Workshop Development Notes
Needs to cover the following topics.
Setting up IS-IS
  - NSAP address plan
  - setting metrics, level-2, wide metrics
  - selecting DIS
  - multi-topology
  - point-to-point ethernets
  Notes:
    - all done in existing IS-IS Lab
Securing IS-IS (with OSPF side example)
  - neighbour authentication
  - no IS-IS outside ASN
  Notes:
    - all done in existing IS-IS Lab
    - need to add OSPF footnote example
Setting up BGP securely
  - RFC8212 - filters in and out on eBGP
  - passwords on eBGP and iBGP sessions
  - RIR checks on assigned address space of customers - jwhois
  - RFC6890 filtering of bogons & Team Cymru bogon BGP feed
  Notes:
    - 8212 needs to be explicitly mentioned in eBGP lab
    - the rest all covered in BGP Best Practices slide deck
BGP scalability & stability features
  - iBGP between loopbacks & next-hop-self
  - route reflector
  - deterministic-med
  - BGP distance > IGP distance
  - stable announcement of covering aggregates out of all eBGP peers
  Notes:
    - All done in existing BGP materials & labs
BGP security features
  - maxas-limit
  - max-prefix
  - ttl-security aka GTSM
  - community propagated for iBGP by default, eBGP selective
  - strip private ASNs
  Notes:
    - Needs a new lab “Securing BGP Lab”
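As an added illustration for the "Setting up BGP securely", "BGP scalability & stability features" and "BGP security features" items above (this is not taken from the notes or from any existing lab material), a Cisco IOS-style configuration that puts the listed knobs on one router. All AS numbers, addresses, prefix-list names and thresholds are constructed placeholders; the syntax assumes classic IOS, so check the equivalents on whatever platform the lab uses.

```cisco
! Added example, not part of the workshop notes or labs.
! Assumed: local AS 64500, loopback 10.0.0.1, iBGP peer 10.0.0.2,
! eBGP customer 192.0.2.1 in AS 64501 holding 203.0.113.0/24,
! our own aggregate 198.51.100.0/24.
!
! RFC 8212: explicit import and export policy on every eBGP session.
! The trailing deny is redundant with the implicit deny but makes the
! "default deny" visible when the list is reviewed.
ip prefix-list CUSTOMER-IN seq 5 permit 203.0.113.0/24
ip prefix-list CUSTOMER-IN seq 100 deny 0.0.0.0/0 le 32
ip prefix-list OUR-AGGREGATES seq 5 permit 198.51.100.0/24
ip prefix-list OUR-AGGREGATES seq 100 deny 0.0.0.0/0 le 32
!
! Stable announcement of the covering aggregate: the Null0 route keeps the
! network statement up even when individual customer routes flap.
ip route 198.51.100.0 255.255.255.0 Null0 250
!
router bgp 64500
 bgp log-neighbor-changes
 bgp deterministic-med
 ! Make BGP less preferred than the IGP (OSPF 110, IS-IS 115) so a BGP
 ! learned route can never displace an internal one.
 distance bgp 200 200 200
 network 198.51.100.0 mask 255.255.255.0
 !
 ! iBGP between loopbacks, next-hop-self, MD5 password, communities sent
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 description iBGP peer
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 next-hop-self
 neighbor 10.0.0.2 password IBGP-SECRET-PLACEHOLDER
 neighbor 10.0.0.2 send-community
 !
 ! eBGP customer: password, GTSM, AS-path and prefix limits, private
 ! ASNs stripped, explicit filters both ways, no communities by default
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 description eBGP customer AS64501
 neighbor 192.0.2.1 password EBGP-SECRET-PLACEHOLDER
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 maxas-limit 50
 neighbor 192.0.2.1 maximum-prefix 100 80 restart 15
 neighbor 192.0.2.1 remove-private-as
 neighbor 192.0.2.1 prefix-list CUSTOMER-IN in
 neighbor 192.0.2.1 prefix-list OUR-AGGREGATES out
```

The `maximum-prefix` line warns at 80% of the assumed limit of 100 prefixes and tears the session down above it, retrying after 15 minutes; the numbers only need to be realistic for the lab customer. `ttl-security hops 1` is the GTSM item: the session only accepts packets whose TTL shows they came from a directly connected neighbour.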
Setting up Communities for BGP scaling
  - security feature → consistent policies across the ASN
Control plane security
  - setting up SSH on routers
  - protecting VTYs with access filters
  Notes:
    - Needs a new lab “Control Plane Security”
uRPF
  - show how to set up on access interfaces
  Notes:
    - Needs a new lab “uRPF”
RTBH
  - set up within an AS
  - set up between ASNs
  - need to have done communities for this
  Notes:
    - Needs a new lab “Local RTBH”
    - Needs a new lab “Inter-AS RTBH”
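As an added example for both the uRPF and RTBH items above (not part of the notes or of any existing lab), a Cisco IOS-style configuration showing uRPF on a customer access interface, a local blackhole triggered with a community, and the inter-AS variant where a customer may blackhole only addresses inside its own assignment. The blackhole community 64500:666, the next-hop 192.0.2.1, the interface names, the addresses and the peer ASNs are constructed placeholders.

```cisco
! Added example, not part of the workshop notes or labs.
! Assumed: local AS 64500, blackhole community 64500:666, blackhole
! next-hop 192.0.2.1 (never used as a real address), trigger router is
! iBGP peer 10.0.0.9, customer AS 64501 at 192.0.2.100 owns 203.0.113.0/24.
ip bgp-community new-format
!
! uRPF strict mode on the customer access interface: a packet is only
! forwarded if the route back to its source points out the same interface.
interface GigabitEthernet0/1
 description Customer access
 ip verify unicast source reachable-via rx
!
! uRPF loose mode on the upstream interface: a source whose route resolves
! to Null0 is dropped, which is what turns a destination-based blackhole
! into a source-based one.
interface GigabitEthernet0/0
 description Upstream
 ip verify unicast source reachable-via any
!
! Every router in the AS pins the blackhole next-hop to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
! --- Trigger router: inject the victim /32 (203.0.113.7, constructed) ---
ip route 203.0.113.7 255.255.255.255 Null0 tag 666
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set community 64500:666 no-export
 set local-preference 200
 set origin igp
!
! --- Every edge router: act on the community from iBGP and from customers ---
ip community-list standard BLACKHOLE permit 64500:666
! Inter-AS: a customer may only blackhole /32s inside its own assignment
ip prefix-list AS64501-HOST-ROUTES seq 5 permit 203.0.113.0/24 ge 32
!
route-map RTBH-IBGP-IN permit 10
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
route-map RTBH-IBGP-IN permit 20
!
route-map AS64501-IN permit 10
 match community BLACKHOLE
 match ip address prefix-list AS64501-HOST-ROUTES
 set ip next-hop 192.0.2.1
 set community 64500:666 no-export
route-map AS64501-IN permit 20
 match ip address prefix-list AS64501-AGGREGATE
ip prefix-list AS64501-AGGREGATE seq 5 permit 203.0.113.0/24
!
router bgp 64500
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.0.0.9 remote-as 64500
 neighbor 10.0.0.9 update-source Loopback0
 neighbor 10.0.0.9 send-community
 neighbor 10.0.0.9 route-map RTBH-IBGP-IN in
 neighbor 192.0.2.100 remote-as 64501
 neighbor 192.0.2.100 send-community
 neighbor 192.0.2.100 route-map AS64501-IN in
```

The trigger and edge roles are shown on one router for brevity; in the lab the `redistribute static` block belongs on the trigger router and the inbound route-maps on each edge router. The `no-export` on the community keeps the blackhole /32 from leaking to other eBGP peers, and the `ge 32` prefix-list is the check that stops a customer from blackholing someone else's address.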
BGP SEC
  - Creating ROAs (RIR dependent, but explain the process)
  - Installing and operating NLnet Labs Routinator
    Note: need containers on VTP for this
  - Setting up RPKI support on a router
  - Implementing route origin validation & related policies
    Note: Need address space that has been validated
    - APNIC offered their blocks, but longer term we should have our own.
  - propagating validation state across iBGP
    Question: standards which vendors aren’t supporting, or DIY?
  Notes:
    - Need Validator Cache lab (install Routinator on VM per group)
    - Need RPKI lab (set up router to talk to Cache)
    - Need ROV lab (propagating state, and acting on ROAs)
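As an added example for the RPKI and ROV lab items above (not part of the notes or labs), a Cisco IOS-style configuration that connects a router to a validator cache over RTR, applies a policy based on validation state on an eBGP session, and passes the validation state to an iBGP peer. The cache address 10.0.0.50, the peers and the local-preference values are constructed placeholders; the RTR port 3323 is Routinator's default.

```cisco
! Added example, not part of the workshop notes or labs.
! Assumed: local AS 64500, Routinator cache at 10.0.0.50 (per-group VM,
! started with "routinator server --rtr 10.0.0.50:3323"), eBGP peer
! 192.0.2.1, iBGP peer 10.0.0.2.
router bgp 64500
 ! RTR session to the validator cache; refresh every 600 s
 bgp rpki server tcp 10.0.0.50 port 3323 refresh 600
 !
 ! eBGP: apply the ROV policy to everything received
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 route-map ROV-POLICY in
 !
 ! iBGP: propagate the validation state so routers without their own RTR
 ! session still see it (the vendor-specific answer to the "standards or
 ! DIY" question; a DIY alternative is to tag a standard community per
 ! state in ROV-POLICY and match on that downstream)
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 send-community
 neighbor 10.0.0.2 announce rpki state
!
! Policy: drop invalids, prefer valid over not-found
route-map ROV-POLICY deny 10
 match rpki invalid
route-map ROV-POLICY permit 20
 match rpki valid
 set local-preference 110
route-map ROV-POLICY permit 30
 match rpki not-found
 set local-preference 100
```

In the lab, `show ip bgp rpki servers` confirms the RTR session is up and `show ip bgp rpki table` shows the ROAs loaded from the cache; then an announcement from the validated address space (the APNIC blocks, or our own later on) can be checked with `show ip bgp <prefix>` to see its validation state and which clause of the policy it hit. A not-found prefix is deliberately kept rather than dropped, since most of the Internet's routes have no ROA yet.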
Troubleshooting BGP Security Operations
  - RouteViews: for analysis, monitoring, troubleshooting
  - Looking Glasses supporting ROA/ROV
    - SEACOM
    - HE BGP Tool: bgp.he.net
    - RIPE NCC: BGPlay
  Notes:
    - Use RouteViews User presentation
    - Need Looking Glass lab - user experimentation only
    - Need Troubleshooting Security Presentation - distil out of Troubleshooting BGP tutorial perhaps?
MANRS
  - conclude with summary of MANRS and what it is about
  Notes:
    - Already exists as part of BGP Origin Validation presentation
Lab topology
  To Do:
    - Add a “customer PC” to the customer router in each group
    - Upgrade MacMini to 16.04 - use latest LXD code (compiled from source)