-# $OpenBSD: bgpd.conf,v 1.13 2018/09/09 12:49:44 benno Exp $
+# $OpenBSD: bgpd.conf,v 1.14 2018/09/10 09:10:36 claudio Exp $
# example bgpd configuration file, see bgpd.conf(5)
# define our own ASN as a macro
2001:db8:abcd::/48 \
}
+# define bogon prefixes which should not be part of the DFZ
+prefix-set bogons {
+ 0.0.0.0/8 # 'this' network [RFC1122]
+ 10.0.0.0/8 # private space [RFC1918]
+ 100.64.0.0/10 # CGN Shared [RFC6598]
+ 127.0.0.0/8 # localhost [RFC1122]
+ 169.254.0.0/16 # link local [RFC3927]
+ 172.16.0.0/12 # private space [RFC1918]
+ 192.0.2.0/24 # TEST-NET-1 [RFC5737]
+ 192.88.99.0/24 # 6to4 anycast relay [RFC7526]
+ 192.168.0.0/16 # private space [RFC1918]
+ 198.18.0.0/15 # benchmarking [RFC2544]
+ 198.51.100.0/24 # TEST-NET-2 [RFC5737]
+ 203.0.113.0/24 # TEST-NET-3 [RFC5737]
+ 224.0.0.0/4 # multicast
+ 240.0.0.0/4 # reserved for future use
+ ::/8 # RFC 4291 IPv4-compatible, loopback, et al
+ 0100::/64 # Discard-Only [RFC6666]
+ 2001:2::/48 # BMWG [RFC5180]
+ 2001:10::/28 # ORCHID [RFC4843]
+ 2001:db8::/32 # docu range [RFC3849]
+ 2002::/16 # 6to4 anycast relay [RFC7526]
+ 3ffe::/16 # old 6bone
+ fc00::/7 # unique local unicast
+ fe80::/10 # link local unicast
+ fec0::/10 # old site local unicast
+ ff00::/8 # multicast
+}
+
# Generate routes for the networks our ASN will originate.
# The communities (read 'tags') are later used to match on what
# is announced to EBGP neighbors
# https://tools.ietf.org/html/rfc8326
match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
-# See http://bgpfilterguide.nlnog.net/guides/bogon_prefixes/ for
-# an elaboration why each prefix is a bogon
-prefix-set bogons { \
- 0.0.0.0/8 or-longer 10.0.0.0/8 or-longer \
- 100.64.0.0/10 or-longer 127.0.0.0/8 or-longer \
- 169.254.0.0/16 or-longer 172.16.0.0/12 or-longer \
- 192.0.2.0/24 or-longer 192.88.99.0/24 or-longer \
- 192.168.0.0/16 or-longer 198.18.0.0/15 or-longer \
- 198.51.100.0/24 or-longer 203.0.113.0/24 or-longer \
- 224.0.0.0/4 or-longer 240.0.0.0/4 or-longer \
- ::/8 or-longer 0100::/64 or-longer \
- 2001:2::/48 or-longer 2001:10::/28 or-longer \
- 2001:db8::/32 or-longer 2002::/16 or-longer \
- 3ffe::/16 or-longer fc00::/7 or-longer \
- fe80::/10 or-longer fec0::/10 or-longer \
- ff00::/8 or-longer \
-}
-# use above prefix-set to reject the bogons
-deny quick from any prefix-set bogons
+# use prefix-set to reject the bogons
+deny quick from any prefix-set bogons or-longer
# filter bogon AS numbers
-# see http://bgpfilterguide.nlnog.net/guides/bogon_asns/ for more
-# information why these ASNs are bogons.
+# AS_TRANS (23456) is not supposed to show up in any path and indicates a
+# missconfiguration. Additionally Private or Reserved ASNs have no place in
+# the public DFZ. http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
deny quick from any AS 23456
deny quick from any AS 64496 - 131071
deny quick from any AS 4200000000 - 4294967295
+
+# filter out too long paths
+deny from any max-as-len 100
projects / openbsd / commitdiff