BGP Security

Many things can go wrong with BGP: the BGP connection ("session") between two routers may be disrupted, organizations may originate IP addresses that don’t belong to them, or networks may insert themselves in traffic paths where they don’t belong.

Learn how to protect BGP sessions, protect against incorrect origination, and protect against route leaks and MitM.

The theory is explained first; the remaining time is available for participants to practice some of the techniques in a lab setup, along with explanations of the lab examples.

Prerequisites: knowledge of the main BGP concepts and general TCP/IP concepts.


This course is provided both online and at the NL-ix office. If you want to register with a group of 4+ people or arrange a BGP course at your own office, please inquire about the available options.

Please note: The course can only proceed when there are enough participants.

Price
€ 595,- excluding VAT  

The online version of the BGP Expert book by Iljitsch van Beijnum will be made available for free to all participants.

Course Program

  • 10-minute BGP basics refresher
  • Routing security goals
    • confidentiality, integrity, availability
  • Technical aspects
    • protecting BGP sessions
    • longest match first rule issues
  • Business/governance aspects
    • transit and peering
    • "Stable internet routing without global coordination"
    • the valley-free model
    • who gets to do what?
  • Attacks vs mistakes
  • Examples of BGP outages
    • incorrect origination
    • man-in-the-middle
    • route leaks
  • Measures to protect BGP
    • protecting BGP sessions
      • MD5 option
      • IPsec and TCP Authentication Option
      • GTSM
      • addresses for BGP and filtering
    • protecting against incorrect origination
      • RPKI
      • filters based on routing registries (RIPE database)
    • protecting against route leaks and MitM
      • filters based on routing registries (RIPE database)
      • soon: ASPA
      • BGPsec, what it is and why it won’t be deployed
    • BGP monitoring
  • BGP aspects to DDoS mitigation
    • what you can do in your own network
    • what your ISP may be able to do for you
    • DDoS scrubbing services
  • Implementation examples and lab