How to build a BGP looking glass with OpenBSD

Preface

A looking glass is a service that gathers routing information from your routers and thus gives you a central point from which to examine your view of the Internet. Looking glasses are commonly used by ISPs and Internet exchange points, and are sometimes made publicly available to help others solve routing issues. This howto focuses on BGP, as it is the routing protocol used between the various networks and autonomous systems that form the Internet.
A recent version of OpenBSD comes with OpenBGPD, an Apache webserver, and a CGI script called bgplg. These are the building blocks of our looking glass server.

Requirements

Steps

  1. Install OpenBSD as usual. I created a 9 GB root partition and a 1 GB swap area.
  2. My /etc/rc.conf.local looks like this:
    # enable ntpd
    ntpd_flags=
    # disable audio server
    sndiod_flags=NO
    # disable inetd
    inetd_flags=NO
    # enable httpd
    httpd_flags=
    # enable openbgpd
    bgpd_flags=
    
  3. My /etc/bgpd.conf looks like this:
    AS 65511
    fib-update no
    listen on 0.0.0.0
    route-collector yes
    router-id 192.168.0.25
    
    socket "/var/www/logs/bgpd.rsock" restricted
    
    neighbor 192.168.0.24 {
      remote-as 65511
      descr "Juniper MX80"
      announce none
    }
    
  4. Following the bgplg man page, make the CGI script and bgpctl readable and executable:
    # chmod 0555 /var/www/cgi-bin/bgplg
    # chmod 0555 /var/www/bin/bgpctl
    
  5. Copy /etc/resolv.conf to /var/www/etc, because httpd chroots itself to /var/www:
    # cp /etc/resolv.conf /var/www/etc/
    
  6. Start the webserver and openbgpd:
    # /etc/rc.d/httpd start
    # /etc/rc.d/bgpd start
    
  7. Your router's configuration should at least contain these lines:
    protocols {
        bgp {
            local-as 65511;
            group lookingglass {
                type internal;
                import reject;
                export accept;
                neighbor 192.168.0.25;
            }
        }
    }
    policy-options {
        policy-statement reject {
            then reject;
        }
        policy-statement accept {
            then accept;
        }
    }
    
  8. Now open a web browser and go to http://192.168.0.25/cgi-bin/bgplg (or whatever your looking glass server's address is). You should see something similar to this:
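
Separately from the browser check in step 8, the state that steps 3 to 5 are meant to produce can be verified with a script. The following is an added example, not part of the original howto: it checks that the collector stays passive (no kernel route updates, no announcements, only a restricted control socket inside the chroot) and that the chroot files are in place. The function name lg_check and its root-directory argument are hypothetical, and the checks assume the bgpd.conf syntax shown in step 3.

```shell
#!/bin/sh
# Added example: post-install checks for the looking glass from steps 3-5.
# lg_check and its ROOT argument (default "/") are hypothetical names; ROOT
# lets the checks run against a staged copy of the file tree as well.
lg_check() {
    root=${1:-/}; rc=0
    conf="$root/etc/bgpd.conf"
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # Step 4: the CGI script and bgpctl must be exactly mode 0555
    # (readable and executable, writable by nobody).
    for f in var/www/cgi-bin/bgplg var/www/bin/bgpctl; do
        [ -n "$(find "$root/$f" -prune -perm 555 2>/dev/null)" ] ||
            fail "$f is not mode 0555"
    done

    # Step 5: the resolver configuration must exist inside the httpd chroot.
    [ -s "$root/var/www/etc/resolv.conf" ] ||
        fail "var/www/etc/resolv.conf missing in chroot"

    # Step 3: the collector must not install learned routes in the kernel.
    grep -Eq '^[[:space:]]*fib-update[[:space:]]+no([[:space:]]|$)' "$conf" ||
        fail "bgpd.conf lacks 'fib-update no'"

    # Step 3: every control socket under /var/www must be 'restricted',
    # and at least one such socket must be configured.
    awk '$1 == "socket" && $2 ~ /^"\/var\/www\// { n++; if ($3 != "restricted") bad = 1 }
         END { exit (n == 0 || bad) }' "$conf" ||
        fail "no restricted control socket under /var/www"

    # Step 3: every neighbor block must carry 'announce none'.
    awk '$1 == "neighbor" { inb = 1; ok = 0 }
         inb && $1 == "announce" && $2 == "none" { ok = 1 }
         inb && $1 == "}" { if (!ok) bad = 1; inb = 0 }
         END { exit bad }' "$conf" ||
        fail "a neighbor block lacks 'announce none'"

    return "$rc"
}
```

On the looking glass itself, run `lg_check /` as root; a non-zero exit status means at least one check failed, with the reason printed to standard error.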