c7f2e7cdc9d3875a9b19886789e966a617ac9253
howto/OpenBGPD.md
| ... | ... | @@ -0,0 +1,58 @@ |
| 1 | +This guide describes a simple configuration for [OpenBGPD](https://openbgpd.org) running on [OpenBSD](https://openbsd.org). |
|
| 2 | +The [portable version](https://openbgpd.org/ftp.html) should run with little to no configuration changes on other operating systems as well. |
|
| 3 | + |
|
| 4 | +# Setup |
|
| 5 | +Only IPv6 is used for the sake of simplicity. |
|
| 6 | +Neighbors use ULA addresses (/127 transfer net) assigned from one of the peer's allocation. |
|
| 7 | + |
|
| 8 | +The goal is to have a small, yet complete setup for all peers with ROA validation and other safety measurements in place. |
|
| 9 | + |
|
| 10 | +# Configuration |
|
| 11 | +[`/etc/bgpd.conf`](https://man.openbsd.org/bgpd.conf.5) contains all information and includes generated pieces such as ROA sets; see the `ROA` section in this guide. |
|
| 12 | + |
|
| 13 | +As per the manual, configuration is divided into logical sections; [`/etc/examples/bgpd.conf`](http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/examples/bgpd.conf?rev=HEAD&content-type=text/plain&only_with_tag=MAIN) is a complete and commented example which this guide is roughly based on. |
|
| 14 | + |
|
| 15 | +By default, **bgpd** listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup. |
|
| 16 | + |
|
| 17 | +## local peer |
|
| 18 | +Information such as ASN, router ID and allocated networks are required: |
|
| 19 | +``` |
|
| 20 | +# macros |
|
| 21 | +ASN="4242421234" |
|
| 22 | + |
|
| 23 | +# global configuration |
|
| 24 | +AS $ASN |
|
| 25 | +router-id 1.2.3.4 |
|
| 26 | + |
|
| 27 | +prefix-set mynetworks { |
|
| 28 | + fd00:12:34::/48 |
|
| 29 | +} |
|
| 30 | +``` |
|
| 31 | + |
|
| 32 | +These can be used in subsequent filter rules. |
|
| 33 | +The local peer's announcements is then defined as follows: |
|
| 34 | +``` |
|
| 35 | +# Generate routes for the networks our ASN will originate. |
|
| 36 | +# The communities (read 'tags') are later used to match on what |
|
| 37 | +# is announced to EBGP neighbors |
|
| 38 | +network prefix-set mynetworks set large-community $ASN:1:1 |
|
| 39 | +``` |
|
| 40 | + |
|
| 41 | +## neighbors |
|
| 42 | +For each neighbor its ASN and transfer ULA is required. |
|
| 43 | +An optional description is provided such that [`bgpctl`](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers: |
|
| 44 | +``` |
|
| 45 | +$peerA-local="fd00:12:34:A::1" |
|
| 46 | +$peerA-remote="fd00:12:34:A::2" |
|
| 47 | +$peerA-ASN="4242425678" |
|
| 48 | + |
|
| 49 | +listen on $peerA-local |
|
| 50 | +neighbor $peerA-remote { |
|
| 51 | + remote-as $peerA-ASN |
|
| 52 | + descr "peerA" |
|
| 53 | +} |
|
| 54 | +``` |
|
| 55 | + |
|
| 56 | +# ROA |
|
| 57 | + |
|
| 58 | +# Looking glass |
|
| ... | ... | \ No newline at end of file |
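Review bot: the three peer macros (`$peerA-local=`, `$peerA-remote=`, `$peerA-ASN=`) will not parse. bgpd.conf macros are defined without the leading `$` (exactly as the hunk already does with `ASN="4242421234"`) and their names may only contain letters, digits and underscores, so they should read `peerA_local="fd00:12:34:A::1"`, `peerA_remote="fd00:12:34:A::2"` and `peerA_ASN="4242425678"`, with the `listen on`, `neighbor` and `remote-as` lines referencing `$peerA_local`, `$peerA_remote` and `$peerA_ASN`. The chosen addresses also contradict the "/127 transfer net" stated in the Setup section: `fd00:12:34:A::1` and `fd00:12:34:A::2` sit in different /127s (`::0/127` covers `::0` and `::1`, `::2/127` covers `::2` and `::3`), so either use `::0` and `::1` (or `::2` and `::3`) or state a larger prefix length. The hunk contains no filter rules at all, and current OpenBGPD denies every prefix from and to EBGP neighbors by default, so as written nothing is exchanged with `peerA` and the `set large-community $ASN:1:1` tag on the `network prefix-set mynetworks` line is never matched by anything; the `# ROA` and `# Looking glass` headings are empty even though the Configuration section already tells the reader to "see the `ROA` section in this guide", and the promised "ROA validation and other safety measurements" are not in the file. Either add the `roa-set` include, explicit `allow to ebgp ... large-community $ASN:1:1` / `deny` rules and a `max-prefix` limit on the neighbor in this commit, or mark both sections as TODO so the intro does not overstate what the config does. Minor wording while touching the prose: "to better illustrate of this setup", "The local peer's announcements is then defined" and "its ASN and transfer ULA is required".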