For further community-driven RPKI information there is: https://rpki.readthedocs.io/
Along with an FAQ: https://rpki.readthedocs.io/en/latest/about/faq.html

Cheers,

-Alex

> On 25 Jun 2019, at 17:55, BATTLES, TIM <tb2...@att.com> wrote:
>
> https://www.nccoe.nist.gov/projects/building-blocks/secure-inter-domain-routing
>
> Timothy A Battles
> Chief Security Office
> 314-280-4578
> tb2...@att.com
> 12976 Hollenberg Dr
> Bridgeton, MO 63044
>
> The information contained in this e-mail, including any attachment(s), is
> intended solely for use by the named addressee(s). If you are not the
> intended recipient, or a person designated as responsible for delivering such
> messages to the intended recipient, you are not authorized to disclose, copy,
> distribute or retain this message, in whole or in part, without written
> authorization from the sender. This e-mail may contain proprietary,
> confidential or privileged information. If you have received this message in
> error, please notify the sender immediately.
>
>
> From: NANOG <nanog-boun...@nanog.org> On Behalf Of Tom Beecher
> Sent: Tuesday, June 25, 2019 9:42 AM
> To: Job Snijders <j...@ntt.net>
> Cc: NANOG <nanog@nanog.org>
> Subject: Re: BGP filtering study resources (Was: CloudFlare issues?)
>
> Job also enjoys having his ID checked. Can we get a best practices link added
> to the list for that?
>
> On Tue, Jun 25, 2019 at 10:27 AM Job Snijders <j...@ntt.net> wrote:
> Dear Stephen,
>
> On Tue, Jun 25, 2019 at 07:04:12AM -0700, Stephen Satchell wrote:
> > On 6/25/19 2:25 AM, Katie Holly wrote:
> > > Disclaimer: As much as I dislike Cloudflare (I used to complain
> > > about them a lot on Twitter), this is something I am absolutely
> > > agreeing with them. Verizon failed to do the most basic of network
> > > security, and it will happen again, and again, and again...
> >
> > I used to be a quality control engineer in my career, so I have a
> > question to ask from the perspective of a QC guy: what is the Best
> > Practice for minimizing, if not totally preventing, this sort of
> > problem? Is there a "cookbook" answer to this?
> >
> > (I only run edge networks now, and don't have BGP to worry about. If
> > my current $dayjob goes away -- they all do -- I might have to get
> > back into the BGP game, so this is not an idle query.)
> >
> > Somehow "just be careful and clueful" isn't the right answer.
>
> Here are some resources which maybe can serve as a starting point for
> anyone interested in the problem space:
>
> presentation: Architecting robust routing policies
> pdf: https://ripe77.ripe.net/presentations/59-RIPE77_Snijders_Routing_Policy_Architecture.pdf
> video: https://ripe77.ripe.net/archive/video/Job_Snijders-B._BGP_Policy_Update-20181017-140440.mp4
>
> presentation: Practical Everyday BGP filtering "Peerlocking"
> pdf: http://instituut.net/~job/NANOG67_NTT_peerlocking_JobSnijders.pdf
> video: https://www.youtube.com/watch?v=CSLpWBrHy10
>
> RFC 8212 ("EBGP default deny") and why we should ask our vendors like
> Cisco IOS, IOS XE, NX-OS, Juniper, Arista, Brocade, etc... to be
> compliant with this RFC:
> slides 2-14: http://largebgpcommunities.net/presentations/ITNOG3-Job_Snijders_Recent_BGP_Innovations.pdf
> skip to the rfc8212 part: https://youtu.be/V6Wsq66-f40?t=854
> compliance tracker: http://github.com/bgp/RFC8212
>
> The NLNOG Day in Fall 2018 has a wealth of RPKI related presentations
> and testimonies: https://nlnog.net/nlnog-day-2018/
>
> Finally, there is the NLNOG BGP Filter Guide: http://bgpfilterguide.nlnog.net/
> If you spot errors or have suggestions, please submit them via github
> https://github.com/nlnog/bgpfilterguide
>
> Please let me or the group know should you require further information,
> I love talking about this topic ;-)
>
> Kind regards,
>
> Job