APRICOT 2021
22 February – 4 March 2021

Accepted Presentations

Keynote

Navigating the Post-Pandemic World as an Internet Community.

  • Göran Marby

Navigating the Post-Pandemic World as an Internet Community.

The COVID-19 pandemic has changed the world, from how we work, to how we interact. Everyone’s lives have been impacted in one way or another. The Internet features more prominently in our lives now than ever. Göran Marby, ICANN President and CEO, will share his top concerns about today’s Internet. How secure and safe is it? Should we build more regulations and policies as the Internet welcomes the next billion Internet users onboard? How can the Internet community continue to do its work when travel and in-person meetings remain a challenge?

Conference

DNS Privacy - An Update

  • Geoff Huston

It is time to replace MD5...with TCP-AO

  • Melchior Aelmans

BGP in 2020

  • Geoff Huston

RPKI Invalids aren't going away

  • Md Abdul Awal

Lawful Interception and the OpenLI Project

  • Shane Alcock

SEBA (SDN-enabled Broadband Access)

  • Aris Risdianto

Asia Pacific Networks in 2020

  • Shermaine Yung

No, it wasn't a hijack!!!

  • Aftab Siddiqui

Deployment of TLD Anycast node to ISPs for stability and resiliency

  • Takayasu Matsuura
  • Nagisa Yano

How ProjectBASS data Proved Useful for many applications

  • Wilson Chua

Seamless Segment Routing

  • Shraddha Hegde

People, Process and Technology, Leverage Open Source Technology to build your SOC

  • A.S.M Shamim Reza

IP Flexalgo

  • Ron Bonica

RPKI ROA push in India

  • Anurag Bhatia

Securing Your Network Using Shadowserver's Daily Network Reports

  • Piotr Kijewski

Approaching 1024k - Are there limits that can cause some incidents on the Internet?

  • Danny Pinto

Campaign Distillery: Graph Methods for Reducing Spam Analysis

  • Renee Burton

RPKI at Hurricane Electric

  • Susan Forney

DNS Privacy - An Update

A look at the current efforts to improve aspects of privacy in the DNS and an assessment of their effectiveness. The presentation is not overly optimistic about the prospects for widespread adoption, because, as the presentation points out, the economy of DNS name resolution is not all that susceptible to innovation. This is perhaps the biggest barrier to adoption of any of the privacy proposals.

It is time to replace MD5...with TCP-AO

There have been many recent concerns about TCP MD5. Its use of a simple keyed hash for authentication is problematic because there have been escalating attacks on the algorithm itself. TCP MD5 also lacks both key-management and algorithm agility.

In this talk I want to present an often talked about but till now never implemented solution to this issue: the TCP Authentication Option (TCP-AO). Nokia, Cisco and Juniper now have production code available, so it is time to start replacing MD5 with TCP-AO to secure BGP and other (long-lived) TCP connections.

BGP in 2020

A look at the previous year in BGP, looking at the change in the size of the routing table and its dynamic behaviours. The presentation predicts the future growth of the network in the coming years based on this data. It is intended to be a short update.

RPKI Invalids aren't going away

The presentation focuses on RPKI invalid prefixes in the South Asian region. Over the past year there have been tremendous improvements in terms of RPKI valid prefixes, but the invalid prefixes have consistently persisted. With some simple diagrams and examples, these are analyzed to get more attention from the South Asian network operators.

The presentation intends to create awareness on RPKI and routing security in general.

Lawful Interception and the OpenLI Project

Recent updates to communications and cybercrime legislation in many countries have meant that an increasing number of network operators are finding themselves having to comply with lawful interception regulations. However, this can be a very expensive and time-consuming problem to solve, and many network operators in the APNIC region will find that the commercial vendor solutions for lawful intercept are not affordable.

