Workshop Development Notes
Needs to cover the following topics.
Setting up IS-IS
- NSAP address plan
- setting metrics, level-2, wide metrics
- selecting DIS
- multi-topology
- point-to-point ethernets
- Notes:
- all done in existing IS-IS Lab
Securing IS-IS (with OSPF side example)
- neighbour authentication
- no IS-IS outside ASN
- Notes:
- all done in existing IS-IS Lab
- need to add OSPF footnote example
Setting up BGP securely
- RFC8212 - filters in and out on eBGP
- passwords on eBGP and iBGP sessions
- RIR checks on assigned address space of customers - jwhois
- RFC6890 filtering of bogons & Team Cymru bogon BGP feed
- Notes:
- 8212 needs to be explicitly mentioned in eBGP lab
- the rest all covered in BGP Best Practices slide deck
BGP scalability & stability features
- iBGP between loopbacks & next-hop-self
- route reflector
- deterministic-med
- BGP distance > IGP distance
- stable announcement of covering aggregates out of all eBGP peers
- Notes:
- All done in existing BGP materials & labs
BGP security features
- maxas-limit
- max-prefix
- ttl-security aka GTSM
- community propagated for iBGP by default, eBGP selective
- strip private ASNs
- Notes:
- Needs a new lab “Securing BGP Lab”
Setting up Communities for BGP scaling
- security feature → consistent policies across the ASN
Control plane security
- setting up SSH on routers
- protecting VTYs with access filters
- Notes:
- Needs a new lab “Control Plane Security”
uRPF
- show how to set up on access interfaces
- Notes:
- Needs a new lab “uRPF”
RTBH
- set up within an AS
- set up between ASNs
- need to have done communities for this
- Notes:
- Needs a new lab “Local RTBH”
- Needs a new lab “Inter-AS RTBH”
BGP SEC
- Creating ROAs (RIR dependent, but explain the process)
- Installing and operating NLnet Labs Routinator
- Note: need containers on VTP for this
- Setting up RPKI support on a router
- Implementing route origin validation & related policies
- Note: Need address space that has been validated - APNIC offered their blocks, but longer term we should have our own.
- propagating validation state across iBGP
- Question: standards which vendors aren’t supporting, or DIY?
- Notes:
- Need Validator Cache lab (install Routinator on VM per group)
- Need RPKI lab (set up router to talk to Cache)
- Need ROV lab (propagating state, and acting on ROAs)
Troubleshooting BGP Security Operations
- RouteViews: for analysis, monitoring, troubleshooting
- Looking Glasses supporting ROA/ROV
- SEACOM
- HE BGP Tool: bgp.he.net
- RIPE NCC: bgpplay
- Notes:
- Use Routeviews User presentation
- Need Looking Glass lab - user experimentation only
- Need Troubleshooting Security Presentation - distil out of Troubleshooting BGP tutorial perhaps?
MANRS
- conclude with summary of MANRS and what it is about
- Notes:
- Already exists as part of BGP Origin Validation presentation
Lab topology
- To Do:
- Add a “customer PC” to the customer router in each group
- Upgrade MacMini to 16.04 - use latest LXD code (compiled from source)