
This is an old revision of the document!


Workshop Development Notes

Needs to cover:

  • setting up IS-IS
    • NSAP address plan
    • setting metrics, level-2, wide metrics
    • selecting DIS
    • multi-topology
    • point-to-point ethernets
    • Notes:
      • all done in existing IS-IS Lab
  • securing IS-IS (with OSPF side example)
    • neighbour authentication
    • no IS-IS outside ASN
    • Notes:
      • all done in existing IS-IS Lab
      • need to add OSPF footnote example
  • setting up BGP securely
    • RFC8212 - filters in and out on eBGP
    • passwords on eBGP and iBGP sessions
    • RIR checks on assigned address space of customers - jwhois
    • RFC6890 filtering of bogons & Team Cymru bogon BGP feed
    • Notes:
      • RFC8212 needs to be explicitly mentioned in the eBGP lab
      • the rest all covered in BGP Best Practices slide deck
  • BGP scalability & stability features
    • iBGP between loopbacks & next-hop-self
    • route reflector
    • deterministic-med
    • BGP distance > IGP distance
    • stable announcement of covering aggregates out of all eBGP peers
    • Notes:
      • All done in existing BGP materials & labs
  • BGP security features
    • maxas-limit
    • max-prefix
    • ttl-security aka GTSM
    • communities propagated on iBGP by default, selectively on eBGP
    • strip private ASNs
    • Notes:
      • Needs a new lab “Securing BGP Lab”
  • Setting up Communities for BGP scaling
    • security feature → consistent policies across the ASN
  • Control plane security
    • setting up SSH on routers
    • protecting VTYs with access filters
  • uRPF
    • show how to set up
  • RTBH
    • set up within an AS
    • set up between ASNs
      • need to have done communities for this
  • BGP SEC
    • Creating ROAs (RIR dependent, but explain the process)
    • Installing and operating NLnet Labs Routinator
      • need containers on VTP for this
    • Setting up RPKI support on a router
    • Implementing route origin validation & related policies
      • Need address space that has been validated - APNIC offered their blocks, but longer term we should have our own.
    • propagating validation state across iBGP
      • standards which vendors aren’t supporting, or DIY?
  • Troubleshooting BGP Security Operations
    • RouteViews: for analysis, monitoring, troubleshooting
    • Looking Glasses supporting ROA/ROV
      • SEACOM
      • HE BGP Tool: bgp.he.net
    • RIPE NCC: BGPlay
  • MANRS
    • conclude with summary of MANRS and what it is about


training/riso/development.1562240297.txt.gz · Last modified: 2019/07/04 21:38 by philip