BGPQ4(8)                  BSD System Manager's Manual                 BGPQ4(8)


NAME

     bgpq4 — bgp filtering automation tool


SYNOPSIS

     bgpq4 [-h host[:port]] [-S sources] [-EPz] [-f asn | -F fmt | -G asn -t]
           [-46ABbDdJjNnsXU] [-a asn] [-r len] [-R len] [-m max] [-W len]
           OBJECTS [...] [EXCEPT OBJECTS]


DESCRIPTION

     The bgpq4 utility is used to generate configurations (prefix-lists,
     extended access-lists, policy-statement terms and as-path lists) based
     on RADB data.

     The options are as follows:

     -4      generate IPv4 prefix/access-lists (default).

     -6      generate IPv6 prefix/access-lists (IPv4 by default).

     -A      try to aggregate prefix-lists as much as possible (not all output
             formats supported).

     -a asn  specify which ASN shall be denied in case of an empty
             prefix-list (OpenBGPD).

     -B      generate output in OpenBGPD format (default: Cisco).

     -b      generate output in BIRD format (default: Cisco).

     -d      enable some debugging output.

     -e      generate output in Arista EOS format (default: Cisco).

     -E      generate extended access-list (Cisco), policy-statement term
             using route-filters (Juniper), [ip|ipv6]-prefix-list (Nokia) or
             prefix-sets (OpenBGPd).

     -f number
             generate input as-path access-list.

     -F fmt  generate output in user-defined format.

     -G number
             generate output as-path access-list.

     -h host[:port]
             host running IRRD database (default: rr.ntt.net).

     -J      generate config for Juniper (default: Cisco).

     -j      generate output in JSON format (default: Cisco).

     -K      generate config for Mikrotik (default: Cisco).

     -l name
             name of generated entry.

     -L limit
             limit recursion depth when expanding as-sets.

     -m len  maximum prefix-length of accepted prefixes (default: 32 for IPv4
             and 128 for IPv6).

     -M match
             extra match conditions for Juniper route-filters.

     -n      generate config for Nokia SR OS MD-CLI (Cisco IOS by default).

     -N      generate config for Nokia SR OS classic CLI (Cisco IOS by
             default).

     -p      accept routes registered for private ASNs (default: disabled).

     -P      generate prefix-list (default, backward compatibility).

     -r len  allow more specific routes starting with specified masklen too.

     -R len  allow more specific routes up to specified masklen too.

     -s      generate sequence numbers in IOS-style prefix-lists.

     -S sources
             use specified sources only (recommended: RADB,RIPE,APNIC).

     -t      generate as-sets for OpenBGPd, BIRD and JSON formats.

     -T      disable pipelining (not recommended).

     -W len  generate as-path strings of no more than len items (use 0 for
             infinity).

     -U      generate config for Huawei devices (Cisco IOS by default).

     -X      generate config for Cisco IOS XR devices (plain IOS by default).

     -z      generate route-filter-lists (JunOS 16.2+).

     OBJECTS
             means networks (in prefix format), autonomous systems, as-sets
             and route-sets.

     EXCEPT OBJECTS
             those objects will be excluded from expansion.


EXAMPLES

     Generating a named Juniper prefix-filter for AS20597:

     $ bgpq4 -Jl eltel AS20597
     policy-options {
     replace:
      prefix-list eltel {
         81.9.0.0/20;
         81.9.32.0/20;
         81.9.96.0/20;
         81.222.128.0/20;
         81.222.192.0/18;
         85.249.8.0/21;
         85.249.224.0/19;
         89.112.0.0/19;
         89.112.4.0/22;
         89.112.32.0/19;
         89.112.64.0/19;
         217.170.64.0/20;
         217.170.80.0/20;
      }
     }

     For Cisco we can use the aggregation (-A) flag to make this prefix-filter
     more compact:

     $ bgpq4 -Al eltel AS20597
     no ip prefix-list eltel
     ip prefix-list eltel permit 81.9.0.0/20
     ip prefix-list eltel permit 81.9.32.0/20
     ip prefix-list eltel permit 81.9.96.0/20
     ip prefix-list eltel permit 81.222.128.0/20
     ip prefix-list eltel permit 81.222.192.0/18
     ip prefix-list eltel permit 85.249.8.0/21
     ip prefix-list eltel permit 85.249.224.0/19
     ip prefix-list eltel permit 89.112.0.0/18 ge 19 le 19
     ip prefix-list eltel permit 89.112.4.0/22
     ip prefix-list eltel permit 89.112.64.0/19
     ip prefix-list eltel permit 217.170.64.0/19 ge 20 le 20

     Prefixes 89.112.0.0/19 and 89.112.32.0/19 are now aggregated into the
     single entry 89.112.0.0/18 ge 19 le 19.

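     The following is an added example, not bgpq4's own code: a simplified
     model of what -A did to the list above, written with Python's ipaddress
     module. It merges the two halves of a parent prefix into one
     "parent ge N le N" entry, repeats until nothing more merges, and renders
     the result as IOS prefix-list lines; the -r/-R range handling is not
     modelled. The input list is constructed from the un-aggregated example.

```python
# Added example (not bgpq4's own code): a simplified model of the -A
# aggregation shown above, using Python's ipaddress module.
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, List, Set, Tuple, Union

Network = Union[IPv4Network, IPv6Network]
Entry = Tuple[Network, int, int]  # (network, ge, le): accepted lengths ge..le

# Constructed input: the un-aggregated prefixes from the "-Jl eltel" example.
ELTEL_PREFIXES = [
    "81.9.0.0/20", "81.9.32.0/20", "81.9.96.0/20", "81.222.128.0/20",
    "81.222.192.0/18", "85.249.8.0/21", "85.249.224.0/19", "89.112.0.0/19",
    "89.112.4.0/22", "89.112.32.0/19", "89.112.64.0/19", "217.170.64.0/20",
    "217.170.80.0/20",
]


def aggregate(prefixes: List[str]) -> List[Entry]:
    """Merge sibling prefixes into 'parent ge N le N' entries.

    Two entries merge when they have the same prefix length and the same
    ge/le range and are the two halves of one parent; the parent keeps the
    children's ge/le, so it still matches only the original lengths.
    Merging repeats until nothing changes (four /20s under one /18 become
    '/18 ge 20 le 20'). Only the plain -A case shown above is modelled,
    not the -r/-R range handling.
    """
    entries: Set[Entry] = set()
    for p in prefixes:
        net = ip_network(p, strict=True)  # reject prefixes with host bits set
        entries.add((net, net.prefixlen, net.prefixlen))

    changed = True
    while changed:
        changed = False
        halves: Dict[Tuple[Network, int, int, int], List[Entry]] = {}
        for net, ge, le in entries:
            if net.prefixlen == 0:
                continue
            key = (net.supernet(), net.prefixlen, ge, le)
            halves.setdefault(key, []).append((net, ge, le))
        for (parent, _, ge, le), group in halves.items():
            if len(group) == 2:  # both halves present: replace them by the parent
                for child in group:
                    entries.discard(child)
                entries.add((parent, ge, le))
                changed = True
    return sorted(entries, key=lambda e: (e[0].version, int(e[0].network_address), e[0].prefixlen))


def cisco_prefix_list(name: str, entries: List[Entry]) -> List[str]:
    """Render entries as IOS prefix-list lines; ge/le appear only when needed."""
    kw = "ipv6" if entries and entries[0][0].version == 6 else "ip"
    lines = [f"no {kw} prefix-list {name}"]
    for net, ge, le in entries:
        line = f"{kw} prefix-list {name} permit {net}"
        if (ge, le) != (net.prefixlen, net.prefixlen):
            line += f" ge {ge} le {le}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(cisco_prefix_list("eltel", aggregate(ELTEL_PREFIXES))))
```

     Run stand-alone it prints the same eleven entries as the -Al output
     above; the ge/le on a merged parent is what keeps a /18 entry from
     accepting a /18 announcement that nobody registered.
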
     Well, for Juniper we can generate even more interesting policy-options,
     using -M <extra match conditions>, -R <len> and hierarchical names:

     $ bgpq4 -AJEl eltel/specifics -r 29 -R 32 -M "community blackhole" AS20597
     policy-options {
      policy-statement eltel {
       term specifics {
     replace:
        from {
         community blackhole;
         route-filter 81.9.0.0/20 prefix-length-range /29-/32;
         route-filter 81.9.32.0/20 prefix-length-range /29-/32;
         route-filter 81.9.96.0/20 prefix-length-range /29-/32;
         route-filter 81.222.128.0/20 prefix-length-range /29-/32;
         route-filter 81.222.192.0/18 prefix-length-range /29-/32;
         route-filter 85.249.8.0/21 prefix-length-range /29-/32;
         route-filter 85.249.224.0/19 prefix-length-range /29-/32;
         route-filter 89.112.0.0/17 prefix-length-range /29-/32;
         route-filter 217.170.64.0/19 prefix-length-range /29-/32;
        }
       }
      }
     }

     The generated policy-statement term now allows all specifics with a
     prefix-length between /29 and /32 for eltel networks if they also match
     the community blackhole (defined elsewhere in the configuration).

     Of course, this version supports IPv6 (-6):

     $ bgpq4 -6l as-retn-6 AS-RETN6
     no ipv6 prefix-list as-retn-6
     ipv6 prefix-list as-retn-6 permit 2001:7fb:fe00::/48
     ipv6 prefix-list as-retn-6 permit 2001:7fb:fe01::/48
     [....]

     and assumes your device supports 32-bit ASNs:

     $ bgpq4 -Jf 112 AS-SPACENET
     policy-options {
     replace:
      as-path-group NN {
       as-path a0 "^112(112)*$";
       as-path a1 "^112(.)*(1898|5539|8495|8763|8878|12136|12931|15909)$";
       as-path a2 "^112(.)*(21358|23456|23600|24151|25152|31529|34127|34906)$";
       as-path a3 "^112(.)*(35052|41720|43628|44450|196611)$";
      }
     }

     See AS196611 at the end of the list? That's a 32-bit ASN.

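     The following is an added example, not bgpq4's own code: it rebuilds
     the as-path-group above from a neighbour ASN and a set of origin ASNs,
     grouped the way the output shows them (a0 for the neighbour's own
     routes, then eight origins per regex). That the group size is what -W
     controls, and that eight is the default, are assumptions taken from
     the example rather than from bgpq4's source. The origin list is
     constructed from the output above; the allow_32bit switch is added so
     a filter is not silently generated for a device that cannot express
     AS196611.

```python
# Added example (not bgpq4's own code): build the as-path-group regexes the
# way the "-Jf 112 AS-SPACENET" example above lays them out.
from typing import Iterable, List

MAX_ASN = 4_294_967_295  # 32-bit ASN space
MAX_ASN16 = 65_535       # devices without 32-bit ASN support stop here

# Constructed input: the neighbour ASN and the origin ASNs visible above.
NEIGHBOUR_ASN = 112
ORIGIN_ASNS = [1898, 5539, 8495, 8763, 8878, 12136, 12931, 15909,
               21358, 23456, 23600, 24151, 25152, 31529, 34127, 34906,
               35052, 41720, 43628, 44450, 196611]


def needs_32bit_asn(asns: Iterable[int]) -> bool:
    """True when any ASN lies outside the 16-bit range (AS196611 above is one)."""
    return any(int(a) > MAX_ASN16 for a in asns)


def as_path_regexes(neighbour: int, origins: Iterable[int], width: int = 8,
                    allow_32bit: bool = True) -> List[str]:
    """Return the a0, a1, ... regex strings for an input as-path filter.

    a0 accepts paths made only of the neighbour ASN (its own routes); each
    further regex accepts paths that start at the neighbour and end at one
    of 'width' origin ASNs. Eight per regex is what the example shows; that
    -W sets this width is an assumption, not taken from bgpq4's code.
    """
    if not 0 < neighbour <= MAX_ASN:
        raise ValueError(f"invalid neighbour ASN {neighbour}")
    if width < 1:
        raise ValueError("width must be at least 1")
    uniq = sorted({int(a) for a in origins} - {neighbour})
    for asn in uniq:
        if not 0 < asn <= MAX_ASN:
            raise ValueError(f"invalid origin ASN {asn}")
    if not allow_32bit and needs_32bit_asn(uniq):
        raise ValueError("origin list needs 32-bit ASN support on the device")
    regexes = [f"^{neighbour}({neighbour})*$"]
    for i in range(0, len(uniq), width):
        group = "|".join(str(a) for a in uniq[i:i + width])
        regexes.append(f"^{neighbour}(.)*({group})$")
    return regexes


def juniper_as_path_group(name: str, regexes: List[str]) -> str:
    """Wrap the regexes in the 'policy-options { replace: as-path-group }' form above."""
    lines = ["policy-options {", "replace:", f" as-path-group {name} {{"]
    for idx, rx in enumerate(regexes):
        lines.append(f'  as-path a{idx} "{rx}";')
    lines += [" }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(juniper_as_path_group("NN", as_path_regexes(NEIGHBOUR_ASN, ORIGIN_ASNS)))
```
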

USER-DEFINED FORMAT

     If you want to generate configuration not for routers, but for some other
     programs/systems, you may use user-defined formatting, like in the
     example below:

     $ bgpq4 -F "ipfw add pass all from %n/%l to any\n" as3254
     ipfw add pass all from 62.244.0.0/18 to any
     ipfw add pass all from 91.219.29.0/24 to any
     ipfw add pass all from 91.219.30.0/24 to any
     ipfw add pass all from 193.193.192.0/19 to any

     Recognized format sequences are:

           %n      network
           %l      mask length
           %a      aggregate low mask length
           %A      aggregate high mask length
           %N      object name
           %m      object mask
           %i      inverse mask
           \n      new line
           \t      tabulation

     Please note that no newlines are inserted automatically after each
     entry; you have to add them to the format string yourself, otherwise
     the output will be on one line (sometimes that makes sense):

     $ bgpq4 -6F "%n/%l; " as-eltel
     2001:1b00::/32; 2620:4f:8000::/48; 2a04:bac0::/29; 2a05:3a80::/48;

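     The following is an added example, not bgpq4's own code: a renderer for
     the format sequences listed above, applied once per entry with no
     newline added unless the format contains one, exactly as the note
     above describes. It treats any other %- or backslash sequence as an
     error rather than passing it through, so a typo in an operator-supplied
     format cannot quietly produce a malformed rule. That %a and %A equal %l
     for an unaggregated entry is an assumption; the prefixes are
     constructed from the ipfw example.

```python
# Added example (not bgpq4's own code): a renderer for the user-defined (-F)
# format sequences listed in the manual.
from ipaddress import ip_network
from typing import Dict, List, Tuple, Union

# An entry is either "prefix" or ("prefix", ge, le) for an aggregated range.
Item = Union[str, Tuple[str, int, int]]

# Constructed input: the AS3254 prefixes from the ipfw example above.
AS3254_PREFIXES: List[Item] = ["62.244.0.0/18", "91.219.29.0/24",
                               "91.219.30.0/24", "193.193.192.0/19"]

ESCAPES = {"n": "\n", "t": "\t"}  # the backslash sequences the manual lists


def expand(fmt: str, fields: Dict[str, str]) -> str:
    """Expand %x field references and \\n / \\t escapes in one format string.

    A % or backslash followed by anything not in the tables is an error
    rather than being passed through, so a mistyped format fails loudly.
    """
    out: List[str] = []
    i = 0
    while i < len(fmt):
        c = fmt[i]
        if c in "%\\":
            if i + 1 >= len(fmt):
                raise ValueError(f"dangling {c!r} at end of format")
            nxt = fmt[i + 1]
            table = fields if c == "%" else ESCAPES
            if nxt not in table:
                raise ValueError(f"unknown sequence {c}{nxt}")
            out.append(table[nxt])
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def is_valid_format(fmt: str) -> bool:
    """True if fmt uses only the sequences listed above (check input first)."""
    try:
        expand(fmt, {k: "" for k in "nlaANmi"})
        return True
    except ValueError:
        return False


def render(fmt: str, name: str, items: List[Item]) -> str:
    """Apply fmt once per entry and concatenate; no newline is added."""
    pieces: List[str] = []
    for item in items:
        prefix, ge, le = (item, None, None) if isinstance(item, str) else item
        net = ip_network(prefix, strict=True)  # reject host bits set
        if ge is None:  # unaggregated entry: assume %a/%A equal %l
            ge = le = net.prefixlen
        fields = {
            "n": str(net.network_address),  # %n network
            "l": str(net.prefixlen),        # %l mask length
            "a": str(ge),                   # %a aggregate low mask length
            "A": str(le),                   # %A aggregate high mask length
            "N": name,                      # %N object name
            "m": str(net.netmask),          # %m object mask
            "i": str(net.hostmask),         # %i inverse (wildcard) mask
        }
        pieces.append(expand(fmt, fields))
    return "".join(pieces)


if __name__ == "__main__":
    print(render("ipfw add pass all from %n/%l to any\\n", "as3254", AS3254_PREFIXES), end="")
```

     Note that the shell passes "\n" inside double quotes through as a
     literal backslash and n; the renderer, like -F, turns it into a newline
     itself.
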

NOTES ON SOURCES

     By default bgpq4 trusts data from all databases mirrored into NTT's IRR
     service.  Unfortunately, not all these databases are equal in how much
     we can trust their data.  RIR-maintained databases (AFRINIC, ARIN,
     APNIC, LACNIC and RIPE) shall be trusted more than the others because
     they indeed have the knowledge about which address space is allocated
     to this or that ASN; other databases lack this knowledge and can (and,
     actually, do) contain some stale data: no one but the RIRs cares to
     remove outdated route-objects when address space is revoked from one
     ASN and allocated to another.  In order to keep their filters both
     compact and current, bgpq4 users are encouraged to use the '-S' flag to
     limit database sources to only the ones they trust.

     General recommendations:

     Use a minimal set of RIR databases (only those in which you and your
     customers have registered route-objects).

     Avoid using ARIN-NONAUTH and RIPE-NONAUTH as trusted sources: these
     records were created in the database but for address space allocated
     to a different RIR, so the NONAUTH databases have no way to confirm the
     validity of such a route-object.

     $ bgpq4 -S RIPE,RADB as-space
     no ip prefix-list NN
     ip prefix-list NN permit 195.190.32.0/19

     $ bgpq4 -S RADB,RIPE as-space
     no ip prefix-list NN
     ip prefix-list NN permit 45.4.4.0/22
     ip prefix-list NN permit 45.4.132.0/22
     ip prefix-list NN permit 45.6.128.0/22
     ip prefix-list NN permit 45.65.184.0/22
     [...]

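     The two runs above differ only in the order of the sources given to -S
     and produce different lists. The following is an added example, not
     bgpq4's own code: it parses two generated IOS-style prefix-lists and
     reports what the candidate would add to and remove from the deployed
     one, plus whether the candidate is empty, so a list regenerated with a
     different source set can be reviewed before it is pushed. The inputs
     are constructed from the visible lines of the two runs (the second run
     is shown truncated above, so only its visible lines are included).

```python
# Added example (not bgpq4's own code): compare two generated prefix-lists
# before a candidate built from different -S sources replaces the deployed one.
import re
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, Iterable, List, Set, Tuple, Union

Network = Union[IPv4Network, IPv6Network]
Entry = Tuple[Network, int, int]  # (network, ge, le)

# Constructed input: the visible lines of the two "as-space" runs above.
RIPE_FIRST = """\
no ip prefix-list NN
ip prefix-list NN permit 195.190.32.0/19
"""
RADB_FIRST = """\
no ip prefix-list NN
ip prefix-list NN permit 45.4.4.0/22
ip prefix-list NN permit 45.4.132.0/22
ip prefix-list NN permit 45.6.128.0/22
ip prefix-list NN permit 45.65.184.0/22
"""

LINE = re.compile(r"^ip(?:v6)? prefix-list (\S+) permit (\S+)(?: ge (\d+))?(?: le (\d+))?$")


def parse_prefix_list(text: str) -> Set[Entry]:
    """Return {(network, ge, le)} from IOS-style prefix-list output.

    'no ip[v6] prefix-list' headers and blank lines are skipped; any other
    line shape is an error, so a truncated or mangled file is not silently
    accepted as an empty filter.
    """
    entries: Set[Entry] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("no "):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unexpected line: {line!r}")
        net = ip_network(m.group(2), strict=True)
        ge = int(m.group(3)) if m.group(3) else net.prefixlen
        le = int(m.group(4)) if m.group(4) else net.prefixlen
        entries.add((net, ge, le))
    return entries


def fmt_entry(entry: Entry) -> str:
    """Render an entry the way the prefix-list above prints it."""
    net, ge, le = entry
    return str(net) if (ge, le) == (net.prefixlen, net.prefixlen) else f"{net} ge {ge} le {le}"


def ordered(entries: Iterable[Entry]) -> List[str]:
    """Entries as strings, in address order, for a stable review listing."""
    key = lambda e: (e[0].version, int(e[0].network_address), e[0].prefixlen, e[1], e[2])
    return [fmt_entry(e) for e in sorted(entries, key=key)]


def compare(deployed: str, candidate: str) -> Dict[str, object]:
    """What the candidate list would add to and remove from the deployed one."""
    old, new = parse_prefix_list(deployed), parse_prefix_list(candidate)
    return {
        "added": ordered(new - old),
        "removed": ordered(old - new),
        "candidate_empty": not new,  # an empty filter deserves a second look
    }


if __name__ == "__main__":
    for kind, value in compare(RIPE_FIRST, RADB_FIRST).items():
        print(f"{kind}: {value}")
```
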

PERFORMANCE

     To improve bgpq4 performance when expanding extra-large AS-SETs you
     should tune OS settings to enlarge the TCP send buffer.

     FreeBSD can be tuned in the following way:

           sysctl -w net.inet.tcp.sendbuf_max=2097152

     Linux can be tuned in the following way:

           sysctl -w net.ipv4.tcp_window_scaling=1
           sysctl -w net.core.rmem_max=2097152
           sysctl -w net.core.wmem_max=2097152
           sysctl -w net.ipv4.tcp_rmem="4096 87380 2097152"
           sysctl -w net.ipv4.tcp_wmem="4096 65536 2097152"


BUILDING

     This project uses autotools. If you are building from the repository, run
     the following command to prepare the build system:

           ./bootstrap

     In order to compile the software, run:

           ./configure
           make
           make install

     If you wish to remove the generated build system files from your working
     tree, run:

           make maintainer-clean

     In order to create a distribution archive, run:

           make dist


DIAGNOSTICS

     When everything is OK, bgpq4 generates the access-list to standard
     output and exits with status == 0.  In case of errors, they are printed
     to stderr and the program exits with non-zero status.


AUTHORS

     Alexandre Snarskii, Christian David, Claudio Jeker, Job Snijders,
     Massimiliano Stucchi, Michail Litvak, Peter Schoenmaker, Roelf
     Wichertjes, and contributions from many others.


SEE ALSO

     https://github.com/bgp/bgpq4 BGPQ4 on Github.

     http://bgpfilterguide.nlnog.net/ NLNOG's BGP Filter Guide.

     https://tcp0.com/cgi-bin/mailman/listinfo/bgpq4 Users and interested
     parties can subscribe to the BGPQ4 mailing list bgpq4@tcp0.com


PROJECT MAINTAINER

     Job Snijders <job@sobornost.net>

BSD                            December 23, 2020                           BSD