blob: 89de1a9e994591b9eaeef10d1a41377007ed0bf9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
# $OpenBSD: bgpd.conf,v 1.21 2021/02/02 00:34:03 danj Exp $
# example bgpd configuration file, see bgpd.conf(5)
# define our own ASN as a macro
ASN="65001"
# global configuration
AS $ASN
router-id 192.0.2.1
# list of networks that may be originated by our ASN
prefix-set mynetworks {
192.0.2.0/24
2001:db8:abcd::/48
}
include "/var/db/rpki-client/openbgpd"
# define bogon prefixes which should not be part of the DFZ
prefix-set bogons {
0.0.0.0/8 or-longer # 'this' network [RFC1122]
10.0.0.0/8 or-longer # private space [RFC1918]
100.64.0.0/10 or-longer # CGN Shared [RFC6598]
127.0.0.0/8 or-longer # localhost [RFC1122]
169.254.0.0/16 or-longer # link local [RFC3927]
172.16.0.0/12 or-longer # private space [RFC1918]
192.0.2.0/24 or-longer # TEST-NET-1 [RFC5737]
192.88.99.0/24 or-longer # 6to4 anycast relay [RFC7526]
192.168.0.0/16 or-longer # private space [RFC1918]
198.18.0.0/15 or-longer # benchmarking [RFC2544]
198.51.100.0/24 or-longer # TEST-NET-2 [RFC5737]
203.0.113.0/24 or-longer # TEST-NET-3 [RFC5737]
224.0.0.0/4 or-longer # multicast
240.0.0.0/4 or-longer # reserved for future use
::/8 or-longer # RFC 4291 IPv4-compatible, loopback, et al
0100::/64 or-longer # Discard-Only [RFC6666]
2001:2::/48 or-longer # BMWG [RFC5180]
2001:10::/28 or-longer # ORCHID [RFC4843]
2001:db8::/32 or-longer # docu range [RFC3849]
2002::/16 or-longer # 6to4 anycast relay [RFC7526]
3ffe::/16 or-longer # old 6bone
fc00::/7 or-longer # unique local unicast
fe80::/10 or-longer # link local unicast
fec0::/10 or-longer # old site local unicast
ff00::/8 or-longer # multicast
}
# Generate routes for the networks our ASN will originate.
# The communities (read 'tags') are later used to match on what
# is announced to EBGP neighbors
network prefix-set mynetworks set large-community $ASN:1:1
# assume simple network with 3 routers in IBGP full mesh
group "ibgp mesh" {
remote-as $ASN
# use loopback for IBGP sessions, assume it's distributed in OSPF
local-address 192.0.2.1
local-address 2001:db8:abcd::1
neighbor 192.0.2.2 # router 2 ipv4
neighbor 2001:db8:abcd::2 # router 2 ipv6
neighbor 192.0.2.3 # router 3 ipv4
neighbor 2001:db8:abcd::3 # router 3 ipv6
}
# upstream providers
group "upstreams" {
neighbor 203.0.113.1 {
remote-as 65002
descr "upstream1"
}
neighbor 198.51.100.0 {
remote-as 65123
descr "upstream2-4"
}
neighbor 2001:db8:666::2 {
remote-as 65123
descr "upstream2-6"
}
}
## rules section
# uncomment the following two lines to accept a default route from upstreams
#allow from group upstreams prefix 0.0.0.0/0
#allow from group upstreams prefix ::/0
### for simple BGP setups, no editing below this line is required ###
# Outbound EBGP: only allow self originated networks to ebgp peers
# Don't leak any routes from upstream or peering sessions. This is done
# by checking for routes that are tagged with the large-community $ASN:1:1
allow to ebgp prefix-set mynetworks large-community $ASN:1:1
# deny more-specifics of our own originated prefixes
deny quick from ebgp prefix-set mynetworks or-longer
# IBGP: allow all updates to and from our IBGP neighbors
allow from ibgp
allow to ibgp
# Scrub normal and large communities relevant to our ASN from EBGP neighbors
# https://tools.ietf.org/html/rfc7454#section-11
match from ebgp set { community delete $ASN:* }
match from ebgp set { large-community delete $ASN:*:* }
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6.
allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48
# Honor requests to gracefully shutdown BGP sessions
# https://tools.ietf.org/html/rfc8326
match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
deny quick from any prefix-set bogons
# deny RPKI invalid, built by rpki-client(8), see root crontab
deny quick from ebgp ovs invalid
# filter bogon AS numbers
# AS_TRANS (23456) is not supposed to show up in any path and indicates a
# misconfiguration. Additionally Private or Reserved ASNs have no place in
# the public DFZ. https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
deny quick from any AS 23456
deny quick from any AS 64496 - 131071
deny quick from any AS 4200000000 - 4294967295
# filter out too long paths
deny from any max-as-len 100
|