
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">


<head>


<meta http-equiv="Content-Type" content="text/html; charset=utf-8">


<meta name="Generator" content="Microsoft Word 15 (filtered medium)">


<style><!--


/* Font Definitions */


@font-face


        {font-family:"Cambria Math";


        panose-1:2 4 5 3 5 4 6 3 2 4;}


@font-face


        {font-family:Calibri;


        panose-1:2 15 5 2 2 2 4 3 2 4;}


/* Style Definitions */


p.MsoNormal, li.MsoNormal, div.MsoNormal


        {margin:0in;


        margin-bottom:.0001pt;


        font-size:11.0pt;


        font-family:"Calibri",sans-serif;}


a:link, span.MsoHyperlink


        {mso-style-priority:99;


        color:blue;


        text-decoration:underline;}


a:visited, span.MsoHyperlinkFollowed


        {mso-style-priority:99;


        color:purple;


        text-decoration:underline;}


p.msonormal0, li.msonormal0, div.msonormal0


        {mso-style-name:msonormal;


        mso-margin-top-alt:auto;


        margin-right:0in;


        mso-margin-bottom-alt:auto;


        margin-left:0in;


        font-size:11.0pt;


        font-family:"Calibri",sans-serif;}


span.EmailStyle18


        {mso-style-type:personal-reply;


        font-family:"Calibri",sans-serif;


        color:windowtext;}


.MsoChpDefault


        {mso-style-type:export-only;


        font-family:"Calibri",sans-serif;}


@page WordSection1


        {size:8.5in 11.0in;


        margin:1.0in 1.0in 1.0in 1.0in;}


div.WordSection1


        {page:WordSection1;}


--></style><!--[if gte mso 9]><xml>


<o:shapedefaults v:ext="edit" spidmax="1026" />


</xml><![endif]--><!--[if gte mso 9]><xml>


<o:shapelayout v:ext="edit">


<o:idmap v:ext="edit" data="1" />


</o:shapelayout></xml><![endif]-->


</head>


<body lang="EN-US" link="blue" vlink="purple">


<div class="WordSection1">


<p class="MsoNormal">https://www.nccoe.nist.gov/projects/building-blocks/secure-inter-domain-routing<o:p></o:p></p>


<p class="MsoNormal"><o:p> </o:p></p>


<p class="MsoNormal">Timothy A Battles<o:p></o:p></p>


<p class="MsoNormal">Chief Security Office<o:p></o:p></p>


<p class="MsoNormal">314-280-4578<o:p></o:p></p>


<p class="MsoNormal"><a href="mailto:tb2848@att.com"><span style="color:#0563C1">tb2848@att.com</span></a><o:p></o:p></p>


<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">12976 Hollenberg Dr<o:p></o:p></span></p>


<p class="MsoNormal">Bridgeton, MO 63044<o:p></o:p></p>


<p class="MsoNormal"><o:p> </o:p></p>


<p class="MsoNormal">The information contained in this e-mail, including any attachment(s), is intended solely for use by the named addressee(s).  If you are not the intended recipient, or a person designated as responsible for delivering such messages to the


 intended recipient, you are not authorized to disclose, copy, distribute or retain this message, in whole or in part, without written authorization from the sender.  This e-mail may contain proprietary, confidential or privileged information. If you have received


 this message in error, please notify the sender immediately. <o:p></o:p></p>


<p class="MsoNormal"><o:p> </o:p></p>


<p class="MsoNormal"><o:p> </o:p></p>


<p class="MsoNormal"><b>From:</b> NANOG <nanog-bounces@nanog.org> <b>On Behalf Of


</b>Tom Beecher<br>


<b>Sent:</b> Tuesday, June 25, 2019 9:42 AM<br>


<b>To:</b> Job Snijders <job@ntt.net><br>


<b>Cc:</b> NANOG <nanog@nanog.org><br>


<b>Subject:</b> Re: BGP filtering study resources (Was: CloudFlare issues?)<o:p></o:p></p>


<p class="MsoNormal"><o:p> </o:p></p>


<div>


<p class="MsoNormal">Job also enjoys having his ID checked. Can we get a best practices link added to the list for that?<o:p></o:p></p>


</div>


<p class="MsoNormal"><o:p> </o:p></p>


<div>


<div>


<p class="MsoNormal">On Tue, Jun 25, 2019 at 10:27 AM Job Snijders <<a href="mailto:job@ntt.net">job@ntt.net</a>> wrote:<o:p></o:p></p>


</div>


<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">


<p class="MsoNormal">Dear Stephen,<br>


<br>


On Tue, Jun 25, 2019 at 07:04:12AM -0700, Stephen Satchell wrote:<br>


> On 6/25/19 2:25 AM, Katie Holly wrote:<br>


> > Disclaimer: As much as I dislike Cloudflare (I used to complain<br>


> > about them a lot on Twitter), this is something I am absolutely<br>


> > agreeing with them. Verizon failed to do the most basic of network<br>


> > security, and it will happen again, and again, and again...<br>


> <br>


> I used to be a quality control engineer in my career, so I have a<br>


> question to ask from the perspective of a QC guy:  what is the Best<br>


> Practice for minimizing, if not totally preventing, this sort of<br>


> problem?  Is there a "cookbook" answer to this?<br>


> <br>


> (I only run edge networks now, and don't have BGP to worry about.  If<br>


> my current $dayjob goes away -- they all do -- I might have to get<br>


> back into the BGP game, so this is not an idle query.)<br>


> <br>


> Somehow "just be careful and clueful" isn't the right answer.<br>


<br>


Here are some resources which maybe can serve as a starting point for<br>


anyone interested in the problem space:<br>


<br>


presentation: Architecting robust routing policies<br>


pdf: <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__ripe77.ripe.net_presentations_59-2DRIPE77-5FSnijders-5FRouting-5FPolicy-5FArchitecture.pdf&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=B3FumFykkOB2Dwz5qxjHsw&m=7spUlDmAq8LEqZ2qtr0yGE_POLHSLNqM_kfbfRguxqs&s=ODEpNYQM3Oxc67pj6eCdvHWgPf1En0HiyjOkMG_Yfeg&e=" target="_blank">


