BGPD.CONF(5)              OpenBSD Programmer's Manual             BGPD.CONF(5)

     bgpd.conf - Border Gateway Protocol daemon configuration file

     The bgpd(8) daemon implements the Border Gateway Protocol version 4 as
     described in RFC 1771.

     The bgpd.conf config file is divided into four main sections.

     Macros
           User-defined variables may be defined and used later, simplifying
           the configuration file.

     Global Configuration
           Global settings for bgpd(8).

     Neighbors and Groups
           bgpd(8) establishes sessions with neighbors.  The neighbor defini-
           tion and properties are set in this section, as well as grouping
           neighbors for the ease of configuration.

     Filter
           Filter rules for incoming and outgoing UPDATES.

     With the exception of macros, the sections should be grouped and appear
     in bgpd.conf in the order shown above.

     Much like cpp(1) or m4(1), macros can be defined that will later be ex-
     panded in context.  Macro names must start with a letter, and may contain
     letters, digits and underscores.  Macro names may not be reserved words
     (for example, AS, neighbor, or group).  Macros are not expanded inside

     For example,

           neighbor $peer1 {
                   remote-as 65001
           }

     There are quite a few settings that affect the operation of the bgpd(8)
     daemon globally.

     AS as-number
             Set the local autonomous system number to as-number.  The AS num-
             bers are assigned by local RIRs, such as

             RIPE   for Europe,
             ARIN   for America, and
             APNIC  for the Asian-Pacific region.

             For example,

                   AS 65001

             sets the local AS to 65001.

     dump (table|table-mp) file [timeout]
     dump (all|updates) (in|out) file [timeout]
             Dump the RIB, a.k.a. the routing information base, and all BGP
             messages in Multi-threaded Routing Toolkit (MRT) format.  Dumping
             the RIB is normally an expensive operation, but it should not in-
             fluence the session handling.  Excessive dumping may result in
             delayed update processing.

             For example, the following will dump the entire table to the
             strftime(3)-expanded filename.  The table-mp format is multi-pro-
             tocol capable but often not supported by 3rd-party tools.  The
             timeout is optional:

                   dump table "/tmp/rib-dump-%H%M" 300

             Similar to the table dump, but this time all BGP messages and
             state transitions will be dumped to the specified file:

                   dump all in "/tmp/all-in-%H%M" 300

             As before, but only the UPDATE messages will be dumped to the

                   dump updates in "/tmp/updates-in-%H%M" 300

             It is also possible to dump outgoing messages:

                   dump all out "/tmp/all-out-%H%M" 300
                   # or
                   dump updates out "/tmp/updates-out-%H%M" 300

     fib-update (yes|no)
             If set to no, do not update the Forwarding Information Base, a.k.a.
             the kernel routing table.  The default is yes.

     holdtime seconds
             Set the holdtime in seconds.  The holdtime is reset to its ini-
             tial value every time either a KEEPALIVE or an UPDATE message is
             received from the neighbor.  If the holdtime expires the session
             is dropped.  The default is 90 seconds.  Neighboring systems ne-
             gotiate the holdtime used when the connection is established in
             the OPEN messages.  Each neighbor announces its configured hold-
             time; the smaller one is then agreed upon.

     holdtime min seconds
             The minimal accepted holdtime in seconds.  This value must be
             greater than or equal to 3.

     listen on address
             Specify the local IP address bgpd(8) should listen on.

                   listen on

     log updates
             Log received and sent updates.

     network address/prefix [set ...]
             Announce the specified network as belonging to our AS.


             It is possible to set default AS path attributes per network

                   network set localpref 220

             See also the ATTRIBUTE SET section.

     route-collector (yes|no)
             If set to yes, the route selection process is turned off.  The
             default is no.

     router-id address
             Set the router ID to the given IP address, which must be local to
             the machine.


             If not given, the BGP ID is determined as the biggest IP address
             assigned to the local machine.

     bgpd(8) establishes TCP connections to other BGP speakers called
     neighbors.  Each neighbor is specified by a neighbor section, which
     allows properties to be set specifically for that neighbor:

           neighbor {
                   remote-as 65002
                   descr "a neighbor"
           }

     Multiple neighbors can be grouped together by a group section.  Each
     neighbor section within the group section inherits all properties from
     its group:

           group "peering AS65002" {
                   remote-as 65002
                   neighbor {
                           descr "AS65002-p1"
                   }
                   neighbor {
                           descr "AS65002-p2"
                   }
           }

     Instead of the neighbor's IP address, an address/netmask pair may be giv-


     In this case, the neighbor specification becomes a template, and if a
     neighbor connects from an IP address within the given network, the tem-
     plate is cloned, inheriting everything from the template but the remote
     address, which is replaced by the connecting neighbor's address.  With a
     template specification it is valid to omit remote-as; bgpd(8) will then
     accept any AS the neighbor presents in the OPEN message.

     There are several neighbor properties:

     announce (all|none|self|default-route)
             If set to none, no UPDATE messages will be sent to the neighbor.
             If set to default-route, only the default route will be announced
             to the neighbor.  If set to all, all generated UPDATE messages
             will be sent to the neighbor.  This is usually used for transit
             AS's and IBGP peers.  The default value for EBGP peers is self,
             which limits the sent UPDATE messages to announcements of the lo-
             cal AS.  The default for IBGP peers is all.

     descr description
             Add a description.  The description is used when logging neighbor
             events and in status reports, etc., and has no further meaning to

     dump (all|updates) (in|out) file [timeout]
             Do a peer specific MRT dump.  Peer specific dumps are limited to
             all and updates.  See also the dump section in GLOBAL

     enforce neighbor-as (yes|no)
             If set to yes, AS paths whose leftmost AS is not equal to the
             remote AS of the neighbor are rejected and a NOTIFICATION is sent
             back.  The default value for IBGP peers is no; otherwise the
             default is yes.

     holdtime seconds
             Set the holdtime in seconds.  Inherited from the global configu-
             ration if not given.

     holdtime min seconds
             Set the minimal acceptable holdtime.  Inherited from the global
             configuration if not given.

     ipsec (ah|esp) (in|out) spi spi-number authspec [encspec]
             Enable IPsec with static keying.  There must be at least two
             ipsec statements per peer with manual keying, one per direction.
             authspec specifies the authentication algorithm and key.  It can

                   sha1 <key>
                   md5 <key>

             encspec specifies the encryption algorithm and key.  ah does not
             support encryption.  With esp, encryption is optional.  encspec
             can be

                   3des <key>
                   3des-cbc <key>
                   aes <key>
                   aes-128-cbc <key>

             Keys must be given in hexadecimal format.

     ipsec (ah|esp) ike
             Enable IPsec with dynamic keying.  In this mode, bgpd(8) sets up
             the flows, and a key management daemon such as isakmpd(8) is re-
             sponsible for managing the session keys.  With isakmpd(8), it is
             sufficient to copy the peer's public key, found in
             /etc/isakmpd/private/local.pub, to the local machine.  It must be
             stored in a file named after the peer's IP address and must be
             stored in /etc/isakmpd/pubkeys/ipv4/.  The local public key must
             be copied to the peer in the same way.  As bgpd(8) manages the
             flows on its own, it is sufficient to restrict isakmpd(8) to only
             take care of keying by specifying the flags -Ka.  This can be
             done in rc.conf.local(8).  After starting the isakmpd(8) and
             bgpd(8) daemons on both sides, the session should be established.

     local-address address
             When bgpd(8) initiates the TCP connection to the neighbor system,
             it normally does not bind to a specific IP address.  If a local-
             address is given, bgpd(8) binds to this address first.

     max-prefix number
             Limit the number of prefixes received.  No such limit is imposed
             by default.

     multihop hops
             Neighbors not in the same AS as the local bgpd(8) normally have
             to be directly connected to the local machine.  If this is not
             the case, the multihop statement defines the maximum hops the
             neighbor may be away.

     passive
             Do not attempt to actively open a TCP connection to the neighbor

     remote-as as-number
             Set the AS number of the remote system.

     route-reflector [address]
             Act as an RFC 2796 route-reflector for this neighbor.  An option-
             al cluster ID can be specified; otherwise the BGP ID will be

     set attribute ...
             Set the AS path attributes to some default per neighbor or group

                   set localpref 300

             See also the ATTRIBUTE SET section.

     tcp md5sig password secret
     tcp md5sig key secret
             Enable TCP MD5 signatures per RFC 2385.  The shared secret can
             either be given as a password or hexadecimal key.

                   tcp md5sig password mekmidasdigoat
                   tcp md5sig key deadbeef
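
     An added example, not part of the original manual page or of bgpd(8): a
     small Python audit that reads neighbor and group blocks and flags the
     defaults described above (no tcp md5sig or ipsec, no max-prefix limit,
     static ipsec keyed in one direction only, a template without remote-as).
     The sample configuration, its addresses and its shortened key are
     constructed; neighbors() and audit() are hypothetical names.

```python
import re

# Constructed sample: documentation addresses, shortened hex key.
SAMPLE = '''
group "peering AS65002" {
        remote-as 65002
        max-prefix 1000
        neighbor 192.0.2.1 {
                descr "AS65002-p1"
                tcp md5sig key deadbeef
        }
        neighbor 192.0.2.2 {
                descr "AS65002-p2"
        }
}
neighbor 198.51.100.0/24 {
        descr "template"
        ipsec esp in spi 10 sha1 0a0b0c
}
'''

def neighbors(text):
    """Return (address, properties) per neighbor, group properties inherited."""
    stack, found = [], []            # stack holds (kind, name, own_lines) frames
    for raw in text.splitlines():
        line = raw.strip()
        opener = re.match(r'(group|neighbor)\s+(.+?)\s*\{$', line)
        if opener:
            stack.append((opener.group(1), opener.group(2), []))
        elif line == "}" and stack:
            kind, name, own = stack.pop()
            if kind == "neighbor":   # keep references so later group lines count too
                found.append((name, [f[2] for f in stack] + [own]))
        elif line and stack:
            stack[-1][2].append(line)
    return [(name, [l for part in parts for l in part]) for name, parts in found]

def audit(text):
    """Map each neighbor to the list of weak defaults it still relies on."""
    report = {}
    for addr, props in neighbors(text):
        issues = []
        if not any(p.startswith(("tcp md5sig", "ipsec")) for p in props):
            issues.append("no tcp md5sig or ipsec")
        if not any(p.startswith("max-prefix") for p in props):
            issues.append("no max-prefix")
        static = [p.split()[2] for p in props if re.match(r'ipsec (ah|esp) (in|out) ', p)]
        if static and set(static) != {"in", "out"}:
            issues.append("static ipsec lacks a direction")
        if "/" in addr and not any(p.startswith("remote-as") for p in props):
            issues.append("template accepts any AS")
        report[addr] = issues
    return report
```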

     bgpd(8) has the ability to allow and deny UPDATES based on prefix or AS
     path attributes.  In addition, UPDATES may also be modified by filter

     For each UPDATE processed by the filter, the filter rules are evaluated
     in sequential order, from first to last.  The last matching allow or deny
     rule decides what action is taken.

     The following actions can be used in the filter:

     allow     The UPDATE is passed.

     deny      The UPDATE is blocked.

     match     Apply the filter attribute set without influencing the filter

     The rule parameters specify the UPDATES to which a rule applies.  An
     UPDATE always comes from, or goes to, one neighbor.  Most parameters are
     optional, but each can appear at most once per rule.  If a parameter is
     specified, the rule only applies to packets with matching attributes.

     as-type as-number
             This rule applies only to UPDATES where the AS path matches.  The
             as-number is matched against a part of the AS path specified by
             the as-type.  as-type is one of the following operators:

             AS           (any part)
             source-as    (rightmost AS number)
             transit-as   (all but the rightmost AS number)

             Multiple as-number entries for a given type or as-type as-number
             entries may also be specified, separated by commas or whitespace,
             if enclosed in curly brackets:

                   deny from any AS { 1, 2, 3 }
                   deny from any { AS 1, source-as 2, transit-as 3 }
                   deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 }

     community as-number:local
     community name
             This rule applies only to UPDATES where the community path at-
             tribute is present and matches.  Communities are specified as as-
             number:local, where as-number is an AS number and local is a lo-
             cally significant number between zero and 0xffff.  Both as-number
             and local may be set to `*' to do wildcard matching.  Alterna-
             tively, well-known communities may be given by name instead and

     (from|to) peer
             This rule applies only to UPDATES coming from, or going to, this
             particular neighbor.  This parameter must be specified.  peer is
             one of the following:

             any          Any neighbor will be matched.
             address      Neighbors with this address will be matched.
             group descr  Neighbors in this group will be matched.

             Multiple peer entries may also be specified, separated by commas
             or whitespace, if enclosed in curly brackets:

                   deny from {,, group hojo }

     prefix address/len
             This rule applies only to UPDATES for the specified prefix.

             Multiple address/len entries may be specified, separated by com-
             mas or whitespace, if enclosed in curly brackets:

                   deny from any prefix {, }

             Multiple lists can also be specified, which is useful for macro

                   good="{,, }"
                   bad="{, }"
                   ugly="{, }"

                   deny from any prefix { $good $bad $ugly }

     prefixlen range
             This rule applies only to UPDATES for prefixes where the pre-
             fixlen matches.  Prefix length ranges are specified by using
             these operators:

                   =       (equal)
                   !=      (unequal)
                   <       (less than)
                   <=      (less than or equal)
                   >       (greater than)
                   >=      (greater than or equal)
                   -       (range including boundaries)
                   ><      (except range)

             >< and - are binary operators (they take two arguments).  For in-
             stance, to match all prefix lengths >= 8 and <= 12, and hence the
             CIDR netmasks 8, 9, 10, 11 and 12:

                   prefixlen 8-12

             Or, to match all prefix lengths < 8 or > 12, and hence the CIDR
             netmasks 0-7 and 13-32:

                   prefixlen 8><12

             prefixlen can be used together with prefix.

             This will match all prefixes in the netblock with net-
             masks longer than 16:

                   prefix prefixlen > 16

     quick   If an UPDATE matches a rule which has the quick option set, this
             rule is considered the last matching rule, and evaluation of sub-
             sequent rules is skipped.

     set attribute ...
             All matching rules can set the AS path attributes to some de-
             fault.  The set of every matching rule is applied, not only the
             last matching one.  See also the following section.
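
     An added example, not part of the original manual page and not bgpd(8)'s
     own code: a Python model of the evaluation order described above (last
     matching allow or deny decides, quick ends evaluation, every matching
     rule's set is applied) together with the prefixlen operators.  The rule
     list and its addresses are constructed, and two points the page does not
     state are assumptions: a later set overrides an earlier one for the same
     attribute, and no matching allow or deny rule yields None.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str                      # "allow", "deny" or "match"
    prefix: str = None               # netblock, or None for any prefix
    plen: tuple = None               # (operator, a, b); b only for "-" and "><"
    quick: bool = False
    attrs: dict = field(default_factory=dict)   # the rule's "set ..." attributes

PLEN_OPS = {                         # the prefixlen operator table
    "=": lambda n, a, b: n == a,     "!=": lambda n, a, b: n != a,
    "<": lambda n, a, b: n < a,      "<=": lambda n, a, b: n <= a,
    ">": lambda n, a, b: n > a,      ">=": lambda n, a, b: n >= a,
    "-": lambda n, a, b: a <= n <= b, "><": lambda n, a, b: n < a or n > b,
}

def matches(rule, net):
    if rule.prefix is not None:
        block = ipaddress.ip_network(rule.prefix)
        if rule.plen is None and net != block:
            return False             # bare prefix: only that exact prefix
        if rule.plen is not None and not net.subnet_of(block):
            return False             # with prefixlen: prefixes inside the netblock
    if rule.plen is None:
        return True
    op, a, b = rule.plen
    return PLEN_OPS[op](net.prefixlen, a, b)

def evaluate(rules, update_prefix):
    """Return (verdict, attrs) for one UPDATE prefix."""
    net = ipaddress.ip_network(update_prefix)
    verdict, attrs = None, {}        # assumption: None when no allow/deny matched
    for rule in rules:
        if not matches(rule, net):
            continue
        attrs.update(rule.attrs)     # assumption: later set wins on conflict
        if rule.action != "match":
            verdict = rule.action    # last matching allow/deny decides
        if rule.quick:
            break                    # quick: treated as the last matching rule
    return verdict, attrs

RULES = [                            # constructed sample ruleset
    Rule("allow"),
    Rule("deny", "10.0.0.0/8", (">=", 8, None), quick=True),
    Rule("deny", plen=("><", 8, 24)),
    Rule("match", "192.0.2.0/24", attrs={"localpref": 300}),
    Rule("allow", "10.1.0.0/16"),    # never decides: the quick deny ends evaluation
]
```

     Without quick on the second rule, the final allow would override the deny
     for 10.1.0.0/16, because the last matching rule wins.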

     AS path attributes can be modified with set.

     set can be used on network statements, in neighbor or group blocks, and
     on filter rules.  Attribute sets can be expressed as lists.

     The following attributes can be modified:

     community as-number:local
     community name
             Set the COMMUNITIES AS path attribute.  Communities are specified
             as as-number:local, where as-number is an AS number and local is
             a locally-significant number between zero and 0xffff.  Alternate-
             ly, well-known communities may be specified by name: NO_EXPORT,

     localpref number
             Set the LOCAL_PREF AS path attribute.

     med number
             Set the MULTI_EXIT_DISC AS path attribute.

     nexthop (address|blackhole|reject)
             Set the NEXTHOP AS path attribute to a different nexthop address,
             or use blackhole or reject routes.

                   set nexthop
                   set nexthop blackhole
                   set nexthop reject

     pftable table
             Add the prefix in the update to the specified pf(4) radix table,
             regardless of whether or not the path was selected for routing.
             This option may be useful in building realtime blacklists.

     prepend-self number
             Prepend the local AS to the AS path number times.

     /etc/bgpd.conf  bgpd(8) configuration file

     strftime(3), ipsec(4), pf(4), tcp(4), bgpctl(8), bgpd(8), ipsecadm(8),
     isakmpd(8), rc.conf.local(8)

     The bgpd.conf file format first appeared in OpenBSD 3.5.

OpenBSD 3.6                     March 10, 2004                               7