This document discusses how multi-homing and RPKI can provide robust and secure internet connections. It explains that multi-homing with BGP allows networks to direct traffic through the most cost effective connections, improving resilience and performance. RPKI helps secure BGP routing by preventing route hijacking and mis-origination through the use of Route Origin Authorizations (ROAs) and an RPKI validator. ROAs authorize which ASNs can originate which IP prefixes. The validator checks BGP updates against ROAs to label routes as valid, invalid, or not found. This validation information can then be used to define routing policies.
Fighting against DDoS, especially with volumetric attacks, is always challenging for an ISP or transit provider. There isn't any single solution which helps us to filter out bad traffic; it requires collaboration with upstream and related organizations. Besides this, finding out the target is also time consuming, which is where most of the providers struggle. In this presentation I talk about my experience implementing a few community-based efforts which help me to better fight against volumetric DDoS attacks.
4. Routing and ASNs
• RFC 1930:
– An AS (Autonomous System) is a connected group of one or more IP prefixes run by one or more network operators that has a SINGLE and CLEARLY DEFINED routing policy.
– An AS has a globally unique number (sometimes referred to as an ASN, or Autonomous System Number) associated with it. This number is used in both the exchange of exterior routing information (between neighbouring ASes), and as an identifier of the AS itself.
Source - https://tools.ietf.org/html/rfc1930
5. Connecting to the Internet
[Diagram: two example networks, each announcing 202.178.112.0/24 and 2400:3E00:DD::/48 to their upstream(s)]
• Multi-homed network (more than one upstream): MAY have a need for a public ASN
• Single-homed network (one upstream): No need for public ASN
6. Why multi-home with BGP and use a public ASN?
• Cost: A good interconnection strategy can lower cost of operation by directing traffic through the most cost effective connections wherever possible
• Resilience: Looking further than next hop path diversification allows you to better evaluate interconnection options, which in turn could result in better network resiliency
• Performance: Understanding where your network traffic goes and, when possible, shortening of the path to your main customers/suppliers/partners could result in better overall network experience
13. Fat-fingers/Hijacks/Leaks
• 13,935 total incidents in 2017 (either outages or attacks like route leaks and hijacks)
• Over 10% of all ASes on the Internet were affected
• 38% were considered routing attacks
• 3,106 ASes were a victim of at least one routing incident
• 1,546 networks caused at least one incident
Source : https://bgpstream.com/
14. Fat-fingers/Hijacks/Leaks
[Diagram: a hijack by more-specific announcement. A user asks the resolver (10.0.0.1) "What is the IP of www.mybank.com". The bank's space 198.51.100.x is announced by the legitimate holder with a less specific route (eg: /20) and by a hijacker with a more specific route (eg: /24), which wins longest-prefix match. The query "What is the IP for Mybank?" is therefore answered from the hijacked space: "Mybank is 203.0.113.1". The user connects to 203.0.113.1 and sends "Hi MyBank, My username and password is..".]
15. How do we address these…
• Let the world know what ASNs are authorized to announce your IP prefixes
• Check if you are announcing authorized prefixes
17. Benefits of RPKI
• Prevents route hijacking
– A prefix originated by an AS without authorization
– Reason: malicious intent
• Prevents mis-origination
– A prefix that is mistakenly originated by an AS which does not own it
– Also route leakage
– Reason: configuration mistakes/fat-finger
19. RPKI profile
• Resource certificates are based on the X.509 v3 certificate format (RFC 5280)
• Extended by RFC 3779 – binds a list of resources (IPv4/v6, ASNs) to the subject of the certificate
• SIA (Subject Information Access) contains a URI that references the directory where it is published
[Diagram: an X.509 cert issued by a CA, carrying the RFC 3779 extension (IP resources: addr & ASN), the SIA (URI where this publishes) and the owner's public key; signed by the parent's PRIVATE key]
20. ROA — Route Origin Authorization
• A digitally signed object that contains a list of address prefixes and the nominated ASN
• It is an authority created by a prefix holder to authorize an ASN to originate one or more prefixes
– Which can be verified cryptographically using RPKI
• Multiple ROAs can exist for the same prefix
Example ROA:
Prefix     203.176.32.0/19
Max-length /24
Origin ASN AS17821
23. Some other ways to check ROAs
# whois -h rr.ntt.net 2001:df2:ee00::/48
route6: 2001:df2:ee00::/48
descr: RPKI ROA for 2001:df2:ee00::/48
remarks: This route object represents routing data retrieved from the RPKI
remarks: The original data can be found here: https://rpki.gin.ntt.net/r/AS131107/2001:df2:ee00::/48
remarks: This route object is the result of an automated RPKI-to-IRR conversion process.
remarks: maxLength 48
origin: AS131107
mnt-by: MAINT-JOB
changed: job@ntt.net 20180802
source: RPKI # Trust Anchor: APNIC RPKI Root
24. Some other ways to check ROAs
# whois -h whois.bgpmon.net 2001:df2:ee00::/48
Prefix: 2001:df2:ee00::/48
Prefix description: APNICTRAINING-DC
Country code: AU
Origin AS: 131107
Origin AS Name: APNICTRAINING LAB DC
RPKI status: ROA validation successful
First seen: 2016-06-30
Last seen: 2018-01-21
Seen by #peers: 97
# whois -h whois.bgpmon.net "--roa 131107 2001:df2:ee00::/48"
------------------------
ROA Details
------------------------
Origin ASN: AS131107
Not valid Before: 2016-09-07 02:10:04
Not valid After: 2020-07-30 00:00:00 Expires in 2y190d9h34m23.2000000029802s
Trust Anchor: rpki.apnic.net
Prefixes: 2001:df2:ee00::/48 (max length /48)
202.125.96.0/24 (max length /24)
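The route6 object on slide 23 is an RPSL object generated by NTT's RPKI-to-IRR conversion: the only things that distinguish it from an ordinary, self-asserted IRR route object are its "source: RPKI" attribute and the "maxLength" remark. The following parser is an added example, not part of the presentation or of NTT's tooling; it embeds the slide's own whois output plus one constructed non-RPKI object for contrast, extracts the (prefix, origin, maxLength) triple, and refuses to treat anything that is not "source: RPKI" as ROA-backed.

```python
"""Parse RPKI-to-IRR route objects (RPSL) into ROA triples. Added example."""
import re

# Verbatim from the slide: whois -h rr.ntt.net 2001:df2:ee00::/48
NTT_ROUTE6_OBJECT = """\
route6: 2001:df2:ee00::/48
descr: RPKI ROA for 2001:df2:ee00::/48
remarks: This route object represents routing data retrieved from the RPKI
remarks: The original data can be found here: https://rpki.gin.ntt.net/r/AS131107/2001:df2:ee00::/48
remarks: This route object is the result of an automated RPKI-to-IRR conversion process.
remarks: maxLength 48
origin: AS131107
mnt-by: MAINT-JOB
changed: job@ntt.net 20180802
source: RPKI # Trust Anchor: APNIC RPKI Root
"""

# Constructed ordinary IRR object (not from the page): self-asserted, no ROA behind it.
PLAIN_IRR_OBJECT = """\
route6: 2001:db8::/32
descr: example self-asserted route object
origin: AS64496
mnt-by: MAINT-EXAMPLE
source: EXAMPLEDB
"""

MAXLEN_RE = re.compile(r"\bmaxLength\s+(\d+)")


def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values]}.

    Attributes may repeat (several 'remarks:' lines), so every value is kept
    in a list. '#' starts an RPSL comment; comment text is collected under
    '_comments' because NTT puts the trust anchor name there.
    """
    obj, comments = {}, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        body, _, comment = raw.partition("#")
        if comment.strip():
            comments.append(comment.strip())
        if not body.strip():
            continue
        key, sep, value = body.partition(":")   # first ':' only; IPv6 values keep theirs
        if not sep:
            raise ValueError(f"not an RPSL attribute line: {raw!r}")
        obj.setdefault(key.strip(), []).append(value.strip())
    if comments:
        obj["_comments"] = comments
    return obj


def roa_from_irr_object(obj):
    """Return (prefix, origin_as, max_length) for an RPKI-derived route/route6
    object, or None for any other IRR object. Only 'source: RPKI' objects are
    backed by a validated ROA; a self-asserted object proves nothing."""
    if obj.get("source", [""])[0].upper() != "RPKI":
        return None
    prefix = (obj.get("route6") or obj.get("route"))[0]
    origin = obj["origin"][0]
    max_length = None
    for remark in obj.get("remarks", []):
        m = MAXLEN_RE.search(remark)
        if m:
            max_length = int(m.group(1))
    if max_length is None:
        # A ROA without an explicit maxLength authorizes only the exact length.
        max_length = int(prefix.rsplit("/", 1)[1])
    return prefix, origin, max_length


if __name__ == "__main__":
    print(roa_from_irr_object(parse_rpsl(NTT_ROUTE6_OBJECT)))   # ('2001:df2:ee00::/48', 'AS131107', 48)
    print(roa_from_irr_object(parse_rpsl(PLAIN_IRR_OBJECT)))    # None
```

The check on "source" is the point of the example: IRR mirrors carry both RPKI-derived and operator-entered objects side by side, so a tool that builds filters from IRR data should keep track of which objects are actually attested by a ROA.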
29. Origin validation
• Router gets ROA information from the RPKI cache
– Crypto is stripped (by the validator)
• The BGP process will check each received BGP update against the ROA information and label it
– Valid
– Invalid
– Not Found
30. RPKI states
ROA => Origin AS 65420, Prefix 10.0.0.0/16, Max Length /18
VALID   AS65420 10.0.0.0/16
VALID   AS65420 10.0.128.0/17
INVALID AS65421 10.0.0.0/16
INVALID AS65420 10.0.10.0/24
UNKNOWN AS65430 10.0.0.0/8
31. Policies based on validation
• Define your policy based on the validation state
– Do nothing (observe)
– Tag (BGP communities)
– Modify preference values
• RFC 7115
– Drop invalid announcements (paranoid!)
• Invalid - but verify against other databases (IRR whois)
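Slides 29 to 31 describe what the router does with the validated cache: label each update valid, invalid or not found, then act on the label. The following is an added example, not code from the presentation: a Python implementation of the RFC 6811 origin-validation rule run over slide 30's own ROA and five announcements, the slide 14 hijack scenario, and a policy step in the spirit of slide 31. The community values (65000:1/2/3), local-pref numbers, the /20 prefix 198.51.96.0/20 (chosen to cover the slide's 198.51.100.x) and the ASNs 64496 and 64511 (documentation ASNs, RFC 5398) are constructed for the example.

```python
"""Route Origin Validation (RFC 6811) and validation-state policy. Added example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One ROA as the router sees it after the validator has stripped the crypto:
    only (prefix, maxLength, origin AS) remain."""
    prefix: str
    max_length: int
    origin_as: int


def covering_roas(roas, announced):
    """ROAs whose prefix covers the announced prefix (same address family)."""
    net = ipaddress.ip_network(announced)
    return [r for r in roas
            if ipaddress.ip_network(r.prefix).version == net.version
            and net.subnet_of(ipaddress.ip_network(r.prefix))]


def rov_state(roas, announced, origin_as):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement.

    RFC 6811: no covering ROA -> not-found. At least one covering ROA whose
    origin AS matches AND whose maxLength >= the announced length -> valid.
    Otherwise invalid. Several ROAs may cover one prefix; one match suffices.
    """
    covering = covering_roas(roas, announced)
    if not covering:
        return "not-found"
    plen = ipaddress.ip_network(announced).prefixlen
    for roa in covering:
        if roa.origin_as == origin_as and plen <= roa.max_length:
            return "valid"
    return "invalid"


# Slide 30's sample ROA and announcements (expected states in the comments).
SLIDE_ROAS = [ROA("10.0.0.0/16", 18, 65420)]
SLIDE_ANNOUNCEMENTS = [
    ("10.0.0.0/16", 65420),    # valid
    ("10.0.128.0/17", 65420),  # valid: /17 is within maxLength /18
    ("10.0.0.0/16", 65421),    # invalid: wrong origin AS
    ("10.0.10.0/24", 65420),   # invalid: /24 exceeds maxLength /18
    ("10.0.0.0/8", 65430),     # not-found: no ROA covers the /8
]


def slide30_states(roas=SLIDE_ROAS, announcements=SLIDE_ANNOUNCEMENTS):
    return [(prefix, asn, rov_state(roas, prefix, asn)) for prefix, asn in announcements]


# Slide 14 scenario, constructed numbers: the holder (AS64496) announces a /20
# and registers a ROA with maxLength /20. A more-specific /24 from AS64511 would
# win longest-prefix match in plain BGP, but ROV marks it invalid.
HIJACK_ROAS = [ROA("198.51.96.0/20", 20, 64496)]


def slide14_hijack():
    legit = rov_state(HIJACK_ROAS, "198.51.96.0/20", 64496)
    more_specific = rov_state(HIJACK_ROAS, "198.51.100.0/24", 64511)
    return legit, more_specific


# Slide 31 policy knobs (constructed values): tag every route with its state,
# prefer valid, de-prefer invalid, and optionally drop invalid.
TAG_COMMUNITY = {"valid": "65000:1", "not-found": "65000:2", "invalid": "65000:3"}
LOCAL_PREF = {"valid": 110, "not-found": 100, "invalid": 90}


def apply_policy(route, roas, drop_invalid=False):
    """Return a copy of the route with community tag and local-pref applied,
    or None when the policy drops it. route = {"prefix": ..., "origin_as": ...}."""
    state = rov_state(roas, route["prefix"], route["origin_as"])
    if drop_invalid and state == "invalid":
        return None
    result = dict(route)
    result["rov"] = state
    result["communities"] = list(route.get("communities", [])) + [TAG_COMMUNITY[state]]
    result["local_pref"] = LOCAL_PREF[state]
    return result


if __name__ == "__main__":
    for prefix, asn, state in slide30_states():
        print(f"{state:9} AS{asn} {prefix}")
    print(slide14_hijack())
    print(apply_policy({"prefix": "10.0.10.0/24", "origin_as": 65420}, SLIDE_ROAS))
```

Two things the run makes visible that the slide table does not: the /8 is "not-found" rather than "invalid" because a ROA only speaks for prefixes it covers, and the slide 14 /24 is rejected even though it would otherwise be preferred by longest-prefix match, which is why keeping maxLength no longer than what you actually announce matters.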
32. Further reading on RPKI
• RFC 5280: X.509 PKI certificates
• RFC 3779: Extensions for IP addresses and ASNs
• RFC 6481-6493: Resource Public Key Infrastructure
By the end of 2017, BGPStream reported close to 40000 routing incidents, which affected 10% of all AS numbers on the Internet.
Note that 38% of these incidents had the characteristics of a routing attack, that is a hijack or a leak.
If you have been following Internet security news, you might know some of the well known organizations which were affected.
Earlier this year, Amazon Route 53 DNS services were attacked; at the end of last year, Google Japan routes were leaked, causing significant delays.
Looking back a few years, YouTube was also a victim due to a route leak in Pakistan.
If you are providing services which include sensitive data, it is possible that someone is looking at the vulnerabilities in your systems, including your routing.
• The validator gathers all ROAs from the distributed RPKI database.
• It validates each entry's signature (validated cache).
• The validator forwards the ROAs in the validated cache to the router through the RPKI-to-Router protocol, with the crypto certificates removed.
• The router periodically checks the validator (refresh) for any changes to the ROAs.
Relying Parties can configure a locally managed cache of the distributed RPKI repository and collect the set of valid ROAs [rcynic]. They can then, via the dedicated RPKI cache-to-router protocol [rpki-rtr], maintain, on a set of “client” routers the set of address prefix/originating AS authorities that are described in valid ROAs. This information can be used by the BGP-speaking router as an input to the local route decision process.