https://ripe77.ripe.net/presentations/59-RIPE77_Snijders_Routing_Policy_Architecture.pdf</a><br>


video: <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__ripe77.ripe.net_archive_video_Job-5FSnijders-2DB.-5FBGP-5FPolicy-5FUpdate-2D20181017-2D140440.mp4&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=B3FumFykkOB2Dwz5qxjHsw&m=7spUlDmAq8LEqZ2qtr0yGE_POLHSLNqM_kfbfRguxqs&s=SOfM7pQuVvA0h-tSkmBwJwQ0t36KgX-SwZnXRZqZvfc&e=" target="_blank">


https://ripe77.ripe.net/archive/video/Job_Snijders-B._BGP_Policy_Update-20181017-140440.mp4</a><br>


<br>


presentation: Practical Everyday BGP filtering "Peerlocking"<br>


pdf: <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__instituut.net_-7Ejob_NANOG67-5FNTT-5Fpeerlocking-5FJobSnijders.pdf&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=B3FumFykkOB2Dwz5qxjHsw&m=7spUlDmAq8LEqZ2qtr0yGE_POLHSLNqM_kfbfRguxqs&s=IPGjlZCNVY3OwZaPbNPfKH4oYVbujIe2B274fgZ3Y08&e=" target="_blank">


http://instituut.net/~job/NANOG67_NTT_peerlocking_JobSnijders.pdf</a><br>


video: <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.youtube.com_watch-3Fv-3DCSLpWBrHy10&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=B3FumFykkOB2Dwz5qxjHsw&m=7spUlDmAq8LEqZ2qtr0yGE_POLHSLNqM_kfbfRguxqs&s=AxMa0NAWJUjT1xn73vv5I7E5SwECQF6RV9_kKFiOdZ4&e=" target="_blank">


https://www.youtube.com/watch?v=CSLpWBrHy10</a><br>


<br>


RFC 8212 ("EBGP default deny") and why we should ask our vendors like<br>


Cisco IOS, IOS XE, NX-OS, Juniper, Arista, Brocade, etc... to be<br>


compliant with this RFC:<br>


slides 2-14: <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__largebgpcommunities.net_presentations_ITNOG3-2DJob-5FSnijders-5FRecent-5FBGP-5FInnovations.pdf&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=B3FumFykkOB2Dwz5qxjHsw&m=7spUlDmAq8LEqZ2qtr0yGE_POLHSLNqM_kfbfRguxqs&s=ah2RTfckZ-s51fkzT7gk9L3_aN44yhGl3clLE2CXI7w&e=" target="_blank">


http://largebgpcommunities.net/presentations/ITNOG3-Job_Snijders_Recent_BGP_Innovations.pdf</a><br>


skip to the rfc8212 part: <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__youtu.be_V6Wsq66-2Df40-3Ft-3D854&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=B3FumFykkOB2Dwz5qxjHsw&m=7spUlDmAq8LEqZ2qtr0yGE_POLHSLNqM_kfbfRguxqs&s=_Hs_rZFkuPNN3sy6QRMeqhxsIcV2lxVKlkBbzNKNSx4&e=" target="_blank">


https://youtu.be/V6Wsq66-f40?t=854</a><br>


compliance tracker: <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__github.com_bgp_RFC8212&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=B3FumFykkOB2Dwz5qxjHsw&m=7spUlDmAq8LEqZ2qtr0yGE_POLHSLNqM_kfbfRguxqs&s=mhk4WCxGewj26dk7ZG5tTg0EoNDieX0MTQuR0tJp-uk&e=" target="_blank">


http://github.com/bgp/RFC8212</a><br>


<br>


The NLNOG Day in Fall 2018 has a wealth of RPKI related presentations<br>


and testimonies: <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nlnog.net_nlnog-2Dday-2D2018_&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=B3FumFykkOB2Dwz5qxjHsw&m=7spUlDmAq8LEqZ2qtr0yGE_POLHSLNqM_kfbfRguxqs&s=Uk93fuwAFjJ2Ocj73of67i8Wx9nDeKqItDyruxiGD7A&e=" target="_blank">


https://nlnog.net/nlnog-day-2018/</a><br>


<br>


Finally, there is the NLNOG BGP Filter Guide: <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__bgpfilterguide.nlnog.net_&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=B3FumFykkOB2Dwz5qxjHsw&m=7spUlDmAq8LEqZ2qtr0yGE_POLHSLNqM_kfbfRguxqs&s=trF2hXsOk-udqpBeDzEohsEbiqlhQnWvE7MTc6YW8IE&e=" target="_blank">


http://bgpfilterguide.nlnog.net/</a><br>


If you spot errors or have suggestions, please submit them via github<br>


<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_nlnog_bgpfilterguide&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=B3FumFykkOB2Dwz5qxjHsw&m=7spUlDmAq8LEqZ2qtr0yGE_POLHSLNqM_kfbfRguxqs&s=UCVkxMzvBtcw1tft2JQp9Oxpg5W0shcYB3CIznr69zo&e=" target="_blank">https://github.com/nlnog/bgpfilterguide</a><br>


<br>


Please let me or the group know should you require further information,<br>


I love talking about this topic ;-)<br>


<br>


Kind regards,<br>


<br>


Job<o:p></o:p></p>


</blockquote>


</div>


</div>


</body>


</html>