{{:training:riso:nsrc-main-medium.png?200|}}

====== Workshop Development Notes ======

Needs to cover the following topics.

=== Setting up IS-IS ===

  * NSAP address plan
  * setting metrics, level-2, wide metrics
  * selecting DIS
  * multi-topology
  * point-to-point ethernets
  * **Notes:**
    * **all done in existing IS-IS Lab**

=== Securing IS-IS (with OSPF side example) ===

  * neighbour authentication
  * no IS-IS outside ASN
  * **Notes:**
    * **all done in existing IS-IS Lab**
    * **need to add OSPF footnote example**

=== Setting up BGP securely ===

  * RFC8212 - filters in and out on eBGP
  * passwords on eBGP and iBGP sessions
  * RIR checks on assigned address space of customers - jwhois
  * RFC6890 filtering of bogons & Team Cymru bogon BGP feed
  * Notes:
    * **8212 needs to be explicitly mentioned in eBGP lab**
    * **the rest all covered in BGP Best Practices slide deck**

=== BGP scalability & stability features ===

  * iBGP between loopbacks & next-hop-self
  * route reflector
  * deterministic-med
  * BGP distance > IGP distance
  * stable announcement of covering aggregates out of all eBGP peers
  * **Notes:**
    * **All done in existing BGP materials & labs**

=== BGP security features ===

  * maxas-limit
  * max-prefix
  * ttl-security aka GTSM
  * community propagated for iBGP by default, eBGP selective
  * strip private ASNs
  * **Notes:**
    * **Needs a new lab “Securing BGP Lab”**

=== Setting up Communities for BGP scaling ===

  * security feature -> consistent policies across the ASN

=== Control plane security ===

  * setting up SSH on routers
  * protecting VTYs with access filters
  * **Notes:**
    * **Needs a new lab “Control Plane Security”**

=== uRPF ===

  * show how to set up on access interfaces
  * **Notes:**
    * **Needs a new lab “uRPF”**

=== RTBH ===

  * set up within an AS
  * set up between ASNs
  * need to have done communities for this
  * **Notes:**
    * **Needs a new lab “Local RTBH”**
    * **Needs a new lab “Inter-AS RTBH”**

=== BGP SEC ===

  * Creating ROAs (RIR dependent, but explain the process)
  * Installing and operating NLnet Labs Routinator
    * **Note: need containers on VTP for this**
  * Setting up RPKI support on a router
  * Implementing route origin validation & related policies
    * **Note: Need address space that has been validated** - APNIC offered their blocks, but longer term we should have our own.
  * propagating validation state across iBGP
    * **Question: standards which vendors aren’t supporting, or DIY?**
  * **Notes:**
    * **Need Validator Cache lab (install Routinator on VM per group)**
    * **Need RPKI lab (set up router to talk to Cache)**
    * **Need ROV lab (propagating state, and acting on ROAs)**

=== Troubleshooting BGP Security Operations ===

  * RouteViews: for analysis, monitoring, troubleshooting
  * Looking Glasses supporting ROA/ROV
  * SEACOM
  * HE BGP Tool: bgp.he.net
  * RIPE NCC: bgpplay
  * **Notes:**
    * **Use Routeviews User presentation**
    * **Need Looking Glass lab - user experimentation only**
    * **Need Troubleshooting Security Presentation - distil out of Troubleshooting BGP tutorial perhaps?**

=== MANRS ===

  * conclude with summary of MANRS and what it is about
  * **Notes:**
    * **Already exists as part of BGP Origin Validation presentation**

=== Lab topology ===

  * **To Do:**
    * **Add a “customer PC” to the customer router in each group**
    * **Upgrade MacMini to 16.04 - use latest LXD code (compiled from source)**

[[:training:riso:start| Back to Home page]]