BGP Best Practices

ACLs on the Internet facing interface

You should permit BGP only with known peers, to prevent malicious entities attempting to harm your BGP process by spoofing your neighbor’s IP.

You should permit inbound traffic only to your prefixes. There’s no sense accepting traffic for networks you don’t own.

You should deny inbound traffic from bogons.

MD5 passphrase with peers
ttl-security with peers (especially if you’re doing MD5)

Internet good naturedness
Control outbound advertisements
Use prefix lists to ensure that you only advertise your prefixes
Control inbound traffic: http://www.bcp38.info/index.php/Main_Page
Route RFC1918 traffic to null
Use URPF to ensure your outbound traffic isn’t spoofed
Disable NTP on Internet facing interface

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s