12 steps for IPv6 deployment in governments and enterprises
- Jordi Palet
This presentation will present the major issues of typical existing Governments and Enterprise networks that need to be considered when deploying IPv6 and will depict the 12 steps needed to correctly approach the project.
Since the late 1990s, projects like RIPE NCC RIS and Route Views have been collecting BGP data to monitor the evolution of the inter-domain Internet. In recent years the amount of data collected has increased greatly, mostly due to the introduction of new route collectors (e.g. PCH, Isolario), new BGP feeders, new BGP extensions (e.g. Multiprotocol RFC4760, ADDPATH RFC7911) and, of course, the natural growth of the Internet.
Most MRT-BGP data readers were designed when the amount of data available was smaller and, as a consequence, cannot process current datasets efficiently. Moreover, several of them do not support most of the BGP extensions introduced over time, usually because they are not properly maintained and updated.
In this presentation we propose to the APRICOT community BGP scanner, a new open-source MRT-BGP data reader and C library implemented at IIT-CNR and used in the Isolario project. To the best of our knowledge, BGP scanner outperforms all MRT-BGP data readers freely available online in terms of speed and memory consumption.
It is well known that some network traffic flows consume considerably more network resources than others; such a flow is known as a heavy-hitter (HH). The appropriate detection and management of HHs is critical for maintaining network performance and presents difficult network challenges. Yet, HH detection has been reduced to the use of a threshold, i.e., if the flow exceeds a previously set threshold value, the detector determines that the flow is an HH. To the best of our knowledge, there is no uniform definition of the threshold value. In this study, we take advantage of the tools provided by machine learning (ML) for data analysis, which can categorise the flows into traffic clusters, where each cluster has different flow characteristics. This presentation outlines the methodology, gives a visualization of the relevant attribute statistics that aid in recognising cluster types, and outlines how the scheme can be implemented in a real network. We conclude with a discussion of ongoing and future work.
A number of DNS software and service providers have announced that they will all cease implementing DNS resolver workarounds to accommodate DNS authoritative systems that don't follow the EDNS protocol. Each vendor has pledged to roll out this change in some version of their software by the Flag Day.
Domains served by DNS servers that are not compliant with the standard will not function reliably after February 1, 2019, and may become unavailable.
If your company's DNS zones are served by non-compliant servers, your online presence will slowly degrade or disappear as ISPs and other organizations update their resolvers. When you update your own internal DNS resolvers to versions that don't implement workarounds, some sites and email servers may become unreachable.
This talk will cover the background of the changes, potential effects on Internet users and providers, and testing methodologies to ensure minimal impact.
We are very aware of the extent to which our online profile is being collated, analysed and monetised. The DNS can be a major source of activity profiling. The DNS architecture is open, chatty, and promiscuous, which seems very anomalous in this day and age. However, the DNS picture is changing and steps are being made to improve the privacy-protecting properties of name resolution. This presentation surveys the current efforts to improve the privacy of the DNS.
Fukuoka University's NTP service continues to suffer from access overload from clients throughout the world. We are currently undergoing preparations to cease the service, and in this task after analyzing various types of traffic, we discovered the 1.1.1.0/24 request. In this session I will discuss the origin of the request and results of our analysis.
During the 2015 BlackHat conference, the authors presented an approach which makes it possible for an arbitrary attacker to use vulnerabilities in the Border Gateway Protocol to obtain fraudulent certificates, recognized by browsers as valid ones, for Web sites an attacker couldn't otherwise control.
As a result, the overall security of Internet PKIX, which we all rely on daily while browsing our favorite social networks and banking systems, was shown to be at risk.
Plenty of time has passed since August 2015. Researchers were digging into the issue, certificate authorities kept an eye on it, changes to Internet protocols were designed and implemented, and black hats started to exploit the method after all.
As it is now almost four years after the discovery of the initial issue, it's a good time to examine the outcome: what has been done, what's yet to be done and how long does it take for the Internet community to amend an Internet protocol even for the greater good.
LinkedIn has been on a journey to support IPv6 everywhere since 2012. It started first with email, quickly followed by the website. We have seen tremendous growth in the region, for instance in India and China. But the transformation to support IPv6 is not limited to our external services: we have started to transform our internal network, offices, data centers... The goal is to deploy IPv6 everywhere but, more importantly, to remove IPv4.
