# $OpenBSD: bgpd.conf,v 1.3 2015/09/11 18:59:00 sthen Exp $ # sample bgpd configuration file # see bgpd.conf(5) #macros peer1="10.1.0.2" peer2="10.1.0.3" # global configuration AS 65001 router-id 10.0.0.1 # holdtime 180 # holdtime min 3 # listen on 127.0.0.1 # listen on ::1 # fib-update no # route-collector no # log updates # network 10.0.1.0/24 # restricted socket for bgplg(8) # socket "/var/www/run/bgpd.rsock" restricted # neighbors and peers group "peering AS65002" { remote-as 65002 neighbor $peer1 { descr "AS 65001 peer 1" announce self tcp md5sig password mekmitasdigoat } neighbor $peer2 { descr "AS 65001 peer 2" announce all local-address 10.0.0.8 ipsec esp ike } } group "peering AS65042" { descr "peering AS 65042" local-address 10.0.0.8 ipsec ah ike neighbor 10.2.0.1 neighbor 10.2.0.2 } neighbor 10.0.1.0 { remote-as 65003 descr upstream multihop 2 local-address 10.0.0.8 passive holdtime 180 holdtime min 3 announce none tcp md5sig key deadbeef } neighbor 10.0.2.0 { remote-as 65004 descr upstream2 local-address 10.0.0.8 ipsec ah ike } neighbor 10.0.0.0/24 { descr "template for local peers" } neighbor 10.2.1.1 { remote-as 65023 local-address 10.0.0.8 ipsec esp in spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \ aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \ aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b } # filter out prefixes longer than 24 or shorter than 8 bits for IPv4 # and longer than 48 or shorter than 16 bits for IPv6. deny from any allow from any inet prefixlen 8 - 24 allow from any inet6 prefixlen 16 - 48 # accept a default route (since the previous rule blocks this) #allow from any prefix 0.0.0.0/0 #allow from any prefix ::/0 # https://www.arin.net/announcements/2014/20140130.html # This block will be subject to a minimum size allocation of /28 and a # maximum size allocation of /24. ARIN should use sparse allocation when # possible within that /10 block. allow from any prefix 23.128.0.0/10 prefixlen 24 - 28 # ARIN IPv6 transition # filter bogus networks according to RFC5735 deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122] deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918] deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598] deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122] deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927] deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918] deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737] deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918] deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544] deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737] deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737] deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved # filter bogus IPv6 networks according to IANA deny from any prefix ::/8 prefixlen >= 8 deny from any prefix 0100::/64 prefixlen >= 64 # Discard-Only [RFC6666] deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180] deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843] deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849] deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast deny from any prefix ff00::/8 prefixlen >= 8 # multicast