path: root/usr.sbin/bgpd/bgpd.conf.5

.\" $OpenBSD: bgpd.conf.5,v 1.27 2004/05/23 23:05:31 jmc Exp $
.\"
.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd March 10, 2004
.Dt BGPD.CONF 5
.Os
.Sh NAME
.Nm bgpd.conf
.Nd Border Gateway Protocol daemon configuration file
.Sh DESCRIPTION
The
.Ar bgpd
daemon implements the Border Gateway Protocol version 4 as described
in RFC 1771.
.Sh SECTIONS
The
.Nm
config file is divided into four main sections.
.Bl -tag -width xxxx
.It Cm Macros
User-defined variables may be defined and used later, simplifying the
configuration file.
.It Cm Global configuration
Global settings for the bgpd daemon.
.It Cm Neighbors and Groups
.Ar bgpd
establishes sessions with
.Ar neighbors .
The neighbor definition and properties are set in this section, as well as
grouping neighbors for the ease of configuration.
.It Cm Filter
Filter rules for incoming and outgoing
.Em UPDATES .
.El
.Pp
With the exception of
.Cm macros
the sections should be grouped and appear in
.Nm
in the order shown above.
.Sh MACROS
Much like
.Xr cpp 1
or
.Xr m4 1 ,
macros can be defined that will later be expanded in context.
Macro names must start with a letter, and may contain letters, digits
and underscores.
Macro names may not be reserved words (for example
.Ar AS ,
.Ar neighbor ,
.Ar group ) .
Macros are not expanded inside quotes.
.Pp
For example,
.Bd -literal -offset indent
c7206="1.2.3.4"
neighbor $c7206 {
	remote-as 65001
}
.Ed
.Sh GLOBAL CONFIGURATION
There are quite a few settings that affect the operation of the
.Ar bgpd
daemon globally.
.Bl -tag -width xxxxxxxx
.It Ar AS
Set the local Autonomous System number.
The AS numbers are assigned by local RIRs, such as
.Pp
.Bl -tag -width xxxxx -compact
.It Ar RIPE
for Europe,
.It Ar ARIN
for America and
.It Ar APNIC
for the Asian-Pacific region.
.El
.Pp
For example,
.Bd -literal -offset indent
AS 65001
.Ed
.Pp
sets the local
.Ar AS
to 65001.
.It Ar dump
.Ar bgpd
is capable of dumping the
.Em RIB ,
aka the Routing Information Base and all
.Em bgp
messages in
.Em mrt
format.
Dumping the
.Em RIB
is normally an expensive operation, but it should not influence the session
handling.
Dumping too often may result in a slow update speed.
.Pp
This will dump all 300 seconds of the
.Em RIB
table to the
.Xr strftime 3
expanded filename.
The timeout is optional.
.Bd -literal -offset indent
dump table "/tmp/rib-dump-%H%M" 300
.Ed
.Pp
Similar to the table dump but this time all
.Em bgp
messages and
.Em state
transitions are dumped to the specified file:
.Bd -literal -offset indent
dump all in "/tmp/all-in-%H%M" 300
.Ed
.Pp
As before, but only the
.Em UPDATE
messages are dumped to the file:
.Bd -literal -offset indent
dump updates in "/tmp/updates-in-%H%M" 300
.Ed
.Pp
It is also possible to dump outgoing messages:
.Bd -literal -offset indent
dump all out "/tmp/all-out-%H%M" 300
.Ed
.Pp
or
.Bd -literal -offset indent
dump updates out "/tmp/updates-out-%H%M" 300
.Ed
.It Ar fib-update
If set to
.Em no ,
do not update the Forward Information Base aka the kernel
routing table.
The default is
.Em yes .
.It Ar holdtime
Sets the holdtime in seconds.
The holdtime is reset to its initial value every time either a
.Em KEEPALIVE
or an
.Em UPDATE
message is received from the neighbor.
If the holdtime expires the session is dropped.
The default is 90 seconds.
Neighboring systems negotiate the holdtime used when the connection is
established in the
.Em OPEN
messages.
Each neighbor announces its configured holdtime, the smaller one is
then agreed on.
