
LKNOG3-Keynote


LKNOG3 Keynote by Sanjaya, DDG of APNIC


  1. Strengthening the Internet Infrastructure in Sri Lanka
     LKNOG 3 – Colombo, 2 October 2019
     Sanjaya, Deputy Director General – APNIC
  2. Overview
     • Internet infrastructure
     • Criteria for a strong Internet infrastructure
       – Robust network ecosystem
       – Adoption of network operations best practices
     • Internet infrastructure in Sri Lanka
     • Network operations best practices
  3. About the Internet
     • The Internet is a set of interconnected networks: “the network of networks”
     • Every device on the Internet requires an address (IP address) so it can be found by other devices to send and receive data
       – IPv4: 66.220.144.0
       – IPv6: 2a03:2880:11:2f83:face:b00c:0:25de
     • Independent networks manage their own IP address space, and interconnect with other networks using BGP and Autonomous System Numbers (ASNs)
  4. Internet Infrastructure Backbone
  5. Who operates these networks?
     Current industry mix in the AP region (September 2019); other regions may vary.
     Chart legend: Internet service provider (ISP); Hosting/Data centre; Telecommunications/Mobile operator; Enterprise/Manufacturing/Retail; Banking/Financial; Academic/Educational/Research; Software vendor; Government/Regulator/Municipality; Media/Entertainment; Industrial (construction, mining, oil); Infrastructure (transport/hospital); Non-profit/NGO/Internet community; Other; Internet exchange point (IXP); Hardware vendor; Domain name registry/Registrar
  6. What does the Internet look like?
     • Networks worldwide interconnect to form the Internet. They include ISPs, data centres, Internet exchange points, universities, corporate networks, etc.
     • Each dot represents an AS
     • There are 65,000+ ASNs currently active in the Internet
     Credit: Cogeco Peer 1
  7. Global ASN interconnection
  8. Strong Internet Infrastructure
     • A healthy ecosystem of inter-dependent networks
       – Service providers: telcos, international gateways, ISPs, data centre/cloud providers, content delivery networks, media, applications, etc.
       – Consumer & corporate networks
         • Consumers: mobile phones, public WiFi, home networks
         • Corporate: office, building, campus, branch, plant, sensor networks
     • Network operations best practices
       – Adopted by all types of network
  9. Networks in Sri Lanka
     https://stats.apnic.net/vizas/#LK
  10. How does it compare with other economies?
  11. By population
      Source: https://en.wikipedia.org/wiki/List_of_countries_by_population_(United_Nations) (retrieved 23 Sep 2019); United Nations, World Population Prospects, 2019 revision
  12. By GDP (purchasing power parity)
      Source: https://en.wikipedia.org/wiki/List_of_countries_by_GDP_(PPP) (retrieved 23 Sep 2019); IMF 2019 estimates
  13. SAARC
      Source: https://en.wikipedia.org/wiki/South_Asian_Association_for_Regional_Cooperation (retrieved 23 Sep 2019)
  14. Sri Lanka Internet ecosystem
      • Plenty of opportunity to grow in numbers and types of
        – Service providers
        – Consumer & corporate networks
  15. Network operations best practices
      • Number registry
      • Internet routing
      • Network security
  16. Number Registry
      • Internet number resource management
      • Accurate and updated public records (Whois/RDAP)
        – APNIC delegation
        – Customer delegation
      • Responsive IRT (Incident Response Team) contacts
      • Reverse DNS management
      • Awareness of and compliance with policies
  17. Internet Routing
      • Peering
        – Peer with as many networks (ISPs, CDNs, etc.) as you can
        – Keep local traffic local to improve the end-user experience
      • Your IPv6 peering should mirror your IPv4 peering (where possible)
  18. Internet Routing
      • BGP session – for every peer/transit
        – Enable BGP TTL security (RFC 5082 – Generalized TTL Security Mechanism)
        – At least enable BGP MD5 authentication where your router OSes don’t support TCP-AO (RFC 5925, TCP Authentication Option)
  19. Internet Routing
      • BGP announcements
        – Announce your aggregates
        – Announce more specifics only where you have traffic engineering needs
          • Example: if you have a /18, it is fine to announce 4 x /20s or 8 x /21s based on the number of uplinks you have… but there is NO need to de-aggregate down to 64 x /24s!
  20. Internet Routing
      • BGP filtering
        – Prefix filters
          • For both inbound and outbound announcements
          • Set a maximum-prefix limit for routes received from your peers
          • Do not accept bogons or your own prefixes!
        – AS_PATH filters
          • Do not announce/accept private ASNs (BGP customers may use private ASNs, but strip them before announcing their routes to peers and upstreams)
          • Enforce the first ASN in the AS_PATH to be your direct peer (bgp enforce-first-as)
          • Limit the AS_PATH length for prefixes you receive (the current average path is about 5~7 ASNs deep)
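The prefix and AS_PATH rules on this slide, written out as an inbound filter over constructed BGP UPDATE records. This is an added example, not code from the presentation or from APNIC; the own-prefix list, bogon list, ASNs and path-length cap are constructed policy values an operator would replace with their own.

```python
"""Inbound eBGP sanity filter over constructed UPDATE records (added example).
Rules from the slide: reject bogons and our own prefixes, require the first AS
to be the peer, reject private ASNs, cap AS_PATH length, enforce max-prefix.
"""
import ipaddress

# Constructed local policy; an operator substitutes their own address plan.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3", "::/128", "fc00::/7", "fe80::/10")]
MAX_AS_PATH_LEN = 15   # generous against the 5~7 ASN average quoted on the slide

def is_private_asn(asn):
    """RFC 6996 private-use ranges (16-bit and 32-bit)."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294

def check_update(prefix, as_path, peer_asn):
    """Return (accept, reason) for one route received from peer_asn."""
    net = ipaddress.ip_network(prefix)
    if any(net.subnet_of(b) for b in BOGONS if b.version == net.version):
        return False, "bogon"
    # Our exact prefixes and any more-specific of them must never come from a peer.
    if any(net.subnet_of(o) for o in OWN_PREFIXES if o.version == net.version):
        return False, "own prefix"
    if not as_path or as_path[0] != peer_asn:
        return False, "first AS is not the peer"   # bgp enforce-first-as
    if any(is_private_asn(a) for a in as_path):
        return False, "private ASN in path"
    if len(as_path) > MAX_AS_PATH_LEN:
        return False, "AS_PATH too long"
    return True, "ok"

def filter_session(updates, peer_asn, max_prefix):
    """Apply check_update to every (prefix, as_path) and enforce max-prefix.
    Returns (accepted_prefixes, rejections); exceeding max_prefix models the
    router tearing the session down, so nothing at all is accepted then."""
    accepted, rejections = [], {}
    for prefix, as_path in updates:
        ok, reason = check_update(prefix, as_path, peer_asn)
        if ok:
            accepted.append(prefix)
        else:
            rejections[prefix] = reason
    if len(accepted) > max_prefix:
        return [], {"*": "maximum-prefix exceeded: session reset"}
    return accepted, rejections
```

The sample routes use RFC 5737 / RFC 3849 documentation space, which is deliberately not on the constructed bogon list so that the other rules can be exercised.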
  21. Internet Routing
      • BGP filtering
        – Filter inbound announcements using RPKI ROAs
          • Create and publish your ROAs (Route Origin Authorizations)
          • Ask your downstreams/peers to create ROAs for their resources
          • Use BGP ROV (Route Origin Validation) for ROA-based filtering (e.g. drop routes that are RPKI-invalid)
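Route Origin Validation as RFC 6811 defines it, applied to a constructed set of validated ROA payloads so the valid / invalid / not-found outcomes the slide relies on can be seen. This is an added example, not the presenter's code; the VRP set, prefixes and ASNs are constructed, and a real set would come from an RPKI validator.

```python
"""RFC 6811 Route Origin Validation against constructed validated ROA payloads
(added example). Both origin AS and maxLength are checked; routes with no
covering ROA are reported as 'not-found' and kept, as the RFC intends.
"""
import ipaddress

# Constructed VRPs as (prefix, maxLength, origin ASN).
VRPS = [
    ("198.51.100.0/22", 24, 64496),   # AS64496 may announce the /22 down to /24s
    ("198.51.100.0/22", 22, 64497),   # AS64497 may announce the /22 only
    ("2001:db8::/32", 48, 64496),
]

def rov_state(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for an announced (prefix, origin)."""
    net = ipaddress.ip_network(prefix)
    covering = [(ipaddress.ip_network(p), max_len, asn) for p, max_len, asn in vrps
                if ipaddress.ip_network(p).version == net.version
                and net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "not-found"                 # no ROA covers this prefix at all
    # Valid if any covering ROA names this origin and permits this prefix length.
    if any(asn == origin_asn and net.prefixlen <= max_len for _, max_len, asn in covering):
        return "valid"
    return "invalid"                       # covered, but wrong origin or too specific

def apply_rov(routes, drop_invalid=True):
    """Filter (prefix, as_path) routes; the origin is the last ASN in the AS_PATH.
    Returns (kept, dropped), each a list of (prefix, state)."""
    kept, dropped = [], []
    for prefix, as_path in routes:
        state = rov_state(prefix, as_path[-1])
        (dropped if state == "invalid" and drop_invalid else kept).append((prefix, state))
    return kept, dropped
```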
  22. Internet Routing
      • BGP behaviour
        – Change from default permit to default reject to prevent route leaks (RFC 8212)
          • Currently only supported on IOS-XR (all versions), BIRD (2.0.1 onwards), SR-OS (19.5.1 onwards) and OpenBGPD (6.4 onwards)
          • Push your vendors!
        – If your OS does not support it:
          • Shut the BGP session with the peer (group) during configuration
          • Define and apply explicit export and import policies to the eBGP peers
          • Then no-shut the BGP session
  23. Network Security
      • DNSSEC (forward and reverse DNS)
      • MANRS (Mutually Agreed Norms for Routing Security)
        – BCP 46: Recommended Internet Service Provider Security Services and Procedures
        – BCP 38: Network Ingress Filtering
        – IRR
      • RPKI & its applications
        – Digital certificates
        – ROA
        – RTA
  24. Network Security
      • DNS
        – DNSSEC for integrity
        – Last-mile features like DoH/DoT for privacy
        – Aggressive NSEC caching to prevent DoS attacks against authoritative servers
        – Passive DNS
  25. Network Security
      • Traffic filtering
        – BCP 38 (RFC 2827) – ingress filtering
          • Strict uRPF is the norm
        – BCP 84 (RFC 3704) – ingress filtering for multihomed networks
          • Loose uRPF is the norm
  26. Network Security
      • Traffic filtering – IPv6 specific
        – Extension headers are dangerous
          • But if you drop all fragments, things like DNSSEC break
        – Recommendation:
          • Drop IPv6 fragments that do not have the upper-layer header in the first fragment (RFC 7112 / RFC 8200)
          • Drop fragments destined for your network nodes (but allow fragments to end users)
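The first recommendation on slide 26, as a header-chain walk over raw IPv6 packets: a first fragment is flagged for dropping only when its extension-header chain does not reach a complete upper-layer header inside the fragment, so non-first fragments and unfragmented packets pass. This is an added example, not the presenter's code; the sample packets are constructed with zeroed addresses, not captured traffic.

```python
"""RFC 7112 / RFC 8200 sec. 4.5 check for IPv6 first fragments (added example).
Walks the extension-header chain of a raw packet and reports whether the
slide's rule applies: a first fragment whose upper-layer header does not fit.
"""
import struct

EXT_8BYTE_UNITS = {0, 43, 60}          # Hop-by-Hop, Routing, Destination Options
AH, FRAGMENT, NO_NEXT_HEADER = 51, 44, 59
MIN_UPPER_LEN = {6: 20, 17: 8, 58: 8}  # TCP, UDP, ICMPv6 fixed header sizes

def should_drop_fragment(pkt: bytes) -> bool:
    """True only for a first fragment that does not carry its whole header chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False                       # not IPv6: out of scope for this rule
    nh, off, first_frag = pkt[6], 40, False
    while True:
        if nh == NO_NEXT_HEADER:
            return False                   # chain ends legitimately
        if nh in MIN_UPPER_LEN:            # reached TCP/UDP/ICMPv6: it must fit entirely
            return first_frag and off + MIN_UPPER_LEN[nh] > len(pkt)
        if nh == FRAGMENT or nh == AH or nh in EXT_8BYTE_UNITS:
            if off + 8 > len(pkt):
                return first_frag          # chain cut off inside an extension header
            if nh == FRAGMENT:
                # Offset is the top 13 bits of bytes 2-3; zero marks the first fragment.
                if struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
                    return False           # later fragments carry no header chain
                first_frag, step = True, 8
            elif nh == AH:
                step = (pkt[off + 1] + 2) * 4   # AH length is in 4-byte units minus 2
            else:
                step = (pkt[off + 1] + 1) * 8   # others: 8-byte units plus 1
            nh, off = pkt[off], off + step
        else:
            return False                   # unknown protocol: leave to other filters

# Constructed sample packets (not captured traffic).
def ipv6(next_header, body):
    """Minimal IPv6 header (version 6, hop limit 64, zero addresses) plus body."""
    return struct.pack("!IHBB", 6 << 28, len(body), next_header, 64) + bytes(32) + body

def frag_hdr(next_header, offset, more=1, ident=0x1234):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, ident)

GOOD_FIRST = ipv6(FRAGMENT, frag_hdr(17, 0) + bytes(8))            # full UDP header fits
BAD_FIRST = ipv6(FRAGMENT, frag_hdr(6, 0) + bytes(10))             # TCP header cut short
BAD_CHAIN = ipv6(60, bytes([FRAGMENT, 0]) + bytes(6) + frag_hdr(60, 0))  # chain never reaches L4
LATER_FRAG = ipv6(FRAGMENT, frag_hdr(6, 100, more=0) + bytes(10))  # not a first fragment
```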
  27. Network Security
      • Traffic filtering – IPv6 specific
        – Filtering ICMPv6 will break IPv6
          • Rate-limit ICMPv6 instead of dropping it!
        – Do for IPv6 traffic what you did for IPv4 traffic
          • ACLs/filters
          • Harden hosts and applications
          • Use cryptographic protections where necessary/critical
  28. Network Security
      • Security concepts
        – Always start with zero trust
        – Put your firewalls closer to or in front of your services (not in the network backbone or at the network perimeter)
          • Users inside your network and from outside have to go through the firewall
          • Firewalling in the backbone will reduce its throughput
          • Example: the best-known firewall has an inspected throughput of 20 Gbps, while 100-400G backbone bandwidths are becoming the norm. You will slow down your backbone by ~300 Gbps just for security
        – Anycast your critical services for resiliency
          • E.g. your DNS
  29. Network Security
      • Security concepts
        – Know the normal, to know what is abnormal
          • Monitor: NMS tools, IDS tools, etc.
          • Profile your network: NetFlow
        – Share with and learn from the community
          • NOGs, APRICOT/APNIC conferences
