Successfully reported this slideshow.
Your SlideShare is downloading. ×

LKNOG3-Keynote

Oct. 08, 2019
0 likes 81 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
MyIX Updates
MyIX Updates
Loading in …3
×

Check these out next

Part1
cisconetworker
Community tools to fight against DDoS, SANOG 27
APNIC
SGNOG2 - Using communities for multihoming ISP workshop
APNIC
BGP Multihoming Techniques
APNIC
06 (IDNOG02) IPv4 Address Transfer by Wita Laksono
Indonesia Network Operators Group
RPKI: An Operator’s Implementation
MyNOG
Bgp
Raghu Kiran
Cisco Live Milan 2015 - BGP advance
Bertrand Duvivier
1 of 32 Ad

LKNOG3-Keynote

Oct. 08, 2019
0 likes 81 views

Download to read offline

Internet

LKNOG3 Keynote by Sanjaya, DDG of APNIC

LKNOG3 Keynote by Sanjaya, DDG of APNIC

Internet
Advertisement

Recommended

MyIX Updates
MyNOG
1.1k views
20 slides
Using BGP To Manage Dual Internet Connections
Rowell Dionicio
31.1k views
25 slides
How BGP Works
ThousandEyes
9.2k views
18 slides
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
151 views
27 slides
BGP persistence
Bertrand Duvivier
1.8k views
13 slides
IPv6 Deployment Update
Bangladesh Network Operators Group
440 views
18 slides
BGP
Totan Banik
466 views
14 slides
Study Notes BGP Exam
Duane Bodle
2.7k views
13 slides
Advertisement

More Related Content

Slideshows for you (20)

Part1
cisconetworker
2.2k views
Community tools to fight against DDoS, SANOG 27
APNIC
1.4k views
SGNOG2 - Using communities for multihoming ISP workshop
APNIC
758 views
BGP Multihoming Techniques
APNIC
4.3k views
06 (IDNOG02) IPv4 Address Transfer by Wita Laksono
Indonesia Network Operators Group
642 views
RPKI: An Operator’s Implementation
MyNOG
919 views
Bgp
Raghu Kiran
1.4k views
Cisco Live Milan 2015 - BGP advance
Bertrand Duvivier
14.5k views
BGP Traffic Engineering / Routing Optimisation
Andy Davidson
11.7k views
BGP Advance Technique by Steven & James
Febrian ‎
10.6k views
01 (IDNOG02) ASN distribution and interconnection in Indonesia by Sanjaya
Indonesia Network Operators Group
1.2k views
bgp(border gateway protocol)
Noor Ul Hudda Memon
1k views
APNIC Updates
MyNOG
773 views
Service Provider Architectures for Tomorrow by Chow Khay Kid
MyNOG
1.7k views
An Overview of Border Gateway Protocol (BGP)
Jasim Alam
4.1k views
Ipv6 routing
srikrishna mallavarapu
132 views
Bgp (1)
Vamsidhar Naidu
1.9k views
Bgp multihoming
ee38sp
2.8k views
Secure BGP and Operational Report of Bangladesh
Bangladesh Network Operators Group
536 views
Bgp training
Aun Haider
309 views
Part1
cisconetworker
2.2k views
101 slides
Community tools to fight against DDoS, SANOG 27
APNIC
1.4k views
29 slides
SGNOG2 - Using communities for multihoming ISP workshop
APNIC
758 views
63 slides
BGP Multihoming Techniques
APNIC
4.3k views
219 slides
06 (IDNOG02) IPv4 Address Transfer by Wita Laksono
Indonesia Network Operators Group
642 views
31 slides
RPKI: An Operator’s Implementation
MyNOG
919 views
25 slides

Similar to LKNOG3-Keynote (20)

IDNOG 2: AS interconnection in indonesia
APNIC
1.1k views
HKNOG 7.0: RPKI - it's time to start deploying it
APNIC
1.3k views
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
APNIC
385 views
TechWiseTV Workshop: Segment Routing for the Datacenter
Robb Boyd
1.3k views
IX Best Practices by Tay Chee Yong
MyNOG
5.6k views
Routing Security - its importance and status in South Asia
Bangladesh Network Operators Group
254 views
Manrs 7_sept__indonesia
NaveenLakshman
98 views
Internet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
MyNOG
1.8k views
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
MyNOG
861 views
APAN 50: RPKI industry trends and initiatives
APNIC
791 views
IPv6 Deployment: Why and Why not? - HostingCon 2013
APNIC
895 views
MANRS for Network Operators
Bangladesh Network Operators Group
40 views
IPv6 Deployment: Why and Why not?
apnic_slides
843 views
RPKI with rpki.net Tools
Bangladesh Network Operators Group
1.2k views
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
APNIC
511 views
BGP evolution -from SDN perspective
Miya Kohno
144 views
Wrou01
tanawan44
627 views
E rou01 routing_basics
tanawan44
489 views
Технологии построения крупных сетей
SkillFactory
1.5k views
Kinber ipv6-education-healthcare
Network Utility Force
806 views
IDNOG 2: AS interconnection in indonesia
APNIC
1.1k views
43 slides
HKNOG 7.0: RPKI - it's time to start deploying it
APNIC
1.3k views
36 slides
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
APNIC
385 views
37 slides
TechWiseTV Workshop: Segment Routing for the Datacenter
Robb Boyd
1.3k views
41 slides
IX Best Practices by Tay Chee Yong
MyNOG
5.6k views
22 slides
Routing Security - its importance and status in South Asia
Bangladesh Network Operators Group
254 views
25 slides
Advertisement

