1# $OpenBSD: bgpd.conf,v 1.15 2018/11/17 17:22:38 deraadt Exp $
2# example bgpd configuration file, see bgpd.conf(5)
3
4# define our own ASN as a macro
5ASN="65001"
6
7# global configuration
8AS $ASN
9router-id 192.0.2.1
10
11# list of networks that may be originated by our ASN
12prefix-set mynetworks {		\
13	192.0.2.0/24		\
14	2001:db8:abcd::/48	\
15}
16
17# define bogon prefixes that should never appear in the DFZ (default-free zone)
18prefix-set bogons {
19	0.0.0.0/8 or-longer		# 'this' network [RFC1122]
20	10.0.0.0/8 or-longer		# private space [RFC1918]
21	100.64.0.0/10 or-longer		# CGN Shared [RFC6598]
22	127.0.0.0/8 or-longer		# localhost [RFC1122]
23	169.254.0.0/16 or-longer	# link local [RFC3927]
24	172.16.0.0/12 or-longer		# private space [RFC1918]
25	192.0.2.0/24 or-longer		# TEST-NET-1 [RFC5737]
26	192.88.99.0/24 or-longer	# 6to4 anycast relay [RFC7526]
27	192.168.0.0/16 or-longer	# private space [RFC1918]
28	198.18.0.0/15 or-longer		# benchmarking [RFC2544]
29	198.51.100.0/24 or-longer	# TEST-NET-2 [RFC5737]
30	203.0.113.0/24 or-longer	# TEST-NET-3 [RFC5737]
31	224.0.0.0/4 or-longer		# multicast
32	240.0.0.0/4 or-longer		# reserved for future use
33	::/8 or-longer			# RFC 4291 IPv4-compatible, loopback, et al
34	0100::/64 or-longer		# Discard-Only [RFC6666]
35	2001:2::/48 or-longer		# BMWG [RFC5180]
36	2001:10::/28 or-longer		# ORCHID [RFC4843]
37	2001:db8::/32 or-longer		# docu range [RFC3849]
38	2002::/16 or-longer		# 6to4 anycast relay [RFC7526]
39	3ffe::/16 or-longer		# old 6bone
40	fc00::/7 or-longer		# unique local unicast
41	fe80::/10 or-longer		# link local unicast
42	fec0::/10 or-longer		# old site local unicast
43	ff00::/8 or-longer		# multicast
44}
45
46# Generate routes for the networks our ASN will originate.
47# The large-community (read 'tag') set here is later used to match on what
48# is announced to EBGP neighbors
49network prefix-set mynetworks set large-community $ASN:1:1
50
51# assume a simple network with 3 routers in an IBGP full mesh
52group "ibgp mesh v4" {
53	remote-as $ASN
54	# use the loopback address for IBGP sessions; assume it is distributed via OSPF
55	local-address 192.0.2.1
56	neighbor 192.0.2.2		# router 2 ipv4
57	neighbor 192.0.2.3		# router 3 ipv4
58}
59# define the IPv6 IBGP sessions
60group "ibgp mesh v6" {
61	remote-as $ASN
62	local-address 2001:db8:abcd::1
63	neighbor 2001:db8:abcd::2	# router 2 ipv6
64	neighbor 2001:db8:abcd::3	# router 3 ipv6
65}
66
67# upstream providers (EBGP); consider per-neighbor max-prefix limits, see bgpd.conf(5)
68group "upstreams" {
69	neighbor 203.0.113.1 {
70		remote-as 65002
71		descr "IPv4 Transit Provider A"
72	}
73	neighbor 198.51.100.0 {
74		remote-as 65123
75		descr "IPv4 Transit provider B"
76	}
77	neighbor 2001:db8:666::2 {
78		remote-as 65123
79		descr "IPv6 Transit provider B"
80	}
81}
82
83## rules section
84
85# uncomment the following two lines to accept a default route from upstreams
86#allow from group upstreams prefix 0.0.0.0/0
87#allow from group upstreams prefix ::/0
88
89### for simple BGP setups, no editing below this line is required ###
90
91# Outbound EBGP: only announce our self-originated networks to EBGP peers.
92# Don't leak any routes learned from upstream or peering sessions. This is done
93# by only allowing routes in prefix-set mynetworks that are also tagged with
94# the large-community $ASN:1:1
94allow to ebgp prefix-set mynetworks large-community $ASN:1:1
95
96# deny our own originated prefixes, and any more-specifics of them, when received from EBGP peers
97deny quick from ebgp prefix-set mynetworks or-longer
98
99# IBGP: allow all updates to and from our IBGP neighbors
100allow from ibgp
101allow to ibgp
102
103# Scrub normal and large communities in our ASN's range from EBGP neighbors,
104# so peers cannot inject tags our own policy acts on; see https://tools.ietf.org/html/rfc7454#section-11
105match from ebgp set { community delete $ASN:* }
106match from ebgp set { large-community delete $ASN:*:* }
107
108# Only accept IPv4 prefixes between 8 and 24 bits and IPv6 prefixes between
109# 16 and 48 bits long; prefixes outside these ranges are not allowed by these rules.
110allow from any inet prefixlen 8 - 24
111allow from any inet6 prefixlen 16 - 48
112
113# Honor requests to gracefully shut down BGP sessions
114# https://tools.ietf.org/html/rfc8326
115match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
116
117deny quick from any prefix-set bogons
118
119# filter bogon AS numbers
120# AS_TRANS (23456) is not supposed to show up in any AS path and indicates a
121# misconfiguration. Additionally, private or reserved ASNs have no place in
122# the public DFZ. http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
123deny quick from any AS 23456
124deny quick from any AS 64496 - 131071
125deny quick from any AS 4200000000 - 4294967295
126
127# filter out excessively long AS paths
128deny from any max-as-len 100
129