This document discusses strengthening Sri Lanka's internet infrastructure by adopting best practices for network operations. It recommends that Sri Lanka develop a healthy ecosystem of interconnected networks including more service providers and consumer/corporate networks. It also provides guidance on implementing best practices for number registry, internet routing, and network security such as securing BGP configurations, implementing traffic filtering, and deploying DNSSEC. Adopting these practices would help develop a more robust internet infrastructure for Sri Lanka that is on par with other economies in the region.
2. Overview
• Internet infrastructure
• Criteria for a strong Internet infrastructure
– Robust network ecosystem
– Adoption of network operations best practices
• Internet Infrastructure in Sri Lanka
• Network operations best practices
3. About the Internet
• The Internet is a set of interconnecting networks – “the network of networks”
• Every device on the Internet requires an address (IP address) so it can be found by other devices to send and receive data
• IPv4: 66.220.144.0
• IPv6: 2a03:2880:11:2f83:face:b00c:0:25de
• Independent networks manage their own IP address space, and interconnect with other networks using BGP and Autonomous System Numbers (ASN)
5. Who operates these networks?
Current industry mix in AP region. Other regions may vary
September 2019
Internet service provider (ISP)
Hosting/Data centre
Telecommunications/Mobile operator
Enterprise/Manufacturing/Retail
Banking/Financial
Academic/Educational/Research
Software vendor
Government/Regulator/Municipality
Media/Entertainment
Industrial (construction, mining, oil)
Infrastructure (transport/hospital)
Non-profit/NGO/Internet community
Other
Internet exchange point (IXP)
Hardware vendor
Domain name registry/Registrar
6. What does the Internet look like?
• Networks worldwide interconnect to form the Internet. They include ISPs, Data Centres, Internet Exchange Points, Universities, Corporate networks, etc.
• Each dot represents an AS
• There are 65,000+ ASNs currently active in the Internet
Credit: Cogeco Peer 1
8. Strong Internet Infrastructure
• A healthy ecosystem of inter-dependent networks
– Service providers
• Telcos, International Gateways, ISPs, Data Center/Cloud providers, Content Delivery Networks, Media, Applications etc.
– Consumer & corporate networks
• Consumers: Mobile phones, Public WiFi, Home networks
• Corporate: Office, building, campus, branch, plant, sensor networks
• Network operations best practices
– Adopted by all types of network
19. Number Registry
• Internet number resource management
• Accurate and updated public records (Whois/RDAP)
– APNIC delegation
– Customer delegation
• Responsive IRT (Incident Response Team) contacts
• Reverse DNS management
• Awareness of and compliance with policies
20. Internet Routing
• Peering
– Peer with as many networks (ISPs, CDNs, etc) as you can
– Keep local traffic local to improve end user experience
• Your IPv6 peering should be a mirror of your IPv4 peering (where possible)
21. Internet Routing
• BGP session – for every peer/transit
– Enable BGP TTL security (RFC 5082 – Generalized TTL Security Mechanism)
– At least enable BGP MD5 Auth where your router OSes don’t support TCP AO (RFC 5925 TCP Authentication Option)
22. Internet Routing
• BGP announcement
– Announce your aggregates
– Announce more specifics only where you have traffic engineering needs
• Ex - If you have a /18, it is fine to announce 4 x /20s or 8 x /21s based on the number of uplinks you have …. But
• There is NO need to de-aggregate down to 64 x /24s!
23. Internet Routing
• BGP filtering
– Prefix filters
• For both Inbound/Outbound announcements
• Set maximum prefix limit for routes received from your peers
• Do not accept bogons or your own prefixes!
– AS PATH filters
• Do not announce/accept private ASNs (BGP customers may use private ASNs, but strip it before announcing their routes to peers and upstreams)
• Enforce the first ASN in the AS_PATH to be your direct peer (bgp enforce-first-as)
• Limit AS_PATH length for prefixes you receive (Current average path is about 5~7 ASNs deep)
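The inbound checks listed on this slide, applied to constructed announcements in Python. This is an added example, not part of the original slides and not any router's own API; the `PeerSession` class, the abbreviated bogon list and the path-length ceiling of 30 are assumptions.

```python
import ipaddress

# Abbreviated IPv4 bogon list (assumption: documentation ranges are left out
# so the constructed samples below can use them as stand-ins for real space).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))  # RFC 6996
MAX_AS_PATH_LEN = 30  # assumed ceiling, well above the 5~7 average on the slide


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


class PeerSession:
    """Inbound policy for one eBGP peer (hypothetical helper, not a router API)."""

    def __init__(self, peer_asn, own_prefixes, max_prefixes):
        self.peer_asn = peer_asn
        self.own = [ipaddress.ip_network(p) for p in own_prefixes]
        self.max_prefixes = max_prefixes
        self.accepted = set()
        self.up = True

    def reasons_to_reject(self, prefix, as_path):
        net = ipaddress.ip_network(prefix)
        reasons = []
        if any(net.version == b.version and net.subnet_of(b) for b in BOGONS):
            reasons.append("bogon")
        if any(net.version == o.version and net.subnet_of(o) for o in self.own):
            reasons.append("own-prefix")
        if not as_path or as_path[0] != self.peer_asn:
            reasons.append("first-as-mismatch")
        if any(is_private_asn(a) for a in as_path):
            reasons.append("private-asn")
        if len(as_path) > MAX_AS_PATH_LEN:
            reasons.append("as-path-too-long")
        return reasons

    def receive(self, prefix, as_path):
        """Return 'accept', 'reject: <reasons>' or 'session-down'."""
        if not self.up:
            return "session-down"
        reasons = self.reasons_to_reject(prefix, as_path)
        if reasons:
            return "reject: " + ",".join(reasons)
        self.accepted.add(ipaddress.ip_network(prefix))
        if len(self.accepted) > self.max_prefixes:
            self.up = False  # maximum-prefix limit tripped: drop the session
            self.accepted.clear()
            return "session-down"
        return "accept"


if __name__ == "__main__":
    # Constructed announcements; ASNs 64496-64511 are documentation ASNs.
    s = PeerSession(peer_asn=64500, own_prefixes=["203.0.113.0/24"], max_prefixes=2)
    for pfx, path in [
        ("198.51.100.0/24", [64500, 64501]),
        ("10.1.0.0/16", [64500, 64501]),
        ("203.0.113.128/25", [64500]),
        ("192.0.2.0/24", [64499, 64501]),
        ("192.0.2.0/24", [64500, 64512, 64501]),
    ]:
        print(pfx, path, "->", s.receive(pfx, path))
```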
24. Internet Routing
• BGP filtering
– Filter inbound announcements using RPKI ROAs
• Create and publish your ROAs (Route Origin Authorizations)
• Ask your downstream/peers to create ROAs for their resources
• Use BGP ROV (Route Origin Validation) for ROA based filtering (e.g. drop invalid ROAs)
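How ROV classifies a received route against published ROAs, following the RFC 6811 procedure, with a ROA for a /18 and maxLength 20 to match the de-aggregation example from the announcement slide. This is an added Python example, not part of the original slides; the `VRP` tuple, the function names and all sample prefixes and ASNs are constructed.

```python
import ipaddress
from collections import namedtuple

# One validated ROA payload: prefix, maxLength, authorised origin ASN.
VRP = namedtuple("VRP", "prefix max_length asn")


def validate_origin(prefix, origin_asn, vrps):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue                      # this VRP does not cover the route
        covered = True
        # AS 0 in a ROA means "nobody may originate this", so it never matches.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def rov_filter(routes, vrps):
    """Drop invalid routes; keep valid and not-found ones with their state."""
    kept = []
    for prefix, origin in routes:
        state = validate_origin(prefix, origin, vrps)
        if state != "invalid":
            kept.append((prefix, origin, state))
    return kept


# Constructed data: 198.18.0.0/15 is benchmarking space, ASNs are documentation ASNs.
SAMPLE_VRPS = [VRP("198.18.0.0/18", 20, 64500), VRP("198.19.0.0/24", 24, 0)]
SAMPLE_ROUTES = [
    ("198.18.0.0/18", 64500),    # the aggregate, right origin
    ("198.18.16.0/20", 64500),   # traffic-engineering more-specific within maxLength
    ("198.18.16.0/24", 64500),   # right origin but longer than maxLength
    ("198.18.0.0/18", 64501),    # covered prefix, wrong origin
    ("198.19.0.0/24", 64502),    # covered only by an AS 0 ROA
    ("198.19.1.0/24", 64502),    # no covering ROA
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(r, validate_origin(r[0], r[1], SAMPLE_VRPS))
    print(rov_filter(SAMPLE_ROUTES, SAMPLE_VRPS))
```

A route that is merely not-found is kept here because most address space still has no ROA; only routes contradicted by a covering ROA are dropped.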
25. Internet Routing
• BGP behavior
– Change from default permit to default reject to prevent route leaks
– RFC 8212
• Currently only supported on IOS-XR (all versions), BIRD (2.0.1 onwards), SR-OS (19.5.1 onwards), OpenBGPD (6.4 onwards)
• Push your vendors!
– If your OS does not support it
• Shut the BGP session with the peer (group) during configuration
• Define and apply explicit export and import policies to the eBGP peers
• Then no-shut the BGP session
26. Network Security
• DNSSEC (forward and reverse DNS)
• MANRS (Mutually Agreed Norms for Routing Security)
– BCP 46: Recommended Internet Service Provider Security Services and Procedures
– BCP 38: Network Ingress Filtering
– IRR
• RPKI & its applications
– Digital certificates
– ROA
– RTA
27. Network Security
• DNS
– DNSSEC for integrity
– Last mile features like DoH/DoT for privacy
– Aggressive NSEC caching to prevent DoS attacks against authoritative servers
– Passive DNS
28. Network Security
• Traffic filtering
– BCP38 (RFC 2827) – ingress filtering
• Strict uRPF is the norm
– BCP84 (RFC 3704) – ingress filtering for multihomed networks
• Loose uRPF is the norm
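Why strict mode suits a single-homed customer edge while a multihomed edge uses loose mode, shown as a small uRPF model over a forwarding table. This is an added Python example, not part of the original slides; the interface names and tables are constructed, strict mode is simplified to a single best path, and loose mode is assumed not to count a default route as a match.

```python
import ipaddress


def lookup(fib, addr):
    """Longest-prefix match over [(prefix, interface)]; None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best


def urpf_permits(fib, src, in_iface, mode):
    """Apply strict or loose uRPF to a packet's source address."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, iface = hit
    if mode == "strict":
        return iface == in_iface   # best return path must use the arrival interface
    if mode == "loose":
        return net.prefixlen > 0   # any specific route will do; default alone does not
    raise ValueError("mode must be 'strict' or 'loose'")


# Constructed tables using documentation prefixes.
ACCESS_FIB = [("192.0.2.0/24", "cust1"), ("0.0.0.0/0", "transitA")]
MULTIHOMED_FIB = [("198.51.100.0/24", "transitA"), ("203.0.113.0/24", "transitB")]

if __name__ == "__main__":
    # Customer edge: strict mode passes the customer's own space, drops spoofing.
    print(urpf_permits(ACCESS_FIB, "192.0.2.10", "cust1", "strict"))
    print(urpf_permits(ACCESS_FIB, "203.0.113.5", "cust1", "strict"))
    # Multihomed edge: legitimate traffic arrives on the "other" uplink.
    print(urpf_permits(MULTIHOMED_FIB, "198.51.100.7", "transitB", "strict"))
    print(urpf_permits(MULTIHOMED_FIB, "198.51.100.7", "transitB", "loose"))
    # Loose mode still drops sources with no route at all.
    print(urpf_permits(MULTIHOMED_FIB, "10.9.9.9", "transitB", "loose"))
```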
29. Network Security
• Traffic filtering – IPv6 specific
– Extension Headers are dangerous
• But if you drop fragments, things like DNSSEC break
– Recommendation:
• Drop IPv6 fragments that do not have upper-layer headers in the first fragment (RFC 7112/RFC 8200)
• Drop fragments destined for your network nodes (but allow fragments to end users)
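The first recommendation as a packet check: walk the IPv6 header chain of a first fragment and drop it when the chain ends before a complete upper-layer header. This is an added Python example, not part of the original slides; the function and builder names are hypothetical, the packets are constructed with documentation addresses, and unknown upper-layer protocols are assumed to need at least one byte present.

```python
import ipaddress
import struct

EXT_HEADERS = {0, 43, 60}          # hop-by-hop, routing, destination options
FRAGMENT, AH, NO_NEXT = 44, 51, 59
MIN_UPPER = {6: 20, 17: 8, 58: 4}  # TCP, UDP, ICMPv6 fixed header sizes


def drop_first_fragment(packet):
    """True if packet is a first fragment whose header chain is incomplete."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return False                      # not IPv6: outside this rule
    nxt, off, is_first = packet[6], 40, False
    while True:
        if nxt == FRAGMENT:
            if off + 8 > len(packet):
                return False              # truncated fragment header: malformed
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return False              # non-zero offset: not a first fragment
            is_first = True
            nxt, off = packet[off], off + 8
        elif nxt in EXT_HEADERS or nxt == AH:
            if off + 2 > len(packet):
                return is_first           # chain cut off inside an extension header
            unit = packet[off + 1]
            size = (unit + 2) * 4 if nxt == AH else (unit + 1) * 8
            if off + size > len(packet):
                return is_first
            nxt, off = packet[off], off + size
        elif nxt == NO_NEXT:
            return False                  # nothing follows, so nothing is missing
        else:
            # Upper-layer header reached. Unknown protocols need at least one
            # byte present (assumption made for this example).
            return is_first and off + MIN_UPPER.get(nxt, 1) > len(packet)


# --- constructed packet builders for the samples (documentation addresses) ---
SRC = ipaddress.ip_address("2001:db8::1").packed
DST = ipaddress.ip_address("2001:db8::2").packed


def ipv6(next_header, body):
    return struct.pack("!IHBB", 6 << 28, len(body), next_header, 64) + SRC + DST + body


def frag(next_header, offset_units, more):
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | more, 0x1234)


def dest_opts(next_header):
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])   # 8 bytes, one PadN option


if __name__ == "__main__":
    ok = ipv6(44, frag(17, 0, 1) + bytes(8) + b"x" * 100)   # UDP header present
    tiny = ipv6(44, frag(60, 0, 1) + dest_opts(6))          # TCP header pushed out
    later = ipv6(44, frag(17, 185, 0) + b"x" * 50)          # non-first fragment
    for name, pkt in (("ok", ok), ("tiny", tiny), ("later", later)):
        print(name, "drop" if drop_first_fragment(pkt) else "pass")
```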
30. Network Security
• Traffic filtering – IPv6 specific
– Filtering ICMPv6 will break IPv6
• Rate limit ICMPv6 instead of dropping them!
– Do what you did for IPv4 traffic with IPv6 traffic
• ACLs/filters
• Harden hosts and applications
• Use crypto protections where necessary/critical
31. Network Security
• Security concepts
– Always start with zero-trust
– Put your firewalls closer to or in front of your services (not in the network backbone or at the network perimeter)
• Users inside your network and from outside have to go through the firewall
• Firewalling in the backbone will reduce its throughput
• Ex: The best-known firewall has an inspected throughput of 20Gbps, while 100-400G backbone bandwidths are becoming a norm. You will slow down your backbone by ~300Gbps just for security
– Anycast your critical services for resiliency
• E.g. your DNS
32. Network Security
• Security concepts
– Know the normal, to know what is abnormal
• Monitor – NMS tools, IDS tools, etc
– Profile your network
• Netflow
– Share and Learn from the community
• NOGs, APRICOT/APNIC conferences