summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjob <job@cvs.openbsd.org>2018-08-28 17:52:17 +0000
committerjob <job@cvs.openbsd.org>2018-08-28 17:52:17 +0000
commite16df1ea333ca945d55f4fcb4477acf16a31ca17 (patch)
treecbfe5ba4a90a648adbca3afe221aa385977f3706
parente418eeab8fc78dd11ed4b3ef2c60156a2193a361 (diff)
Unclutter bgpd.conf example config file
We're aiming to work towards an examples/bgpd.conf file that is a good starting point for real world deployments rather than a showcase of all capabilities bgpd(8) has. OK deraadt@ claudio@
-rw-r--r--etc/examples/bgpd.conf228
1 files changed, 93 insertions, 135 deletions
diff --git a/etc/examples/bgpd.conf b/etc/examples/bgpd.conf
index 2289db5e957..d0765d1b642 100644
--- a/etc/examples/bgpd.conf
+++ b/etc/examples/bgpd.conf
@@ -1,163 +1,121 @@
-# $OpenBSD: bgpd.conf,v 1.10 2018/06/21 15:57:04 job Exp $
-# sample bgpd configuration file
-# see bgpd.conf(5)
+# $OpenBSD: bgpd.conf,v 1.11 2018/08/28 17:52:16 job Exp $
+# example bgpd configuration file, see bgpd.conf(5)
-#macros
+# define our own ASN as a macro
ASN="65001"
-peer1="10.1.0.2"
-peer2="10.1.0.3"
# global configuration
AS $ASN
-router-id 10.0.0.1
-# holdtime 180
-# holdtime min 3
-# listen on 127.0.0.1
-# listen on ::1
-# fib-update no
-# route-collector no
-# log updates
-
-# prefix set of networks that may be announced
-prefix-set mynetworks { 192.0.2.0/24 }
-
-# Announce networks, tag them with a large community to ease filtering
-# network 192.0.2.0/24 set large-community $ASN:1:1
-# network static set large-community $ASN:1:2
-
-# restricted socket for bgplg(8)
-# socket "/var/www/run/bgpd.rsock" restricted
-
-# neighbors and peers
-group "peering AS65002" {
- remote-as 65002
- neighbor $peer1 {
- descr "AS 65001 peer 1"
- tcp md5sig password mekmitasdigoat
- }
- neighbor $peer2 {
- descr "AS 65001 peer 2"
- local-address 10.0.0.8
- ipsec esp ike
- }
+router-id 192.0.2.1
+
+# Generate routes for the networks our ASN will originate.
+# The communities (read 'tags') are later used to match on what
+# is announced to EBGP neighbors
+network 192.0.2.0/24 set large-community $ASN:1:1
+network 2001:db8:abcd::/48 set large-community $ASN:1:1
+
+# list of networks that may be originated by our ASN
+prefix-set mynetworks { \
+ 192.0.2.0/24 \
+ 2001:db8:abcd::/48 \
}
-group "peering AS65042" {
- descr "peering AS 65042"
- remote-as 65042
- local-address 10.0.0.8
- ipsec ah ike
- neighbor 10.2.0.1
- neighbor 10.2.0.2
+# this prefix-set is used to protect against accepting
+# hijacks of our own originated address space
+prefix-set mynetworks_orlonger { \
+ 192.0.2.0/24 or-longer \
+ 2001:db8:abcd::/48 or-longer \
}
-neighbor 10.0.1.0 {
- remote-as 65003
- descr upstream
- multihop 2
- local-address 10.0.0.8
- passive
- holdtime 180
- holdtime min 3
- export none
- tcp md5sig key deadbeef
+# assume simple network with 3 routers in IBGP full mesh
+group "ibgp mesh v4" {
+ remote-as $ASN
+ # use loopback for IBGP sessions, assume its distributed in OSPF
+ local-address 192.0.2.1
+ neighbor 192.0.2.2 # router 2 ipv4
+ neighbor 192.0.2.3 # router 3 ipv4
}
-
-neighbor 10.0.2.0 {
- remote-as 65004
- descr upstream2
- local-address 10.0.0.8
- ipsec ah ike
+# define the IPv6 IBGP sessions
+group "ibgp mesh v6" {
+ remote-as $ASN
+ local-address 2001:db8:abcd::1
+ neighbor 2001:db8:abcd::2 # router 2 ipv6
+ neighbor 2001:db8:abcd::3 # router 3 ipv6
}
-neighbor 10.0.0.0/24 {
- descr "template for local peers"
- enforce neighbor-as no
+# upstream providers
+group "upstreams" {
+ neighbor 203.0.113.1 {
+ remote-as 65002
+ descr "IPv4 Transit Provider A"
+ }
+ neighbor 198.51.100.0 {
+ remote-as 65123
+ descr "IPv4 Transit provider B"
+ }
+ neighbor 2001:db8:666::2 {
+ remote-as 65123
+ descr "IPv6 Transit provider B"
+ }
}
-neighbor 10.2.1.1 {
- remote-as 65023
- local-address 10.0.0.8
- ipsec esp in spi 1010 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
- aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
- ipsec esp out spi 1012 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
- aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
-}
+## rules section
+
+# uncomment the following two lines to accept a default route from upstreams
+#allow from group upstreams prefix 0.0.0.0/0
+#allow from group upstreams prefix ::/0
+
+### for simple BGP setups, no editing below this line is required ###
+
+# Outbound EBGP: only allow self originated networks to ebgp peers
+# Don't leak any routes from upstream or peering sessions. This is done
+# by checking for routes that are tagged with the large-community $ASN:1:1
+allow to ebgp prefix-set mynetworks large-community $ASN:1:1
-##
-## inbound rules: default is deny
-##
+# deny more-specifics of our own originated prefixes
+deny quick from ebgp prefix-set mynetworks_orlonger
-# IBGP: allow all updates from our neighbors
+# IBGP: allow all updates to and from our IBGP neighbors
allow from ibgp
+allow to ibgp
+
+# Scrub normal and large communities relevant to our ASN from EBGP neighbors
+# https://tools.ietf.org/html/rfc7454#section-11
+match from ebgp set { community delete $ASN:* }
+match from ebgp set { large-community delete $ASN:*:* }
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6.
allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48
-# accept a default route (since the previous rule blocks this)
-#allow from any prefix 0.0.0.0/0
-#allow from any prefix ::/0
-
# Honor requests to gracefully shutdown BGP sessions
-# https://tools.ietf.org/html/draft-ietf-grow-bgp-gshut
+# https://tools.ietf.org/html/rfc8326
match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
-# https://www.arin.net/announcements/2014/20140130.html
-# This block will be subject to a minimum size allocation of /28 and a
-# maximum size allocation of /24. ARIN should use sparse allocation when
-# possible within that /10 block.
-allow from any prefix 23.128.0.0/10 prefixlen 24 - 28 # ARIN IPv6 transition
-
-# filter bogus networks according to RFC5735
-deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122]
-deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918]
-deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598]
-deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122]
-deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927]
-deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918]
-deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737]
-deny from any prefix 192.88.99.0/24 prefixlen >= 24 # 6to4 anycast [RFC7526]
-deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918]
-deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544]
-deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737]
-deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737]
-deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast
-deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved
-
-# filter bogus IPv6 networks according to IANA
-deny from any prefix ::/8 prefixlen >= 8
-deny from any prefix 0100::/64 prefixlen >= 64 # Discard-Only [RFC6666]
-deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180]
-deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
-deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
-deny from any prefix 2002::/16 prefixlen >= 16 # 6to4 anycast [RFC7526]
-deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
-deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
-deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
-deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
-deny from any prefix ff00::/8 prefixlen >= 8 # multicast
+# See http://bgpfilterguide.nlnog.net/guides/bogon_prefixes/ for
+# an elaboration why each prefix is a bogon
+prefix-set bogons { \
+ 0.0.0.0/8 or-longer, 10.0.0.0/8 or-longer, \
+ 100.64.0.0/10 or-longer, 127.0.0.0/8 or-longer, \
+ 169.254.0.0/16 or-longer, 172.16.0.0/12 or-longer, \
+ 192.0.2.0/24 or-longer, 192.88.99.0/24 or-longer, \
+ 192.168.0.0/16 or-longer, 198.18.0.0/15 or-longer, \
+ 198.51.100.0/24 or-longer, 203.0.113.0/24 or-longer, \
+ 224.0.0.0/4 or-longer, 240.0.0.0/4 or-longer, \
+ ::/8 or-longer, 0100::/64 or-longer, \
+ 2001:2::/48 or-longer, 2001:10::/28 or-longer, \
+ 2001:db8::/32 or-longer, 2002::/16 or-longer, \
+ 3ffe::/16 or-longer, fc00::/7 or-longer, \
+ fe80::/10 or-longer, fec0::/10 or-longer, \
+ ff00::/8 or-longer \
+}
+# use above prefix-set to reject the bogons
+deny quick from any prefix-set bogons
# filter bogon AS numbers
-# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
-deny from any AS 23456 # AS_TRANS
-deny from any AS 64496 - 64511 # Reserved for use in docs and code RFC5398
-deny from any AS 64512 - 65534 # Reserved for Private Use RFC6996
-deny from any AS 65535 # Reserved RFC7300
-deny from any AS 65536 - 65551 # Reserved for use in docs and code RFC5398
-deny from any AS 65552 - 131071 # Reserved
-deny from any AS 4200000000 - 4294967294 # Reserved for Private Use RFC6996
-deny from any AS 4294967295 # Reserved RFC7300
-
-##
-## outbound rules: default is deny
-##
-
-# IBGP: allow all updates to our neighbors
-allow to ibgp
-
-# EBGP: only allow self originated networks to ebgp peers
-# Don't leak any routes from upstream or peering sessions. This is done
-# by checking for routes that are tagged with the large-community $ASN:1:1
-allow to ebgp prefix-set mynetworks large-community $ASN:1:1
+# see http://bgpfilterguide.nlnog.net/guides/bogon_asns/ for more
+# information why these ASNs are bogons.
+deny quick from any AS 23456
+deny quick from any AS 64496 - 131071
+deny quick from any AS 4200000000 - 4294967295