diff --git a/src/etc/examples/bgpd.conf b/src/etc/examples/bgpd.conf
index 2289db5e..d0765d1b 100644
--- a/src/etc/examples/bgpd.conf
+++ b/src/etc/examples/bgpd.conf
@@ -1,163 +1,121 @@
-# $OpenBSD: bgpd.conf,v 1.10 2018/06/21 15:57:04 job Exp $
-# sample bgpd configuration file
-# see bgpd.conf(5)
+# $OpenBSD: bgpd.conf,v 1.11 2018/08/28 17:52:16 job Exp $
+# example bgpd configuration file, see bgpd.conf(5)
 
-#macros
+# define our own ASN as a macro
 ASN="65001"
-peer1="10.1.0.2"
-peer2="10.1.0.3"
 
 # global configuration
 AS $ASN
-router-id 10.0.0.1
-# holdtime 180
-# holdtime min 3
-# listen on 127.0.0.1
-# listen on ::1
-# fib-update no
-# route-collector no
-# log updates
-
-# prefix set of networks that may be announced
-prefix-set mynetworks { 192.0.2.0/24 }
-
-# Announce networks, tag them with a large community to ease filtering
-# network 192.0.2.0/24 set large-community $ASN:1:1
-# network static set large-community $ASN:1:2
-
-# restricted socket for bgplg(8)
-# socket "/var/www/run/bgpd.rsock" restricted
-
-# neighbors and peers
-group "peering AS65002" {
-	remote-as 65002
-	neighbor $peer1 {
-		descr	"AS 65001 peer 1"
-		tcp md5sig password mekmitasdigoat
-	}
-	neighbor $peer2 {
-		descr "AS 65001 peer 2"
-		local-address 10.0.0.8
-		ipsec esp ike
-	}
+router-id 192.0.2.1
+
+# Generate routes for the networks our ASN will originate.
+# The communities (read 'tags') are later used to match on what
+# is announced to EBGP neighbors
+network 192.0.2.0/24 set large-community $ASN:1:1
+network 2001:db8:abcd::/48 set large-community $ASN:1:1
+
+# list of networks that may be originated by our ASN
+prefix-set mynetworks {		\
+	192.0.2.0/24		\
+	2001:db8:abcd::/48	\
 }
 
-group "peering AS65042" {
-	descr "peering AS 65042"
-	remote-as 65042
-	local-address 10.0.0.8
-	ipsec ah ike
-	neighbor 10.2.0.1
-	neighbor 10.2.0.2
+# this prefix-set is used to protect against accepting
+# hijacks of our own originated address space
+prefix-set mynetworks_orlonger {	\
+	192.0.2.0/24 or-longer		\
+	2001:db8:abcd::/48 or-longer	\
 }
 
-neighbor 10.0.1.0 {
-	remote-as	65003
-	descr		upstream
-	multihop	2
-	local-address	10.0.0.8
-	passive
-	holdtime	180
-	holdtime min	3
-	export		none
-	tcp md5sig key	deadbeef
+# assume simple network with 3 routers in IBGP full mesh
+group "ibgp mesh v4" {
+	remote-as $ASN
+	# use loopback for IBGP sessions, assume its distributed in OSPF
+	local-address 192.0.2.1
+	neighbor 192.0.2.2		# router 2 ipv4
+	neighbor 192.0.2.3		# router 3 ipv4
 }
-
-neighbor 10.0.2.0 {
-	remote-as	65004
-	descr		upstream2
-	local-address	10.0.0.8
-	ipsec ah ike
+# define the IPv6 IBGP sessions
+group "ibgp mesh v6" {
+	remote-as $ASN
+	local-address 2001:db8:abcd::1
+	neighbor 2001:db8:abcd::2	# router 2 ipv6
+	neighbor 2001:db8:abcd::3	# router 3 ipv6
 }
 
