BGP filtering study resources (Was: CloudFlare issues?)

Tom Beecher beecher at beecher.cc
Tue Jun 25 14:41:50 UTC 2019


Job also enjoys having his ID checked. Can we get a best practices link
added to the list for that?

On Tue, Jun 25, 2019 at 10:27 AM Job Snijders <job at ntt.net> wrote:

> Dear Stephen,
>
> On Tue, Jun 25, 2019 at 07:04:12AM -0700, Stephen Satchell wrote:
> > On 6/25/19 2:25 AM, Katie Holly wrote:
> > > Disclaimer: As much as I dislike Cloudflare (I used to complain
> > > about them a lot on Twitter), this is something I am absolutely
> > > agreeing with them. Verizon failed to do the most basic of network
> > > security, and it will happen again, and again, and again...
> >
> > I used to be a quality control engineer in my career, so I have a
> > question to ask from the perspective of a QC guy:  what is the Best
> > Practice for minimizing, if not totally preventing, this sort of
> > problem?  Is there a "cookbook" answer to this?
> >
> > (I only run edge networks now, and don't have BGP to worry about.  If
> > my current $dayjob goes away -- they all do -- I might have to get
> > back into the BGP game, so this is not an idle query.)
> >
> > Somehow "just be careful and clueful" isn't the right answer.
>
> Here are some resources which maybe can serve as a starting point for
> anyone interested in the problem space:
>
> presentation: Architecting robust routing policies
> pdf:
> https://ripe77.ripe.net/presentations/59-RIPE77_Snijders_Routing_Policy_Architecture.pdf
> video:
> https://ripe77.ripe.net/archive/video/Job_Snijders-B._BGP_Policy_Update-20181017-140440.mp4
>
> presentation: Practical Everyday BGP filtering "Peerlocking"
> pdf: http://instituut.net/~job/NANOG67_NTT_peerlocking_JobSnijders.pdf
> video: https://www.youtube.com/watch?v=CSLpWBrHy10
>
> RFC 8212 ("EBGP default deny") and why we should ask our vendors like
> Cisco IOS, IOS XE, NX-OS, Juniper, Arista, Brocade, etc... to be
> compliant with this RFC:
> slides 2-14:
> http://largebgpcommunities.net/presentations/ITNOG3-Job_Snijders_Recent_BGP_Innovations.pdf
> skip to the rfc8212 part: https://youtu.be/V6Wsq66-f40?t=854
> compliance tracker: http://github.com/bgp/RFC8212
>
> The NLNOG Day in Fall 2018 has a wealth of RPKI related presentations
> and testimonies: https://nlnog.net/nlnog-day-2018/
>
> Finally, there is the NLNOG BGP Filter Guide:
> http://bgpfilterguide.nlnog.net/
> If you spot errors or have suggestions, please submit them via github
> https://github.com/nlnog/bgpfilterguide
>
> Please let me or the group know should you require further information,
> I love talking about this topic ;-)
>
> Kind regards,
>
> Job
>