SlideShare a Scribd company logo
1 of 32
Download to read offline
Strengthening the Internet
Infrastructure in Sri Lanka
LKNOG 3 – Colombo, 2 October 2019
Sanjaya
Deputy Director General – APNIC
Overview
• Internet infrastructure
• Criteria for a strong Internet infrastructure
– Robust network ecosystem
– Adoption of network operations best practices
• Internet Infrastructure in Sri Lanka
• Network operations best practices
About the Internet
• The Internet is an interconnecting networks – “the network of
networks”
• Every device on the Internet requires an address (IP address)
so it can be found by other devices to send and receive data
• IPv4: 66.220.144.0
• IPv6: 2a03:2880:11:2f83:face:b00c:0:25de
• Independent networks manage their own IP address space,
and interconnect with other networks using BGP and
Autonomous System Numbers (ASN)
Internet Infrastructure
Backbone
Who operate these networks?
Current industry mix in AP region. Other regions may vary
September 2019
Internet service provider (ISP)
Hosting/Data centre
Telecommunications/Mobile operator
Enterprise/Manufacturing/Retail
Banking/Financial
Academic/Educational/Research
Software vendor
Government/Regulator/Municipality
Media/Entertainment
Industrial (construction, mining, oil)
Infrastructure (transport/hospital)
Non-profit/NGO/Internet community
Other
Internet exchange point (IXP)
Hardware vendor
Domain name registry/Registrar
What does the Internet look like?
• Networks worldwide
interconnect to form the
Internet. They include ISPs,
Data Centres, Internet
Exchange Points,
Universities, Corporate
networks, etc.
• Each dot represents an AS
• There are 65,000+ ASNs
currently active in the
Internet
Credit: Cogeco Peer 1
Global ASN interconnection
Strong Internet Infrastructure
• A healthy ecosystem of inter-dependent networks
– Service providers
• Telcos, International Gateways, ISPs, Data Center/Cloud providers, Content
Delivery Networks, Media, Applications etc.
– Consumer & corporate networks
• Consumers: Mobile phones, Public WiFi, Home networks
• Corporate: Office, building, campus, branch, plant, sensor networks
• Network operations best practices
– Adopted by all types of network
Networks in Sri Lanka
https://stats.apnic.net/vizas/#LK
How does it compare with other
economies?
By population
https://en.wikipedia.org/wiki/List_of_countries_by_population_(United_Nations) – 23 Sep 2019
United Nations, World Population Prospects, 2019 revision
By GDP (purchasing power parity)
https://en.wikipedia.org/wiki/List_of_countries_by_GDP_(PPP) – 23 Sep 2019
IMF 2019 estimates
SAARC
https://en.wikipedia.org/wiki/South_Asian_Association_for_Regional_Cooperation – 23 Sep 2019
Sri Lanka Internet ecosystem
• Plenty of opportunity to grow in numbers and types of
– Service Providers
– Consumer & Corporate networks
Network operations best practices
• Number Registry
• Internet Routing
• Network Security
Number Registry
• Internet number resource management
• Accurate and updated public records (Whois/RDAP)
– APNIC delegation
– Customer delegation
• Responsive IRT (Incident Response Team) contacts
• Reverse DNS management
• Awareness and compliance to policies
Internet Routing
• Peering
– Peer with as many networks (ISPs, CDNs, etc) as you can
– Keep local traffic local to improve end user experience
• You IPv6 peering should be a mirror of your IPv4 peering (where possible)
Internet Routing
• BGP session – for every peer/transit
– Enable BGP TTL security (RFC 5082 – Generalized TTL Security
Mechanism)
– At least enable BGP MD5 Auth where your router OSes don’t support
TCP AO (RFC 5925 TCP Authentication Option)
Internet Routing
• BGP announcement
