├── 00.general.routing.security.md
├── 01.data.plane.md
├── 02.management.plane.md
├── 03.control.plane.md
├── 04.bgp.techniques.md
└── README.md

/00.general.routing.security.md:

## General routing security

* [IOS XR hardening](https://tools.cisco.com/security/center/resources/increase_security_ios_xr_devices.html)
* [IOS XR LPTS on ASR 9000](https://supportforums.cisco.com/document/93456/asr9000xr-local-packet-transport-services-lpts-copp)

## Service Provider security groups, forums, projects and associations

* [MANRS, Mutually Agreed Norms for Routing Security, ISP guides](https://www.manrs.org/isps/guide/)

## Service Provider Network Operator Groups

* [NANOG](https://www.nanog.org/)
* [PLNOG](https://plnog.pl/en/)
* [RIPE](https://ripe.net)

## Training materials

* [RIPE training repo](https://www.ripe.net/support/training/material/)

## Hardening and best practices guides

* [BGP Filtering Guidance (NLNOG)](https://bgpfilterguide.nlnog.net/)
* [BGP Best Practices (NSA)](https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/ctr-guide-to-border-gateway-protocol-best-practices.pdf)
* [BGP Best Practices (ENISA)](https://www.enisa.europa.eu/publications/7-steps-to-shore-up-bgp/@@download/fullReport)
* [BGP Best Practices (ANSSI)](https://www.ssi.gouv.fr/uploads/2016/03/bgp-configuration-best-practices.pdf)

/01.data.plane.md:

## Data plane

### unicast Reverse Path Filtering (uRPF)

* [RFC 2827: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing](https://datatracker.ietf.org/doc/html/rfc2827)
* [RFC 3704: Ingress Filtering for Multihomed Networks](https://datatracker.ietf.org/doc/html/rfc3704)
* [Unicast Reverse Path Forwarding for the ISPs](https://www.cisco.com/c/dam/en_us/about/security/intelligence/urpf.pdf)
* [Ivan Pepelnjak - Does uRPF Make Sense in Internet Service Provider Networks?](https://blog.ipspace.net/2014/01/does-urpf-make-sense-in-internet.html)

### MACsec

* [Juniper Deploying MACsec](https://www.juniper.net/documentation/en_US/day-one-books/DO_MACsec_UR.pdf)

/02.management.plane.md:

## Management plane

* [Management Plane Protection for Cisco IOS/IOS-XE](https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html)
* [Management Plane Protection for Cisco XR](https://www.cisco.com/c/en/us/td/docs/iosxr/cisco8000/security/b-system-security-cr-cisco8000/management-plane-protection-commands.html)
* [BSI recommendations for vendors of CPE routers](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03148/TR03148.pdf;jsessionid=01F54E80B004E9BFB194DBC00DE9B961.2_cid360?__blob=publicationFile&v=2)

/03.control.plane.md:

## Control plane

### RFCs

* [RFC 3882: Configuring BGP to Block Denial-of-Service Attacks](https://datatracker.ietf.org/doc/html/rfc3882)
* [RFC 5635: Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding](https://datatracker.ietf.org/doc/html/rfc5635)
* [RFC 6192: Protecting the Router Control Plane](https://datatracker.ietf.org/doc/html/rfc6192)
* [RFC 6666: BGP blackholing discard prefix for IPv6](https://datatracker.ietf.org/doc/html/rfc6666)
* [RFC 7454: BGP Operations and Security](https://tools.ietf.org/html/rfc7454)
* [RFC 7999: BGP BLACKHOLE community](https://datatracker.ietf.org/doc/html/rfc7999)
* [RFC 8212: Default external BGP Route Propagation Behavior without Policies](https://datatracker.ietf.org/doc/html/rfc8212)

### BGP

* [Cisco: Deploying BGP FlowSpec on IOS XR](https://community.cisco.com/t5/service-providers-documents/asr9000-xr-understanding-bgp-flowspec-bgp-fs/ta-p/3139916)
* [Cisco: BGP FlowSpec on NCS 5500 implementation notes](https://xrdocs.io/ncs5500/tutorials/bgp-flowspec-on-ncs5500/)
* [Juniper: Deploying Secure BGP](https://www.juniper.net/documentation/en_US/day-one-books/DO_BGP_SecureRouting2.0.pdf)
* [Juniper: Deploying BGP FlowSpec](https://www.juniper.net/documentation/en_US/day-one-books/DO_BGP_FLowspec.pdf)

### BGP RFCs

* [RFC 1997 - BGP Community](https://datatracker.ietf.org/doc/html/rfc1997)
* [RFC 4360 - BGP Extended Community](https://datatracker.ietf.org/doc/html/rfc4360)
* [RFC 8092 - BGP Large Community](https://datatracker.ietf.org/doc/html/rfc8092)

