Workshop: Routing Security
Type : Workshop
Instructors : Aftab Siddiqui & Tashi Phuntsho
Event : SANOG 42
Duration : 4 Days
Date : 22-25 October, 2024
Location : Islamabad, Pakistan
Venue : Islamabad Marriott Hotel
Level of Study : Beginner/Intermediate
Maximum number of attendees : 30 delegates
Synopsis
The SANOG Routing Security Workshop is a comprehensive four-day training aimed at equipping participants with practical knowledge and hands-on skills necessary to secure Border Gateway Protocol (BGP) routing infrastructure. This workshop will cover foundational BGP concepts, advanced routing security techniques, and best practices to mitigate threats such as route hijacking, route leaks, and man-in-the-middle attacks.
Participants will dive into critical topics like Resource Public Key Infrastructure (RPKI), Route Origin Authorization (ROA), and Route Origin Validation (ROV), learning how to implement these technologies to secure real-world networks. The workshop will also address the latest developments in BGP security, including RPKI ASPA and BGPSec, and provide hands-on lab sessions to reinforce the learning experience. By the end of the workshop, attendees will have gained the expertise to enhance routing security and contribute to global security initiatives.
Target Audience
The Routing Security Workshop is ideal for network engineers, system administrators, and IT professionals responsible for managing and securing internet routing. This workshop will benefit both intermediate and advanced participants who seek to deepen their understanding of BGP operations and routing security. It is also designed for security specialists aiming to enhance their network security strategies with a focus on securing BGP infrastructures.
Pre-requisites
To maximize the learning experience, participants should have a fundamental understanding of networking concepts and experience with BGP configurations. While the workshop is structured to cater to a range of experience levels, prior exposure to routing protocols, network security, and hands-on configurations will help attendees engage more deeply with the advanced topics and labs.
The course outline may consist of:
Day 1: BGP Fundamentals and Refresher
• Introduction to BGP
  • Overview of Border Gateway Protocol (BGP)
  • BGP peering relationships and types (iBGP, eBGP)
• BGP Attributes
  • Path selection process
  • BGP attributes (AS_PATH, NEXT_HOP, MED, LOCAL_PREF, etc.)
• BGP Best Practices
  • Filtering, prefix lists, and route maps
  • Use of BGP communities for policy control
• Traffic Engineering with BGP
  • Influencing outbound and inbound traffic
  • MED and Local Preference
• Hands-on Lab 1: Configuring BGP Peers and Attributes
  • Configuring BGP peers
  • Testing BGP attributes and path selection in a lab environment
• Case Studies and Discussion
Day 2: Routing Security Essentials
• Recap and Warm-Up
• BGP Security Concepts & Threats
  • BGP Hijacking, Route Leaks
  • Man-in-the-Middle attacks
• RFC 7959 Concepts
  • Secure BGP practices (using RFC 7959)
  • Path validation and origin validation techniques
• Anti-Spoofing Techniques
  • Implementing BCP 38 (Network Ingress Filtering)
  • Preventing IP spoofing in networks
• Hands-on Lab 2: Implementing Security Filters
  • Configuring prefix lists, route maps, and implementing GTSM
  • Using bgpq4
• Case Studies and Discussions: BGP Security Incidents
Day 3: RPKI and ROA Implementation
• Recap and Warm-Up
• Introduction to RPKI (Resource Public Key Infrastructure)
  • What is RPKI and why is it critical for BGP security?
  • Route Origin Authorization (ROA) overview
• ROA Creation
  • Practical session on generating ROAs
  • Deployment strategies in real-world networks
• ROV Implementation (Route Origin Validation)
  • How ROV works and its importance
  • Configuring ROV in router platforms
• Hands-on Lab 3: Deploying RPKI, ROA, and ROV
  • Setting up RPKI validators
  • Enabling ROA and configuring ROV in a lab environment
• Case Studies and Troubleshooting RPKI Failures
  • Common issues with RPKI and ROA
  • Real-world case studies of RPKI-related incidents
• Discussions on Global Routing Security Initiatives
  • MANRS, collaboration with peers, and IXP communities
Day 4: Full Day Hands-on Lab and Advanced Routing Security
• Recap and Lab Instructions
• Hands-on Lab 4: Advanced BGP Filtering and Policy Control
  • Configuring BGP prefix filtering
  • Blackholing routes for DDoS mitigation
• Hands-on Lab 5: Prefix and AS-Path Filtering
  • Implementing BGP prefix and AS_PATH filters
• Hands-on Lab 6: Connecting to IXP
  • Implementing secure peering policies in an IXP environment
• Understanding RPKI ASPA (Autonomous System Provider Authorization)
  • Overview of ASPA and its role in path validation
• Understanding AS Cone
  • Explanation of AS Cone concept in routing security
• Understanding BGPSec
  • Overview of BGPSec protocol for securing BGP
  • Differences between RPKI and BGPSec in routing security
  • Future implementation and practical applications of BGPSec
• Reviewing lab results
Other requirements
Participants are required to bring their own laptops, with administrative access to those devices.