training:riso:development [2019/07/04 21:38] – philip | training:riso:development [2019/07/04 22:06] (current) – [Workshop Development Notes] philip | ||
---|---|---|---|
Line 3: | Line 3: | ||
====== Workshop Development Notes ====== | ====== Workshop Development Notes ====== | ||
- | Needs to cover: | + | Needs to cover the following topics. |
- | * setting | + | |
- | * NSAP address plan | + | === Setting |
- | * setting metrics, level-2, wide metrics | + | |
- | * selecting DIS | + | |
- | * multi-topology | + | * setting metrics, level-2, wide metrics |
- | * point-to-point ethernets | + | * selecting DIS |
- | * Notes: | + | * multi-topology |
- | * all done in existing IS-IS Lab | + | * point-to-point ethernets |
- | | + | * **Notes:** |
- | * neighbour authentication | + | * **all done in existing IS-IS Lab** |
- | * no IS-IS outside ASN | + | |
- | * Notes: | + | |
- | * all done in existing IS-IS Lab | + | === Securing |
- | * need to add OSPF footnote example | + | * neighbour authentication |
- | | + | * no IS-IS outside ASN |
- | * RFC8212 - filters in and out on eBGP | + | * **Notes:** |
- | * passwords on eBGP and iBGP sessions | + | * **all done in existing IS-IS Lab** |
- | * RIR checks on assigned address space of customers - jwhois | + | * **need to add OSPF footnote example** |
- | * RFC6890 filtering of bogons & Team Cymru bogon BGP feed | + | |
- | * Notes: | + | === Setting |
- | * 8212 needs to be explicitly mentioned in eBGP lab | + | * RFC8212 - filters in and out on eBGP |
- | * the rest all covered in BGP Best Practices slide deck | + | * passwords on eBGP and iBGP sessions |
- | | + | * RIR checks on assigned address space of customers - jwhois |
- | * iBGP between loopbacks & next-hop-self | + | * RFC6890 filtering of bogons & Team Cymru bogon BGP feed |
- | * route reflector | + | * Notes: |
- | * deterministic-med | + | * **8212 needs to be explicitly mentioned in eBGP lab** |
- | * BGP distance > IGP distance | + | * **the rest all covered in BGP Best Practices slide deck** |
- | * stable announcement of covering aggregates out of all eBGP peers | + | |
- | * Notes: | + | === BGP scalability & stability features |
- | * All done in existing BGP materials & labs | + | * iBGP between loopbacks & next-hop-self |
- | | + | * route reflector |
- | * maxas-limit | + | * deterministic-med |
- | * max-prefix | + | * BGP distance > IGP distance |
- | * ttl-security aka GTSM | + | * stable announcement of covering aggregates out of all eBGP peers |
- | * community propagated for iBGP by default, eBGP selective | + | * **Notes:** |
- | * strip private ASNs | + | * **All done in existing BGP materials & labs** |
- | * Notes: | + | |
- | * Needs a new lab “Securing BGP Lab” | + | === BGP security features |
- | | + | * maxas-limit |
- | * security feature -> consistent policies across the ASN | + | * max-prefix |
- | | + | * ttl-security aka GTSM |
- | * setting up SSH on routers | + | * community propagated for iBGP by default, eBGP selective |
- | * protecting VTYs with access filters | + | * strip private ASNs |
- | * uRPF | + | * **Notes:** |
- | * show how to set up | + | * **Needs a new lab “Securing BGP Lab”** |
- | * RTBH | + | |
- | * set up within an AS | + | === Setting up Communities for BGP scaling |
- | * set up between ASNs | + | * security feature -> consistent policies across the ASN |
- | * need to have done communities for this | + | |
- | * BGP SEC | + | === Control plane security |
- | * Creating ROAs (RIR dependent, but explain the process) | + | * setting up SSH on routers |
- | * Installing and operating NLnet Labs Routinator | + | * protecting VTYs with access filters |
- | * need containers on VTP for this | + | * **Notes:** |
- | * Setting up RPKI support on a router | + | |
- | * Implementing route origin validation & related policies | + | |
- | * Need address space that has been validated - APNIC offered their blocks, but longer term we should have our own. | + | === uRPF === |
- | * propagating validation state across iBGP | + | |
- | * standards which vendors aren’t supporting, or DIY? | + | * **Notes:** |
- | * Troubleshooting BGP Security Operations | + | |
- | * RouteViews: for analysis, monitoring, troubleshooting | + | |
- | * Looking Glasses supporting ROA/ROV | + | === RTBH === |
- | * SEACOM | + | |
- | * HE BGP Tool: bgp.he.net | + | * set up between ASNs |
- | * RIPE NCC: bgpplay | + | * need to have done communities for this |
- | * MANRS | + | * **Notes: |
- | * conclude with summary of MANRS and what it is about | + | * **Needs a new lab “Local RTBH”** |
+ | * **Needs a new lab “Inter-AS RTBH”** | ||
+ | |||
+ | === BGP SEC === | ||
+ | * Creating ROAs (RIR dependent, but explain the process) | ||
+ | * Installing and operating NLnet Labs Routinator | ||
+ | * **Note: | ||
+ | * Setting up RPKI support on a router | ||
+ | * Implementing route origin validation & related policies | ||
+ | * **Note: | ||
+ | * propagating validation state across iBGP | ||
+ | * **Question: | ||
+ | * **Notes: | ||
+ | * **Need Validator Cache lab (install Routinator on VM per group)** | ||
+ | * **Need RPKI lab (set up router to talk to Cache)** | ||
+ | * **Need ROV lab (propagating state, and acting on ROAs)** | ||
+ | |||
+ | === Troubleshooting BGP Security Operations | ||
+ | * RouteViews: for analysis, monitoring, troubleshooting | ||
+ | * Looking Glasses supporting ROA/ROV | ||
+ | * SEACOM | ||
+ | * HE BGP Tool: bgp.he.net | ||
+ | * RIPE NCC: bgpplay | ||
+ | * **Notes:** | ||
+ | | ||
+ | * **Need Looking Glass lab - user experimentation only** | ||
+ | * **Need Troubleshooting Security Presentation - distil out of Troubleshooting BGP tutorial perhaps? | ||
+ | |||
+ | === MANRS === | ||
+ | | ||
+ | * **Notes: | ||
+ | * **Already exists as part of BGP Origin Validation presentation** | ||
+ | |||
+ | === Lab topology === | ||
+ | * **To Do:** | ||
+ | * **Add a “customer PC” to the customer router in each group** | ||
+ | * **Upgrade MacMini to 16.04 - use latest LXD code (compiled from source)** | ||
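Review bot: several items from the old revision have no counterpart on the new side of this hunk, and a number of bold markers are left open, so check that text was not lost while the list was split into sections. Under `=== RTBH ===`, "set up within an AS" is absent even though the new "Needs a new lab “Local RTBH”" note depends on it; under `=== BGP SEC ===`, "need containers on VTP for this", "Need address space that has been validated - APNIC offered their blocks, but longer term we should have our own." and "standards which vendors aren’t supporting, or DIY?" are replaced by bare `**Note:`, `**Note:` and `**Question:` lines; under `=== MANRS ===`, "conclude with summary of MANRS and what it is about" is gone; and the `**Notes:**` under `=== Control plane security ===` and `=== uRPF ===` have nothing beneath them. As rendered, `* **Notes:` (RTBH, BGP SEC, MANRS) and `**Need Troubleshooting Security Presentation - distil out of Troubleshooting BGP tutorial perhaps?` never close their `**`, which in DokuWiki bolds everything up to the next marker; either close them or restore the dropped text after them. The three truncated headings `=== Setting`, `=== Securing` and `=== Setting` also need their full titles and closing `===`; the second `=== Setting` sits above the eBGP filtering items (RFC8212, session passwords, RIR checks, bogon filtering), so it should name that topic rather than repeat the IS-IS heading.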
training/riso/development.txt · Last modified: 2019/07/04 22:06 by philip