This guide describes a simple configuration for OpenBGPD running on OpenBSD. The portable version should run with little to no configuration changes on other operating systems as well.
Setup
Only IPv6 is used for the sake of simplicity. Neighbors use ULA addresses (/127 transfer net) assigned from one of the peer's allocation.
The goal is to have a small, yet complete setup for all peers with ROA validation and other safety measures in place.
Configuration
/etc/bgpd.conf
contains all information and may include further (automatically generated) files, as is done in this guide.
As per the manual, configuration is divided into logical sections; /etc/examples/bgpd.conf
is a complete and commented example which this guide is roughly based on.
By default, bgpd(8) listens on all local addresses (on the current default routing domain
), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate this setup.
local host
Information such as ASN, router ID and allocated networks are required:
# macros
ASN="4242421234"
# global configuration
AS $ASN
router-id 1.2.3.4
prefix-set mynetworks {
fd00:12:34::/48
}
These can be used in subsequent filter rules. The local peer's announcements is then defined as follows:
# Generate routes for the networks our ASN will originate.
# The communities (read 'tags') are later used to match on what
# is announced to EBGP neighbors
network prefix-set mynetworks set large-community $ASN:1:1
neighbors
For each neighbor its ASN and transfer ULA is required. An optional description is provided such that bgpctl(8) for example can be used with mnemonic names instead of AS numbers:
# peer A, transport over IPSec/GRE
$A_local="fd00:12:34:A::1"
$A_remote="fd00:12:34:A::2"
$A_ASN="4242425678"
listen on $A_local
neighbor $A_remote {
remote-as $A_ASN
descr "A"
}
filter rules
bgpd blocks all BGP UPDATE messages by default. The filter rules are evaluated in sequential order, from first to last. The last matching allow or deny rule decides what action is taken.
Start off with basic protection and sanity rules:
# deny more-specifics of our own originated prefixes
deny quick from ebgp prefix-set mynetworks or-longer
# filter out too long paths, establish more peerings instead
deny quick from any max-as-len 8
quick
rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
Allow own announcements:
# Outbound EBGP: only allow self originated networks to ebgp peers
# Don't leak any routes from upstream or peering sessions. This is done
# by checking for routes that are tagged with the large-community $ASN:1:1
allow to ebgp prefix-set mynetworks large-community $ASN:1:1
Allow all remaining UPDATES based on Origin Validation States:
# enforce ROA
allow from ebgp ovs valid
Note how the ovs
filter requires the roa-set {...}
to be defined; see the ROA
section below.
path attributes
Besides allow
and deny
statements, filter rules can modify UPDATE messages, e.g.
# Scrub normal and large communities relevant to our ASN from EBGP neighbors
# https://tools.ietf.org/html/rfc7454#section-11
match from ebgp set { large-community delete $ASN:*:* }
# Honor requests to gracefully shutdown BGP sessions
# https://tools.ietf.org/html/rfc8326
match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
ROA
An roa-set can be generated from the registry directly or you can use the following pre-built tables.
One single roa-set
may be defined, against which bgpd will validate the origin of each prefix; this allows filter rules to use the ovs
keyword as demonstrated above.
ROA files generated by dn42regsrv are available from burble.dn42:
URL | IPv4/IPv6 |
---|---|
https://dn42.burble.com/roa/dn42_roa_obgpd_46.conf | Both |
https://dn42.burble.com/roa/dn42_roa_obgpd_4.conf | IPv4 Only |
https://dn42.burble.com/roa/dn42_roa_obgpd_6.conf | IPv6 Only |
/etc/dn42.roa-set
is the generated set:
roa-set {
fd00:12:34::/48 source-as 4242421234
fd00:ab:cd::/44 maxlen 64 source-as 4242427890
...
}
Include it in /etc/bgpd.conf
:
# defines roat-set, see _rpki-client crontab
include "/etc/dn42.roa-set"
Looking glass
This is mostly OpenBSD specific since bgplg(8) and httpd(8) ship as part of the operating system. The bgplg manual contains the few steps and example httpd.conf(5) required to enable the looking glass.
See https://t4-2.high5.nl/bgplg for a running instance operating within DN42.