Workshop Development Notes
Needs to cover the following topics.
Setting up IS-IS
- NSAP address plan
- setting metrics, level-2, wide metrics
- selecting DIS
- multi-topology
- point-to-point ethernets
- Notes:
  - all done in existing IS-IS Lab
Securing IS-IS (with OSPF side example)
- neighbour authentication
- no IS-IS outside ASN
- Notes:
  - all done in existing IS-IS Lab
  - need to add OSPF footnote example
Setting up BGP securely
- RFC8212 - filters in and out on eBGP
- passwords on eBGP and iBGP sessions
- RIR checks on assigned address space of customers - jwhois
- RFC6890 filtering of bogons & Team Cymru bogon BGP feed
- Notes:
  - RFC8212 needs to be explicitly mentioned in eBGP lab
  - the rest all covered in BGP Best Practices slide deck
BGP scalability & stability features
- iBGP between loopbacks & next-hop-self
- route reflector
- deterministic-med
- BGP distance > IGP distance
- stable announcement of covering aggregates out of all eBGP peers
- Notes:
  - All done in existing BGP materials & labs
BGP security features
- maxas-limit
- max-prefix
- ttl-security aka GTSM
- community propagated for iBGP by default, eBGP selective
- strip private ASNs
- Notes:
  - Needs a new lab “Securing BGP Lab”
Setting up Communities for BGP scaling
- security feature → consistent policies across the ASN
Control plane security
- setting up SSH on routers
- protecting VTYs with access filters
uRPF
- show how to set up on access interfaces
RTBH
- set up within an AS
- set up between ASNs
- need to have done communities for this
BGP SEC
- Creating ROAs (RIR dependent, but explain the process)
- Installing and operating NLnet Labs Routinator
- Note: need containers on VTP for this
- Setting up RPKI support on a router
- Implementing route origin validation & related policies
- Note: Need address space that has been validated - APNIC offered their blocks, but longer term we should have our own.
- propagating validation state across iBGP
- standards which vendors aren’t supporting, or DIY?
Troubleshooting BGP Security Operations
- RouteViews: for analysis, monitoring, troubleshooting
- Looking Glasses supporting ROA/ROV
- SEACOM
- HE BGP Tool: bgp.he.net
- RIPE NCC: bgpplay
MANRS
- conclude with summary of MANRS and what it is about
training/riso/development.1562241603.txt.gz · Last modified: 2019/07/04 22:00 by philip