What do you have $my_ip4_net and $my_ip6_net set to? I assume the IPv4 and IPv6 blocks that the IX is using?
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

----- Original Message -----

From: "Hrvoje Popovski" <hrv...@srce.hr>
To: misc@openbsd.org
Sent: Wednesday, April 15, 2015 4:34:19 AM
Subject: Re: OpenBGPd Route Server

On 15.4.2015. 5:23, Mike Hammett wrote:
> With the decline of OpenBGPd's popularity among IXPs, it's difficult to track
> down examples of how IXPs are configuring their servers. I saw a couple
> presentations in the 2010 - 2011 timeframe with new things that were coming
> for 32 bit communities among other things.
>
> I have a route server config that is functional, but I'm sure I'm missing out
> on things. Anything out there on current best practices for this situation?
> What I have I pieced together from an AMS-IX presentation and a forum\mailing
> list thread. Well, and the sample config.
>

Hi,

I hope that this configuration will be good enough as a starting point....

AS $my_as
router-id $my_ip4

listen on $my_ip4
listen on $my_ip6

holdtime 180
holdtime min 3
fib-update no
log updates
nexthop qualify via bgp
transparent-as yes
socket "/var/www/run/bgpd.rsock" restricted

group rsip4 {
	local-address $my_ip4
	announce IPv6 none
	announce IPv4 unicast
	set nexthop no-modify
	enforce neighbor-as yes
	announce all

	#first_peer - IP4
	neighbor $first_peer_ip4 {
		remote-as $first_peer_as
		tcp md5sig password somepassword41
		max-prefix 1024 restart 5
		#optional passive
	}

	#second_peer - IP4
	neighbor $second_peer_ip4 {
		remote-as $second_peer_as
		tcp md5sig password somepassword42
		max-prefix 1024 restart 5
		#optional passive
	}
	....
}

group rsip6 {
	local-address $my_ip6
	announce IPv6 unicast
	announce IPv4 none
	set nexthop no-modify
	enforce neighbor-as yes
	announce all

	#first_peer - IP6
	neighbor $first_peer_ip6 {
		remote-as $first_peer_as
		tcp md5sig password somepassword61
		max-prefix 1024 restart 5
		#optional passive
	}

	#second_peer - IP6
	neighbor $second_peer_ip6 {
		remote-as $second_peer_as
		tcp md5sig password somepassword62
		max-prefix 1024 restart 5
		#optional passive
	}
	...
}

deny from any inet prefixlen 8 >< 24
deny from any inet6 prefixlen 16 >< 48

deny from any prefix 0.0.0.0/0
deny from any prefix 0.0.0.0/8 prefixlen >= 8		# 'this' network [RFC1122]
deny from any prefix 10.0.0.0/8 prefixlen >= 8		# private space [RFC1918]
deny from any prefix 100.64.0.0/10 prefixlen >= 10	# CGN Shared [RFC6598]
deny from any prefix 127.0.0.0/8 prefixlen >= 8		# localhost [RFC1122]
deny from any prefix 169.254.0.0/16 prefixlen >= 16	# link local [RFC3927]
deny from any prefix 172.16.0.0/12 prefixlen >= 12	# private space [RFC1918]
deny from any prefix 192.0.2.0/24 prefixlen >= 24	# TEST-NET-1 [RFC5737]
deny from any prefix 192.168.0.0/16 prefixlen >= 16	# private space [RFC1918]
deny from any prefix 198.18.0.0/15 prefixlen >= 15	# benchmarking [RFC2544]
deny from any prefix 198.51.100.0/24 prefixlen >= 24	# TEST-NET-2 [RFC5737]
deny from any prefix 203.0.113.0/24 prefixlen >= 24	# TEST-NET-3 [RFC5737]
deny from any prefix 224.0.0.0/4 prefixlen >= 4		# multicast
deny from any prefix 240.0.0.0/4 prefixlen >= 4		# reserved

deny from any prefix ::/0
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 0100::/64 prefixlen >= 64		# Discard-Only [RFC6666]
deny from any prefix 2001:2::/48 prefixlen >= 48	# BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28	# ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32	# docu range [RFC3849]
deny from any prefix 3ffe::/16 prefixlen >= 16		# old 6bone
deny from any prefix fc00::/7 prefixlen >= 7		# unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10		# link local unicast
deny from any prefix fec0::/10 prefixlen >= 10		# old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8		# multicast

# match any with community
match from any set community $my_as:65000

# community politics
deny to { group rsip4, group rsip6 } community $my_as:65000
deny to { group rsip4, group rsip6 } community 0:$my_as
allow to { group rsip4, group rsip6 } community $my_as:$my_as
deny to { group rsip4, group rsip6 } community 0:neighbor-as
allow to { group rsip4, group rsip6 } community $my_as:neighbor-as

match to group rsip4 prefix $my_ip4_net set prepend-self 1
match to group rsip6 prefix $my_ip6_net set prepend-self 1
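As an added example (not part of this thread and not OpenBGPD code), here is a small Python evaluator for the bogon deny rules in the config above, handy for checking which announcements the filter would reject before loading it on a route server. It assumes bgpd's semantics that "prefixlen a >< b" matches lengths shorter than a or longer than b, that "prefixlen >= n" under a "prefix" matches that network and its more specifics, and that a bare "prefix X/y" without prefixlen is an exact match; the rule subset embedded below is constructed from the posted config.

```python
import ipaddress

# Constructed subset of the deny rules from the posted bgpd.conf.
RULES = """
deny from any inet prefixlen 8 >< 24
deny from any inet6 prefixlen 16 >< 48
deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix ::/0
deny from any prefix 2001:db8::/32 prefixlen >= 32
deny from any prefix fc00::/7 prefixlen >= 7
"""

def parse_rule(line):
    """Return (family, network, op, lo, hi) for one 'deny from any ...' rule."""
    t = line.split()
    if t[:3] != ["deny", "from", "any"]:
        raise ValueError("unsupported rule: " + line)
    fam, net, i = None, None, 3
    if t[i] in ("inet", "inet6"):          # family-only rule, no prefix
        fam, i = (4 if t[i] == "inet" else 6), i + 1
    elif t[i] == "prefix":                 # rule bound to a network
        net = ipaddress.ip_network(t[i + 1])
        fam, i = net.version, i + 2
    op, lo, hi = None, None, None
    if i < len(t) and t[i] == "prefixlen":
        if t[i + 2] == "><":               # except range: len < lo or len > hi
            op, lo, hi = "><", int(t[i + 1]), int(t[i + 3])
        else:                              # unary operator: >= <= > < = !=
            op, lo = t[i + 1], int(t[i + 2])
    return fam, net, op, lo, hi

def rule_matches(rule, route):
    """True if the parsed rule matches the announced route (an ip_network)."""
    fam, net, op, lo, hi = rule
    if route.version != fam:
        return False
    if net is not None and not route.subnet_of(net):
        return False
    plen = route.prefixlen
    if op is None:                         # bare 'prefix X/y' is an exact match
        return net is not None and plen == net.prefixlen
    if op == "><":
        return plen < lo or plen > hi
    return {">=": plen >= lo, "<=": plen <= lo, ">": plen > lo,
            "<": plen < lo, "=": plen == lo, "!=": plen != lo}[op]

def is_denied(prefix, rules=RULES):
    """True if any deny rule matches the given prefix string."""
    route = ipaddress.ip_network(prefix, strict=False)
    return any(rule_matches(parse_rule(l), route)
               for l in rules.strip().splitlines())
```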