
Annotation of src/etc/bgpd.conf, Revision 1.11

1.11    ! claudio     1: # $OpenBSD: bgpd.conf,v 1.10 2010/10/13 08:27:44 sthen Exp $
1.1       henning     2: # sample bgpd configuration file
                      3: # see bgpd.conf(5)
                      4:
                      5: #macros
1.5       henning     6: peer1="10.1.0.2"       # macros, expanded as $peer1/$peer2 in the group below; sample addresses
                      7: peer2="10.1.0.3"
1.1       henning     8:
                      9: # global configuration
                     10: AS 65001                       # the local autonomous system number
1.2       henning    11: router-id 10.0.0.1             # BGP identifier; must differ from every peer's
1.7       henning    12: # holdtime 180                 # seconds without a message before a session is torn down
                     13: # holdtime min 3               # lowest holdtime accepted from a peer
                     14: # listen on 127.0.0.1          # restrict the listening addresses (default is all addresses, see bgpd.conf(5))
                     15: # listen on ::1
                     16: # fib-update no                # keep learned routes out of the kernel routing table
                     17: # route-collector no
1.2       henning    18: # log updates                  # log every received UPDATE; noisy on full feeds
1.3       henning    19: # network 10.0.1.0/24          # prefix originated by this router; this is what "announce self" exports
1.10      sthen      20:
                     21: # restricted socket for bgplg(8); a restricted socket accepts only the read-only
                         # bgpctl(8) commands, which is why it can be placed where the web server reaches it
                     22: # socket "/var/www/logs/bgpd.rsock" restricted
1.1       henning    23:
                     24: # neighbors and peers
                     25: group "peering AS65002" {              # group settings apply to every neighbor inside it
                     26:        remote-as 65002                 # OPENs announcing another AS are rejected
                     27:        neighbor $peer1 {
                     28:                descr   "AS 65001 peer 1"
1.3       henning    29:                announce self           # export only prefixes this router originates (network statements)
                     30:                tcp md5sig password mekmitasdigoat      # TCP MD5 signature option (RFC2385); sample secret, replace it and use the same value on the peer
1.1       henning    31:        }
                     32:        neighbor $peer2 {
1.5       henning    33:                descr "AS 65001 peer 2"
1.3       henning    34:                announce all            # export everything; note the filter section below has no outbound ("to") rules
1.5       henning    35:                local-address 10.0.0.8  # source address of the session; needed when ipsec is configured
                     36:                ipsec esp ike           # protect the session with IPsec ESP, keys negotiated by IKE (isakmpd(8) must run on both ends)
1.1       henning    37:        }
                     38: }
                     39:
1.5       henning    40: group "peering AS65042" {
                     41:        descr "peering AS 65042"
                     42:        local-address 10.0.0.8          # inherited by both neighbors below
                     43:        ipsec ah ike                    # IPsec AH: authenticated but not encrypted, keys negotiated by IKE
                     44:        neighbor 10.2.0.1               # NOTE(review): no remote-as at group or neighbor level; confirm in
                     45:        neighbor 10.2.0.2               # bgpd.conf(5) which remote AS these sessions will accept
                     46: }
                     47:
1.1       henning    48: neighbor 10.0.1.0 {
                     49:        remote-as       65003
                     50:        descr           upstream
                     51:        multihop        2               # peer is not directly connected; TTL used for the session
1.2       henning    52:        local-address   10.0.0.8
                     53:        passive                         # never initiate; wait for the peer to connect
1.3       henning    54:        holdtime        180             # per-neighbor override of the global holdtime settings
                     55:        holdtime min    3
                     56:        announce        none            # receive-only: nothing is exported to this peer
                     57:        tcp md5sig key  deadbeef        # MD5 signature with a hex-encoded key; sample value, replace it
1.5       henning    58: }
                     59:
                     60: neighbor 10.0.2.0 {
                     61:        remote-as       65004
                     62:        descr           upstream2
                     63:        local-address   10.0.0.8        # needed when ipsec is configured
                     64:        ipsec ah ike                    # authenticated (not encrypted) session, keys negotiated by IKE
                     65: }
                     66:
                     67: neighbor 10.0.0.0/24 {                 # a prefix makes this a template: any host in 10.0.0.0/24 may open a session
                     68:        descr           "template for local peers"      # NOTE(review): no remote-as here; check which AS is accepted
1.6       henning    69: }
                     70:
