On 15.4.2015. 5:23, Mike Hammett wrote:
> With the decline of OpenBGPd's popularity among IXPs, it's difficult to track
> down examples of how IXPs are configuring their servers. I saw a couple
> presentations in the 2010 - 2011 timeframe with new things that were coming
> for 32 bit communities among other things.
>
> I have a route server config that is functional, but I'm sure I'm missing out
> on things. Anything out there on current best practices for this situation?
> What I have I pieced together from an AMS-IX presentation and a forum/mailing
> list thread. Well, and the sample config.
>
>
Hi,
I hope that this configuration will be good enough as a starting point....
AS $my_as
router-id $my_ip4
listen on $my_ip4
listen on $my_ip6
holdtime 180
holdtime min 3
fib-update no
log updates
nexthop qualify via bgp
transparent-as yes
socket "/var/www/run/bgpd.rsock" restricted
group rsip4 {
    local-address $my_ip4
    announce IPv6 none
    announce IPv4 unicast
    set nexthop no-modify
    enforce neighbor-as yes
    announce all
    #first_peer - IP4
    neighbor $first_peer_ip4 {
        remote-as $first_peer_as
        tcp md5sig password somepassword41
        max-prefix 1024 restart 5 #optional
        passive
    }
    #second_peer - IP4
    neighbor $second_peer_ip4 {
        remote-as $second_peer_as
        tcp md5sig password somepassword42
        max-prefix 1024 restart 5 #optional
        passive
    }
    ....
}
group rsip6 {
    local-address $my_ip6
    announce IPv6 unicast
    announce IPv4 none
    set nexthop no-modify
    enforce neighbor-as yes
    announce all
    #first_peer - IP6
    neighbor $first_peer_ip6 {
        remote-as $first_peer_as
        tcp md5sig password somepassword61
        max-prefix 1024 restart 5 #optional
        passive
    }
    #second_peer - IP6
    neighbor $second_peer_ip6 {
        remote-as $second_peer_as
        tcp md5sig password somepassword62
        max-prefix 1024 restart 5 #optional
        passive
    }
    ...
}
deny from any inet prefixlen 8 >< 24
deny from any inet6 prefixlen 16 >< 48
deny from any prefix 0.0.0.0/0
deny from any prefix 0.0.0.0/8 prefixlen >= 8           # 'this' network [RFC1122]
deny from any prefix 10.0.0.0/8 prefixlen >= 8          # private space [RFC1918]
deny from any prefix 100.64.0.0/10 prefixlen >= 10      # CGN Shared [RFC6598]
deny from any prefix 127.0.0.0/8 prefixlen >= 8         # localhost [RFC1122]
deny from any prefix 169.254.0.0/16 prefixlen >= 16     # link local [RFC3927]
deny from any prefix 172.16.0.0/12 prefixlen >= 12      # private space [RFC1918]
deny from any prefix 192.0.2.0/24 prefixlen >= 24       # TEST-NET-1 [RFC5737]
deny from any prefix 192.168.0.0/16 prefixlen >= 16     # private space [RFC1918]
deny from any prefix 198.18.0.0/15 prefixlen >= 15      # benchmarking [RFC2544]
deny from any prefix 198.51.100.0/24 prefixlen >= 24    # TEST-NET-2 [RFC5737]
deny from any prefix 203.0.113.0/24 prefixlen >= 24     # TEST-NET-3 [RFC5737]
deny from any prefix 224.0.0.0/4 prefixlen >= 4         # multicast
deny from any prefix 240.0.0.0/4 prefixlen >= 4         # reserved
deny from any prefix ::/0
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 0100::/64 prefixlen >= 64          # Discard-Only [RFC6666]
deny from any prefix 2001:2::/48 prefixlen >= 48        # BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28       # ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32      # docu range [RFC3849]
deny from any prefix 3ffe::/16 prefixlen >= 16          # old 6bone
deny from any prefix fc00::/7 prefixlen >= 7            # unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10          # link local unicast
deny from any prefix fec0::/10 prefixlen >= 10          # old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8            # multicast
# match any with community
match from any set community $my_as:65000
# community politics
deny to { group rsip4, group rsip6 } community $my_as:65000
deny to { group rsip4, group rsip6 } community 0:$my_as
allow to { group rsip4, group rsip6 } community $my_as:$my_as
deny to { group rsip4, group rsip6 } community 0:neighbor-as
allow to { group rsip4, group rsip6 } community $my_as:neighbor-as
match to group rsip4 prefix $my_ip4_net set prepend-self 1
match to group rsip6 prefix $my_ip6_net set prepend-self 1
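The "community politics" block only works because bgpd evaluates every filter rule and lets the last match decide. The following Python is an added example, not part of the mail or of OpenBGPd: it re-implements those five rules so the export decision for a route with given communities towards a given peer can be checked offline. MY_AS (64512) and the peer ASNs 64601/64602 are constructed sample values.

```python
"""Offline check of the route server's 'community politics' block.

Added example (not from the mail or OpenBGPd): bgpd evaluates every filter
rule and the LAST match decides, which is what makes the five rules work.
MY_AS and the peer ASNs below are constructed sample values."""
from typing import Callable, FrozenSet, Iterable, List, Tuple

MY_AS = 64512              # stand-in for $my_as
MARKER = (MY_AS, 65000)    # $my_as:65000, stamped on every route at ingress
Community = Tuple[int, int]
Rule = Tuple[str, Callable[[FrozenSet[Community], int], bool]]

# Same order as the bgpd.conf excerpt; each entry is (action, match predicate).
RULES: List[Rule] = [
    ("deny",  lambda c, peer: MARKER in c),            # default: announce nothing
    ("deny",  lambda c, peer: (0, MY_AS) in c),        # 0:$my_as        -> nobody
    ("allow", lambda c, peer: (MY_AS, MY_AS) in c),    # $my_as:$my_as   -> everybody
    ("deny",  lambda c, peer: (0, peer) in c),         # 0:peer-as       -> not this peer
    ("allow", lambda c, peer: (MY_AS, peer) in c),     # $my_as:peer-as  -> this peer
]

def ingress(communities: Iterable[Community]) -> FrozenSet[Community]:
    """'match from any set community $my_as:65000': tag every accepted route."""
    return frozenset(communities) | {MARKER}

def export_decision(communities: FrozenSet[Community], neighbor_as: int) -> str:
    """'allow' or 'deny' for announcing the route to neighbor_as (last match wins)."""
    decision = "allow"  # bgpd passes unmatched routes; the marker makes rule 1 always match
    for action, matches in RULES:
        if matches(communities, neighbor_as):
            decision = action
    return decision

def scenarios() -> dict:
    """Three tagged routes and how they fare towards peers 64601 (a) and 64602 (b)."""
    everyone_but_a = ingress([(MY_AS, MY_AS), (0, 64601)])
    only_to_a = ingress([(0, MY_AS), (MY_AS, 64601)])
    untagged = ingress([])
    return {
        "everyone-but-a -> a": export_decision(everyone_but_a, 64601),  # deny
        "everyone-but-a -> b": export_decision(everyone_but_a, 64602),  # allow
        "only-to-a -> a": export_decision(only_to_a, 64601),            # allow
        "only-to-a -> b": export_decision(only_to_a, 64602),            # deny
        "untagged -> a": export_decision(untagged, 64601),              # deny
    }

if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:22} {verdict}")
```

A route carrying no control community at all is denied everywhere, which is the whole point of stamping $my_as:65000 at ingress.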