|
|
# $OpenBSD: bgpd.conf,v 1.15 2013/08/14 21:25:43 claudio Exp $
|
|
|
# sample bgpd configuration file
|
|
|
# see bgpd.conf(5)
|
|
|
|
|
|
#macros
|
|
|
peer1="10.1.0.2"
|
|
|
peer2="10.1.0.3"
|
|
|
|
|
|
# global configuration
|
|
|
AS 65001
|
|
|
router-id 10.0.0.1
|
|
|
# holdtime 180
|
|
|
# holdtime min 3
|
|
|
# listen on 127.0.0.1
|
|
|
# listen on ::1
|
|
|
# fib-update no
|
|
|
# route-collector no
|
|
|
# log updates
|
|
|
# network 10.0.1.0/24
|
|
|
|
|
|
# restricted socket for bgplg(8)
|
|
|
# socket "/var/www/run/bgpd.rsock" restricted
|
|
|
|
|
|
# neighbors and peers
|
|
|
group "peering AS65002" {
|
|
|
remote-as 65002
|
|
|
neighbor $peer1 {
|
|
|
descr "AS 65001 peer 1"
|
|
|
announce self
|
|
|
tcp md5sig password mekmitasdigoat
|
|
|
}
|
|
|
neighbor $peer2 {
|
|
|
descr "AS 65001 peer 2"
|
|
|
announce all
|
|
|
local-address 10.0.0.8
|
|
|
ipsec esp ike
|
|
|
}
|
|
|
}
|
|
|
|
|
|
group "peering AS65042" {
|
|
|
descr "peering AS 65042"
|
|
|
local-address 10.0.0.8
|
|
|
ipsec ah ike
|
|
|
neighbor 10.2.0.1
|
|
|
neighbor 10.2.0.2
|
|
|
}
|
|
|
|
|
|
neighbor 10.0.1.0 {
|
|
|
remote-as 65003
|
|
|
descr upstream
|
|
|
multihop 2
|
|
|
local-address 10.0.0.8
|
|
|
passive
|
|
|
holdtime 180
|
|
|
holdtime min 3
|
|
|
announce none
|
|
|
tcp md5sig key deadbeef
|
|
|
}
|
|
|
|
|
|
neighbor 10.0.2.0 {
|
|
|
remote-as 65004
|
|
|
descr upstream2
|
|
|
local-address 10.0.0.8
|
|
|
ipsec ah ike
|
|
|
}
|
|
|
|
|
|
neighbor 10.0.0.0/24 {
|
|
|
descr "template for local peers"
|
|
|
}
|
|
|
|
|
|
neighbor 10.2.1.1 {
|
|
|
remote-as 65023
|
|
|
local-address 10.0.0.8
|
|
|
ipsec esp in spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
|
|
|
aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
|
|
|
ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
|
|
|
aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
|
|
|
}
|
|
|
|
|
|
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
|
|
|
# and longer than 48 or shorter than 16 bits for IPv6.
|
|
|
deny from any
|
|
|
allow from any inet prefixlen 8 - 24
|
|
|
allow from any inet6 prefixlen 16 - 48
|
|
|
|
|
|
# accept a default route (since the previous rule blocks this)
|
|
|
#allow from any prefix 0.0.0.0/0
|
|
|
|
|
|
# filter bogus networks according to RFC5735
|
|
|
deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122]
|
|
|
deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918]
|
|
|
deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598]
|
|
|
deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122]
|
|
|
deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927]
|
|
|
deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918]
|
|
|
deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737]
|
|
|
deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918]
|
|
|
deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544]
|
|
|
deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737]
|
|
|
deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737]
|
|
|
deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast
|
|
|
deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved
|
|
|
|
|
|
# filter bogus IPv6 networks according to IANA
|
|
|
deny from any prefix ::/8 prefixlen >= 8
|
|
|
deny from any prefix 0100::/64 prefixlen >= 64 # Discard-Only [RFC6666]
|
|
|
deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180]
|
|
|
deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
|
|
|
deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
|
|
|
deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
|
|
|
deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
|
|
|
deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
|
|
|
deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
|
|
|
deny from any prefix ff00::/8 prefixlen >= 8 # multicast
|