Source Address Validation: from the Current Network Architecture to SDN-based Architecture
|
|
- Lorraine Simpson
- 5 years ago
- Views:
Transcription
1 Source Address Validation: from the Current Network Architecture to SDN-based Architecture Jun Bi Tsinghua University/CERNET GFI 2013 Nov. 20,
2 Content Source Address Validation Architecture (SAVA) SAVA solutions SAVA Implementations SAVA deployment at CNGI-CERNET2 Leveraging SDN to enhance Source Address Validation Access: Software Defined SAVI Intra-AS: SDN based CPF Inter-AS: Collaborative On-demand Spoofing Defense Conclusion 2
3 Source Address Validation Architecture (SAVA) 3
4 Source Address Spoofing Source address spoofing still a problem Arbor Network annual network security report MIT spoofer project NANOG discussions Tsinghua university / CERNET proposed: Source address validation architecture (SAVA) and solutions for IPv6 Solutions implemented, collaborating with domestic vendors Deployed at CNGI-CERENT2 backbone and 100 universities campus networks Co-funders of IETF SAVI WG RFC 5210 SAVA RFC 7039 SAVI Framework 4
5 SAVA: Source Address Validation Architecture (RFC 5210) Transit AS AS Level Granularity AS Inter-AS AS IP Prifix Prefix Level Granularity Intra-AS Access Network Access Network Interface ID Level Granularity Access Network 5
6 Access Level: SAVI-CPS (Control Packets Snooping based SAVI) SAVI-DHCP SAVI-Stateless SAVI-MIX 6
7 SAVI-CPS Implementation Huawei ZTE H3C Ruijing Digitial China Centac Bitwa L3/L2 switch, WLAN 7
8 Intra-AS Level: CPF (Calculation based Path Forwarding) SNMP collect routing table and interface table Calculate Path xflow collect sampling info Path Table Generate FTDB FTDB Telnet+Scripts configure ACL Key problem to resolve - Reduce false positive caused by urpf at partial deployment FIT Src (inif1)a1 (inif2)a2 (inifn)dst Src, Dst, inif Src, Dst, inif FIT: Flow Info Table Match (Alarm) FTDB: Filter Table DB
9 CPF Implementation Topology mgmt L3 devices mgmt Spoofing alarm SAVI user mgmt 9
10 Inter-AS Level: SMA (State Machine based Authentication) Key problem to resolve Incentive for deployment Trust Alliance ACS Each member AS has a control server to negotiate parameter of SMs of each peer to trigger the same tag (random number) sequence ASBR Add tags in IPv6 packets (in option header) and validate tags in destination Incentive source address of Each AS can t be spoofed within the Alliance 10
11 SMA Implementation Huawei NE40E core router line cards with 10G, GE ports Bitway BE12000 core router line cards with OC48, GE ports Centec special box with 10G, GE (co-located with legacy routers) 11
12 SAVA Deployment at CNGI-CERNET2 6IX Inter ISP (SMA) Inter AS (SMA) Intra-AS (CFP) AccessNet (SAVI-CPS) 12
13 SAVA Deployment at CNGI-CERNET
14 Leveraging SDN to enhance Source Address Validation 14
15 Motivations: enhancing Access Complex scenarios Address assignment methods: Manual, SLACC, DHCP, SEND, Mixed, Access methods: LAN, WLAN, DSL, 3G, Mobility: local, across-network Special cases: IPv6 transition, DNA, addr. related new stuff Solutions implemented at switches for all scenarios Complex for design and implementation Low efficiency (most scenarios are not common cases) Complex configuration Coherent configurations for ALL switch ports at SAVI perimeter in the whole access network Can we migrate complexity from switch to server?
16 Software Defined SAVI (SDN-SAVI) Control Plane Rule Generator Data Plane Binding Rules SAVI Switch Controller NOS Message Adaptor Data Plane Binding Rules OF Messages SAVI APP1: state machine SAVI APP2: rule generator SAVI APP3: mobility SAVI APP4:.. SAVI Switch
17 Motivations: enhancing Intra-AS Complexity to deal with legacy management and control interfaces No unified MIBs (private MIBs) No unified sampling protocol (sflow, NetFlow, NetStream, etc) No friendly programmable interfaces to configure ACLs (telnet + scripts are dangerous for production nets) Performance Delay of network status update Delay of control update Require unified and realtime mgmt/ctrl interfaces
18 SDN based CPF Control Plane Global view CPF Network APP SNMP xflow TCL telnet NOS(Network OS) OpenFlow Protocol Data Plane
19 CPF Address Validation Module Filter Generator Module NOS-NAPP Rule Adaptor Module NOS Packet Sample Message Processor NOS-NAPP Protocol NOS-NAPP Network State Message Processor OpenFlow Control Rule Message Processor OpenFlow OpenRouter Switch OpenFlow+ Protocol OpenFlow Control Plane Data Plane RTM OSPF BGP RIP xflow QoS&ACL FIB
20 Filtering Rules Enforcement Delay causes false positive, reflects the filtering effect
21 Demonstrated at INFOCOM2012 InSAVO: Intra-AS IPv6 Source Address Validation Solution with OpenRouter Central Control: To get a global forwarding path and then resolve false positive of filtering information caused by asymmetric routing more than ingress filtering. Integrated Protocol: To takes place of SNMP/xFlow/Telnet in order to reduce the complication caused by multiple control interfaces with OpenFlow protocol. Evolvable Deployment: To provide software-defined abilities by extending OpenFlow, but also give a tradeoff between existing hardware and evolution cost.
