Wozney Enterprises Limited

BGP Best Practices

ACLs on the Internet facing interface

You should permit BGP only with known peers, to prevent malicious entities attempting to harm your BGP process by spoofing your neighbor’s IP.

You should permit inbound traffic only to your prefixes. There’s no sense accepting traffic for networks you don’t own.

You should deny inbound traffic from bogons.

MD5 passphrase with peers
ttl-security with peers (especially if you’re doing MD5)

Internet good naturedness
Control outbound advertisements
Use prefix lists to ensure that you only advertise your prefixes
Control inbound traffic: http://www.bcp38.info/index.php/Main_Page
Route RFC1918 traffic to null
Use URPF to ensure your outbound traffic isn’t spoofed
Disable NTP on Internet facing interface

Leave a Reply

Your email address will not be published. Required fields are marked *