce networks, tag them with a large community to ease filtering -# network 192.0.2.0/24 set large-community $ASN:1:1 -# network static set large-community $ASN:1:2 - -# restricted socket for bgplg(8) -# socket "/var/www/run/bgpd.rsock" restricted - -# neighbors and peers -group "peering AS65002" { - remote-as 65002 - neighbor $peer1 { - descr "AS 65001 peer 1" - tcp md5sig password mekmitasdigoat - } - neighbor $peer2 { - descr "AS 65001 peer 2" - local-address 10.0.0.8 - ipsec esp ike - } +router-id 192.0.2.1 + +# Generate routes for the networks our ASN will originate. +# The communities (read 'tags') are later used to match on what +# is announced to EBGP neighbors +network 192.0.2.0/24 set large-community $ASN:1:1 +network 2001:db8:abcd::/48 set large-community $ASN:1:1 + +# list of networks that may be originated by our ASN +prefix-set mynetworks { \ + 192.0.2.0/24 \ + 2001:db8:abcd::/48 \ } -group "peering AS65042" { - descr "peering AS 65042" - remote-as 65042 - local-address 10.0.0.8 - ipsec ah ike - neighbor 10.2.0.1 - neighbor 10.2.0.2 +# this prefix-set is used to protect against accepting +# hijacks of our own originated address space +prefix-set mynetworks_orlonger { \ + 192.0.2.0/24 or-longer \ + 2001:db8:abcd::/48 or-longer \ } -neighbor 10.0.1.0 { - remote-as 65003 - descr upstream - multihop 2 - local-address 10.0.0.8 - passive - holdtime 180 - holdtime min 3 - export none - tcp md5sig key deadbeef +# assume simple network with 3 routers in IBGP full mesh +group "ibgp mesh v4" { + remote-as $ASN + # use loopback for IBGP sessions, assume its distributed in OSPF + local-address 192.0.2.1 + neighbor 192.0.2.2 # router 2 ipv4 + neighbor 192.0.2.3 # router 3 ipv4 } - -neighbor 10.0.2.0 { - remote-as 65004 - descr upstream2 - local-address 10.0.0.8 - ipsec ah ike +# define the IPv6 IBGP sessions +group "ibgp mesh v6" { + remote-as $ASN + local-address 2001:db8:abcd::1 + neighbor 2001:db8:abcd::2 # router 2 ipv6 + neighbor 2001:db8:abcd::3 # router 3 ipv6 } -neighbor 10.0.0.0/24 { - descr "template for local peers" - enforce neighbor-as no +# upstream providers +group "upstreams" { + neighbor 203.0.113.1 { + remote-as 65002 + descr "IPv4 Transit Provider A" + } + neighbor 198.51.100.0 { + remote-as 65123 + descr "IPv4 Transit provider B" + } + neighbor 2001:db8:666::2 { + remote-as 65123 + descr "IPv6 Transit provider B" + } } -neighbor 10.2.1.1 { - remote-as 65023 - local-address 10.0.0.8 - ipsec esp in spi 1010 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \ - aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e - ipsec esp out spi 1012 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \ - aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b -} +## rules section + +# uncomment the following two lines to accept a default route from upstreams +#allow from group upstreams prefix 0.0.0.0/0 +#allow from group upstreams prefix ::/0 + +### for simple BGP setups, no editing below this line is required ### + +# Outbound EBGP: only allow self originated networks to ebgp peers +# Don't leak any routes from upstream or peering sessions. This is done +# by checking for routes that are tagged with the large-community $ASN:1:1 +allow to ebgp prefix-set mynetworks large-community $ASN:1:1 -## -## inbound rules: default is deny -## +# deny more-specifics of our own originated prefixes +deny quick from ebgp prefix-set mynetworks_orlonger -# IBGP: allow all updates from our neighbors +# IBGP: allow all updates to and from our IBGP neighbors allow from ibgp +allow to ibgp + +# Scrub normal and large communities relevant to our ASN from EBGP neighbors +# https://tools.ietf.org/html/rfc7454#section-11 +match from ebgp set { community delete $ASN:* } +match from ebgp set { large-community delete $ASN:*:* } # filter out prefixes longer than 24 or shorter than 8 bits for IPv4 # and longer than 48 or shorter than 16 bits for IPv6. allow from any inet prefixlen 8 - 24 allow from any inet6 prefixlen 16 - 48 -# accept a default route (since the previous rule blocks this) -#allow from any prefix 0.0.0.0/0 -#allow from any prefix ::/0 - # Honor requests to gracefully