BGP

From securityrouter.org, an OpenBSD-based firewall

Border Gateway Protocol (BGP) is the protocol which makes core routing decisions on the Internet[1]. It maintains a table of IP networks or 'prefixes' which designate network reachability among autonomous systems (AS). Halon Security's implementation is based on, and slightly extends, OpenBSD's OpenBGPD, which makes the bgpd.conf manual page a great source of information. Currently, BGP can only be configured by altering the clear-text configuration file.

Configuration

The following sub-chapters will describe, and provide examples for, a few common scenarios. The web administration's plain-text editor or the CLI configure command can be used to add the BGP configuration to the configuration file.

Multi-homing

End-users/customers, as opposed to internet service providers (ISPs), frequently use BGP to increase redundancy and capacity by making their services available on addresses which are reachable via two independent internet connections (or even ISPs). Once the end-user has acquired provider-independent[2] (PI) addresses from a regional Internet registry[3] (RIR, possibly via an ISP) and arranged the connectivity, one router can utilise both connections. Below is a rough example connecting a router to the two Swedish ISPs Telia and IP-Only.

bgp {
   AS X
   network X.X.X.X/Z
   neighbor 212.112.177.2 {
      descr "IP-only"
      remote-as 12552
      tcp md5sig password "a7!defDjKrmn/Bp"
   }
   neighbor 81.228.65.6 {
      descr "Telia"
      remote-as 3301
      multihop 10
   }
}

It's also possible to use one router per connection, using IBGP. Below is an example for one of the two routers. Please note that either OSPF or clustering (CARP) is needed on the internal interfaces in order to provide the redundant access to your network.

bgp {
   AS X
   network X.X.X.X/Z
   neighbor X.X.X.Y {
      descr "IBGP"
      remote-as X
   }
   neighbor 212.112.177.2 {
      descr "IP-only"
      remote-as 12552
      tcp md5sig password "a7!defDjKrmn/Bp"
   }
}

Filters

For security and stability reasons, it's recommended not to accept every route offered by your BGP peers unfiltered. Therefore, some sane route filters are in place. Below are the defaults as suggested by OpenBSD's default configuration.

deny from any
allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48
# accept a default route (since the previous rule blocks this)
allow from any prefix 0.0.0.0/0
# filter bogus networks according to RFC5735
deny from any prefix 0.0.0.0/8 prefixlen >= 8
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 127.0.0.0/8 prefixlen >= 8
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 198.18.0.0/15 prefixlen >= 15
deny from any prefix 198.51.100.0/24 prefixlen >= 24
deny from any prefix 203.0.113.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
# filter bogus IPv6 networks according to IANA
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 2001:2::/48 prefixlen >= 48        # BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28       # ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32      # docu range [RFC3849]
deny from any prefix 3ffe::/16 prefixlen >= 16          # old 6bone
deny from any prefix fc00::/7 prefixlen >= 7            # unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10          # link local unicast
deny from any prefix fec0::/10 prefixlen >= 10          # old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8            # multicast
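The order of the rules above matters: OpenBGPD evaluates filter rules from first to last and the last matching rule decides, so the opening deny from any is overridden by the prefixlen allows, which in turn are overridden by the bogon denies that follow them. Placing a bogon deny before the allow lines would silently undo it. The following is an added example, not part of the page or of OpenBGPD, that models the rule set above with that last-match semantics (the Rule class, the evaluate function and the sample prefixes are constructed for this illustration) so you can check what a given announcement would do before changing the live filter:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One bgpd.conf filter rule, reduced to the fields the page's rules use."""
    action: str                    # "allow" or "deny"
    family: Optional[int] = None   # 4 (inet), 6 (inet6) or None for any family
    prefix: Optional[str] = None   # "prefix X/Y": exact match unless a length bound is given
    min_len: Optional[int] = None  # "prefixlen >= N" or the lower end of "prefixlen A - B"
    max_len: Optional[int] = None  # upper end of "prefixlen A - B"

    def matches(self, route):
        if self.family is not None and route.version != self.family:
            return False
        if self.prefix is not None:
            net = ipaddress.ip_network(self.prefix)
            if net.version != route.version:
                return False
            if self.min_len is None and self.max_len is None:
                return route == net          # bare "prefix X/Y" means exactly this prefix
            if not route.subnet_of(net):     # with a length bound: must lie inside X/Y
                return False
        if self.min_len is not None and route.prefixlen < self.min_len:
            return False
        if self.max_len is not None and route.prefixlen > self.max_len:
            return False
        return True

# The rule set from the page, in the same order.
DEFAULT_FILTER = [
    Rule("deny"),
    Rule("allow", family=4, min_len=8, max_len=24),
    Rule("allow", family=6, min_len=16, max_len=48),
    Rule("allow", prefix="0.0.0.0/0"),
    Rule("deny", prefix="0.0.0.0/8", min_len=8),
    Rule("deny", prefix="10.0.0.0/8", min_len=8),
    Rule("deny", prefix="127.0.0.0/8", min_len=8),
    Rule("deny", prefix="169.254.0.0/16", min_len=16),
    Rule("deny", prefix="172.16.0.0/12", min_len=12),
    Rule("deny", prefix="192.0.2.0/24", min_len=24),
    Rule("deny", prefix="192.168.0.0/16", min_len=16),
    Rule("deny", prefix="198.18.0.0/15", min_len=15),
    Rule("deny", prefix="198.51.100.0/24", min_len=24),
    Rule("deny", prefix="203.0.113.0/24", min_len=24),
    Rule("deny", prefix="224.0.0.0/4", min_len=4),
    Rule("deny", prefix="240.0.0.0/4", min_len=4),
    Rule("deny", prefix="::/8", min_len=8),
    Rule("deny", prefix="2001:2::/48", min_len=48),
    Rule("deny", prefix="2001:10::/28", min_len=28),
    Rule("deny", prefix="2001:db8::/32", min_len=32),
    Rule("deny", prefix="3ffe::/16", min_len=16),
    Rule("deny", prefix="fc00::/7", min_len=7),
    Rule("deny", prefix="fe80::/10", min_len=10),
    Rule("deny", prefix="fec0::/10", min_len=10),
    Rule("deny", prefix="ff00::/8", min_len=8),
]

def evaluate(rules, prefix):
    """Return (decision, index of the deciding rule); the last matching rule wins.

    decision is None only if no rule matched, which cannot happen with a rule
    set that starts with "deny from any"."""
    route = ipaddress.ip_network(prefix, strict=False)
    decision, deciding = None, -1
    for index, rule in enumerate(rules):
        if rule.matches(route):
            decision, deciding = rule.action, index
    return decision, deciding

if __name__ == "__main__":
    # Constructed sample announcements: a normal /24, a too-specific /25,
    # a leaked RFC 1918 block, a default route and a documentation prefix.
    for sample in ["8.8.8.0/24", "8.8.8.0/25", "10.1.0.0/16",
                   "0.0.0.0/0", "2001:db8::/32", "2a00:1450::/32"]:
        decision, index = evaluate(DEFAULT_FILTER, sample)
        print("%-16s %-5s (rule %d)" % (sample, decision, index))
```

Running the script shows, for instance, that 10.1.0.0/16 is first accepted by the inet prefixlen 8 - 24 rule and then rejected by the later 10.0.0.0/8 rule, while 8.8.8.0/25 is rejected only because nothing after deny from any matches it. Add a candidate rule to the list in the position you intend to use and re-run to confirm it has the effect you expect.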

Monitoring and administration

Most run-time information is viewed using the bgpctl program. For example, you can run bgpctl show summary to get a list of all BGP neighbors.

admin> bgpctl show summary
Neighbor          AS     MsgRcvd     MsgSent     OutQ     Up/Down    State/PrfRcvd
iBGP              XX      119828      119492        0    02w5d02h       72
Telia            XXX      134098      119494        0    2d04h39m       83
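The State/PrfRcvd column is the one to watch: an Established session shows the number of prefixes received, while any other value is a state name (Active, Idle, Connect, and so on) that means the session is down. The following is an added example, not part of the page or of bgpctl, that parses this listing and reports sessions which are down, were (re)established only minutes ago, or deliver fewer prefixes than you expect from that peer; the sample output is constructed after the page's listing (the ASNs, the last two neighbors and the HH:MM:SS and Never forms of the Up/Down column are assumptions of this example):

```python
import re

# Constructed sample output modelled on the page's "bgpctl show summary" listing.
SAMPLE_SUMMARY = """\
Neighbor          AS     MsgRcvd     MsgSent     OutQ     Up/Down    State/PrfRcvd
iBGP           65001      119828      119492        0    02w5d02h       72
Telia           3301      134098      119494        0    2d04h39m       83
IP-only        12552         311         298        0    00:04:12       12
Backup-IX      65010          88          90        0       Never    Active
"""

RECENT_RESET_SECONDS = 600   # a session up for under ten minutes was just (re)established

def uptime_seconds(text):
    """Convert an Up/Down cell to seconds; None for "Never".

    Handles the NNwNdNNh / NdNNhNNm forms shown on the page and the HH:MM:SS
    form used below one day (assumed here)."""
    if text == "Never":
        return None
    if ":" in text:
        hours, minutes, seconds = (int(part) for part in text.split(":"))
        return hours * 3600 + minutes * 60 + seconds
    unit = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(value) * unit[suffix]
               for value, suffix in re.findall(r"(\d+)([wdhms])", text))

def parse_summary(output):
    """Turn the summary listing into one dict per neighbor."""
    records = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Neighbor"):
            continue
        # Split from the right so a neighbor description containing spaces
        # still ends up in a single field.
        fields = line.rsplit(None, 6)
        if len(fields) != 7:
            raise ValueError("unexpected summary line: %r" % line)
        name, asn, rcvd, sent, outq, updown, state = fields
        established = state.isdigit()   # Established sessions show a prefix count here
        records.append({
            "neighbor": name,
            "as": int(asn),
            "msg_rcvd": int(rcvd),
            "msg_sent": int(sent),
            "outq": int(outq),
            "uptime": uptime_seconds(updown),
            "state": "Established" if established else state,
            "prefixes": int(state) if established else None,
        })
    return records

def find_problems(records, expected_min_prefixes=None):
    """Return human-readable findings; an empty list means every session looks healthy."""
    expected_min_prefixes = expected_min_prefixes or {}
    problems = []
    for r in records:
        name, asn = r["neighbor"], r["as"]
        if r["state"] != "Established":
            problems.append("%s (AS%d): session is %s, not Established" % (name, asn, r["state"]))
            continue
        if r["prefixes"] == 0:
            problems.append("%s (AS%d): Established but zero prefixes received" % (name, asn))
        if r["uptime"] is not None and r["uptime"] < RECENT_RESET_SECONDS:
            problems.append("%s (AS%d): session (re)established %d s ago" % (name, asn, r["uptime"]))
        minimum = expected_min_prefixes.get(name)
        if minimum is not None and r["prefixes"] < minimum:
            problems.append("%s (AS%d): %d prefixes received, expected at least %d"
                            % (name, asn, r["prefixes"], minimum))
    return problems

if __name__ == "__main__":
    # Expected minimum prefix counts per transit peer are constructed values.
    for finding in find_problems(parse_summary(SAMPLE_SUMMARY), {"Telia": 50, "IP-only": 50}):
        print(finding)
```

Feed it the real output (for example via a cron job that runs bgpctl show summary and pipes into this script) and alert on a non-empty result; a session that is Established but recently reset, or one that is up but sends far fewer prefixes than usual, is worth a look even though the session itself is not down.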