Navigating the Post-Pandemic World as an Internet Community.
- Göran Marby
A look at the current efforts to improve aspects of privacy in the DNS and an assessment of their effectiveness. The presentation is not overly optimistic about the prospects for widespread adoption because, as the presentation points out, the economy of DNS name resolution is not all that susceptible to innovation. This is perhaps the biggest barrier to adoption of any of the privacy proposals.
There have been many recent concerns about TCP MD5. Its use of a simple keyed hash for authentication is problematic because there have been escalating attacks on the algorithm itself. TCP MD5 also lacks both key-management and algorithm agility.
In this talk I want to present an often-talked-about but until now never implemented solution to this issue: the TCP Authentication Option (TCP-AO). Nokia, Cisco and Juniper now have production code available, so it is time to start replacing MD5 with TCP-AO to secure BGP and other (long-lived) TCP connections.
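The two properties the talk contrasts, key management and per-connection keys, are easier to see in code than in prose. The block below is an added example written for this page, not code from the talk or from any vendor implementation. It models TCP-AO's Master Key Tuple table (KeyID/RNextKeyID), the RFC 5926 traffic-key derivation and an HMAC-SHA-1-96 MAC, and walks a session from one master key to the next without a reset. Assumptions: the KDF input layout follows the editor's reading of RFC 5926 (counter 0x01, label "TCP-AO", IPv4 socket pair and ISNs, output length in bits), and `covered_bytes()` is a simplified stand-in for the SNE, pseudoheader, header, options and data that a real MAC covers; the addresses, ports, ISNs and keys are constructed.

```python
"""Toy model of what TCP-AO (RFC 5925/5926) adds over TCP MD5 (RFC 2385).
Added example; KDF layout and covered bytes are the editor's assumptions."""
import hashlib
import hmac
import ipaddress
import struct


def kdf_hmac_sha1(master_key, saddr, daddr, sport, dport, sisn, disn):
    """RFC 5926 KDF_HMAC_SHA1 (assumed layout): a per-connection, per-direction
    traffic key, so a leaked traffic key does not expose the master key."""
    ctx = (b"\x01" + b"TCP-AO"
           + ipaddress.IPv4Address(saddr).packed
           + ipaddress.IPv4Address(daddr).packed
           + struct.pack("!HHII", sport, dport, sisn, disn)
           + struct.pack("!H", 160))            # output length in bits
    return hmac.new(master_key, ctx, hashlib.sha1).digest()


def mac_hmac_sha1_96(traffic_key, covered):
    """HMAC-SHA-1-96: the full HMAC truncated to the 12-byte MAC field."""
    return hmac.new(traffic_key, covered, hashlib.sha1).digest()[:12]


def covered_bytes(sne, src_ip, dst_ip, sport, dport, seq, ack, payload):
    """Simplified stand-in (assumption): SNE || IPv4 pseudoheader || TCP header
    with checksum zeroed || data; TCP options are omitted."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, 20 + len(payload)))
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         5 << 4, 0x18, 65535, 0, 0)   # offset 5, PSH|ACK, csum 0
    return struct.pack("!I", sne) + pseudo + header + payload


class Endpoint:
    """One side of a connection. Master Key Tuples are indexed by KeyID;
    TCP MD5 has one static key and no identifier, so it cannot roll keys."""

    def __init__(self, ip, port, isn, peer_ip, peer_port, peer_isn):
        self.ip, self.port, self.isn = ip, port, isn
        self.peer_ip, self.peer_port, self.peer_isn = peer_ip, peer_port, peer_isn
        self.mkts = {}        # KeyID -> master key
        self.current = None   # KeyID we sign with
        self.rnext = None     # KeyID we ask the peer to sign with (RNextKeyID)

    def add_key(self, key_id, master_key):
        self.mkts[key_id] = master_key

    def send_key(self, key_id):
        return kdf_hmac_sha1(self.mkts[key_id], self.ip, self.peer_ip,
                             self.port, self.peer_port, self.isn, self.peer_isn)

    def recv_key(self, key_id):   # direction swapped: equals the peer's send key
        return kdf_hmac_sha1(self.mkts[key_id], self.peer_ip, self.ip,
                             self.peer_port, self.port, self.peer_isn, self.isn)

    def protect(self, covered):
        """Fields carried in the outgoing TCP-AO option."""
        return {"key_id": self.current, "rnext_key_id": self.rnext,
                "mac": mac_hmac_sha1_96(self.send_key(self.current), covered)}

    def verify(self, option, covered):
        if option["key_id"] not in self.mkts:
            return False                          # unknown KeyID: drop, no reset
        expected = mac_hmac_sha1_96(self.recv_key(option["key_id"]), covered)
        if not hmac.compare_digest(expected, option["mac"]):
            return False
        if option["rnext_key_id"] in self.mkts:   # peer asked us to roll: do it
            self.current = option["rnext_key_id"]
        return True


def rollover_demo():
    """Move a live session from key 1 to key 2 without a reset; returns each check."""
    a = Endpoint("192.0.2.1", 179, 1000, "198.51.100.1", 50000, 2000)
    b = Endpoint("198.51.100.1", 50000, 2000, "192.0.2.1", 179, 1000)
    for ep in (a, b):
        ep.add_key(1, b"shared-master-key-1")
        ep.current = ep.rnext = 1
    r = {}
    seg = covered_bytes(0, a.ip, b.ip, a.port, b.port, 1001, 2001, b"UPDATE")
    opt = a.protect(seg)
    r["first_ok"] = b.verify(opt, seg)
    r["tampered_ok"] = b.verify(opt, seg[:-6] + b"HIJACK")
    a.add_key(2, b"shared-master-key-2")       # provision key 2 on both sides
    b.add_key(2, b"shared-master-key-2")
    a.rnext = 2                                # a asks b to start signing with 2
    seg = covered_bytes(0, a.ip, b.ip, a.port, b.port, 1007, 2001, b"KEEPALIVE")
    r["peer_rolled"] = b.verify(a.protect(seg), seg) and b.current == 2
    b.rnext = 2
    seg = covered_bytes(0, b.ip, a.ip, b.port, a.port, 2001, 1016, b"KEEPALIVE")
    r["after_rollover_ok"] = a.verify(b.protect(seg), seg) and a.current == 2
    del a.mkts[1], b.mkts[1]                   # retire key 1; session continues
    seg = covered_bytes(0, a.ip, b.ip, a.port, b.port, 1016, 2010, b"UPDATE")
    r["steady_state_ok"] = b.verify(a.protect(seg), seg)
    r["retired_key_ok"] = b.verify({"key_id": 1, "rnext_key_id": 2, "mac": bytes(12)}, seg)
    return r
```

Running `rollover_demo()` shows the point of the KeyID table: a segment carrying a retired or unknown KeyID is simply dropped rather than resetting the session, and both sides move to the new key while BGP keeps running. With TCP MD5 the same change means a password swap on both routers and a session flap.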
A look at the previous year in BGP, looking at the change in the size of the routing table and its dynamic behaviours. The presentation predicts the future growth of the network in the coming years based on this data. It is intended to be a short update.
The presentation focuses on RPKI-invalid prefixes in the South Asian region. Over the past year there have been tremendous improvements in the number of RPKI-valid prefixes, but invalid prefixes have persisted. With some simple diagrams and examples, the data has been analysed to draw the attention of South Asian network operators.
The presentation intends to create awareness on RPKI and routing security in general.
Recent updates to communications and cybercrime legislation in many countries have meant that an increasing number of network operators are finding themselves having to comply with lawful interception regulations. However, this can be a very expensive and time-consuming problem to solve, and many network operators in the APNIC region will find that the commercial vendor solutions for lawful intercept are not affordable.
In this talk, I will introduce the OpenLI project, which is an open-source implementation of the ETSI Lawful Intercept standards that are used throughout the world. OpenLI was created in response to a legislative change in New Zealand that required almost all network operators to be capable of producing real-time, ETSI-formatted traffic intercepts on demand. OpenLI has since been adopted by multiple New Zealand ISPs and has been attracting interest from operators in other countries as well. I will also reflect on some of the lessons we have learned along the way and how we hope to keep the project growing in the longer term.
This presentation continues the description of CORD (Central Office Re-architected as a Datacenter), an open-source solution for service providers, but covers a different part of the implementation. The presentation at APRICOT 2020 described Trellis, the SDN/NFV-based fabric inside the DC-like CO. This presentation describes the solution that connects residential users to the CO for delivering broadband Internet access. This solution is called SEBA, a lightweight platform based on a variant of R-CORD. It supports a multitude of virtualized access technologies at the edge of the carrier network, including PON, G.Fast, and eventually DOCSIS and more. SEBA supports both residential access and wireless backhaul and is optimized such that traffic can run a 'fast path' straight through to the backbone without requiring VNF processing on a server. SEBA includes NEM (Network Edge Mediator), which leverages the XOS toolchain to provide mediation to different operators' backend management/OSS systems and FCAPS support to operationalize the platform.
AT&T has deployed live field trials of SEBA in Atlanta and Irving, Texas. The operator is using the platform to provide low-latency home internet access via white-box hardware to 500 homes. The current access network uses FTTC/FTTH with a two-tiered central office architecture that leverages ONF's SEBA, with 8,000 tier 2 central offices serving approximately 30,000 customers. Turk Telekom has two SEBA deployments in Turkey and plans ongoing commercial site integration of SEBA within TT's network to connect more than 49 million subscribers.
This presentation summarises the development in network infrastructure in 2020, looking at the impacts of COVID-19, Internet bandwidth trends, colocation and on-ramps, IP transit pricing and trends, and concludes with a look at what might be next.
It is very common to make mistakes when configuring BGP, especially when entering an ASN for prepending. To find out how bad the problem is, I looked up data from the MANRS Observatory [source: bgpstream.com] for the last 3 years to check for any possible hijack event involving an ASN from 1 to 10, or any ASN that doesn't look right, e.g. AS1111111.
These are mistakes, but they are definitely considered hijacks. In this presentation I will review the data from these years and highlight major incidents.
The Tokyo Olympics are scheduled to take place in 2021, and it is necessary to prepare for the large-scale cyber attacks that may occur at every Olympics. If cyber attacks target facilities located in Tokyo and Osaka, ISPs in other regions will not be able to resolve names, and the Internet in Japan could become logically divided.
The goal of this project is to enhance DNS resiliency against such a logical division of the Internet. In this exercise, we deployed local nodes so that DNS name resolution can continue even in the event of a DDoS attack on DNS servers in Tokyo and Osaka.
ProjectBASS is a mobile app used to measure internet bandwidth. As COVID-19 spread across the country, the data we collected proved useful for many other applications.
We not only help telcos/ISPs monitor their bandwidth, but also the educational, economic, health and other sectors as well.
In order to operate networks with large numbers of devices, network operators organize networks into multiple smaller network domains. Each network domain typically runs an IGP which has complete visibility within its own domain, but limited visibility outside of its domain. Seamless Segment Routing (Seamless SR) provides flexible, scalable and reliable end-to-end connectivity for services across independent network domains. Seamless SR accommodates domains using SR, LDP, and RSVP for MPLS label distribution as well as domains running IP without MPLS (IP-Fabric).
Centralized functions reduce the burden of manual data sharing, monitoring, and reporting. The optimized security operations model requires adopting a security framework that makes it easier to integrate security solutions and threat intelligence into the day-to-day process. This talk is about working with a People, Process and Technology maturity model, and is based on a project I completed in May 2020 for my current organization.
IP Flexalgo allows Interior Gateway Protocols (e.g., IS-IS, OSPF) to steer packets along constraint-based paths. Unlike other traffic engineering mechanisms, it does not rely on forwarding-plane encapsulation. It can be deployed in the absence of MPLS and IP-in-IP encapsulation. It can also be deployed in the absence of RSVP and Segment Routing.
This talk covers the RPKI ROA push in India, with a focus on how we tracked signed prefixes on a daily basis and ran an outreach campaign that resulted in a jump from 12% in July 2020 to 42% now. It also covers how rpki.anuragbhatia.com tracks the RPKI ROA status of countries in Asia.
Securing Your Network Using Shadowserver Reports helps organizations learn about this unique public benefit tool.
What if there was a public benefit, free-to-use security report that provided you with a complete overview of your security risk? What if this tool allowed you to see what the bad guys are seeing on your network? What if this tool highlighted devices that are infected with malware? What if this tool let you know when your devices are out of security compliance? Wouldn't it be nice if every network had access to this type of reporting?
This daily report exists today! Shadowserver's Daily Network Report is a public benefit tool that provides more than 80 reports on your organization's network. It is a public benefit service funded by the community for the community. This session will walk through how Shadowserver builds these reports, what you receive in your daily updates, and how to effectively use these reports to secure your network. This online class will help each organization apply to receive these reports. We will close with an example of a mobile operator who used Shadowserver's Daily Network Reports as the only source of threat intelligence to lock down their network.
The global internet routing table is growing over the years and will cross the 1024k mark sometime in 2022 for many operators. The objective of this presentation is to sensitize the operator community to review the state of their networks and the possible hardware and software limits that they may be ignoring as we approach these special numbers: 1024k and 128k.
This presentation briefly goes through the event on August 12th, 2014 when the global internet routing table crossed the 512k limit. There were some incidents and observations on operator networks during the 512k event that are worth considering for future planning.
The presentation refers to some brilliant work and research on BGP table growth and prediction by researchers and reports from APNIC. As operator networks reach 1024k v4 prefixes and 128k v6 prefixes in their router tables, the suggested approach is a proactive review and preparedness ahead of time. The focus should be on the network hardware estate, to identify devices with hardware limits for v4 and v6. There is also a definite need to review operators' routing configuration standards, including protocol knobs. Although network operating system configuration and features may look identical across vendors, their behaviours can have subtle variations that are worth understanding before acting. The maximum-prefix limit is used as an example. The presentation closes with an earnest call for proactive review and optimization of operators' production networks to sustain network hygiene, security and the availability of the Internet.
We introduce graph methods used to isolate large volumes of spam into campaigns for malware identification. These novel but simple and intuitive approaches reduce the burden of analysis with surprisingly high accuracy. They have led to the discovery of multiple actors, including WordyThief, a Russian criminal that distributes information-stealing malware via spam.
This talk explains how Hurricane Electric deployed RPKI ROA validation in its network and reports on the current state of RPKI, the trends in ROA creation, and how RPKI does and does not protect the Internet.
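The three RPKI abstracts above (invalid prefixes in South Asia, ROA coverage tracking in India, and Hurricane Electric's validation deployment) all rest on the same RFC 6811 origin validation step, so one added example serves them together. It is written for this page and is not code from Hurricane Electric, rpki.anuragbhatia.com or any validator; the VRPs and announcements are constructed from documentation prefixes and ASNs, and a real router would receive its VRPs from a validator over RTR (RFC 8210). It classifies each announcement as valid, invalid or notfound, applies a drop-invalid policy, and tallies per-country ROA coverage the way the tracking sites do.

```python
"""RFC 6811 origin validation over a constructed VRP set, plus a per-country
coverage tally. Added example; all prefixes, ASNs and countries are constructed."""
import ipaddress
from collections import Counter

# Validated ROA Payloads: (prefix, maxLength, origin ASN). Constructed.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),     # covers /22 to /24 announcements
    ("203.0.113.0/24", 24, 0),          # AS0 ROA: nobody may originate this
    ("2001:db8::/32", 48, 64496),
]

# Constructed announcements: (prefix, origin ASN, country of the originating AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496, "IN"),      # valid
    ("192.0.2.0/24", 64511, "IN"),      # invalid: covered, wrong origin
    ("198.19.0.0/16", 64496, "IN"),     # notfound: no ROA at all
    ("198.51.100.0/23", 64497, "BD"),   # valid: /23 is within maxLength 24
    ("198.51.100.0/25", 64497, "BD"),   # invalid: right origin, too specific
    ("198.18.0.0/15", 64498, "LK"),     # notfound
    ("203.0.113.0/24", 64499, "PK"),    # invalid: AS0 ROA
    ("2001:db8:1::/48", 64496, "IN"),   # valid (IPv6)
]


def validate(prefix, origin_asn, vrps=VRPS):
    """RFC 6811: notfound if no VRP covers the route; valid if some covering
    VRP matches the origin and the route is no longer than its maxLength;
    otherwise invalid."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if vrp.version == route.version and route.subnet_of(vrp):
            covering.append((max_len, asn))
    if not covering:
        return "notfound"
    if any(asn == origin_asn and route.prefixlen <= max_len for max_len, asn in covering):
        return "valid"
    return "invalid"


def accept(prefix, origin_asn, vrps=VRPS):
    """Drop-invalid policy: reject only 'invalid'. 'notfound' is still accepted,
    which is why unsigned space gets no protection from ROV."""
    return validate(prefix, origin_asn, vrps) != "invalid"


def summarise(announcements=ANNOUNCEMENTS, vrps=VRPS):
    """Overall state counts, per-country rows, and percent of prefixes with a ROA."""
    states = Counter()
    per_country = {}
    for prefix, asn, cc in announcements:
        state = validate(prefix, asn, vrps)
        states[state] += 1
        row = per_country.setdefault(cc, {"total": 0, "signed": 0, "invalid": 0})
        row["total"] += 1
        row["signed"] += state != "notfound"      # a covering ROA exists
        row["invalid"] += state == "invalid"
    coverage_pct = {cc: round(100 * r["signed"] / r["total"]) for cc, r in per_country.items()}
    return states, per_country, coverage_pct


if __name__ == "__main__":
    states, rows, pct = summarise()
    print(dict(states))
    for cc in sorted(rows):
        print(cc, rows[cc], "%d%% signed" % pct[cc])
```

Two cases are worth noticing in the output: a prefix can be "signed" and still invalid (the /25 is more specific than its ROA allows, which is the common self-inflicted invalid the South Asia talk describes), and an AS0 ROA makes any announcement of that space invalid by design.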
The presentation provides an update about the National Internet Exchange of Afghanistan, traffic levels, as well as the peering landscape and interconnection futures in Afghanistan.
During this presentation I will go through the latest developments and tools that are available via the IXPDB. These tools can be used by networks, IXPs and researchers to gain real-time trusted interconnection data provided directly from IXPs.
Data centers are not just about redundancy, resiliency, or continuity. They are also about the ecosystem within. In the absence of an ecosystem, a data center is a plain and simple real estate and power offering. The creation of value beyond space and power is the heart of the data center and the reason why it thrives.
This presentation examines the thriving datacentre ecosystem in the Philippines.
China's first IXP was founded recently. We give a brief introduction to what it is like to operate an IXP in China and the major challenges we have met from the start. We would also like to introduce the efforts we have made to protect routing security at the IXP through BGP route collection and detection.
This session is an opportunity for Internet Operators, Internet Exchange Points, and DataCentres hosting Internet Exchange Points to share their coordinates and technical details with the members of the peering community.
Why do we keep seeing news headlines about major networks not being reachable because traffic got rerouted somewhere else? BGP mishaps are very common and frighteningly easy. Examples are malicious route hijacking, mis-origination (fat fingers), and bad filters (route leaks). We need better mechanisms to ensure no one can inject false information into the global routing system that easily. This tutorial will look at current route filtering tools and techniques, how RPKI is just one piece of the puzzle, and what we should do to secure Internet routing.
Pre-requisites
This tutorial is for delegates who manage their IP resources (tech/corp contacts). Delegates are required to come with MFA/OTP already enabled for their account and with the necessary permission from their Corp contacts, to not just demo creating ROAs, but also to sign their prefixes for use in their operations.
This tutorial will introduce both technical and non-technical aspects, based on real experience in hundreds of networks, of the deployment of IPv6 in your own ISP network (covering both wireline and cellular).
This tutorial will take 8 sessions, 1 hour each, in 4 days (2 sessions per day).
The first goal is that decision makers and engineers have an overall view (mainly in the first 2 sessions) of key points such as:
The tutorial will be carried out in such way that the engineers also can understand key points related to:
Note that the exact match of contents and sessions may depend on the Q&A sessions.
There are over 65,000 networks comprising the Internet that exchange reachability information using the Border Gateway Protocol (BGP), but the problem is that BGP is almost entirely based on trust with no built-in validation of the legitimacy of routing updates. This causes many problems such as IP prefix hijacking, route leaks, and IP address spoofing, and there have been a growing number of major incidents in the past few years. There are solutions to address these issues, but securing one's own network does not necessarily make it more secure as it remains reliant on other operators also implementing these solutions too.
The Mutually Assured Norms for Routing Security (MANRS) initiative therefore tries to address these problems by encouraging network operators, content providers and IXPs to subscribe to four actions including filtering, anti-spoofing, coordination and address prefix validation, and has developed resources to help them implement these. The MANRS Observatory has recently been developed to help network operators to view routing incidents that affect their networks, to check the general routing health of networks, countries and regions, and to provide a longer-term overview on whether routing incidents are getting better or worse.
DDoS extortion will not go away. It is a cyclical international crime that can only be stopped when the DDoS extortionists are arrested. In 2020, organizations woke up to a new wave of DDoS extortion activity. These attacks caught organizations with their DDoS guard down. They thought 'DDoS was in the past.'
This session walks through the reasons why we have DDoS extortion, the criminal behaviours of DDoS extortionists, and the essential DDoS preparation tools any organization can deploy to reduce their risk when a DDoS extortionist knocks on the door.
'Our DNS is under attack' is not something anyone wants to hear. DNS's critical role makes it a target for attackers. Taking out DNS is easier than trying to take down a web site. Smart miscreants have a playbook of offensive DNS attack techniques that they can use against any organization.
Attacks against DNS are broad, and DNS is critical to everything on the Internet. This multi-episode series will start with the miscreant threat to DNS and then expand to many other topics. Each episode will focus on the threat and on the defensive countermeasures that have proven to push back against it. After the miscreant threats, we will expand into a range of topics around resiliency.
DNS is an attack vector that must be protected to keep the business safe.
Awareness of the types of DNS attacks used to disrupt, take down, and abuse an organization.
A DNS Defensive Playbook used to protect an organization from miscreant DNS attacks.
This tutorial also covers an action checklist for Registrar Security. Protecting your domain names on the DNS Registrar is often overlooked, ignored, and neglected. As seen with the 2019 DNSpionage Campaign and Sea Turtle attacks, many of these attacks have goals far more sinister than merely taking a company offline or defacing a website. Expect domain name attacks to include techniques that redirect some or all of an organization's domain to gain access to protected resources, intercept traffic, and even obtain TLS certificates for that domain.
The Protecting Your Domain Names guidelines are based on ICANN recommendations and industry experience. Most of these recommendations are based on protecting the domain name's DNS registry, registrar, and administrative functions.
Note: These sessions are based on decades of DNS security experience, currently gained through Akamai Technologies. The recommendations apply across the industry, with multiple DNS security architecture options available to organizations. The key is to focus on the DNS security principles, the vectors used by the miscreants, and common-sense tools.
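The registrar checklist the tutorial describes is the kind of thing worth automating, since the state it checks (locks, DNSSEC, expiry) lives in the domain's RDAP record and drifts silently. The block below is an added example written for this page, not code from the tutorial, Akamai or ICANN. The RDAP document is constructed in the shape RFC 9083 defines, with EPP status names mapped to RDAP strings per RFC 8056; which locks to require, the registry-lock check and the 90-day expiry window are the editor's assumptions about what such a checklist contains, and the domain and name servers are placeholders.

```python
"""Registrar-side checks for a domain, read from a constructed RDAP record.
Added example; the required locks and expiry window are assumptions."""
import json
from datetime import datetime, timezone

AUDIT_AS_OF = datetime(2021, 2, 1, tzinfo=timezone.utc)   # fixed "now" for the sample

# Registrar (client*) locks the registrant can set through the registrar portal;
# registry (server*) locks need an out-of-band request and resist account takeover.
REGISTRAR_LOCKS = {"client transfer prohibited", "client update prohibited",
                   "client delete prohibited"}
REGISTRY_LOCKS = {"server transfer prohibited", "server update prohibited",
                  "server delete prohibited"}


def rdap_sample(status, signed, expires, nameservers):
    """Constructed RDAP domain object, as the JSON text a lookup would return."""
    return json.dumps({
        "objectClassName": "domain",
        "ldhName": "example.net",
        "status": status,
        "secureDNS": {"delegationSigned": signed},
        "events": [{"eventAction": "registration", "eventDate": "2015-02-01T00:00:00Z"},
                   {"eventAction": "expiration", "eventDate": expires}],
        "nameservers": [{"ldhName": n} for n in nameservers],
    })


WEAK_RDAP = rdap_sample(["client delete prohibited", "client update prohibited", "active"],
                        False, "2021-03-15T00:00:00Z", ["ns1.example.net", "ns2.example.net"])
HARDENED_RDAP = rdap_sample(sorted(REGISTRAR_LOCKS | REGISTRY_LOCKS) + ["active"],
                            True, "2025-02-01T00:00:00Z", ["ns1.example.net", "ns2.example.org"])


def audit_domain(rdap_json, now=AUDIT_AS_OF, expiry_warn_days=90):
    """Return a list of findings; an empty list means every check passed."""
    doc = json.loads(rdap_json)
    findings = []
    status = set(doc.get("status", []))
    missing = sorted(REGISTRAR_LOCKS - status)
    if missing:
        findings.append("missing registrar locks: " + ", ".join(missing))
    if not (REGISTRY_LOCKS & status):
        findings.append("no registry lock (server* prohibited statuses)")
    if not doc.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("DNSSEC: delegation is not signed")
    expiry = next((e["eventDate"] for e in doc.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    if expiry is None:
        findings.append("no expiration event in RDAP record")
    else:
        exp = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        days_left = (exp - now).days
        if days_left < expiry_warn_days:
            findings.append("expires in %d days: renew before it lapses" % days_left)
    nameservers = {n.get("ldhName", "").lower() for n in doc.get("nameservers", [])}
    if len(nameservers) < 2:
        findings.append("fewer than two name servers delegated")
    return findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RDAP), ("hardened", HARDENED_RDAP)):
        print(label, audit_domain(record) or ["ok"])
```

The weak record is the shape the tutorial warns about: no transfer lock, so a compromised registrar account can move the domain; no DNSSEC, so redirected resolution is not detectable by validating resolvers; and an expiry six weeks out that nobody is watching.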
It is critical to have meaningful security conversations with your vendors. Operators depend on their vendors to supply products and solutions that are secure. As all operators have experienced, 'secure products' is almost always a vendor afterthought. This leads to an operational risk that in some cases turns deadly.
In this session, we will explore realistic expectations for 'vendor security.' These expectations are based on 25 years of operator and vendor experience, with direct experience of some of the nastiest vulnerabilities, horrendous APT abuses, and industry-wide attack vectors. We'll focus on the 'meaningful conversations' every operator should be having with their vendors (and providers). The session walks through a 'conversation guide' that empowers the staff of an operator with key questions that would drive and push the vendor to either deliver security, fix their security, or get out and sell their unsecured junk somewhere else.
The session is accompanied by a white paper, 'Meaningful Security Conversations: Questions to ask vendors to gauge their commitment to Secure Products and Demand Security.'
Don't sit and wait for the next expensive exploit to impact your network. You do not need an expert to have these meaningful conversations. Start with following this meaningful security conversation script.
Vendors will only respond to security issues if their customers demand them to respond to security requests. In a world that facilitates innovation, time to market and competitive pressures dominate the vendor's 'top of mind thinking.' Security is only 'top of mind' if their customers are consistently interacting with them to do their best to secure their products. These are the same products deployed on your network.
This session on meaningful security conversations provides the participants with a step-by-step conversation tool that can be used with any vendor. The object is to deliver results so that all parties can reduce risk.
IP addresses are used to connect computers to each other, and routing protocols are used to carry this reachability.
Because IP addresses are a valuable resource yet must be used even on links between routers, point-to-point links use a 30-bit mask (two host addresses plus the network and broadcast addresses) or a /31 (RFC3021).
IPv6 uses link-local addresses, perhaps because it is a bit nonsensical to consume valuable resources on router-to-router links, even though routers are designed to carry reachability. In data centers, routing designs using this feature of IPv6 together with RFC5549 are gradually increasing.
In this session, based on this background, we will share IP address related topics such as RFC5309 P2P over LAN, techniques for distributing scattered host routes in the network, and considerations for using only link-local addresses (RFC7404). I will also give an update on Class E.
As more organisations adopt the cloud, and with the rise of IoT, VNFs have found a home in the cloud. This presentation demonstrates the automation of network appliances in the cloud, as well as configuring them to host software-defined network functions as services in the cloud.
This two hour tutorial introduces the Border Gateway Protocol (BGP), what it is used for and how it is implemented, the main BGP attributes and what they are used for, and concludes by looking at some of the current best practice BGP scaling techniques. The tutorial is suitable for newcomers to BGP, or those who are looking to refresh their knowledge about the protocol.
This two hour tutorial covers the theory behind multihoming and looks at some simple examples to introduce the newcomer to how to connect their network to two upstream providers for redundancy and resiliency. The second half of the tutorial then looks at practical deployment examples for small end-site networks, covering what they need to do, configuration options they have, and what they need to request of their upstream providers.
This two hour tutorial looks at the current industry best practices for BGP configuration and operations. Topics covered range from filtering to aggregation to configuration tricks that are implemented by many of the major networks around the world. The tutorial is an essential guide for both newcomers to BGP and for those who have used BGP for years and are wishing to refresh their skills.