22 Motivations: enhancing Inter-AS Security: SMA uses lightweight tags for verification. An attacker might monitor packets in the backbone and replay the tag with spoofed packets Solution- cryptographic tags to prevent replay Cost: Per-packet crypto marking incurs heavy data processing overhead beyond hardware capacity. Solution- on-demand defense to reduce overhead When : defend only attack is detected (cost effective) Which : define N defense functions, chosen by operators by the type of attack Who : only filtering the specific flows with self-benefit
23 CoFence: Collaborative On-demand Spoofing Defense Distributed inter-as collaboration Deployer discovery, peering and defense invocation Spoofing defense functions Against d-dos: DP and CDP (CDP uses crypto marking) Against s-dos: SP and CSP (CSP uses crypto marking) Extensible: can define more functions Function invocation Quadruple: (function, parameters, prefix, time) Function: the function to be invoked Parameters: parameters for the function (e.g., keys for crypto) Prefix: the src/dst prefix to be protected Time: the time duration for this invocation These lead to SDN-based design
24 SDN (not OpenFlow) based CoFence Higher-layer features can be added in apps, e.g., attack monitoring, traffic analysis, AS-wide policy and control, manual-config GUI and auto-config APIs for IDS. Apps Controller Controller communicates with other domains, and bridges apps with routers, using SDN interfaces. It provides CoFence-specific functionalities and maintains domain-wide information. policy monitor northbound interfaces policy loc info peer info GUI analysis on demand defense peering southbound interfaces API control east west interfaces secure C C channel Internet Apps Controller secure C R channel ibgp CoFence-d communicates with controller and manages tables to define data-plane behavior. Router SW CoFence d BGP d HW tables data flow ebgp Router AS i AS j
25 WE-Bridge proposed in FINE WE-Bridge proposed in China 863 High-tech R&D project FINE Demoed at CANS13 and SupterComputing2013 AS-1 (Doman 1) APP-1 APP-2 APP-n AS-2 (Domain 2) APP-1 APP-2 APP-n Logical View API VCP-1 IDN IDN VCP-2 NOS-1 IDN Global Physical View API WE- Bridge IDN NOS-2 Local View API DPA1 DPA2 DPAn DPA1 DPA2 DPAn Open Devices Open Devices
26 Conclusion SAVA and solutions Architecture Access level: SAVI-CPS Intra-AS level: CPF Inter-AS level: SMA Implementation, and deployment at CNGI-CERNET2 Leveraging SDN to enhance Source Address Validation Motivations Handling complexity Providing agility Improving performance Programmability is key to decoupling infrastructure and functionality (to migrate the complexity to APPs) Leveraging centralized view for access (e.g. configuration, mobility) and intra-as, and negotiated view for inter-as SAV 26
27 Thanks! 27
Security Baseline Data Model for Network Infrastructure Device draft-xia-sacm-nid-dp-security-baseline-00 draft-dong-sacm-nid-cp-security-baseline-00
Security Baseline Data Model for Network Infrastructure Device draft-xia-sacm-nid-dp-security-baseline-00 draft-dong-sacm-nid-cp-security-baseline-00 Liang Xia Guangying Zheng Yue Dong Huawei Huawei Huawei
More informationFuture Internet related Research Activities in China
Future Internet related Research Activities in China Jun Bi Tsinghua University China Education and Research Network (CERNET) junbi@tsinghua.edu.cn August 11, 2010 1 Contents Research Networks in China
More informationSoftware-Defined Networking (SDN) Overview
Reti di Telecomunicazione a.y. 2015-2016 Software-Defined Networking (SDN) Overview Ing. Luca Davoli Ph.D. Student Network Security (NetSec) Laboratory davoli@ce.unipr.it Luca Davoli davoli@ce.unipr.it
More informationCNGI-CERNET2 SAVI Deployment Update. China Education and Research Network (CERNET) /Tsinghua Univ. IETF77, Anaheim March 23, 2010
CNGI-CERNET2 SAVI Deployment Update China Education and Research Network (CERNET) /Tsinghua Univ. IETF77, Anaheim March 23, 2010 Outline SAVI Deployment in CNGI-CERNET2 SAVI Switches Testing SAVI Management
More informationInterdomain Routing Design for MobilityFirst
Interdomain Routing Design for MobilityFirst October 6, 2011 Z. Morley Mao, University of Michigan In collaboration with Mike Reiter s group 1 Interdomain routing design requirements Mobility support Network
More informationSource Address Validation Solution. Guang Yao, Jun Bi and Peiyao Xiao Network Architecture&IPv6 Lab Tsinghua University
Source Address Validation Solution with OpenFlow/NOX Architecture Guang Yao, Jun Bi and Peiyao Xiao Network Architecture&IPv6 Lab Tsinghua University Background IETF SAVI WG Formed in 2008 Anti spoofing
More informationOpenFlow: What s it Good for?
