summaryrefslogtreecommitdiff
path: root/etc/bgpd.conf
blob: 977cbb0c52b5a1440b82fbf67e1aa644a6d1dc0c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# $OpenBSD: bgpd.conf,v 1.14 2013/06/02 14:11:38 florian Exp $
# sample bgpd configuration file
# see bgpd.conf(5)

#macros
peer1="10.1.0.2"
peer2="10.1.0.3"

# global configuration
AS 65001
router-id 10.0.0.1
# holdtime 180
# holdtime min 3
# listen on 127.0.0.1
# listen on ::1
# fib-update no
# route-collector no
# log updates
# network 10.0.1.0/24

# restricted socket for bgplg(8)
# socket "/var/www/run/bgpd.rsock" restricted

# neighbors and peers
group "peering AS65002" {
	remote-as 65002
	neighbor $peer1 {
		descr	"AS 65001 peer 1"
		announce self
		tcp md5sig password mekmitasdigoat
	}
	neighbor $peer2 {
		descr "AS 65001 peer 2"
		announce all
		local-address 10.0.0.8
		ipsec esp ike
	}
}

group "peering AS65042" {
	descr "peering AS 65042"
	local-address 10.0.0.8
	ipsec ah ike
	neighbor 10.2.0.1
	neighbor 10.2.0.2
}

neighbor 10.0.1.0 {
	remote-as	65003
	descr		upstream
	multihop	2
	local-address	10.0.0.8
	passive
	holdtime	180
	holdtime min	3
	announce	none
	tcp md5sig key	deadbeef
}

neighbor 10.0.2.0 {
	remote-as	65004
	descr		upstream2
	local-address	10.0.0.8
	ipsec ah ike
}

neighbor 10.0.0.0/24 {
	descr		"template for local peers"
}

neighbor 10.2.1.1 {
	remote-as 65023
	local-address 10.0.0.8
	ipsec esp in  spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
	    aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
	ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
	    aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
}

# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6.
deny from any
allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48

# accept a default route (since the previous rule blocks this)
#allow from any prefix 0.0.0.0/0

# filter bogus networks according to RFC5735
deny from any prefix 0.0.0.0/8 prefixlen >= 8		# 'this' network [RFC1122]
deny from any prefix 10.0.0.0/8 prefixlen >= 8		# private space [RFC1918]
deny from any prefix 100.64.0.0/10 prefixlen >= 10	# CGN Shared [RFC6598]
deny from any prefix 127.0.0.0/8 prefixlen >= 8 	# localhost [RFC1122]
deny from any prefix 169.254.0.0/16 prefixlen >= 16	# link local [RFC3927]
deny from any prefix 172.16.0.0/12 prefixlen >= 12	# private space [RFC1918]
deny from any prefix 192.0.2.0/24 prefixlen >= 24	# TEST-NET-1 [RFC5737]
deny from any prefix 192.168.0.0/16 prefixlen >= 16	# private space [RFC1918]
deny from any prefix 198.18.0.0/15 prefixlen >= 15	# benchmarking [RFC2544]
deny from any prefix 198.51.100.0/24 prefixlen >= 24	# TEST-NET-2 [RFC5737]
deny from any prefix 203.0.113.0/24 prefixlen >= 24	# TEST-NET-3 [RFC5737]
deny from any prefix 224.0.0.0/4 prefixlen >= 4 	# multicast
deny from any prefix 240.0.0.0/4 prefixlen >= 4 	# reserved

# filter bogus IPv6 networks according to IANA
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 2001:2::/48 prefixlen >= 48	# BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28	# ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32	# docu range [RFC3849]
deny from any prefix 3ffe::/16 prefixlen >= 16		# old 6bone
deny from any prefix fc00::/7 prefixlen >= 7		# unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10		# link local unicast
deny from any prefix fec0::/10 prefixlen >= 10		# old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8		# multicast