[c-nsp] Best practise/security design for BGP and OSPF
adamv0025 at netconsultings.com
Tue May 23 05:00:52 EDT 2017
> CiscoNSP List
> Sent: Tuesday, May 23, 2017 7:45 AM
>
> Hi Everyone,
>
> Just doing a bit of a refresh of our current bgp+ospf templates to ensure
> they are in line with today's "best practice"
>
> (I have googled this, but majority of the examples are from circa 2012 or
> earlier....so hoping someone can provide some feedback :)
>
Hi
Regarding OSPF,
Best security is to use it solely for routing PE loopbacks (i.e. no
connectivity outside the core).
Regarding BGP,
All the security needs to be implemented at the edges of your AS, all of
them, no exceptions.
Start with Internet eBGP sessions and move your way through all the other
eBGP sessions all the way down to managed CPEs.
Once you have the overall concept done then it's just about slight
alterations for each different type of eBGP session.
Best approach is to have the policy modular - that way you can for example
leave out the module for blocking Martian addresses from eBGP sessions to CPEs
but leave it in for Internet eBGP sessions (one example of slight
modification as mentioned above).
You can use RFC7454 as guidance in designing your BGP policy modules.
adam
netconsultings.com
::carrier-class solutions for the telecommunications industry::
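
The modular inbound policy described in the reply above, as an added example that is not part of the original post. It assumes IOS XR route-policy language (RPL) and IPv4 only; every policy and set name is hypothetical, and the AS-path threshold is an illustrative value.

```ios-xr
! Added example: IOS XR RPL assumed; all names below are hypothetical.
! Module 1: martian IPv4 prefixes (IANA special-purpose address space).
prefix-set MARTIANS-V4
  0.0.0.0/8 le 32,
  10.0.0.0/8 le 32,
  100.64.0.0/10 le 32,
  127.0.0.0/8 le 32,
  169.254.0.0/16 le 32,
  172.16.0.0/12 le 32,
  192.0.0.0/24 le 32,
  192.0.2.0/24 le 32,
  192.168.0.0/16 le 32,
  198.18.0.0/15 le 32,
  198.51.100.0/24 le 32,
  203.0.113.0/24 le 32,
  224.0.0.0/4 le 32,
  240.0.0.0/4 le 32
end-set
!
route-policy MOD-DROP-MARTIANS
  if destination in MARTIANS-V4 then
    drop
  endif
end-policy
!
! Module 2: overly long AS paths (50 is an illustrative threshold).
route-policy MOD-DROP-LONG-AS-PATH
  if as-path length ge 50 then
    drop
  endif
end-policy
!
! Internet eBGP sessions: every module is applied.
route-policy EBGP-INTERNET-IN
  apply MOD-DROP-MARTIANS
  apply MOD-DROP-LONG-AS-PATH
  pass
end-policy
!
! Managed-CPE eBGP sessions: the martian module is left out, as in the post.
! A production CPE policy would also match the customer's assigned prefixes.
route-policy EBGP-CPE-IN
  apply MOD-DROP-LONG-AS-PATH
  pass
end-policy
```

A `drop` inside an applied module ends evaluation for that route, so the trailing `pass` in each parent policy is reached only by routes that no module rejected.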