Re: ISP best practices

2009-06-28 Thread Dennis Dayman

On May 21, 2009, at 3:38 PM, Philip Lavine wrote:



> To all,
>
> I am sure this has been asked 10 to the 1 millionth power times,
> however may be the rules have changed. I am looking to set up a really
> small ISP with a few /24's. I want to host DNS as well. Is there any
> whitepapers/howtos/best practices on setting up multihomed BGP and DNS
> with BIND so I don't blow up the Internet.


not sure if any of these help, but you might want to also take MAAWG's  
Published Documents


http://www.maawg.org/about/publishedDocuments

-Dennis




Re: ISP best practices

2009-06-28 Thread Steve Bertrand
Barry Raveendran Greene wrote:
> The best training available on the Net for a small ISP to learn from the
> best is available. At www.nanog.org!
> 
> All the NANOGs are on VOD. Just go to the presentation archive:
> http://www.nanog.org/presentations/archive/. Put in a keyword to search (say
> "BGP Tutorial"), cook some popcorn, and sit back and enjoy the session. 

It helps also to communicate with people.

[speaking in small sp context]

If you know any of the engineers or operators of your upstream, perhaps
ask them questions from time to time. If you really know them (and are
serious about learning) ask them if they can provide you sample config
snips.

Contact the people that run your local IXP. I've found that the
operators of the exchange points are an aggregation point of 'the best
of the best from the best' information, as they generally discuss
solutions with chief engineers of all companies that connect to their
fabric.

IXP ops are a rich source not only of technical information, but also of
industry best practises relating to how other providers might prefer to
be approached, if they like or dislike feedback, and whether they care
to be approached at all.

Don't go bombarding your local IXP op with silly questions, it's just
another decent source of information, as they seem to be like
myself...if you ask a well-thought-out question, you will likely get an
answer (even if it's "I dunno, look over there").

With the books I mentioned earlier in the thread, and that others have
re-mentioned, I prefer:

- read
- lab up current environment
- implement what you read in lab
- test for breakage
- pilot lab findings into production
- update/tighten control features
- implement across network
- watch for inconsistencies, but continue to tighten rules
- read more
- rinse,repeat

Steve

ps. as always, thanks Jon.




Re: ISP best practices

2009-06-28 Thread randal k
I agree with this wholeheartedly. Phil Smith's presentations and
papers are fantastic. I'm certain that a sizable portion of the
Internet operates because of the material that he has, and continues
to, put together.

Cheers,
Randal

On Sun, Jun 28, 2009 at 6:20 AM, Gregoire Villain wrote:
>> O Hai!
>
> I would highly advise you have a read at any presentation by Phil Smith:
> ftp://ftp-eng.cisco.com/pfs/seminars (anonymous login)
> Read as much as you can from here 1st thing 1st - this is all solid ground
> knowledge.
>



RE: ISP best practices

2009-06-28 Thread Barry Raveendran Greene

The best training available on the Net for a small ISP to learn from the
best is available. At www.nanog.org!

All the NANOGs are on VOD. Just go to the presentation archive:
http://www.nanog.org/presentations/archive/. Put in a keyword to search (say
"BGP Tutorial"), cook some popcorn, and sit back and enjoy the session. 




> -Original Message-
> From: Gregoire Villain [mailto:na...@greg.net] 
> Sent: Sunday, June 28, 2009 5:21 AM
> To: nanog@nanog.org
> Subject: Re: ISP best practices
> 
> 
> On May 21, 2009, at 3:38 PM, Philip Lavine wrote:
> 
> >
> > To all,
> >
> > I am sure this has been asked 10 to the 1 millionth power times, 
> > however may be the rules have changed. I am looking to set 
> up a really 
> > small ISP with a few /24's. I want to host DNS as well. Is 
> there any 
> > whitepapers/howtos/best practices on setting up multihomed 
> BGP and DNS 
> > with BIND so I don't blow up the Internet.
> >
> > Thx
> >
> > Philip
> 
> O Hai!
> 
> I would highly advise you have a read at any presentation by 
> Phil Smith:
> ftp://ftp-eng.cisco.com/pfs/seminars (anonymous login) Read 
> as much as you can from here 1st thing 1st - this is all 
> solid ground knowledge.
> 
> Then, give a quick read at Cisco's BGP Case Study online on the CCO.
> And you're OK to go.
> 
> Now if you want paper material that you can keep, I'd suggest 
> "Internet Routing Architectures" by Sam Halabi - Cisco Press, 
> even though it's getting old, I find it still very valid. 
> Make sure you have a read at team-cymru.org before you roll 
> out your  AS, for their BOGONs/Martians ACLs and peerings, as 
> it sure helps.
> 
> Bear in mind BGP is a simplistic protocol. The pain point 
> *will* be your IGP (if you want to do it correctly from start...)
> 
> Greg VILLAIN
> 
> 




Re: ISP best practices

2009-06-28 Thread Suresh Ramasubramanian
On Sun, Jun 28, 2009 at 5:50 PM, Gregoire Villain wrote:
> I would highly advise you have a read at any presentation by Phil Smith:
> ftp://ftp-eng.cisco.com/pfs/seminars (anonymous login)
> Read as much as you can from here 1st thing 1st - this is all solid ground
> knowledge.

And Philip / Barry's Cisco ISP Essentials is a good buy, even if you
use non cisco gear ..
http://www.ciscopress.com/bookstore/product.asp?isbn=1587050412

--srs



Re: ISP best practices

2009-06-28 Thread Gregoire Villain


On May 21, 2009, at 3:38 PM, Philip Lavine wrote:



To all,

I am sure this has been asked 10 to the 1 millionth power times,  
however may be the rules have changed. I am looking to set up a  
really small ISP with a few /24's. I want to host DNS as well. Is  
there any whitepapers/howtos/best practices on setting up multihomed  
BGP and DNS with BIND so I don't blow up the Internet.


Thx

Philip


O Hai!

I would highly advise you have a read at any presentation by Phil Smith:
ftp://ftp-eng.cisco.com/pfs/seminars (anonymous login)
Read as much as you can from here 1st thing 1st - this is all solid  
ground knowledge.


Then, give a quick read at Cisco's BGP Case Study online on the CCO.
And you're OK to go.

Now if you want paper material that you can keep, I'd suggest  
"Internet Routing Architectures" by Sam Halabi - Cisco Press, even  
though it's getting old, I find it still very valid. Make sure you  
have a read at team-cymru.org before you roll out your  AS, for their  
BOGONs/Martians ACLs and peerings, as it sure helps.


Bear in mind BGP is a simplistic protocol. The pain point *will* be  
your IGP (if you want to do it correctly from start...)


Greg VILLAIN



Re: ISP best practices

2009-05-21 Thread Lamar Owen
On Thursday 21 May 2009 10:14:00 am Roland Dobbins wrote:
> On May 21, 2009, at 8:45 PM, Steve Bertrand wrote:
> > Securing IP Network Traffic Planes:
> > - http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365
>
> I can't recommend this book enough - it's the current canonical
> reference on opsec-related BCPs for network infrastructure, IMHO (full
> disclosure:  I was fortunate enough to have the opportunity to provide
> some feedback to the authors as they worked on this tome, but have no
> financial interest whatsoever in its publication or sales thereof).

Ah, a good use for my Safari account.

Hmm, there's you a resource; for ~$20 per month, get access to books to read 
online, download chapters in PDF format for later perusal.  I can read this, 
and if it looks like something I want, I also get a discount ordering through 
informit.  Safari: http://my.safaribooksonline.com/home

You do need to read a lot to make it worthwhile; advantage is that you don't 
have to store or resell the book later.



Re: ISP best practices

2009-05-21 Thread Seth Mattinen
Adam Kennedy wrote:
> Bind is fully capable of IPv6. When combined with Webmin (www.webmin.com),
> I'm not sure how much easier Bind can get. Webmin will also keep DNSSEC keys
> up to date with changes, so long as you make those changes from within
> Webmin. If you make changes in CLI, you can tell Webmin to rehash the keys
> manually. It's as simple as clicking a GUI button.
> 

Does anyone still use probind?  As much as I am gung-ho command line,
managing a huge amount of DNS can get ugly.

~Seth



Re: ISP best practices

2009-05-21 Thread Shane Ronan

I have to agree.

I've been working with BIND for over 10 years, and still use webmin to  
help me keep things organized.



On May 21, 2009, at 4:58 PM, Justin Wilson - MTIN wrote:



We have several clients using Webmin. If you don’t know command line
Webmin is another tool to help you learn.  You can have webmin do it and
then look at the config to learn.

Justin


From: Jason Bertoch 
Date: Thu, 21 May 2009 16:48:42 -0400
To: 
Subject: RE: ISP best practices


-Original Message-
From: Adam Kennedy [mailto:akenn...@cyberlinktech.com]
Sent: Thursday, May 21, 2009 4:41 PM
To: NANOG
Subject: Re: ISP best practices

...When combined with Webmin (www.webmin.com),





Jason A. Bertoch
Network Administrator
ja...@electronet.net
Electronet Broadband Communications
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771







Re: ISP best practices

2009-05-21 Thread Justin Wilson - MTIN
We have several clients using Webmin. If you don't know command line
Webmin is another tool to help you learn.  You can have webmin do it and
then look at the config to learn.

Justin


From: Jason Bertoch 
Date: Thu, 21 May 2009 16:48:42 -0400
To: 
Subject: RE: ISP best practices

> -Original Message-
> From: Adam Kennedy [mailto:akenn...@cyberlinktech.com]
> Sent: Thursday, May 21, 2009 4:41 PM
> To: NANOG
> Subject: Re: ISP best practices
> 
> ...When combined with Webmin (www.webmin.com),




Jason A. Bertoch
Network Administrator
ja...@electronet.net
Electronet Broadband Communications
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771




RE: ISP best practices

2009-05-21 Thread Jason Bertoch
> -Original Message-
> From: Adam Kennedy [mailto:akenn...@cyberlinktech.com]
> Sent: Thursday, May 21, 2009 4:41 PM
> To: NANOG
> Subject: Re: ISP best practices
> 
> ...When combined with Webmin (www.webmin.com),




Jason A. Bertoch
Network Administrator
ja...@electronet.net
Electronet Broadband Communications
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771




Re: ISP best practices

2009-05-21 Thread Shane Ronan

Apologies, this should have said I learned BGP initially not DNS.

Sorry!!

On May 21, 2009, at 4:38 PM, Shane Ronan wrote:

I learned DNS initially by reading some great documents by Avi  
Freedman, they are a little out dated, but still very relevant and  
posted on his website @ http://www.freedman.net/



On May 21, 2009, at 9:38 AM, Philip Lavine wrote:



To all,

I am sure this has been asked 10 to the 1 millionth power times,  
however may be the rules have changed. I am looking to set up a  
really small ISP with a few /24's. I want to host DNS as well. Is  
there any whitepapers/howtos/best practices on setting up  
multihomed BGP and DNS with BIND so I don't blow up the Internet.


Thx

Philip













Re: ISP best practices

2009-05-21 Thread Adam Kennedy
Bind is fully capable of IPv6. When combined with Webmin (www.webmin.com),
I'm not sure how much easier Bind can get. Webmin will also keep DNSSEC keys
up to date with changes, so long as you make those changes from within
Webmin. If you make changes in CLI, you can tell Webmin to rehash the keys
manually. It's as simple as clicking a GUI button.


On 5/21/09 11:06 AM, "Curtis Maurand"  wrote:

> 
> Check out www.powerdns.com as an alternative to bind.  Its faster, more
> secure, does IPV6 and easier to maintain.
> 
> Curtis
> 
> Philip Lavine wrote:
>> To all,
>> 
>> I am sure this has been asked 10 to the 1 millionth power times, however may
>> be the rules have changed. I am looking to set up a really small ISP with a
>> few /24's. I want to host DNS as well. Is there any whitepapers/howtos/best
>> practices on setting up multihomed BGP and DNS with BIND so I don't blow up
>> the Internet.
>> 
>> Thx
>> 
>> Philip
>> 
>> 
>> 
>>   
>> 
>>   
> 

-- 
Adam Kennedy
Senior Network Administrator
Cyberlink Technologies, Inc.
Phone: 888-293-3693 x4352
Fax: 574-855-5761




Re: ISP best practices

2009-05-21 Thread Shane Ronan
I learned DNS initially by reading some great documents by Avi  
Freedman, they are a little out dated, but still very relevant and  
posted on his website @ http://www.freedman.net/



On May 21, 2009, at 9:38 AM, Philip Lavine wrote:



To all,

I am sure this has been asked 10 to the 1 millionth power times,  
however may be the rules have changed. I am looking to set up a  
really small ISP with a few /24's. I want to host DNS as well. Is  
there any whitepapers/howtos/best practices on setting up multihomed  
BGP and DNS with BIND so I don't blow up the Internet.


Thx

Philip










Re: ISP best practices

2009-05-21 Thread Curtis Maurand


You're correct on the blanket statement.  apologies.

--C

Joe Abley wrote:


On 21-May-2009, at 11:06, Curtis Maurand wrote:

Check out www.powerdns.com as an alternative to bind.  Its faster, 
more secure, does IPV6 and easier to maintain.


I have heard lots of good things about PowerDNS, and I'm quite 
prepared to believe that it's a natural choice for a DNS hosting 
service where the database back-end makes for far simpler provisioning 
and control than managing a pile of config files.


However, you're not necessarily doing anybody any favours in making 
statements like "faster", "more secure" and "does IPv6". DNS servers 
are complicated beasts, and simplistic comparisons are not useful for 
much (it'd be trivial to give you examples where PowerDNS is slower 
and less secure, for example, and BIND9 has done IPv6 for the better 
part of a decade).



Joe




Re: ISP best practices

2009-05-21 Thread Joe Abley


On 21-May-2009, at 12:14, bmann...@vacation.karoshi.com wrote:


...done IPv6 for the better part of a decade...

well yeah, for some very loose definition of "doing IPv6"


You no doubt have greater expectations than I in that regard :-)


Joe



Re: ISP best practices

2009-05-21 Thread bmanning
On Thu, May 21, 2009 at 12:00:58PM -0400, Joe Abley wrote:
> 
> However, you're not necessarily doing anybody any favours in making  
> statements like "faster", "more secure" and "does IPv6". DNS servers  
> are complicated beasts, and simplistic comparisons are not useful for  
> much (it'd be trivial to give you examples where PowerDNS is slower  
> and less secure, for example, and BIND9 has done IPv6 for the better  
> part of a decade).

...done IPv6 for the better part of a decade...

well yeah, for some very loose definition of "doing IPv6"


> Joe



Re: ISP best practices

2009-05-21 Thread Joe Abley


On 21-May-2009, at 11:06, Curtis Maurand wrote:

Check out www.powerdns.com as an alternative to bind.  Its faster,  
more secure, does IPV6 and easier to maintain.


I have heard lots of good things about PowerDNS, and I'm quite  
prepared to believe that it's a natural choice for a DNS hosting  
service where the database back-end makes for far simpler provisioning  
and control than managing a pile of config files.


However, you're not necessarily doing anybody any favours in making  
statements like "faster", "more secure" and "does IPv6". DNS servers  
are complicated beasts, and simplistic comparisons are not useful for  
much (it'd be trivial to give you examples where PowerDNS is slower  
and less secure, for example, and BIND9 has done IPv6 for the better  
part of a decade).



Joe



Re: ISP best practices

2009-05-21 Thread Ben Cooper
If you want to go down the BIND route, I'd recommend using xname as a
frontend (http://source.xname.org/).

Paul E wrote:
> cmaurand> Check out www.powerdns.com as an alternative to bind.  Its
> cmaurand> faster, more secure, does IPV6 and easier to maintain.
> 
> This is purely opinion.
> 
> BIND has warts, just as any large piece of code in wide spread use and
> with lots of features will have. However, that's also one of its
> advantages. Lots of folks run it and know it and fix it when it breaks.
> 
> Works for root & gtld servers, must not totally suck.
> 
> BIND does ipV6, has since BIND8.
> 
> It is also fully DNSSEC compliant. Is powerdns yet?
> 
> Yes. Do check out all the alternatives for DNS. But if you're looking at
> ipV6 support because you want to be able to support upcoming protocols,
> make sure your DNS can do DNSSEC correctly too.
> 
> 
> 
> 



Re: ISP best practices

2009-05-21 Thread Ben Cooper
Yeah, it was a while back, but as far as I can remember it's fairly
straight forward. I think I just replaced the icons and altered the CSS
or PHP.

Ben

Brandon Galbraith wrote:
> Ben,
> 
> Is poweradmin easy to skin? Happy with the interface? We currently have
> several hundred domains and tens of thousands of records with dnsmadeeasy
> and we're getting ready to bring it all in house, and powerdns/poweradmin
> looks like the solution we've been looking for.
> 
> -brandon
> 
> On Thu, May 21, 2009 at 10:29 AM, Ben Cooper  wrote:
> 
>> I've deployed PowerDNS before, along with PowerAdmin
>> (https://www.poweradmin.org/trac/). Very easy to set up and manage.
>>
>> Ben
>>
>> For system or network support, please email supp...@hns.net
>>
>> Curtis Maurand wrote:
>>> Check out www.powerdns.com as an alternative to bind.  Its faster, more
>>> secure, does IPV6 and easier to maintain.
>>>
>>> Curtis
>>>
>>> Philip Lavine wrote:
>>>> To all,
>>>>
>>>> I am sure this has been asked 10 to the 1 millionth power times,
>>>> however may be the rules have changed. I am looking to set up a really
>>>> small ISP with a few /24's. I want to host DNS as well. Is there any
>>>> whitepapers/howtos/best practices on setting up multihomed BGP and DNS
>>>> with BIND so I don't blow up the Internet.
>>>>
>>>> Thx
>>>>
>>>> Philip
>>>>
>>>
>>>
>>>
>>
> 
> 



Re: ISP best practices

2009-05-21 Thread Paul E

cmaurand> Check out www.powerdns.com as an alternative to bind.  Its
cmaurand> faster, more secure, does IPV6 and easier to maintain.

This is purely opinion.

BIND has warts, just as any large piece of code in wide spread use and
with lots of features will have. However, that's also one of its
advantages. Lots of folks run it and know it and fix it when it breaks.

Works for root & gtld servers, must not totally suck.

BIND does ipV6, has since BIND8.

It is also fully DNSSEC compliant. Is powerdns yet?

Yes. Do check out all the alternatives for DNS. But if you're looking at
ipV6 support because you want to be able to support upcoming protocols,
make sure your DNS can do DNSSEC correctly too.



Re: ISP best practices

2009-05-21 Thread Cody Appleby
Have to agree on PowerDNS and PowerAdmin.

Very easy to setup, Pretty secure out of the box and management is a
breeze!

./cwa

On Thu, 21 May 2009 16:29:57 +0100, Ben Cooper  wrote:
> I've deployed PowerDNS before, along with PowerAdmin
> (https://www.poweradmin.org/trac/). Very easy to set up and manage.
> 
> Ben
> 
> For system or network support, please email supp...@hns.net
> 
> Curtis Maurand wrote:
>> 
>> Check out www.powerdns.com as an alternative to bind.  Its faster, more
>> secure, does IPV6 and easier to maintain.
>> 
>> Curtis
>> 
>> Philip Lavine wrote:
>>> To all,
>>>
>>> I am sure this has been asked 10 to the 1 millionth power times,
>>> however may be the rules have changed. I am looking to set up a really
>>> small ISP with a few /24's. I want to host DNS as well. Is there any
>>> whitepapers/howtos/best practices on setting up multihomed BGP and DNS
>>> with BIND so I don't blow up the Internet.
>>>
>>> Thx
>>>
>>> Philip
>>>
>>>
>>>
>>>  
>>>   
>> 
>> 
>> 
>>



Re: ISP best practices

2009-05-21 Thread Ben Cooper
I've deployed PowerDNS before, along with PowerAdmin
(https://www.poweradmin.org/trac/). Very easy to set up and manage.

Ben

For system or network support, please email supp...@hns.net

Curtis Maurand wrote:
> 
> Check out www.powerdns.com as an alternative to bind.  Its faster, more
> secure, does IPV6 and easier to maintain.
> 
> Curtis
> 
> Philip Lavine wrote:
>> To all,
>>
>> I am sure this has been asked 10 to the 1 millionth power times,
>> however may be the rules have changed. I am looking to set up a really
>> small ISP with a few /24's. I want to host DNS as well. Is there any
>> whitepapers/howtos/best practices on setting up multihomed BGP and DNS
>> with BIND so I don't blow up the Internet.
>>
>> Thx
>>
>> Philip
>>
>>
>>
>>  
>>   
> 
> 
> 
> 



Re: ISP best practices

2009-05-21 Thread Bret Clark
While BGP can become a rather complex protocol to implement as a network
grows, basic BGP peering between two providers isn't really that
complex...probably talking 10 config lines at most (excluding
bogon/filtering). The first thing you want to make sure is that your
upstream providers are implementing filtering, which most of the serious
providers do. That way all you can do is hurt yourself while keeping the
rest of us on the list here happy :).

It's best to get your own IP address space from ARIN if possible,
because if you use IP space from your upstream provider, it becomes a
nightmare to change over at a later date...IP renumbering is not fun!
That was the one mistake we made when we first started. 

Personally I'm a fan of the "do it yourself" club...yeah you'll make
mistakes, but the hands-on approach is by far the best way to learn.
Bret


On Thu, 2009-05-21 at 06:38 -0700, Philip Lavine wrote:

> To all,
> 
> I am sure this has been asked 10 to the 1 millionth power times, however may 
> be the rules have changed. I am looking to set up a really small ISP with a 
> few /24's. I want to host DNS as well. Is there any whitepapers/howtos/best 
> practices on setting up multihomed BGP and DNS with BIND so I don't blow up 
> the Internet.
> 
> Thx
> 
> Philip
> 
> 
> 
>   
> 


Re: ISP best practices

2009-05-21 Thread Curtis Maurand


Check out www.powerdns.com as an alternative to bind.  Its faster, more 
secure, does IPV6 and easier to maintain.


Curtis

Philip Lavine wrote:

To all,

I am sure this has been asked 10 to the 1 millionth power times, however may be 
the rules have changed. I am looking to set up a really small ISP with a few 
/24's. I want to host DNS as well. Is there any whitepapers/howtos/best 
practices on setting up multihomed BGP and DNS with BIND so I don't blow up the 
Internet.

Thx

Philip



  

  




Re: ISP best practices

2009-05-21 Thread Steve Bertrand
Jon Lewis wrote:

>  Still, it's
> better to get your config done right than rely on your providers to
> ignore what you shouldn't be advertising.

I have to agree completely with Jon here.

As a small SP, it is prudent to do everything you can to be a good 'netizen.

Apply your outbound prefix lists *before* you turn up your BGP
session(s). You should also ensure that you have a good grasp on BCP 38
prior to connecting yourself. This should be done no matter who your
upstreams are, large or small.

There is nothing more frustrating than seeing RFC 1918, BOGON and/or
your own IP space coming back at you eating your bandwidth from your
upstreams, so ensure you are not responsible for doing it to them.

Steve




Re: ISP best practices

2009-05-21 Thread Joel Jaeggli
The African Network Operators Group has quite a good set of workshop
materials for both isp routing (including v6) and DNS (separate workshops)

weeklong course materials for the routing track are here:

http://www.ws.afnog.org/afnog2009/sie/detail.html


Bryan Campbell wrote:
> This is the Nanog list . . . 
> 
> How about some Nanog resources . . .
> 
> http://www.nanog.org/resources/tutorials/
> 
> And, yes, hiring a consultant is a good idea.  But, being an informed
> consumer is also a good idea.  Read lots!  Ask lots of questions!
> 
> Cheers!
> 
> bbc
> 
> 
> On Thu, 2009-05-21 at 06:38 -0700, Philip Lavine wrote:
>> To all,
>>
>> I am sure this has been asked 10 to the 1 millionth power times, however may 
>> be the rules have changed. I am looking to set up a really small ISP with a 
>> few /24's. I want to host DNS as well. Is there any whitepapers/howtos/best 
>> practices on setting up multihomed BGP and DNS with BIND so I don't blow up 
>> the Internet.
>>
>> Thx
>>
>> Philip
>>
>>
>>
>>   
> 
> 



Re: ISP best practices

2009-05-21 Thread Justin Wilson - MTIN
The problem with ISP essentials is it was published in 2002. Same goes
for some of the other good Cisco books. A lot has changed  in the ISP world
since.  Sure it has good information but I wouldn't spend the $ for a new
copy.  Find it on half.com or somewhere.

Justin



From: Steve Bertrand 
Date: Thu, 21 May 2009 09:45:13 -0400
To: Philip Lavine 
Cc: 
Subject: Re: ISP best practices

Philip Lavine wrote:
> To all,
> 
> I am sure this has been asked 10 to the 1 millionth power times, however may
be the rules have changed. I am looking to set up a really small ISP with a few
/24's. I want to host DNS as well. Is there any whitepapers/howtos/best
practices on setting up multihomed BGP and DNS with BIND so I don't blow up the
Internet.

BCP 38:
- http://www.ietf.org/rfc/rfc3704.txt

ISP Essentials:
- http://www.ciscopress.com/bookstore/product.asp?isbn=1587050412

Securing IP Network Traffic Planes:
- http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365

- anything and everything regarding IPv6.

...would be a VERY good start (I've read Securing IP Traffic Planes
which is also great reference, and am just finishing up ISP Essentials,
which is dated, but the principles still apply).

Steve



Re: ISP best practices

2009-05-21 Thread Roland Dobbins


On May 21, 2009, at 8:45 PM, Steve Bertrand wrote:


Securing IP Network Traffic Planes:
- http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365


I can't recommend this book enough - it's the current canonical  
reference on opsec-related BCPs for network infrastructure, IMHO (full  
disclosure:  I was fortunate enough to have the opportunity to provide  
some feedback to the authors as they worked on this tome, but have no  
financial interest whatsoever in its publication or sales thereof).


---
Roland Dobbins  // 

Unfortunately, inefficiency scales really well.

   -- Kevin Lawton




Re: ISP best practices

2009-05-21 Thread Bryan Campbell
This is the Nanog list . . . 

How about some Nanog resources . . .

http://www.nanog.org/resources/tutorials/

And, yes, hiring a consultant is a good idea.  But, being an informed
consumer is also a good idea.  Read lots!  Ask lots of questions!

Cheers!

bbc


On Thu, 2009-05-21 at 06:38 -0700, Philip Lavine wrote:
> To all,
> 
> I am sure this has been asked 10 to the 1 millionth power times, however may 
> be the rules have changed. I am looking to set up a really small ISP with a 
> few /24's. I want to host DNS as well. Is there any whitepapers/howtos/best 
> practices on setting up multihomed BGP and DNS with BIND so I don't blow up 
> the Internet.
> 
> Thx
> 
> Philip
> 
> 
> 
>   




RE: ISP best practices

2009-05-21 Thread Bradley Freeman
In regards to DNS there is a great secure BIND template here
http://www.cymru.com/Documents/secure-bind-template.html which will help
stop your server from being an unneeded open resolver, or sending out root
hints which are used all the time to amplify DDOS attacks often without you
realising.

Bradley


-Original Message-
From: Philip Lavine [mailto:source_ro...@yahoo.com] 
Sent: 21 May 2009 14:39
To: nanog@nanog.org
Subject: ISP best practices


To all,

I am sure this has been asked 10 to the 1 millionth power times, however may
be the rules have changed. I am looking to set up a really small ISP with a
few /24's. I want to host DNS as well. Is there any whitepapers/howtos/best
practices on setting up multihomed BGP and DNS with BIND so I don't blow up
the Internet.

Thx

Philip



  






Re: ISP best practices

2009-05-21 Thread Jon Lewis

On Thu, 21 May 2009, Philip Lavine wrote:

I am sure this has been asked 10 to the 1 millionth power times, however 
may be the rules have changed. I am looking to set up a really small ISP 
with a few /24's. I want to host DNS as well. Is there any 
whitepapers/howtos/best practices on setting up multihomed BGP and DNS 
with BIND so I don't blow up the Internet.


A few minutes with google would probably find sample BGP multihoming 
configs.  The big things to avoid are unnecessary deaggregation and 
announcing routes received from one provider to the other.


i.e. If you have a /22 of IP space, you may use/see that as 4 /24's or a 
larger number of smaller subnets, but where eBGP is concerned, you should 
announce just the /22 route and keep your subnetting to yourself.


If you have competent providers, they won't accept routes from you that 
they're not expecting, which will stop you from offering transit to them 
by announcing routes received from your other provider.  Still, it's 
better to get your config done right than rely on your providers to ignore 
what you shouldn't be advertising.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
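
Added example, not part of the original thread or any poster's configuration: a Python check of candidate outbound BGP announcements against the advice in Jon Lewis's and Steve Bertrand's messages (announce only your aggregate, never bogon/RFC 1918 space, never routes that are not yours), plus a BCP 38 style source-address check. The sample prefixes, the short bogon subset and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data. 198.18.0.0/15 is benchmarking space (RFC 2544),
# used here so the sample prefixes collide with nobody's real allocation.
OWNED_AGGREGATES = [ipaddress.IPv4Network("198.18.4.0/22")]

# Short illustrative subset of a bogon list. A production filter would use a
# maintained list (which would also contain 198.18.0.0/15).
BOGONS = [ipaddress.IPv4Network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def classify_announcement(prefix, owned=OWNED_AGGREGATES, bogons=BOGONS):
    """Return (verdict, reason) for one prefix we are about to announce."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 198.18.4.1/24
        net = ipaddress.IPv4Network(prefix, strict=True)
    except ValueError:
        return ("reject", "malformed prefix")

    # Bogon and RFC 1918 space must never leave the AS.
    for bogon in bogons:
        if net.overlaps(bogon):
            return ("reject", f"bogon/private space ({bogon})")

    for agg in owned:
        if net == agg:
            return ("permit", "own aggregate")
        if net.subnet_of(agg):
            # Internal subnetting stays internal: announce the aggregate.
            return ("reject", f"deaggregated, announce {agg} instead")
        if agg.subnet_of(net):
            return ("reject", f"covers more than the allocation {agg}")

    # Anything else was learned from someone else; re-announcing it to an
    # upstream would offer transit between the two providers.
    return ("reject", "not our space, would offer transit")


def audit_outbound(candidates):
    """Classify every candidate; only 'permit' entries belong in the
    outbound prefix list applied before the BGP session is turned up."""
    return {p: classify_announcement(p) for p in candidates}


def egress_source_allowed(src, owned=OWNED_AGGREGATES):
    """BCP 38 idea: a packet may leave only if its source is in our space."""
    addr = ipaddress.IPv4Address(src)
    return any(addr in agg for agg in owned)


if __name__ == "__main__":
    # Constructed candidate list mixing good and bad announcements.
    sample = [
        "198.18.4.0/22",   # the aggregate itself
        "198.18.5.0/24",   # one of our own /24s, deaggregated
        "10.20.0.0/16",    # RFC 1918
        "198.19.0.0/16",   # route learned from the other provider
        "198.18.4.1/24",   # typo with host bits set
    ]
    for prefix, (verdict, reason) in audit_outbound(sample).items():
        print(f"{prefix:18} {verdict:7} {reason}")
    print(egress_source_allowed("198.18.6.77"), egress_source_allowed("192.168.1.5"))
```
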



Re: ISP best practices

2009-05-21 Thread Steve Bertrand
Philip Lavine wrote:
> To all,
> 
> I am sure this has been asked 10 to the 1 millionth power times, however may 
> be the rules have changed. I am looking to set up a really small ISP with a 
> few /24's. I want to host DNS as well. Is there any whitepapers/howtos/best 
> practices on setting up multihomed BGP and DNS with BIND so I don't blow up 
> the Internet.

BCP 38:
- http://www.ietf.org/rfc/rfc3704.txt

ISP Essentials:
- http://www.ciscopress.com/bookstore/product.asp?isbn=1587050412

Securing IP Network Traffic Planes:
- http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365

- anything and everything regarding IPv6.

...would be a VERY good start (I've read Securing IP Traffic Planes
which is also great reference, and am just finishing up ISP Essentials,
which is dated, but the principles still apply).

Steve




Re: ISP best practices

2009-05-21 Thread Dan White

Philip Lavine wrote:

To all,

I am sure this has been asked 10 to the 1 millionth power times, however may be 
the rules have changed. I am looking to set up a really small ISP with a few 
/24's. I want to host DNS as well. Is there any whitepapers/howtos/best 
practices on setting up multihomed BGP and DNS with BIND so I don't blow up the 
Internet.

Thx

Philip
  


Hiring a consultant to do your initial configuration is highly 
recommended. We took this route when we originally configured BGP and it 
allowed me to learn from and study a known 'good' configuration.


- Dan



ISP best practices

2009-05-21 Thread Philip Lavine

To all,

I am sure this has been asked 10 to the 1 millionth power times, however may be 
the rules have changed. I am looking to set up a really small ISP with a few 
/24's. I want to host DNS as well. Is there any whitepapers/howtos/best 
practices on setting up multihomed BGP and DNS with BIND so I don't blow up the 
Internet.

Thx

Philip