This presentation shows the challenges we faced, the ones we are still facing, and will provide some tips and recipes if you are on the same journey.
Most route server instances at internet exchanges (IXPs) perform prefix filtering based on route/route6 objects published by internet routing registries. The data quality of these IRRDB objects is often poor, with problems relating to missing, stale and incorrectly duplicated information. Resource holders often have difficulty correcting this information due to the object sets being decoupled from the RIR resource assignments.
RPKI is a public key infrastructure framework designed to secure the internet's routing infrastructure in a way that replaces IRRs with a database where trust is assigned by the resource holder. There are still issues: the database has only a fraction of the prefix coverage that IRR databases have, and there is no implemented support for features such as AS-SETs. We are now in a multi-year transition from IRR to RPKI while these issues are solved.
In the presentation, we propose a best-practice integration of RPKI into the current IX route server context which still includes IRR support. We will present the development work we have completed with IXP Manager to support RPKI and discuss our experiences of putting this live at INEX.
In 2009, we presented results from a large scale, multi-year study of global Internet traffic across 110 providers and 200 Exabytes of commercial traffic. This original study found significant changes in inter-AS traffic patterns, an increasing consolidation of "HyperGiant" traffic volumes and an evolution of provider peering strategies.
In this talk, we revisit our work from a decade ago with an in-depth look at the changes to traffic patterns, content delivery and Internet peering across more than 50 providers around the world. We show how cloud, IoT and significant changes to interconnection strategies are impacting networks in North America, Europe and Asia.
An overview of QR codes, what makes up a QR code, and some proof-of-concept demonstrations of ways they can be used, maliciously or otherwise.
The presentation discusses the use of QR codes and where they could be used maliciously, including a review of Kali Linux and the Social Engineering Toolkit to send phishing emails, followed by a demonstration of the QRLJacking toolkit to hijack a WhatsApp login.
Finally, it looks at the technical specifications of QR codes and how to reverse engineer a QR code.
LoRa is one of a handful of new Internet of Things radio protocols designed for low power, wide area networks. It trades speed for robustness, and its small messages can penetrate both literal & urban jungles. LoRaWAN is an open set of protocols using LoRa to create an IoT network with multiple layers of encryption and mobility. This talk will provide a technical introduction to the protocols aimed at network operators.
New optical technologies are driving a transformation in metro networking. Open line systems enable best-in-class equipment deployment. Optimized ROADM solutions are enabling deployment simplicity, space and power efficiency, and low first-in-cost. Next-gen coherent solutions are revolutionizing metro capacity-reach options delivering significant cost savings and service flexibility.
This is an updated version 2 of my old talk about the appearance of AS1, AS2 and AS3 in the routing table. It covers a check of their appearance as well as what can be done, both at the network operator's end and at IXPs, to prevent it.
NetFlow provides network administrators with a method of determining what passes through the network. The ELK (Elasticsearch, Logstash, and Kibana) stack is a set of tools for ingesting, storing and visualising massive amounts of data. Putting NetFlow into ELK can provide engineers with detailed information on the origin and destination of network packets via visualisation tools, costing and usage patterns; it can also generate automated alerts on security anomalies.
We have worked in the last few years to grow our global footprint at a fast pace, building POPs and deploying caches to connect to multiple ISPs around the world so people can access content reliably and with the best performance. Part of providing the best performance is being prepared to continue providing access to Facebook's family of applications during disasters with zero impact to users.
This presentation provides an overview of the importance of being prepared for a major disaster on the edge of Facebook's network that could impact people's experience, focusing our efforts on understanding how our infrastructure would react under these circumstances and defining the metrics, tools and improvements needed.
This talk will present an SDN/ONOS-oriented computing, storage and networking orchestration architecture and its system implementation based on location- and load-aware virtually dedicated container networking. With a new container network interface (VDN-CNI) implemented, the system integrates containerized service resources using Kubernetes and wide-area virtual networking resources using the virtually dedicated network (VDN) application on KREONET-S, which is an ONOS/OpenFlow-centric SDN-WAN infrastructure for the R&E community in South Korea. The location- and load-aware orchestration system allows KREONET-S users to dynamically and rapidly manage their demanding containerized computing and storage resources coupled with high-performance virtual networks (VDNs) activated for high speed, low or zero packet loss and optimum end-to-end (or edge-to-edge) latency.