### Hardening guides and whitepapers

* [Cisco: Securing the Control Plane](https://www.ciscopress.com/articles/article.asp?p=2928193&seqNum=3)
* [Cisco: IOS/IOS-XE hardening guide](https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html)
* [Cisco: IOS XR hardening guide](https://tools.cisco.com/security/center/resources/increase_security_ios_xr_devices.html)
* [Cisco: IOS XR LPTS on ASR 9000](https://community.cisco.com/t5/service-providers-documents/asr9000-xr-local-packet-transport-services-lpts-copp/ta-p/3123792)
* [Cisco: IOS XR LPTS on NCS 5500](https://xrdocs.io/ncs5500/tutorials/introduction-to-ncs55xx-and-ncs5xx-lpts/)
* [Cisco: NX-OS hardening guide](https://tools.cisco.com/security/center/resources/securing_nx_os.html)
* [Cisco: 6500/6800 Supervisor 2T Control Plane configuration](https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/118806-config-catalyst-00.html)
* [Juniper: Protecting the Routing Engine (Day One)](https://kb.juniper.net/library/CUSTOMERSERVICE/Securing_RouteEngine2.pdf)
* [Juniper: Hardening Junos devices](https://www.juniper.net/documentation/en_US/day-one-books/TW_HardeningJunosDevices_2ndEd.zip)

### Device architecture resources

* [Juniper: MX 3D Packet Walkthrough book](https://www.juniper.net/documentation/en_US/day-one-books/TW_MX3D_PacketWalkthrough.pdf)
* [Juniper: M, MX and T series Packet Walkthrough book](https://www.juniper.net/documentation/en_US/day-one-books/Packet_Walkthrough.zip)

/04.bgp.techniques.md:

### BGP blackholing

* [S/RTBH with ASR 9000 and Cisco IOS XR](https://www.cisco.com/c/en/us/support/docs/routers/asr-9000-series-aggregation-services-routers/116386-configure-asr9000-00.html)
* [S/RTBH and D/RTBH on Cisco IOS and IOS-XE](https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf)
* [S/RTBH and D/RTBH on Cisco XR with IPv4 and IPv6](https://community.cisco.com/t5/service-providers-documents/using-destination-and-source-based-bgp-rtbh-on-ios-xr-platforms/ta-p/3130673)
* [BGP blackholing, sinkholing and FlowSpec usage](https://lukasz.bromirski.net/docs/prezos/certee2017/BGP_Security_101.pdf)
* [BGP blackholing in MPLS VPN](https://community.cisco.com/t5/service-providers-documents/using-bgp-rtbh-in-vpnv4/ta-p/3118265)

### BGP sinkholing

* [NANOG #28: Sinkholes](https://archive.nanog.org/meetings/nanog28/presentations/sink.pdf)
* [APRICOT 2015: Sinkholes](https://www.senki.org/wp-content/uploads/2015/03/009-Sink-Holes-2012-02-25.pdf)

### BGP QPPB (QoS Policy Propagation via BGP)

* [Configuring BGP QPPB on Cisco ASR 9000](https://community.cisco.com/t5/service-providers-documents/asr9000-xr-implementing-qos-policy-propagation-for-bgp-qppb/ta-p/3136639)
* [QPPB in Cisco IOS and IOS-XE](http://ptgmedia.pearsoncmg.com/images/9781587201240/appendix/QPPBSection.pdf)

### BGP FlowSpec

* [BGP FlowSpec in IOS XR](https://supportforums.cisco.com/document/12226726/asr9000xr-understanding-bgp-flowspec-bgp-fs)

### BGP RPKI

* [RIPE RPKI tools](https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/tools-and-resources)
* [BGP RPKI with IOS XR](https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/217020-bgp-rpki-with-xr7-cisco8000-whitepaper.html)
* [BGP RPKI with Junos](https://www.juniper.net/documentation/en_US/release-independent/nce/topics/topic-map/nce-187-bgp-rpki-tn-overview.html)
* [BGP RPKI NIST monitor](https://rpki-monitor.antd.nist.gov/)
* [BGP RPKI RIPE per-country stats](https://stat.ripe.net/widget/country-routing-stats)
* [BGP RPKI Internet Society tools](https://www.internetsociety.org/deploy360/securing-bgp/statistics/)

/README.md:

# Service Provider security reference materials

Collected, groomed and maintained by Łukasz Bromirski. Feel free to use and share :)

Copy of the https://null0.pl repository.

* [General routing security](https://github.com/lukasz-bromirski/sp-security/blob/main/00.general.routing.security.md)
* Logical planes - protections
  * [Control plane](https://github.com/lukasz-bromirski/sp-security/blob/main/03.control.plane.md)
  * [Management plane](https://github.com/lukasz-bromirski/sp-security/blob/main/02.management.plane.md)
  * [Data plane](https://github.com/lukasz-bromirski/sp-security/blob/main/01.data.plane.md)
* BGP
  * [Techniques for routing security](https://github.com/lukasz-bromirski/sp-security/blob/main/04.bgp.techniques.md)