Recently uploaded (20)

Polygon vs Ethereum.pdf
Techugo
0 views
Outside photo shoot with Anthony Locke Media Management
Anthony Locke
0 views
The research paper will be on Rostov Ripper Provide a.docx
scottharry3
2 views
Where a firm intends to build its facilities is of.docx
scottharry3
2 views
Prime Numbers.pptx
JoseBermudez356997
2 views
There are several efforts directed at teenagers that try to.docx
4934bk
2 views
Please turn in an assessment paper about the occupational hazards.docx
studywriters
0 views
The term big data refers to the vast amounts of.docx
4934bk
2 views
wright a 3 to 4 page reflection on brene brown.docx
write4
0 views
Week 7 Discussion Supply Chain Security For your initial discuss.docx
scottharry3
2 views
Post summary of Jones Thomas Schwarzbaum Section chapter 5 Sto.docx
4934bk
2 views
Internet Safety
AlvinDawod1
0 views
Your fourth milestone submission should address the following.docx
4934bk
2 views
slide the topic was chosen your topic impacts nursing practi.docx
studywriters
2 views
This assignment is designed to assist you to begin to.docx
scottharry3
0 views
Blockchain in PSU v1.pdf
SwapnilSaurav7
0 views
Use the book Rotten English edited by DOHRA AHMAD you.docx
4934bk
2 views
This essay is an argument Only pages and the detailed.docx
sdfghj21
2 views
What does these quotes mean to you Why do you.docx
4934bk
2 views
Students will investigate i.docx
scottharry3
2 views
Polygon vs Ethereum.pdf
Techugo
0 views
6 slides
Outside photo shoot with Anthony Locke Media Management
Anthony Locke
0 views
1 slide
The research paper will be on Rostov Ripper Provide a.docx
scottharry3
2 views
1 slide
Where a firm intends to build its facilities is of.docx
scottharry3
2 views
1 slide
Prime Numbers.pptx
JoseBermudez356997
2 views
10 slides
There are several efforts directed at teenagers that try to.docx
4934bk
2 views
1 slide