OpenFlow: What s it Good for? Apricot 2016 Pete Moyer pmoyer@brocade.com Principal Solutions Architect Agenda SDN & OpenFlow Refresher How we got here SDN/OF Deployment Examples Other practical use cases
More informationNetwork Security: Network Flooding. Seungwon Shin GSIS, KAIST
Network Security: Network Flooding Seungwon Shin GSIS, KAIST Detecting Network Flooding Attacks SYN-cookies Proxy based CAPCHA Ingress/Egress filtering Some examples SYN-cookies Background In a TCP 3-way
More informationCOM-208: Computer Networks - Homework 6
COM-208: Computer Networks - Homework 6. (P22) Suppose you are interested in detecting the number of hosts behind a NAT. You observe that the IP layer stamps an identification number sequentially on each
More informationChapter 5 Network Layer: The Control Plane
Chapter 5 Network Layer: The Control Plane A note on the use of these Powerpoint slides: We re making these slides freely available to all (faculty, students, readers). They re in PowerPoint form so you
More informationCSC 4900 Computer Networks: Routing Protocols
CSC 4900 Computer Networks: Routing Protocols Professor Henry Carter Fall 2017 Last Time Link State (LS) versus Distance Vector (DV) algorithms: What are some of the differences? What is an AS? Why do
More informationSoftware Defined Networks and OpenFlow. Courtesy of: AT&T Tech Talks.
MOBILE COMMUNICATION AND INTERNET TECHNOLOGIES Software Defined Networks and Courtesy of: AT&T Tech Talks http://web.uettaxila.edu.pk/cms/2017/spr2017/temcitms/ MODULE OVERVIEW Motivation behind Software
More informationMigrating from OSPF to IS-IS
Migrating from OSPF to IS-IS ISP Workshops Last updated 25 th August 2015 1 Introduction p With the advent of IPv6 and dual stack networks, more ISPs expressing interest to migrate to IS-IS n Migration
More informationEngineering and Technology Innovation of the Next Generation Internet Architecture. Jianping Wu Tsinghua University June 2,2014
Engineering and Technology Innovation of the Next Generation Internet Architecture Jianping Wu Tsinghua University June 2,2014 Contents Internet:The Great Example on Engineering and Technology Innovation
More informationCERNET and CNGI-CERNET2 CERNET2
CERNET and CNGI-CERNET2 CERNET2 INET Kuala Lumpur 2009 MA Yan Beijing University of Posts and Telecommunications 2009/07/20 Agenda General information of Internet in China CERNET China Education and Research
More informationBGP-TE APPLICATION LEVEL TOPOLOGY INTELLIGENCE
BGP-TE APPLICATION LEVEL TOPOLOGY INTELLIGENCE Hannes Gredler 1 Copyright 2012 Juniper Networks, Inc. www.juniper.net MOTIVATION Look across the fence Fence being IGP area/level or AS boundary Gain visibility
More informationBack to basics J. Addressing is the key! Application (HTTP, DNS, FTP) Application (HTTP, DNS, FTP) Transport. Transport (TCP/UDP) Internet (IPv4/IPv6)
Routing Basics Back to basics J Application Presentation Application (HTTP, DNS, FTP) Data Application (HTTP, DNS, FTP) Session Transport Transport (TCP/UDP) E2E connectivity (app-to-app) Port numbers
More informationIPv6 Rapid Deployment (6rd) in broadband networks. Allen Huotari Technical Leader June 14, 2010 NANOG49 San Francisco, CA
Rapid Deployment () in broadband networks Allen Huotari Technical Leader ahuotari@cisco.com June 14, 2010 NANOG49 San Francisco, CA 1 Why IP Tunneling? IPv4 Tunnel Tunnel IPv4 IPv4 Retains end-end IP semantics
More informationCOMP211 Chapter 5 Network Layer: The Control Plane
COMP211 Chapter 5 Network Layer: The Control Plane All material copyright 1996-2016 J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking: A Top Down Approach 7 th edition Jim Kurose, Keith
More informationSD-Access Wireless: why would you care?
