- Jordi Palet
- Job Snijders
- Luca Sani
- Winston Seah
- Geoff Huston
- Töma Gavrichenkov
- Sho Fujimura
- Franck Martin
- Barry O'Donovan
- Warren Finch
- Jonathan Brewer
- Anurag Bhatia
- Mehmet Akcin
- Matt Jansen
- Dongkyun Kim
- Marijana Novakovic
- David Huberman
- Christian Martin
- Pete Moyer
- Muhammad Durrani
- Tim Bruijnzeels
- Mircea Ulinic
- Geoff Huston
This presentation will present the major issues of typical existing Governments and Enterprise networks that need to be considered when deploying IPv6 and will depict the 12 steps needed to correctly approach the project.
Since the late 1990s, projects like RIPE NCC RIS and Route Views are collecting BGP data to monitor the inter-domain Internet evolution. During the last years the amount of data collected has increased greatly, mostly due to the introduction of new route collectors (e.g. PCH, Isolario), new BGP feeders, new BGP extensions (e.g. Multiprotocol RFC4760, ADDPATH RFC7911) and, of course, due to the natural growth of the Internet.
Most of the MRT-BGP data readers were designed when the amount of data available was smaller, and as a consequence are not able to perform efficiently with current datasets. Moreover, several of them do not support most of the BGP extensions introduced over time, usually because they are not properly maintained and updated.
In this presentation, BGP scanner is proposed to the APRICOT community: a new open source MRT-BGP data reader and C library implemented at IIT-CNR, which is exploited in the Isolario project. To the best of our knowledge, BGP scanner outperforms all the MRT-BGP data readers freely available online, in terms of speed and memory consumption.
It is well known that there are network traffic flows which consume considerably more network resources than others, and such a flow is known as a heavy-hitter (HH). The appropriate detection and management of HHs are critical for maintaining network performance, presenting critical network challenges. Yet, HH detection has been reduced to the use of a threshold, i.e., if the flow exceeds a previously set threshold value, the detector determines that the flow is an HH. To the best of our knowledge, there is no uniform definition of the threshold value. In this study, we take advantage of the tools provided by machine learning (ML) for data analysis, that can categorise the flows into traffic clusters, where each cluster has different flow characteristics. This presentation outlines the methodology, a visualization of the relevant attribute statistics that aid in recognising cluster types and outlines how the scheme can be implemented in a real network. We conclude with a discussion of ongoing and future work.
We are very aware of the extent to which our online profile is being collated, analysed and monetised. The DNS can be a major source of activity profiling. The DNS architecture is open, chatty, and promiscuous, which seems very anomalous in this day and age. However, the DNS picture is changing and steps are being made to improve the privacy-protecting properties of name resolution. This presentation surveys the current efforts to improve the privacy of the DNS.
During the 2015 BlackHat conference, the authors presented an approach which makes it possible for an arbitrary attacker to use vulnerabilities in the Border Gateway Protocol to obtain fraudulent certificates, recognized by browsers as valid ones, for Web sites an attacker couldn't otherwise control.
As a result, the overall security of Internet PKIX, which we all rely on daily while browsing our favorite social networks and banking systems, was shown to be at risk.
Plenty of time has passed since August 2015. Researchers were digging into the issue, certificate authorities kept an eye on it, changes to Internet protocols were designed and implemented, and black hats started to exploit the method after all.
As it is now almost four years after the discovery of the initial issue, it's a good time to examine the outcome: what has been done, what's yet to be done and how long does it take for the Internet community to amend an Internet protocol even for the greater good.
Fukuoka University's NTP service continues to suffer from access overload from clients throughout the world. We are currently undergoing preparations to cease the service, and in this task after analyzing various types of traffic, we discovered the 220.127.116.11/24 request. In this session I will discuss the origin of the request and results of our analysis.
Most route server instances at internet exchanges (IXPs) perform prefix filtering based on route/route6 objects published by internet routing registries. The data quality of these IRRDB objects is often poor, with problems relating to missing, stale and incorrectly duplicated information. Resource holders often have difficulty correcting this information due to the object sets being decoupled from the RIR resource assignments.