The orchestration system architecture has several key components, such as the orchestrator, container manager (Kubernetes), virtual network manager (VDN application), SDN controller (ONOS), and OpenFlow network devices and service resources, which are deployed in eight distributed network centers in Korea (5), the USA (2), and China (1). In the architecture, the orchestrator intelligently decides the nearest service location to the users after receiving their service requests, by considering the load (e.g., CPU, memory, and storage usage) and VDN status information acquired from the container manager and virtual network manager. Here, the container manager handles k8s pod management in association with VDN-CNI, which is designed to connect the provisioned pods to ONOS/VDN by allocating either shared or dedicated networking for each pod. Eventually the orchestrator communicates with the virtual network manager to provide the requested complete set of service resources for users by manipulating virtually dedicated networks so that they are composed of (distributed) service pods, user end-hosts, required network gateways, and proper virtual network functions such as vDHCP and virtual network access controls (vNAC).
In this talk, the implemented orchestration system components and functions will be presented and demonstrated using a distributed k8s testbed over KREONET-S, with the overall architecture described in detail.
This is a 30 minute presentation describing the history and current state of the DNS's system of Root Service.
The presentation begins with a dramatic telling of the history of the DNS root server system. It shows how and why the system ceased evolving in 1997, now almost 22 years ago.
The presentation then talks about a significant effort to get the DNS Root Server system to evolve again, involving a new governance model for root service.
Next the presentation talks about threats to the root server system, outlining technical, economic, and political challenges. It gives mitigation options for these threats and, in doing so, introduces a new form of root service that ICANN is proposing: hyperlocal.
Cloudflare runs a large anycast network, with over 150 deployments worldwide. Deployments of this size come with their own unique set of difficulties and challenges. One of the bigger challenges is a global change to the anycast routing. Minor mistakes or delays might have an enormous impact, as traffic can shift globally, overwhelming a single location with requests that really shouldn't be there. In the past, the network team at Cloudflare made the decision to add prepends to our prefix announcements.
At the time, this was a reasonable decision that actually made the anycast network work as expected. These prepends had their use then, but are no longer a required piece of configuration, and haven't been for a long time. As some of you will realise, changing this piece of configuration could lead to massive problems while the change is being rolled out, such as overloading single locations or overloading individual transit pipes.
As the first Root DNSSEC KSK rollover comes to a close, a quick review of where the project stands and a look at the lessons learned - so far.
A talk on how traffic engineering is done in the LinkedIn backbone network, including lessons learned and improvements made over time. The presentation covers how to optimize traffic engineering so that the efficiency of link utilization can be improved while also reducing operational overhead.
Every computer has a local clock that tells the time. But how accurate is this clock? The presentation takes a quick look at time and the Network Time protocol and then describes an exercise in measuring time accuracy across the Internet and makes some conclusions as to how well time is synchronised across the Internet.
Operating an IX in India has many challenges on many levels. This presentation highlights those challenges.
Over the last year Euro-IX has been leading the IXPDB project. This is the only automated database where IXPs control and can publish their complete member list. The database is now live and we are working on building tools around it to help IXPs and networks find information about each other.
Today we have 79 IXPs exporting this data to the IXPDB. I hope to create awareness to encourage and motivate more IXPs to go down this route so we can have some reliable data for the community.
This talk will include:
I also hope to get feedback from the attendees on new ideas and tools they'd like to see.
This presentation will talk about why these new cable systems will provide critical infrastructure for meeting the future growth in collaborative research and transnational education between Australia and our Asian partners.
Located at the border between Singapore and Malaysia, Johor Bahru is not only the second largest city in Malaysia, it is also the gateway for most traffic between Singapore and the Indochina region. The Indochina countries, whose populations are among the most ardent Internet users in the world, have seen tremendous Internet traffic growth over recent years. This makes Johor Bahru an increasingly important gateway for OTT players to reach the Indochina eyeballs. This presentation explains how OTT and eyeball players can take advantage of JB to improve cost and network efficiency.
The first commercial releases of 5G will be happening in 2019, with a number of APAC operators leading the way. 5G brings with it considerable change to the use of spectrum, radio access architectures, the mobile core and a diverse range of use cases. In this tutorial, we will provide an overview of these key changes and how they impact the IP/optical networks that are required in order to connect the different mobile network elements. The tutorial is targeted for IP engineers with little to no prior knowledge of mobile communications technology.