– Announce your aggregates
– Announce more specifics only where you have traffic engineering
needs
• Ex - If you have a /18, it is fine to announce 4x/20s or 8 x/21s based on the number
of uplinks you have …. But
• There is NO need to de-aggregate down to 64x/24s!
Internet Routing
• BGP filtering
– Prefix filters
• For both Inbound/Outbound announcements
• Set maximum prefix limit for routes received from your peers
• Do not accept bogons or your own prefixes!
– AS PATH filters
• Do not announce/accept private ASNs (BGP customers may use private ASNs, but
strip it before announcing their routes to peers and upstreams)
• Enforce the first ASN in the AS_PATH to be your direct peer (bgp enforce-
first-as)
• Limit AS_PATH length for prefixes you receive (Current average path is about 5~7
ASNs deep)
Internet Routing
• BGP filtering
– Filter inbound announcements using RPKI ROAs
• Create and publish your ROAs (Route Origin Authorizations)
• Ask your downstream/peers to create ROAs for their resources
• Use BGP ROV (Route Origin Validation) for ROA based filtering (e.g. drop invalid
ROAs)
Internet Routing
• BGP behavior
– Change from default permit to default reject to prevent route leaks
– RFC 8212
• Currently only supported IOS-XR (all versions), BIRD (2.0.1 onwards), SR-OS
(19.5.1 onwards), OpenBGPD (6.4 onwards)
• Push your vendors!
– If your OS does not support it
• Shut the BGP session with the peer (group) during configuration
• Define and apply explicit export and import policies to the eBGP peers
• Then no-shut the BGP session
Network Security
• DNSSEC (forward and reverse DNS)
• MANRS (Mutually Agreed Norms for Routing Security)
– BCP 46: Recommended Internet Service Provider Security Services and
Procedures
– BCP 38: Network Ingress Filtering
– IRR
• RPKI & its applications
– Digital certificates
– ROA
– RTA
Network Security
• DNS
– DNSSEC for integrity
– Last mile features like DoH/DoT for privacy
– Aggressive NSEC caching to prevent DOS attacks against
authoritative servers
– Passive DNS
Network Security
• Traffic filtering
– BCP38 (RFC 2827) – ingress filtering
• Strict uRPF is the norm
– BCP84 (RFC 3704) – ingress filtering for multihomed networks
• Loose uRPF is the norm
Network Security
• Traffic filtering – IPv6 specific
– Extension Headers are dangerous
• But if you drop fragments, things like DNSSEC breaks
– Recommendation:
• Drop IPv6 fragments that that do not have upper-layer headers in the first fragment
(RFC 7112/RFC 8200)
• Drop fragments destined for your network nodes (but allow fragments to end users)
Network Security
• Traffic filtering – IPv6 specific
– Filtering ICMPv6 will break IPv6
• Rate limit ICMPv6 instead of dropping them!
– Do what you did for IPv4 traffic with IPv6 traffic
• ACLs/filters
• Harden hosts and applications
• Use crypto protections where necessary/critical
Network Security
• Security concepts
– Always start with zero-trust
– Put your firewalls closer to or in front of your services (not in the network
backbone or at the network perimeter)
• Users inside your network and from outside have to go through the firewall
• Firewalling in the backbone will reduce its throughput
• Ex: The best-known firewall has an inspected throughput of 20Gbps, while 100-400G
backbone bandwidths are becoming a norm. You will slow down your backbone by
~300Gbps just for security
– Anycast your critical services for resiliency
• E.g. your DNS
Network Security
• Security concepts
– Know the normal, to know what is abnormal
• Monitor – NMS tools, IDS tools, etc
– Profile your network
• Netflow
– Share and Learn from the community
• NOGs, APRICOT/APNIC conferences

