training:riso:development
| training:riso:development [2019/07/04 11:39] – philip | training:riso:development [2019/07/04 12:06] (current) – [Workshop Development Notes] philip | ||
|---|---|---|---|
| Line 3: | Line 3: | ||
| ====== Workshop Development Notes ====== | ====== Workshop Development Notes ====== | ||
| - | Needs to cover: | + | Needs to cover the following topics. |
| - | * setting | + | |
| - | * NSAP address plan | + | === Setting |
| - | * setting metrics, level-2, wide metrics | + | |
| - | * selecting DIS | + | |
| - | * multi-topology | + | * setting metrics, level-2, wide metrics |
| - | * point-to-point ethernets | + | * selecting DIS |
| - | * **Notes:** | + | * multi-topology |
| - | * **all done in existing IS-IS Lab** | + | * point-to-point ethernets |
| - | * securing | + | * **Notes:** |
| - | * neighbour authentication | + | * **all done in existing IS-IS Lab** |
| - | * no IS-IS outside ASN | + | |
| - | * **Notes:** | + | |
| - | * **all done in existing IS-IS Lab** | + | === Securing |
| - | * **need to add OSPF footnote example** | + | * neighbour authentication |
| - | * setting | + | * no IS-IS outside ASN |
| - | * RFC8212 - filters in and out on eBGP | + | * **Notes:** |
| - | * passwords on eBGP and iBGP sessions | + | * **all done in existing IS-IS Lab** |
| - | * RIR checks on assigned address space of customers - jwhois | + | * **need to add OSPF footnote example** |
| - | * RFC6890 filtering of bogons & Team Cymru bogon BGP feed | + | |
| - | * Notes: | + | === Setting |
| - | * **8212 needs to be explicitly mentioned in eBGP lab** | + | * RFC8212 - filters in and out on eBGP |
| - | * **the rest all covered in BGP Best Practices slide deck** | + | * passwords on eBGP and iBGP sessions |
| - | | + | * RIR checks on assigned address space of customers - jwhois |
| - | * iBGP between loopbacks & next-hop-self | + | * RFC6890 filtering of bogons & Team Cymru bogon BGP feed |
| - | * route reflector | + | * Notes: |
| - | * deterministic-med | + | * **8212 needs to be explicitly mentioned in eBGP lab** |
| - | * BGP distance > IGP distance | + | * **the rest all covered in BGP Best Practices slide deck** |
| - | * stable announcement of covering aggregates out of all eBGP peers | + | |
| + | === BGP scalability & stability features | ||
| + | * iBGP between loopbacks & next-hop-self | ||
| + | * route reflector | ||
| + | * deterministic-med | ||
| + | * BGP distance > IGP distance | ||
| + | * stable announcement of covering aggregates out of all eBGP peers | ||
| + | * **Notes: | ||
| + | * **All done in existing BGP materials & labs** | ||
| + | |||
| + | === BGP security features === | ||
| + | * maxas-limit | ||
| + | * max-prefix | ||
| + | * ttl-security aka GTSM | ||
| + | * community propagated for iBGP by default, eBGP selective | ||
| + | * strip private ASNs | ||
| + | * **Notes: | ||
| + | * **Needs a new lab “Securing BGP Lab”** | ||
| + | |||
| + | === Setting up Communities for BGP scaling === | ||
| + | * security feature -> consistent policies across the ASN | ||
| + | |||
| + | === Control plane security === | ||
| + | * setting up SSH on routers | ||
| + | * protecting VTYs with access filters | ||
| + | * **Notes: | ||
| + | * **Needs a new lab “Control Plane Security”** | ||
| + | |||
| + | === uRPF === | ||
| + | * show how to set up on access interfaces | ||
| + | * **Notes: | ||
| + | * **Needs a new lab “uRPF”** | ||
| + | |||
| + | === RTBH === | ||
| + | * set up within an AS | ||
| + | * set up between ASNs | ||
| + | * need to have done communities for this | ||
| * **Notes:** | * **Notes:** | ||
| - | | + | |
| - | * BGP security features | + | * **Needs a new lab “Inter-AS RTBH”** |
| - | * maxas-limit | + | |
| - | * max-prefix | + | === BGP SEC === |
| - | * ttl-security aka GTSM | + | * Creating ROAs (RIR dependent, but explain the process) |
| - | * community propagated for iBGP by default, eBGP selective | + | * Installing and operating NLnet Labs Routinator |
| - | * strip private ASNs | + | * **Note: need containers on VTP for this** |
| + | * Setting up RPKI support on a router | ||
| + | * Implementing route origin validation & related policies | ||
| + | * **Note: Need address space that has been validated** | ||
| + | * propagating validation state across | ||
| + | * **Question: standards which vendors aren’t supporting, or DIY?** | ||
| * **Notes:** | * **Notes:** | ||
| - | * **Needs a new lab “Securing BGP Lab”** | + | * **Need Validator Cache lab (install Routinator on VM per group)** |
| - | * Setting up Communities for BGP scaling | + | * **Need RPKI lab (set up router to talk to Cache)** |
| - | | + | * **Need ROV lab (propagating state, and acting |
| - | | + | |
| - | * setting | + | === Troubleshooting BGP Security Operations |
| - | * protecting VTYs with access filters | + | * RouteViews: for analysis, monitoring, troubleshooting |
| - | * uRPF | + | * Looking Glasses supporting ROA/ROV |
| - | * show how to set up | + | * SEACOM |
| - | | + | * HE BGP Tool: bgp.he.net |
| - | | + | * RIPE NCC: bgpplay |
| - | * set up between ASNs | + | * **Notes:** |
| - | * need to have done communities for this | + | |
| - | | + | * **Need Looking Glass lab - user experimentation only** |
| - | | + | * **Need Troubleshooting Security Presentation - distil out of Troubleshooting BGP tutorial perhaps? |
| - | * Installing | + | |
| - | * need containers | + | === MANRS === |
| - | | + | |
| - | | + | * **Notes: |
| - | * Need address space that has been validated - APNIC offered their blocks, but longer term we should have our own. | + | * **Already exists as part of BGP Origin Validation presentation** |
| - | * propagating validation state across iBGP | + | |
| - | * standards which vendors aren’t supporting, or DIY? | + | === Lab topology === |
| - | | + | * **To Do:** |
| - | * RouteViews: for analysis, monitoring, troubleshooting | + | * **Add a “customer PC” to the customer router in each group** |
| - | * Looking Glasses supporting ROA/ROV | + | * **Upgrade MacMini to 16.04 - use latest LXD code (compiled from source)** |
| - | * SEACOM | + | |
| - | * HE BGP Tool: bgp.he.net | + | |
| - | * RIPE NCC: bgpplay | + | |
| - | * MANRS | + | |
| - | * conclude with summary of MANRS and what it is about | + | |
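Review bot: In the BGP SEC section, the new note "Need address space that has been validated" drops the rest of the removed line, "APNIC offered their blocks, but longer term we should have our own". Keep that clause in the note, or record it under the Lab topology To Do, so the plan for sourcing validated address space is not lost in the restructuring. The "Notes:" label in the section that lists RFC8212 filters is also carried over unbolded, while the other sections in the new revision use a bold "Notes:" label; bold it for consistency.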
training/riso/development.1562240365.txt.gz · Last modified: by philip
