Dear all, I've compiled a list of study resource references that can perhaps be a starting point for anyone interested to improve the security of their BGP perimeter:
presentation: Architecting robust routing policies pdf: https://ripe77.ripe.net/presentations/59-RIPE77_Snijders_Routing_Policy_Architecture.pdf video: https://ripe77.ripe.net/archive/video/Job_Snijders-B._BGP_Policy_Update-20181017-140440.mp4 presentation: Practical Everyday BGP filtering "Peerlocking" pdf: http://instituut.net/~job/NANOG67_NTT_peerlocking_JobSnijders.pdf video: https://www.youtube.com/watch?v=CSLpWBrHy10 RFC 8212 ("EBGP default deny") and why we should ask our vendors like Cisco IOS, IOS XE, NX-OS, Juniper, Arista, Brocade, etc... to be compliant with this RFC: slides 2-14: http://largebgpcommunities.net/presentations/ITNOG3-Job_Snijders_Recent_BGP_Innovations.pdf skip to the rfc8212 part: https://youtu.be/V6Wsq66-f40?t=854 compliance tracker: http://github.com/bgp/RFC8212 The NLNOG Day in Fall 2018 has a wealth of RPKI related presentations and testimonies: https://nlnog.net/nlnog-day-2018/ Finally, there is the NLNOG BGP Filter Guide: http://bgpfilterguide.nlnog.net/ If you spot errors or have suggestions, please submit them via github https://github.com/nlnog/bgpfilterguide Please let me or the group know should you require further information, I love talking about this topic ;-) Kind regards, Job On Tue, Jun 25, 2019 at 5:17 PM Hisham Ibrahim <[email protected]> wrote: > > Dear all, > > Yesterday a small company in Northern Pennsylvania became a preferred path of > many Internet routes through Verizon (AS701), a major Internet transit > provider. > > The details of this of the outage can be read here. > > https://radar.qrator.net/blog/how-difficult-is-to-disrupt-a-service-nowadays > > Cloudflare, one of those effected, also published more on the issue and how > it impacted their operations. > > https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/?fbclid=IwAR11RUJU-jY-PbGMH1WjIdbR6WhqkSDcWlQR5pFU5sKsVJwPpUrTyfwJJIw > > Solution: if you have not already considered RPKI then you probably should. > > https://www.ripe.net/manage-ips-and-asns/resource-management/certification > > If you are interested in understanding more about hot to deploy RPKI please > let us know. > > Regards > Hisham > > _______________________________________________ > Menog mailing list > [email protected] > http://lists.menog.org/mailman/listinfo/menog _______________________________________________ Menog mailing list [email protected] http://lists.menog.org/mailman/listinfo/menog