SD-Access Wireless: why would you care? CUWN Architecture - Centralized Overview Policy Definition Enforcement Point for Wi-Fi clients Client keeps same IP address while roaming WLC Single point of Ingress
More informationConfiguring MPLS L3VPN
Contents Configuring MPLS L3VPN 1 MPLS L3VPN overview 1 Introduction to MPLS L3VPN 1 MPLS L3VPN concepts 2 MPLS L3VPN packet forwarding 5 MPLS L3VPN networking schemes 5 MPLS L3VPN routing information
More informationIPv6 Transition Mechanisms
IPv6 Transition Mechanisms Petr Grygárek rek 1 IPv6 and IPv4 Coexistence Expected to co-exist together for many years Some IPv4 devices may exist forever Slow(?) transition of (part of?) networks to IPv6
More informationDDoS made easy. IP reflection attacks for fun and profit. Gert Döring, SpaceNet AG, München. DECIX/ECO security event,
DDoS made easy IP reflection attacks for fun and profit Gert Döring, SpaceNet AG, München DECIX/ECO security event, 04.12.14, Frankfurt Agenda what are IP reflection attacks? why are they so effective
More informationCisco CCNP ROUTE: Implementing Cisco IP Routing (ROUTE) 2.0. Upcoming Dates. Course Description. Course Outline
Cisco CCNP ROUTE: Implementing Cisco IP Routing (ROUTE) 2.0 Implementing Cisco IP Routing (ROUTE) v2.0 is an instructor-led five day training course developed to help students prepare for Cisco CCNP certification.
More informationPREREQUISITES TARGET AUDIENCE. Length Days: 5
Cisco Implementing Cisco IP Routing v2.0 (ROUTE) ROUTE v2.0 includes major updates and follows an updated blueprint. However, note that this course does not cover all items listed on the blueprint. Some
More informationTEQUILA Engineering Approach
TEQUILA Approach David Griffin University College London, UK Premium IP Cluster Joint Review, 3-4 April 2001 Overview Service Subscription GUI Forecast Service Subscription LDAP Service Subscriptions Repository
More informationChina Unicom SDN Practice in WAN. Lv Chengjin/Ma Jichun, China Unicom
China Unicom SDN Practice in WAN Lv Chengjin/Ma Jichun, China Unicom What Will Operator SDN Do? Two development directions Operator Softwaredefined networking (SDN) 1. Cloudify traditional services 2.
More information(Submit to Bright Internet Global Summit - BIGS)
Reviewing Technological Solutions of Source Address Validation (Submit to Bright Internet Global Summit - BIGS) Jongbok Byun 1 Business School, Sungkyunkwan University Seoul, Korea Christopher P. Paolini
More informationRemote Access MPLS-VPNs
First Published: August 12, 2002 Last Updated: May 4, 2009 The feature allows the service provider to offer a scalable end-to-end Virtual Private Network (VPN) service to remote users. This feature integrates
More informationCisco Implementing Cisco IP Routing v2.0 (ROUTE)
Course Overview ROUTE v2.0, a five-day ILT course, includes major updates and follows an updated blueprint. (However, note that this course does not cover all items listed on the blueprint.) Some older
More informationIPv6 in Campus Networks
IPv6 in Campus Networks Dave Twinam Manager, Technical Marketing Engineering Internet Systems Business Unit dtwinam@cisco.com Cisco Twinam IPv6 Summit 2003 Cisco Systems, Inc. All rights reserved. 1 IPv6
More informationQUESTION: 1 When limit-learning is configured on a port and the limit is reached the following traffic still flows to the port.
QUESTION: 1 When limit-learning is configured on a port and the limit is reached the following traffic still flows to the port. A. Packets destined for the active Mac addresses B. Broadcast traffic C.
