Rethinking Path Validation. Russ White
Transcription
1 Rethinking Path Validation. Russ White
2 Reality Check
- Right now there is no US Government mandate to do anything
- A mandate in the origin authentication area is probably imminent
- A mandate in the path validation space will probably happen eventually
- Are we happy with the options we have?
3 AS65000 Origin Authentication
- AS65002 authorized to originate 2001:db8:0:1::/64
- AS65002 creates an RC signed with a private key and any additional parameters
- AS65002 places this in the RPKI database
[Diagram: Resource Certificate (RC) 2001:db8:0:1::/64; Route Origin Authorization (ROA); AS65002; AS65003; RIR (Trust Anchor)]
4 AS65000 Origin Authentication
- AS65000 uses AS65002's public key to validate the ROA
- AS65000 can check the original authorization using the trust anchor's public key
[Diagram: Resource Certificate (RC) 2001:db8:0:1::/64; Route Origin Authorization (ROA); AS65002; AS65003; RIR (Trust Anchor)]
5 AS65000 Origin Authentication
- AS65003 can advertise /24 with the AS Path [65002,65003]
- AS65000 will be none the wiser
- To resolve this, path validation of some sort is needed
[Diagram: Resource Certificate (RC) 2001:db8:0:1::/64; Route Origin Authorization (ROA); AS65002; AS65003; RIR (Trust Anchor)]
6 Rethinking Requirements
- Reuse BGP: trusted and understood
- Address family (AF) or new message
- No reason to reuse current bestpath for this application
- Reuse existing policy mechanisms if possible
- Don't mess with origin authentication (in general)
- Allow replacing rsync with BGP transport
7 Notes
- Current bestpath in this context means current metrics, like MED, Local Pref, etc.
- These don't seem to apply to carrying certificates
- A new AF can define its own metrics and bestpath algorithm
- Existing policy mechanisms primarily means communities in this context
- Provide a common context for reachability and path security information
- Provide a common policy that ties reachability and path security information
- There are concerns about the long term viability of rsync in this application
- If we design the AF correctly, we can carry the current ROAs as well
- Optional, but potentially useful; leave open for further discussion in the community
8 Rethinking Requirements
- Solve 80% of the problem space in a deployable way
- Assume to be used in parallel with other mechanisms
- Stateful inspection/IDS pair (separate baskets)
- Don't make the edge do crypto
- Persistence in the face of DDoS
9 Notes
- Any single mechanism probably isn't going to solve every problem
- If every problem can and should actually be solved at all
- Think of a stateful packet filter (firewall/SPF) combined with an Intrusion Detection System (IDS)
- The SPF doesn't really catch every possible attack
- Instead, we put in different systems to solve different parts of the problem
- Given this, we should focus on solving 80% of the problems
- For instance, data analytics used across the table in near real time, in combination with DNS and traffic flow analysis, can probably catch some attacks or security problems more easily than a purely BGP based path validation system of any kind
10 Rethinking Requirements
- Hide things that aren't otherwise available
- Control where information is advertised
- Optionally attach peering types and other policy to specific relationships
[Diagram: AS65000, AS65001, AS65002, AS65003, AS65004, AS65005]
11 Notes
- AS65000 doesn't want to advertise its connection to AS65003 unless the routes are being advertised
- Backup routes, etc.
- AS65000 only wants its connection to AS65004 advertised to its peers, and not to their peers
- Regional routing information, partnering relationships, etc.
- AS65000 wants to make certain other AS know that AS65005 is not a transit customer
- So other AS should not see routes AS65000 advertises to AS65005 readvertised
12 Rethinking Requirements
- Overlay carrying new information
- Incremental deployment should add value incrementally
[Diagram: AS65000, AS65001, AS65002, AS65003, AS65004, AS65005]
13 Conceptually
- AS level semantics
- Only AS level changes are reflected in the base advertisements
- More detail may be included
[Diagram: AS65000, AS65002, AS65003 and AS65004, each labelled with the ASes it is "Connected to"]
14 Conceptually (simpler version)
- Build a set of path pairs
- Each path pair can contain policy
- These can be used as a set of path filters at the AS edge
[Diagram: AS65000, AS65002, AS65003 and AS65004, each labelled with the ASes it is "Connected to"]
15 Conceptually (simpler version)
- For instance, if an advertisement is received with the AS path [65004,65003] at AS65000
- Is AS65004 connected to AS65003? Yes
- Is there any policy along the path that says I shouldn't be receiving this route? No
- Am I connected to AS65000? Yes
- 80%+ certain this is a good route
- Leave it to reactive/future systems to resolve the rest
16 Conceptually (more complex version)
- Tree Based DAG
- AS are edges
- Connections are nodes
- Policy hangs off nodes
- Path State Vector Topology
[Diagram: "Tree from AS65000"; labels AS65000, AS65002, AS65003, AS65004, (ME)]
17 Conceptually (more complex version)
- DAG: directed acyclic graph
- Like an SPF, only containing all possible paths, rather than just the best path
- Contains loops, which is okay for this application
- For any advertisement received, start with the origin and walk the DAG
- If I can reach myself without encountering policy problems, the route is valid
- Leave it to reactive/future systems to resolve the rest
18 [Diagram: Route Origin Authorization (ROA); Route Origination Resource Certificate; AS Connectivity Certificate 1; AS Connectivity Certificate 2; AS Connectivity Certificate 3; BGP AF; ACC 1, Community, Other Attributes; ACC 2, Community, Other Attributes]
19 Notes
- This is one option for encoding this type of information
- Treats the certificate as essentially opaque to BGP
- BGP is just transporting this stuff
- Communities and other attributes can be added on to supply common inter and intra AS policy
- Sequence number is included for freshness of information
- Packet formats in flux at this point
20 Operationally
- AS65000 advertises three connectivity sets
- [65000,65003]
  - Community bound
  - Only advertised when routes from AS65003 are advertised
[Diagram: AS65000, AS65001, AS65002, AS65003, AS65004, AS65005]
21 Operationally
- [65000,65004]
  - Community bound to be blocked at the AS65001=>AS65002 edge
- [65000,65005]
  - Marked as non-transit peering relationship
[Diagram: AS65000, AS65001, AS65002, AS65003, AS65004, AS65005]
22 AS65004 Attacks Resolved
- AS65005 advertises with a path of [65001,65005]
- AS65001 is not advertising a connection to AS65005
- AS65004 can reject the route
[Diagram: AS65003, AS65002, and the prefix 2001:db8:0:1::/64 shown at two ASes]
23 AS65004 Attacks Resolved
- AS65001 is not transit
- AS65002 can mark AS65001 as not transit
- AS65005 can drop the route based on this
- This is optional, but as more policy is exposed, more can be enforced
[Diagram: AS65002, AS65005, AS65001, and the prefix 2001:db8:0:1::/64]
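The path-pair filter from slides 14-15, run against the cases on slides 5, 22 and 23, as an added example that is not code from the presentation. The `ConnectivitySet` record, the rule that both ends of a pair must attest it, the "unknown" verdict for ASes that publish nothing, and the three databases are assumptions made for illustration; certificate signatures are taken as already verified.

```python
"""Path-pair filter from slides 14-15, run on the cases from slides 5, 22, 23.

Added example, not code from the presentation. Assumptions: the
ConnectivitySet record, two-sided attestation, the "unknown" verdict, and
the constructed databases. Certificate signatures are taken as verified.
"""
from dataclasses import dataclass, field

VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"


@dataclass
class ConnectivitySet:
    """What one AS attests about its own edges (hypothetical record)."""
    neighbors: set                                  # ASes it says it connects to
    non_transit: set = field(default_factory=set)   # neighbors marked "not transit"


def check_path(as_path, local_as, db):
    """Check an AS path written origin-first, as the slides write it.

    db maps ASN -> ConnectivitySet. Returns (verdict, reason).
    """
    raw = list(as_path) + [local_as]
    # Collapse AS-path prepending so a repeated ASN is not treated as a pair.
    hops = [h for i, h in enumerate(raw) if i == 0 or h != raw[i - 1]]
    verdict, reason = VALID, "every pair attested, no policy violated"
    last = len(hops) - 1
    for i in range(last):
        a, b = hops[i], hops[i + 1]          # the route travelled a -> b
        rec_a, rec_b = db.get(a), db.get(b)
        if rec_a is not None and b not in rec_a.neighbors:
            return INVALID, f"AS{a} does not advertise a connection to AS{b}"
        if rec_b is not None and a not in rec_b.neighbors:
            return INVALID, f"AS{b} does not advertise a connection to AS{a}"
        if rec_a is None or rec_b is None:
            # Incremental deployment: missing data is not proof of forgery.
            missing = a if rec_a is None else b
            verdict, reason = UNKNOWN, f"AS{missing} publishes no connectivity set"
        # b was marked non-transit by a, yet b passed a's route onward.
        if rec_a is not None and b in rec_a.non_transit and i + 1 < last:
            return INVALID, f"AS{a} marks AS{b} as non-transit"
    return verdict, reason


# Constructed topology consistent with the "Connected to" labels on slide 13.
SLIDE13 = {
    65000: ConnectivitySet({65002, 65003}),
    65002: ConnectivitySet({65000, 65004}),
    65003: ConnectivitySet({65000, 65004}),
    65004: ConnectivitySet({65002, 65003}),
}

# Constructed for slide 22: AS65005 claims an edge to AS65001 that AS65001
# never advertises. The AS65001-AS65002 and AS65004-AS65005 edges are assumed.
SLIDE22 = {
    65001: ConnectivitySet({65002}),
    65002: ConnectivitySet({65001}),
    65004: ConnectivitySet({65005}),
    65005: ConnectivitySet({65001, 65004}),
}

# Constructed for slide 23: AS65002 marks AS65001 as not transit.
SLIDE23 = {
    65001: ConnectivitySet({65002, 65005}),
    65002: ConnectivitySet({65001, 65003}, non_transit={65001}),
    65003: ConnectivitySet({65002}),
    65005: ConnectivitySet({65001}),
}

if __name__ == "__main__":
    cases = [
        ("slide 15", [65004, 65003], 65000, SLIDE13),
        ("slide 5", [65002, 65003], 65000, SLIDE13),
        ("slide 22", [65001, 65005], 65004, SLIDE22),
        ("slide 23", [65003, 65002, 65001], 65005, SLIDE23),
        ("own route", [65001], 65005, SLIDE23),
    ]
    for name, path, me, db in cases:
        print(name, path, "at", f"AS{me}", "->", *check_path(path, me, db))
```

The non-transit rule only fires when the marked AS passes the route onward, so AS65001 can still originate its own routes and receive routes from AS65002.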
24 Thoughts on this solution
- Would meet the objectives of reasonably worded government mandate
- Would protect 80% or more of what needs to be protected
- Works with existing origin validation to stop hijacking
- Stops truly out of path man in the middle attacks
- Provides a home for some policy when desired
- Protects provider private links, etc.
25 Path Forward
- Small group formed to work on this
- Increasing group size over time as folks are interested
- Need to avoid boiling the ocean or building a camel if possible
- We need community support to build a deployable system that solves the set of problems we care about
- Eventually take this to the IETF
- If a mandate is forthcoming
- Hopefully we have a system in place that operators can live with
26 Questions?