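# $OpenBSD: bgpd.conf,v 1.1 2014/07/11 17:10:30 henning Exp $
# sample bgpd configuration file
# see bgpd.conf(5)
#
# Every secret in this file (md5 passwords, md5 keys, manual IPsec keys)
# is a throwaway placeholder. Replace each with a fresh, per-peer value
# before use; do not copy them into a production router.

# macros
peer1="10.1.0.2"
peer2="10.1.0.3"

# global configuration
AS 65001
router-id 10.0.0.1
# holdtime 180
# holdtime min 3
# bgpd listens on all local addresses unless "listen on" is given;
# pin it to the interfaces that actually face peers.
# listen on 127.0.0.1
# listen on ::1
# fib-update no
# route-collector no
# log updates
# network 10.0.1.0/24

# restricted socket for bgplg(8)
# "restricted" limits this socket to read-only show-style requests, so
# exposing it under the www chroot does not hand the web server control
# of the daemon (confirm the accepted command set against bgpd.conf(5)).
# socket "/var/www/run/bgpd.rsock" restricted

# neighbors and peers
group "peering AS65002" {
	remote-as 65002
	neighbor $peer1 {
		descr "AS 65001 peer 1"
		# only our own networks are announced to this peer
		announce self
		# TCP MD5 (RFC 2385) authenticates the session; it does not
		# encrypt. Use a long random per-peer password, not this one.
		tcp md5sig password mekmitasdigoat
	}
	neighbor $peer2 {
		descr "AS 65001 peer 2"
		# "announce all" also re-announces routes learned from the
		# other peers and upstreams below, i.e. this peer is given
		# transit. Use "announce self" unless that is intended.
		announce all
		local-address 10.0.0.8
		# session protected by IKE-negotiated ESP (keys via isakmpd)
		ipsec esp ike
	}
}

group "peering AS65042" {
	descr "peering AS 65042"
	local-address 10.0.0.8
	ipsec ah ike
	# NOTE(review): no remote-as is pinned in this group — confirm that
	# is intended rather than lost from the sample.
	neighbor 10.2.0.1
	neighbor 10.2.0.2
}

neighbor 10.0.1.0 {
	remote-as 65003
	descr upstream
	# peer is two hops away; TTL protection does not apply here
	multihop 2
	local-address 10.0.0.8
	# never initiate; wait for the upstream to connect
	passive
	holdtime 180
	holdtime min 3
	# nothing is announced to this upstream; we only receive from it
	announce none
	# bound the number of prefixes accepted from this peer so a leak
	# or full-table dump tears the session down instead of filling
	# the RIB; pick a limit above the expected table size.
	# max-prefix 600000 restart 15
	# hex-form MD5 key; placeholder, replace before use
	tcp md5sig key deadbeef
}

neighbor 10.0.2.0 {
	remote-as 65004
	descr upstream2
	local-address 10.0.0.8
	ipsec ah ike
}

# prefix neighbor: any host in 10.0.0.0/24 may bring up a session using
# this block. No remote-as is pinned and no md5sig/ipsec protects it, so
# keep the range to hosts you control or add authentication.
neighbor 10.0.0.0/24 {
	descr "template for local peers"
}

neighbor 10.2.1.1 {
	remote-as 65023
	local-address 10.0.0.8
	# manually keyed ESP: keys never rotate and the same SPI/key pair
	# must be configured on the peer. Prefer "ipsec esp ike"; if manual
	# keys are unavoidable, generate fresh random keys (these are
	# placeholders) and keep this file mode 0600.
	ipsec esp in spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
		aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
	ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
		aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
}

# Filter rules are evaluated in order and the last matching rule wins,
# so the specific denies further down override the broad allows here.
# These rules only filter what is received ("from"); what is sent is
# governed by each neighbor's "announce" setting.
#
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6.
deny from any
allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48

# accept a default route (since the previous rule blocks this)
#allow from any prefix 0.0.0.0/0
#allow from any prefix ::/0

# filter bogus networks according to RFC5735
deny from any prefix 0.0.0.0/8 prefixlen >= 8		# 'this' network [RFC1122]
deny from any prefix 10.0.0.0/8 prefixlen >= 8		# private space [RFC1918]
deny from any prefix 100.64.0.0/10 prefixlen >= 10	# CGN Shared [RFC6598]
deny from any prefix 127.0.0.0/8 prefixlen >= 8		# localhost [RFC1122]
deny from any prefix 169.254.0.0/16 prefixlen >= 16	# link local [RFC3927]
deny from any prefix 172.16.0.0/12 prefixlen >= 12	# private space [RFC1918]
deny from any prefix 192.0.2.0/24 prefixlen >= 24	# TEST-NET-1 [RFC5737]
deny from any prefix 192.168.0.0/16 prefixlen >= 16	# private space [RFC1918]
deny from any prefix 198.18.0.0/15 prefixlen >= 15	# benchmarking [RFC2544]
deny from any prefix 198.51.100.0/24 prefixlen >= 24	# TEST-NET-2 [RFC5737]
deny from any prefix 203.0.113.0/24 prefixlen >= 24	# TEST-NET-3 [RFC5737]
deny from any prefix 224.0.0.0/4 prefixlen >= 4		# multicast
deny from any prefix 240.0.0.0/4 prefixlen >= 4		# reserved

# filter bogus IPv6 networks according to IANA
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 0100::/64 prefixlen >= 64		# Discard-Only [RFC6666]
deny from any prefix 2001:2::/48 prefixlen >= 48	# BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28	# ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32	# docu range [RFC3849]
deny from any prefix 3ffe::/16 prefixlen >= 16		# old 6bone
deny from any prefix fc00::/7 prefixlen >= 7		# unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10		# link local unicast
deny from any prefix fec0::/10 prefixlen >= 10		# old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8		# multicast

# Note: nothing above rejects our own prefixes or our own AS in the
# path when learned back from a peer; add "deny from any prefix
# <our net> prefixlen >= N" rules for the networks this router
# originates once they are known.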