In this talk, I will introduce the OpenLI project, which is an open-source implementation of the ETSI Lawful Intercept standards that are used throughout the world. OpenLI was created in response to a legislative change in New Zealand that required almost all network operators to be capable of producing real-time, ETSI-formatted traffic intercepts on demand. OpenLI has since been adopted by multiple New Zealand ISPs and has been attracting interest from operators in other countries as well. I will also reflect on some of the lessons we have learned along the way and how we hope to keep the project growing in the longer term.

SEBA (SDN-enabled Broadband Access)

This presentation continues the description of CORD (Central Office Re-architected as a Datacenter), an open-source solution for service providers, but covers a different part of the implementation. The presentation at the previous APRICOT 2020 described solutions for SDN/NFV-based fabrics inside the DC-like CO, called Trellis. This presentation describes solutions to connect residential users to the CO for delivering broadband Internet access. This solution is called SEBA, which is a lightweight platform based on a variant of R-CORD. It supports a multitude of virtualized access technologies at the edge of the carrier network, including PON, G.Fast, and eventually DOCSIS and more. SEBA supports both residential access and wireless backhaul and is optimized such that traffic can run a 'fast path' straight through to the backbone without requiring VNF processing on a server. SEBA includes NEM (Network Edge Mediator), which leverages the XOS toolchain to provide mediation to different operators' backend management/OSS systems and FCAPS support to operationalize the platform.

AT&T has deployed live field trials of SEBA in Atlanta and Irving, Texas. The operator is using the platform to provide low-latency home internet access via white-box hardware to 500 homes. The current access network uses FTTC/FTTH with a two-tiered central office architecture that leverages ONF's SEBA. With 8,000 tier 2 central offices serving approximately 30,000 customers, Turk Telekom has two SEBA deployments in Turkey and plans for ongoing commercial site integration of SEBA within TT's network to connect more than 49 million subscribers.

Asia Pacific Networks in 2020

This presentation summarises the development in network infrastructure in 2020, looking at the impacts of COVID-19, Internet bandwidth trends, colocation and on-ramps, IP transit pricing and trends, and concludes with a look at what might be next.

No, it wasn't a hijack!!!

It is very common to make mistakes during configuration of BGP, especially while entering an ASN for prepend. Just to find out how bad the problem is, I looked up the data from MANRS Observatory [source: bgpstream.com] for the last 3 years to check any possible hijack event involving ASNs from 1 to 10 and any ASN which doesn't look right, e.g. AS1111111.

These are mistakes but are definitely considered hijacks. In this presentation I will review the data of these years and highlight major incidents.

Deployment of TLD Anycast node to ISPs for stability and resiliency

The Tokyo Olympics are scheduled to take place in 2021. However, it is necessary to prepare for large-scale cyber-attacks that may occur at every Olympics. When cyber attacks are targeted at facilities located in Tokyo and Osaka, ISPs in local areas will not be able to resolve names. The Internet could become logically divided in Japan.

The goal of this project is to enhance the DNS resiliency against logical Internet divide. In this exercise, we have deployed local nodes, so that DNS name resolution can continue even in the event of a DDoS attack on DNS servers in Tokyo and Osaka.

How ProjectBASS data Proved Useful for many applications

ProjectBASS is a mobile app used to measure internet bandwidth. As COVID rampaged over the country, the data we collected proved useful for many other applications.

We help not only telcos/ISPs monitor their bandwidth, but also the Educational, Economic, Health and other sectors.

Seamless Segment Routing

In order to operate networks with large numbers of devices, network operators organize networks into multiple smaller network domains. Each network domain typically runs an IGP which has complete visibility within its own domain, but limited visibility outside of its domain. Seamless Segment Routing (Seamless SR) provides flexible, scalable and reliable end-to-end connectivity for services across independent network domains. Seamless SR accommodates domains using SR, LDP, and RSVP for MPLS label distribution as well as domains running IP without MPLS (IP-Fabric).

