Saltar a contenido

OpenBGPD BGP Router

Introduction

Border Gateway Protocol (BGP) is the routing protocol that holds the internet together. It's how you can view this document regardless of who your Internet Service Provider is.

OpenBGPD is OpenBSD's cross-platform BGP implementation. The author uses it personally on their network.

Prerequisites

  • A server, virtual machine, or lab network with BGP connectivity
  • An AS number from your Regional Internet Registry
  • An owned or leased IPv4 or IPv6 block
  • Knowledge of network administration

Installing packages

As OpenBGPD is not in the default repositories, first install the EPEL repository (Extra Packages for Enterprise Linux):

dnf install -y epel-release

Subsequently, install OpenBGPD

dnf install -y openbgpd

Setting up OpenBGPD

Let's start with a fresh OpenBGPD configuration:

rm /etc/bgpd.conf
touch /etc/bgpd.conf
chmod 0600 /etc/bgpd.conf

Then, add the following to /etc/bgpd.conf:

AS YOUR_ASN
router-id YOUR_IPV4

listen on 127.0.0.1
listen on YOUR_IPV4
listen on ::1
listen on YOUR_IPV6
log updates
network IPV4_TO_ADVERTISE/MASK
network IPV6_TO_ADVERTISE/MASK

allow to ebgp prefix { IPV4_TO_ADVERTISE/MASK IPV6_TO_ADVERTISE/MASK }

neighbor PEER_IPV4 {
    remote-as               PEER_ASN
    announce IPv4           unicast
    announce IPv6           none
    local-address           YOUR_IPV4
}

neighbor PEER_IPV6 {
    remote-as               PEER_ASN
    announce IPv4           none
    announce IPv6           unicast
    local-address           YOUR_IPV6
}

Replace the following information:

  • YOUR_ASN with your AS number.
  • YOUR_IPV4 with your server's IPv4 address.
  • YOUR_IPV6 with your server's IPv6 address.
  • PEER_ASN with your upstream ISP's AS number.
  • PEER_IPV4 with your upstream ISP's IPv4 address.
  • PEER_IPV6 with your upstream ISP's IPv6 address.

The above lines mean the following:

  • The AS line contains your BGP AS number.
  • The router-id line contains your BGP router ID. This is an IPv4 address but can be a dummy non-routable address (e.g. 169.254.x.x) if you are doing IPv6-only BGP.
  • The listen on line tells which interfaces to listen to. We should listen on all interfaces speaking BGP.
  • The network lines add the networks we want to advertise.
  • The allow to ebgp prefix line adds RFC8212 compliance for routing security. Some hosting companies, such as BuyVM, require this.
  • The neighbor blocks specify each IPv4 and IPv6 peer.
  • The remote-as line specifies the upstream's AS number.
  • The announce IPv4 line specifies whether we should announce unicast IPv4 routes or none. This should be none on an IPv6 upstream.
  • The announce IPv6 line specifies whether we should announce unicast IPv6 routes or none. This should be none on an IPv4 upstream.
  • The local-address line is the upstream's IPv4 or IPv6 address.

Some upstreams may use an MD5 password or BGP multihop. Should that be the case, your neighbor blocks will look like this:

neighbor PEER_IPV4 {
    remote-as               PEER_ASN
    announce IPv4           unicast
    announce IPv6           none
    local-address           YOUR_IPV4
    multihop                2
    local-address           203.0.113.123
}

neighbor PEER_IPV6 {
    remote-as               PEER_ASN
    announce IPv4           none
    announce IPv6           unicast
    local-address           YOUR_IPV6
    multihop                2
    local-address           2001:DB8:1000::1
}

You will need to enable IP forwarding by setting these sysctl values:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Now, we should enable OpenBGPD and forwarding:

sysctl -p /etc/sysctl.conf
systemctl enable --now bgpd

Checking BGP status

Once OpenBGPD is enabled, you can see the BGP status:

bgpctl show

You will see the output:

Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
BGP_PEER             PEER_ASN       164         68     0 00:32:04      0

You can also see the BGP advertised routes:

bgpctl show rib

If working correctly, you should see the BGP routing table:

flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
       S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
aspa validation state: ? = unknown, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags  vs destination          gateway          lpref   med aspath origin
AI*>  N-? YOUR_IPV4/24         0.0.0.0           100     0 i
AI*>  N-? YOUR_IPV6::/48       ::                100     0 i

Conclusion

While BGP may seem daunting initially, once you master it, you can get your piece of the internet routing table. OpenBGPD's simplicity makes having a software router or anycast server even easier. Enjoy!

Author: Neel Chauhan

Contributors: Steven Spencer, Ganna Zhyrnova