c10f1753f66fe911edbde4e94b1159207e2168d7
howto/OpenBGPD.md
... | ... | @@ -12,9 +12,9 @@ The goal is to have a small, yet complete setup for all peers with ROA validatio |
12 | 12 | |
13 | 13 | As per the manual, configuration is divided into logical sections; [`/etc/examples/bgpd.conf`](http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/examples/bgpd.conf?rev=HEAD&content-type=text/plain&only_with_tag=MAIN) is a complete and commented example which this guide is roughly based on. |
14 | 14 | |
15 | -By default, **bgpd** listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup. |
|
15 | +By default, [`bgpd(8)`](http://man.openbsd.org/bgpd.8) listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup. |
|
16 | 16 | |
17 | -## local peer |
|
17 | +## local host |
|
18 | 18 | Information such as ASN, router ID and allocated networks are required: |
19 | 19 | ``` |
20 | 20 | # macros |
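Review bot: the rewritten line 15 still carries the grammatical slip "to better illustrate of this setup"; since the line is being touched anyway, drop the stray "of" and tighten the clause, e.g. `but this guide has bgpd listen only on each peer's configured transfer ULA, to better illustrate this setup`. Replacing the bold `**bgpd**` with a `bgpd(8)` manual link is the right call; use that same form for later mentions of the daemon so the page stays consistent.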
... | ... | @@ -42,17 +42,47 @@ network prefix-set mynetworks set large-community $ASN:1:1 |
42 | 42 | For each neighbor its ASN and transfer ULA is required. |
43 | 43 | An optional description is provided such that [`bgpctl`](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers: |
44 | 44 | ``` |
45 | -$peerA-local="fd00:12:34:A::1" |
|
46 | -$peerA-remote="fd00:12:34:A::2" |
|
47 | -$peerA-ASN="4242425678" |
|
45 | +# peer A, transport over IPSec/GRE |
|
46 | +$A-local="fd00:12:34:A::1" |
|
47 | +$A-remote="fd00:12:34:A::2" |
|
48 | +$A-ASN="4242425678" |
|
48 | 49 | |
49 | -listen on $peerA-local |
|
50 | -neighbor $peerA-remote { |
|
51 | - remote-as $peerA-ASN |
|
52 | - descr "peerA" |
|
50 | +listen on $A-local |
|
51 | + |
|
52 | +neighbor $A-remote { |
|
53 | + remote-as $A-ASN |
|
54 | + descr "A" |
|
53 | 55 | } |
54 | 56 | ``` |
55 | 57 | |
58 | +## filter rules |
|
59 | +**bgpd** blocks all BGP __UPDATE__ messages by default. |
|
60 | +The filter rules are evaluated in sequential order, form first to last. |
|
61 | +The last matching allow or deny rule decides what action is taken. |
|
62 | + |
|
63 | +Start off with basic protection and sanity rules: |
|
64 | +``` |
|
65 | +# deny more-specifics of our own originated prefixes |
|
66 | +deny quick from ebgp prefix-set mynetworks or-longer |
|
67 | + |
|
68 | +# filter out too long paths, establish more peerings instead |
|
69 | +deny quick from any max-as-len 8 |
|
70 | +``` |
|
71 | + |
|
72 | +`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped. |
|
73 | + |
|
74 | +Next IBGP as well as our own __UPDATES__ are allowed: |
|
75 | +``` |
|
76 | +# IBGP: allow all updates to and from our IBGP neighbors |
|
77 | +allow from ibgp |
|
78 | +allow to ibgp |
|
79 | + |
|
80 | +# Outbound EBGP: only allow self originated networks to ebgp peers |
|
81 | +# Don't leak any routes from upstream or peering sessions. This is done |
|
82 | +# by checking for routes that are tagged with the large-community $ASN:1:1 |
|
83 | +allow to ebgp prefix-set kn large-community $ASN:1:1 |
|
84 | +``` |
|
85 | + |
|
56 | 86 | # ROA |
57 | 87 | |
58 | 88 | # Looking glass |
... | ... | \ No newline at end of file |
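Review bot: the new outbound EBGP rule on line 83, `allow to ebgp prefix-set kn large-community $ASN:1:1`, names a prefix-set `kn` that is defined nowhere; the set declared in the surrounding context (and used two rules earlier in `deny quick from ebgp prefix-set mynetworks or-longer`) is `mynetworks`, and bgpd(8) rejects a configuration that references an undefined prefix-set, so this must read `allow to ebgp prefix-set mynetworks large-community $ASN:1:1`. The renamed macros on lines 46-48 keep a hyphen in the name (`$A-local`, `$A-remote`, `$A-ASN`); bgpd.conf(5) macro names may only contain letters, digits and underscores, and a definition takes no leading `$`, so write them as `A_local="fd00:12:34:A::1"` and reference them as `$A_local` (the old `$peerA-local` form had the same defect, so this rename is the moment to fix it). Smaller points: "form first to last" on line 60 should be "from first to last"; line 59 reintroduces the bold `**bgpd**` form that the first hunk just replaced with a `bgpd(8)` link; the comment on line 45 should spell it "IPsec"; and since `max-as-len 8` on line 69 is a far tighter limit than the one in the stock /etc/examples/bgpd.conf this guide is based on, a short sentence saying it is a deliberate choice for this small setup would stop readers from copying it into an Internet-facing router.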