BGP Edge Security for Dummies. Layer , 2603, and others
Step 1 of 9
Question: Am I part of the problem (or the solution)?
Answer: Are you currently operating an ASN with at least one peer? (transit included)
If yes! Then this is for you. Admit you have a problem and that you want to solve it!
If no! Then dwell into s/memes (I can recommend honestnetworker.net).
Step 2 of 9
Do the very needful basics.
1. Reject bogon ASNs
2. Reject bogon prefixes
Step 2 of 9: Reject Bogon ASN (JUNOS)

    policy-options {
        as-path-group bogon-asns {
            /* RFC7607 */
            as-path zero ".* 0.*";
            /* RFC 4893 AS_TRANS */
            as-path as_trans ".* *";
            /* RFC 5398 and documentation/example ASNs */
            as-path examples1 ".* [ ].*";
            as-path examples2 ".* [ ].*";
            /* RFC 6996 Private ASNs */
            as-path reserved1 ".* [ ].*";
            as-path reserved2 ".* [ ].*";
            /* RFC 6996 Last 16 and 32 bit ASNs */
            as-path last16 ".* *";
            as-path last32 ".* *";
            /* RFC IANA reserved ASNs */
            as-path iana-reserved ".* [ ].*";
        }
        policy-statement import_from_ebgp {
            term bogon-asns {
                from as-path-group bogon-asns;
                then reject;
            }
            term ...
        }
    }
Step 2 of 9: Reject Bogon ASN (XR)

    as-path-set bogon-asns
      # RFC7607
      ios-regex '_0_',
      # 2 to 4 byte ASN migrations
      passes-through '23456',
      # RFC5398
      passes-through '[ ]',
      passes-through '[ ]',
      # RFC6996
      passes-through '[ ]',
      passes-through '[ ]',
      # RFC7300
      passes-through '65535',
      passes-through ' ',
      # IANA reserved
      passes-through '[ ]'
    end-set

    route-policy import_from_ebgp
      if as-path in bogon-asns then
        drop
      else
        ...
      endif
    end-policy
Step 2 of 9: Reject Bogon Prefix (JUNOS)

    policy-options {
        prefix-list BOGONS_v4 {
            /8;
            /8;
            /10;
            /8;
            /16;
            /12;
            /24;
            /24;
            /16;
            /15;
            /24;
            /24;
            /4;
            /4;
        }
        policy-statement BGP_FILTER_IN {
            term IPv4 {
                from {
                    prefix-list BOGONS_v4;
                }
                then reject;
            }
        }
        policy-statement ipv6-ebgp-relaxed {
            from {
                family inet6;
                route-filter 3ffe::/16 orlonger;
                route-filter 0000::/8 orlonger;
                route-filter 2001:db8::/32 orlonger;
                route-filter 2001::/32 exact next policy;
                route-filter 2001::/32 longer;
                route-filter 2002::/16 exact next policy;
                route-filter 2002::/16 longer;
                route-filter fe00::/9 orlonger;
                route-filter ff00::/8 orlonger;
                route-filter 2000::/3 prefix-length-range /49-/128;
                route-filter 0::/0 orlonger;
            }
            then {
                trace;
                reject;
            }
        }
    }
Step 2 of 9: Reject Bogon Prefix (Cisco IOS / XR)

    ipv6 prefix-list ipv6-ebgp-strict deny 3ffe::/16 le 128
    ipv6 prefix-list ipv6-ebgp-strict permit 2001:500::/30 ge 48 le 48
    ipv6 prefix-list ipv6-ebgp-strict deny 2001:db8::/32 le 128
    ipv6 prefix-list ipv6-ebgp-strict permit 2001::/32
    ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 35 le 35
    ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict permit 2001:0678::/29 le 48
    ipv6 prefix-list ipv6-ebgp-strict permit 2001:0c00::/23 ge 48 le 48
    ipv6 prefix-list ipv6-ebgp-strict permit 2001:13c7:6000::/36 le 48
    ipv6 prefix-list ipv6-ebgp-strict permit 2001:13c7:7000::/36 le 48
    ipv6 prefix-list ipv6-ebgp-strict permit 2001:43f8::/29 ge 40 le 48
    ipv6 prefix-list ipv6-ebgp-strict permit 2002::/16
    ipv6 prefix-list ipv6-ebgp-strict permit 2003::/16 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict permit 2400::/12 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict permit 2600::/12 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict permit 2610::/23 ge 24 le 32
    ipv6 prefix-list ipv6-ebgp-strict permit 2620::/23 ge 40 le 48
    ipv6 prefix-list ipv6-ebgp-strict permit 2800::/12 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48
    ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128

XR:

    prefix-set BOGONS_V4
      /8 le 32,
      /8 le 32,
      /10 le 32,
      /8 le 32,
      /16 le 32,
      /12 le 32,
      /24 le 32,
      /24 le 32,
      /16 le 32,
      /15 le 32,
      /24 le 32,
      /24 le 32,
      /4 le 32,
      /4 le 32
    end-set
    !
    route-policy BGP_FILTER_IN
      if destination in BOGONS_V4 then
        drop
      endif
    end-policy
Step 3 of 9
Do the very needful basics, extended version.
1. Reject small prefixes
2. Reject long AS-paths
Step 3 of 9: Reject Small Prefixes (JUNOS)

    policy-options {
        policy-statement bgp-import-policy {
            term reject_too_small_prefixes_v4 {
                from {
                    route-filter /0 prefix-length-range /25-/32;
                }
                then {
                    reject;
                }
            }
        }
    }

Cisco:

    ip prefix-list peerfilter seq 5 deny /0
    ip prefix-list peerfilter seq 10 permit /0 ge 8 le 24
    !
    ! Use a template peer-policy that you configure for each neighbor like this:
    !
    template peer-policy ixe-v4
     prefix-list peerfilter in
     maximum-prefix <number>
    exit-peer-policy
    !
Step 3 of 9: Reject Long AS-paths (JUNOS)

    policy-options {
        policy-statement bgp-import-policy {
            term no-long-paths {
                from as-path too-many-hops;
                then reject;
            }
        }
        as-path too-many-hops ".{100,}";
    }

Cisco:

    route-policy BGP_FILTER_IN
      if as-path length ge 100 then
        drop
      endif
    end-policy
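The Step 2 and Step 3 import terms, modelled in Python so the rejection logic can be checked offline (an added example, not from the deck or any vendor; the ASN ranges are the published RFC 7607/4893/5398/6996/7300 and IANA values, the IPv4 bogon list is the customary RFC 1918/5737/6598 and other special-purpose space, and every Route sample is constructed):

```python
"""Model of the Step 2 and Step 3 eBGP import terms: reject bogon ASNs in the
AS_PATH, bogon prefixes, too-specific IPv4 prefixes and overly long AS paths.

Added example, not part of the slide deck and not vendor code. ASN ranges are
the published ones (RFC 7607, RFC 4893, RFC 5398, RFC 6996, RFC 7300, IANA
16-bit reserved block); the IPv4 bogon list is the customary special-purpose
set (RFC 1918, RFC 5737, RFC 6598 and friends). Route values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Inclusive ASN ranges that must never appear in a path learned over eBGP.
BOGON_ASN_RANGES = [
    (0, 0, "RFC 7607 AS 0"),
    (23456, 23456, "RFC 4893 AS_TRANS"),
    (64496, 64511, "RFC 5398 documentation"),
    (65536, 65551, "RFC 5398 documentation"),
    (64512, 65534, "RFC 6996 private 16-bit"),
    (4200000000, 4294967294, "RFC 6996 private 32-bit"),
    (65535, 65535, "RFC 7300 last 16-bit"),
    (4294967295, 4294967295, "RFC 7300 last 32-bit"),
    (65552, 131071, "IANA reserved"),
]

# Special-purpose IPv4 space; nothing inside these should arrive over eBGP.
BOGON_PREFIXES_V4 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

MAX_PREFIXLEN_V4 = 24   # reject_too_small_prefixes_v4: /25-/32 are dropped
MAX_AS_PATH_LEN = 100   # as-path too-many-hops ".{100,}"


@dataclass
class Route:
    prefix: str
    as_path: List[int]   # leftmost entry is the neighbour, rightmost the origin


def bogon_asn_reason(as_path: List[int]) -> Optional[str]:
    """First bogon ASN found in the path, with the RFC it violates, or None."""
    for asn in as_path:
        for low, high, reason in BOGON_ASN_RANGES:
            if low <= asn <= high:
                return f"bogon ASN {asn} ({reason})"
    return None


def evaluate_import(route: Route) -> Tuple[str, Optional[str]]:
    """Walk the terms in the order the deck configures them and return
    ('reject', reason) on the first match, else ('accept', None)."""
    reason = bogon_asn_reason(route.as_path)
    if reason:
        return "reject", reason
    net = ipaddress.ip_network(route.prefix, strict=False)
    if net.version == 4:
        for bogon in BOGON_PREFIXES_V4:
            if net.subnet_of(bogon):
                return "reject", f"bogon prefix within {bogon}"
        if net.prefixlen > MAX_PREFIXLEN_V4:
            return "reject", f"prefix /{net.prefixlen} more specific than /{MAX_PREFIXLEN_V4}"
    if len(route.as_path) >= MAX_AS_PATH_LEN:
        return "reject", f"AS path length {len(route.as_path)} >= {MAX_AS_PATH_LEN}"
    return "accept", None


if __name__ == "__main__":
    # Constructed sample routes as an IX peer or transit might announce them.
    samples = [
        Route("198.0.0.0/24", [6939, 2603]),            # clean
        Route("198.0.0.0/24", [6939, 64512]),           # private ASN in path
        Route("10.1.0.0/16", [6939, 2603]),             # RFC 1918 space
        Route("198.0.0.0/25", [6939, 2603]),            # too specific
        Route("198.0.0.0/24", [6939] + [2603] * 99),    # 100-hop path
    ]
    for r in samples:
        print(f"{r.prefix:<16} {evaluate_import(r)}")
```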
Step 4 of 9
1. Use maximum-prefix to your advantage (JUNOS)

    neighbor {
        description "Facebook, Inc.";
        import [ netnod-ix-in peering-in facebook-in ];
        family inet {
            unicast {
                prefix-limit {
                    maximum 114;
                    teardown 80 idle-timeout 60;
                }
            }
        }
        peer-as 32934;
    }
Step 5 of 9
IRR-filtering: killing sessions leaking prefixes over IXPs
Step 5 of 9
IRR-filtering
1. It has inherent problems
2. Excessive filtering will most likely affect your routers in a negative way
3. Still worth it
Step 5 of 9
IRR-filtering
1. It has inherent problems
Not really authoritative data: many different sources of truth-ish, and sometimes there are offending entries in the various databases. RADB, RIPE, NTTCOM, AltDB and ARIN are examples of such IRR sources. Solutions are coming, for example having RPKI data drown out stale/conflicting IRR objects, cleaning out best-effort data with validated data, etc. IRRd is getting updated to improve the support and provide new functions for common IRR aggregators such as rr.ntt.net and whois.radb.net. Most people adopting IRR-filtering today are using one of the public aggregators above.
Step 5 of 9
IRR-filtering
2. Excessive filtering will most likely affect your routers in a negative manner
Big configurations are bad for routers (especially Junos with its RPD monolith). Heavy regexp operations are heavy, it turns out.
Step 5 of 9
IRR-filtering
2. Excessive filtering will most likely affect your routers in a negative manner

    hugge@nl-sar-re1> show configuration | count
    Count: lines

Commit time 2-6 minutes on 15.1F6-S10.11.
Step 5 of 9
It is a definite must to filter your customers, based on at least IRR data. bgpq3 is the de-facto tool to generate filters with.

    hugge> bgpq3 -Jl bredbandskollen-in AS-BBK
    policy-options {
    replace:
     prefix-list bredbandskollen-in {
        /24;
        /24;
     }
    }

    hugge> bgpq3 -l bredbandskollen-in AS-BBK
    no ip prefix-list bredbandskollen-in
    ip prefix-list bredbandskollen-in permit /24
    ip prefix-list bredbandskollen-in permit /24

    hugge> bgpq3 -l comhem-in -f AS-COMHEM
    no ip as-path access-list comhem-in
    ip as-path access-list comhem-in permit ^39651(_39651)*$
    ip as-path access-list comhem-in permit ^39651(_[0-9]+)*_( )$

    hugge> bgpq3 -l comhem-in -Jf AS-COMHEM
    policy-options {
    replace:
     as-path-group comhem-in {
      as-path a0 "^39651(39651)*$";
      as-path a1 "^39651(.)*( )$";
     }
    }
Step 5 of 9
Filter peers? Yes. Maybe. Hopefully sometimes. At least AS-path, mkay. It's getting better and easier (better methods of handling large control-plane-heavy configs, multi-threaded processing, more aggregation, better regexp engines).

Prefix filters (extended and non-extended):

    hugge> bgpq3 -A AS-HURRICANE | wc -l
    hugge> bgpq3 -JAE AS-HURRICANE | wc -l
    hugge> bgpq3 AS-HURRICANE | wc -l

AS-path filters:

    hugge> bgpq3 -l hurricane-in -f 6939 AS-HURRICANE | wc -l
    2892
    hugge> bgpq3 -l hurricane-in -Jf 6939 AS-HURRICANE | wc -l
    1451
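What the customer and peer bgpq3 invocations above produce, reconstructed as a small Python generator so the shape of the -f/-Jf AS-path regexes and the -l/-Jl prefix-lists is explicit (an added example, not bgpq3's code and not part of the deck; the as-set AS-EXAMPLE-CUST, its members and their route objects are constructed stand-ins for a live IRR query, and the loop between the two sets is deliberate):

```python
"""Customer filters in the shape bgpq3 emits (Step 5): -f / -Jf AS-path filters
and -l / -Jl prefix-lists, generated from an IRR-style as-set.

Added example: this is not bgpq3 and not part of the deck. AS_SETS and
ROUTE_OBJECTS are a constructed stand-in for the live IRR data bgpq3 fetches
from whois.radb.net or rr.ntt.net; the set names are hypothetical.
"""
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed IRR snapshot. The two sets reference each other on purpose:
# real as-sets do that, and an expander must not recurse forever.
AS_SETS: Dict[str, List[str]] = {
    "AS-EXAMPLE-CUST": ["AS39651", "AS64500", "AS-EXAMPLE-DOWNSTREAM"],
    "AS-EXAMPLE-DOWNSTREAM": ["AS64501", "AS64502", "AS-EXAMPLE-CUST"],
}
# origin ASN -> route objects it has registered (64500 and 64501 share one).
ROUTE_OBJECTS: Dict[int, List[str]] = {
    39651: ["198.0.0.0/22", "198.0.4.0/24"],
    64500: ["198.0.8.0/24"],
    64501: ["198.0.8.0/24", "198.0.9.0/24"],
    64502: [],
}


def expand_as_set(name: str, seen: Optional[Set[str]] = None) -> Set[int]:
    """Resolve an as-set (and nested sets) to the ASNs it contains;
    `seen` breaks reference loops between sets."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns: Set[int] = set()
    for member in AS_SETS.get(name, []):
        if member.upper().startswith("AS-"):
            asns |= expand_as_set(member, seen)
        else:
            asns.add(int(member[2:]))   # "AS64500" -> 64500
    return asns


def _downstream(origin: int, as_set: str) -> str:
    """Alternation of every member ASN except the customer's own origin ASN."""
    return "|".join(str(a) for a in sorted(expand_as_set(as_set) - {origin}))


def cisco_as_path_acl(acl_name: str, origin: int, as_set: str) -> List[str]:
    """IOS lines like `bgpq3 -l NAME -f ORIGIN AS-SET`: the origin alone (with
    prepends), then the origin followed by any path ending in a member ASN."""
    lines = [f"no ip as-path access-list {acl_name}",
             f"ip as-path access-list {acl_name} permit ^{origin}(_{origin})*$"]
    alt = _downstream(origin, as_set)
    if alt:
        lines.append(f"ip as-path access-list {acl_name} permit ^{origin}(_[0-9]+)*_({alt})$")
    return lines


def junos_as_path_group(group: str, origin: int, as_set: str) -> List[str]:
    """Junos as-path-group like `bgpq3 -l NAME -Jf ORIGIN AS-SET`."""
    lines = ["policy-options {", "replace:", f" as-path-group {group} {{",
             f'  as-path a0 "^{origin}({origin})*$";']
    alt = _downstream(origin, as_set)
    if alt:
        lines.append(f'  as-path a1 "^{origin}(.)*({alt})$";')
    lines += [" }", "}"]
    return lines


def junos_prefix_list(name: str, as_set: str) -> List[str]:
    """Junos prefix-list like `bgpq3 -Jl NAME AS-SET`: the route objects of every
    member ASN, de-duplicated and sorted; no aggregation (that is bgpq3 -A)."""
    prefixes = {ipaddress.ip_network(p)
                for asn in expand_as_set(as_set) for p in ROUTE_OBJECTS.get(asn, [])}
    ordered = sorted(prefixes, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    lines = ["policy-options {", "replace:", f" prefix-list {name} {{"]
    lines += [f"    {p};" for p in ordered]
    lines += [" }", "}"]
    return lines


if __name__ == "__main__":
    print("\n".join(cisco_as_path_acl("comhem-in", 39651, "AS-EXAMPLE-CUST")))
    print("\n".join(junos_as_path_group("comhem-in", 39651, "AS-EXAMPLE-CUST")))
    print("\n".join(junos_prefix_list("comhem-in", "AS-EXAMPLE-CUST")))
```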
Step 5 of 9
Networker committing a new 6939 peer with prefix-filters
Step 5 of 9
Seems complicated? Farm out the problems to the IXPs! Most IXPs today are doing IRR-filtering on the route servers: free automation for the lazy. Consult peering.exposed for the latest updates. Some even do RPKI validation for you. Route servers have typically gone from a big NAY to a big YAY on a global scale in recent years, and nowadays a route server makes sense for almost anyone that peers with open or selective policies.
Step 6 of 9
Bragging time
Step 6 of 9
Congratulations Operator, you have at least fulfilled one pillar of the Routing Manifesto / MANRS framework. Brag about it, put the logo on your website, put it in RFQ material. Finish the next steps and become a full MANRS member to join in on the fun of building a better Internet!
1. Prevent propagation of incorrect routing information.
2. Prevent traffic with spoofed source IP addresses.
3. Facilitate global operational communication and coordination between network operators.
4. Facilitate validation of routing information on a global scale.
Step 7 of 9
Do step 4 of the MANRS concept: "Facilitate validation of routing information on a global scale."
Make sure your organisation has the knowledge, operational paradigms and technical skills needed to care for, update and follow up on the following objects:

    Object         Registry   Purpose
    aut-num        IRR        Policy documentation
    route/route6   IRR        NLRI/origin
    as-set         IRR        Customer cone
    ROA            RPKI       NLRI/origin

Caring about your ROAs is important: with recent changes in networks with big borders, in combination with changes in IRRd, a ROA for your prefix is one of the most effective ways of signalling to others what your intentions are. If you believe you have an important Internet resource, there are almost no excuses left for not registering a ROA for it. Especially since it's crazy easy in the RIPE region.
Step 8 of 9
Support modern eBGP border operational paradigms such as Graceful Shutdown.

XR:

    route-policy AS64497-ebgp-inbound
      if community matches-any (65535:0) then
        set local-preference 0
      endif
    end-policy
    !
    router bgp
     neighbor 2001:db8:1:2::1
      remote-as
      address-family ipv6 unicast
       send-community-ebgp
       route-policy AS64497-ebgp-inbound in
      !
     !

JUNOS:

    hugge@se-tug-re0> show configuration policy-options policy-statement peering-in term draft-ietf-grow-bgp-gshut
    from community GRACEFUL_SHUTDOWN;
    then {
        local-preference add 0;
    }
MODERNIZE YOUR BGP BORDER FUNCTIONS
ACQUIRE CURRENCY
Step 9 of 9
RPKI
Step 9 of 9
Any network with important resources should make sure it has properly sized ROAs signed and published, to help other networks filter traffic for you and to optimise your chances of having your traffic come to you, and not to someone else.
Step 9 of 9
1. Validate ROAs from the RIRs
2. Transport the information to your BGP border using RTR
3. Implement Origin Validation in your policies and drop invalids
Step 9 of 9
Validator software:

    RIPE NCC RPKI Validator Toolkit   Oldie; I have mostly encountered problems. Weird crashes and general hiccups. Java.
    NLnet Labs Routinator             Up and running in 5 minutes with the packaged containers. Not a single crash since day 0.
    OpenBSD rpki-client(1)            Currently WIP. Will most likely be a strong contender once finalized (has received good sponsorships from IIS, SUNET, NETNOD).
Step 9 of 9
Talk RTR between router and validator:

    hugge@se-tug-re1> show validation session
    Session                     State   Flaps   Uptime          #IPv4/IPv6 records
                                Up      0       15w5d 21:09:    /12076
    {master}
    hugge@se-tug-re1> show configuration routing-options validation
    group nordunet-rpki {
        session {
            port 8323;
        }
    }
    {master}
    hugge@se-tug-re1>
Step 9 of 9
Implement a filter (JUNOS):

    term rpki-invalids {
        from {
            protocol bgp;
            validation-database invalid;
        }
        then {
            validation-state invalid;
            community add bgp-rpki-invalid;
            reject;
        }
    }
    term rpki-valids {
        from {
            protocol bgp;
            validation-database valid;
        }
        then {
            validation-state valid;
            community add bgp-rpki-valid;
            next policy;
        }
    }
    term rpki-unknown {
        from {
            protocol bgp;
            validation-database unknown;
        }
        then {
            validation-state unknown;
            community add bgp-rpki-unknown;
            next policy;
        }
    }
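The three terms above act on a validation state the router computes from the VRPs it receives over RTR; the state itself follows RFC 6811, shown here in Python together with the mapping onto the deck's terms (an added example, not part of the deck and not router or validator code; the VRP set and routes are constructed, and include an AS 0 ROA and a maxLength overrun):

```python
"""RFC 6811 origin validation as the Step 9 policy applies it: compute the
validation state of a received route against a set of VRPs (the
prefix / maxLength / ASN triples the validator hands the router over RTR) and
map the state onto the three terms rpki-invalids / rpki-valids / rpki-unknown.

Added example, not part of the deck and not router or validator code. The VRP
set and routes below are constructed; a real router gets its VRPs from the RTR
session shown above.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maximum length, authorised origin AS."""
    prefix: str
    maxlen: int
    asn: int


def validation_state(prefix: str, origin_as: int, vrps: List[VRP]) -> str:
    """RFC 6811 section 2: 'unknown' if no VRP covers the route, 'valid' if a
    covering VRP matches the origin and the route is not more specific than
    its maxLength, otherwise 'invalid'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # An AS 0 ROA (RFC 6483) never matches a real origin, so it only ever
        # contributes 'covered', which makes every route under it invalid.
        if vrp.asn == origin_as and route.prefixlen <= vrp.maxlen:
            return "valid"
    return "invalid" if covered else "unknown"


def apply_rpki_terms(prefix: str, origin_as: int, vrps: List[VRP]) -> Tuple[str, str, str]:
    """Mirror the deck's three terms: every state gets a community, only
    'invalid' is rejected, the other two fall through to the next policy."""
    state = validation_state(prefix, origin_as, vrps)
    community = f"bgp-rpki-{state}"
    action = "reject" if state == "invalid" else "next policy"
    return state, community, action


# Constructed VRP set, as a validator would export it.
SAMPLE_VRPS = [
    VRP("198.0.0.0/22", 24, 64500),   # 64500 may announce /22 .. /24 here
    VRP("198.0.0.0/22", 22, 64501),   # second ROA, other origin, exact only
    VRP("198.0.8.0/24", 24, 0),       # AS 0 ROA: nobody may originate this
    VRP("2001:db8::/32", 48, 64500),
]

if __name__ == "__main__":
    for pfx, asn in [("198.0.0.0/22", 64500), ("198.0.1.0/25", 64500),
                     ("198.0.0.0/23", 64501), ("198.0.8.0/24", 64500),
                     ("198.0.16.0/24", 64500), ("2001:db8:1::/48", 64500)]:
        print(pfx, asn, apply_rpki_terms(pfx, asn, SAMPLE_VRPS))
```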
Step 9 of 9
RPKI just a fad? Can I just ignore it and it will go away?
Step 9 of 9
State of route servers:
- AMS-IX
- YYCIX
- DE-CIX
- NETNOD (almost done, yes?)
- IXP-Manager based IXPs (very soon)
Step 9 of 9
But RPKI without path validation, is it even worth doing? Short answer: Yes. Long answer: Meet me at the bar (I assume I am way over time at this point).
Step 9 of 9
Good sources!
DONE! Questions?
More informationSecurity by BGP 101 Building distributed, BGP-based security system
Security by BGP 101 Building distributed, BGP-based security system Łukasz Bromirski lukasz@bromirski.net May 2017, CERT EE meeting Roadmap for the session BGP as security mechanism BGP blackholing project
More informationIPv6 Module 7 BGP Route Filtering and Advanced Features
IPv6 Module 7 BGP Route Filtering and Advanced Features Objective: Using the network configured in Module 6, use various configuration methods on BGP peerings to demonstrate neighbour filtering and more
More informationNaMeX Route Server HOWTO
NaMeX Route Server HOWTO June 24, 2010 1 Service overview Route servers (RS) are a value-added service that can be offered by IXPs. Actually, the availability of a RS within an IXP is becoming more and
More informationPEERING. A very brief introduction
PEERING A very brief introduction Types of Peering Private Peering Bi-lateral Peering Multi-lateral Peering Private Peering Dedicated circuit between two peers Can use a cross connect within a data centre;
More informationIPv6 routing table Introduction 1. Impressions. An overview of the global IPv6 routing table. January 27th, 2004 RIPE 47, Amsterdam
IPv6 routing table Introduction 1 Impressions An overview of the global IPv6 routing table Gert Döring, SpaceNet AG, Munich January 27th, 2004 RIPE 47, Amsterdam IPv6 routing table Overview 2 Overview
More informationSimple Multihoming. ISP Workshops. Last updated 9 th December 2015
Simple Multihoming ISP Workshops Last updated 9 th December 2015 1 Agenda p Why Multihome? p The Multihoming Toolset p How to Multihome Options p Multihoming to the same AS p Multihoming to different ASes
More informationSimple Multihoming. ISP Workshops. Last updated 25 September 2013
Simple Multihoming ISP Workshops Last updated 25 September 2013 1 Why Multihome? p Redundancy n One connection to internet means the network is dependent on: p Local router (configuration, software, hardware)
More informationResource Certification. Alex Band, Product Manager DENIC Technical Meeting
Resource Certification Alex Band, Product Manager DENIC Technical Meeting Internet Routing Routing is non-hierarchical, open and free Freedom comes at a price: - You can announce any address block on your
More information2015/07/23 23:32 1/8 More ibgp and Basic ebgp
2015/07/23 23:32 1/8 More ibgp and Basic ebgp More ibgp and Basic ebgp Objective: Connect your ISP to a Transit provider and the Internet Exchange Point using a combination of ISIS, internal BGP, and external
More informationNetworking 101 ISP/IXP Workshops
Networking 101 ISP/IXP Workshops 1 Network Topology and Definitions Definitions and icons Network topologies PoP topologies Interconnections and IXPs IP Addressing Gluing it all together 2 Topologies and
More informationBGP and the Internet. Why Multihome? Why Multihome? Why Multihome? Why Multihome? Why Multihome? Redundancy. Reliability
Why Multihome? BGP and the Internet Multihoming Redundancy One connection to internet means the network is dependent on: Local router (configuration, software, hardware) WN media (physical failure, carrier
More informationBGP. BGP Overview. BGP Operation. BGP Neighbors
BGP BGP Overview BGP Operation BGP Neighbors BGP Overview AS - Autonomous Systems Multihoming IGP vs. EGP When to use BGP? 2 BGP Overview AS - Autonomous Systems Multihoming IGP vs. EGP When to use BGP?
More informationIPv6 Security Safe, Secure, and Supported.
IPv6 Security Safe, Secure, and Supported. Andy Davidson Hurricane Electric and LONAP adavidson@he.net Twitter: @andyd MENOG 9 Muscat, Oman, Tuesday 4 th October 2011 Don t Panic! IPv6 is not inherently
More informationNetwork Configuration Example
Network Configuration Example Configuring the BGP Local Autonomous System Attribute Release NCE0045 Modified: 2016-11-08 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000
More informationMANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!
15 October 2018 Internet2 Technology Exchange MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together! Kevin Meynell Manager, Technical & Operational Engagement meynell@isoc.org
More informationFiberstoreOS BGP Command Line Reference
FiberstoreOS BGP Command Line Reference Contents 1 BGP Commands...1 1.1 address-family...1 1.2 aggregate-address...2 1.3 bgp always-compare-med... 2 1.4 bgp bestpath as-path ignore...3 1.5 bgp bestpath
More informationBGP Best Current Practices. ISP/IXP Workshops
BGP Best Current Practices ISP/IXP Workshops 1 Configuring BGP Where do we start? 2 IOS Good Practices ISPs should start off with the following BGP commands as a basic template: router bgp 64511 bgp deterministic-med
More informationConfiguring Advanced BGP
CHAPTER 6 This chapter describes how to configure advanced features of the Border Gateway Protocol (BGP) on the Cisco NX-OS switch. This chapter includes the following sections: Information About Advanced
More informationBGP Multihoming Techniques
BGP Multihoming Techniques Philip Smith , Salt Lake City, Utah June 2003 1 Preliminaries Presentation has many configuration examples Uses Cisco IOS CLI Aimed at Service Providers Techniques
More informationBGP Multihoming Techniques
BGP Multihoming Techniques Philip Smith SANOG 2, Sri Lanka July 2003 1 Presentation Slides Available on ftp://ftp-eng.cisco.com/pfs/seminars/sanog2-multihoming.pdf 2 Preliminaries Presentation
More information