<div dir="ltr">Job also enjoys having his ID checked. Can we get a best practices link added to the list for that?</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jun 25, 2019 at 10:27 AM Job Snijders <<a href="mailto:job@ntt.net">job@ntt.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Dear Stephen,<br>
<br>
On Tue, Jun 25, 2019 at 07:04:12AM -0700, Stephen Satchell wrote:<br>
> On 6/25/19 2:25 AM, Katie Holly wrote:<br>
> > Disclaimer: As much as I dislike Cloudflare (I used to complain<br>
> > about them a lot on Twitter), this is something I am absolutely<br>
> > agreeing with them. Verizon failed to do the most basic of network<br>
> > security, and it will happen again, and again, and again...<br>
> <br>
> I used to be a quality control engineer in my career, so I have a<br>
> question to ask from the perspective of a QC guy: what is the Best<br>
> Practice for minimizing, if not totally preventing, this sort of<br>
> problem? Is there a "cookbook" answer to this?<br>
> <br>
> (I only run edge networks now, and don't have BGP to worry about. If<br>
> my current $dayjob goes away -- they all do -- I might have to get<br>
> back into the BGP game, so this is not an idle query.)<br>
> <br>
> Somehow "just be careful and clueful" isn't the right answer.<br>
<br>
Here are some resources which maybe can serve as a starting point for<br>
anyone interested in the problem space:<br>
<br>
presentation: Architecting robust routing policies<br>
pdf: <a href="https://ripe77.ripe.net/presentations/59-RIPE77_Snijders_Routing_Policy_Architecture.pdf" rel="noreferrer" target="_blank">https://ripe77.ripe.net/presentations/59-RIPE77_Snijders_Routing_Policy_Architecture.pdf</a><br>
video: <a href="https://ripe77.ripe.net/archive/video/Job_Snijders-B._BGP_Policy_Update-20181017-140440.mp4" rel="noreferrer" target="_blank">https://ripe77.ripe.net/archive/video/Job_Snijders-B._BGP_Policy_Update-20181017-140440.mp4</a><br>
<br>
presentation: Practical Everyday BGP filtering "Peerlocking"<br>
pdf: <a href="http://instituut.net/~job/NANOG67_NTT_peerlocking_JobSnijders.pdf" rel="noreferrer" target="_blank">http://instituut.net/~job/NANOG67_NTT_peerlocking_JobSnijders.pdf</a><br>
video: <a href="https://www.youtube.com/watch?v=CSLpWBrHy10" rel="noreferrer" target="_blank">https://www.youtube.com/watch?v=CSLpWBrHy10</a><br>
<br>
RFC 8212 ("EBGP default deny") and why we should ask our vendors like<br>
Cisco IOS, IOS XE, NX-OS, Juniper, Arista, Brocade, etc... to be<br>
compliant with this RFC:<br>
slides 2-14: <a href="http://largebgpcommunities.net/presentations/ITNOG3-Job_Snijders_Recent_BGP_Innovations.pdf" rel="noreferrer" target="_blank">http://largebgpcommunities.net/presentations/ITNOG3-Job_Snijders_Recent_BGP_Innovations.pdf</a><br>
skip to the rfc8212 part: <a href="https://youtu.be/V6Wsq66-f40?t=854" rel="noreferrer" target="_blank">https://youtu.be/V6Wsq66-f40?t=854</a><br>
compliance tracker: <a href="http://github.com/bgp/RFC8212" rel="noreferrer" target="_blank">http://github.com/bgp/RFC8212</a><br>
<br>
The NLNOG Day in Fall 2018 has a wealth of RPKI related presentations<br>
and testimonies: <a href="https://nlnog.net/nlnog-day-2018/" rel="noreferrer" target="_blank">https://nlnog.net/nlnog-day-2018/</a><br>
<br>
Finally, there is the NLNOG BGP Filter Guide: <a href="http://bgpfilterguide.nlnog.net/" rel="noreferrer" target="_blank">http://bgpfilterguide.nlnog.net/</a><br>
If you spot errors or have suggestions, please submit them via github<br>
<a href="https://github.com/nlnog/bgpfilterguide" rel="noreferrer" target="_blank">https://github.com/nlnog/bgpfilterguide</a><br>
<br>
Please let me or the group know should you require further information,<br>
I love talking about this topic ;-)<br>
<br>
Kind regards,<br>
<br>
Job<br>
</blockquote></div>