.It Ar holdtime min
The minimal accepted holdtime in seconds.
Must be greater or equal to 3.
.It Ar listen on
Specify the local IP address the
.Ar bgpd
daemon should listen on.
.Bd -literal -offset indent
listen on 127.0.0.1
.Ed
.It Ar log updates
Log received and sent updates.
.It Ar network
Announce the specified network as belonging to our
.Em AS .
.Bd -literal -offset indent
network 192.168.7.0/24
.Ed
.Pp
It is possible to set default
.Em AS path attributes
per
.Ar network
statement:
.Bd -literal -offset indent
network 192.168.7.0/24 set localpref 220
.Ed
.Pp
See also the
.Sx ATTRIBUTE SET
section.
.It Ar route-collector
If set to
.Em yes ,
the route selection process is turned off.
The default is
.Em no .
.It Ar router-id
Set the router id to the given IP address which must be local to the
machine.
.Bd -literal -offset indent
router-id 10.0.0.1
.Ed
.Pp
If not given the bgp id is determined as the biggest IP address assigned
to the local machine.
.El
.Sh NEIGHBORS AND GROUPS
.Ar bgpd
establishes TCP connections to other BGP speakers, called neighbors.
Each neighbor is specified by a neighbor section, specifying properties for
that neighbor:
.Bd -literal -offset indent
neighbor 10.0.0.2 {
	remote-as 65002
	descr "a neighbor"
}
.Ed
.Pp
Multiple neighbors can be grouped together by a group section.
Each neighbor statement within the group section inherits all properties
from the group section.
.Bd -literal -offset indent
group "peering AS65002" {
	remote-as 65002
	neighbor 10.0.0.2 {
		descr "AS65002-p1"
	}
	neighbor 10.0.0.3 {
		descr "AS65002-p2"
	}
}
.Ed
.Pp
Instead of the neighbor's IP address an address/netmask pair may be given.
.Bd -literal -offset indent
neighbor 10.0.0.0/8
.Ed
.Pp
In this case, the neighbor specification becomes a
.Em template ,
and if a neighbor connects from an IP address within the given network,
the template is
.Em cloned ,
inheriting everything from the template but the remote address which is
replaced by the connecting neighbor's address.
With a template specification it is valid to omit
.Ar remote-as ,
.Ar bgpd
will accept any AS the neighbor presents in the
.Em OPEN
message then.
.Pp
There are several neighbor properties:
.Bl -tag -width xxxxxxxx
.It Ar announce
If set to
.Em none ,
no
.Em UPDATE
messages will be sent to the neighbor.
If set to
.Em all ,
all generated
.Em UPDATE
messages will be sent to the neighbor.
This is usually used for transit
.Em AS's
and
.Em IBGP
peers.
The default value
for
.Em EBGP
peers is
.Em self
which limits the sent
.Em UPDATE
messages to announcements of the local
.Em AS .
The default for
.Em IBGP
peers is
.Em all .
.It Ar descr
Add a description.
The description is used when logging neighbor events and in status
reports etc and has no further meaning to
.Ar bgpd .
.It Ar dump
Do a peer specific mrt dump.
Peer specific dumps are limited to
.Em all
and
.Em updates .
See also the
.Em dump
section in
.Sx GLOBAL CONFIGURATION .
.It Ar enforce neighbor-AS
If set to
.Em yes ,
.Em AS paths
whose
.Em leftmost AS
is not equal to the
.Em remote AS
of the
.Em neighbor
are rejected and a
.Em NOTIFICATION
is sent back.
The default value for
.Em IBGP
peers is
.Em no
otherwise the default is
.Em yes .
.It Ar holdtime
Set the holdtime in seconds.
Inherited from the global configuration if not given.
.It Ar holdtime min
Set the minimal acceptable holdtime.
Inherited from the global configuration if not given.
.It Ar ipsec (ah|esp) (in|out) spi <number> <authspec> [<encspec>]
Enable IPsec with static keying.
There have to be at least two "ipsec" statements per peer with manual
keying, one per direction.
.Ar authspec
specifies the authentication algorithm and key.