More Related Content

What's hot

BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & James
Febrian ‎
 
An Overview of Border Gateway Protocol (BGP)
An Overview of Border Gateway Protocol (BGP)An Overview of Border Gateway Protocol (BGP)
An Overview of Border Gateway Protocol (BGP)
Jasim Alam
 
Bgp multihoming
Bgp multihomingBgp multihoming
Bgp multihoming
ee38sp
 

What's hot (20)

Part1
Part1Part1
Part1
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
SGNOG2 - Using communities for multihoming ISP workshop
SGNOG2 - Using communities for multihoming ISP workshopSGNOG2 - Using communities for multihoming ISP workshop
SGNOG2 - Using communities for multihoming ISP workshop
 
BGP Multihoming Techniques
BGP Multihoming TechniquesBGP Multihoming Techniques
BGP Multihoming Techniques
 
06 (IDNOG02) IPv4 Address Transfer by Wita Laksono
06 (IDNOG02) IPv4 Address Transfer by Wita Laksono06 (IDNOG02) IPv4 Address Transfer by Wita Laksono
06 (IDNOG02) IPv4 Address Transfer by Wita Laksono
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s Implementation
 
Bgp
BgpBgp
Bgp
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing Optimisation
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & James
 
01 (IDNOG02) ASN distribution and interconnection in Indonesia by Sanjaya
01 (IDNOG02) ASN distribution and interconnection in Indonesia by Sanjaya 01 (IDNOG02) ASN distribution and interconnection in Indonesia by Sanjaya
01 (IDNOG02) ASN distribution and interconnection in Indonesia by Sanjaya
 
bgp(border gateway protocol)
bgp(border gateway protocol)bgp(border gateway protocol)
bgp(border gateway protocol)
 
APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC Updates
 
Service Provider Architectures for Tomorrow by Chow Khay Kid
Service Provider Architectures for Tomorrow by Chow Khay KidService Provider Architectures for Tomorrow by Chow Khay Kid
Service Provider Architectures for Tomorrow by Chow Khay Kid
 
An Overview of Border Gateway Protocol (BGP)
An Overview of Border Gateway Protocol (BGP)An Overview of Border Gateway Protocol (BGP)
An Overview of Border Gateway Protocol (BGP)
 
Ipv6 routing
Ipv6 routingIpv6 routing
Ipv6 routing
 
Bgp (1)
Bgp (1)Bgp (1)
Bgp (1)
 
Bgp multihoming
Bgp multihomingBgp multihoming
Bgp multihoming
 
Secure BGP and Operational Report of Bangladesh
Secure BGP and Operational Report of BangladeshSecure BGP and Operational Report of Bangladesh
Secure BGP and Operational Report of Bangladesh
 
Bgp training
Bgp trainingBgp training
Bgp training
 

Similar to LKNOG3-Keynote

TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
Robb Boyd
 
E rou01 routing_basics
E rou01 routing_basicsE rou01 routing_basics
E rou01 routing_basics
tanawan44
 

Similar to LKNOG3-Keynote (20)

IDNOG 2: AS interconnection in indonesia
IDNOG 2: AS interconnection in indonesiaIDNOG 2: AS interconnection in indonesia
IDNOG 2: AS interconnection in indonesia
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
 
IX Best Practices by Tay Chee Yong
IX Best Practices by Tay Chee YongIX Best Practices by Tay Chee Yong
IX Best Practices by Tay Chee Yong
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
 
Manrs 7_sept__indonesia
Manrs  7_sept__indonesiaManrs  7_sept__indonesia
Manrs 7_sept__indonesia
 
Internet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
Internet Measurement Tools & Their Usefulness by Gaurab Raj UpadhayaInternet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
Internet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
 
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project  by Shaowen MaCloud Traffic Engineer – Google Espresso Project  by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
IPv6 Deployment: Why and Why not? - HostingCon 2013
IPv6 Deployment: Why and Why not? - HostingCon 2013IPv6 Deployment: Why and Why not? - HostingCon 2013
IPv6 Deployment: Why and Why not? - HostingCon 2013
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
IPv6 Deployment: Why and Why not?
IPv6 Deployment: Why and Why not?IPv6 Deployment: Why and Why not?
IPv6 Deployment: Why and Why not?
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 
BGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveBGP evolution -from SDN perspective
BGP evolution -from SDN perspective
 
Wrou01
Wrou01Wrou01
Wrou01
 
E rou01 routing_basics
E rou01 routing_basicsE rou01 routing_basics
E rou01 routing_basics
 
Технологии построения крупных сетей
Технологии построения крупных сетейТехнологии построения крупных сетей
Технологии построения крупных сетей
 
Kinber ipv6-education-healthcare
Kinber ipv6-education-healthcareKinber ipv6-education-healthcare
Kinber ipv6-education-healthcare
 