People, Process and Technology, Leverage Open Source Technology to build your SOC

Centralized functions reduce the burden of manual data sharing, monitoring, and reporting. The optimized security operations model requires adopting a security framework that makes it easier to integrate security solutions and threat intelligence into the day-to-day process. This talk is all about working with the maturity model of People, Process, and Technology, and is based on the project that I completed in May 2020 for my current organization.

IP Flexalgo

IP Flexalgo allows Intradomain Gateway Protocols (e.g., IS-IS, OSPF) to steer packets along constraint-based paths. Unlike other traffic engineering mechanisms, it does not rely on forwarding plane encapsulation. It can be deployed in the absence of MPLS and IP-in-IP encapsulation. It can also be deployed in the absence of RSVP and Segment Routing.

RPKI ROA push in India

This talk covers the RPKI ROA push in India, with a focus on how we tracked signed prefixes on a daily basis and ran an outreach which resulted in a jump from 12% in July 2020 to 42% now. It also covers the working of rpki.anuragbhatia.com and how it tracks countries in Asia for their RPKI ROA status.

Securing Your Network Using Shadowserver's Daily Network Reports

Securing your Network using Shadowserver Reports helps organizations learn about this unique public benefit tool.

What if there was a public benefit, free to use, security report that provided you a complete overview of your security risk? What if this tool allowed you to see what the bad guys are seeing on your network? What if this tool highlighted devices that are infected with malware? What if this tool lets you know when your devices are out of security compliance? Wouldn't it be nice if every network had access to this type of reporting?

This daily report exists today! Shadowserver's Daily Network Report is a public benefit tool that provides +80 reports on your network organization. It is a public benefit service funded by the community for the community. This session will walk through how Shadowserver builds these reports, what you receive in your daily updates, and how to effectively use these reports to secure your network. This online class will help each organization to apply to receive these reports. We will close with an example of a mobile operator who used Shadowserver's Daily Network Reports as the only source of threat intelligence to lock down their network.

Approaching 1024k - Are there limits that can cause some incidents on the Internet?

The global Internet routing table is growing over the years and will cross the 1024k number sometime in 2022 for many operators. The objective of this presentation is to sensitize the operator community to review the state of networks and possible hardware and software limits that they may be ignoring as we approach these special numbers - 1024k and 128k.

This presentation briefly goes through the event on August 12th, 2014 when the global Internet routing table crossed the 512k limit. There were some incidents and observations on operator networks during the 512k event that are worth considering for future planning.

The presentation refers to some brilliant work and research done on BGP table growth and prediction by researchers, and to reports from APNIC. As operator networks reach 1024k v4 prefixes and 128k v6 prefixes on their router tables, the approach suggests a proactive review and preparedness ahead of time. The focus should be on their network hardware estate to identify devices with hardware limits for v4 and v6. There is also a definitive need to review operators' routing configuration standards, including knobs for protocols. Network operating system configuration and features may look identical across network vendors, but their behaviors can have subtle variations that are worth understanding for further actions. An example of maximum prefix limit is considered for explanation. The presentation closes with an earnest submission on the need for proactive review and optimization of operators' production networks to sustain network hygiene, security and availability of the Internet.

Campaign Distillery: Graph Methods for Reducing Spam Analysis

We introduce graph methods used to isolate large volumes of spam into campaigns for malware identification. These novel but simple and intuitive approaches reduce the burden of analysis with surprisingly high accuracy. These approaches have led to the discovery of multiple actors, including WordyThief, a Russian criminal that distributes information-stealing malware via spam.

RPKI at Hurricane Electric

This talk explains how Hurricane Electric deployed RPKI ROA validation in its network and reports on the current state of RPKI, the trends in ROA creation, and how RPKI does and does not protect the Internet.

