
Unclutter bgpd.conf example config file

We're aiming to work towards an examples/bgpd.conf file that is a good starting
point for real-world deployments rather than a showcase of all the capabilities
bgpd(8) has.
OK deraadt@ claudio@
OPENBSD_6_4
job 6 years ago
parent
commit
f224b1cfa8
1 changed files with 93 additions and 135 deletions
  1. +93
    -135
      src/etc/examples/bgpd.conf

+ 93
- 135
src/etc/examples/bgpd.conf View File

@ -1,163 +1,121 @@
# $OpenBSD: bgpd.conf,v 1.10 2018/06/21 15:57:04 job Exp $
# sample bgpd configuration file
# see bgpd.conf(5)
# $OpenBSD: bgpd.conf,v 1.11 2018/08/28 17:52:16 job Exp $
# example bgpd configuration file, see bgpd.conf(5)
#macros
# define our own ASN as a macro
ASN="65001" ASN="65001"
peer1="10.1.0.2"
peer2="10.1.0.3"
# global configuration # global configuration
AS $ASN AS $ASN
router-id 10.0.0.1
# holdtime 180
# holdtime min 3
# listen on 127.0.0.1
# listen on ::1
# fib-update no
# route-collector no
# log updates
# prefix set of networks that may be announced
prefix-set mynetworks { 192.0.2.0/24 }
# Announce networks, tag them with a large community to ease filtering
# network 192.0.2.0/24 set large-community $ASN:1:1
# network static set large-community $ASN:1:2
# restricted socket for bgplg(8)
# socket "/var/www/run/bgpd.rsock" restricted
# neighbors and peers
group "peering AS65002" {
remote-as 65002
neighbor $peer1 {
descr "AS 65001 peer 1"
tcp md5sig password mekmitasdigoat
}
neighbor $peer2 {
descr "AS 65001 peer 2"
local-address 10.0.0.8
ipsec esp ike
}
router-id 192.0.2.1
# Generate routes for the networks our ASN will originate.
# The communities (read 'tags') are later used to match on what
# is announced to EBGP neighbors
network 192.0.2.0/24 set large-community $ASN:1:1
network 2001:db8:abcd::/48 set large-community $ASN:1:1
# list of networks that may be originated by our ASN
prefix-set mynetworks { \
192.0.2.0/24 \
2001:db8:abcd::/48 \
} }
group "peering AS65042" {
descr "peering AS 65042"
remote-as 65042
local-address 10.0.0.8
ipsec ah ike
neighbor 10.2.0.1
neighbor 10.2.0.2
# this prefix-set is used to protect against accepting
# hijacks of our own originated address space
prefix-set mynetworks_orlonger { \
192.0.2.0/24 or-longer \
2001:db8:abcd::/48 or-longer \
} }
neighbor 10.0.1.0 {
remote-as 65003
descr upstream
multihop 2
local-address 10.0.0.8
passive
holdtime 180
holdtime min 3
export none
tcp md5sig key deadbeef
# assume simple network with 3 routers in IBGP full mesh
group "ibgp mesh v4" {
remote-as $ASN
# use loopback for IBGP sessions, assume its distributed in OSPF
local-address 192.0.2.1
neighbor 192.0.2.2 # router 2 ipv4
neighbor 192.0.2.3 # router 3 ipv4
} }
neighbor 10.0.2.0 {
remote-as 65004
descr upstream2
local-address 10.0.0.8
ipsec ah ike
# define the IPv6 IBGP sessions
group "ibgp mesh v6" {
remote-as $ASN
local-address 2001:db8:abcd::1
neighbor 2001:db8:abcd::2 # router 2 ipv6
neighbor 2001:db8:abcd::3 # router 3 ipv6
} }
neighbor 10.0.0.0/24 {
descr "template for local peers"
enforce neighbor-as no
# upstream providers
group "upstreams" {
neighbor 203.0.113.1 {
remote-as 65002
descr "IPv4 Transit Provider A"
}
neighbor 198.51.100.0 {
remote-as 65123
descr "IPv4 Transit provider B"
}
neighbor 2001:db8:666::2 {
remote-as 65123
descr "IPv6 Transit provider B"
}
} }
neighbor 10.2.1.1 {
remote-as 65023
local-address 10.0.0.8
ipsec esp in spi 1010 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
ipsec esp out spi 1012 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
}
## rules section
# uncomment the following two lines to accept a default route from upstreams
#allow from group upstreams prefix 0.0.0.0/0
#allow from group upstreams prefix ::/0
### for simple BGP setups, no editing below this line is required ###
# Outbound EBGP: only allow self originated networks to ebgp peers
# Don't leak any routes from upstream or peering sessions. This is done
# by checking for routes that are tagged with the large-community $ASN:1:1
allow to ebgp prefix-set mynetworks large-community $ASN:1:1
##
## inbound rules: default is deny
##
# deny more-specifics of our own originated prefixes
deny quick from ebgp prefix-set mynetworks_orlonger
# IBGP: allow all updates from our neighbors
# IBGP: allow all updates to and from our IBGP neighbors
allow from ibgp allow from ibgp
allow to ibgp
# Scrub normal and large communities relevant to our ASN from EBGP neighbors
# https://tools.ietf.org/html/rfc7454#section-11
match from ebgp set { community delete $ASN:* }
match from ebgp set { large-community delete $ASN:*:* }
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4 # filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6. # and longer than 48 or shorter than 16 bits for IPv6.
allow from any inet prefixlen 8 - 24 allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48 allow from any inet6 prefixlen 16 - 48
# accept a default route (since the previous rule blocks this)
#allow from any prefix 0.0.0.0/0
#allow from any prefix ::/0
# Honor requests to gracefully shutdown BGP sessions # Honor requests to gracefully shutdown BGP sessions
# https://tools.ietf.org/html/draft-ietf-grow-bgp-gshut
# https://tools.ietf.org/html/rfc8326
match from any community GRACEFUL_SHUTDOWN set { localpref 0 } match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
# https://www.arin.net/announcements/2014/20140130.html
# This block will be subject to a minimum size allocation of /28 and a
# maximum size allocation of /24. ARIN should use sparse allocation when
# possible within that /10 block.
allow from any prefix 23.128.0.0/10 prefixlen 24 - 28 # ARIN IPv6 transition
# filter bogus networks according to RFC5735
deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122]
deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918]
deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598]
deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122]
deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927]
deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918]
deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737]
deny from any prefix 192.88.99.0/24 prefixlen >= 24 # 6to4 anycast [RFC7526]
deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918]
deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544]
deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737]
deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737]
deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast
deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved
# filter bogus IPv6 networks according to IANA
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 0100::/64 prefixlen >= 64 # Discard-Only [RFC6666]
deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
deny from any prefix 2002::/16 prefixlen >= 16 # 6to4 anycast [RFC7526]
deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8 # multicast
# See http://bgpfilterguide.nlnog.net/guides/bogon_prefixes/ for
# an elaboration why each prefix is a bogon
prefix-set bogons { \
0.0.0.0/8 or-longer, 10.0.0.0/8 or-longer, \
100.64.0.0/10 or-longer, 127.0.0.0/8 or-longer, \
169.254.0.0/16 or-longer, 172.16.0.0/12 or-longer, \
192.0.2.0/24 or-longer, 192.88.99.0/24 or-longer, \
192.168.0.0/16 or-longer, 198.18.0.0/15 or-longer, \
198.51.100.0/24 or-longer, 203.0.113.0/24 or-longer, \
224.0.0.0/4 or-longer, 240.0.0.0/4 or-longer, \
::/8 or-longer, 0100::/64 or-longer, \
2001:2::/48 or-longer, 2001:10::/28 or-longer, \
2001:db8::/32 or-longer, 2002::/16 or-longer, \
3ffe::/16 or-longer, fc00::/7 or-longer, \
fe80::/10 or-longer, fec0::/10 or-longer, \
ff00::/8 or-longer \
}
# use above prefix-set to reject the bogons
deny quick from any prefix-set bogons
# filter bogon AS numbers # filter bogon AS numbers
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
deny from any AS 23456 # AS_TRANS
deny from any AS 64496 - 64511 # Reserved for use in docs and code RFC5398
deny from any AS 64512 - 65534 # Reserved for Private Use RFC6996
deny from any AS 65535 # Reserved RFC7300
deny from any AS 65536 - 65551 # Reserved for use in docs and code RFC5398
deny from any AS 65552 - 131071 # Reserved
deny from any AS 4200000000 - 4294967294 # Reserved for Private Use RFC6996
deny from any AS 4294967295 # Reserved RFC7300
##
## outbound rules: default is deny
##
# IBGP: allow all updates to our neighbors
allow to ibgp
# EBGP: only allow self originated networks to ebgp peers
# Don't leak any routes from upstream or peering sessions. This is done
# by checking for routes that are tagged with the large-community $ASN:1:1
allow to ebgp prefix-set mynetworks large-community $ASN:1:1
# see http://bgpfilterguide.nlnog.net/guides/bogon_asns/ for more
# information why these ASNs are bogons.
deny quick from any AS 23456
deny quick from any AS 64496 - 131071
deny quick from any AS 4200000000 - 4294967295
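Review bot: The prefixes this example originates (`network 192.0.2.0/24` and `network 2001:db8:abcd::/48`, also used for the IBGP mesh addresses) are documentation ranges that the new `prefix-set bogons` lists as `192.0.2.0/24 or-longer` and `2001:db8::/32 or-longer`, and `deny quick from any prefix-set bogons` is evaluated for IBGP sessions as well, so a mesh router copying this file verbatim would drop its neighbours' copies of those prefixes. Since the bogon list is correct and the documentation ranges are deliberate, this is best handled by a comment next to the `network` statements, e.g. `# 192.0.2.0/24 and 2001:db8::/32 are documentation ranges and are listed in the bogons prefix-set below; replace them with the prefixes your ASN actually originates.` It may also be worth noting in the upstreams/peering groups that the example sets no per-neighbor limit on received prefixes, so a deployer knows to add one for sessions with external peers.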
