howto/OpenBGPD.md
... ...
@@ -12,9 +12,9 @@ The goal is to have a small, yet complete setup for all peers with ROA validatio
12 12
13 13
As per the manual, configuration is divided into logical sections; [`/etc/examples/bgpd.conf`](http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/examples/bgpd.conf?rev=HEAD&content-type=text/plain&only_with_tag=MAIN) is a complete and commented example which this guide is roughly based on.
14 14
15
-By default, **bgpd** listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup.
15
+By default, [`bgpd(8)`](http://man.openbsd.org/bgpd.8) listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup.
16 16
17
-## local peer
17
+## local host
18 18
Information such as ASN, router ID and allocated networks are required:
19 19
```
20 20
# macros
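Review bot: the rewritten `+` line on the default listen behaviour still carries the wording slip from the removed line: "to better illustrate of this setup" should read "to better illustrate this setup". Since this hunk already touches that line to swap bold **bgpd** for a `bgpd(8)` manual link, fixing the phrase in the same change avoids a follow-up commit. The heading rename from "local peer" to "local host" reads fine, given the section describes the router's own ASN, router ID and allocated networks rather than a neighbor.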
... ...
@@ -42,17 +42,47 @@ network prefix-set mynetworks set large-community $ASN:1:1
42 42
For each neighbor its ASN and transfer ULA is required.
43 43
An optional description is provided such that [`bgpctl`](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
44 44
```
45
-$peerA-local="fd00:12:34:A::1"
46
-$peerA-remote="fd00:12:34:A::2"
47
-$peerA-ASN="4242425678"
45
+# peer A, transport over IPSec/GRE
46
+$A-local="fd00:12:34:A::1"
47
+$A-remote="fd00:12:34:A::2"
48
+$A-ASN="4242425678"
48 49
49
-listen on $peerA-local
50
-neighbor $peerA-remote {
51
- remote-as $peerA-ASN
52
- descr "peerA"
50
+listen on $A-local
51
+
52
+neighbor $A-remote {
53
+ remote-as $A-ASN
54
+ descr "A"
53 55
}
54 56
```
55 57
58
+## filter rules
59
+**bgpd** blocks all BGP __UPDATE__ messages by default.
60
+The filter rules are evaluated in sequential order, form first to last.
61
+The last matching allow or deny rule decides what action is taken.
62
+
63
+Start off with basic protection and sanity rules:
64
+```
65
+# deny more-specifics of our own originated prefixes
66
+deny quick from ebgp prefix-set mynetworks or-longer
67
+
68
+# filter out too long paths, establish more peerings instead
69
+deny quick from any max-as-len 8
70
+```
71
+
72
+`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
73
+
74
+Next IBGP as well as our own __UPDATES__ are allowed:
75
+```
76
+# IBGP: allow all updates to and from our IBGP neighbors
77
+allow from ibgp
78
+allow to ibgp
79
+
80
+# Outbound EBGP: only allow self originated networks to ebgp peers
81
+# Don't leak any routes from upstream or peering sessions. This is done
82
+# by checking for routes that are tagged with the large-community $ASN:1:1
83
+allow to ebgp prefix-set kn large-community $ASN:1:1
84
+```
85
+
56 86
# ROA
57 87
58 88
# Looking glass
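Review bot: the last new filter rule, `allow to ebgp prefix-set kn large-community $ASN:1:1`, references a prefix-set `kn` that is defined nowhere in this file; the set holding the self-originated networks is `mynetworks` (see `network prefix-set mynetworks ...` in the hunk header and `deny quick from ebgp prefix-set mynetworks or-longer` in the first rule), so this looks like a leftover and should read `allow to ebgp prefix-set mynetworks large-community $ASN:1:1`. The comment above it promises that nothing learned from upstream or peering sessions leaks to eBGP peers, so this rule must be right; a `bgpd -n` config test before committing would have flagged the undefined set. Two smaller points in the same hunk: "form first to last" should be "from first to last", and the new "filter rules" section uses bold **bgpd** while the earlier hunk just replaced that spelling with a `bgpd(8)` manual link, so the link should be used here too for consistency. It is also worth saying explicitly after the IBGP rules that, because this hunk adds no `allow from ebgp` rule, routes announced by eBGP neighbors remain dropped by the default deny until later rules admit them.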
... ...
\ No newline at end of file