More informationASA/PIX Security Appliance
I N D E X A AAA, implementing, 27 28 access to ASA/PIX Security Appliance monitoring, 150 151 securing, 147 150 to websites, blocking, 153 155 access control, 30 access policies, creating for web and mail
More informationChapter 5 Network Layer: The Control Plane
Chapter 5 Network Layer: The Control Plane A note on the use of these Powerpoint slides: We re making these slides freely available to all (faculty, students, readers). They re in PowerPoint form so you
More informationCCIE Service Provider
CCIE Service Provider 1.0 Core Routing 25% 30% 1.1. Interior Gateway Protocol 1.1.a. Describe, implement, and troubleshoot IS-IS 1.1.b. Describe, implement, and troubleshoot OSPFv2 and OSPFv3 1.1.c. Describe
More informationCisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003
Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Agenda ACI Introduction and Multi-Fabric Use Cases ACI Multi-Fabric Design Options ACI Stretched Fabric Overview
More informationIP Fabric Reference Architecture
IP Fabric Reference Architecture Technical Deep Dive jammon@brocade.com Feng Shui of Data Center Design 1. Follow KISS Principle Keep It Simple 2. Minimal features 3. Minimal configuration 4. Configuration
More informationBROCADE S IPV6 SOLUTIONS
BROCADE S IPV6 SOLUTIONS Wes Medley, Principal Architect wmedley@brocade.com Brocade NetIron Ipv6 Solutions Company Proprietary Information Agenda Brocade L 2/3 Product IPv6 Functionality UNH IPv6 Testing
More informationUsing SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Institute of Computer Science Chair of Communication Networks Prof. Dr.-Ing. P. Tran-Gia Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall comnet.informatik.uni-wuerzburg.de SarDiNe
More informationHuawei CloudEngine Series. VXLAN Technology White Paper. Issue 06 Date HUAWEI TECHNOLOGIES CO., LTD.
Issue 06 Date 2016-07-28 HUAWEI TECHNOLOGIES CO., LTD. 2016. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of
More informationConfiguring MPLS L3VPN
Contents Configuring MPLS L3VPN 1 MPLS L3VPN overview 1 MPLS L3VPN concepts 2 MPLS L3VPN packet forwarding 4 MPLS L3VPN networking schemes 5 MPLS L3VPN routing information advertisement 8 Inter-AS VPN
More informationdraft-ietf-v6ops-tunnel-loops - Update and Status
draft-ietf-v6ops-tunnel-loops - Update and Status IETF V6OPS WG - March 31, 2011 Fred L. Templin Boeing Research & Technology fred.l.templin@boeing.com BOEING is a trademark of Boeing Management Company.
More informationUsing Event-Driven SDN for Dynamic DDoS Mitigation
Using Event-Driven SDN for Dynamic DDoS Mitigation Craig Hill Distinguished SE, US Federal crhill@cisco.com CCIE #1628 1 Concept and Content Creators The Cisco Engineering Team: Jason King Steven Carter
More informationThe Layer-2 Security Issues and the Mitigation
The Layer-2 Security Issues and the Mitigation Techniques Eric Vyncke Cisco Distinguished Engineer evyncke@cisco.com Eric.Vyncke@ipv6council.be Eric.Vynce@ulg.ac.be 2012 Cisco and/or its affiliates. All
More informationCERNET2. CERNET2 Design Goals CERNET2 Backbone. CERNET2 Operation Current Status. Why Next Generation Internet in
China Testbed CERNET2 (Next Generation China Education and Research Network ) "We were e a learner e and follower owe in the edeveop development e of the first generation e Inter net, but we have caught
More informationRouting Basics. ISP Workshops. Last updated 10 th December 2015
Routing Basics ISP Workshops Last updated 10 th December 2015 1 Routing Concepts p IPv4 & IPv6 p Routing p Forwarding p Some definitions p Policy options p Routing Protocols 2 IPv4 p Internet still uses
More informationMPLS L3VPN. The MPLS L3VPN model consists of three kinds of devices: PE CE Site 2. Figure 1 Network diagram for MPLS L3VPN model
is a kind of PE-based L3VPN technology for service provider VPN solutions. It uses BGP to advertise VPN routes and uses to forward VPN packets on service provider backbones. provides flexible networking
More informationIntuit Application Centric ACI Deployment Case Study
Intuit Application Centric ACI Deployment Case Study Joon Cho, Principal Network Engineer, Intuit Lawrence Zhu, Solutions Architect, Cisco Agenda Introduction Architecture / Principle Design Rollout Key
More informationSDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged
SDN Use-Cases internet exchange, home networks TELE4642: Week8 Materials from Prof. Nick Feamster is gratefully acknowledged Overview n SDX: A Software-Defined Internet Exchange n SDN-enabled Home Networks
More informationitexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공
itexamdump 최고이자최신인 IT 인증시험덤프 http://www.itexamdump.com 일년무료업데이트서비스제공 Exam : EW0-300 Title : Extreme Networks Specialist... Vendors : Extreme Networks Version : DEMO Get Latest & Valid EW0-300 Exam's Question
More informationPASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year
PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : H12-221 Title : HCNP-R&S-IERN (Huawei Certified Network Professional-Implementing Enterprise Routing Network) Vendor
More informationRouting Basics ISP/IXP Workshops
Routing Basics ISP/IXP Workshops 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 addresses are 32 bits long range from 1.0.0.0 to
More informationReducing FIB Size with Virtual Aggregation (VA)
Reducing FIB Size with Virtual Aggregation (VA) Paul Francis, MPI-SWS Xiaohu Xu, Huawei, Hitesh Ballani, Cornell Dan Jen, UCLA Robert Raszuk, Cisco Lixia Zhang, UCLA ISPs often want to extend the life
More informationA use-case based analysis of network managment functions in the ONF SDN model
A use-case based analysis of network managment functions in the ONF SDN model Alisa Devlic (Ericsson Research) Wolfgang John (Ericsson Research) Pontus Sköldström (Acreo) Funded by the EU FP7 project SPARC
More informationMigrating from OSPF to IS-IS
Migrating from OSPF to IS-IS Philip Smith philip@nsrc.org SAFNOG 2 7 th -8 th April 2015 Mbabane Last updated 27 March 2014 1 Presentation slides p Available at: n http://bgp4all.com/ftp/seminars/safnog2-
More informationIPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo
IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines Merike Kaeo merike@doubleshotsecurity.com Current IPv6 Deployments Don t break existing IPv4 network Securing IPv6 Can t secure something
More information2610:f8:ffff:2010:04:13:0085:1
2610:f8:ffff:2010:04:13:0085:1 Qwest IPv6 Implementation Experience Shawn Carroll 2610:f8:ffff:2010:04:13:0085:55 Previous Qwest Implementation Work Obtained 6bone Pseudo Next Level Aggregator (pnla) from
More informationIPv6 Snooping. Finding Feature Information. Restrictions for IPv6 Snooping
The feature bundles several Layer 2 IPv6 first-hop security features, including IPv6 neighbor discovery inspection, IPv6 device tracking, IPv6 address glean, and IPv6 binding table recovery, to provide
More informationGLOSSARY. See ACL. access control list.
GLOSSARY A access control list ACL API Application Programming Interface area AS ASN ATM autonomous system autonomous system number See ACL. access control list. application programming interface. APIs
More informationLecture 4: Intradomain Routing. CS 598: Advanced Internetworking Matthew Caesar February 1, 2011
Lecture 4: Intradomain Routing CS 598: Advanced Internetworking Matthew Caesar February 1, 011 1 Robert. How can routers find paths? Robert s local DNS server 10.1.8.7 A 10.1.0.0/16 10.1.0.1 Routing Table
More informationA SAVI Solution for DHCP. Jun Bi, Jianping Wu, Guang Yao, Fred Baker draft ietf savi dhcp 01(02).txt IETF77, Anaheim Mar
A SAVI Solution for DHCP Jun Bi, Jianping Wu, Guang Yao, Fred Baker draft ietf savi dhcp 01(02).txt IETF77, Anaheim Mar.23 2010 Outline Solution Basis Additional Features in 01(02) Version Next Step Solution
More informationIPv6 Bootcamp Course (5 Days)
IPv6 Bootcamp Course (5 Days) Course Description: This intermediate - advanced, hands-on course covers pertinent topics needed for IPv6 migration and deployment strategies. IPv6 novices can expect to gain
More informationCustomer IPv6 Delivery
Customer IPv6 Delivery The Nextgen Experience Chris Chaundy, Nextgen Networks October 2011 Agenda Nextgen Network s strategy Just get a prefix and turn it on!?!? Scope of the project Hardware considerations
More informationSpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt
SpaceNet AG Internet Business Produkte für den Mittelstand Produkt- und Firmenpräsentation DENOG6, 20.11.14, Darmstadt DDoS made easy IP reflection attacks for fun and profit Gert Döring, SpaceNet AG,
More informationInterconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview
Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview This course will teach students about building a simple network, establishing internet connectivity, managing network device security,
More informationRouting Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing
Routing Concepts IPv4 Routing Routing Basics ISP/IXP Workshops Forwarding Some definitions Policy options Routing Protocols 1 2 IPv4 IPv4 address format Internet uses IPv4 addresses are 32 bits long range
More informationProgrammable BitPipe. Andreas Gladisch VP Convergent Networks and Infrastructure, Telekom Innovation Labs
Programmable BitPipe Andreas Gladisch VP Convergent Networks and Infrastructure, Telekom Innovation Labs 25.10.2012 How do you program a switch / router today? Vendor N SDK and API Vendor 3 Vendor 2 SDK
More informationIntelligent WAN Multiple VRFs Deployment Guide
Cisco Validated design Intelligent WAN Multiple VRFs Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deploying the Cisco IWAN Multiple VRFs...
