Differences

This shows you the differences between two versions of the page.

training:riso:development [2019/07/04 21:39] philip training:riso:development [2019/07/04 22:05] philip
Line 3: Line 3:
 ====== Workshop Development Notes ====== ====== Workshop Development Notes ======
  
-Needs to cover: +Needs to cover the following topics. 
-  * setting up IS-IS + 
-    * NSAP address plan +=== Setting up IS-IS === 
-    * setting metrics, level-2, wide metrics + 
-    * selecting DIS +  * NSAP address plan 
-    * multi-topology +  * setting metrics, level-2, wide metrics 
-    * point-to-point ethernets +  * selecting DIS 
-    * **Notes:**  +  * multi-topology 
-        * **all done in existing IS-IS Lab** +  * point-to-point ethernets 
-  * securing IS-IS (with OSPF side example) +  * **Notes:**  
-    * neighbour authentication +    * **all done in existing IS-IS Lab** 
-    * no IS-IS outside ASN + 
-    * **Notes:**  +=== Securing IS-IS (with OSPF side example) === 
-        * **all done in existing IS-IS Lab** +  * neighbour authentication 
-        * **need to add OSPF footnote example** +  * no IS-IS outside ASN 
-  * setting up BGP securely +  * **Notes:**  
-    * RFC8212 - filters in and out on eBGP +    * **all done in existing IS-IS Lab** 
-    * passwords on eBGP and iBGP sessions +    * **need to add OSPF footnote example** 
-    * RIR checks on assigned address space of customers - jwhois + 
-    * RFC6890 filtering of bogons & Team Cymru bogon BGP feed +=== Setting up BGP securely === 
-    * Notes: +  * RFC8212 - filters in and out on eBGP 
-        * **8212 needs to be explicitly mentioned in eBGP lab** +  * passwords on eBGP and iBGP sessions 
-        * **the rest all covered in BGP Best Practices slide deck**  +  * RIR checks on assigned address space of customers - jwhois 
-  BGP scalability & stability features +  * RFC6890 filtering of bogons & Team Cymru bogon BGP feed 
-    * iBGP between loopbacks & next-hop-self +  * Notes: 
-    * route reflector +    * **8212 needs to be explicitly mentioned in eBGP lab** 
-    * deterministic-med +    * **the rest all covered in BGP Best Practices slide deck**  
-    * BGP distance > IGP distance + 
-    * stable announcement of covering aggregates out of all eBGP peers+=== BGP scalability & stability features === 
 +  * iBGP between loopbacks & next-hop-self 
 +  * route reflector 
 +  * deterministic-med 
 +  * BGP distance > IGP distance 
 +  * stable announcement of covering aggregates out of all eBGP peers 
 +  * **Notes:** 
 +    * **All done in existing BGP materials & labs** 
 + 
 +=== BGP security features === 
 +  * maxas-limit 
 +  * max-prefix 
 +  * ttl-security aka GTSM 
 +  * community propagated for iBGP by default, eBGP selective 
 +  * strip private ASNs 
 +  * **Notes:** 
 +      * **Needs a new lab “Securing BGP Lab”** 
 +  
 +=== Setting up Communities for BGP scaling === 
 +  * security feature -> consistent policies across the ASN 
 + 
 +=== Control plane security === 
 +  * setting up SSH on routers 
 +  * protecting VTYs with access filters 
 +  * **Notes:** 
 +    * **Needs a new lab “Control Plane Security”** 
 + 
 +=== uRPF === 
 +  * show how to set up on access interfaces 
 +  * **Notes:** 
 +    * **Needs a new lab “uRPF”** 
 + 
 +=== RTBH === 
 +  * set up within an AS 
 +  * set up between ASNs 
 +    * need to have done communities for this
     * **Notes:**     * **Notes:**
-        * **All done in existing BGP materials & labs** +      * **Needs a new lab “Local RTBH”** 
-  * BGP security features +      **Needs a new lab “Inter-AS RTBH”** 
-    maxas-limit + 
-    * max-prefix +=== BGP SEC === 
-    * ttl-security aka GTSM +  Creating ROAs (RIR dependent, but explain the process) 
-    community propagated for iBGP by default, eBGP selective +  * Installing and operating NLnet Labs Routinator 
-    * strip private ASNs+    * **Note: need containers on VTP for this**  
 +  * Setting up RPKI support on a router 
 +  * Implementing route origin validation & related policies 
 +    * **Note: Need address space that has been validated** APNIC offered their blocks, but longer term we should have our own. 
 +  propagating validation state across iBGP 
 +    * **Question: standards which vendors aren’t supporting, or DIY?**
     * **Notes:**     * **Notes:**
-        * **Needs a new lab “Securing BGP Lab”** +        * **Need Validator Cache lab (install Routinator on VM per group)** 
-  Setting up Communities for BGP scaling +        * **Need RPKI lab (set up router to talk to Cache)** 
-    security feature -> consistent policies across the ASN +        * **Need ROV lab (propagating state, and acting on ROAs)** 
-  Control plane security + 
-    * setting up SSH on routers +=== Troubleshooting BGP Security Operations === 
-    * protecting VTYs with access filters +  * RouteViews: for analysis, monitoring, troubleshooting 
-  * uRPF +  * Looking Glasses supporting ROA/ROV 
-    * show how to set up +    * SEACOM 
-  RTBH +    * HE BGP Tool: bgp.he.net 
-    set up within an AS +  * RIPE NCC: bgpplay 
-    * set up between ASNs +  * **Notes:** 
-        * need to have done communities for this +    * **Use Routeviews User presentation** 
-  BGP SEC +    * **Need Looking Glass lab - user experimentation only** 
-    Creating ROAs (RIR dependentbut explain the process) +    * **Need Troubleshooting Security Presentation - distil out of Troubleshooting BGP tutorial perhaps?** 
-    * Installing and operating NLnet Labs Routinator + 
-        * need containers on VTP for this +=== MANRS === 
-    Setting up RPKI support on a router +  * conclude with summary of MANRS and what it is about 
-    Implementing route origin validation & related policies +  * Notes: 
-        * Need address space that has been validated - APNIC offered their blocks, but longer term we should have our own. +    * Already exists as part of BGP Origin Validation presentation 
-    * propagating validation state across iBGP + 
-        * standards which vendors aren’t supporting, or DIY? +=== Lab topology === 
-  * Troubleshooting BGP Security Operations +  * To Do: 
-    * RouteViews: for analysis, monitoring, troubleshooting +    * Add a “customer PC” to the customer router in each group
-    * Looking Glasses supporting ROA/ROV +
-        * SEACOM +
-        * HE BGP Tool: bgp.he.net +
-    * RIPE NCC: bgpplay +
-  * MANRS +
-    * conclude with summary of MANRS and what it is about+
  
  
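Review bot: The new heading `=== BGP SEC ===` groups ROA creation, Routinator, RPKI support on the router and route origin validation, which is RPKI-based origin validation rather than BGPsec (RFC 8205 path validation). Renaming the section to something like `=== RPKI and Route Origin Validation ===` would keep attendees from conflating the two and would match the "BGP Origin Validation presentation" already referenced under MANRS. Separately, the two unchanged `    * **Notes:**` lines reused in the RTBH and BGP SEC sections keep their old four-space indent, so in the new layout they nest under "set up between ASNs" and "propagating validation state across iBGP" instead of sitting at the top level of the section like the other Notes bullets; de-indenting them and their children would make the sections consistent. The `Notes:` labels under "Setting up BGP securely" and "MANRS" are also the only ones left unbolded.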
training/riso/development.txt · Last modified: 2019/07/04 22:06 by philip