It can be
.Bd -literal -offset indent
sha1 <key>
md5 <key>
.Ed
.Pp
.Ar encspec
specifies the encryption algorithm and key.
.Ar ah
does not support encryption.
With
.Ar esp ,
encryption is optional.
.Ar encspec
can be
.Bd -literal -offset indent
3des <key>
3des-cbc <key>
aes <key>
aes-128-cbc <key>
.Ed
.Pp
Keys have to be given in hexadecimal format.
.It Ar ipsec (ah|esp) ike
Enable IPsec with dynamic keying.
In this mode,
.Ar bgpd
sets up the flows, and a key management daemon such as
.Xr isakmpd 8
is responsible for the session keys.
With
.Xr isakmpd 8 ,
it is sufficient to copy the peer's public key, found in
.Pa /etc/isakmpd/private/local.pub ,
to the local machine.
It has to be stored in a file
named after the peer's IP address and has to be stored in
.Pa /etc/isakmpd/pubkeys/ipv4/ .
The local public key has to be copied to the peer in the same way.
A simple
.Pa /etc/isakmpd/isakmpd.policy
file is needed as well; it can be as simple as
.Bd -literal -offset indent
Authorizer: "POLICY"
Comment: This bare-bones assertion accepts everything
.Ed
.Pp
After starting the
.Xr isakmpd 8
and
.Ar bgpd
daemons on both sides the session should be established.
.It Ar local-address
When
.Ar bgpd
initiates the TCP connection to the neighbor system, it normally does not
bind to a specific IP address.
If a local-address is given it binds
to this address before.
.It Ar max-prefix
Limit amount of prefixes received.
No such limit is imposed by default.
.It Ar multihop
Neighbors not in the same AS as the local
.Ar bgpd
normally have to be directly connected to the local machine.
If this is not the case, the
.Ar multihop
statement defines the maximum hops the neighbor may be away.
.It Ar passive
Do not attempt to actively open a TCP connection to the neighbor system.
.It Ar remote-as
Set the AS number of the remote system.
.It Ar route-reflector
Act as an RFC 2796 route-reflector for this neighbor.
An optional cluster id can be specified; otherwise the bgp id will be used.
.It Ar set
Set the
.Em AS path attributes
to some default per
.Ar neighbor
or
.Ar group
statement:
.Bd -literal -offset indent
set localpref 300
.Ed
.Pp
See also the
.Sx ATTRIBUTE SET
section.
.It Ar tcp md5sig
Enable TCP MD5 signatures per RFC 2385.
The shared secret can either be given as a password or hexadecimal key.
.Bd -literal -offset indent
tcp md5sig password mekmidasdigoat
tcp md5sig key deadbeef
.Ed
.El
.Sh FILTER
.Ar bgpd
has the ability to
.Ar allow
and
.Ar deny
.Em UPDATES
based on
.Em prefix
or
.Em AS path attributes .
In addition,
.Em UPDATES
may also be modified by filter rules.
.Pp
For each
.Em UPDATE
processed by the filter, the filter rules are evaluated in sequential order,
from first to last.
The last matching
.Ar allow
or
.Ar deny
rule decides what action is taken.
.Pp
The following actions can be used in the filter:
.Bl -tag -width xxxxxxxx
.It Ar allow
The
.Em UPDATE
is passed.
.It Ar deny
The
.Em UPDATE
is blocked.
.It Ar match
Apply the filter attribute set without influencing the filter decision.
.El
.Sh PARAMETERS
The rule parameters specify the
.Em UPDATES
to which a rule applies.
An
.Em UPDATE
always comes from, or goes to, one neighbor.
Most parameters are optional.
If a parameter is specified, the rule only applies to packets with
matching attributes.
.Pp
.Bl -tag -width xxxxxxxx -compact
.It Ar any
.It Ar <address>
.It Ar group <descr>
This rule applies only to
.Em UPDATES
coming from, or going to, this particular neighbor.
Neighbors can be matched against their address, the group description,
or the token
.Ar any
can be used to match any neighbor.
.Pp
.It Ar <astype> <asnum>
This rule applies only to
.Em UPDATES
where the
.Em AS path
matches.
