EBGP Default Reject Policy

This chapter describes EBGP Default Reject Policy.

Topics in this chapter include:

Applicability

The information and configuration in this chapter are based on SR OS Release 20.7.R2. The eBGP default reject policy is supported in SR OS Release 19.5.R1 and later.

Overview

To improve security and reliability of Internet routing in the base router and in VPRN routing instances, a default eBGP reject policy rejects all BGP routes when no import or export policies are configured. This policy prevents accidental route leaks.

In classic CLI, for backward compatibility reasons, this approach is not followed by default (no ebgp-default-reject-policy). This insecure default to advertise and receive all routes is not compliant with RFC 8212, Default External BGP (EBGP) Route Propagation Behavior without Policies. The secure behavior must be enabled using the ebgp-default-reject-policy command, which can be configured in the general bgp context, in the BGP group context, and in the BGP neighbor context. It can be enabled for import direction only, for export direction only, or for both directions. The syntax of the command is as follows:

*A:PE-2# configure router bgp group "eBGP" ebgp-default-reject-policy
  - no ebgp-default-reject-policy
  - ebgp-default-reject-policy [import] [export]
 <import>             : keyword
 <export>             : keyword

The eBGP default reject policy is the last policy in a policy chain.

Note:

In MD-CLI, the default behavior is compliant with RFC 8212 (ebgp-default-reject-policy import/export true). However, when BGP was initially configured in classic CLI and afterward converted to MD-CLI, the insecure behavior remains for backward compatibility (ebgp-default-reject-policy import/export false).

Configuration

Example topology shows the example topology with three nodes. An eBGP session is established between PE-1 and PE-2; an iBGP session between PE-2 and PE-3.

Figure 1. Example topology

The initial configuration includes:

  • Cards, MDAs, ports

  • Router interfaces

  • SR-ISIS on PE-2 and PE-3 in AS 64500

Default in classic CLI: no eBGP default reject policy

On PE-1, BGP is configured as follows:

# on PE-1:
configure
    router Base
        bgp
            split-horizon
            group "eBGP"
                local-as 64501
                peer-as 64500
                neighbor 192.168.12.2
                    family ipv4 ipv6 label-ipv4 label-ipv6
                    export "export-10.1" "export-10.2" "export-10.131"
                                                       "export-10.132" 
                exit
            exit

On PE-2, BGP is configured as follows:

# on PE-2:
configure
    router Base
        bgp
            split-horizon
            next-hop-resolution
                labeled-routes
                    transport-tunnel
                        family label-ipv4
                            resolution-filter
                                no ldp
                                sr-isis
                            exit
                            resolution filter
                        exit
                    exit
                exit
            exit
            group "eBGP"
                local-as 64500
                peer-as 64501
                neighbor 192.168.12.1
                    family ipv4 ipv6 label-ipv4 label-ipv6
                    export "export-bgp"
                exit
            exit
            group "iBGP-IPv4"
                family ipv4 label-ipv4
                peer-as 64500
                neighbor 192.0.2.3
                    next-hop-self
                exit
            exit
            group "iBGP-IPv6"
                family ipv6 label-ipv6
                peer-as 64500
                neighbor 2001:db8::2:3
                    next-hop-self
                exit
            exit

Advertised BGP and BGP-LU IPv4 routes and Advertised BGP and BGP-LU IPv6 routes show the advertised BGP and BGP Labeled Unicast (BGP-LU) routes between PE-1 and PE-2:

Figure 2. Advertised BGP and BGP-LU IPv4 routes
Figure 3. Advertised BGP and BGP-LU IPv6 routes

By default, in classic CLI, no eBGP default reject policy is used. When no eBGP import-policy is configured on PE-2, any route received from an eBGP peer is accepted, as follows:

*A:PE-2# show router bgp neighbor 192.168.12.1 | match "Import Policy" 
Import Policy        : None Specified - Default Accept

In addition, when no iBGP export-policy is configured on PE-2, any received eBGP route is advertised to the iBGP peer (PE-3 in this example), as follows:

*A:PE-2# show router bgp neighbor 192.0.2.3 | match "Export Policy"
Export Policy        : None Specified - Default Accept

