MANRS: Mutually Agreed Norms for Routing Security. Routing is at Risk. Let's secure it together!
1 15 October 2018, Internet2 Technology Exchange
MANRS: Mutually Agreed Norms for Routing Security
Routing is at Risk. Let's secure it together!
Kevin Meynell, Manager, Technical & Operational Engagement, meynell@isoc.org
Internet Society
2 How big is the problem? Some Facts & Figures
3 Routing Incidents Cause Real World Problems
Event: Prefix/Route Hijacking
- Explanation: A network operator or attacker impersonates another network operator, pretending that a server or network is their client.
- Repercussions: Packets are forwarded to the wrong place, and can cause Denial of Service (DoS) attacks or traffic interception.
- Example: The 2008 YouTube hijack; April 2018 Amazon Route 53 hijack
Event: Route Leak
- Explanation: A network operator with multiple upstream providers (often due to accidental misconfiguration) announces to one upstream provider that it has a route to a destination through the other upstream provider.
- Repercussions: Can be used for a MITM, including traffic inspection, modification and reconnaissance.
- Example: September VolumeDrive began announcing to Atrato nearly all the BGP routes it learned from Cogent, causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria.
Event: IP Address Spoofing
- Explanation: Someone creates IP packets with a false source IP address to hide the identity of the sender or to impersonate another computing system.
- Repercussions: The root cause of reflection DDoS attacks
- Example: March 1, Memcached 1.3Tb/s reflection-amplification attack reported by Akamai
4 The routing system is constantly under attack
Five months of routing incidents (2018)
- 13,935 total incidents (either outages or attacks like route leaks and hijacks)
- Over 10% of all Autonomous Systems on the Internet were affected
- 3,106 Autonomous Systems were a victim of at least one routing incident
- 1,546 networks were responsible for 5304 routing incidents
- 547 networks were responsible for 1576 routing incidents
[Chart: Outage vs. Routing incident; 3668, 70% and 1576, 30%]
5 No Day Without an Incident
[Chart: 6 months of suspicious activity; series: Hijack, Leak; x-axis: dates in 2017, through 8/1/17]
6 Outages 2017
[Chart: % of networks affected by an outage; countries: BR, US, IR, IN, ID, RU, UA, AR, NG, BD]
7 Potential culprits 2017
[Charts: number of AS's in a country responsible for a routing incident (a route leak or hijack), and percent of AS's in a country responsible for a routing incident (a route leak or hijack); countries: BR, US, RU, GB, IN, HK, DE, ID, IR, NL]
8 Positive dynamics
[Chart: % of AS's in a country responsible for a routing incident; countries: US, BR, RU, IN, BD, ID, DE, IR, GB, HK]
9 Mutually Agreed Norms for Routing Security (MANRS)
- Provides crucial fixes to eliminate the most common threats in the global routing system
- Based on collaboration among participants and shared responsibility for the Internet infrastructure
10 MANRS Actions
- Filtering: Prevent propagation of incorrect routing information. Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity.
- Anti-spoofing: Prevent traffic with spoofed source IP addresses. Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure.
- Coordination: Facilitate global operational communication and coordination between network operators. Maintain globally accessible up-to-date contact information in common routing databases.
- Global Validation: Facilitate validation of routing information on a global scale. Publish your data, so others can validate.
11 Filtering: Prevent propagation of incorrect routing information
Ensure the correctness of your own announcements and announcements from your customers to adjacent networks
Use an IRR (e.g. APNIC IRR)
- In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to register their expected announcements as route objects in the IRR
- AS64500 will need to register its own route object, define its customer cone using an as-set object, and publish its routing policy with an aut-num object
- AS64500 will use IRRToolset, BGPQ3 or IRRPT to generate filters
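The filter-generation step on this slide can be sketched as follows. This is an added example, not code from the presentation or from IRRToolset, BGPQ3 or IRRPT: it expands an as-set recursively into the customer cone, keeps only route objects whose origin is in that cone, and accepts an announcement only when both prefix and origin AS match. The nested set `AS64502:AS-CUST`, the IPv4 prefixes, AS64999 and the prefix-list name are constructed for illustration.

```python
import ipaddress

# Constructed IRR data modelled on the slide's scenario (not real registry content).
AS_SETS = {
    "AS64500:AS-ALL": ["AS64500", "AS64501", "AS64502:AS-CUST"],
    # Hypothetical nested set that points back at its parent, to exercise loop handling.
    "AS64502:AS-CUST": ["AS64502", "AS64500:AS-ALL"],
}
ROUTES = [  # (prefix, origin) pairs as they would appear in route/route6 objects
    ("2001:db8:1000::/48", "AS64500"),
    ("2001:db8:1001::/48", "AS64501"),
    ("2001:db8:2002::/48", "AS64502"),
    ("198.51.100.0/24", "AS64501"),
    ("203.0.113.0/24", "AS64999"),  # registered, but outside the customer cone
]


def expand_as_set(name, as_sets):
    """Return every ASN reachable from an as-set, visiting each nested set once."""
    asns, seen, stack = set(), set(), [name]
    while stack:
        item = stack.pop()
        if item in seen:
            continue  # already expanded: protects against circular membership
        seen.add(item)
        if item in as_sets:
            stack.extend(as_sets[item])
        elif item.startswith("AS") and item[2:].isdigit():
            asns.add(int(item[2:]))
        # An as-set name with no registered object contributes nothing.
    return asns


def build_filter(as_set, as_sets, routes):
    """Map each registered prefix in the cone to the origins allowed to announce it."""
    cone = expand_as_set(as_set, as_sets)
    allowed = {}
    for prefix, origin in routes:
        asn = int(origin[2:])
        if asn in cone:
            allowed.setdefault(ipaddress.ip_network(prefix), set()).add(asn)
    return allowed


def accept(allowed, prefix, as_path):
    """Prefix and AS-path granularity: exact registered prefix, registered origin."""
    net = ipaddress.ip_network(prefix)
    return bool(as_path) and as_path[-1] in allowed.get(net, set())


def render_prefix_lists(allowed, name):
    """Emit one prefix-list line per permitted prefix, IPv4 first."""
    lines = []
    for net in sorted(allowed, key=lambda n: (n.version, n)):
        keyword = "ip" if net.version == 4 else "ipv6"
        lines.append(f"{keyword} prefix-list {name} permit {net}")
    return lines


if __name__ == "__main__":
    flt = build_filter("AS64500:AS-ALL", AS_SETS, ROUTES)
    print("\n".join(render_prefix_lists(flt, "CUSTOMERS")))
    print(accept(flt, "2001:db8:1001::/48", [64501]))    # registered prefix and origin
    print(accept(flt, "2001:db8:1001::/48", [64502]))    # right prefix, wrong origin
    print(accept(flt, "2001:db8:1001:1::/64", [64501]))  # unregistered more-specific
```

Because the filter is rebuilt from the registry each time, a customer that adds a downstream to its as-set is picked up on the next run, which is the dynamic behaviour the audit slide asks for.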
12 Filtering: Prevent propagation of incorrect routing information
Ensure the correctness of your own announcements and announcements from your customers to adjacent networks
Use RPKI
- In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to get RPKI certificates from APNIC and create ROAs for their expected announcements
- AS64500 will do the same
- AS64500 can use RPKI validator to directly tag the announcements, e.g.

    route-map rpki permit 10
     match rpki valid
     set local-preference
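What `match rpki valid` decides can be shown with the route origin validation procedure from RFC 6811. This is an added example, not code from the presentation or from any RPKI validator; the ROA set, the AS0 entry, AS64503, AS64999 and the local-preference values are constructed, and rejecting invalid routes is an assumed policy that the slide does not state.

```python
import ipaddress
from typing import NamedTuple, Optional


class ROA(NamedTuple):
    prefix: str
    max_length: int
    asn: int


# Constructed validated ROA payloads; the two /48s reuse the slide's example prefixes.
ROAS = [
    ROA("2001:db8:1001::/48", 48, 64501),
    ROA("2001:db8:2002::/48", 48, 64502),
    ROA("203.0.113.0/24", 24, 0),  # AS0 ROA: the holder says nobody should originate this
]

# Hypothetical local-preference values; the slide leaves the value out.
LOCAL_PREF = {"valid": 200, "not-found": 100}


def validate(prefix: str, origin: int, roas) -> str:
    """Classify an announcement as valid, invalid or not-found (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        # A match needs the same origin and a length within maxLength; AS0 never matches.
        if roa.asn != 0 and roa.asn == origin and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid. No covering ROA: not-found.
    return "invalid" if covered else "not-found"


def route_policy(prefix: str, origin: int, roas) -> Optional[int]:
    """Return the local-preference to set, or None when the route is rejected."""
    return LOCAL_PREF.get(validate(prefix, origin, roas))


if __name__ == "__main__":
    samples = [
        ("2001:db8:2002::/48", 64502),    # matches its ROA
        ("2001:db8:2002::/48", 64501),    # wrong origin for a covered prefix
        ("2001:db8:2002:1::/64", 64502),  # more specific than maxLength allows
        ("2001:db8:3003::/48", 64503),    # no ROA covers it
        ("203.0.113.0/24", 64999),        # covered only by an AS0 ROA
    ]
    for prefix, origin in samples:
        print(prefix, origin, validate(prefix, origin, ROAS), route_policy(prefix, origin, ROAS))
```

The third sample is the case operators most often trip over: a ROA whose maxLength equals the prefix length makes every more-specific announcement invalid, even from the legitimate origin.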
13 Anti-spoofing: Prevent traffic with spoofed source IP addresses
Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.
Use ingress ACLs

    ip access-list extended customer1-in-ipv4
     permit ip any
    !
    ipv6 access-list customer1-in-ipv6
     permit ipv6 2001:db8:1001::/48 any
    !
    interface x
     ip access-group customer1-in-ipv4 in
     ipv6 traffic-filter customer1-in-ipv6 in

Convince the customer to egress-filter

    interface y
     ip access-group egress-provider out
14 Anti-spoofing: Prevent traffic with spoofed source IP addresses
Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.
Use uRPF

    ip verify unicast source reachable-via rx
    ipv6 verify unicast source reachable-via rx

Convince the customer to egress-filter

    interface y
     ip access-group egress-provider out
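The check that strict uRPF (`reachable-via rx`) performs on each packet can be modelled in a few lines. This is an added example, not code from the presentation or from any router implementation; the forwarding table, interface names and addresses are constructed. It also shows why the action is scoped to single-homed stub customers: a multihomed customer's legitimate traffic fails the check on the link that is not the best path.

```python
import ipaddress

# Constructed forwarding table: (prefix, interface the best route points out of).
FIB = [
    ("2001:db8:1001::/48", "cust1"),    # single-homed stub customer
    ("2001:db8:2002::/48", "cust2-a"),  # multihomed customer, best path via link a
    ("::/0", "upstream"),
]


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifname)
    return best


def urpf_strict(fib, src, in_if, allow_default=False):
    """Pass a packet only if the route back to its source leaves via the receiving interface."""
    hit = lookup(fib, src)
    if hit is None:
        return False  # no route back to the source at all
    net, ifname = hit
    if net.prefixlen == 0 and not allow_default:
        return False  # only the default route matches: not proof of reachability
    return ifname == in_if


if __name__ == "__main__":
    print(urpf_strict(FIB, "2001:db8:1001::10", "cust1"))    # customer's own address
    print(urpf_strict(FIB, "2001:db8:2002::10", "cust1"))    # another customer's address
    print(urpf_strict(FIB, "2001:db8:9999::1", "cust1"))     # address covered only by default
    print(urpf_strict(FIB, "2001:db8:2002::10", "cust2-b"))  # legitimate, but asymmetric path
```

For the multihomed case the ingress ACL from the previous slide is the safer tool, since it does not depend on which link currently carries the best route.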
15 Coordination: Facilitate global operational communication and coordination between network operators
Maintain globally accessible up-to-date contact information
- MyAPNIC Portal: mntner, role, inetnum, inet6num, aut-num, as-set, route-set
- Abuse, Policy, Technical, NOC, Public Relations, Sales
- Network Operations Center, Support Team, Abuse Team, Security Team
16 Global Validation: Facilitate validation of routing information on a global scale
Publicly document the routing policy, ASNs and prefixes that are intended to be advertised to external parties

    aut-num: AS64500
    mp-import: from AS64501 accept AS64501
    mp-export: to AS64501 announce ANY
    ...
    mp-import: from AS64511 accept AS64511:AS-ALL
    mp-export: to AS64511 announce AS :AS-ALL
    ...
    source: APNIC

    as-set: AS64500:AS-ALL
    members: AS64500
    members: AS64501, AS64502
    source: APNIC

    route: /24
    origin: AS64500
    source: APNIC

    route6: :db8:1000::/
    origin: AS64500
    source: APNIC

    route: /24
    origin: AS64501
    source: APNIC

    route6: 2001:db8:1001::/48
    origin: AS64501
    source: APNIC

    route: /24
    origin: AS64502
    source: APNIC

    route6: 2001:db8:2002::/48
    origin: AS64502
    source: APNIC

    ROA: 2001:db8:2002::/48
    origin: AS64502
17 MANRS Implementation Guide
- If you're not ready to join yet, implementation guidance is available to help you.
- Based on Best Current Operational Practices deployed by network operators around the world
- Recognition from the RIPE community by being published as RIPE
18 MANRS Training Tutorials and Hands-on Lab
- 6 training tutorials based on information in the Implementation Guide.
- A test at the end of each tutorial.
- About to begin training moderators for online classes (43 applications received!)
- The prototype lab is ready, finalizing the production version.
19 Measuring Routing Security: MANRS Observatory
- Impartial benchmarking of MANRS members to improve reputation and transparency
- Provide factual state of security and resilience of Internet routing system over time
- Support the problem statement with data
- Self-assessment purposes and automating sign-up
How to Measure?
- Transparent: Use publicly available data sources and open source code
- Passive: No cooperation is required from a network
- Metrics: Measure the rate of member (ASN) commitment (0 non-compliant to 100 fully compliant)
20 MANRS Member Report and MANRS Observatory
21 MANRS Audit Process (Actions, Checks, Tools)
Filtering
- Check the description to ensure that prefix filters are generated for the customer cone dynamically, and not only static bogon filters are in place. Usually this is done by using recursive AS-SETs (IRR).
- Check that the ASN does not announce bogons
- Check that the ASN was not implicated in recent incidents. If it was, ask for the explanation
Anti-Spoofing
- Check that ASN does not show up in CAIDA spoofer database as an ASN or as a provider
- Run Spoofer test in two of infrastructure network segments (not behind a NAT)
- Check the spoofer results
Coordination
- Check that contacts are in the whois
- Check that contact info is registered in the PeeringDB
Global Validation
- Check that routing information is registered in an IRR
- If ROAs are registered, it is a plus
22 MANRS increasing adoption
"I believe only 20 major network operators need to start doing Route Origin Validation in order to greatly improve routing security and achieve big benefits." - Job Snijders, NLNOG
23 Total ASNs versus Stub ASNs
24 MANRS Participants as of October Network Operators - 21 R&E networks and institutions Autonomous Systems (ASes) - 24 Internet Exchange Points - Internet2/ESnet community Internet2, ESnet, CAAREN, Connecticut Education Network, DePaul University, GWU, Indiana University & KanREN 24
25 Why Research & Education Networks Should Join MANRS
- To show technical leadership and distinguish you from commercial ISPs
  - Customers increasingly willing to pay more for secure services
- To add competitive value and enhance operational effectiveness
  - Growing demand from customers for managed security services
- To show security proficiency and commitment to your customers
  - Promote MANRS compliance to security-focused customers
- To help solve global network problems
  - NRENs are often early adopters of new developments. Lead by example
  - Being part of the MANRS community can strengthen enterprise security credentials
26 MANRS IXP Programme
There is synergy between MANRS and IXPs
- IXPs form a community with a common operational objective
- MANRS is a reference point with a global presence, useful for building a safe neighborhood
How can IXPs contribute?
- Implement a set of Actions that demonstrate the IXP commitment and also bring significant improvement to the resilience and security of the routing system
27 MANRS IXP Program launched on April 23!
28 MANRS IXP Actions
- Action 1: Prevent propagation of incorrect routing information. This mandatory action requires IXPs to implement filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI).
- Action 2: Promote MANRS to the IXP membership. IXPs joining MANRS are expected to provide encouragement or assistance for their members to implement MANRS actions.
- Action 3: Protect the peering platform. This action requires that the IXP has a published policy of traffic not allowed on the peering fabric and performs filtering of such traffic.
- Action 4: Facilitate global operational communication and coordination. The IXP facilitates communication among members by providing necessary mailing lists and member directories.
- Action 5: Provide monitoring and debugging tools to the members. The IXP provides a looking glass for its members.
29 MANRS Community
30 MANRS needs to be community driven
- MANRS should be (and is) a collaborative initiative of Internet operators
- Internet operators undertaking MANRS principles need to encourage use of best practices
- MANRS needs to be driven by leaders within their communities who strongly believe that routing security is an essential component for the future well-being of the Internet
- Generate MANRS awareness through word-of-mouth, presentations and social media in their communities, plus running workshops on routing security
- Bring forward feedback and recommendations for improving MANRS principles, tools and disseminating best practices, e.g. MANRS observatory, network monitoring tools, and training materials
- Internet Society can help with presentations, informational materials and merchandise (shirts and stickers)
31 Join Us
Visit
- Fill out the sign up form with as much detail as possible.
- We may ask questions and run tests
Get Involved in the Community
- Members support the initiative and implement the actions in their own networks
- Members maintain and improve the manifesto and promote MANRS objectives
32 Thank you. Kevin Meynell Visit us at Follow Galerie Jean-Malbuisson 15, CH-1204 Geneva, Switzerland Wiehle Avenue, Suite 201, Reston, VA USA
More informationThe Internet Ecosystem
Internet Week Philipsburg, St. Maarten 28 October 2016 The Internet Ecosystem Shernon Osepa, Manager Regional Affairs Latin America & the Caribbean osepa@isoc.org Presentation title Client name Internet
More informationPractical everyday BGP filtering with AS_PATH filters: Peer Locking
Practical everyday BGP filtering with AS_PATH filters: Peer Locking job@ntt.net Disclaimer: ISPs and their ASNs used in this talk are examples for discussion purpose only. NTT does not admit or deny any
More informationRIPE NCC Technical Services
RIPE NCC Technical Services France-IX General Meeting 26 September 2013 Mirjam Kühne, Xavier Le Bris, RIPE NCC Overview What is the RIPE NCC Services for members and public services IP address policy update
More informationCSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca
CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca Based partly on lecture notes by Rob Sherwood, David Mazières, Phil Levis, John Janno? Administrivia Midterm moved up from 3/17 to 3/15 IP
More informationRouting Security Roadmap
Routing Security Roadmap Job Snijders NTT Communications job@ntt.net This presentation contains projections and other forward-looking statements regarding future events or our future routing performance.
More informationinternet technologies and standards
Institute of Telecommunications Warsaw University of Technology internet technologies and standards Piotr Gajowniczek BGP (Border Gateway Protocol) structure of the Internet Tier 1 ISP Tier 1 ISP Google
More informationEnsuring and Accelerating Routing Security
2016 Cyber Security Division R&D SHOWCASE AND TECHNICAL WORKSHOP Ensuring and Accelerating Routing Security PARSONS, Inc Sandra Murphy 18 Feb 2016 DHS S&T Cyber Security Division 2016 R&D Showcase & Technical
More informationThe Value of Peering. ISP/IXP Workshops. Last updated 23 rd March 2015
The Value of Peering ISP/IXP Workshops Last updated 23 rd March 2015 1 The Internet p Internet is made up of ISPs of all shapes and sizes n Some have local coverage (access providers) n Others can provide
More informationRoute Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes
1 Types of prefixes in IP core network: Internal Prefixes External prefixes Downstream customers Internet prefixes 2 Internal prefixes originated in IP core network Loopback Transport Connect inter-regional
More informationRouting Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security
Routing Security DDoS and Route Hijacks Merike Kaeo CEO, Double Shot Security merike@doubleshotsecurity.com DISCUSSION POINTS Understanding The Growing Complexity DDoS Attack Trends Packet Filters and
More informationRoute Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes
Types of prefixes in IP core network: Internal Prefixes External prefixes Downstream customers Internet prefixes Internal prefixes originated in IP core network Loopback Transport Connect inter-regional
More informationGolden Prefixes IRR Lockdown Job Snijders
Golden Prefixes IRR Lockdown Job Snijders Agenda What s the problem? IRR not ideal A possible solution: Golden prefixes Making the best of IRR: IRR Lockdown Actual Frustrations The Youtube
More informationA Measurement Study of BGP Misconfiguration
A Measurement Study of BGP Misconfiguration Ratul Mahajan, David Wetherall, and Tom Anderson University of Washington Motivation Routing protocols are robust against failures Meaning fail-stop link and
More informationRIPE NCC Services & Activities
RIPE NCC Services & Activities NaMeX Regional Meeting 2013, Paestum, Italy, 21 June 2013 Mirjam Kühne, RIPE NCC Overview What is the RIPE NCC Services for members and public services Tools and Measurements
More informationBGP Operations and Security. Training Course
BGP Operations and Security Training Course Training Services RIPE NCC December 2017 Schedule 09:00-09:30 11:00-11:15 13:00-14:00 15:30-15:45 17:30 Coffee, Tea Break Lunch Break End BGP Operations and
More informationTrends in IoT DDoSbotnets
Trends in IoT DDoSbotnets Netnod Meeting, 14-15 March2018 Steinthor Bjarnason ASERT Network Security Research Engineer sbjarnason@arbor.net 2018 ARBOR PUBLIC 7,7 MillionDuring this presentation, approx.
More informationRPKI and Routing Security
Presentation September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) What is the Purpose of
More informationResource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018
Resource PKI NetSec Tutorial NZNOG2018 - Queenstown 24 Jan 2018 1 Fat-finger/Hijacks/Leaks Bharti (AS9498) originates 103.0.0.0/10 Dec 2017 (~ 2 days) No damage more than 8K specific routes! Google brings
More informationNews from RIPE and RIPE NCC
News from RIPE and RIPE NCC FRNOG, Paris 11 December 2009 Vesna Manojlovic RIPE / RIPE NCC RIPE Operators community Develops addressing policies Working group mailing lists 2010 meetings: Prague 3-7 May
More informationDriving Global Resilience
Driving Global Resilience Steve Mellish FBCI Chairman, The Business Continuity Institute Monday December 2nd, 2013 Business & IT Resilience Summit New Delhi, India Chairman of the Business Continuity Institute
More informationBGP security. 19 april 2018 Copenhagen
BGP security 19 april 2018 Copenhagen Agenda 14:30 Welcome and registration 15:00 Presentation 17:00 Questions 17:30 Beer & Burgers & 2 Who are we? Lucas Senior network engineer @ NL-ix in ISP business
More information