BGPQ4(8) BSD System Manager's Manual BGPQ4(8)

bgpq4 — bgp filtering automation tool

bgpq4 [-h host[:port]] [-S sources] [-EPz] [-f asn | -F fmt | -G asn -t]
[-46ABbDdJjNnsXU] [-a asn] [-r len] [-R len] [-m max] [-W len]
OBJECTS [...] [EXCEPT OBJECTS]

The bgpq4 utility is used to generate configurations (prefix-lists, extended
access-lists, policy-statement terms and as-path lists) based on RADB
data.

The options are as follows:

-4 generate IPv4 prefix/access-lists (default).

-6 generate IPv6 prefix/access-lists (IPv4 by default).

-A try to aggregate prefix-lists as much as possible (not all output
formats supported).

-a asn specify which ASN shall be denied in case of an empty prefix-list
(OpenBGPD).

-B generate output in OpenBGPD format (default: Cisco).

-b generate output in BIRD format (default: Cisco).

-d enable some debugging output.

-e generate output in Arista EOS format (default: Cisco).

-E generate extended access-list (Cisco), policy-statement term using
route-filters (Juniper), [ip|ipv6]-prefix-list (Nokia) or prefix-sets
(OpenBGPd).

-f number
generate input as-path access-list.

-F fmt generate output in user-defined format.

-G number
generate output as-path access-list.

-h host[:port]
host running the IRRD database (default: rr.ntt.net).

-J generate config for Juniper (default: Cisco).

-j generate output in JSON format (default: Cisco).

-K generate config for Mikrotik (default: Cisco).

-l name
name of the generated entry.

-L limit
limit recursion depth when expanding as-sets.

-m len maximum prefix-length of accepted prefixes (default: 32 for IPv4
and 128 for IPv6).

-M match
extra match conditions for Juniper route-filters.

-n generate config for Nokia SR OS MD-CLI (Cisco IOS by default).

-N generate config for Nokia SR OS classic CLI (Cisco IOS by default).

-p accept routes registered for private ASNs (default: disabled).

-P generate prefix-list (default, backward compatibility).

-r len allow more specific routes starting with the specified masklen too.

-R len allow more specific routes up to the specified masklen too.

-s generate sequence numbers in IOS-style prefix-lists.

-S sources
use the specified sources only (recommended: RADB,RIPE,APNIC).

-t generate as-sets for OpenBGPd, BIRD and JSON formats.

-T disable pipelining (not recommended).

-W len generate as-path strings of no more than len items (use 0 for
infinity).

-U generate config for Huawei devices (Cisco IOS by default).

-X generate config for Cisco IOS XR devices (plain IOS by default).

-z generate route-filter-lists (JunOS 16.2+).

OBJECTS
means networks (in prefix format), autonomous systems, as-sets
and route-sets.

EXCEPT OBJECTS
those objects will be excluded from expansion.

Generating a named Juniper prefix-list for AS20597:

$ bgpq4 -Jl eltel AS20597
policy-options {
replace:
    prefix-list eltel {
        81.9.0.0/20;
        81.9.32.0/20;
        81.9.96.0/20;
        81.222.128.0/20;
        81.222.192.0/18;
        85.249.8.0/21;
        85.249.224.0/19;
        89.112.0.0/19;
        89.112.4.0/22;
        89.112.32.0/19;
        89.112.64.0/19;
        217.170.64.0/20;
        217.170.80.0/20;
    }
}

For Cisco we can use the aggregation (-A) flag to make this prefix-list
more compact:

$ bgpq4 -Al eltel AS20597
no ip prefix-list eltel
ip prefix-list eltel permit 81.9.0.0/20
ip prefix-list eltel permit 81.9.32.0/20
ip prefix-list eltel permit 81.9.96.0/20
ip prefix-list eltel permit 81.222.128.0/20
ip prefix-list eltel permit 81.222.192.0/18
ip prefix-list eltel permit 85.249.8.0/21
ip prefix-list eltel permit 85.249.224.0/19
ip prefix-list eltel permit 89.112.0.0/18 ge 19 le 19
ip prefix-list eltel permit 89.112.4.0/22
ip prefix-list eltel permit 89.112.64.0/19
ip prefix-list eltel permit 217.170.64.0/19 ge 20 le 20

Prefixes 89.112.0.0/19 and 89.112.32.0/19 are now aggregated into the single
entry 89.112.0.0/18 ge 19 le 19, which matches exactly those two /19s and
nothing else.

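The merge step that produces such ge/le entries, written out as an added Python example (this is not bgpq4's own code): sibling prefixes carrying the same ge/le are folded into their parent block, repeatedly, and the result is rendered in the Cisco format shown above. It assumes one address family per call, as bgpq4 itself generates (-4 or -6); ELTEL is a copy of the prefixes from the example above.

```python
import ipaddress

# Prefixes from the AS20597 example above (copied here so the demo runs offline).
ELTEL = ["81.9.0.0/20", "81.9.32.0/20", "81.9.96.0/20", "81.222.128.0/20",
         "81.222.192.0/18", "85.249.8.0/21", "85.249.224.0/19", "89.112.0.0/19",
         "89.112.4.0/22", "89.112.32.0/19", "89.112.64.0/19", "217.170.64.0/20",
         "217.170.80.0/20"]

def _sibling(net):
    """The other half of net's parent block: the only prefix net can pair with."""
    parent = net.supernet()
    return next(n for n in parent.subnets(new_prefix=net.prefixlen) if n != net)

def aggregate(prefixes):
    """Return a sorted list of (network, ge, le) entries.  Two entries merge when
    they are siblings and carry the same ge/le: the parent block with that
    ge/le then matches exactly the union of the two.  Repeat until stable."""
    entries = set()
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        entries.add((net, net.prefixlen, net.prefixlen))   # plain entry: ge = le = len
    changed = True
    while changed:
        changed = False
        # Deterministic scan order; the loop restarts after every merge.
        for net, ge, le in sorted(entries, key=lambda e: (e[0].prefixlen, e[0].network_address)):
            if net.prefixlen == 0:
                continue
            sib = (_sibling(net), ge, le)
            if sib in entries:
                entries.discard((net, ge, le))
                entries.discard(sib)
                entries.add((net.supernet(), ge, le))
                changed = True
                break
    return sorted(entries, key=lambda e: (e[0].network_address, e[0].prefixlen))

def render_cisco(name, prefixes):
    """Cisco IOS prefix-list lines; ge/le are printed only for aggregated entries."""
    lines = ["no ip prefix-list %s" % name]
    for net, ge, le in aggregate(prefixes):
        line = "ip prefix-list %s permit %s" % (name, net)
        if (ge, le) != (net.prefixlen, net.prefixlen):
            line += " ge %d le %d" % (ge, le)
        lines.append(line)
    return lines

if __name__ == "__main__":
    print("\n".join(render_cisco("eltel", ELTEL)))
```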
For Juniper we can generate even more interesting policy-options, using
-M <extra match conditions>, -r <len>, -R <len> and hierarchical names:

$ bgpq4 -AJEl eltel/specifics -r 29 -R 32 -M "community blackhole" AS20597
policy-options {
    policy-statement eltel {
        term specifics {
replace:
            from {
                community blackhole;
                route-filter 81.9.0.0/20 prefix-length-range /29-/32;
                route-filter 81.9.32.0/20 prefix-length-range /29-/32;
                route-filter 81.9.96.0/20 prefix-length-range /29-/32;
                route-filter 81.222.128.0/20 prefix-length-range /29-/32;
                route-filter 81.222.192.0/18 prefix-length-range /29-/32;
                route-filter 85.249.8.0/21 prefix-length-range /29-/32;
                route-filter 85.249.224.0/19 prefix-length-range /29-/32;
                route-filter 89.112.0.0/17 prefix-length-range /29-/32;
                route-filter 217.170.64.0/19 prefix-length-range /29-/32;
            }
        }
    }
}

The generated policy-option term now allows all more-specific routes with a
prefix length between /29 and /32 of eltel networks, provided they also match
the community blackhole (defined elsewhere in the configuration).

Of course, this version supports IPv6 (-6):

$ bgpq4 -6l as-retn-6 AS-RETN6
no ipv6 prefix-list as-retn-6
ipv6 prefix-list as-retn-6 permit 2001:7fb:fe00::/48
ipv6 prefix-list as-retn-6 permit 2001:7fb:fe01::/48
[....]

and assumes your device supports 32-bit ASNs:

$ bgpq4 -Jf 112 AS-SPACENET
policy-options {
replace:
    as-path-group NN {
        as-path a0 "^112(112)*$";
        as-path a1 "^112(.)*(1898|5539|8495|8763|8878|12136|12931|15909)$";
        as-path a2 "^112(.)*(21358|23456|23600|24151|25152|31529|34127|34906)$";
        as-path a3 "^112(.)*(35052|41720|43628|44450|196611)$";
    }
}

See AS196611 at the end of the list? That's a 32-bit ASN.

If you want to generate configuration not for routers but for some other
programs or systems, you may use user-defined formatting, as in the example
below:

$ bgpq4 -F "ipfw add pass all from %n/%l to any\n" as3254
ipfw add pass all from 62.244.0.0/18 to any
ipfw add pass all from 91.219.29.0/24 to any
ipfw add pass all from 91.219.30.0/24 to any
ipfw add pass all from 193.193.192.0/19 to any

Recognized format sequences are:

%n network
%l mask length
%a aggregate low mask length
%A aggregate high mask length
%N object name
%m object mask
%i inverse mask
\n new line
\t tabulation

Please note that no newline is inserted automatically after each entry;
you have to add it to the format string yourself, otherwise the whole
output will be on one line (sometimes that is what you want):

$ bgpq4 -6F "%n/%l; " as-eltel
2001:1b00::/32; 2620:4f:8000::/48; 2a04:bac0::/29; 2a05:3a80::/48;

By default bgpq4 trusts data from all databases mirrored into NTT's IRR
service. Unfortunately, not all of these databases are equal in how much
we can trust their data. RIR-maintained databases (AFRINIC, ARIN, APNIC,
LACNIC and RIPE) shall be trusted more than the others because they
indeed have the knowledge about which address space is allocated to which
ASN; other databases lack this knowledge and can (and actually do) contain
stale data: no one but the RIRs cares to remove outdated route-objects
when address space is revoked from one ASN and allocated to another. In
order to keep their filters both compact and current, bgpq4 users are
encouraged to use the '-S' flag to limit database sources to only the
ones they trust.

General recommendations:

Use a minimal set of RIR databases (only those in which you and your
customers have registered route-objects).

Avoid using ARIN-NONAUTH and RIPE-NONAUTH as trusted sources: these
records were created in the database for address space allocated to a
different RIR, so the NONAUTH databases have no way to confirm the
validity of such route objects.

$ bgpq4 -S RIPE,RADB as-space
no ip prefix-list NN
ip prefix-list NN permit 195.190.32.0/19

$ bgpq4 -S RADB,RIPE as-space
no ip prefix-list NN
ip prefix-list NN permit 45.4.4.0/22
ip prefix-list NN permit 45.4.132.0/22
ip prefix-list NN permit 45.6.128.0/22
ip prefix-list NN permit 45.65.184.0/22
[...]

The order of the sources matters: when the same object exists in several
databases, the first listed source takes precedence, which is why the two
invocations above return different results for the same as-set.

To improve bgpq4 performance when expanding extra-large AS-SETs you
should tune OS settings to enlarge the TCP send buffer.

FreeBSD can be tuned in the following way:

sysctl -w net.inet.tcp.sendbuf_max=2097152

Linux can be tuned in the following way:

sysctl -w net.ipv4.tcp_window_scaling=1
sysctl -w net.core.rmem_max=2097152
sysctl -w net.core.wmem_max=2097152
sysctl -w net.ipv4.tcp_rmem="4096 87380 2097152"
sysctl -w net.ipv4.tcp_wmem="4096 65536 2097152"

This project uses autotools. If you are building from the repository, run
the following command to prepare the build system:

./bootstrap

In order to compile the software, run:

./configure
make
make install

If you wish to remove the generated build system files from your working
tree, run:

make maintainer-clean

In order to create a distribution archive, run:

make dist

When everything is OK, bgpq4 writes the generated access-list to standard
output and exits with status 0. In case of errors they are printed to
stderr and the program exits with a non-zero status.

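A fail-closed guard built on that contract, added here as an example (it is not part of bgpq4): run_bgpq4 and validate_prefix_list are names of this example. It hands over the generated Cisco prefix-list only if the exit status was 0, the output has the expected shape, the list is non-empty, and no entry admits prefixes longer than a chosen limit, so a failed or empty run never reaches a router.

```python
import ipaddress
import subprocess

def run_bgpq4(args):
    """Run bgpq4 with the given arguments; returns (status, stdout, stderr)."""
    proc = subprocess.run(["bgpq4", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr

def validate_prefix_list(name, status, stdout, stderr, max_len=24):
    """Return the permitted networks from Cisco-format output, or raise.
    An empty list is treated as an error on purpose: depending on the
    platform it ends up as deny-everything or as no filter at all, and
    neither should be deployed without someone looking at it."""
    if status != 0:
        raise RuntimeError("bgpq4 exited %d: %s" % (status, stderr.strip()))
    lines = stdout.splitlines()
    if not lines or lines[0] != "no ip prefix-list %s" % name:
        raise RuntimeError("unexpected first line: %r" % lines[:1])
    nets = []
    for line in lines[1:]:
        f = line.split()
        # Accept "permit NET", "permit NET le Y", "permit NET ge X le Y".
        if f[:4] != ["ip", "prefix-list", name, "permit"] or len(f) % 2 != 1:
            raise RuntimeError("unexpected line: %r" % line)
        net = ipaddress.ip_network(f[4], strict=True)        # raises on junk
        opts = dict(zip(f[5::2], map(int, f[6::2])))          # {'ge': x, 'le': y}
        if not set(opts) <= {"ge", "le"}:
            raise RuntimeError("unexpected keyword in: %r" % line)
        longest = opts.get("le", net.prefixlen)
        if longest > max_len:
            raise RuntimeError("entry admits prefixes longer than /%d: %r" % (max_len, line))
        nets.append(net)
    if not nets:
        raise RuntimeError("empty prefix-list %s: refusing to deploy" % name)
    return nets

if __name__ == "__main__":
    # Hypothetical invocation; requires bgpq4 and network access to the IRR.
    status, out, err = run_bgpq4(["-S", "RIPE,RADB", "-l", "NN", "-m", "24", "AS-SPACE"])
    print(validate_prefix_list("NN", status, out, err))
```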
Alexandre Snarskii, Christian David, Claudio Jeker, Job Snijders,
Massimiliano Stucchi, Michail Litvak, Peter Schoenmaker, Roelf Wichertjes,
and contributions from many others.

https://github.com/bgp/bgpq4 BGPQ4 on Github.

http://bgpfilterguide.nlnog.net/ NLNOG's BGP Filter Guide.

https://tcp0.com/cgi-bin/mailman/listinfo/bgpq4 Users and interested
parties can subscribe to the BGPQ4 mailing list bgpq4@tcp0.com

Job Snijders <job@sobornost.net>

BSD December 23, 2020 BSD