                     71: neighbor 10.2.1.1 {
                     72:        remote-as 65023
                     73:        local-address 10.0.0.8
                                # manually keyed IPsec ESP: one SA per direction, each with its SPI, the
                                # sha1 authentication key and the aes encryption key.  These sample keys
                                # ship with the OS and are public; generate fresh ones, and since they
                                # live in this file keep it unreadable to other users.
                     74:        ipsec esp in  spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
                     75:            aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
                     76:        ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
                     77:            aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
1.1       henning    78: }
                     79:
1.11    ! claudio    80: # filter out prefixes longer than 24 or shorter than 8 bits for IPv4
        !            81: # and longer than 48 or shorter than 16 bits for IPv6.
                         # Rules are evaluated in order and the last matching rule wins: the
                         # "deny from any" default is overridden by the two allows, and those in
                         # turn by the more specific bogon denies further down.  "from any" only
                         # covers UPDATEs received from peers; no "to" rule limits what is sent.
1.4       henning    82: deny from any
1.8       claudio    83: allow from any inet prefixlen 8 - 24
1.11    ! claudio    84: allow from any inet6 prefixlen 16 - 48
1.4       henning    85:
1.9       claudio    86: # accept a default route (since the previous rule blocks this)
                     87: #allow from any prefix 0.0.0.0/0
1.4       henning    88:
1.11    ! claudio    89: # filter bogus networks according to RFC5735
                         # "prefixlen >= N" matches the block itself and every more-specific prefix
                         # within it.  Special-use ranges assigned after this list was written
                         # (for example 100.64.0.0/10, RFC6598) are not covered; check the current
                         # IANA special-purpose address registry before reusing the list.
        !            90: deny from any prefix 0.0.0.0/8 prefixlen >= 8          # "this" network
1.4       henning    91: deny from any prefix 10.0.0.0/8 prefixlen >= 8         # private (RFC1918)
1.11    ! claudio    92: deny from any prefix 127.0.0.0/8 prefixlen >= 8        # loopback
        !            93: deny from any prefix 169.254.0.0/16 prefixlen >= 16    # link local
1.4       henning    94: deny from any prefix 172.16.0.0/12 prefixlen >= 12     # private (RFC1918)
1.11    ! claudio    95: deny from any prefix 192.0.2.0/24 prefixlen >= 24      # documentation, TEST-NET-1
1.4       henning    96: deny from any prefix 192.168.0.0/16 prefixlen >= 16    # private (RFC1918)
1.11    ! claudio    97: deny from any prefix 198.18.0.0/15 prefixlen >= 15     # benchmarking
        !            98: deny from any prefix 198.51.100.0/24 prefixlen >= 24   # documentation, TEST-NET-2
        !            99: deny from any prefix 203.0.113.0/24 prefixlen >= 24    # documentation, TEST-NET-3
1.4       henning   100: deny from any prefix 224.0.0.0/4 prefixlen >= 4        # multicast
                    101: deny from any prefix 240.0.0.0/4 prefixlen >= 4        # reserved
1.11    ! claudio   102:
        !           103: # filter bogus IPv6 networks according to IANA
                         # as above, each rule also catches every more-specific prefix inside the block
        !           104: deny from any prefix ::/8 prefixlen >= 8               # unspecified, loopback, IPv4-mapped, ...
        !           105: deny from any prefix 2001:db8::/32 prefixlen >= 32     # documentation range [RFC3849]
        !           106: deny from any prefix 2001:10::/28 prefixlen >= 28      # ORCHID [RFC4843]
        !           107: deny from any prefix 3ffe::/16 prefixlen >= 16         # old 6bone
        !           108: deny from any prefix fc00::/7 prefixlen >= 7           # unique local unicast
        !           109: deny from any prefix fe80::/10 prefixlen >= 10         # link local unicast
        !           110: deny from any prefix fec0::/10 prefixlen >= 10         # old site local unicast
        !           111: deny from any prefix ff00::/8 prefixlen >= 8           # multicast