
Workshop Development Notes

Needs to cover the following topics.

Setting up IS-IS

  • NSAP address plan
  • setting metrics, level-2, wide metrics
  • selecting DIS
  • multi-topology
  • point-to-point ethernets
  • Notes:
    • all done in existing IS-IS Lab

Securing IS-IS (with OSPF side example)

  • neighbour authentication
  • no IS-IS outside ASN
  • Notes:
    • all done in existing IS-IS Lab
    • need to add OSPF footnote example

Setting up BGP securely

  • RFC8212 - filters in and out on eBGP
  • passwords on eBGP and iBGP sessions
  • RIR checks on assigned address space of customers - jwhois
  • RFC6890 filtering of bogons & Team Cymru bogon BGP feed
  • Notes:
    • 8212 needs to be explicitly mentioned in eBGP lab
    • the rest all covered in BGP Best Practices slide deck

BGP scalability & stability features

  • iBGP between loopbacks & next-hop-self
  • route reflector
  • deterministic-med
  • BGP distance > IGP distance
  • stable announcement of covering aggregates out of all eBGP peers
  • Notes:
    • All done in existing BGP materials & labs

BGP security features

  • maxas-limit
  • max-prefix
  • ttl-security aka GTSM
  • community propagated for iBGP by default, eBGP selective
  • strip private ASNs
  • Notes:
    • Needs a new lab “Securing BGP Lab”

Setting up Communities for BGP scaling

  • security feature → consistent policies across the ASN

Control plane security

  • setting up SSH on routers
  • protecting VTYs with access filters
  • Notes:
    • Needs a new lab “Control Plane Security”

uRPF

  • show how to set up on access interfaces
  • Notes:
    • Needs a new lab “uRPF”

RTBH

  • set up within an AS
  • set up between ASNs
    • need to have done communities for this
  • Notes:
    • Needs a new lab “Local RTBH”
    • Needs a new lab “Inter-AS RTBH”

BGP SEC

  • Creating ROAs (RIR dependent, but explain the process)
  • Installing and operating NLnet Labs Routinator
    • Note: need containers on VTP for this
  • Setting up RPKI support on a router
  • Implementing route origin validation & related policies
    • Note: Need address space that has been validated - APNIC offered their blocks, but longer term we should have our own.
  • propagating validation state across iBGP
    • Question: standards which vendors aren’t supporting, or DIY?
    • Notes:
      • Need Validator Cache lab (install Routinator on VM per group)
      • Need RPKI lab (set up router to talk to Cache)
      • Need ROV lab (propagating state, and acting on ROAs)

Troubleshooting BGP Security Operations

  • RouteViews: for analysis, monitoring, troubleshooting
  • Looking Glasses supporting ROA/ROV
    • SEACOM
    • HE BGP Tool: bgp.he.net
  • RIPE NCC: BGPlay
  • Notes:
    • Use Routeviews User presentation
    • Need Looking Glass lab - user experimentation only
    • Need Troubleshooting Security Presentation - distil out of Troubleshooting BGP tutorial perhaps?

MANRS

  • conclude with summary of MANRS and what it is about
  • Notes:
    • Already exists as part of BGP Origin Validation presentation

Lab topology

  • To Do:
    • Add a “customer PC” to the customer router in each group
    • Upgrade MacMini to 16.04 - use latest LXD code (compiled from source)

training/riso/development.txt · Last modified: 2019/07/04 22:06 by philip