
Underlay

Episode 22 – Securing BGP

51 min • 21 February 2018

In part 3 of our deep dive into BGP operations, Nick Russo and Russ White join us again on Network Collective to talk about securing BGP. In this episode we cover topics like authentication, advertisement filtering, best practices, origin security, path security, and remotely triggered black holes.

We would like to thank Cumulus Networks for sponsoring this episode of Network Collective. Cumulus is offering you, our listeners, a completely free O’Reilly ebook on the topic of BGP in the data center. You can get your copy of this excellent technical resource here: http://cumulusnetworks.com/networkcollectivebgp

Show Notes:

  • Authentication
    1. Classic MD5
    2. Enhanced Authentication extensions (EA). Supported by IOS XR and allows for SHA1 as well, along with key-chain rotations. Doesn’t appear to be commonly used
    3. GTSM, and how it can be better than the previous option in some cases
  • Basic prefix filtering:
    1. From your customers: allow any number of their own AS prepended
    2. From the Internet: block bogons (RFC1918, class D/E, etc.)
    3. To your peers: only your local space (i.e., your customers)
    4. From your peers: only routes originating from their AS (any # of prepends)
  • BCP38
    1. Techniques for spoofing prevention
    2. Describe with a simple snail mail analogy
    3. Usually uRPF strict or loose, depending
    4. Sometimes ACLs with specific IPs as sources are used too
    5. Best suited for true customer edge, not transit/peering edge (performance)
  • Origin Security
    1. Try to prevent the hijacking of routes
    2. Hijacking is often used by spammers, etc., to source junk
    3. The main idea is — is this AS number really tied to this address block?
    4. The RPKI
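
The inbound rules from the "Basic prefix filtering" notes above, written out as an added example (not from the episode or its hosts). The function names and role labels are hypothetical, the sample updates are constructed from documentation ASNs and prefixes, and the bogon list holds only the ranges the notes name.

```python
import ipaddress

# Only the bogon ranges the notes name; a production list is longer.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "224.0.0.0/4",                                    # class D
    "240.0.0.0/4",                                    # class E
)]


def is_bogon(prefix):
    """True if the IPv4 prefix sits inside one of the bogon ranges."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(b) for b in BOGONS)


def only_neighbor_as(as_path, neighbor_as):
    """True if the path is the neighbor's AS, prepended any number of times."""
    return bool(as_path) and all(asn == neighbor_as for asn in as_path)


def accept_inbound(prefix, as_path, neighbor_as, role):
    """Apply the inbound rule for role 'customer', 'peer' or 'internet'.

    Returns (accepted, reason). The role names are hypothetical labels.
    """
    if role == "internet":
        return (False, "bogon") if is_bogon(prefix) else (True, "ok")
    if role in ("customer", "peer"):
        if only_neighbor_as(as_path, neighbor_as):
            return True, "ok"
        return False, "as-path"
    raise ValueError("unknown role: %r" % role)


# Constructed sample updates (documentation ASNs and prefixes).
SAMPLES = [
    ("10.1.0.0/16", [64500, 64501], 64500, "internet"),
    ("192.0.2.0/24", [64500, 64501], 64500, "internet"),
    ("198.51.100.0/24", [64501, 64501, 64501], 64501, "customer"),
    ("203.0.113.0/24", [64502, 64511], 64502, "peer"),
]

if __name__ == "__main__":
    for prefix, path, asn, role in SAMPLES:
        print(role, prefix, path, accept_inbound(prefix, path, asn, role))
```

The peer sample is rejected because its path ends in a different origin AS than the neighbor's, which is the case the "only routes originating from their AS" rule exists to catch.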