Re: BGP filtering study resources (Was: CloudFlare issues?)

[Alex Band <alex () nlnetlabs nl>]

For further community-driven RPKI information there is:

https://rpki.readthedocs.io/ 

Along with an FAQ:

https://rpki.readthedocs.io/en/latest/about/faq.html

Cheers,

-Alex

> On 25 Jun 2019, at 17:55, BATTLES, TIM <tb2848 () att com> wrote:
>
> https://www.nccoe.nist.gov/projects/building-blocks/secure-inter-domain-routing
>  
> Timothy A Battles
> Chief Security Office
> 314-280-4578
> tb2848 () att com
> 12976 Hollenberg Dr
> Bridgeton, MO 63044
>  
> The information contained in this e-mail, including any attachment(s), is intended solely for use by the named 
> addressee(s).  If you are not the intended recipient, or a person designated as responsible for delivering such 
> messages to the intended recipient, you are not authorized to disclose, copy, distribute or retain this message, in 
> whole or in part, without written authorization from the sender.  This e-mail may contain proprietary, confidential 
> or privileged information. If you have received this message in error, please notify the sender immediately. 
>  
>  
> From: NANOG <nanog-bounces () nanog org> On Behalf Of Tom Beecher
> Sent: Tuesday, June 25, 2019 9:42 AM
> To: Job Snijders <job () ntt net>
> Cc: NANOG <nanog () nanog org>
> Subject: Re: BGP filtering study resources (Was: CloudFlare issues?)
>  
> Job also enjoys having his ID checked. Can we get a best practices link added to the list for that?
>  
> On Tue, Jun 25, 2019 at 10:27 AM Job Snijders <job () ntt net> wrote:
> Dear Stephen,
>
> On Tue, Jun 25, 2019 at 07:04:12AM -0700, Stephen Satchell wrote:
> > On 6/25/19 2:25 AM, Katie Holly wrote:
> > > Disclaimer: As much as I dislike Cloudflare (I used to complain
> > > about them a lot on Twitter), this is something I am absolutely
> > > agreeing with them. Verizon failed to do the most basic of network
> > > security, and it will happen again, and again, and again...
> >
> > I used to be a quality control engineer in my career, so I have a
> > question to ask from the perspective of a QC guy:  what is the Best
> > Practice for minimizing, if not totally preventing, this sort of
> > problem?  Is there a "cookbook" answer to this?
> >
> > (I only run edge networks now, and don't have BGP to worry about.  If
> > my current $dayjob goes away -- they all do -- I might have to get
> > back into the BGP game, so this is not an idle query.)
> >
> > Somehow "just be careful and clueful" isn't the right answer.
>
> Here are some resources which maybe can serve as a starting point for
> anyone interested in the problem space:
>
> presentation: Architecting robust routing policies
> pdf: https://ripe77.ripe.net/presentations/59-RIPE77_Snijders_Routing_Policy_Architecture.pdf
> video: https://ripe77.ripe.net/archive/video/Job_Snijders-B._BGP_Policy_Update-20181017-140440.mp4
>
> presentation: Practical Everyday BGP filtering "Peerlocking"
> pdf: http://instituut.net/~job/NANOG67_NTT_peerlocking_JobSnijders.pdf
> video: https://www.youtube.com/watch?v=CSLpWBrHy10
>
> RFC 8212 ("EBGP default deny") and why we should ask our vendors like
> Cisco IOS, IOS XE, NX-OS, Juniper, Arista, Brocade, etc... to be
> compliant with this RFC:
> slides 2-14: http://largebgpcommunities.net/presentations/ITNOG3-Job_Snijders_Recent_BGP_Innovations.pdf
> skip to the rfc8212 part: https://youtu.be/V6Wsq66-f40?t=854
> compliance tracker: http://github.com/bgp/RFC8212
>
> The NLNOG Day in Fall 2018 has a wealth of RPKI related presentations
> and testimonies: https://nlnog.net/nlnog-day-2018/
>
> Finally, there is the NLNOG BGP Filter Guide: http://bgpfilterguide.nlnog.net/
> If you spot errors or have suggestions, please submit them via github
> https://github.com/nlnog/bgpfilterguide
>
> Please let me or the group know should you require further information,
> I love talking about this topic ;-)
>
> Kind regards,
>
> Job