Recently uploaded

一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
Fir
 
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
apekaom
 
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
AS
 
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
ZurliaSoop
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
F
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样
A
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
AS
 
一比一原版罗切斯特大学毕业证如何办理
一比一原版罗切斯特大学毕业证如何办理一比一原版罗切斯特大学毕业证如何办理
一比一原版罗切斯特大学毕业证如何办理
F
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
AS
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理
AS
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
A
 
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
AS
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
AS
 
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
Obat Cytotec
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
AS
 
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
AS
 

Recently uploaded (20)

一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
 
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
 
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
 
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic ManagementBeyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdf
 
一比一原版罗切斯特大学毕业证如何办理
一比一原版罗切斯特大学毕业证如何办理一比一原版罗切斯特大学毕业证如何办理
一比一原版罗切斯特大学毕业证如何办理
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
 
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
 
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
 
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
 

LKNOG3-Keynote

  • 1. Strengthening the Internet Infrastructure in Sri Lanka LKNOG 3 – Colombo, 2 October 2019 Sanjaya Deputy Director General – APNIC
  • 2. Overview • Internet infrastructure • Criteria for a strong Internet infrastructure – Robust network ecosystem – Adoption of network operations best practices • Internet Infrastructure in Sri Lanka • Network operations best practices
  • 3. About the Internet • The Internet is an interconnecting networks – “the network of networks” • Every device on the Internet requires an address (IP address) so it can be found by other devices to send and receive data • IPv4: 66.220.144.0 • IPv6: 2a03:2880:11:2f83:face:b00c:0:25de • Independent networks manage their own IP address space, and interconnect with other networks using BGP and Autonomous System Numbers (ASN)
  • 5. Who operate these networks? Current industry mix in AP region. Other regions may vary September 2019 Internet service provider (ISP) Hosting/Data centre Telecommunications/Mobile operator Enterprise/Manufacturing/Retail Banking/Financial Academic/Educational/Research Software vendor Government/Regulator/Municipality Media/Entertainment Industrial (construction, mining, oil) Infrastructure (transport/hospital) Non-profit/NGO/Internet community Other Internet exchange point (IXP) Hardware vendor Domain name registry/Registrar
  • 6. What does the Internet look like? • Networks worldwide interconnect to form the Internet. They include ISPs, Data Centres, Internet Exchange Points, Universities, Corporate networks, etc. • Each dot represents an AS • There are 65,000+ ASNs currently active in the Internet Credit: Cogeco Peer 1
  • 8. Strong Internet Infrastructure • A healthy ecosystem of inter-dependent networks – Service providers • Telcos, International Gateways, ISPs, Data Center/Cloud providers, Content Delivery Networks, Media, Applications etc. – Consumer & corporate networks • Consumers: Mobile phones, Public WiFi, Home networks • Corporate: Office, building, campus, branch, plant, sensor networks • Network operations best practices – Adopted by all types of network
  • 9. Networks in Sri Lanka https://stats.apnic.net/vizas/#LK
  • 10. How does it compare with other economies?
  • 11. By population https://en.wikipedia.org/wiki/List_of_countries_by_population_(United_Nations) – 23 Sep 2019 United Nations, World Population Prospects, 2019 revision
  • 12.
  • 13. By GDP (purchasing power parity) https://en.wikipedia.org/wiki/List_of_countries_by_GDP_(PPP) – 23 Sep 2019 IMF 2019 estimates
  • 14.
  • 16.
  • 17. Sri Lanka Internet ecosystem • Plenty of opportunity to grow in numbers and types of – Service Providers – Consumer & Corporate networks
  • 18. Network operations best practices • Number Registry • Internet Routing • Network Security
