a87bfd66ca5c3d88b48097709471b37c55fd4739
howto/OpenBGPD.md
| ... | ... | @@ -8,7 +8,7 @@ Neighbors use ULA addresses (/127 transfer net) assigned from one of the peer's |
| 8 | 8 | The goal is to have a small, yet complete setup for all peers with ROA validation and other safety measurements in place. |
| 9 | 9 | |
| 10 | 10 | # Configuration |
| 11 | -[`/etc/bgpd.conf`](https://man.openbsd.org/bgpd.conf.5) contains all information and includes generated pieces such as ROA sets; see the `ROA` section in this guide. |
|
| 11 | +[`/etc/bgpd.conf`](https://man.openbsd.org/bgpd.conf.5) contains all information and may include further (automatically generated) files, as is done in this guide. |
|
| 12 | 12 | |
| 13 | 13 | As per the manual, configuration is divided into logical sections; [`/etc/examples/bgpd.conf`](http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/examples/bgpd.conf?rev=HEAD&content-type=text/plain&only_with_tag=MAIN) is a complete and commented example which this guide is roughly based on. |
| 14 | 14 | |
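Review bot: the rewritten line 11 drops the cross-reference to the ROA section ("see the `ROA` section in this guide") in favour of the vaguer "as is done in this guide", so the reader no longer learns which generated file is included or where it is explained; keep the pointer, e.g. "may include further (automatically generated) files such as the ROA set; see the `ROA` section below."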
| ... | ... | @@ -71,18 +71,40 @@ deny quick from any max-as-len 8 |
| 71 | 71 | |
| 72 | 72 | `quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped. |
| 73 | 73 | |
| 74 | -Next IBGP as well as our own __UPDATES__ are allowed: |
|
| 74 | +Allow own announcements: |
|
| 75 | 75 | ``` |
| 76 | -# IBGP: allow all updates to and from our IBGP neighbors |
|
| 77 | -allow from ibgp |
|
| 78 | -allow to ibgp |
|
| 79 | - |
|
| 80 | 76 | # Outbound EBGP: only allow self originated networks to ebgp peers |
| 81 | 77 | # Don't leak any routes from upstream or peering sessions. This is done |
| 82 | 78 | # by checking for routes that are tagged with the large-community $ASN:1:1 |
| 83 | 79 | allow to ebgp prefix-set kn large-community $ASN:1:1 |
| 84 | 80 | ``` |
| 85 | 81 | |
| 82 | +Allow all remaining UPDATES based on __O_rigin __V__alidation __S__tates: |
|
| 83 | +``` |
|
| 84 | +# enforce ROA |
|
| 85 | +allow from ebgp ovs valid |
|
| 86 | +``` |
|
| 87 | + |
|
| 88 | +Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `ROA` section below. |
|
| 89 | + |
|
| 90 | +### path attributes |
|
| 91 | +Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g. |
|
| 92 | +``` |
|
| 93 | +# Scrub normal and large communities relevant to our ASN from EBGP neighbors |
|
| 94 | +# https://tools.ietf.org/html/rfc7454#section-11 |
|
| 95 | +match from ebgp set { large-community delete $ASN:*:* } |
|
| 96 | + |
|
| 97 | +# Honor requests to gracefully shutdown BGP sessions |
|
| 98 | +# https://tools.ietf.org/html/rfc8326 |
|
| 99 | +match from any community GRACEFUL_SHUTDOWN set { localpref 0 } |
|
| 100 | +``` |
|
| 101 | + |
|
| 102 | +Misbehaving peers can be adjusted; for example Bird on FreeBSD is known to sometimes announce routes with incorrect `nexthop` attributes: |
|
| 103 | +``` |
|
| 104 | +# XXX otherwise routes are installed with ::/128 nexthop |
|
| 105 | +match from AS $A-ASN set { nexthop $A-remote } |
|
| 106 | +``` |
|
| 107 | + |
|
| 86 | 108 | # ROA |
| 87 | 109 | |
| 88 | 110 | # Looking glass |
| ... | ... | \ No newline at end of file |
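Review bot: the hunk deletes `allow from ibgp` and `allow to ibgp` without a replacement and without saying how IBGP updates are handled now; after the change only `allow to ebgp prefix-set kn large-community $ASN:1:1` and `allow from ebgp ovs valid` are left as explicit allow rules, so either keep the IBGP rules or add a sentence explaining why they are no longer needed. Smaller points in the same hunk: the bold markup in `__O_rigin __V__alidation __S__tates` is unbalanced (`__O_rigin` needs two underscores on both sides); the macro names `$A-ASN` and `$A-remote` contain hyphens, which bgpd.conf(5) does not permit in macro names (letters, digits and underscores only), so the nexthop example will not parse as written and should use something like `$A_ASN` / `$A_remote`; and the new `### path attributes` heading differs in level and capitalization from the guide's other headings (`# Configuration`, `# ROA`).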