From bfdd195284a17bab5632db363a1832e3e2de4b20 Mon Sep 17 00:00:00 2001 From: KyleM <103862795+ServerForge@users.noreply.github.com> Date: Sat, 4 Feb 2023 08:57:51 -0500 Subject: Add docs for RFC 9234 Added documentation for new BGP roles for RFC 9234 --- docs/configuration/protocols/bgp.rst | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'docs/configuration/protocols/bgp.rst') diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index 6593730f..bef75733 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst 
@@ -206,6 +206,40 @@ Defining Peers peers ASN is the same as mine as specified under the :cfgcmd:`protocols bgp ` command the connection will be denied. +.. cfgcmd:: set protocols bgp neighbor local-role [strict] + + BGP roles are defined in RFC :rfc:`9234` and provide an easy way to + add route leak prevention, detection and mitigation. The local Role + value is negotiated with the new BGP Role capability which has a + built-in check of the corresponding value. In case of a mismatch the + new OPEN Roles Mismatch Notification <2, 11> would be sent. + The correct Role pairs are: + + Provider - Customer + + Peer - Peer + + RS-Server - RS-Client + + If :cfgcmd:`strict` is set the BGP session won’t become established + until the BGP neighbor sets local Role on its side. This + configuration parameter is defined in RFC :rfc:`9234` and is used to + enforce the corresponding configuration at your counter-parts side. + + Routes that are sent from provider, rs-server, or the peer local-role + (or if received by customer, rs-clinet, or the peer local-role) will + be marked with a new Only to Customer (OTC) attribute. + + Routes with this attribute can only be sent to your neighbor if your + local-role is provider or rs-server. Routes with this attribute can + be received only if your local-role is customer or rs-client. + + In case of peer-peer relationship routes can be received only if OTC + value is equal to your neighbor AS number. + + All these rules with OTC will help to detect and mitigate route leaks + and happen automatically if local-role is set. + .. cfgcmd:: set protocols bgp neighbor shutdown This command disable the peer or peer group. To reenable the peer use -- cgit v1.2.3 From 7d97488e7c488ed50f8fea0e7cc4cb5e9b8eeb04 Mon Sep 17 00:00:00 2001 
From: Kyle McClammy Date: Sat, 4 Feb 2023 14:18:22 +0000 Subject: Shortened config line to be less than 80 characters --- docs/configuration/protocols/bgp.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'docs/configuration/protocols/bgp.rst') diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index bef75733..e6240a7d 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst @@ -206,7 +206,8 @@ Defining Peers peers ASN is the same as mine as specified under the :cfgcmd:`protocols bgp ` command the connection will be denied. -.. cfgcmd:: set protocols bgp neighbor local-role [strict] +.. cfgcmd:: set protocols bgp neighbor local-role + [strict] BGP roles are defined in RFC :rfc:`9234` and provide an easy way to add route leak prevention, detection and mitigation. The local Role -- cgit v1.2.3 From 44735a6e87d1ad2859578e8128bbd93cba5b7cf8 Mon Sep 17 00:00:00 2001 From: Kyle McClammy Date: Sun, 12 Feb 2023 03:54:06 +0000 Subject: Fixed Typo --- docs/configuration/protocols/bgp.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/configuration/protocols/bgp.rst') diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index e6240a7d..68688b25 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst @@ -228,7 +228,7 @@ Defining Peers enforce the corresponding configuration at your counter-parts side. Routes that are sent from provider, rs-server, or the peer local-role - (or if received by customer, rs-clinet, or the peer local-role) will + (or if received by customer, rs-client, or the peer local-role) will be marked with a new Only to Customer (OTC) attribute. Routes with this attribute can only be sent to your neighbor if your -- cgit v1.2.3
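Review bot: In the first hunk (the new `local-role` section), the receive rule is stated inconsistently: "Routes with this attribute can be received only if your local-role is customer or rs-client" is immediately followed by a paragraph allowing OTC routes from a peer when the OTC value equals the neighbor's AS number. Fold the peer case into the first sentence, e.g. "can be received only if your local-role is customer or rs-client, or peer when the OTC value equals the neighbor's AS number", so the two paragraphs do not contradict each other. Same hunk: "rs-clinet" should be "rs-client", "counter-parts side" should be "counterpart's side", and the command synopsis `set protocols bgp neighbor local-role [strict]` names no neighbor or role argument although the body lists the accepted roles (provider, customer, peer, rs-server, rs-client); if the placeholders were lost in rendering, ignore this, otherwise add them. The three role pairs ("Provider - Customer", "Peer - Peer", "RS-Server - RS-Client") are written as bare lines separated by blank lines, which reStructuredText renders as three loose paragraphs; a bullet list would make the pairing explicit.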
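Review bot: In the second hunk, the wrapped directive argument `+ [strict]` only stays part of the `.. cfgcmd::` synopsis if the continuation line is indented under the directive; an unindented "[strict]" line would be parsed as ordinary body text and rendered outside the command heading. Please confirm the indentation in the actual file and check the rendered output before merging.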
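Review bot: In the third hunk, the "rs-clinet" to "rs-client" fix is correct, but the context line directly above it still reads "enforce the corresponding configuration at your counter-parts side."; since this commit is already a typo pass, change "counter-parts side" to "counterpart's side" in the same commit rather than leaving it for another one.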