  • 19. Number Registry • Internet number resource management • Accurate and updated public records (Whois/RDAP) – APNIC delegation – Customer delegation • Responsive IRT (Incident Response Team) contacts • Reverse DNS management • Awareness and compliance to policies
  • 20. Internet Routing • Peering – Peer with as many networks (ISPs, CDNs, etc) as you can – Keep local traffic local to improve end user experience • You IPv6 peering should be a mirror of your IPv4 peering (where possible)
  • 21. Internet Routing • BGP session – for every peer/transit – Enable BGP TTL security (RFC 5082 – Generalized TTL Security Mechanism) – At least enable BGP MD5 Auth where your router OSes don’t support TCP AO (RFC 5925 TCP Authentication Option)
  • 22. Internet Routing • BGP announcement – Announce your aggregates – Announce more specifics only where you have traffic engineering needs • Ex - If you have a /18, it is fine to announce 4x/20s or 8 x/21s based on the number of uplinks you have …. But • There is NO need to de-aggregate down to 64x/24s!
  • 23. Internet Routing • BGP filtering – Prefix filters • For both Inbound/Outbound announcements • Set maximum prefix limit for routes received from your peers • Do not accept bogons or your own prefixes! – AS PATH filters • Do not announce/accept private ASNs (BGP customers may use private ASNs, but strip it before announcing their routes to peers and upstreams) • Enforce the first ASN in the AS_PATH to be your direct peer (bgp enforce- first-as) • Limit AS_PATH length for prefixes you receive (Current average path is about 5~7 ASNs deep)
  • 24. Internet Routing • BGP filtering – Filter inbound announcements using RPKI ROAs • Create and publish your ROAs (Route Origin Authorizations) • Ask your downstream/peers to create ROAs for their resources • Use BGP ROV (Route Origin Validation) for ROA based filtering (e.g. drop invalid ROAs)
  • 25. Internet Routing • BGP behavior – Change from default permit to default reject to prevent route leaks – RFC 8212 • Currently only supported IOS-XR (all versions), BIRD (2.0.1 onwards), SR-OS (19.5.1 onwards), OpenBGPD (6.4 onwards) • Push your vendors! – If your OS does not support it • Shut the BGP session with the peer (group) during configuration • Define and apply explicit export and import policies to the eBGP peers • Then no-shut the BGP session
  • 26. Network Security • DNSSEC (forward and reverse DNS) • MANRS (Mutually Agreed Norms for Routing Security) – BCP 46: Recommended Internet Service Provider Security Services and Procedures – BCP 38: Network Ingress Filtering – IRR • RPKI & its applications – Digital certificates – ROA – RTA
  • 27. Network Security • DNS – DNSSEC for integrity – Last mile features like DoH/DoT for privacy – Aggressive NSEC caching to prevent DOS attacks against authoritative servers – Passive DNS
  • 28. Network Security • Traffic filtering – BCP38 (RFC 2827) – ingress filtering • Strict uRPF is the norm – BCP84 (RFC 3704) – ingress filtering for multihomed networks • Loose uRPF is the norm
  • 29. Network Security • Traffic filtering – IPv6 specific – Extension Headers are dangerous • But if you drop fragments, things like DNSSEC breaks – Recommendation: • Drop IPv6 fragments that that do not have upper-layer headers in the first fragment (RFC 7112/RFC 8200) • Drop fragments destined for your network nodes (but allow fragments to end users)
  • 30. Network Security • Traffic filtering – IPv6 specific – Filtering ICMPv6 will break IPv6 • Rate limit ICMPv6 instead of dropping them! – Do what you did for IPv4 traffic with IPv6 traffic • ACLs/filters • Harden hosts and applications • Use crypto protections where necessary/critical
  • 31. Network Security • Security concepts – Always start with zero-trust – Put your firewalls closer to or in front of your services (not in the network backbone or at the network perimeter) • Users inside your network and from outside have to go through the firewall • Firewalling in the backbone will reduce its throughput • Ex: The best-known firewall has an inspected throughput of 20Gbps, while 100-400G backbone bandwidths are becoming a norm. You will slow down your backbone by ~300Gbps just for security – Anycast your critical services for resiliency • E.g. your DNS
  • 32. Network Security • Security concepts – Know the normal, to know what is abnormal • Monitor – NMS tools, IDS tools, etc – Profile your network • Netflow – Share and Learn from the community • NOGs, APRICOT/APNIC conferences