Philip Smith's Internet Development Site

User Tools

Site Tools

Trace: 6-securing-bgp d-static 5-securing-isis 0-setup development what_is_peering 3-securing-router 4-routing-security 2-securing-router
training:riso:development

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
training:riso:development [2019/07/04 11:38] philiptraining:riso:development [2019/07/04 12:06] (current) – [Workshop Development Notes] philip
Line 3: Line 3:
 ====== Workshop Development Notes ====== ====== Workshop Development Notes ======
  
-Needs to cover: +Needs to cover the following topics. 
-  * setting up IS-IS + 
-    * NSAP address plan +=== Setting up IS-IS === 
-    * setting metrics, level-2, wide metrics + 
-    * selecting DIS +  * NSAP address plan 
-    * multi-topology +  * setting metrics, level-2, wide metrics 
-    * point-to-point ethernets +  * selecting DIS 
-    * Notes:  +  * multi-topology 
-        * all done in existing IS-IS Lab +  * point-to-point ethernets 
-  securing IS-IS (with OSPF side example) +  * **Notes:**  
-    * neighbour authentication +    * **all done in existing IS-IS Lab*
-    * no IS-IS outside ASN + 
-    * Notes:  + 
-        * all done in existing IS-IS Lab +=== Securing IS-IS (with OSPF side example) === 
-        * need to add OSPF footnote example +  * neighbour authentication 
-  setting up BGP securely +  * no IS-IS outside ASN 
-    * RFC8212 - filters in and out on eBGP +  * **Notes:**  
-    * passwords on eBGP and iBGP sessions +    * **all done in existing IS-IS Lab** 
-    * RIR checks on assigned address space of customers - jwhois +    * **need to add OSPF footnote example*
-    * RFC6890 filtering of bogons & Team Cymru bogon BGP feed + 
-    * Notes: +=== Setting up BGP securely === 
-        * 8212 needs to be explicitly mentioned in eBGP lab +  * RFC8212 - filters in and out on eBGP 
-        * the rest all covered in BGP Best Practices slide deck  +  * passwords on eBGP and iBGP sessions 
-  * BGP scalability & stability features +  * RIR checks on assigned address space of customers - jwhois 
-    * iBGP between loopbacks & next-hop-self +  * RFC6890 filtering of bogons & Team Cymru bogon BGP feed 
-    * route reflector +  * Notes: 
-    * deterministic-med +    * **8212 needs to be explicitly mentioned in eBGP lab** 
-    * BGP distance > IGP distance +    * **the rest all covered in BGP Best Practices slide deck**  
-    * stable announcement of covering aggregates out of all eBGP peers + 
-    * Notes: +=== BGP scalability & stability features === 
-        * All done in existing BGP materials & labs +  * iBGP between loopbacks & next-hop-self 
-  * BGP security features +  * route reflector 
-    * maxas-limit +  * deterministic-med 
-    * max-prefix +  * BGP distance > IGP distance 
-    * ttl-security aka GTSM +  * stable announcement of covering aggregates out of all eBGP peers 
-    * community propagated for iBGP by default, eBGP selective +  * **Notes:** 
-    * strip private ASNs +    * **All done in existing BGP materials & labs*
-    * Notes: + 
-        * Needs a new lab “Securing BGP Lab” +=== BGP security features === 
-  * Setting up Communities for BGP scaling +  * maxas-limit 
-    * security feature -> consistent policies across the ASN +  * max-prefix 
-  Control plane security +  * ttl-security aka GTSM 
-    * setting up SSH on routers +  * community propagated for iBGP by default, eBGP selective 
-    * protecting VTYs with access filters +  * strip private ASNs 
-  * uRPF +  * **Notes:** 
-    * show how to set up +      * **Needs a new lab “Securing BGP Lab”*
-  * RTBH +  
-    * set up within an AS +=== Setting up Communities for BGP scaling === 
-    * set up between ASNs +  * security feature -> consistent policies across the ASN 
-        * need to have done communities for this + 
-  * BGP SEC +=== Control plane security === 
-    * Creating ROAs (RIR dependent, but explain the process) +  * setting up SSH on routers 
-    * Installing and operating NLnet Labs Routinator +  * protecting VTYs with access filters 
-        * need containers on VTP for this +  * **Notes:** 
-    * Setting up RPKI support on a router +    * **Needs a new lab “Control Plane Security”** 
-    * Implementing route origin validation & related policies + 
-        * Need address space that has been validated - APNIC offered their blocks, but longer term we should have our own. +=== uRPF === 
-    * propagating validation state across iBGP +  * show how to set up on access interfaces 
-        * standards which vendors aren’t supporting, or DIY? +  * **Notes:** 
-  * Troubleshooting BGP Security Operations +    * **Needs a new lab “uRPF”** 
-    * RouteViews: for analysis, monitoring, troubleshooting + 
-    * Looking Glasses supporting ROA/ROV +=== RTBH === 
-        * SEACOM +  * set up within an AS 
-        * HE BGP Tool: bgp.he.net +  * set up between ASNs 
-    * RIPE NCC: bgpplay +    * need to have done communities for this 
-  * MANRS +    **Notes:** 
-    * conclude with summary of MANRS and what it is about+      * **Needs a new lab “Local RTBH”** 
 +      * **Needs a new lab “Inter-AS RTBH”** 
 + 
 +=== BGP SEC === 
 +  * Creating ROAs (RIR dependent, but explain the process) 
 +  * Installing and operating NLnet Labs Routinator 
 +    **Note: need containers on VTP for this**  
 +  * Setting up RPKI support on a router 
 +  * Implementing route origin validation & related policies 
 +    **Note: Need address space that has been validated** - APNIC offered their blocks, but longer term we should have our own. 
 +  * propagating validation state across iBGP 
 +    **Question: standards which vendors aren’t supporting, or DIY?** 
 +    **Notes:** 
 +        * **Need Validator Cache lab (install Routinator on VM per group)** 
 +        * **Need RPKI lab (set up router to talk to Cache)** 
 +        * **Need ROV lab (propagating state, and acting on ROAs)** 
 + 
 +=== Troubleshooting BGP Security Operations === 
 +  * RouteViews: for analysis, monitoring, troubleshooting 
 +  * Looking Glasses supporting ROA/ROV 
 +    * SEACOM 
 +    * HE BGP Tool: bgp.he.net 
 +  * RIPE NCC: bgpplay 
 +  * **Notes:** 
 +    * **Use Routeviews User presentation** 
 +    * **Need Looking Glass lab - user experimentation only** 
 +    * **Need Troubleshooting Security Presentation - distil out of Troubleshooting BGP tutorial perhaps?** 
 + 
 +=== MANRS === 
 +  * conclude with summary of MANRS and what it is about 
 +  * **Notes:** 
 +    * **Already exists as part of BGP Origin Validation presentation** 
 + 
 +=== Lab topology === 
 +  * **To Do:** 
 +    * **Add a “customer PC” to the customer router in each group** 
 +    * **Upgrade MacMini to 16.04 - use latest LXD code (compiled from source)**
  
  
training/riso/development.1562240297.txt.gz · Last modified: by philip