Border Gateway Protocol (BGP)

The Anapaya appliance supports integration with the Border Gateway Protocol (BGP). There are two use cases for this:

  1. LAN connectivity: The local network is administered using BGP and the appliance needs to learn about reachable IP destinations in the local network via BGP.

  2. Route redistribution: The IP prefixes learned from local BGP peers are redistributed via SGRP to remote SCION ASes. Conversely, IP prefixes learned from remote SCION ASes via SGRP are redistributed to local BGP peers. Accept and announce filters can be used to control which IP prefixes are redistributed.

For both use cases, the appliance needs to establish a BGP session with one or more local BGP peers. The BGP configuration is specified in the bgp section of the appliance configuration. It is split into the following two subsections:

global

Configures global attributes that apply to communication with all BGP peers. This includes the following fields:

  • as

    The local BGP autonomous system number of the appliance, as a 32-bit number as defined in RFC 6991.

  • networks

    A list of static network prefixes advertised to all BGP peers.

  • router_id

    ID of the router: an unsigned 32-bit integer expressed in dotted quad notation. Usually, this is an IP address.

  • src_address

    The preferred source IP address that is used when entering received routes in the Linux routing table.

neighbors

Configures the BGP neighbors. For each neighbor, the following can be specified:

  • auth_password_ref

    Reference to the MD5 authentication password for use with the neighboring device.

    Please see Secret Management for information on how to provision a secret and then reference it in the configuration.

  • description

    An optional user-provided description of the neighbor.

  • enabled

    Whether the BGP peer is enabled. If this is set to false, the local BGP daemon will not initiate connections to the neighbor, and will not respond to TCP connection attempts from the neighbor. If the BGP session is established at the time that this property is set to false, it will be ceased.

  • local_as

    The local BGP autonomous system number used to establish sessions with the peer. If this is not provided, the global BGP autonomous system number is used.

  • neighbor_address

    Address of the BGP peer, either IPv4 or IPv6.

  • peer_as

    BGP autonomous system number of the peer.

  • timers.connect_retry

    Time interval in seconds between attempts to establish a session with the peer.

  • timers.hold_time

    Time interval in seconds that a BGP session will be considered active in the absence of keepalive or other messages from the peer. This is typically set to 3x the keepalive-interval.

  • timers.keepalive_interval

    Time interval in seconds between transmission of keepalive messages to the neighbor.

  • timers.minimum_advertisement_interval

    The minimum time in seconds which must elapse between subsequent UPDATE messages relating to a common set of prefixes being transmitted to a peer. This timer is referred to as MinRouteAdvertisementIntervalTimer by RFC 4271 and serves to reduce the number of UPDATE messages transmitted when a particular set of prefixes exhibit instability.

  • transport.local_address

    Set the local IPv4 address to be used for the BGP session. This may be expressed as either an IP address or the name of an interface.

  • ttl_security

    BGP Time To Live (TTL) security check. See RFC 5082 for details.

  • ebgp_multihop

    Allow eBGP sessions to be established with peers that are not directly connected. This setting is mutually exclusive with ttl_security.

  • bfd.enabled

    Enable BFD for the neighbor.

  • bfd.desired_transmission_interval

    Desired BFD transmission interval in milliseconds.

  • bfd.required_receive_interval

    Required BFD receive interval in milliseconds.

  • bfd.detection_multiplier

    BFD detection multiplier.

  • bfd.multihop

    Enable multihop for this BFD peer.

  • bfd.local_address

    Set the local IP address to be used for the BFD session. This is required for IPv6 peers.

The BGP daemon configured in the bgp section receives and announces IP prefixes from and to peers on the internal network and peers connected via legacy IP networks.

Prefixes can also be exchanged by the IP-in-SCION tunneling endpoints using SGRP. Please refer to the IP-in-SCION tunneling section of the documentation for information on how to configure this. IP prefixes learned and accepted from SCION remotes are entered into the local routing table with a metric of 15 (the Administrative Distance of SGRP). From there they will be picked up by the BGP service and propagated to the BGP peers. Similarly, routes learned via BGP are picked up by the IP-in-SCION tunneling endpoint and propagated to remote ASes while respecting the policies configured in the SCION tunneling section.

BGP Configuration Example

The example shows a BGP configuration with one neighbor.

{
   "bgp": {
      "global": {
        "as": 64496,
        "router_id": "10.0.0.1",
        "networks": [
          "10.31.206.120/32"
        ]
      },
      "neighbors": [
        {
          "auth_password_ref": "bgp-auth-password_10.0.0.2@1",
          "enabled": true,
          "local_as": 64510,
          "neighbor_address": "10.0.0.2",
          "peer_as": 64510
        }
      ]
   }
}
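
A pre-deployment check for the neighbor settings described above, as an added example that is not part of the Anapaya documentation or product. It flags neighbors without auth_password_ref, the ttl_security/ebgp_multihop conflict, a hold_time below 3x the keepalive interval, and BFD to an IPv6 peer without bfd.local_address. The function name lint_bgp, the nested JSON layout of the dotted fields, and the two extra sample neighbors are assumptions.

```python
import ipaddress
import json

# Constructed sample: the page's example neighbor plus two hypothetical peers.
# Assumptions: dotted field names (timers.hold_time, bfd.enabled) are nested
# JSON objects, and ttl_security / ebgp_multihop count as set when truthy.
SAMPLE = json.loads("""
{"bgp": {
  "global": {"as": 64496, "router_id": "10.0.0.1"},
  "neighbors": [
    {"auth_password_ref": "bgp-auth-password_10.0.0.2@1", "enabled": true,
     "local_as": 64510, "neighbor_address": "10.0.0.2", "peer_as": 64510},
    {"neighbor_address": "192.0.2.7", "peer_as": 64511, "ttl_security": true,
     "ebgp_multihop": true, "timers": {"hold_time": 30, "keepalive_interval": 30}},
    {"auth_password_ref": "example-secret@1", "neighbor_address": "2001:db8::2",
     "peer_as": 64512, "bfd": {"enabled": true}}
  ]}}
""")


def lint_bgp(config):
    """Return (neighbor_address, finding) tuples for enabled neighbors."""
    findings = []
    for n in config.get("bgp", {}).get("neighbors", []):
        addr = n.get("neighbor_address", "")
        if n.get("enabled") is False:
            continue  # a disabled peer neither initiates nor accepts sessions
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, "neighbor_address is not a valid IPv4/IPv6 address"))
            continue
        if not n.get("auth_password_ref"):
            findings.append((addr, "no auth_password_ref: session has no MD5 authentication"))
        if n.get("ttl_security") and n.get("ebgp_multihop"):
            findings.append((addr, "ttl_security and ebgp_multihop are mutually exclusive"))
        timers = n.get("timers", {})
        hold, keep = timers.get("hold_time"), timers.get("keepalive_interval")
        if hold is not None and keep is not None and hold < 3 * keep:
            findings.append((addr, f"hold_time {hold}s is below 3x keepalive_interval {keep}s"))
        bfd = n.get("bfd", {})
        if bfd.get("enabled") and ip.version == 6 and not bfd.get("local_address"):
            findings.append((addr, "bfd.local_address is required for IPv6 peers"))
    return findings


if __name__ == "__main__":
    for addr, finding in lint_bgp(SAMPLE):
        print(f"{addr}: {finding}")
```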