training:riso:development

Differences

This shows you the differences between two versions of the page.

training:riso:development [2019/07/04 21:39] philiptraining:riso:development [2019/07/04 22:05] philip
Line 3: Line 3:
 ====== Workshop Development Notes ====== ====== Workshop Development Notes ======
  
-Needs to cover: +Needs to cover the following topics. 
-  * setting up IS-IS + 
-    * NSAP address plan +=== Setting up IS-IS === 
-    * setting metrics, level-2, wide metrics + 
-    * selecting DIS +  * NSAP address plan 
-    * multi-topology +  * setting metrics, level-2, wide metrics 
-    * point-to-point ethernets +  * selecting DIS 
-    * **Notes:**  +  * multi-topology 
-        * **all done in existing IS-IS Lab** +  * point-to-point ethernets 
-  * securing IS-IS (with OSPF side example) +  * **Notes:**  
-    * neighbour authentication +    * **all done in existing IS-IS Lab** 
-    * no IS-IS outside ASN + 
-    * **Notes:**  + 
-        * **all done in existing IS-IS Lab** +=== Securing IS-IS (with OSPF side example) === 
-        * **need to add OSPF footnote example** +  * neighbour authentication 
-  * setting up BGP securely +  * no IS-IS outside ASN 
-    * RFC8212 - filters in and out on eBGP +  * **Notes:**  
-    * passwords on eBGP and iBGP sessions +    * **all done in existing IS-IS Lab** 
-    * RIR checks on assigned address space of customers - jwhois +    * **need to add OSPF footnote example** 
-    * RFC6890 filtering of bogons & Team Cymru bogon BGP feed + 
-    * Notes: +=== Setting up BGP securely === 
-        * **8212 needs to be explicitly mentioned in eBGP lab** +  * RFC8212 - filters in and out on eBGP 
-        * **the rest all covered in BGP Best Practices slide deck**  +  * passwords on eBGP and iBGP sessions 
-  BGP scalability & stability features +  * RIR checks on assigned address space of customers - jwhois 
-    * iBGP between loopbacks & next-hop-self +  * RFC6890 filtering of bogons & Team Cymru bogon BGP feed 
-    * route reflector +  * Notes: 
-    * deterministic-med +    * **8212 needs to be explicitly mentioned in eBGP lab** 
-    * BGP distance > IGP distance +    * **the rest all covered in BGP Best Practices slide deck**  
-    * stable announcement of covering aggregates out of all eBGP peers+ 
 +=== BGP scalability & stability features === 
 +  * iBGP between loopbacks & next-hop-self 
 +  * route reflector 
 +  * deterministic-med 
 +  * BGP distance > IGP distance 
 +  * stable announcement of covering aggregates out of all eBGP peers 
 +  * **Notes:** 
 +    * **All done in existing BGP materials & labs** 
 + 
 +=== BGP security features === 
 +  * maxas-limit 
 +  * max-prefix 
 +  * ttl-security aka GTSM 
 +  * community propagated for iBGP by default, eBGP selective 
 +  * strip private ASNs 
 +  * **Notes:** 
 +      * **Needs a new lab “Securing BGP Lab”** 
 +  
 +=== Setting up Communities for BGP scaling === 
 +  * security feature -> consistent policies across the ASN 
 + 
 +=== Control plane security === 
 +  * setting up SSH on routers 
 +  * protecting VTYs with access filters 
 +  * **Notes:** 
 +    * **Needs a new lab “Control Plane Security”** 
 + 
 +=== uRPF === 
 +  * show how to set up on access interfaces 
 +  * **Notes:** 
 +    * **Needs a new lab “uRPF”** 
 + 
 +=== RTBH === 
 +  * set up within an AS 
 +  * set up between ASNs 
 +    * need to have done communities for this
     * **Notes:**     * **Notes:**
-        * **All done in existing BGP materials & labs** +      * **Needs a new lab “Local RTBH”** 
-  * BGP security features +      **Needs a new lab “Inter-AS RTBH”** 
-    maxas-limit + 
-    * max-prefix +=== BGP SEC === 
-    * ttl-security aka GTSM +  Creating ROAs (RIR dependent, but explain the process) 
-    community propagated for iBGP by default, eBGP selective +  * Installing and operating NLnet Labs Routinator 
-    * strip private ASNs+    * **Note: need containers on VTP for this**  
 +  * Setting up RPKI support on a router 
 +  * Implementing route origin validation & related policies 
 +    * **Note: Need address space that has been validated** APNIC offered their blocks, but longer term we should have our own. 
 +  propagating validation state across iBGP 
 +    * **Question: standards which vendors aren’t supporting, or DIY?**
     * **Notes:**     * **Notes:**
-        * **Needs a new lab “Securing BGP Lab”** +        * **Need Validator Cache lab (install Routinator on VM per group)** 
-  Setting up Communities for BGP scaling +        * **Need RPKI lab (set up router to talk to Cache)** 
-    security feature -> consistent policies across the ASN +        * **Need ROV lab (propagating state, and acting on ROAs)** 
-  Control plane security + 
-    * setting up SSH on routers +=== Troubleshooting BGP Security Operations === 
-    * protecting VTYs with access filters +  * RouteViews: for analysis, monitoring, troubleshooting 
-  * uRPF +  * Looking Glasses supporting ROA/ROV 
-    * show how to set up +    * SEACOM 
-  RTBH +    * HE BGP Tool: bgp.he.net 
-    set up within an AS +  * RIPE NCC: bgpplay 
-    * set up between ASNs +  * **Notes:** 
-        * need to have done communities for this +    * **Use Routeviews User presentation** 
-  BGP SEC +    * **Need Looking Glass lab - user experimentation only** 
-    Creating ROAs (RIR dependentbut explain the process) +    * **Need Troubleshooting Security Presentation - distil out of Troubleshooting BGP tutorial perhaps?** 
-    * Installing and operating NLnet Labs Routinator + 
-        * need containers on VTP for this +=== MANRS === 
-    Setting up RPKI support on a router +  * conclude with summary of MANRS and what it is about 
-    Implementing route origin validation & related policies +  * Notes: 
-        * Need address space that has been validated - APNIC offered their blocks, but longer term we should have our own. +    * Already exists as part of BGP Origin Validation presentation 
-    * propagating validation state across iBGP + 
-        * standards which vendors aren’t supporting, or DIY? +=== Lab topology === 
-  * Troubleshooting BGP Security Operations +  * To Do: 
-    * RouteViews: for analysis, monitoring, troubleshooting +    * Add a “customer PC” to the customer router in each group
-    * Looking Glasses supporting ROA/ROV +
-        * SEACOM +
-        * HE BGP Tool: bgp.he.net +
-    * RIPE NCC: bgpplay +
-  * MANRS +
-    * conclude with summary of MANRS and what it is about+
  
  
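Review bot: The new "=== BGP SEC ===" heading does not match what the section lists. Creating ROAs, operating Routinator, RPKI support on the router and route origin validation are all RPKI origin validation, while BGPsec is the separate path-validation protocol (RFC 8205), which none of these items cover. Suggest renaming the heading to something like "RPKI and Route Origin Validation", which also lines up with the Validator Cache, RPKI and ROV labs named in its notes. Separately, the two unchanged "* **Notes:**" context lines in the RTBH and BGP SEC sections keep their old four-space depth, so after the restructure they nest under "set up between ASNs" and "propagating validation state across iBGP" rather than sitting at section level like the other Notes bullets. Also, "Notes:" under "Setting up BGP securely" and "MANRS" is not bolded like the rest.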
training/riso/development.txt · Last modified: 2019/07/04 22:06 by philip