Re: SP 800-189 (Draft), Resilient Interdomain Traffic Exchange

["Montgomery, Douglas C. \(Fed\) via NANOG" <nanog () nanog org>]

Sorry, finger faulted and hit send by accident.

In response to Ruediger’s comment about guidance to USG agencies / networks on the issues of BGP, there is NIST 
guidance under development that addresses this.

NIST SP.800-189 - Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation

The document is out for public review.  We welcome any and all feedback.  The URL below contains links to the draft 
document as well as the process for submitting comments.

Thanks
dougm
--
DougM at NIST


From: Doug Montgomery <dougm () nist gov>
Date: Monday, October 28, 2019 at 4:03 PM
To: "nanog () nanog org" <nanog () nanog org>
Subject: SP 800-189 (Draft), Resilient Interdomain Traffic Exchange

https://csrc.nist.gov/publications/detail/sp/800-189/draft


/

This document provides technical guidance and recommendations for technologies that improve the security and robustness 
of interdomain traffic exchange. Technologies recommended in this document for securing the interdomain routing control 
traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. 
Additionally, technologies recommended for mitigating DoS and DDoS attacks include prevention of IP address spoofing 
using source address validation with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other 
technologies such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate 
limiting (RRL) are also recommended as part of the overall security mechanisms.

dougm
--
Doug Montgomery, Manager Internet  & Scalable Systems Research @ NIST