LKNOG3-Keynote

  1. 1. Strengthening the Internet Infrastructure in Sri Lanka LKNOG 3 – Colombo, 2 October 2019 Sanjaya Deputy Director General – APNIC
  2. 2. Overview • Internet infrastructure • Criteria for a strong Internet infrastructure – Robust network ecosystem – Adoption of network operations best practices • Internet Infrastructure in Sri Lanka • Network operations best practices
  3. 3. About the Internet • The Internet is an interconnecting networks – “the network of networks” • Every device on the Internet requires an address (IP address) so it can be found by other devices to send and receive data • IPv4: 66.220.144.0 • IPv6: 2a03:2880:11:2f83:face:b00c:0:25de • Independent networks manage their own IP address space, and interconnect with other networks using BGP and Autonomous System Numbers (ASN)
  4. 4. Internet Infrastructure Backbone
  5. 5. Who operate these networks? Current industry mix in AP region. Other regions may vary September 2019 Internet service provider (ISP) Hosting/Data centre Telecommunications/Mobile operator Enterprise/Manufacturing/Retail Banking/Financial Academic/Educational/Research Software vendor Government/Regulator/Municipality Media/Entertainment Industrial (construction, mining, oil) Infrastructure (transport/hospital) Non-profit/NGO/Internet community Other Internet exchange point (IXP) Hardware vendor Domain name registry/Registrar
  6. 6. What does the Internet look like? • Networks worldwide interconnect to form the Internet. They include ISPs, Data Centres, Internet Exchange Points, Universities, Corporate networks, etc. • Each dot represents an AS • There are 65,000+ ASNs currently active in the Internet Credit: Cogeco Peer 1
  7. 7. Global ASN interconnection
  8. 8. Strong Internet Infrastructure • A healthy ecosystem of inter-dependent networks – Service providers • Telcos, International Gateways, ISPs, Data Center/Cloud providers, Content Delivery Networks, Media, Applications etc. – Consumer & corporate networks • Consumers: Mobile phones, Public WiFi, Home networks • Corporate: Office, building, campus, branch, plant, sensor networks • Network operations best practices – Adopted by all types of network
  9. 9. Networks in Sri Lanka https://stats.apnic.net/vizas/#LK
  10. 10. How does it compare with other economies?
  11. 11. By population https://en.wikipedia.org/wiki/List_of_countries_by_population_(United_Nations) – 23 Sep 2019 United Nations, World Population Prospects, 2019 revision
  12. 12. By GDP (purchasing power parity) https://en.wikipedia.org/wiki/List_of_countries_by_GDP_(PPP) – 23 Sep 2019 IMF 2019 estimates
  13. 13. SAARC https://en.wikipedia.org/wiki/South_Asian_Association_for_Regional_Cooperation – 23 Sep 2019
  14. 14. Sri Lanka Internet ecosystem • Plenty of opportunity to grow in numbers and types of – Service Providers – Consumer & Corporate networks
  15. 15. Network operations best practices • Number Registry • Internet Routing • Network Security
  16. 16. Number Registry • Internet number resource management • Accurate and updated public records (Whois/RDAP) – APNIC delegation – Customer delegation • Responsive IRT (Incident Response Team) contacts • Reverse DNS management • Awareness and compliance to policies
  17. 17. Internet Routing • Peering – Peer with as many networks (ISPs, CDNs, etc) as you can – Keep local traffic local to improve end user experience • You IPv6 peering should be a mirror of your IPv4 peering (where possible)
  18. 18. Internet Routing • BGP session – for every peer/transit – Enable BGP TTL security (RFC 5082 – Generalized TTL Security Mechanism) – At least enable BGP MD5 Auth where your router OSes don’t support TCP AO (RFC 5925 TCP Authentication Option)
  19. 19. Internet Routing • BGP announcement – Announce your aggregates – Announce more specifics only where you have traffic engineering needs • Ex - If you have a /18, it is fine to announce 4x/20s or 8 x/21s based on the number of uplinks you have …. But • There is NO need to de-aggregate down to 64x/24s!
  20. 20. Internet Routing • BGP filtering – Prefix filters • For both Inbound/Outbound announcements • Set maximum prefix limit for routes received from your peers • Do not accept bogons or your own prefixes! – AS PATH filters • Do not announce/accept private ASNs (BGP customers may use private ASNs, but strip it before announcing their routes to peers and upstreams) • Enforce the first ASN in the AS_PATH to be your direct peer (bgp enforce- first-as) • Limit AS_PATH length for prefixes you receive (Current average path is about 5~7 ASNs deep)
  21. 21. Internet Routing • BGP filtering – Filter inbound announcements using RPKI ROAs • Create and publish your ROAs (Route Origin Authorizations) • Ask your downstream/peers to create ROAs for their resources • Use BGP ROV (Route Origin Validation) for ROA based filtering (e.g. drop invalid ROAs)
  22. 22. Internet Routing • BGP behavior – Change from default permit to default reject to prevent route leaks – RFC 8212 • Currently only supported IOS-XR (all versions), BIRD (2.0.1 onwards), SR-OS (19.5.1 onwards), OpenBGPD (6.4 onwards) • Push your vendors! – If your OS does not support it • Shut the BGP session with the peer (group) during configuration • Define and apply explicit export and import policies to the eBGP peers • Then no-shut the BGP session
  23. 23. Network Security • DNSSEC (forward and reverse DNS) • MANRS (Mutually Agreed Norms for Routing Security) – BCP 46: Recommended Internet Service Provider Security Services and Procedures – BCP 38: Network Ingress Filtering – IRR • RPKI & its applications – Digital certificates – ROA – RTA
  24. 24. Network Security • DNS – DNSSEC for integrity – Last mile features like DoH/DoT for privacy – Aggressive NSEC caching to prevent DOS attacks against authoritative servers – Passive DNS
  25. 25. Network Security • Traffic filtering – BCP38 (RFC 2827) – ingress filtering • Strict uRPF is the norm – BCP84 (RFC 3704) – ingress filtering for multihomed networks • Loose uRPF is the norm
  26. 26. Network Security • Traffic filtering – IPv6 specific – Extension Headers are dangerous • But if you drop fragments, things like DNSSEC breaks – Recommendation: • Drop IPv6 fragments that that do not have upper-layer headers in the first fragment (RFC 7112/RFC 8200) • Drop fragments destined for your network nodes (but allow fragments to end users)
  27. 27. Network Security • Traffic filtering – IPv6 specific – Filtering ICMPv6 will break IPv6 • Rate limit ICMPv6 instead of dropping them! – Do what you did for IPv4 traffic with IPv6 traffic • ACLs/filters • Harden hosts and applications • Use crypto protections where necessary/critical
  28. 28. Network Security • Security concepts – Always start with zero-trust – Put your firewalls closer to or in front of your services (not in the network backbone or at the network perimeter) • Users inside your network and from outside have to go through the firewall • Firewalling in the backbone will reduce its throughput • Ex: The best-known firewall has an inspected throughput of 20Gbps, while 100-400G backbone bandwidths are becoming a norm. You will slow down your backbone by ~300Gbps just for security – Anycast your critical services for resiliency • E.g. your DNS
  29. 29. Network Security • Security concepts – Know the normal, to know what is abnormal • Monitor – NMS tools, IDS tools, etc – Profile your network • Netflow – Share and Learn from the community • NOGs, APRICOT/APNIC conferences

×