Observatory of Internet Resilience in France - RIPE 68 of Internet Resilience in France François...

Observatory of Internet Resilience in FranceFrançois Contat

ANSSIAgence nationale de la sécurité des systèmes d'information

http://www.ssi.gouv.fr/enRIPE 68 - May 12th, 2014

ANSSI - http://www.ssi.gouv.fr/bonnes-pratiques-bgp 1/14

ANSSI and Observatory..Created on July 7th 2009, the ANSSI is the nationalcyberdefence agency.Main missions are:

• Prevention• Defence of information systems

Internet resilience is one of its priority.In 2011, The Observatory of Internet resilience in France is created.Publications:

• Two reports of Internet status in France• BGP BCP

http://www.ssi.gouv.fr/en/

BGP Best Current Operational Practices

Motivations• BGP BCPs present in multiple documents• No single reference document• No adjustment depending on BGP interconnection type:

• Transit• Peering• Customer

ANSSI• Pierre Lorinquer (main author)• Observatory Team (G. Valadon, M. Feuillet, F. Contat)

Operators• Association Kazar• France-IX• Jaguar Network• Neo Telecoms• Orange• RENATER• SFR

First step: internal work• Classify BGP interconnections and define AS relationships• Draft a first recommendations list

Second step: collaborative work• Propose the recommendations list• Debate the importance of each recommendation

Third step: publication• Implement Operators comments• Publish on October 1st, 2013

BGP Best Current Operational PracticesDocument

Structure

Definitions• Interconnection types• As relationships

Recommendations levels

Recommendations• Description• Examples

Definitions

Interconnection types• Direct interconnection• IXP Peering• IXP Route-server• Multihop

AS relationships• Transit / Customer (leaf)• Transit / Small transit• Peering

Definitions

InternetExchangePoint

Definitions

transit AS

« small transit »AS

RecommendationsAS relationship dependant

• TCP-Authentication• AS-PATH filtering• Prefixes filtering (route objects)• Max-prefix• Private AS removing

General recommendations• Martians filtering• Bogons filtering• Default route filtering• Log• Graceful restart

Recommendation example

BCP name AS relationship Recommendationlevel Remarks

Prefixesfiltering

allocated topeer

Transit /Customer (leaf)

Transit side:

Systematicfiltering for« leaf » AS.

Customer side: -

Transit / smallTransit

Transit side:

Customer side: -

Peering

Recommendation implementation

Routers configurations• Each recommendation has configuration sample• Configuration examples for:

Operating system VersionSR-OS (Alcatel-Lucent) 10.0r5

IOS (Cisco) 15.2(4)SJunos (Juniper) 11.4R3.7

OpenBGPD (OpenBSD) 5.3• Cisco, Juniper made by ANSSI• Alcatel and openBGPd configuration given by Operators

Conclusion

How did it work?• Got feedbacks from French nog members• Minors errors hilighted by readers after publication

The next report• Translate the document in English• Propose new recommendations (ex: GTSM)• Propose route object/ROA declaration• Review old and new recommendations with operators

• Keep or remove• Change recommendation level• Update configuration examples (IOS XE/XR, etc.)• …

Questions?

Observatory of Internet Resilience in France - RIPE 68 of Internet Resilience in France François...

Documents

Transcript of Observatory of Internet Resilience in France - RIPE 68 of Internet Resilience in France François...

AFRINIC Update Adiel A. Akplogan CEO, AFRINIC RIPE-68, Warsaw (Poland) May 2014.

Policy Development in RIPE & the RIPE NCC

RIPE 68 Webinar

Workshop: Advanced RIPE Atlas Usage · Workshop: Advanced RIPE Atlas Usage — RIPE 70 Deﬁnition •RIPE Atlas = global active measurements platform •Goal: View Internet reachability

RIPE Whois Database Query Reference Manual - RIPE NCC

DDoS$Damage$Control$ Cheap$&$eﬀec3ve$ - RIPE 68€¦ · DDoS$Damage$Control$ Cheap$&$eﬀec3ve$ $ $ JobSnijders job@ins3tuut.net $$ RIPE68$

RIPE NCC Update - ENOG | RIPE NCC Regional Meeting NCC RIPE NCC Update. ... •Maintains the RIPE Database ... - Using RIPE NCC services - The RIPE Policy Development Process

State of African Interconnection & Peering RIPE 2015 Ripe.

BGP in 2013 (and a bit of 2014) Geoff Huston APNIC RIPE 68.

MAT-WG - RIPE 78 v3 · RIPE NCC Tools Update Christopher Amin | 23 May 2019 | RIPE 78. RIPE Atlas. ... functionality-for-the-ripe-atlas-measurement-detail-page. Christopher Amin |

IPv6 deployment at CERN - RIPE 68 · 1 CERN IT Department CH-1211 Genève 23 Switzerland IPv6 deployment at CERN RIPE IPv6 working group Warsaw, 15th May 2014 edoardo.martelli@cern.ch

RIPE Network Coordination Centre · IPv6 address Has Same mail ser.ers vast majority 0.60/ addresses per IPv6 address Measurements of IPv6 penetration in Hungary spect ONS RIPE 68

Building Business Resilience to Protect Against a ...€¦ · Building Business Resilience to Protect Against a Destructive Cyber Attack ... 68% of business leaders state their cyber

RIPE NCC measurement network update - RIPE 60

Redeye Report RIPE 68 · 2014-05-16 · Redeye Report RIPE 68 Paul Wilson . ... – ARM 3 with bdNOG, May 2014 14 . Infrastructure Support 15 Training and equipment for Vanuatu IXP

RIPE 79 Community Plenary v2 · RIPE 79 Community Plenary, 17 October 2019 Agenda RIPE Community Plenary • Introduction, – Hans Petter Holen, RIPE Chair • RIPE Chair Selection

RIPE NCC Activity Plan 2009 · RIPE NCC Document ID: ripe-439 Date: December 2008 Obsoletes: ripe-426 Section A: RIPE NCC Vision and Focus 1. Vision and Strategy The RIPE Network

LIR Tutorial - RIPE Network Coordination Centre · RIPE 54, Tallinn RIPE NCC Tutorial 1 RIPE Network Coordination Centre Welcome to the LIR Tutorial RIPE NCC

Euro-IX Update RIPE 68 – Warsaw Bijal Sanghani Bijal at euro-ix dot net Twitter: @euroix.

RIPE vs RIPE NCC - ENOG | RIPE NCC Regional Meeting · IPv6 Open Source RIPE NCC Services Routing Measurement, Analysis and Tools (MAT) Hans Petter Holen, RIPE 70 Opening Plenary,