SLIDE 1

Observatory of Internet Resilience in France

François Contat

ANSSI Agence nationale de la sécurité des systèmes d'information http://www.ssi.gouv.fr/en

RIPE 68 - May 12th, 2014

ANSSI - http://www.ssi.gouv.fr/bonnes-pratiques-bgp 1/14

SLIDE 2

ANSSI and Observatory

Created on July 7th, 2009, ANSSI is the national cyberdefence agency. Its main missions are:

  • Prevention
  • Defence of information systems

Internet resilience is one of its priorities. In 2011, the Observatory of Internet Resilience in France was created.

Publications:

  • Two reports on Internet status in France
  • BGP BCP

http://www.ssi.gouv.fr/en/

SLIDE 3

BGP Best Current Operational Practices

SLIDE 4

Why?

Motivations

  • BGP BCPs present in multiple documents
  • No single reference document
  • No adjustment depending on BGP interconnection type:
      • Transit
      • Peering
      • Customer

SLIDE 5

Who?

ANSSI

  • Pierre Lorinquer (main author)
  • Observatory Team (G. Valadon, M. Feuillet, F. Contat)

Operators

  • Association Kazar
  • France-IX
  • Jaguar Network
  • Neo Telecoms
  • Orange
  • RENATER
  • SFR

SLIDE 6

How?

First step: internal work

  • Classify BGP interconnections and define AS relationships
  • Draft a first recommendations list

Second step: collaborative work

  • Propose the recommendations list
  • Debate the importance of each recommendation

Third step: publication

  • Incorporate operators' comments
  • Publish on October 1st, 2013

SLIDE 7

BGP Best Current Operational Practices Document

SLIDE 8

Structure

Definitions

  • Interconnection types
  • AS relationships

Recommendation levels

Recommendations

  • Description
  • Examples

SLIDE 9

Definitions

Interconnection types

  • Direct interconnection
  • IXP Peering
  • IXP Route-server
  • Multihop

AS relationships

  • Transit / Customer (leaf)
  • Transit / Small transit
  • Peering

[Figure label: Internet Exchange Point]
[Figure labels: transit AS, « small transit » AS]

SLIDE 13

Recommendations

AS relationship dependent

  • TCP-Authentication
  • AS-PATH filtering
  • Prefixes filtering (route objects)
  • Max-prefix
  • Private AS removal

General recommendations

  • Martians filtering
  • Bogons filtering
  • Default route filtering
  • Log
  • Graceful restart
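
How several of the filters listed above combine on one BGP session, as an added Python example (not taken from the ANSSI document or its router configurations). The martian list, the reason names, the sample prefixes and ASNs are assumptions made for this example; it is IPv4 only, and bogon filtering, which needs a current list of unallocated space, is left out.

```python
import ipaddress

# Assumed IPv4 martian list (special-purpose blocks), constructed for this example.
MARTIANS = [ipaddress.IPv4Network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4")]
# Private-use ASN ranges (16-bit and 32-bit).
PRIVATE_ASNS = (range(64512, 65535), range(4200000000, 4294967295))


def is_private_as(asn):
    return any(asn in r for r in PRIVATE_ASNS)


def remove_private_as(as_path):
    """Private AS removal: drop private-use ASNs before re-announcing a path."""
    return [asn for asn in as_path if not is_private_as(asn)]


def reject_reasons(prefix, as_path, peer_as, allowed=None):
    """Return the filters an announcement trips; an empty list means accept."""
    net = ipaddress.IPv4Network(prefix)
    reasons = []
    if net.prefixlen == 0:
        reasons.append("default-route")
    elif any(net.subnet_of(m) for m in MARTIANS):
        reasons.append("martian")
    # AS-PATH filtering: the first AS must be the neighbour itself.
    if not as_path or as_path[0] != peer_as:
        reasons.append("as-path")
    # Prefix filtering for a "leaf" customer: only its declared prefixes.
    if allowed is not None and not any(
            net.subnet_of(ipaddress.IPv4Network(a)) for a in allowed):
        reasons.append("prefix-not-allowed")
    return reasons


def evaluate_session(announcements, peer_as, max_prefix, allowed=None):
    """Filter announcements, then apply max-prefix to the accepted ones.

    Counting after filtering is an assumption; routers differ on this.
    """
    accepted = [(p, path) for p, path in announcements
                if not reject_reasons(p, path, peer_as, allowed)]
    return accepted, len(accepted) > max_prefix
```
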

SLIDE 14

Recommendation example

BCP name                               AS relationship             Recommendation level   Remarks
Prefixes filtering allocated to peer   Transit / Customer (leaf)   Transit side:          Systematic filtering for « leaf » AS.
                                                                   Customer side: -
                                       Transit / small Transit     Transit side:
                                                                   Customer side: -
                                       Peering

SLIDE 15

Recommendation implementation

Router configurations

  • Each recommendation has a configuration sample
  • Configuration examples for:

Operating system          Version
SR-OS (Alcatel-Lucent)    10.0r5
IOS (Cisco)               15.2(4)S
Junos (Juniper)           11.4R3.7
OpenBGPD (OpenBSD)        5.3

  • Cisco and Juniper examples written by ANSSI
  • Alcatel-Lucent and OpenBGPD configurations provided by operators

SLIDE 16

Conclusion

How did it work?

  • Got feedback from French NOG members
  • Minor errors highlighted by readers after publication

The next report

  • Translate the document into English
  • Propose new recommendations (e.g. GTSM)
  • Propose route object/ROA declaration
  • Review old and new recommendations with operators:
      • Keep or remove
      • Change recommendation level
  • Update configuration examples (IOS XE/XR, etc.)

SLIDE 17

Questions?
