BGP Route Leak Prevention and Detection
Understanding Route Leak Prevention and Detection by using BGP roles and OTC attributes
Border Gateway Protocol (BGP) enhancements focus on preventing and detecting route leaks, which occur when routing announcements are improperly propagated beyond their intended scope. You can prevent route leaks in BGP routing by utilizing BGP roles and OTC attributes as defined in RFC 9234. The feature ensures routes from providers or peers are only propagated to customers, reducing misconfigurations and errors.
The BGP speaker automatically sets the OTC based on its configured role, and then advertises a prefix based on the OTC presence in the BGP update message, making the configuration straightforward and minimizing manual intervention. This helps you maintain intended routes and prevent issues such as network delays and Denial-of-Service (DoS) attacks.
Benefits of BGP Role and Route Leak Prevention
- Prevents Misconfigurations—By marking routes with the OTC attribute based on negotiated BGP roles, this feature ensures that routing announcements are propagated only to intended recipients, reducing the risk of misconfigurations leading to route leaks.
- Improves Route Security and Network Reliability—The ability to define different peering relationships for different prefixes (per-prefix OTC-local-role policy) allows for more precise control over route propagation, enhancing route security and improving the overall reliability of the network.
- Simplifies Monitoring and Troubleshooting—New show commands for displaying OTC attributes and route leak detection statistics enable easier monitoring and quicker identification and resolution of route leak issues.
Keep the following in mind:
- When you enable per-prefix otc-local-role to define the peering relationship with a neighbor, you must apply the same policy to both ingress and egress.
- Route leak detection and prevention only applies to the IPv4 and IPv6 unicast address families.
Configure BGP Roles and OTC Attributes to Prevent BGP Route Leaks
For BGP to prevent and detect route leaks, you need to configure BGP roles and utilize the OTC attribute. You can set a BGP local role to customer, provider, peer, route-server, or route-server-client. You can also set the mode to strict (the default mode) or not-negotiated. The strict mode makes the receipt of a BGP role capability from the remote AS mandatory for role negotiation. The not-negotiated mode does not require both peers to send the role capability. If both routers agree on the corresponding roles and the configured mode, the BGP session is established.
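The role pairing, the strict and not-negotiated modes, and the OTC marking and propagation rules described above follow RFC 9234. The following added example (not Junos code and not from this page) models those rules in a small simulator: roles_compatible() decides whether a session can come up, ingress() and egress() apply the RFC 9234 checks, and simulate() walks a constructed scenario in which AS 65001 learns a prefix from its provider AS 65000, advertises it to customer AS 65002, is blocked from leaking it to peer AS 65003, and detects the customer trying to hand it back. All AS numbers and the prefix are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# The only role pairings RFC 9234 lets a session negotiate.
VALID_PAIRS = {("provider", "customer"), ("customer", "provider"), ("peer", "peer"),
               ("route-server", "route-server-client"), ("route-server-client", "route-server")}

def roles_compatible(local_role: str, remote_role: Optional[str], mode: str = "strict") -> bool:
    """Strict mode requires the remote to send a role capability; not-negotiated tolerates its absence."""
    if remote_role is None:
        return mode == "not-negotiated"
    return (local_role, remote_role) in VALID_PAIRS

@dataclass
class Route:
    prefix: str
    otc: Optional[int] = None  # Only-To-Customer attribute: an AS number, or absent

def ingress(route: Route, neighbor_role: str, neighbor_as: int) -> Optional[str]:
    """RFC 9234 ingress check: return a leak reason, or None (and tag OTC in place where required)."""
    if route.otc is not None and neighbor_role in ("customer", "route-server-client"):
        return "leak: OTC-marked route received from a customer or RS-client"
    if route.otc is not None and neighbor_role == "peer" and route.otc != neighbor_as:
        return f"leak: OTC {route.otc} does not match peer AS {neighbor_as}"
    if route.otc is None and neighbor_role in ("provider", "peer", "route-server"):
        route.otc = neighbor_as  # learned from above: may only be sent down to customers
    return None

def egress(route: Route, neighbor_role: str, local_as: int) -> Optional[Route]:
    """RFC 9234 egress check: return the route to advertise, or None when it must be withheld."""
    if route.otc is not None and neighbor_role in ("provider", "peer", "route-server"):
        return None  # sending it upward or sideways would be a route leak
    out = Route(route.prefix, route.otc)
    if out.otc is None and neighbor_role in ("customer", "peer", "route-server-client"):
        out.otc = local_as  # we originate the OTC mark on the way down
    return out

def simulate(local_as: int = 65001) -> dict:
    """Constructed scenario: AS 65001 has provider AS 65000, customer AS 65002, peer AS 65003."""
    r = Route("192.0.2.0/24")                      # constructed prefix, arrives without OTC
    learned = ingress(r, "provider", 65000)        # None; OTC becomes 65000
    to_customer = egress(r, "customer", local_as)  # advertised, OTC 65000 preserved
    to_peer = egress(r, "peer", local_as)          # withheld: would leak the provider route
    bounced = Route("192.0.2.0/24", otc=65000)     # the customer tries to hand it back to us
    return {"learned": learned, "otc": r.otc, "to_customer": to_customer,
            "to_peer": to_peer, "from_customer": ingress(bounced, "customer", 65002)}
```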
To configure BGP roles at the BGP protocol, group, and neighbor levels, configure the otc-local-role statement at the following hierarchy levels:
[edit protocols bgp]
[edit protocols bgp group group]
[edit protocols bgp group group neighbor neighbor]
You can also configure otc-local-role as an action in a policy term to override the per-peer local role before OTC processing. You must apply the same policy to both the ingress and the egress policy.
[edit policy-options policy-statement policy_name term 1]
policy-statement policy_name {
    term 1 {
        from {
            route-filter route_filter exact;
        }
        then {
            otc-local-role customer|provider|peer|route-server|route-server-client;
        }
    }
}
Requirements
This example uses the following hardware and software components:
- MX Series routers
- Junos OS Release 25.2R1 or later
The following steps show how to configure the otc-local-role configuration statement with the role set to provider and the mode set to strict for BGP at the neighbor level in a given instance.
Step-by-Step Procedure
1. Configure basic device settings, including the interface IP address, loopback address, router ID, and autonomous system number.
set interfaces interface unit 1 family inet address IP-address
set interfaces lo0 unit 1 family inet address loopback-address
set routing-options router-id router-ID
set routing-options autonomous-system AS-number
2. Configure external BGP (EBGP) on the devices. Configure BGP peering at the group or neighbor level.
set protocols bgp group ext type external
set protocols bgp group ext peer-as peer-AS-number
set protocols bgp group ext neighbor neighbor-IP-address
3. Configure the BGP OTC local role with the provider role and strict mode on the neighbor configured in the previous step.
set protocols bgp group ext neighbor neighbor-IP-address otc-local-role provider strict
Result
From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, and show protocols commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly. Use the show bgp neighbor, show route extensive (or show route detail), and show route protocol bgp route detail operational commands to verify that the BGP session is established and that the OTC attribute is present on the expected routes.