DNS privacy, or the lack thereof, gained a lot of attention in recent years. This talk will give an overview of what happened in the DNS related IETF working groups with regards to DNS privacy, how these new standards resulted in new functionality in open source DNS software, and how to configure Unbound and Stubby to protect the users' privacy as much as possible.
The goal of this talk is to inform operators about the privacy impact of DNS transactions and educate them on how to turn their DNS (stub) resolvers into privacy-aware resolvers. This will be done by showing configuration examples and clarifying the impact these new features have on the DNS traffic.
One of the major challenges in networking is the diversity of data representation, which is often vendor specific. Vendor APIs are inconsistent and incomplete, some mainstream platforms are closed, and custom software is not allowed on your device.
By combining Salt proxy minions with third-party libraries such as NAPALM, which presents the data in a vendor-agnostic shape, we are able to leverage the DevOps methodologies in networking.
NAPALM support is now integrated in the official Salt releases, beginning with Carbon and improved in Nitrogen. Beyond cross-vendor configuration management, reaction to internal and external network events becomes easy and there are no orchestration boundaries.
In this tutorial, we will learn how we can leverage Salt for event-driven automation, reacting with configuration changes, alerts, or different types of notifications (email, SMS, web hooks, etc.) in response to network state changes. While Salt is flexible enough to be extended for any business logic and to ingest events from any resource, in this session we will focus on exploiting the syslog messages received from the network devices via a third-party, open source daemon, napalm-logs, which provides the platform abstraction for the syslog messages.
This tutorial will introduce the different IPv6-only transition technologies that apply to both broadband and cellular networks, comparing them and discussing the steps required to deploy IPv6-only with IPv4-as-a-service (IPv4aaS) in an ISP/enterprise network.
The transition mechanisms will include:
The main effort will be devoted to how to deliver IPv4aaS and, in the hands-on part, to setting up NAT64, DNS64 and 464XLAT, the implications for DNSSEC and possible solution approaches, based on the IETF work:
https://datatracker.ietf.org/doc/draft-palet-v6ops-nat64-deployment/
The first 90 minutes will be used for the tutorial part and the second 90 minutes will allow the participants to do their own labs.
Although many visible IPv6 deployment metrics show small-percentage prevalence of IPv6 connectivity, the proportion of popular resources that are available to IPv6 clients on a well-connected dual stack network can exceed 50%. Popular content spheres, such as Google, YouTube, Netflix, Yahoo, Wikipedia, and various CDNs offer content over IPv6, and for many users those providers comprise a large percentage of requested content. If we are at the point of getting IPv4 and IPv6 in similar proportions, the question arises as to whether an organization can make the jump to running an IPv6-only network and delivering IPv4 as a service. Our experience has shown that a well tuned IPv6-only network can be indistinguishable from a dual-stack or IPv4-only network. This tutorial provides details on how to build DNS64/NAT64/464XLAT networks, reports on experiences from universities that have already deployed and spent time with such networks, and offers first-hand experience of an IPv6-only wireless network during the tutorial.
This tutorial was presented at Internet2 Technology Exchanges in 2017 and 2018.
There has been an explosion of data center technologies over the past few years, driven by the advent of cloud and SDN. The aim of this session is to walk through the VXLAN BGP EVPN technology building blocks used to build a highly scalable and reliable data center.
ZFS is known as 'the last word in filesystems'. This tutorial will get your hands dirty with installing, configuring and managing reliable and scalable storage systems with ZFS on FreeBSD. We will cover pool-based storage, optimising storage systems for performance and redundancy and practise zero-downtime recovery from common storage events such as failing disks or running out of space. Participants should bring a laptop with either VirtualBox or VMware installed.
ISPs often seek capital for "growth," but understanding your specific needs and stage of company lifecycle is critical to obtaining the right financing. The presentation will provide an overview of ISP financing options and key considerations for financing network expansion.
With ever growing routing related incidents happening on a daily basis there is a need to have an open and candid discussion among the network operators community to find the possible way forward. To address this I would like to propose a Routing Security BoF, where operators can share their approach in securing their own infrastructure and keeping the internet routing table clean as well.
Also, this will provide a platform to discuss how operators are looking at RPKI and what the roadblocks are, and will try to find out if anyone has implemented ROV.