-neighbor 10.0.0.0/24 {
-	descr		"template for local peers"
-	enforce neighbor-as no
+# upstream providers
+group "upstreams" {
+	neighbor 203.0.113.1 {
+		remote-as 65002
+		descr "IPv4 Transit Provider A"
+	}
+	neighbor 198.51.100.0 {
+		remote-as 65123
+		descr "IPv4 Transit provider B"
+	}
+	neighbor 2001:db8:666::2 {
+		remote-as 65123
+		descr "IPv6 Transit provider B"
+	}
 }
 
-neighbor 10.2.1.1 {
-	remote-as 65023
-	local-address 10.0.0.8
-	ipsec esp in  spi 1010 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
-	    aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
-	ipsec esp out spi 1012 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
-	    aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
-}
+## rules section
+
+# uncomment the following two lines to accept a default route from upstreams
+#allow from group upstreams prefix 0.0.0.0/0
+#allow from group upstreams prefix ::/0
+
+### for simple BGP setups, no editing below this line is required ###
+
+# Outbound EBGP: only allow self originated networks to ebgp peers
+# Don't leak any routes from upstream or peering sessions. This is done
+# by checking for routes that are tagged with the large-community $ASN:1:1
+allow to ebgp prefix-set mynetworks large-community $ASN:1:1
 
-##
-## inbound rules: default is deny
-##
+# deny more-specifics of our own originated prefixes
+deny quick from ebgp prefix-set mynetworks_orlonger
 
-# IBGP: allow all updates from our neighbors
+# IBGP: allow all updates to and from our IBGP neighbors
 allow from ibgp
+allow to ibgp
+
+# Scrub normal and large communities relevant to our ASN from EBGP neighbors
+# https://tools.ietf.org/html/rfc7454#section-11
+match from ebgp set { community delete $ASN:* }
+match from ebgp set { large-community delete $ASN:*:* }
 
 # filter out prefixes longer than 24 or shorter than 8 bits for IPv4
 # and longer than 48 or shorter than 16 bits for IPv6.
 allow from any inet prefixlen 8 - 24
 allow from any inet6 prefixlen 16 - 48
 
-# accept a default route (since the previous rule blocks this)
-#allow from any prefix 0.0.0.0/0
-#allow from any prefix ::/0
-
 # Honor requests to gracefully shutdown BGP sessions
-# https://tools.ietf.org/html/draft-ietf-grow-bgp-gshut
+# https://tools.ietf.org/html/rfc8326
 match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
 
