SP 800-189 (Draft), Resilient Interdomain Traffic Exchange
https://csrc.nist.gov/publications/detail/sp/800-189/draft

This document provides technical guidance and recommendations for technologies that improve the security and robustness of interdomain traffic exchange. Technologies recommended in this document for securing the interdomain routing control traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS and DDoS attacks include prevention of IP address spoofing using source address validation with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate limiting (RRL) are also recommended as part of the overall security mechanisms.

dougm
--
Doug Montgomery, Manager Internet & Scalable Systems Research @ NIST
Dear Douglas,

Thanks for sharing the link. This is an impressive effort!

Can you share with the group what the best way is to share feedback to effect changes in the document? Is there a difference between just emailing you or are there official channels to be considered?

Kind regards,

Job

On Mon, Oct 28, 2019 at 16:04 Montgomery, Douglas C. (Fed) via NANOG <nanog@nanog.org> wrote:

> https://csrc.nist.gov/publications/detail/sp/800-189/draft
>
> This document provides technical guidance and recommendations for technologies that improve the security and robustness of interdomain traffic exchange. Technologies recommended in this document for securing the interdomain routing control traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS and DDoS attacks include prevention of IP address spoofing using source address validation with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate limiting (RRL) are also recommended as part of the overall security mechanisms.
>
> dougm
> --
> Doug Montgomery, Manager Internet & Scalable Systems Research @ NIST
Sorry, finger faulted and hit send by accident.

In response to Ruediger's comment about guidance to USG agencies / networks on the issues of BGP, there is NIST guidance under development that addresses this.

NIST SP.800-189 - Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation

The document is out for public review. We welcome any and all feedback. The URL below contains links to the draft document as well as the process for submitting comments.

Thanks

dougm
--
DougM at NIST

> From: Doug Montgomery <dougm@nist.gov>
> Date: Monday, October 28, 2019 at 4:03 PM
> To: "nanog@nanog.org" <nanog@nanog.org>
> Subject: SP 800-189 (Draft), Resilient Interdomain Traffic Exchange
>
> https://csrc.nist.gov/publications/detail/sp/800-189/draft
>
> This document provides technical guidance and recommendations for technologies that improve the security and robustness of interdomain traffic exchange. Technologies recommended in this document for securing the interdomain routing control traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS and DDoS attacks include prevention of IP address spoofing using source address validation with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate limiting (RRL) are also recommended as part of the overall security mechanisms.
>
> dougm
> --
> Doug Montgomery, Manager Internet & Scalable Systems Research @ NIST
participants (2)
- Job Snijders
- Montgomery, Douglas C. (Fed)