Changes in a87bfd6: complete filter rules

				howto/OpenBGPD.md
			
          @@ -8,7 +8,7 @@ Neighbors use ULA addresses (/127 transfer net) assigned from one of the peer's 

           The goal is to have a small, yet complete setup for all peers with ROA validation and other safety measurements in place.

           # Configuration

          -[`/etc/bgpd.conf`](https://man.openbsd.org/bgpd.conf.5) contains all information and includes generated pieces such as ROA sets;  see the `ROA` section in this guide.

          +[`/etc/bgpd.conf`](https://man.openbsd.org/bgpd.conf.5) contains all information and may include further (automatically generated) files, as is done in this guide.

           As per the manual, configuration is divided into logical sections;  [`/etc/examples/bgpd.conf`](http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/examples/bgpd.conf?rev=HEAD&content-type=text/plain&only_with_tag=MAIN) is a complete and commented example which this guide is roughly based on.

          @@ -71,18 +71,40 @@ deny quick from any max-as-len 8

           `quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.

          -Next IBGP as well as our own __UPDATES__ are allowed:

          +Allow own announcements:

           ```

          -# IBGP: allow all updates to and from our IBGP neighbors

          -allow from ibgp

          -allow to ibgp

          -

           # Outbound EBGP: only allow self originated networks to ebgp peers

           # Don't leak any routes from upstream or peering sessions. This is done

           # by checking for routes that are tagged with the large-community $ASN:1:1

           allow to ebgp prefix-set kn large-community $ASN:1:1

           ```

          +Allow all remaining UPDATES based on __O_rigin __V__alidation __S__tates:

          +```

          +# enforce ROA

          +allow from ebgp ovs valid

          +```

          +

          +Note how the `ovs` filter requires the `roa-set {...}` to be defined;  see the `ROA` section below.

          +

          +### path attributes

          +Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g.

          +```

          +# Scrub normal and large communities relevant to our ASN from EBGP neighbors

          +# https://tools.ietf.org/html/rfc7454#section-11

          +match from ebgp set { large-community delete $ASN:*:* }

          +

          +# Honor requests to gracefully shutdown BGP sessions

          +# https://tools.ietf.org/html/rfc8326

          +match from any community GRACEFUL_SHUTDOWN set { localpref 0 }

          +```

          +

          +Misbehaving peers can be adjusted;  for example Bird on FreeBSD is known to sometimes announce routes with incorrect `nexthop` attributes:

          +```

          +# XXX otherwise routes are installed with ::/128 nexthop

          +match from AS $A-ASN set { nexthop $A-remote }

          +```

          +

           # ROA

           # Looking glass

          \ No newline at end of file

...	...	@@ -8,7 +8,7 @@ Neighbors use ULA addresses (/127 transfer net) assigned from one of the peer's
8	8	The goal is to have a small, yet complete setup for all peers with ROA validation and other safety measurements in place.
9	9
10	10	# Configuration
11		-[`/etc/bgpd.conf`](https://man.openbsd.org/bgpd.conf.5) contains all information and includes generated pieces such as ROA sets; see the `ROA` section in this guide.
	11	+[`/etc/bgpd.conf`](https://man.openbsd.org/bgpd.conf.5) contains all information and may include further (automatically generated) files, as is done in this guide.
12	12
13	13	As per the manual, configuration is divided into logical sections; [`/etc/examples/bgpd.conf`](http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/examples/bgpd.conf?rev=HEAD&content-type=text/plain&only_with_tag=MAIN) is a complete and commented example which this guide is roughly based on.
14	14
...	...	@@ -71,18 +71,40 @@ deny quick from any max-as-len 8
71	71
72	72	`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
73	73
74		-Next IBGP as well as our own __UPDATES__ are allowed:
	74	+Allow own announcements:
75	75	```
76		-# IBGP: allow all updates to and from our IBGP neighbors
77		-allow from ibgp
78		-allow to ibgp
79		-
80	76	# Outbound EBGP: only allow self originated networks to ebgp peers
81	77	# Don't leak any routes from upstream or peering sessions. This is done
82	78	# by checking for routes that are tagged with the large-community $ASN:1:1
83	79	allow to ebgp prefix-set kn large-community $ASN:1:1
84	80	```
85	81
	82	+Allow all remaining UPDATES based on __O_rigin __V__alidation __S__tates:
	83	+```
	84	+# enforce ROA
	85	+allow from ebgp ovs valid
	86	+```
	87	+
	88	+Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `ROA` section below.
	89	+
	90	+### path attributes
	91	+Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g.
	92	+```
	93	+# Scrub normal and large communities relevant to our ASN from EBGP neighbors
	94	+# https://tools.ietf.org/html/rfc7454#section-11
	95	+match from ebgp set { large-community delete $ASN:: }
	96	+
	97	+# Honor requests to gracefully shutdown BGP sessions
	98	+# https://tools.ietf.org/html/rfc8326
	99	+match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
	100	+```
	101	+
	102	+Misbehaving peers can be adjusted; for example Bird on FreeBSD is known to sometimes announce routes with incorrect `nexthop` attributes:
	103	+```
	104	+# XXX otherwise routes are installed with ::/128 nexthop
	105	+match from AS $A-ASN set { nexthop $A-remote }
	106	+```
	107	+
86	108	# ROA
87	109
88	110	# Looking glass
...	...	\ No newline at end of file