IPv6 Routing Protocol Security
- Carol Doyle
1 IPv6 Routing Protocol Security
ITU/APNIC/PacNOG21 IPv6 Workshop
4th-8th December 2017, Nuku'alofa
These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license
Last updated 31st October
2 Acknowledgements
- This material originated from the Cisco ISP/IXP Workshop Programme developed by Philip Smith & Barry Greene
- Use of these materials is encouraged as long as the source is fully acknowledged and this notice remains in place
- Bug fixes and improvements are welcomed
  - Please email workshop (at) bgp4all.com
Philip Smith
3 Dealing with Threats Against Routing & Routing Protocols
- Routing Protocol Security applies equally to IPv4 and IPv6
  - Router Control Plane
  - Routing Protocol Neighbour Authentication
  - BGP Protocol Security
  - Remotely Triggered Black Hole Filtering
  - Route Origin Validation
4 Router Control Plane
5 Router Security Considerations
- Ensure limited access to routers & switches across the backbone
  - Addressing for device control plane access comes from dedicated address block
    - Don't mix customer delegated and backbone infrastructure addressing
  - Filter at network edge and on device to only allow NOC access to control plane
    - Easier with IPv6 than with IPv4 (infrastructure addressing can come out of one /48)
6 Router Security Considerations
- Segment backbone to simplify route distribution
- Design networks so outages don't affect entire network but only portions of it
  - Tune IGP parameters for fast reconvergence
  - Use techniques such as Bi-Directional Forwarding Detection
7 Router Security Considerations
- Control router access
  - Watch for internal attacks on these systems
  - Use different passwords for standard and configuration access to router and monitoring system root access. Never have role accounts
    - One account per user, centrally controlled
- Scanning craze for all kinds of ports: this will be never ending battle
  - Turn off unused features and remove unneeded configuration
8 Routing Control Plane
- MD-5 authentication
  - Some deploy at customer's request
- Route filters limit what routes are believed from a valid peer
- Packet filters limit which systems can appear as a valid peer
- Limiting propagation of invalid routing information
  - Prefix filters
  - AS-PATH filters (trend is leaning towards this)
  - Route damping (latest consensus is that it causes more harm than good)
- Not yet possible to validate whether legitimate peer has authority to send routing update
9 Control Plane (Routing) Filters
- Filter traffic destined TO your core routers
- Develop list of required protocols that are sourced from outside your AS and access core routers
  - Example: eBGP peering, GRE, IPSec, etc.
  - Use classification filters as required
- Identify core address block(s)
  - This is the protected address space
  - Summarization is critical for simpler and shorter filter lists
10 Neighbour Authentication
11 Why Use Neighbour Authentication
- Neighbour Authentication equates to data origin authentication and data integrity
  - Otherwise unauthorised routers can potentially compromise the network!
- In BGP, require TCP resets to be authenticated so malicious person can't randomly send TCP resets
- In cases where routing information traverses shared networks, someone might be able to alter a packet or send a duplicate packet
- Routing protocols were not initially created with security in mind... this needs to change.
12 Sample MD-5 Auth Configuration (OSPFv2)
First router:
    interface Loopback0
     ip address
     ip ospf 10 area 0
    !
    interface Serial2
     ip address
     ip ospf 10 area 0
     ip ospf message-digest-key 1 md5 mk6
    !
    router ospf 10
     area 0 authentication message-digest
Second router:
    interface Loopback0
     ip address
     ip ospf 10 area 0
    !
    interface Serial1/0
     ip address
     ip ospf 10 area 0
     ip ospf message-digest-key 1 md5 mk6
    !
    router ospf 10
     area 0 authentication message-digest
13 Sample OSPFv3 IPSec Configuration
    interface Loopback0
     ipv6 address 2001:DB8::1/128
     ipv6 ospf 100 area 0
    interface FastEthernet0/0
     description Area 0 backbone interface
     ipv6 address 2001:DB8:2000::1/64
     ipv6 ospf 100 area 0
    interface FastEthernet0/1
     description Area 1 interface
     ipv6 address 2001:DB8:1000::2/64
     ipv6 ospf 100 area 1
     ipv6 ospf authentication ipsec spi 257 sha C1E A5D A D0C06015B564D400F0E C0C
    ipv6 router ospf 100
     router-id
     log-adjacency-changes detail
     passive-interface Loopback0
     timers spf 0 1
     timers pacing flood 15
     area 0 range 2001:DB8::/64
     area 0 range 2001:DB8:2000::/64
     area 1 range 2001:DB8:1000::/64
     area 0 encryption ipsec spi 256 esp aes-cbc F711C1E A5D557B7A A0B00075D50 4B420D0C E0E53520D D5D A195E4E C5B sha B5B565F701D1F E A D0C07005A574C42
14 Example for IS-IS
- Note that neighbour authentication for IS-IS is IP protocol independent:
    key chain isis-as42
     key 1
      key-string as42-pass
    !
    router isis as42
     authentication mode md5 level-2
     authentication key-chain isis-as42 level-2
     !
     address-family ipv6
      multi-topology
    !
15 BGP Security Techniques
- BGP prefix filtering
- BGP Community Filtering
- MD5 Keys on the eBGP and iBGP Peers
- Max Prefix Limits
- Max AS Path Length
- Prefer Customer Routes over Peer Routes (RFC 1998)
- GTSM (i.e. TTL Hack)
- Remote Trigger Black Hole (RTBH) Filtering
16 BGP Prefix Filtering
- Configuring BGP peering without using filters means:
  - All best paths on the local router are passed to the neighbour
  - All routes announced by the neighbour are received by the local router
  - Can have disastrous consequences
- Good practice is to ensure that each eBGP neighbour has inbound and outbound filter applied:
    router bgp
     neighbor remote-as
     neighbor prefix-list as64510-in in
     neighbor prefix-list as64510-out out
17 BGP Prefix Filtering
- If necessary to receive prefixes from any provider, care is required.
  - Don't accept default (unless you need it)
  - Don't accept your own prefixes
- Special use prefixes for IPv4 and IPv6:
- For IPv4:
  - Don't accept prefixes longer than /24 (?)
    - /24 was the historical class C
- For IPv6:
  - Don't accept prefixes longer than /48 (?)
    - /48 is the design minimum delegated to a site
18 BGP Prefix Filtering
- Check Team Cymru's list of bogons
- For IPv4 also consult: (BCP171)
- For IPv6 also consult:
- Bogon Route Server:
  - Supplies a BGP feed (IPv4 and/or IPv6) of address blocks which should not appear in the BGP table
19 Receiving IPv4 Prefixes
    router bgp 100
     network mask
     neighbor remote-as 101
     neighbor prefix-list in-filter in
    !
    ip prefix-list in-filter deny /0           ! Default
    ip prefix-list in-filter deny /8 le 32     ! RFC1122 local host
    ip prefix-list in-filter deny /8 le 32     ! RFC1918
    ip prefix-list in-filter deny /10 le 32    ! RFC6598 shared address
    ip prefix-list in-filter deny /19 le 32    ! Local prefix
    ip prefix-list in-filter deny /8 le 32     ! Loopback
    ip prefix-list in-filter deny /16 le 32    ! Auto-config
    ip prefix-list in-filter deny /12 le 32    ! RFC1918
    ip prefix-list in-filter deny /24 le 32    ! RFC6598 IETF protocol
    ip prefix-list in-filter deny /24 le 32    ! TEST1
    ip prefix-list in-filter deny /24 le 32    ! RFC7526 6to4 deprecated
    ip prefix-list in-filter deny /16 le 32    ! RFC1918
    ip prefix-list in-filter deny /15 le 32    ! Benchmarking
    ip prefix-list in-filter deny /24 le 32    ! TEST2
    ip prefix-list in-filter deny /24 le 32    ! TEST3
    ip prefix-list in-filter deny /3 le 32     ! Multicast & Experimental
    ip prefix-list in-filter deny /0 ge 25     ! Prefixes >/24
    ip prefix-list in-filter permit /0 le 32
20 Receiving IPv6 Prefixes
    router bgp 100
     network 2020:3030::/32
     neighbor 2020:3030::1 remote-as 101
     neighbor 2020:3030::1 prefix-list v6in-filter in
    !
    ipv6 prefix-list v6in-filter permit 64:ff9b::/96         ! RFC6052 v4v6trans
    ipv6 prefix-list v6in-filter deny 2001::/23 le 128       ! RFC2928 IETF protocol
    ipv6 prefix-list v6in-filter deny 2001:2::/48 le 128     ! Benchmarking
    ipv6 prefix-list v6in-filter deny 2001:10::/28 le 128    ! ORCHID
    ipv6 prefix-list v6in-filter deny 2001:db8::/32 le 128   ! Documentation Prefix
    ipv6 prefix-list v6in-filter deny 2002::/16 le 128       ! Deny all 6to4
    ipv6 prefix-list v6in-filter deny 2020:3030::/32 le 128  ! Local Prefix
    ipv6 prefix-list v6in-filter deny 3ffe::/16 le 128       ! Old 6bone
    ipv6 prefix-list v6in-filter permit 2000::/3 le 48       ! Global Unicast
    ipv6 prefix-list v6in-filter deny ::/0 le 128
Note: These filters block Teredo (serious security risk) and 6to4 (deprecated by RFC7526)
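To check a filter like this before it goes onto a router, the following added example (not part of the original slides) replays the slide's v6in-filter entries using IOS prefix-list matching rules: first match wins, an entry without ge/le matches only the exact prefix, and le bounds the accepted prefix length. The sample routes and the function names are constructed for illustration.

```python
import ipaddress

# The slide's v6in-filter, in order: (action, prefix, ge, le).
# None means the ge/le keyword is absent on that line.
V6IN_FILTER = [
    ("permit", "64:ff9b::/96", None, None),  # RFC6052 v4v6trans
    ("deny", "2001::/23", None, 128),        # RFC2928 IETF protocol (covers Teredo)
    ("deny", "2001:2::/48", None, 128),      # Benchmarking
    ("deny", "2001:10::/28", None, 128),     # ORCHID
    ("deny", "2001:db8::/32", None, 128),    # Documentation prefix
    ("deny", "2002::/16", None, 128),        # 6to4
    ("deny", "2020:3030::/32", None, 128),   # Local prefix
    ("deny", "3ffe::/16", None, 128),        # Old 6bone
    ("permit", "2000::/3", None, 48),        # Global unicast, no longer than /48
    ("deny", "::/0", None, 128),             # Everything else
]


def entry_matches(route, prefix, ge, le):
    """Apply one prefix-list entry to a route (an ipaddress network object)."""
    net = ipaddress.ip_network(prefix)
    # The route must fall inside the entry's prefix.
    if route.version != net.version or not route.subnet_of(net):
        return False
    # No ge/le: only the exact prefix length matches.
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen
    # le only: entry length up to le. ge only: ge up to the address-family maximum.
    low = net.prefixlen if ge is None else ge
    high = net.max_prefixlen if le is None else le
    return low <= route.prefixlen <= high


def evaluate(route, entries=V6IN_FILTER):
    """Return (action, matching entry) for a received prefix; first match wins."""
    candidate = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        if entry_matches(candidate, prefix, ge, le):
            return action, prefix
    return "deny", "implicit deny"  # a prefix-list ends with an implicit deny


# Constructed sample announcements, not taken from the slides.
SAMPLE_ROUTES = [
    "2001:240::/32",           # ordinary global unicast allocation
    "2400:1000:20:300::/56",   # global unicast but longer than /48
    "2001::/32",               # Teredo, inside 2001::/23
    "2002:c000:204::/48",      # 6to4
    "2020:3030:1::/48",        # more specific of the local prefix
    "64:ff9b::/96",            # exact NAT64 well-known prefix
    "64:ff9b::c000:200/120",   # more specific of the NAT64 prefix
    "::/0",                    # default route
]


def audit(routes=SAMPLE_ROUTES):
    """Map each sample route to the filter decision and the entry that made it."""
    return {route: evaluate(route) for route in routes}


if __name__ == "__main__":
    for route, (action, entry) in audit().items():
        print(f"{route:26} {action:6} (matched {entry})")
```

The run shows two properties that are easy to miss when reading the list: the exact-match permit for 64:ff9b::/96 does not admit its more specifics, and a global unicast prefix longer than /48 is only dropped because of the final deny.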
21 Receiving Prefixes
- Paying attention to prefixes received from customers, peers and transit providers assists with:
  - The integrity of the local network
  - The integrity of the Internet
- Responsibility of all Network Operators to be good Internet citizens
22 BGP Community Filtering
- Network operators use BGP Communities for:
  - Internal policies
  - Policies for their customers
  - Policies towards their upstream providers
- Policies are aimed at ensuring routing system integrity within networks and between networks
- BGP Community references:
  - Specification (RFC1997) and Example Use (RFC1998)
23 MD5 keys on BGP peerings
- Use passwords on all BGP sessions
  - Not being paranoid, VERY necessary
  - It's a secret shared between you and your peer
  - If arriving packets don't have the correct MD5 hash, they are ignored
  - Helps defeat miscreants who wish to attack BGP sessions
- Powerful preventative tool, especially when combined with filters and GTSM
    router bgp 100
     address-family ipv6
      neighbor 2001:db8::1 remote-as 200
      neighbor 2001:db8::1 description Peering with AS200
      neighbor 2001:db8::1 password
    !
24 BGP Maximum Prefix Tracking
- Allow configuration of the maximum number of prefixes a BGP router will receive from a peer
- Two level control:
  - Warning threshold: log warning message
  - Maximum: tear down the BGP peering, manual intervention required to restart
    neighbor <x.x.x.x> maximum-prefix <max> [restart N] [<threshold>] [warning-only]
- Optional keywords:
  - restart will restart the BGP session after N minutes
  - <threshold> sets the warning level (default 75%)
  - warning-only only sends warnings
25 Limiting AS Path Length
- Some BGP implementations have problems with long AS_PATHS
  - Memory corruption
  - Memory fragmentation
- Even using AS_PATH prepends, it is not normal to see more than 20 ASes in a typical AS_PATH in the Internet today
  - The Internet is around 5 ASes deep on average
  - Largest AS_PATH is usually ASNs
    neighbor x.x.x.x maxas-limit 15
26 Limiting AS Path Length
- Some announcements have ridiculous lengths of AS-paths:
    *> 3FFE:1600::/ i
  - This example is an error in one IPv6 implementation
    *>i i
  - This example shows 100 prepends (for no obvious reason)
- If your implementation supports it, limit the maximum AS-path length you will accept
27 Customer routes vs Peer routes
- Common for end organisations to have more than one upstream provider
- Routes heard from the customer have to be preferred over the same routes heard from a peer
  - This is done by increasing BGP local preference for customer routes
  - Provides a degree of protection for its customer routes
28 GTSM: The BGP TTL hack
- Implement RFC5082 on BGP peerings (Generalised TTL Security Mechanism)
  - Neighbour sets TTL to 255
  - Local router expects TTL of incoming BGP packets to be 254
  - No one apart from directly attached devices can send BGP packets which arrive with TTL of 254, so any possible attack by a remote miscreant is dropped due to TTL mismatch
[Diagram: ISP AS 100 with routers R1 and R2 and an attacker; TTL labels 254, 253, 254]
29 BGP TTL hack
- TTL Hack:
  - Both neighbours must agree to use the feature
  - TTL check is much easier to perform than MD5
  - (Called BTSH: BGP TTL Security Hack)
- Provides security for BGP sessions
  - In addition to packet filters of course
  - MD5 should still be used for messages which slip through the TTL hack
  - See for more details
30 Remotely Triggered Black Hole Filtering
- A simple technique whereby the Network Operator can use their entire backbone to block mischievous traffic to a specific address within their network or their customers' network
- Chris Morrow's presentation at NANOG 30 in 2004 describing the technique:
- Deployed and supported by many of the world's largest network operators
31 RTBH: How it works
- Network Operator deploys:
  - RTBH support across their entire backbone
    - Simply a null route for a specific next-hop address
    - (Router Null interfaces simply discard packets sent to them: negligible overhead in modern hardware)
  - A trigger router (usually in the NOC)
    - Talks iBGP with the rest of the backbone (typically as a client to route-reflectors in the core)
    - Used to trigger a blackhole route activity for any address under attack, as requested by a customer
32 RTBH Backbone Configuration
- Network Operator sets up a null route for the 100::1 address on all the backbone routers which participate in BGP
    ipv6 route 100::1/128 null0
- 100::1 is part of 100::/64, the Discard Prefix, one of the reserved IPv6 address blocks listed in the IANA registry
  - It is not used or routed on the public Internet
33 RTBH Trigger Router (1)
- Create a route-map to catch routes which need to be blackholed
  - Static routes can be tagged in Cisco IOS: we will tag routes to be blackholed with the value of 66
  - Set origin to be iBGP
  - Set local-preference to be 150
    - higher than any other local-preference set in the backbone
  - Set community to be no-export and internal marker community (ASN:666)
    - Don't want prefix to leak outside the AS
  - Set next-hop to (IPv4) or 100::1 (IPv6)
34 RTBH Trigger Router (2)
- The whole route-map:
    route-map v6blackhole-trigger permit 10
     description Look for Route 66
     match tag 66
     set local-preference 200
     set origin igp
     set community no-export 100:666
     set ipv6 next-hop 100::1
    !
    route-map v6blackhole-trigger deny 20
     description Nothing else gets through
35 RTBH Trigger Router (3)
- Then introduce the route-map into the BGP configuration
  - NB: the iBGP on the trigger router cannot use next-hop-self
  - Cisco IOS overwrites the route-map originated next-hop with next-hop-self
    router bgp 100
     address-family ipv6
      redistribute static route-map v6blackhole-trigger
      neighbor 2001:dbd::2 remote-as 100
      neighbor 2001:dbd::2 description iBGP with RR1
      neighbor 2001:dbd::2 update-source Loopback 0
      neighbor 2001:dbd::2 send-community
      neighbor 2001:dbd::3 remote-as 100
      neighbor 2001:dbd::3 description iBGP with RR2
      neighbor 2001:dbd::3 update-source Loopback 0
      neighbor 2001:dbd::3 send-community
    !
36 RTBH Trigger Router (4)
- To implement the trigger, simply null route whatever address or address block needs to be blackholed
  - With Tag 66
    ipv6 route 2001:db8:f::e0/128 null0 tag 66
  - And this ensures that (for example) 2001:db8:f::e0/128 is announced to the entire backbone with next-hop 100::1 set
37 RTBH End Result
- Prefixes which need to be null routed will come from the trigger router and look like this in the BGP table:
    *>i 2001:DB8:F::E0/ :: i
- Routing entry for 2001:db8:f::e0 is this:
    cr1>sh ipv6 route 2001:db8:f::e0
    Routing entry for 2001:DB8:F::E0/128
      Known via "bgp 100", distance 200, metric 0, type internal
      Route count is 1/1, share count 0
      Routing paths:
        100::1
          MPLS label: nolabel
          Last updated 00:00:03 ago
38 RTBH End Result
- Routing entry for 100::1 is this:
    cr1>sh ipv6 route 100::1
    Routing entry for 100::1/128
      Known via "static", distance 1, metric 0
      Route count is 1/1, share count 0
      Routing paths:
        directly connected via Null0
          Last updated 00:05:21 ago
- Traffic to 2001:db8:f::e0 is sent to null interface
39 Audit and Validate Your Routing Infrastructures
- Are appropriate paths used?
  - Check routing tables
  - Verify configurations
- Is router compromised?
  - Check access logs
40 Routing Security Conclusions
- Current routing protocols do not have adequate security controls
- Mitigate risks by using a combination of techniques to limit access and authenticate data
- Be vigilant in auditing and monitoring your network infrastructure
- Consider MD5 authentication
- Always filter routing updates... especially be careful of redistribution
41 But Wait, There's More
- RPKI: Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces
  - We need to be able to authoritatively prove who owns an IP prefix and what AS(s) may announce it
  - Prefix ownership follows the allocation hierarchy (IANA, RIRs, ISPs, etc)
- Origin Validation
  - Using the RPKI to detect and prevent mis-originations of someone else's prefixes (early 2012)
- AS-Path Validation AKA BGPsec
  - Prevent Attacks on BGP (future work)
42 BGP: Why Origin Validation?
- Prevent YouTube accident & Far Worse
- Prevents most accidental announcements
- Does not prevent malicious path attacks
- That requires Path Validation and locking the data plane to the control plane, the third step, BGPsec
43 What is RPKI?
- Resource Public Key Infrastructure (RPKI)
- A robust security framework for verifying the association between resource holder and their Internet resources
- Created to address the issues in RFC 4593 Generic Threats to Routing Protocols
- Helps to secure Internet routing by validating routes
  - Proof that prefix announcements are coming from the legitimate holder of the resource
  - RFC 6480 An Infrastructure to Support Secure Internet Routing (Feb 2012)
44 Benefits of RPKI - Routing
- Prevents route hijacking
  - A prefix originated by an AS without authorization
  - Reason: malicious intent
- Prevents mis-origination
  - A prefix that is mistakenly originated by an AS which does not own it
  - Also route leakage
  - Reason: configuration mistake / fat finger
45 BGP Security (BGPsec)
- Extension to BGP that provides improved security for BGP routing
- Being worked on by the SIDR Working Group at IETF
- Implemented via a new optional non-transitive BGP attribute that contains a digital signature
- Two components:
  - BGP Prefix Origin Validation (using RPKI)
  - BGP Path Validation
46 Issuing Party
- Internet Registries (RIR, NIR, Large LIRs)
- Acts as a Certificate Authority and issues certificates for customers
- Provides a web interface to issue ROAs for customer prefixes
- Publishes the ROA records
[Diagram: MyAPNIC GUI, APNIC RPKI Engine, publication, Repository rpki.apnic.net. Courtesy of APNIC]
47 Relying Party (RP)
- Software which gathers data from CAs
- Also called RP cache or validator
[Diagram: IANA Repo, APNIC Repo, LIR Repos and RIPE Repo (rpki.ripe.net) feeding the RP Cache (gather), then Validated Cache, then RPKI-Rtr Protocol. Courtesy of APNIC]
48 RPKI Components
[Diagram: Trust Anchors rpki.ripe.net, rpki.apnic.net and ca0.rpki.net; MyAPNIC GUI, APNIC RPKI Engine, publication; RP CACHE; RPKI-Rtr Protocol. Courtesy of APNIC]
49 Route Origin Authorization (ROA)
- A digital object that contains a list of address prefixes and one AS number
- It is an authority created by a prefix holder to authorize an AS Number to originate one or more specific route advertisements
- Publish a ROA using MyAPNIC
50 Router Origin Validation
- Router must support RPKI
- Checks an RP cache / validator
- Validation returns 3 states:
  - Valid = when authorization is found for prefix X
  - Invalid = when authorization is found for prefix X but not from ASN Y
  - Unknown = when no authorization data is found
- Vendor support:
  - Cisco IOS: available in release 15.2
  - Cisco IOS/XR: available in release
  - Juniper: available in release 12.2
  - Nokia: available in release R12.0R4
  - Huawei: newly available, release TBA
51 Build an RP Cache
- Download and install from
  - Instructions here:
- The RP cache has a web interface
52 Configure Router to Use Cache
- Point router to the local RPKI cache
  - Server listens on port
  - Cisco IOS example:
    router bgp
     bgp rpki server tcp port refresh 60
53 Some commands
- show ip bgp rpki servers
  - Provide connection status to the RPKI server
- show ip bgp rpki table
  - Shows the VRPs (validated ROA payloads)
- show ip bgp
  - Shows the BGP table with status indication next to the prefix
54 Check Server
    lg-01-jb.za>sh ip bgp rpki servers
    BGP SOVC neighbor is /43779 connected to port
    Flags 64, Refresh time is 300, Serial number is
    InQ has 0 messages, OutQ has 0 messages, formatted msg 493
    Session IO flags 3, Session flags 4008
    Neighbor Statistics:
      Prefixes
      Connection attempts:
      Connection failures: 351
      Errors sent: 35
      Errors received: 0
    Connection state is ESTAB, I/O status: 1, unread input bytes: 0
    Connection is ECN Disabled
    Minimum incoming TTL 0, Outgoing TTL 255
    Local host: , Local port:
    Foreign host: , Foreign port:
    Connection tableid (VRF): 0
Courtesy of SEACOM
55 RPKI Table (IPv4)
    BGP sovc network entries using bytes of memory
    BGP sovc record entries using bytes of memory
    Network  Maxlen  Origin-AS  Source  Neighbor
Courtesy of SEACOM
56 RPKI Table (IPv6)
    3115 BGP sovc network entries using bytes of memory
    3249 BGP sovc record entries using bytes of memory
    Network  Maxlen  Origin-AS  Source  Neighbor
Courtesy of SEACOM
57 BGP Table (IPv4)
    RPKI validation codes: V valid, I invalid, N Not found
    Network  Metric  LocPrf  Path
Courtesy of SEACOM
58 BGP Table (IPv6)
    RPKI validation codes: V valid, I invalid, N Not found
        Network  Metric  LocPrf  Path
    N*> 2001::/ i
    N*  2001:4:112::/ i
    ...
    V*> 2001:240::/ i
    N*> 2001:250::/
    N*> 2001:250::/ i
    ...
    V*> 2001:348::/ i
    N*> 2001:350::/ i
    N*> 2001:358::/ i
    ...
    I*  2001:1218:101::/ i
    I*  2001:1218:104::/ i
    N*  2001:1221::/ i
    N*> 2001:1228::/ i
    ...
Courtesy of SEACOM
59 RPKI BGP State: Valid
    BGP routing table entry for 2001:240::/32, version
    Paths: (2 available, best #2, table default)
      Not advertised to any peer
      Refresh Epoch
        C0F:FEB0:11:2::1 (FE80::2A8A:1C00:1560:5BC0) from 2C0F:FEB0:11:2::1 ( )
          Origin IGP, metric 0, localpref 100, valid, external, best
          Community: 37100: : : :22060
          path 0828B828 RPKI State valid
          rx pathid: 0, tx pathid: 0x0
Courtesy of SEACOM
60 RPKI BGP State: Invalid
    BGP routing table entry for 2001:1218:101::/48, version
    Paths: (2 available, no best path)
      Not advertised to any peer
      Refresh Epoch
        C0F:FEB0:B:3::1 (FE80::86B5:9C00:15F5:7C00) from 2C0F:FEB0:B:3::1 ( )
          Origin IGP, metric 0, localpref 100, valid, external
          Community: 37100: :12
          path 0DA7D4FC RPKI State invalid
          rx pathid: 0, tx pathid: 0
Courtesy of SEACOM
61 RPKI BGP State: Not Found
    BGP routing table entry for 2001:200::/32, version
    Paths: (2 available, best #2, table default)
      Not advertised to any peer
      Refresh Epoch
        C0F:FEB0:11:2::1 (FE80::2A8A:1C00:1560:5BC0) from 2C0F:FEB0:11:2::1 ( )
          Origin IGP, metric 0, localpref 100, valid, external, best
          Community: 37100: :13
          path 19D90E68 RPKI State not found
          rx pathid: 0, tx pathid: 0x0
Courtesy of SEACOM
62 Using RPKI
- Network operators can make decisions based on RPKI state:
  - Invalid: discard the prefix
  - Not found: let it through (maybe low local preference)
  - Valid: let it through (high local preference)
- Some operators even considering making "not found" a discard event
  - But the Internet IPv4 BGP table would shrink to about 20k prefixes and the IPv6 BGP table would shrink to about 3k prefixes!
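The three validation states from the Router Origin Validation slide and the policy on the slide above can be traced with the following added example, which is not part of the original slides. It goes slightly beyond the slide's wording by implementing the full RFC 6811 check, where a covering VRP must also allow the announced prefix length (max length) for a route to be valid. The VRPs, sample announcements and local-preference numbers are constructed assumptions.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max length, origin AS).
# Documentation prefixes and ASNs only; not taken from the slides.
VRPS = [
    ("2001:db8::/32", 48, 64496),
    ("2001:db8:a000::/36", 36, 64497),
    ("192.0.2.0/24", 24, 64496),
]

# Assumed local-preference values; the slide only says "high" and "low".
LOCAL_PREF = {"valid": 200, "not-found": 90}


def origin_of(as_path):
    """Origin AS is the last AS_PATH element; an AS_SET (a Python set here) yields none."""
    if not as_path or isinstance(as_path[-1], (set, frozenset)):
        return None
    return as_path[-1]


def validate(prefix, origin_as, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for a route, following RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route sits inside the VRP prefix.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A match needs the right origin AS and a length within max length.
        # AS 0 in a VRP never matches any route.
        if route.prefixlen <= max_len and vrp_as != 0 and origin_as == vrp_as:
            return "valid"
    # Covered but never matched: wrong origin or too specific.
    return "invalid" if covered else "not-found"


def apply_policy(prefix, as_path, vrps=VRPS):
    """Apply the slide's policy: discard invalid, accept the rest with a local preference."""
    state = validate(prefix, origin_of(as_path), vrps)
    if state == "invalid":
        return state, "discard", None
    return state, "accept", LOCAL_PREF[state]


# Constructed announcements: (prefix, AS_PATH with the origin last).
SAMPLE_UPDATES = [
    ("2001:db8::/32", [64500, 64496]),         # authorised origin
    ("2001:db8:1::/48", [64500, 64496]),       # more specific, within max length
    ("2001:db8:1:100::/56", [64500, 64496]),   # right origin, too specific
    ("2001:db8::/32", [64500, 64511]),         # mis-origination by another AS
    ("2001:db8:a000::/40", [64500, 64497]),    # beyond that ROA's max length
    ("2001:db8::/32", [64500, {64496}]),       # AS_SET origin
    ("2001:db9::/32", [64500, 64501]),         # no covering VRP
]


def run(updates=SAMPLE_UPDATES):
    """Evaluate every sample announcement and return the decisions in order."""
    return [(prefix, *apply_policy(prefix, path)) for prefix, path in updates]


if __name__ == "__main__":
    for prefix, state, action, pref in run():
        print(f"{prefix:22} {state:10} {action:8} local-pref={pref}")
```

The fifth sample is the case worth noting for ROA authors: a more specific announcement from the authorised AS is still invalid when it exceeds the max length in the ROA, which is why max length should reflect what is actually announced.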
63 RPKI Summary
- All AS operators should consider deploying
- An important step to securing the routing system
  - Origin validation
- Doesn't secure the path, but that's the next hurdle to cross
- With origin validation, the opportunities for malicious or accidental mis-origination disappear
64 Routing Security
- Implement the recommendations in
  1. Prevent propagation of incorrect routing information
     - Filter BGP peers, in & out!
  2. Prevent traffic with spoofed source addresses
     - BCP38 Unicast Reverse Path Forwarding
  3. Facilitate communication between network operators
     - NOC to NOC Communication
  4. Facilitate validation of routing information
     - Route Origin Authorisation using RPKI
65 Summary
- Secure routing protocols
  - OSPF, IS-IS, BGP
- Secure access to the control plane
- Deploy RPKI
- Filtering helps everyone
  - PLEASE deploy anti-spoofing filters
  - PLEASE filter all BGP neighbours
More informationIPv6 Module 16 An IPv6 Internet Exchange Point
IPv6 Module 16 An IPv6 Internet Exchange Point Objective: To investigate methods for connecting to an Internet Exchange Point. Prerequisites: Modules 12, 14 and 15, and the Exchange Points Presentation
More informationRPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:
RPKI Introduction APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By: 1 Content Why do we need RPKI What is RPKI How to deploy RPKI Configuration case Misdirection / Hijacking Incidents
More informationFirewall and IDS. TELE3119: Week8
Firewall ad IDS TELE3119: Week8 Outlie Firewalls Itrusio Detectio Systems (IDSs) Itrusio Prevetio Systems (IPSs) 8-2 Example Attacks Disclosure, modificatio, ad destructio of data Compromise a host ad
More informationCSC 220: Computer Organization Unit 11 Basic Computer Organization and Design
College of Computer ad Iformatio Scieces Departmet of Computer Sciece CSC 220: Computer Orgaizatio Uit 11 Basic Computer Orgaizatio ad Desig 1 For the rest of the semester, we ll focus o computer architecture:
More informationBGP Scaling Techniques
BGP Scaling Techniques ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated
More informationTDC 375 Network Protocols TDC 563 P&T for Data Networks
TDC 375 Network Protocols TDC 563 P&T for Data Networks Routing Threats TDC 375/563 Spring 2013/14 John Kristoff DePaul University 1 One of two critical systems Routing (BGP) and naming (DNS) are by far
More informationICS Regent. Communications Modules. Module Operation. RS-232, RS-422 and RS-485 (T3150A) PD-6002
ICS Reget Commuicatios Modules RS-232, RS-422 ad RS-485 (T3150A) Issue 1, March, 06 Commuicatios modules provide a serial commuicatios iterface betwee the cotroller ad exteral equipmet. Commuicatios modules
More informationModule 16 An Internet Exchange Point
ISP Workshop Lab Module 16 An Internet Exchange Point Objective: To investigate methods for connecting to an Internet Exchange Point. Prerequisites: Modules 12 and 13, and the Exchange Points Presentation
More informationThe RPKI and BGP Origin Validation
The RPKI and BGP Origin Validation APRICOT / New Delhi 2012.02.27 Randy Bush Rob Austein Steve Bellovin And a cast of thousands! Well, dozens :) 2012.02.27
More informationIntroduction to BGP. ISP Workshops. Last updated 30 October 2013
Introduction to BGP ISP Workshops Last updated 30 October 2013 1 Border Gateway Protocol p A Routing Protocol used to exchange routing information between different networks n Exterior gateway protocol
More informationNetwork Time Protocol (NTP)
Network Time Protocol (NTP) Quick ad Dirty for AfNOG 2017 (Ayitey Bulley) About NTP Network Time Protocol project http://tp.org NTP is a protocol desiged to sychroize the clocks of computers over a etwork.
More informationBGP Policy Control. ISP Workshops
BGP Policy Control ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated
More informationNetwork Time Protocol (NTP)
Network Time Protocol (NTP) Quick ad Dirty for AfNOG 2018 (Michuki Mwagi) Origial slides by Ayitey Bulley About NTP Network Time Protocol project http://tp.org NTP is a protocol desiged to sychroize the
More informationIPv6 Security. ISP Workshops
IPv6 Security ISP Workshops These materials are licesed uder the Creative Commos Attributio-NoCommercial 4.0 Iteratioal licese (http://creativecommos.org/liceses/by-c/4.0/) Last updated 11 th April 2018
More informationAppendix D. Controller Implementation
COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Iterface 5 th Editio Appedix D Cotroller Implemetatio Cotroller Implemetatios Combiatioal logic (sigle-cycle); Fiite state machie (multi-cycle, pipelied);
More informationMorgan Kaufmann Publishers 26 February, COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Interface. Chapter 5
Morga Kaufma Publishers 26 February, 28 COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Iterface 5 th Editio Chapter 5 Set-Associative Cache Architecture Performace Summary Whe CPU performace icreases:
More informationBike MS: 2013 Participant Center guide
Bike MS: 2013 Participat Ceter guide bikems.org 1 Why use Olie Fudraisig Tools? Usig olie tools makes fudraisig easier Table of Cotets Participats who use persoal pages raise more moey! Bike MS $883 v.
More informationBike MS: 2014 Participant Center guide
Bike MS: 2014 Participat Ceter guide bikems.org 1 Table of Cotets Why Use Olie Fudraisig Tools... 2 Participat Ceter... 3 Guide to Olie Fudraisig... 3 Edit Persoal Page... 5 Address Book... 7 Email Messages...
More informationAnnouncements. Reading. Project #4 is on the web. Homework #1. Midterm #2. Chapter 4 ( ) Note policy about project #3 missing components
Aoucemets Readig Chapter 4 (4.1-4.2) Project #4 is o the web ote policy about project #3 missig compoets Homework #1 Due 11/6/01 Chapter 6: 4, 12, 24, 37 Midterm #2 11/8/01 i class 1 Project #4 otes IPv6Iit,
More informationWeb OS Switch Software
Web OS Switch Software BBI Quick Guide Nortel Networks Part Number: 213164, Revisio A, July 2000 50 Great Oaks Boulevard Sa Jose, Califoria 95119 408-360-5500 Mai 408-360-5501 Fax www.orteletworks.com
More informationIPv6 Protocols & Standards. ISP Training Workshops
IPv6 Protocols & Stadards ISP Traiig Workshops 1 So what has really chaged? p Expaded address space Address legth quadrupled to 16 bytes p Header Format Simplificatio Fixed legth, optioal headers are daisy-chaied
More informationOur Learning Problem, Again
Noparametric Desity Estimatio Matthew Stoe CS 520, Sprig 2000 Lecture 6 Our Learig Problem, Agai Use traiig data to estimate ukow probabilities ad probability desity fuctios So far, we have depeded o describig
More informationIntroduction to BGP. ISP/IXP Workshops
Introduction to BGP ISP/IXP Workshops 1 Border Gateway Protocol A Routing Protocol used to exchange routing information between different networks Exterior gateway protocol Described in RFC4271 RFC4276
More informationISP 1 AS 1 Prefix P peer ISP 2 AS 2 Route leak (P) propagates Prefix P update Route update P Route leak (P) to upstream 2 AS 3 Customer BGP Update messages Route update A ISP A Prefix A ISP B B leaks
More informationWYSE Academic Challenge Sectional Computer Science 2005 SOLUTION SET
WYSE Academic Challege Sectioal Computer Sciece 2005 SOLUTION SET 1. Correct aswer: a. Hz = cycle / secod. CPI = 2, therefore, CPI*I = 2 * 28 X 10 8 istructios = 56 X 10 8 cycles. The clock rate is 56
More informationMessage Authentication Codes. Reading: Chapter 4 of Katz & Lindell
Message Autheticatio Codes Readig: Chapter 4 of Katz & Lidell 1 Message autheticatio Bob receives a message m from Alice, he wats to ow (Data origi autheticatio) whether the message was really set by Alice.
More informationBIKE MS: 2015 PARTICIPANT CENTER GUIDE
BIKE MS: 2015 PARTICIPANT CENTER GUIDE bikems.org 1 Table of Cotets Why Use Olie Fudraisig Tools... 2 Participat Ceter... 3 Guide to Olie Fudraisig... 3 Edit Persoal Page... 5 Address Book... 7 Email Messages...
More informationMOTIF XF Extension Owner s Manual
MOTIF XF Extesio Ower s Maual Table of Cotets About MOTIF XF Extesio...2 What Extesio ca do...2 Auto settig of Audio Driver... 2 Auto settigs of Remote Device... 2 Project templates with Iput/ Output Bus
More informationBGP Attributes and Policy Control
BGP Attributes and Policy Control ISP/IXP `2005, Cisco Systems, Inc. All rights reserved. 1 Agenda BGP Attributes BGP Path Selection Applying Policy 2 BGP Attributes The tools available for the job `2005,
More informationElementary Educational Computer
Chapter 5 Elemetary Educatioal Computer. Geeral structure of the Elemetary Educatioal Computer (EEC) The EEC coforms to the 5 uits structure defied by vo Neuma's model (.) All uits are preseted i a simplified
More informationL5355 Modbus Plus Communications Interface
L5355 Modbus Plus Commuicatios Iterface Techical Maual HA470897 Issue 2 Copyright SSD Drives Ic 2005 All rights strictly reserved. No part of this documet may be stored i a retrieval system, or trasmitted
More informationThe IPv6 Protocol & IPv6 Standards
The IPv6 Protocol & IPv6 Stadards ISP Workshops These materials are licesed uder the Creative Commos Attributio-NoCommercial 4.0 Iteratioal licese (http://creativecommos.org/liceses/by-c/4.0/) Last updated
More informationCMSC Computer Architecture Lecture 12: Virtual Memory. Prof. Yanjing Li University of Chicago
CMSC 22200 Computer Architecture Lecture 12: Virtual Memory Prof. Yajig Li Uiversity of Chicago A System with Physical Memory Oly Examples: most Cray machies early PCs Memory early all embedded systems
More informationLinux DNS (BIND), DHCP and Servers
it 8 Liux (B), HCP ad mail ervers oa Warre HCP oa Warre HCP ervice yamically assigs a P address to requestig machies P addresses are leased P addresses are leased scope of addresses ca be assiged or excluded
More informationIPv6 Addressing. ISP Workshops
IPv6 Addressig ISP Workshops These materials are licesed uder the Creative Commos Attributio-NoCommercial 4.0 Iteratioal licese (http://creativecommos.org/liceses/by-c/4.0/) Last updated 12 th April 2018
More informationTerm Project Report. This component works to detect gesture from the patient as a sign of emergency message and send it to the emergency manager.
CS2310 Fial Project Loghao Li Term Project Report Itroductio I this project, I worked o expadig exercise 4. What I focused o is makig the real gesture recogizig sesor ad desig proper gestures ad recogizig
More informationThe Magma Database file formats
The Magma Database file formats Adrew Gaylard, Bret Pikey, ad Mart-Mari Breedt Johaesburg, South Africa 15th May 2006 1 Summary Magma is a ope-source object database created by Chris Muller, of Kasas City,
More information6053/6055 Modbus Plus Communications Interface
This maual was dowloaded o www.sdsdrives.com +44 (0)117 938 1800 - ifo@sdsdrives.com 6053/6055 Modbus Plus Commuicatios Iterface Techical Maual HA468032U001 Issue 3 Compatible with Versio 1.2 (owards)
More informationAn Operational Perspective on BGP Security. Geoff Huston February 2005
An Operational Perspective on BGP Security Geoff Huston February 2005 Disclaimer This is not a description of the approach taken by any particular service provider in securing their network. It is intended
More informationCCIE Routing and Switching v4.0
Table of Cotets CCIE Routig ad Switchig v4.0 Quick Referece Brad Ellis Jacob Uecker Steve Meas Chapter 1 Geeral Networkig Theory...2 Chapter 2 Bridgig ad LAN Switchig... 11 Chapter 3 IP Addressig... 30
More informationIPv6 Transition Planning
IPv6 Trasitio Plaig ITU/APNIC/PacNOG21 IPv6 Workshop 4 th 8 th December 2017 Nuku alofa These materials are licesed uder the Creative Commos Attributio-NoCommercial 4.0 Iteratioal licese (http://creativecommos.org/liceses/by-c/4.0/)
More informationIOS Implementation of the ibgp PE CE Feature
IOS Implementation of the ibgp PE CE Feature Document ID: 117567 Contributed by Luc De Ghein, Cisco TAC Engineer. Apr 04, 2014 Contents Introduction Background Information Implement ibgp PE CE BGP Customer
More informationInternet Security: How the Internet works and some basic vulnerabilities. *Slides borrowed from Dan Boneh
Iteret Security: How the Iteret works ad some basic vulerabilities *Slides borrowed from Da Boeh Iteret Ifrastructure ISP Backboe ISP Local ad iterdomai routig TCP/IP for routig ad messagig BGP for routig
More informationSchema for the DCE Security Registry Server
Schema for the Security egistry Server Versio Date: 0/20/00 For questios or commets cocerig this documet, sed a email ote to dce-ldap@opegroup.org or call Doa Skibbie at 52 838-3896. . Itroductio...3 2.
More informationBGP Attributes and Policy Control
BGP Attributes and Policy Control ISP/IXP Workshops 1 Agenda BGP Attributes BGP Path Selection Applying Policy 2 BGP Attributes The tools available for the job 3 What Is an Attribute?... Next Hop......
More informationResource Public Key Infrastructure
Resource Public Key Infrastructure A pilot for the Internet2 Community to secure the global route table Andrew Gallo The Basics The Internet is a self organizing network of networks. How do you find your
More informationRoute Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes
1 Types of prefixes in IP core network: Internal Prefixes External prefixes Downstream customers Internet prefixes 2 Internal prefixes originated in IP core network Loopback Transport Connect inter-regional
More informationBGP route filtering and advanced features
2015/07/23 23:33 1/13 BGP route filtering and advanced features BGP route filtering and advanced features Objective: Using the network configured in Module 6, use various configuration methods on BGP peerings
More informationGlobal Support Guide. Verizon WIreless. For the BlackBerry 8830 World Edition Smartphone and the Motorola Z6c
Verizo WIreless Global Support Guide For the BlackBerry 8830 World Editio Smartphoe ad the Motorola Z6c For complete iformatio o global services, please refer to verizowireless.com/vzglobal. Whether i
More informationUsing BGP Communities
Using BGP Communities ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated
More informationBGP Attributes and Path Selection
BGP Attributes and Path Selection ISP Training Workshops 1 BGP Attributes The tools available for the job 2 What Is an Attribute?... Next Hop AS Path MED...... Part of a BGP Update Describes the characteristics
More informationWorkflow model GM AR. Gumpy. Dynagump. At a very high level, this is what gump does. We ll be looking at each of the items described here seperately.
Workflow model GM AR Gumpy RM Dyagump At a very high level, this is what gump does. We ll be lookig at each of the items described here seperately. User edits project descriptor ad commits s maitai their
More informationModule 2 More ibgp, and Basic ebgp Configuration
ISP/IXP Networking Workshop Lab Module 2 More ibgp, and Basic ebgp Configuration Objective: Simulate four different interconnected ISP backbones using a combination of ISIS, internal BGP, and external
More informationPattern Recognition Systems Lab 1 Least Mean Squares
Patter Recogitio Systems Lab 1 Least Mea Squares 1. Objectives This laboratory work itroduces the OpeCV-based framework used throughout the course. I this assigmet a lie is fitted to a set of poits usig
More informationR&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell
R&E ROUTING SECURITY BEST PRACTICES Grover Browning Karl Newell RFC 7454 BGP Operations & Security Feb, 2015 https://tools.ietf.org/html/rfc7454 [ 2 ] Agenda Background / Community Development Overview
More informationIPv6 Deployment Study
IPv6 Deploymet Study ISP Workshops These materials are licesed uder the Creative Commos Attributio-NoCommercial 4.0 Iteratioal licese (http://creativecommos.org/liceses/by-c/4.0/) Last updated 8 th April
More informationChapter 11. Friends, Overloaded Operators, and Arrays in Classes. Copyright 2014 Pearson Addison-Wesley. All rights reserved.
Chapter 11 Frieds, Overloaded Operators, ad Arrays i Classes Copyright 2014 Pearso Addiso-Wesley. All rights reserved. Overview 11.1 Fried Fuctios 11.2 Overloadig Operators 11.3 Arrays ad Classes 11.4
More informationConnecting to a Service Provider Using External BGP
Connecting to a Service Provider Using External BGP First Published: May 2, 2005 Last Updated: August 21, 2007 This module describes configuration tasks that will enable your Border Gateway Protocol (BGP)
More informationIPv6 Module 6 ibgp and Basic ebgp
ISP Workshop Lab IPv6 Module 6 ibgp and Basic ebgp Objective: Using IPv6, simulate four different interconnected ISP backbones using a combination of ISIS, internal BGP, and external BGP. Prerequisites:
More information