The following BGP summary on PE-2 shows that all routes received from eBGP peer 192.168.12.1 are received, accepted and advertised to PE-3:

*A:PE-2# show router bgp summary all

===============================================================================
BGP Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
Description
ServiceId          AS PktRcvd InQ  Up/Down   State|Rcv/Act/Sent (Addr Family)
                      PktSent OutQ
-------------------------------------------------------------------------------
192.0.2.3
Def. Instance  64500        7    0 00h01m34s 0/0/2 (IPv4)
                           12    0           0/0/2 (Lbl-IPv4)
192.168.12.1
Def. Instance  64501       16    0 00h01m55s 2/2/1 (IPv4)
                           11    0           2/2/1 (IPv6)
                                             2/2/0 (Lbl-IPv4)
                                             2/2/0 (Lbl-IPv6)

2001:db8::2:3
Def. Instance  64500        7    0 00h01m34s 0/0/2 (IPv6)
                           12    0           0/0/2 (Lbl-IPv6)

-------------------------------------------------------------------------------

The following output shows that both received BGP routes are used:

*A:PE-2# show router bgp routes
===============================================================================
 BGP Router ID:192.0.2.2        AS:64500       Local AS:64500
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  10.1.0.1/32                                        None        None
      192.168.12.1                                       None        0
      64501                                                          -
u*>i  10.131.0.1/32                                      None        None
      192.168.12.1                                       None        0
      64501                                                          -
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

In a similar way, two received routes are active for the ipv6, label-ipv4, and label-ipv6 address families.

EBGP default reject policy for import and export

On PE-1 and PE-2, the eBGP default reject policy is configured in the group "eBGP", both for import and export, as follows:

# on PE-1, PE-2:
configure
    router Base
        bgp
            group "eBGP"
                ebgp-default-reject-policy import export
            exit

Both PE-1 and PE-2 have export policies configured and the same prefixes will be advertised. However, the received routes will be rejected because no import policies are configured:

*A:PE-2# show router bgp neighbor 192.168.12.1 | match "Import Policy" 
Import Policy        : None Specified - Default Reject
*A:PE-2# show router bgp neighbor 192.168.12.1 | match "Export Policy"
Export Policy        : export-bgp

The following BGP summary on PE-2 shows that the same number of routes is received from eBGP peer 192.168.12.1, but these routes are rejected:

*A:PE-2# show router bgp summary all
===============================================================================
BGP Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
Description
ServiceId          AS PktRcvd InQ  Up/Down   State|Rcv/Act/Sent (Addr Family)
                      PktSent OutQ
-------------------------------------------------------------------------------
192.0.2.3
Def. Instance  64500       38    0 00h17m29s 0/0/0 (IPv4)
                           44    0           0/0/0 (Lbl-IPv4)
192.168.12.1
Def. Instance  64501       48    0 00h17m50s 2/0/1 (IPv4)
                           43    0           2/0/1 (IPv6)
                                             2/0/0 (Lbl-IPv4)
                                             2/0/0 (Lbl-IPv6)
2001:db8::2:3
Def. Instance  64500       38    0 00h17m29s 0/0/0 (IPv6)
                           45    0           0/0/0 (Lbl-IPv6)
-------------------------------------------------------------------------------

The following shows that the received BGP routes are invalid:

*A:PE-2# show router bgp routes
===============================================================================
 BGP Router ID:192.0.2.2        AS:64500       Local AS:64500
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
i     10.1.0.1/32                                        None        None
      192.168.12.1                                       None        0
      64501                                                          -
i     10.131.0.1/32                                      None        None
      192.168.12.1                                       None        0
      64501                                                          -
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

The status of the IPv6, BGP-LU IPv4, and BGP-LU IPv6 routes is the same. The flags for the received routes for the different address families include the 'Rejected' flag:

*A:PE-2# show router bgp routes hunt | match Flags
Flags          : Invalid IGP Rejected
Flags          : Invalid IGP Rejected

*A:PE-2# show router bgp routes ipv6 hunt | match Flags
Flags          : Invalid IGP Rejected
Flags          : Invalid IGP Rejected

*A:PE-2# show router bgp routes label-ipv4 hunt | match Flags
Flags          : Invalid IGP Rejected
Flags          : Invalid IGP Rejected