RPKI is a public key infrastructure framework designed to secure the internet's routing infrastructure in a way that replaces IRRs with a database where trust is assigned by the resource holder. There are still issues: the database has only a fraction of the prefix coverage as IRR databases do and there is no implemented support for features such as AS-SETs. We are now in a multi-year transition from IRR to RPKI while these issues are solved.
In the presentation, we propose a best-practice integration of RPKI into the current IX route server context which still includes IRR support. We will present the development work we have completed with IXP Manager to support RPKI and discuss our experiences at putting this live at INEX.
An overview of QR codes, what makes up a QR code, and some Proof Of Concept on ways that it can be used, maliciously or otherwise.
The presentation discusses the use of QR Codes and where it could be used maliciously. Including a review of Kali Linux and the Social Engineering Toolkit to send phishing emails. Then demonstration of the QRLJacking toolkit to hijack a WhatsApp login.
Then finally looking at the technical specifications of QR codes and how to reverse engineer a QR Code.
LoRa is one of a handful of new Internet of Things radio protocols designed for low power, wide area networks. It trades speed for robustness, and its small messages can penetrate both literal & urban jungles. LoRaWAN is an open set of protocols using LoRa to create an IoT network with multiple layers of encryption and mobility. This talk will provide a technical introduction to the protocols aimed at network operators.
This is an updated version 2 of my old talk about the appearance of AS1, AS2 and AS3 in the routing table. It covers a check of their appearance as well as what can be done both at the network operators' end and at IXPs to prevent that.
Network Atlas is a near real time submarine cable status map experiment showing the operational status of submarine cables around the world.
We have worked in the last few years to grow our global footprint at a fast pace, building POPs and deploying Caches to connect to multiple ISPs around the world so People can access content reliably and with the best performance. Part of providing the best performance is to be prepared to continue providing access to Facebook's family of applications during disasters with zero impact to Users.
This presentation provides an overview of the importance of being prepared for a major disaster on the Edge of Facebook's network, that could impact Peoples' experience, focusing our efforts on having an understanding of how our infrastructure would react under these circumstances and defining the metrics, tools and improvements needed.
This talk will present SDN/ONOS-oriented computing, storage, networking orchestration architecture and its system implementation based on location and load aware virtually dedicated container networking. With a new container network interface (VDN-CNI) implemented, the system integrates containerized service resources using Kubernetes and wide-area virtual networking resources using virtually dedicated network (VDN) application on KREONET-S which is an ONOS/OpenFlow centric SDN-WAN infrastructure for R&E community in South Korea. The location and load aware orchestration system allows KREONET-S users to dynamically and rapidly manage their demanding containerized computing and storage resources coupled with high-performance virtual networks (VDNs) activated for high speed, low or zero packet loss and optimum end-to-end (or edge-to-edge) latency.
The orchestration system architecture has several key components such as orchestrator, container manager (Kubernetes), virtual network manager (VDN application), SDN controller (ONOS), and OpenFlow network devices and service resources which are deployed in eight distributed network centers in Korea (5), USA (2), and China (1). In the architecture, orchestrator intelligently decides the nearest service location to the users after receiving their service requests, by considering the load (e.g., CPU, memory, and storage usage) and VDN status information acquired from container manager and virtual network manager. Here, container manager works on k8s pods management in association with VDN-CNI which is designed to connect the provisioned pods to ONOS/VDN in a way of allocating either shared or dedicated networking for each pod. Eventually orchestrator communicates with virtual network manager to provide the requested complete set of service resources for users through manipulating virtually dedicated networks into being composed of (distributed) service pods, user end-hosts, required network gateways, and proper virtual network functions such as vDHCP and virtual network access controls (vNAC).
In this talk, the implemented orchestration system components and functions will be presented and demonstrated using a distributed k8s testbed over KREONET-S, with the overall architecture described in detail.