Peering Forum

National Internet Exchange of Afghanistan

  • Sherafzal Yousifzai

IXPDB Update

  • Bijal Sanghani

Beyond Technology: A look into the Philippine Data Center Ecosystem

  • TBA

Route leak and hijack detection innovation at China's first IXP in Hangzhou

  • Shicong Zhang

Peering Personals

  • SKY/AS23944
  • Globe/AS4775
  • Alibaba Cloud CDN ASN 24429
  • PCH (AS42 & AS3856)
  • Fastly (AS54113)
  • Time Dotcom (AS9930)
  • Eastern Communications (AS9658)
  • PLDT (AS9299)
  • IDC Frontier Inc (AS4694)
  • COLT (AS8220)

IXP Personals

  • NNIX
  • SGIX
  • JPIX
  • IX.br (AS26162)
  • Matrix Cable Internet Exchange (MCIX) - AS55818

IXPDB Update

During this presentation I will go through the latest developments and tools that are available via the IXPDB. These tools can be used by networks, IXPs and researchers to gain real-time trusted interconnection data provided directly from IXPs.

Beyond Technology: A look into the Philippine Data Center Ecosystem

Data centers are not just about redundancies, resiliency, or continuity. It is also about the ecosystem within. In the absence of an ecosystem, it is a plain and simple real estate and power offering. The creation of value beyond space and power is the heart of the data center and the reason why it thrives.

This presentation examines the thriving datacentre ecosystem in the Philippines.

Route leak and hijack detection innovation at China's first IXP in Hangzhou

China's first IXP has been founded recently. We give a brief introduction to what it is like to operate an IXP in China and the major challenges we have met from the start. We would also like to introduce the efforts we have made to protect routing security at the IXP through BGP route collection and detection.

Tutorials

Securing Internet Routing with RPKI

  • Tashi Phuntsho
  • Bayani (Bani) Benjamin Lara

Network Monitoring & Management 2.0 Tutorial

  • Hervey Allen

Wireless Deployment Tutorial

  • Sebastian Büttrich

IPv6 Deployment

  • Jordi Palet

DNSSEC Operations Tutorial

  • Phil Regnauld
  • Champika Wijayatunga

MANRS Tutorial

  • Warrick Mitchell

Realities of Today's DDoS Security Risk

  • Barry Greene

DNS is Under Attack: the Miscreant's Offensive Playbook with a Defensive Counter

  • Barry Greene

Meaningful Security Conversations with your Vendors: Can vendors ever provide secure solutions?

  • Barry Greene

IP Address for Router and Host Reachability

  • Shishio Tsuchiya

Network automation and programmability of cloud hosted network appliances

  • Toni Yannick Kalombo

BGP Introduction, Attributes and Scaling Techniques

  • Philip Smith

BGP Multihoming: Introduction and Deployment Examples

  • Philip Smith

BGP Best Current Practices

  • Philip Smith

Securing Internet Routing with RPKI


Why do we keep seeing news headlines about major networks not being reachable because traffic got rerouted to somewhere else? BGP mishaps are very common and frighteningly easy to cause. Examples are malicious route hijacking, mis-origination (fat fingers), and bad filters (route leaks). We need better mechanism(s) to ensure no one can inject false information into the global routing system that easily. This tutorial will look at current route filtering tools/techniques, how RPKI is just a piece in the puzzle, and what we should do to secure Internet routing.

Pre-requisites

This tutorial is for delegates who manage their IP resources (tech/corp contacts). Delegates are required to come with MFA/OTP already enabled for their account and with the necessary permission from their Corp contacts, to not just demo creating ROAs, but also to sign their prefixes for use in their operations.


IPv6 Deployment

This tutorial will introduce both technical and non-technical aspects, based on real experiences in hundreds of networks, for the deployment of IPv6 in your own ISP network (covering both wireline and cellular).

This tutorial will take 8 sessions, 1 hour each, in 4 days (2 sessions per day).

The first goal is that decision makers and engineers have an overall view (mainly in the 2 first sessions), of key points such as:

  1. What happened with IPv4 and what is IPv6
  2. Why you need IPv6 in your network?
  3. What is the rest of the world doing?
  4. Do you have workarounds?
  5. How can I do it in my own network?
  6. What are the required upgrades?
  7. What are the costs?

