a87bfd66ca5c3d88b48097709471b37c55fd4739
howto/OpenBGPD.md
... | ... | @@ -8,7 +8,7 @@ Neighbors use ULA addresses (/127 transfer net) assigned from one of the peer's |
8 | 8 | The goal is to have a small, yet complete setup for all peers with ROA validation and other safety measurements in place. |
9 | 9 | |
10 | 10 | # Configuration |
11 | -[`/etc/bgpd.conf`](https://man.openbsd.org/bgpd.conf.5) contains all information and includes generated pieces such as ROA sets; see the `ROA` section in this guide. |
|
11 | +[`/etc/bgpd.conf`](https://man.openbsd.org/bgpd.conf.5) contains all information and may include further (automatically generated) files, as is done in this guide. |
|
12 | 12 | |
13 | 13 | As per the manual, configuration is divided into logical sections; [`/etc/examples/bgpd.conf`](http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/examples/bgpd.conf?rev=HEAD&content-type=text/plain&only_with_tag=MAIN) is a complete and commented example which this guide is roughly based on. |
14 | 14 | |
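Review bot: the rewritten line 11 drops the only pointer to the `ROA` section, while the new `ovs` paragraph added further down still says "see the `ROA` section below" and the `# ROA` heading visible at the end of the second hunk has no body yet. "may include further (automatically generated) files, as is done in this guide" also no longer says which file is generated. Suggest keeping the concrete example in the sentence, e.g. `[...] may include further, automatically generated files such as the roa-set; see the ROA section below.`, so the reader knows what the include is for before reaching the filter rules.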
... | ... | @@ -71,18 +71,40 @@ deny quick from any max-as-len 8 |
71 | 71 | |
72 | 72 | `quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped. |
73 | 73 | |
74 | -Next IBGP as well as our own __UPDATES__ are allowed: |
|
74 | +Allow own announcements: |
|
75 | 75 | ``` |
76 | -# IBGP: allow all updates to and from our IBGP neighbors |
|
77 | -allow from ibgp |
|
78 | -allow to ibgp |
|
79 | - |
|
80 | 76 | # Outbound EBGP: only allow self originated networks to ebgp peers |
81 | 77 | # Don't leak any routes from upstream or peering sessions. This is done |
82 | 78 | # by checking for routes that are tagged with the large-community $ASN:1:1 |
83 | 79 | allow to ebgp prefix-set kn large-community $ASN:1:1 |
84 | 80 | ``` |
85 | 81 | |
82 | +Allow all remaining UPDATES based on __O_rigin __V__alidation __S__tates: |
|
83 | +``` |
|
84 | +# enforce ROA |
|
85 | +allow from ebgp ovs valid |
|
86 | +``` |
|
87 | + |
|
88 | +Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `ROA` section below. |
|
89 | + |
|
90 | +### path attributes |
|
91 | +Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g. |
|
92 | +``` |
|
93 | +# Scrub normal and large communities relevant to our ASN from EBGP neighbors |
|
94 | +# https://tools.ietf.org/html/rfc7454#section-11 |
|
95 | +match from ebgp set { large-community delete $ASN:*:* } |
|
96 | + |
|
97 | +# Honor requests to gracefully shutdown BGP sessions |
|
98 | +# https://tools.ietf.org/html/rfc8326 |
|
99 | +match from any community GRACEFUL_SHUTDOWN set { localpref 0 } |
|
100 | +``` |
|
101 | + |
|
102 | +Misbehaving peers can be adjusted; for example Bird on FreeBSD is known to sometimes announce routes with incorrect `nexthop` attributes: |
|
103 | +``` |
|
104 | +# XXX otherwise routes are installed with ::/128 nexthop |
|
105 | +match from AS $A-ASN set { nexthop $A-remote } |
|
106 | +``` |
|
107 | + |
|
86 | 108 | # ROA |
87 | 109 | |
88 | 110 | # Looking glass |
... | ... | \ No newline at end of file |
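Review bot: removing `allow from ibgp` / `allow to ibgp` (old lines 76-79) leaves no rule in this hunk that admits IBGP UPDATEs at all; the remaining `allow` statements are `allow to ebgp prefix-set kn large-community $ASN:1:1` and `allow from ebgp ovs valid`, so after `deny quick from any max-as-len 8` an IBGP neighbor's routes are only accepted if bgpd's default policy allows them. Either restore the two IBGP rules or state in the text that this setup has no IBGP sessions, otherwise the "small, yet complete setup" claim at line 8 no longer holds. Second, `allow from ebgp ovs valid` admits only routes with a covering ROA; everything with no ROA at all (the bulk of the table) is now implicitly denied, yet the lead-in at line 82 calls this "Allow all remaining UPDATES". Say explicitly that unknown origin validation state is intentionally dropped, or add a rule for it, and adjust the sentence. Third, the markup at line 82 is broken: `__O_rigin __V__alidation __S__tates` has a single underscore after the `O`, so it will not render as the bold OVS initialism; suggest `__O__rigin __V__alidation __S__tates`. Finally, the Bird workaround at lines 104-105 keeps an `XXX` marker in a published guide and uses the macros `$A-ASN` and `$A-remote`, which are not defined in this hunk; add a short sentence naming where they are set or replace them with the `$ASN`-style placeholders used in the other rules. The file also now ends without a trailing newline.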