More informationOpenFlow + : Extension for OpenFlow and its Implementation
OpenFlow + : Extension for OpenFlow and its Implementation Hongyu Hu, Jun Bi, Tao Feng, You Wang, Pingping Lin Network Research Center, Tsinghua University, China 4-204, FIT Building, Beijing 100084, China
More informationIPv6 Network Management
IPv6 Network Management Ralph Droms, Cisco Systems North American IPv6 Summit July, 2004 1 Cisco IPv6 Calendar IPv6 Integration & Co-Existence October 1996 Cisco IOS IPv6 Technology Preview software deployed
More informationIPv6 Deployment at the University of Pennsylvania
IPv6 Deployment at the University of Pennsylvania Jorj Bauer and Shumon Huque University of Pennsylvania Educause Mid-Atlantic Regional Conference, Philadelphia, PA January 8 th, 2009 Outline Why you should
More informationThe case for IPv6-only data centres...and how to pull it off in today's IPv4-dominated world
The case for IPv6-only data centres...and how to pull it off in today's IPv4-dominated world Tore Anderson Redpill Linpro AS PLNOG10, Warszawa, February 2013 Our traditional DC layout VLAN cust. 1 ~150
More informationNetwork Policy Enforcement
CHAPTER 6 Baseline network policy enforcement is primarily concerned with ensuring that traffic entering a network conforms to the network policy, including the IP address range and traffic types. Anomalous
More informationRemember Extension Headers?
IPv6 Security 1 Remember Extension Headers? IPv6 allows an optional Extension Header in between the IPv6 header and upper layer header Allows adding new features to IPv6 protocol without major re-engineering
More information/15/$ IEEE
On the Deployability of Inter-AS Spoofing Defenses Bingyang Liu and Jun Bi Abstract IP spoofing makes network attacks more destructive and harder to prevent. AS spoofing defenses mitigate these attacks
More informationA Border Gateway Protocol 3 (BGP-3) DNS Extensions to Support IP version 6. Path MTU Discovery for IP version 6
IPv6 Standards and RFC 1195 Use of OSI IS-IS for Routing in TCP/IP and Dual Environments RFC 1267 A Border Gateway Protocol 3 (BGP-3) RFC 1305 Network Time Protocol (Version 3) Specification, Implementation
More informationAn IPv6 Source Address Validation Testbed and Prototype Implementation
100 JOURNAL OF NETWORKS, VOL. 4, NO. 2, APRIL 2009 An IPv6 Source Address Validation Testbed and Prototype Implementation Jun Bi, Guang Yao and Jianping Wu Tsinghua National Laboratory for Information
More informationBGP Convergence in much less than a second
BGP Convergence in much less than a second Clarence Filsfils - cf@cisco.com Presented by Martin Winter - mwinter@cisco.com 1 Down Convergence T1 Down Convergence T2 Default metric = 1 Src R R 20 F Dst
More informationA Framework for Fine-Grained Inter-Domain Routing Diversity Via SDN
A Framework for Fine-Grained Inter-Domain Routing Diversity Via SDN Yangyang Wang, Jun Bi, Keyao Zhang Institute for Network Sciences and Cyberspace, Tsinghua University Department of Computer Science,
More informationSoftware Defined Networking 2015 BROCADE COMMUNICATIONS SYSTEMS, INC.