*A:PE-2# show router bgp routes label-ipv6 hunt | match Flags
Flags          : Invalid IGP Rejected
Flags          : Invalid IGP Rejected

Import policy

When an import policy is configured, it is possible that some of these routes are accepted. The following import policy accepts incoming routes with communities "1:1" or "2:2":

# on PE-2:
configure
    router Base
        policy-options
            begin
            community "1:1"
                members "1:1"
            exit
            community "2:2"
                members "2:2"
            exit
            policy-statement "import-1:1-2:2"
                entry 10
                    from
                        community "1:1"
                    exit
                    action accept
                    exit
                exit
                entry 20
                    from
                        community "2:2"
                    exit
                    action accept
                    exit
                exit
            exit
            commit
        exit
        bgp
            group "eBGP"
                import "import-1:1-2:2"
            exit

PE-2 accepts BGP route 10.1.0.1/32 with community "1:1", but it rejects route 10.131.0.1/32 because this route has no communities:

*A:PE-2# show router bgp routes
===============================================================================
 BGP Router ID:192.0.2.2        AS:64500       Local AS:64500
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  10.1.0.1/32                                        None        None
      192.168.12.1                                       None        0
      64501                                                          -
i     10.131.0.1/32                                      None        None
      192.168.12.1                                       None        0
      64501                                                          -
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

The BGP summary on PE-2 shows that one route is accepted and one route is rejected for the IPv4, IPv6, BGP-LU IPv4, and BGP-LU IPv6 address families:

*A:PE-2# show router bgp summary all
===============================================================================
BGP Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
Description
ServiceId          AS PktRcvd InQ  Up/Down   State|Rcv/Act/Sent (Addr Family)
                      PktSent OutQ
-------------------------------------------------------------------------------
192.0.2.3
Def. Instance  64500       81    0 00h38m35s 0/0/1 (IPv4)
                           94    0           0/0/1 (Lbl-IPv4)
192.168.12.1
Def. Instance  64501       90    0 00h38m56s 2/1/1 (IPv4)
                           85    0           2/1/1 (IPv6)
                                             2/1/0 (Lbl-IPv4)
                                             2/1/0 (Lbl-IPv6)
2001:db8::2:3
Def. Instance  64500       81    0 00h38m35s 0/0/1 (IPv6)
                           96    0           0/0/1 (Lbl-IPv6)
-------------------------------------------------------------------------------

The following shows that the routes with communities "1:1" or "2:2" are accepted while the other routes are rejected. For each of the address families, there are two routes in the RIB-IN: a first one with community "1:1" or "2:2" (with flags "Used Valid Best IGP") and second one with "No community members" (with flags "Invalid IGP Rejected"), as follows:

*A:PE-2# show router bgp routes hunt | match expression "Comm|Flags"
Community      : 1:1
Flags          : Used Valid Best IGP
Community      : No Community Members
Flags          : Invalid IGP Rejected
Community      : 1:1                        # RIB-OUT
Community      : No Community Members       # RIB-OUT (172.31.0.1/32)
*A:PE-2# show router bgp routes ipv6 hunt | match expression "Comm|Flags"
Community      : 1:1
Flags          : Used Valid Best IGP
Community      : No Community Members
Flags          : Invalid IGP Rejected
Community      : 1:1                        # RIB-OUT
Community      : No Community Members       # RIB-OUT (172.31.0.1/32)
*A:PE-2# show router bgp routes label-ipv4 hunt | match expression "Comm|Flags"
Community      : 2:2
Flags          : Used Valid Best IGP
Community      : No Community Members
Flags          : Invalid IGP Rejected
Community      : 2:2                        # RIB-OUT
*A:PE-2# show router bgp routes label-ipv6 hunt | match expression "Comm|Flags"
Community      : 2:2
Flags          : Used Valid Best IGP
Community      : No Community Members
Flags          : Invalid IGP Rejected
Community      : 2:2                        # RIB-OUT

Conclusion

The eBGP default reject policy is used to improve the security and reliability of Internet routing. The eBGP default reject policy can be combined with other policies and is always evaluated last in the list of policies.