Currently, there are over 420 submarine cables in service available in the world. The number of terrestrial paths is even bigger. Still, there are few initiatives in the Internet industry to share the information like this openly, especially coming from the carriers themselves. Can this be open sourced and available to everybody? What are the business or security aspects that need to be considered? The purpose of the panel would be to try to answer questions like this.
This is a 30 minute presentation describing the history and current state of the DNS's system of Root Service.
The presentation begins with a dramatic telling of the history of the DNS root server system. It shows how and why the system ceased evolving in 1997, now almost 22 years ago.
The presentation then talks about a significant effort to get the DNS Root Server system to evolve again, involving a new governance model for root service.
Next the presentation talks about threats to the root server system, outlining technical, economic, and political challenges. It gives mitigation options for these threats, and in doing so, introduces a new form of root service that ICANN is proposing: hyperlocal.
This talk will cover two integrated talk tracks into a single presentation. First, a technology overview of applicable Segment Routing (SR) components for Data Center Interconnect (DCI) will be covered. This will also include EVPN technologies. Second, a discussion of how these technologies are being leveraged in the Equinix Unified Packet Fabric (UPF) architecture. The first part is not intended to be a complete SR or EVPN technology discussion; it is intended to cover the SR & EVPN capabilities that are applicable to the Equinix use cases.
Cloudflare runs a large anycast network, with over 150 deployments worldwide. Deployments of this size come with their own unique set of difficulties and challenges. One of the bigger challenges is a global change to the anycast routing. Minor mistakes or delays might have an enormous impact, as traffic can shift globally, overwhelming a single location with requests that really shouldn't be there. In the past, the network team at Cloudflare made the decision to add prepends to our prefix announcements.
At the time, this was a reasonable decision, that actually made the anycast network work as expected. These prepends had their use then, but are no longer a required piece of configuration, and haven't been for a long time. As some of you will realise, changing this piece of configuration could lead to massive problems while the change is being rolled out like overloading single locations, or overloading individual transit pipes.
Every computer has a local clock that tells the time. But how accurate is this clock? The presentation takes a quick look at time and the Network Time protocol and then describes an exercise in measuring time accuracy across the Internet and makes some conclusions as to how well time is synchronised across the Internet.
- Peter Gitau
- Raunak Maheshwari
- Bijal Sanghani
- R.P.D.C Kaushalya
Internet Exchange Point Route Server filtering actual experience and lessons learned.
Operating IX in India has many challenges on many levels. This presentation highlights those challenges.
Over the last year Euro-IX has been leading the IXPDB project. This is the only automated database where IXPs control and can publish their complete member list. The database is now live and we are working on building tools around that to help IXPs and Networks find information about each other.
Today we have 79 IXPs exporting this data to the IXPDB. I hope to create awareness to encourage and motivate more IXPs to go down this route so we can have some reliable data for the community.
This talk will include:
- Quick History of the project
- The IX-F JSON Member List
- Euro-IX tools now available
- A roadmap of new tools coming in 2019
- What the community can do to help.
I also hope to get feedback from the attendees on new ideas and tools they'd like to see.
- Paresh Khatri
- Ralph Dolmans
- Mircea Ulinic
- Jordi Palet
- Muhammad Moinur Rahman
- Alan Whinery
- Lawrence Hughes
- Jide Akintola
- Philip Paeps
The first commercial releases of 5G will be happening in 2019, with a number of APAC operators leading the way. 5G brings with it considerable change to the use of spectrum, radio access architectures, the mobile core and a diverse range of use cases. In this tutorial, we will provide an overview of these key changes and how they impact the IP/optical networks that are required in order to connect the different mobile network elements. The tutorial is targeted for IP engineers with little to no prior knowledge of mobile communications technology.
DNS privacy, or the lack thereof, gained a lot of attention in recent years. This talk will give an overview of what happened in the DNS related IETF working groups with regards to DNS privacy, how these new standards resulted in new functionality in open source DNS software, and how to configure Unbound and Stubby to protect the users' privacy as much as possible.