Software Defined Networking 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. Agenda Business Consideration A Customer Journey Quick Overview of SDN and NFV Software Networking Solutions SDN Controller vrouter
More informationExperience with SPM in IPv6
Experience with SPM in IPv6 Mingjiang Ye, Jianping Wu, and Miao Zhang Department of Computer Science, Tsinghua University, Beijing, 100084, P.R. China yemingjiang@csnet1.cs.tsinghua.edu.cn {zm,jianping}@cernet.edu.cn
More informationLSW GP8GC: 24 SFP Gigabit ports, 8 10/100/1000 BASE-T Ethernet ports (Combo) and two
Data Sheet DPtech LSW5600 Series DPtech LSW5600 Series Switches Product Interview The DPtech LSW5602 Series Switches which are designed for access and aggregation deployment. It is a new-generation line
More informationIntroduction to BGP ISP/IXP Workshops
Introduction to BGP ISP/IXP Workshops 1 Border Gateway Protocol Routing Protocol used to exchange routing information between networks exterior gateway protocol RFC1771 work in progress to update draft-ietf-idr-bgp4-18.txt
More informationExample: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks In an ARP spoofing attack, the attacker associates its own MAC address with the IP address of a network device
More informationMPLS VPN Inter-AS Option AB
First Published: December 17, 2007 Last Updated: September 21, 2011 The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol
More informationInterdomain routing CSCI 466: Networks Keith Vertanen Fall 2011
Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business relationships between ASes Interdomain routing using BGP Advertisements Routing policy Integration with intradomain routing
More informationMPLS VPN--Inter-AS Option AB
The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service provider
More informationCSC 4900 Computer Networks: Network Layer
CSC 4900 Computer Networks: Network Layer Professor Henry Carter Fall 2017 Chapter 4: Network Layer 4. 1 Introduction 4.2 What s inside a router 4.3 IP: Internet Protocol Datagram format 4.4 Generalized
More informationCase Study A Service Provider s Road to IPv6
Case Study A Service Provider s Road to IPv6 September 2010 Menog Amir Tabdili UnisonIP Consulting amir@unisonip.com The Scenario Residential Network L3 MPLS VPN Network Public Network The Scenario What
More informationHuawei CloudFabric and VMware Collaboration Innovation Solution in Data Centers
Huawei CloudFabric and ware Collaboration Innovation Solution in Data Centers ware Data Center and Cloud Computing Solution Components Extend virtual computing to all applications Transform storage networks
More informationSoftware Systems for Surveying Spoofing Susceptibility
Software Systems for Surveying Spoofing Susceptibility Matthew Luckie, Ken Keys, Ryan Koga, Bradley Huffaker, Robert Beverly, kc claffy https://spoofer.caida.org/ NANOG68, October 18th 2016 www.caida.o
More informationInternet Routing Basics
Internet Routing Basics Back to basics J Application Presentation Application (HTTP, DNS, FTP) Data Application (HTTP, DNS, FTP) Session Transport Transport (TCP/UDP) E2E connectivity (app-to-app) Port
More informationCOURSE OUTLINE: Course: CCNP Route Duration: 40 Hours
COURSE OUTLINE: Course: CCNP Route 300-101 Duration: 40 Hours CCNP Route Training Day 1: Connecting Remote Locations Principles of Static Routing Configuring an IPv4 Static Route Configuring a Static Default
More informationRouting Basics ISP/IXP Workshops
Routing Basics ISP/IXP Workshops 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 addresses are 32 bits long range from 1.0.0.0 to
More informationMPLS VPN Carrier Supporting Carrier IPv4 BGP Label Distribution
MPLS VPN Carrier Supporting Carrier IPv4 BGP Label Distribution This feature lets you configure your carrier supporting carrier network to enable Border Gateway Protocol (BGP) to transport routes and Multiprotocol
More information5G Network Architecture: Standard Progress, and Tranfromation to SBA and Network Slicing. Wei Chen,
5G Network Architecture: Standard Progress, and Tranfromation to SBA and Network Slicing Wei Chen, chenweiyj@chinamobile.com China Mobile Contents 5G Network Architecture Standard Progress 5G Network funtional
More informationTable of Contents Chapter 1 MPLS L3VPN Configuration
Table of Contents Table of Contents... 1-1 1.1 MPLS L3VPN Overview... 1-1 1.1.1 MPLS L3VPN Model... 1-2 1.1.2 MPLS L3VPN Implementation... 1-5 1.1.3 Nested MPLS L3VPN Implementation... 1-7 1.1.4 Hierarchical
More informationRouting Basics. SANOG July, 2017 Gurgaon, INDIA
Routing Basics SANOG 30 14-18 July, 2017 Gurgaon, INDIA Back to basics J Application Presentation Application (HTTP, DNS, FTP) Data Application (HTTP, DNS, FTP) Session Transport Transport (TCP/UDP) E2E
More informationAn Operational Perspective on BGP Security. Geoff Huston February 2005
An Operational Perspective on BGP Security Geoff Huston February 2005 Disclaimer This is not a description of the approach taken by any particular service provider in securing their network. It is intended
More informationXS26DS. L2/L3 10 G Optic Fiber Aggregation Switches. Features. Overview. XS26DS L3 10 G Optic Fiber Aggregation Switches
Features L2/L3 wire-speed switch that support all optical connections. With 10GE uplinks, 24 client ports 20x 100M/1G SFP client ports and 4x combo 100Mb/1Gb & 10/100/1000Mb client ports Extensive set
More information