-# https://www.arin.net/announcements/2014/20140130.html
-# This block will be subject to a minimum size allocation of /28 and a
-# maximum size allocation of /24. ARIN should use sparse allocation when
-# possible within that /10 block.
-allow from any prefix 23.128.0.0/10 prefixlen 24 - 28	# ARIN IPv6 transition
-
-# filter bogus networks according to RFC5735
-deny from any prefix 0.0.0.0/8 prefixlen >= 8		# 'this' network [RFC1122]
-deny from any prefix 10.0.0.0/8 prefixlen >= 8		# private space [RFC1918]
-deny from any prefix 100.64.0.0/10 prefixlen >= 10	# CGN Shared [RFC6598]
-deny from any prefix 127.0.0.0/8 prefixlen >= 8 	# localhost [RFC1122]
-deny from any prefix 169.254.0.0/16 prefixlen >= 16	# link local [RFC3927]
-deny from any prefix 172.16.0.0/12 prefixlen >= 12	# private space [RFC1918]
-deny from any prefix 192.0.2.0/24 prefixlen >= 24	# TEST-NET-1 [RFC5737]
-deny from any prefix 192.88.99.0/24 prefixlen >= 24	# 6to4 anycast [RFC7526]
-deny from any prefix 192.168.0.0/16 prefixlen >= 16	# private space [RFC1918]
-deny from any prefix 198.18.0.0/15 prefixlen >= 15	# benchmarking [RFC2544]
-deny from any prefix 198.51.100.0/24 prefixlen >= 24	# TEST-NET-2 [RFC5737]
-deny from any prefix 203.0.113.0/24 prefixlen >= 24	# TEST-NET-3 [RFC5737]
-deny from any prefix 224.0.0.0/4 prefixlen >= 4 	# multicast
-deny from any prefix 240.0.0.0/4 prefixlen >= 4 	# reserved
-
-# filter bogus IPv6 networks according to IANA
-deny from any prefix ::/8 prefixlen >= 8
-deny from any prefix 0100::/64 prefixlen >= 64		# Discard-Only [RFC6666]
-deny from any prefix 2001:2::/48 prefixlen >= 48	# BMWG [RFC5180]
-deny from any prefix 2001:10::/28 prefixlen >= 28	# ORCHID [RFC4843]
-deny from any prefix 2001:db8::/32 prefixlen >= 32	# docu range [RFC3849]
-deny from any prefix 2002::/16 prefixlen >= 16		# 6to4 anycast [RFC7526]
-deny from any prefix 3ffe::/16 prefixlen >= 16		# old 6bone
-deny from any prefix fc00::/7 prefixlen >= 7		# unique local unicast
-deny from any prefix fe80::/10 prefixlen >= 10		# link local unicast
-deny from any prefix fec0::/10 prefixlen >= 10		# old site local unicast
-deny from any prefix ff00::/8 prefixlen >= 8		# multicast
+# See http://bgpfilterguide.nlnog.net/guides/bogon_prefixes/ for
+# an elaboration why each prefix is a bogon
+prefix-set bogons {						\
+	0.0.0.0/8 or-longer, 10.0.0.0/8 or-longer,		\
+	100.64.0.0/10 or-longer, 127.0.0.0/8 or-longer,		\
+	169.254.0.0/16 or-longer, 172.16.0.0/12 or-longer, 	\
+	192.0.2.0/24 or-longer, 192.88.99.0/24 or-longer,	\
+	192.168.0.0/16 or-longer, 198.18.0.0/15 or-longer,	\
+	198.51.100.0/24 or-longer, 203.0.113.0/24 or-longer,	\
+	224.0.0.0/4 or-longer, 240.0.0.0/4 or-longer,		\
+	::/8 or-longer, 0100::/64 or-longer,			\
+	2001:2::/48 or-longer, 2001:10::/28 or-longer,		\
+	2001:db8::/32 or-longer, 2002::/16 or-longer,		\
+	3ffe::/16 or-longer, fc00::/7 or-longer,		\
+	fe80::/10 or-longer, fec0::/10 or-longer,		\
+	ff00::/8 or-longer					\
+}
+# use above prefix-set to reject the bogons
+deny quick from any prefix-set bogons
 
 # filter bogon AS numbers
-# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
-deny from any AS 23456				# AS_TRANS
-deny from any AS 64496 - 64511			# Reserved for use in docs and code RFC5398
-deny from any AS 64512 - 65534			# Reserved for Private Use RFC6996
-deny from any AS 65535				# Reserved RFC7300
-deny from any AS 65536 - 65551			# Reserved for use in docs and code RFC5398
-deny from any AS 65552 - 131071			# Reserved
-deny from any AS 4200000000 - 4294967294	# Reserved for Private Use RFC6996
-deny from any AS 4294967295			# Reserved RFC7300
-
-##
-## outbound rules: default is deny
-##
-
-# IBGP: allow all updates to our neighbors
-allow to ibgp
-
-# EBGP: only allow self originated networks to ebgp peers
-# Don't leak any routes from upstream or peering sessions. This is done
-# by checking for routes that are tagged with the large-community $ASN:1:1
-allow to ebgp prefix-set mynetworks large-community $ASN:1:1
+# see http://bgpfilterguide.nlnog.net/guides/bogon_asns/ for more
+# information why these ASNs are bogons.
+deny quick from any AS 23456
+deny quick from any AS 64496 - 131071
+deny quick from any AS 4200000000 - 4294967295