The tutorial will be carried out in such a way that the engineers can also understand key points related to:

  • Deployment of IPv6 in the core IP backbone (session 3)
  • Deployment of IPv6 in wireline access network (xDSL, Cable, FTTx) (session 4)
  • Deployment of IPv6-only and IPv4aaS (IPv4-as-a-Service) (session 5 & 6)
  • Deployment of IPv6 in cellular networks (session 7)
  • Deployment of IPv6 in Data Centers (content hosting) (session 8)

Note that the exact match of contents and sessions may depend on the Q&A sessions.


MANRS Tutorial

There are over 65,000 networks comprising the Internet that exchange reachability information using the Border Gateway Protocol (BGP), but the problem is that BGP is almost entirely based on trust with no built-in validation of the legitimacy of routing updates. This causes many problems such as IP prefix hijacking, route leaks, and IP address spoofing, and there have been a growing number of major incidents in the past few years. There are solutions to address these issues, but securing one's own network does not necessarily make it more secure as it remains reliant on other operators also implementing these solutions too.

The Mutually Assured Norms for Routing Security (MANRS) initiative therefore tries to address these problems by encouraging network operators, content providers and IXPs to subscribe to four actions including filtering, anti-spoofing, coordination and address prefix validation, and has developed resources to help them implement these. The MANRS Observatory has recently been developed to help network operators to view routing incidents that affect their networks, to check the general routing health of networks, countries and regions, and to provide a longer-term overview on whether routing incidents are getting better or worse.

Realities of Today's DDoS Security Risk

DDoS Extortion will not go away. It is a cyclical international crime that can only be stopped when the DDoS Extortionists are arrested. In 2020, organizations woke up to a new wave of DDoS Extortion activities. These attacks caught organizations with their DDoS guards down. They thought 'DDoS was in the past.'

This session walks through the reasons why we have DDoS Extortion, the criminal behaviours behind DDoS Extortionists, and essential DDoS Preparation tools any organization can deploy to reduce their risk when a DDoS Extortionist knocks on the door.

DNS is Under Attack: the Miscreant's Offensive Playbook with a Defensive Counter

Our DNS is Under Attack is not something anyone wants to hear. DNS's critical role is a threat attacker. Taking out DNS is easier than trying to take down a web site. Smart miscreants have a playbook of offensive DNS attack techniques that they can use against any organization.

Attacks against DNS are broad, yet critical to everything on the Internet. This multi-episode series will start with the miscreant threat to DNS and then expand to many other topics. Each episode will focus on the threat and the defensive countermeasures which have proven to push back against the miscreant threat. After the miscreant threats, we will expand into a range of topics around resiliency.

  • Why would people attack the DNS Infrastructure?
  • Attack vectors miscreants use against the DNS Authoritative Infrastructure
  • Attack vectors miscreants use against the DNS Resolver Infrastructure
  • Defensive DNS Principles all organizations can use to deploy DNS Resiliency (this session will use Akamai examples as a tool to illustrate BCPs).
  • Key takeaways to help you when your DNS is Under Attack:
      • DNS is an attack vector that must be protected to keep the business safe.
      • Awareness of the types of DNS attacks used to disrupt, take down, and abuse an organization.
      • DNS Defensive Playbook used to protect an organization from the Miscreant DNS Attacks.

This tutorial also covers an action checklist for Registrar Security. Protecting your domain names on the DNS Registrar is often overlooked, ignored, and neglected. As seen with the 2019 DNSpionage Campaign and Sea Turtle attacks, many of these attacks have goals far more sinister than merely taking a company offline or defacing a website. Expect domain name attacks to include techniques that redirect some or all of an organization's domain to gain access to protected resources, intercept traffic, and even obtain TLS certificates for that domain.