The
.Ar <asnum>
is matched against a part of the
.Em AS path
specified by the
.Ar <astype> .
.Ar <astype>
is one of the following operators:
.Bd -literal -offset indent
AS		(any part)
source-AS	(rightmost AS number)
transit-AS	(all but the rightmost AS number)
.Ed
.Pp
.It Ar community <as>:<num>
This rule applies only to
.Em UPDATES
where the community path attribute is present and matches.
Both
.Ar <as>
and
.Ar <num>
may be set to
.Sq *
to do an
.Dq anymatch .
.Pp
.It Ar from No or Ar to
This rule applies to incoming or outgoing
.Em UPDATES .
Either one or the other must be specified.
.Pp
.It Ar prefix <address>/<len>
This rule applies only to
.Em UPDATES
for the specified prefix.
.Pp
.It Ar prefixlen <desc>
This rule applies only to
.Em UPDATES
for prefixes where the prefixlen matches.
Prefix length ranges are specified by using these operators:
.Bd -literal -offset indent
=	(equal)
!=	(unequal)
<	(less than)
<=	(less than or equal)
>	(greater than)
>=	(greater than or equal)
-	(range including boundaries)
><	(except range)
.Ed
.Pp
>< and -
are binary operators (they take two arguments).
For instance:
.Bl -tag -width Fl
.It Ar prefixlen 8-12
means
.Sq all prefix lengths >= 8 and <= 12 ,
hence the CIDR netmasks 8, 9, 10, 11 and 12.
.It Ar prefixlen 8><12
means
.Sq all prefix lengths < 8 and > 12 ,
hence the CIDR netmasks 0-7 and 13-32.
.El
.Pp
.Ar prefixlen
can be used together with
.Ar prefix .
.Pp
This will match all prefixes in the 10.0.0.0/8 netblock with netmasks longer
than 16:
.Bd -literal -offset indent
prefix 10.0.0.0/8 prefixlen > 16
.Ed
.Pp
.It Ar quick
If an
.Em UPDATE
matches a rule which has the
.Ar quick
option set, this rule is considered the last matching rule, and evaluation
of subsequent rules is skipped.
.Pp
.It Ar set
All matching rules can set the
.Em AS path attributes
to some default.
The set of every matching rule is applied, not only the last matching one.
See also the following section.
.El
.Sh ATTRIBUTE SET
.Em AS path attributes
can be modified with
.Ar set .
.Pp
.Ar set
can be used on
.Ar network
statements, in
.Ar neighbor
or
.Ar group
blocks and on
filter rules.
Attribute sets can be expressed as list.
.Pp
The following attributes can be modified:
.Bl -tag -width xxxxxxxx
.It Ar community
Set the
.Em COMMUNITIES
AS path attribute.
Communities are specified as
.Ar asnum:local ,
where
.Ar asnum
is an AS number and
.Ar local
is a locally-significant number between zero and 0xffff.
Alternately, well-known communities may be specified by name:
.Em NO_EXPORT ,
.Em NO_ADVERTISE ,
or
.Em NO_EXPORT_SUBCONFED .
.It Ar localpref
Set the
.Em LOCAL_PREF
AS path attribute.
.It Ar med
Set the
.Em MULTI_EXIT_DISC
AS path attribute.
.It Ar nexthop
Set the
.Em NEXTHOP
AS path attribute
to a different nexthop address.
.It Ar pftable
Adds the prefix in the update to the specified
.Xr pf 4
radix table, regardless of whether or not the path was selected for routing.
This option may be useful in building realtime blacklists.
.It Ar prepend-self
Prepend the local
.Em AS
multiple times to the
.Em AS path .
.El
.Sh FILES
.Bl -tag -width "/etc/bgpd.conf" -compact
.It Pa /etc/bgpd.conf
.Nm
configuration file.
.El
.Sh SEE ALSO
.Xr strftime 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr bgpd 8 ,
.Xr ipsecadm 8 ,
.Xr isakmpd 8
.Sh HISTORY
The
.Nm
file format first appeared in
.Ox 3.5 .