In part 3 of our deep dive into BGP operations, Nick Russo and Russ White join us again on Network Collective to talk about securing BGP. In this episode we cover topics like authentication, advertisement filtering, best practices, origin security, path security, and remotely triggered black holes.     We would like to thank Cumulus Networks for sponsoring this episode of Network Collective. Cumulus is offering you, our listeners, a completely free O’Reilly ebook on the topic of BGP in the data center. You can get your copy of this excellent technical resource here: http://cumulusnetworks.com/networkcollectivebgp     Show Notes: Authentication Classic MD5 Enhanced Authentication extensions (EA). Supported by IOS XR and allows for SHA1 as well, along with key-chain rotations. Doesn’t appear commonly used GTSM, and how it can be better than the previous option in some cases Basic prefix filtering: From your customers: allow any number of their own AS prepended From the Internet: block bogons (RFC1918, class D/E, etc) To your peers: only your local space (ie, your customers) From your peers: only routes originating from their AS (any # of prepends) BCP38 Techniques for spoofing prevention Describe with a simple snail mail analogy Usually uRPF strict or loose, depending Sometimes ACLs with specific IPs as sources are used too Best suited for true customer edge, not transit/peering edge (performance) Origin Security Try to prevent the hijacking of routes Hijacking is often used by spammers, etc., to source junk The main idea is — is this AS number really tied to this address block? The RPKI

Ver todos los episodios