The Protecting Your Domain Names guidelines are based on ICANN recommendations and industry experiences. Most of these recommendations are based on protecting the domain name's DNS Registry, Registrar, and administrative functions.

Note: These sessions are based on the decades of DNS Security experiences, but done currently through Akamai Technologies. The recommendations apply across the industry with multiple DNS security architecture options available to organizations. The key is to focus on the DNS security principles, vectors used by the miscreants, and common-sense tools.

Meaningful Security Conversations with your Vendors: Can vendors ever provide secure solutions?

It is critical to have meaningful security conversations with your vendors. Operators depend on their vendors to supply products and solutions that are secure. As all operators have experienced, 'secure products' is almost always a vendor afterthought. This leads to an operational risk that in some cases turns deadly.

In this session, we will explore realistic expectations for 'vendor security.' These expectations are based on 25 years of operator and vendor experience - with direct experience on some of the nastiest vulnerabilities, horrendous APT abuses, and industry-wide attack vectors. We'll focus on 'meaningful conversations' every operator should be having with their vendor (& providers). The session walks through a 'conversation guide' that empowers the staff in an Operator with key questions that would drive and push the vendor to either deliver security, fix their security, or get out and sell their unsecured junk somewhere else.

The session is accompanied by a white paper 'Meaningful Security Conversations: Questions to ask vendors to gauge their commitment to 'Secure Products' and Demand Security.'

Don't sit and wait for the next expensive exploit to impact your network. You do not need an expert to have these meaningful conversations. Start with following this meaningful security conversation script.

Vendors will only respond to security issues if their customers demand them to respond to security requests. In a world that facilitates innovation, time to market and competitive pressures dominate the vendor's 'top of mind thinking.' Security is only 'top of mind' if their customers are consistently interacting with them to do their best to secure their products. These are the same products deployed on your network.

This session on meaningful security conversations provides the participants with a step-by-step conversation tool that can be used with any vendor. The object is to deliver results so that all parties can reduce risk.

IP Address for Router and Host Reachability

IP addresses are used to connect computers to each other, and routing protocols are used to carry this reachability.

Because IP addresses, a valuable resource, need to be used even between routers, point-to-point links use a 30-bit mask to indicate each node and broadcast/network, or use /31 (RFC3021).

IPv6 uses link-local addresses, perhaps because it is a bit nonsensical to consume valuable resources, even though routers are designed to carry reachability. In data centers, routing design using this feature of IPv6 and RFC5549 is gradually increasing.

In this session, based on this background, we will share IP address related topics such as RFC5309 P2P over LAN, techniques for distributing scattered host routes in the network, and considerations for using only Link Local (RFC7404). I will also give an update about class E.

Network automation and programmability of cloud hosted network appliances

As more organisations adopt the cloud and with the rise of IoT, VNFs have found a home in the cloud. This presentation demonstrates the automation of network appliances in the cloud as well as configuring them to host software defined network functions as services in the cloud.

BGP Introduction, Attributes and Scaling Techniques

This two-hour tutorial introduces the Border Gateway Protocol (BGP), what it is used for and how it is implemented, the main BGP attributes and what they are used for, and concludes by looking at some of the current best practice BGP scaling techniques. The tutorial is suitable for newcomers to BGP, or those who are looking to refresh their knowledge about the protocol.

BGP Multihoming: Introduction and Deployment Examples

This two-hour tutorial covers the theory behind multihoming and looks at some simple examples to introduce the newcomer to how to connect their network to two upstream providers for redundancy and resiliency. The second half of the tutorial then looks at practical deployment examples for small end-site networks, covering what they need to do, configuration options they have, and what they need to request of their upstream providers.

BGP Best Current Practices

This two-hour tutorial looks at the current industry best practices for BGP configuration and operations. Topics covered range from filtering to aggregation to configuration tricks that are implemented by many of the major networks around the world. The tutorial is an essential guide for both newcomers to BGP and for those who have used BGP for years and are wishing to refresh their skills.