c10f1753f66fe911edbde4e94b1159207e2168d7
howto/OpenBGPD.md
| ... | ... | @@ -12,9 +12,9 @@ The goal is to have a small, yet complete setup for all peers with ROA validatio |
| 12 | 12 | |
| 13 | 13 | As per the manual, configuration is divided into logical sections; [`/etc/examples/bgpd.conf`](http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/examples/bgpd.conf?rev=HEAD&content-type=text/plain&only_with_tag=MAIN) is a complete and commented example which this guide is roughly based on. |
| 14 | 14 | |
| 15 | -By default, **bgpd** listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup. |
|
| 15 | +By default, [`bgpd(8)`](http://man.openbsd.org/bgpd.8) listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup. |
|
| 16 | 16 | |
| 17 | -## local peer |
|
| 17 | +## local host |
|
| 18 | 18 | Information such as ASN, router ID and allocated networks are required: |
| 19 | 19 | ``` |
| 20 | 20 | # macros |
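Review bot: the `bgpd(8)` link is an improvement, but since this hunk already rewrites line 15, the grammar slip in the unchanged tail of that sentence should go with it: "to better illustrate of this setup" reads "to better illustrate this setup". The heading rename from "local peer" to "local host" is sensible, since that section describes our own ASN, router ID and networks rather than a neighbor; the line-18 text "Information such as ASN, router ID and allocated networks are required:" should then agree in number, i.e. "is required".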
| ... | ... | @@ -42,17 +42,47 @@ network prefix-set mynetworks set large-community $ASN:1:1 |
| 42 | 42 | For each neighbor its ASN and transfer ULA is required. |
| 43 | 43 | An optional description is provided such that [`bgpctl`](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers: |
| 44 | 44 | ``` |
| 45 | -$peerA-local="fd00:12:34:A::1" |
|
| 46 | -$peerA-remote="fd00:12:34:A::2" |
|
| 47 | -$peerA-ASN="4242425678" |
|
| 45 | +# peer A, transport over IPSec/GRE |
|
| 46 | +$A-local="fd00:12:34:A::1" |
|
| 47 | +$A-remote="fd00:12:34:A::2" |
|
| 48 | +$A-ASN="4242425678" |
|
| 48 | 49 | |
| 49 | -listen on $peerA-local |
|
| 50 | -neighbor $peerA-remote { |
|
| 51 | - remote-as $peerA-ASN |
|
| 52 | - descr "peerA" |
|
| 50 | +listen on $A-local |
|
| 51 | + |
|
| 52 | +neighbor $A-remote { |
|
| 53 | + remote-as $A-ASN |
|
| 54 | + descr "A" |
|
| 53 | 55 | } |
| 54 | 56 | ``` |
| 55 | 57 | |
| 58 | +## filter rules |
|
| 59 | +**bgpd** blocks all BGP __UPDATE__ messages by default. |
|
| 60 | +The filter rules are evaluated in sequential order, form first to last. |
|
| 61 | +The last matching allow or deny rule decides what action is taken. |
|
| 62 | + |
|
| 63 | +Start off with basic protection and sanity rules: |
|
| 64 | +``` |
|
| 65 | +# deny more-specifics of our own originated prefixes |
|
| 66 | +deny quick from ebgp prefix-set mynetworks or-longer |
|
| 67 | + |
|
| 68 | +# filter out too long paths, establish more peerings instead |
|
| 69 | +deny quick from any max-as-len 8 |
|
| 70 | +``` |
|
| 71 | + |
|
| 72 | +`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped. |
|
| 73 | + |
|
| 74 | +Next IBGP as well as our own __UPDATES__ are allowed: |
|
| 75 | +``` |
|
| 76 | +# IBGP: allow all updates to and from our IBGP neighbors |
|
| 77 | +allow from ibgp |
|
| 78 | +allow to ibgp |
|
| 79 | + |
|
| 80 | +# Outbound EBGP: only allow self originated networks to ebgp peers |
|
| 81 | +# Don't leak any routes from upstream or peering sessions. This is done |
|
| 82 | +# by checking for routes that are tagged with the large-community $ASN:1:1 |
|
| 83 | +allow to ebgp prefix-set kn large-community $ASN:1:1 |
|
| 84 | +``` |
|
| 85 | + |
|
| 56 | 86 | # ROA |
| 57 | 87 | |
| 58 | 88 | # Looking glass |
| ... | ... | \ No newline at end of file |
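Review bot: the outbound EBGP rule at new line 83, `allow to ebgp prefix-set kn large-community $ASN:1:1`, references a prefix-set `kn` that is defined nowhere in this file; the set populated at line 42 (`network prefix-set mynetworks set large-community $ASN:1:1`) and used at new line 66 is `mynetworks`, so `kn` looks like a leftover and the rule should read `allow to ebgp prefix-set mynetworks large-community $ASN:1:1`, otherwise the config fails to load or, worse, exports nothing. Two smaller points in the same hunk: "form first to last" at new line 60 is a typo for "from first to last", and the macro rename keeps the hyphenated names (`$A-local`, `$A-remote`, `$A-ASN`); bgpd.conf(5) documents macro names as letters, digits and underscores only, so please double-check that `$A-local` is not parsed as `$A` followed by `-local`; `$A_local` would avoid the question entirely (this predates the change, but the hunk rewrites those lines anyway). Finally, as the filter section stands there is no inbound `allow from ebgp` rule at all, so every route learned from peer A is dropped; if that is intentionally deferred to the ROA section, a one-line remark after the last fence would stop readers from deploying an incomplete ruleset.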