The goal of this talk is to inform operators about the privacy impact of DNS transactions and educate them on how to turn their DNS (stub) resolvers into privacy-aware resolvers. This will be done by showing configuration examples and clarifying the impact these new features have on the DNS traffic.
One of the major challenges in networking is the diversity of data representation, often vendor specific. Vendor APIs are inconsistent and incomplete, some mainstream platforms are closed and custom software is not allowed on your device.
By combining Salt proxy minions with third-party libraries such as NAPALM, which presents the data in a vendor-agnostic shape, we are able to leverage the DevOps methodologies in networking.
NAPALM support is now integrated in the official Salt releases, beginning with Carbon and improved in Nitrogen. Beyond cross-vendor configuration management, reaction to internal and external network events becomes easy and there are no orchestration boundaries.
In this tutorial, we will learn how we can leverage Salt for event-driven automation, reacting with configuration changes, alerts, or different types of notifications (email, SMS, web hooks, etc.) in response to network state changes. While Salt is flexible enough to be extended for any business logic and ingest the events from any resource, in this session we will focus on exploiting the syslog messages received from the network devices via a third-party, open source daemon, napalm-logs, which provides the platform abstraction for the syslog messages.
This tutorial will introduce the different IPv6-only transition technologies that apply to both broadband and cellular networks, comparing them and discussing the required steps to deploy IPv6-only with IPv4-as-a-service (IPv4aaS) in an ISP/enterprise network.
The transition mechanisms will include:
- Tunnelling (6RD, DS-Lite, lw4o6, MAP-E)
- Translation (MAP-T, 464XLAT, NAT64)
The main effort will be devoted to how to IPv4aaS and in the hands-on, to setup NAT64, DNS64 and 464XLAT and the implications for DNSSEC and possible solution approaches, based on the IETF work:
90 minutes will be used for the tutorial part and the 2nd 90 minutes to allow the participants to do their own labs.
Although many visible IPv6 deployment metrics show small-percentage prevalence of IPv6 connectivity, the proportion of popular resources that are available to IPv6 clients on a well-connected dual stack network can exceed 50%. Popular content spheres, such as Google, YouTube, Netflix, Yahoo, Wikipedia, and various CDNs offer content over IPv6, and for many users, those providers comprise a large percentage of requested content. If we are at the point of getting IPv4 and IPv6 in similar proportions, the question arises as to whether an organization can make the jump to running an IPv6-only network, and delivering IPv4 as a service. Our experience has shown that a well tuned IPv6-Only network can be indistinguishable from a dual-stack or IPv4-only network. This tutorial provides details into how to build DNS64/NAT64/464XLAT networks, reports on experiences from universities that have already deployed and spent time with such networks, and first-hand experiences of an IPv6-Only wireless network in the tutorial.
This tutorial was presented at Internet2 Technology Exchanges in 2017 and 2018.
Details on how DNS works and how it is secured by digitally signing all resource records. Also covers how keys are managed and verified, including key rollover. I was the architect on SolidDNS, hence have a deep understanding of this subject. Also includes how a DNS appliance can do instant prefix renumbering.
There has been an explosion of data center technologies over the past few years driven by the advent of cloud and SDN. The aim of this session is to walk through VXLAN BGP EVPN technology building blocks used to build highly scalable and reliable data centers.
ZFS is known as 'the last word in filesystems'. This tutorial will get your hands dirty with installing, configuring and managing reliable and scalable storage systems with ZFS on FreeBSD. We will cover pool-based storage, optimising storage systems for performance and redundancy and practise zero-downtime recovery from common storage events such as failing disks or running out of space. Participants should bring a laptop with either VirtualBox or VMware installed.
- Mark Tinka
- Aftab Siddiqui
With ever growing routing related incidents happening on a daily basis, there is a need to have an open and candid discussion among the network operators community to find the possible way forward. To address this I would like to propose a Routing Security BoF, where operators can share their approach in securing their own infrastructure and keeping the internet routing table clean as well.
Also, this will provide a platform to discuss how operators are looking at RPKI and what are the roadblocks and will try to find out if anyone has implemented ROV.