shutdown BGP sessions -# https://tools.ietf.org/html/draft-ietf-grow-bgp-gshut +# https://tools.ietf.org/html/rfc8326 match from any community GRACEFUL_SHUTDOWN set { localpref 0 } -# https://www.arin.net/announcements/2014/20140130.html -# This block will be subject to a minimum size allocation of /28 and a -# maximum size allocation of /24. ARIN should use sparse allocation when -# possible within that /10 block. -allow from any prefix 23.128.0.0/10 prefixlen 24 - 28 # ARIN IPv6 transition - -# filter bogus networks according to RFC5735 -deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122] -deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918] -deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598] -deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122] -deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927] -deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918] -deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737] -deny from any prefix 192.88.99.0/24 prefixlen >= 24 # 6to4 anycast [RFC7526] -deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918] -deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544] -deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737] -deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737] -deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast -deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved - -# filter bogus IPv6 networks according to IANA -deny from any prefix ::/8 prefixlen >= 8 -deny from any prefix 0100::/64 prefixlen >= 64 # Discard-Only [RFC6666] -deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180] -deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843] -deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849] -deny from any prefix 2002::/16 prefixlen >= 16 # 6to4 anycast [RFC7526] -deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone -deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast -deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast -deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast -deny from any prefix ff00::/8 prefixlen >= 8 # multicast +# See http://bgpfilterguide.nlnog.net/guides/bogon_prefixes/ for +# an elaboration why each prefix is a bogon +prefix-set bogons { \ + 0.0.0.0/8 or-longer, 10.0.0.0/8 or-longer, \ + 100.64.0.0/10 or-longer, 127.0.0.0/8 or-longer, \ + 169.254.0.0/16 or-longer, 172.16.0.0/12 or-longer, \ + 192.0.2.0/24 or-longer, 192.88.99.0/24 or-longer, \ + 192.168.0.0/16 or-longer, 198.18.0.0/15 or-longer, \ + 198.51.100.0/24 or-longer, 203.0.113.0/24 or-longer, \ + 224.0.0.0/4 or-longer, 240.0.0.0/4 or-longer, \ + ::/8 or-longer, 0100::/64 or-longer, \ + 2001:2::/48 or-longer, 2001:10::/28 or-longer, \ + 2001:db8::/32 or-longer, 2002::/16 or-longer, \ + 3ffe::/16 or-longer, fc00::/7 or-longer, \ + fe80::/10 or-longer, fec0::/10 or-longer, \ + ff00::/8 or-longer \ +} +# use above prefix-set to reject the bogons +deny quick from any prefix-set bogons # filter bogon AS numbers -# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml -deny from any AS 23456 # AS_TRANS -deny from any AS 64496 - 64511 # Reserved for use in docs and code RFC5398 -deny from any AS 64512 - 65534 # Reserved for Private Use RFC6996 -deny from any AS 65535 # Reserved RFC7300 -deny from any AS 65536 - 65551 # Reserved for use in docs and code RFC5398 -deny from any AS 65552 - 131071 # Reserved -deny from any AS 4200000000 - 4294967294 # Reserved for Private Use RFC6996 -deny from any AS 4294967295 # Reserved RFC7300 - -## -## outbound rules: default is deny -## - -# IBGP: allow all updates to our neighbors -allow to ibgp - -# EBGP: only allow self originated networks to ebgp peers -# Don't leak any routes from upstream or peering sessions. This is done -# by checking for routes that are tagged with the large-community $ASN:1:1 -allow to ebgp prefix-set mynetworks large-community $ASN:1:1 +# see http://bgpfilterguide.nlnog.net/guides/bogon_asns/ for more +# information why these ASNs are bogons. +deny quick from any AS 23456 +deny quick from any AS 64496 - 131071 +deny quick from any AS 4200000000 - 4294967295 |