training:riso:development

Differences

This shows you the differences between two versions of the page.

training:riso:development [2019/07/04 21:38] philiptraining:riso:development [2019/07/04 22:05] philip
Line 3: Line 3:
 ====== Workshop Development Notes ====== ====== Workshop Development Notes ======
  
-Needs to cover: +Needs to cover the following topics. 
-  * setting up IS-IS + 
-    * NSAP address plan +=== Setting up IS-IS === 
-    * setting metrics, level-2, wide metrics + 
-    * selecting DIS +  * NSAP address plan 
-    * multi-topology +  * setting metrics, level-2, wide metrics 
-    * point-to-point ethernets +  * selecting DIS 
-    * Notes:  +  * multi-topology 
-        * all done in existing IS-IS Lab +  * point-to-point ethernets 
-  securing IS-IS (with OSPF side example) +  * **Notes:**  
-    * neighbour authentication +    * **all done in existing IS-IS Lab*
-    * no IS-IS outside ASN + 
-    * Notes:  +=== Securing IS-IS (with OSPF side example) === 
-        * all done in existing IS-IS Lab +  * neighbour authentication 
-        * need to add OSPF footnote example +  * no IS-IS outside ASN 
-  setting up BGP securely +  * **Notes:**  
-    * RFC8212 - filters in and out on eBGP +    * **all done in existing IS-IS Lab** 
-    * passwords on eBGP and iBGP sessions +    * **need to add OSPF footnote example*
-    * RIR checks on assigned address space of customers - jwhois + 
-    * RFC6890 filtering of bogons & Team Cymru bogon BGP feed +=== Setting up BGP securely === 
-    * Notes: +  * RFC8212 - filters in and out on eBGP 
-        * 8212 needs to be explicitly mentioned in eBGP lab +  * passwords on eBGP and iBGP sessions 
-        * the rest all covered in BGP Best Practices slide deck  +  * RIR checks on assigned address space of customers - jwhois 
-  * BGP scalability & stability features +  * RFC6890 filtering of bogons & Team Cymru bogon BGP feed 
-    * iBGP between loopbacks & next-hop-self +  * Notes: 
-    * route reflector +    * **8212 needs to be explicitly mentioned in eBGP lab** 
-    * deterministic-med +    * **the rest all covered in BGP Best Practices slide deck**  
-    * BGP distance > IGP distance + 
-    * stable announcement of covering aggregates out of all eBGP peers +=== BGP scalability & stability features === 
-    * Notes: +  * iBGP between loopbacks & next-hop-self 
-        * All done in existing BGP materials & labs +  * route reflector 
-  * BGP security features +  * deterministic-med 
-    * maxas-limit +  * BGP distance > IGP distance 
-    * max-prefix +  * stable announcement of covering aggregates out of all eBGP peers 
-    * ttl-security aka GTSM +  * **Notes:** 
-    * community propagated for iBGP by default, eBGP selective +    * **All done in existing BGP materials & labs*
-    * strip private ASNs + 
-    * Notes: +=== BGP security features === 
-        * Needs a new lab “Securing BGP Lab” +  * maxas-limit 
-  * Setting up Communities for BGP scaling +  * max-prefix 
-    * security feature -> consistent policies across the ASN +  * ttl-security aka GTSM 
-  Control plane security +  * community propagated for iBGP by default, eBGP selective 
-    * setting up SSH on routers +  * strip private ASNs 
-    * protecting VTYs with access filters +  * **Notes:** 
-  * uRPF +      * **Needs a new lab “Securing BGP Lab”*
-    * show how to set up +  
-  * RTBH +=== Setting up Communities for BGP scaling === 
-    * set up within an AS +  * security feature -> consistent policies across the ASN 
-    * set up between ASNs + 
-        * need to have done communities for this +=== Control plane security === 
-  * BGP SEC +  * setting up SSH on routers 
-    * Creating ROAs (RIR dependent, but explain the process) +  * protecting VTYs with access filters 
-    * Installing and operating NLnet Labs Routinator +  * **Notes:** 
-        * need containers on VTP for this +    * **Needs a new lab “Control Plane Security”** 
-    * Setting up RPKI support on a router + 
-    * Implementing route origin validation & related policies +=== uRPF === 
-        * Need address space that has been validated - APNIC offered their blocks, but longer term we should have our own. +  * show how to set up on access interfaces 
-    * propagating validation state across iBGP +  * **Notes:** 
-        * standards which vendors aren’t supporting, or DIY? +    * **Needs a new lab “uRPF”** 
-  * Troubleshooting BGP Security Operations + 
-    * RouteViews: for analysis, monitoring, troubleshooting +=== RTBH === 
-    * Looking Glasses supporting ROA/ROV +  * set up within an AS 
-        * SEACOM +  * set up between ASNs 
-        * HE BGP Tool: bgp.he.net +    * need to have done communities for this 
-    * RIPE NCC: bgpplay +    **Notes:** 
-  * MANRS +      * **Needs a new lab “Local RTBH”** 
-    * conclude with summary of MANRS and what it is about+      * **Needs a new lab “Inter-AS RTBH”** 
 + 
 +=== BGP SEC === 
 +  * Creating ROAs (RIR dependent, but explain the process) 
 +  * Installing and operating NLnet Labs Routinator 
 +    **Note: need containers on VTP for this**  
 +  * Setting up RPKI support on a router 
 +  * Implementing route origin validation & related policies 
 +    **Note: Need address space that has been validated** - APNIC offered their blocks, but longer term we should have our own. 
 +  * propagating validation state across iBGP 
 +    **Question: standards which vendors aren’t supporting, or DIY?** 
 +    **Notes:** 
 +        * **Need Validator Cache lab (install Routinator on VM per group)** 
 +        * **Need RPKI lab (set up router to talk to Cache)** 
 +        * **Need ROV lab (propagating state, and acting on ROAs)** 
 + 
 +=== Troubleshooting BGP Security Operations === 
 +  * RouteViews: for analysis, monitoring, troubleshooting 
 +  * Looking Glasses supporting ROA/ROV 
 +    * SEACOM 
 +    * HE BGP Tool: bgp.he.net 
 +  * RIPE NCC: bgpplay 
 +  * **Notes:** 
 +    * **Use Routeviews User presentation** 
 +    * **Need Looking Glass lab - user experimentation only** 
 +    * **Need Troubleshooting Security Presentation - distil out of Troubleshooting BGP tutorial perhaps?** 
 + 
 +=== MANRS === 
 +  * conclude with summary of MANRS and what it is about 
 +  * Notes: 
 +    * Already exists as part of BGP Origin Validation presentation 
 + 
 +=== Lab topology === 
 +  * To Do: 
 +    * Add a “customer PC” to the customer router in each group
  
  
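Review bot: The new "=== BGP SEC ===" heading covers creating ROAs, running Routinator, RPKI support on the router and route origin validation, which is RPKI origin validation and not BGPsec (path validation); rename it to something like "RPKI and Route Origin Validation" so the outline does not promise BGPsec content. In that section and under "=== RTBH ===", the "**Notes:**", "**Note: ...**" and "**Question: ...**" lines are indented without a "*" list marker, unlike the "  * **Notes:**" form used in the other sections, so they will not render as list items; give them the same bullet form and nest their sub-items at a consistent depth (the "Needs a new lab “Securing BGP Lab”" item is indented six spaces where its siblings use four). The "Notes:" labels under "Setting up BGP securely" and "MANRS" are left unbolded, and several bold spans as shown here close with a single "*" (for example "**all done in existing IS-IS Lab*"); check that each closes with "**". "Setting up Communities for BGP scaling" is the only topic section without a note on whether a lab or slide deck exists, so add one to match the rest.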
training/riso/development.txt · Last modified: 2019/07/04 22:06 by philip