On 7/8/13 3:22 PM, Henrik Lund Kramshøj wrote:
In no particular order, and based on stuff I do myself.
*) DNS in auth and recursive, I always suggest keeping them in two separate "servers" (might be VMs) to ensure not opening up auth server for recursion etc.
Hi, This could be a great and useful document. I also heard that some operators also use different HW/OS platforms and different DNS server combinations (and anycast resolvers in their network) to minimize the probability that one vulnerability (OS or server) brings down all their resolvers. I think that this is also one of the good practices that could be useful to many.
*) Perhaps best current practice documents that even present BGP policies in general, like the old book "Cisco ISP Essentials (Cisco Press Networking Technology) [Paperback]" from 2002, available in free and open format, would be great for getting more secure and robust networking. Having examples in some popular variants would be great: Juniper, Cisco, BIRD, OpenBGPD. I also myself used the cymru web site a lot for similar stuff, http://www.team-cymru.org/ReadingRoom/Templates/
This is a good resource and should be included in a BCOP document about BGP practices in general.
*) a small subject I would also like to see is ICMP filtering. We want people to know that blocking all of ICMP is bad for them and the internet. It prevents PMTU from working and is required for a lot of testing.
With practical filter examples for different firewalls from different vendors? Agree :)
So maybe some re-iteration of the ICMP and presenting also the pingable attribute in whois? (I don't use pingable myself yet, but perhaps receiving a nice BCOP doc would make me add some)
Wow, nice suggestion.
I wonder if testing is also part of this?
*) How to test your network performance, recommending some starting point for common testing inside networks; in my end of the world it seems to be iperf and smokeping that rule the land. I was pretty inspired by Jen Linkova at the RIPE65 meeting talking about creating stacked packets for testing MPLS.
That is a good topic that should be documented - and it also reminds me of another one - how to measure and understand the global visibility/performance of your network. Many people don't entirely understand that visibility from the Internet is an issue - they connect to upstreams, announce their resources and live happily ever after. A nice, practical and clear document on how to measure their visibility from other parts of the world would also help many people. Adding Job Sneiders to cc: (not sure he's on the mailing list), Job would you be interested in adding some experience on this topic (or maybe even start a BCOP document?)? Cheers, Jan Zorz P.S.: BCOP ml subscription link: https://www.ripe.net/mailman/listinfo/bcop
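The auth/recursive separation point raised above, as an added example that is not part of the thread: a small Python audit script (my own, not from any of the participants) that sends a recursion-desired query to one of your own authoritative servers for a name it is not authoritative for (assumed here to be example.com) and reports whether the reply header advertises recursion (RA flag set, or a non-authoritative answer returned), which is what an auth-only server must never do.

```python
"""Audit that an authoritative-only DNS server is not offering recursion."""
import socket
import struct
import sys

FLAG_RD = 0x0100  # recursion desired (query)
FLAG_RA = 0x0080  # recursion available (reply)
FLAG_AA = 0x0400  # authoritative answer (reply)


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Raw DNS query for <name> A/IN with RD set, so the server may recurse if it allows it."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte reply header into the fields the audit cares about."""
    if len(resp) < 12:
        raise ValueError("truncated DNS reply")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "ra": bool(flags & FLAG_RA), "aa": bool(flags & FLAG_AA),
            "rcode": flags & 0x000F, "ancount": an}


def recursion_open(resp: bytes) -> bool:
    """True when the server advertises recursion or answered a zone it does not own."""
    h = parse_header(resp)
    return h["ra"] or (h["ancount"] > 0 and not h["aa"])


def check_server(ip: str, probe_name: str = "example.com.", timeout: float = 3.0) -> bool:
    """Send the probe over UDP/53 and return True if recursion is open; REFUSED or RA=0 is fine."""
    query = build_query(probe_name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        resp, _ = s.recvfrom(4096)
    if parse_header(resp)["id"] != 0x1234:
        raise ValueError("reply ID mismatch, ignoring")
    return recursion_open(resp)


if __name__ == "__main__":
    for server in sys.argv[1:]:  # usage: python audit_recursion.py <auth-server-ip> ...
        print(server, "OPEN RECURSION" if check_server(server) else "auth-only, ok")
```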