SlideShare a Scribd company logo
Internet Society © 1992–2019
What is the problem? And what are we trying to fix?
Routing Security – Its importance and status in South
Asia
Aftab Siddiqui
Senior Manager, Internet Technology
siddiqui@isoc.org
Presentation title – Client name
1
The Routing Problem
2
2/3 Napkin Protocol
3
https://computerhistory.org/blog/the-two-napkin-protocol/
1989
2/3 Napkin Protocol
In 1989. Kirk Lougheed and Len Bosack of Cisco and Yakov Rekhter of IBM were having lunch in a meeting
hall cafeteria at an Internet Engineering Task Force (IETF) conference.
They wrote a new routing protocol that became RFC 1105, the Border Gateway Protocol (BGP), known to
many as the “two—napkin protocol” — in reference to the napkins they used to capture their thoughts.
4
• BGP-1 – RFC 1105, June 1989
• BGP-3 – RFC1267, October 1991
• BGP-4 – RFC 1654, July 1994
The Routing Problem Caption 10/12pt
Caption body copy
5
Border Gateway Protocol (BGP) is
based entirely on unverified trust
between networks
• No built-in validation that updates are
legitimate
• Anyone can announce anything
• Lack of reliable resource data
Routing Security
You must be thinking that building a “Global Network” on the assumption
of TRUST, that everyone who uses it is ”Trustworthy” was not a really bad
idea?
May be or May be not – I can’t make the judgement call…
But Lets hear from Geoff Huston…
"The internet is now busted, and to be perfectly frank, it's totally unclear
how we can fix it. We can't make it better,"
"I actually want to apologise for my small part in this mess we find
ourselves in, because it all turned out so horrendously badly."
6
The routing system is constantly under attack – incidents every day
7
http://bgpstream.com/
The routing system is constantly under attack – incidents every day
8
http://bgpstream.com/
0
2
4
6
8
10
12
14
16
10/1/20 10/2/20 10/3/20 10/4/20 10/5/20 10/6/20 10/7/20 10/8/20 10/9/20 10/10/20 10/11/20
Possible BGP Hijacks
Routing Security
Global routing system is a complex, decentralized system consist of ~70,000
individual networks that have implemented BGP to communicate with each
other.
Despite its strengths, its prone to incidents. Just as water main breaks,
broken pipes, and sewage mix-up can disrupt life in a city, routing incidents
like route leaks, route hijacks, and IP-address spoofing each have the
potential to slow down Internet speeds or even to make parts of the
Internet unreachable.
9
Common Problems
1
0
Prefix/Route
Hijacking
Route Leaks
IP address
spoofing
Common Problems
Finding out after the fact that
• Big chunk of your internet traffic has been incorrectly routed
through a hostile network operator.
• Some of your internet traffic has been going to another
network operator.
None of the above 2 options are great news to anyone!
11
Routing Incidents Cause Real World Problems
1
2
Prefix/Route
Hijacking
Route Leaks
IP address
spoofing
Filtering Source Address Validation
BGP Operations and Security
February 2015
BCP 194 – RFC7454
13
Filtering
Why Filtering
• Your first line of defence
• You can [MUST] control what you are announcing
• You have no control over what other networks announce
• To avoid issues, you have to decide what to accept from other
networks
[ahem ahem RPKI]
14
BCP 194 – Filtering
Inbound and Outbound Filtering
filters SHOULD be applied to make sure advertisements strictly conform to what is
declared in routing registries. This varies across the registries and regions of the
Internet.
Max Prefix Filtering
It is RECOMMENDED to configure a limit on the number of routes to be accepted from a
peer
AS Path Filtering
Network administrators SHOULD accept from customers only 2-byte or 4-byte AS paths
containing ASNs belonging to (or authorized to transit through) the customer.
15
BCP 194 – Filtering
Data Sources
The biggest issue in filtering is to find out the
best/cleanest/workable/scalable aka MAGICAL data source.
• IRRs (Internet Routing Registry)
• Bogons lists (IPv6 & IPv4)
• PeeringDB (For AS-Sets)
• RPKI
16
Status of South Asia and Bangladesh
17
South Asia (as per APNIC)
18
https://stats.apnic.net/delegations/Southern%20Asia
South Asia (UN region)
19
https://observatory.manrs.org/#/overview
Bangladesh
20
Why Filtering is Important? Example 1
Network Next Hop Metric LocPrf Weight Path
103.209.80.0/24 203.202.143.33 0 7474 7473 2914 132602 137491 135100 135100 i
103.209.81.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 i
103.209.82.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 135100 135100 i
103.209.83.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 135100 135100 i
203.96.178.0 203.202.143.33 0 7474 7473 2914 132602 137491 135100 135100 i
21
aut-num: AS135100
as-name: MOL-AS-AP
descr: Maxnet Online Limited
country: BD
org: ORG-MOL1-AP
Why Filtering is Important? Example 1
22
Why Filtering is Important? Example 2
23
AS: 59365 BD-NETWORKS-AS-AP BD Networks, BD
AS: 59356 - VMCENTRAL-AS-AP VMCENTRAL Cloud Services, AU
Why Routing Security?
• Your Cyber Security Strategy is incomplete without Routing Security
• Build Threat intelligence, improve your network’s situational awareness
• Create a Audit Checklist for infrastructure security
• Align infrastructure security across divisions
• Prevent reputational damage (Google PTCL + Youtube)
24
Questions ?
25
Email: siddiqui@isoc.org
Twitter: @aftabsiddiqui

More Related Content

What's hot

pps Matters
pps Matterspps Matters
EVPN Introduction
EVPN IntroductionEVPN Introduction
MyIX Updates
MyIX UpdatesMyIX Updates
MyIX Updates
MyNOG
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
Segment routing in ISO-XR 5.2.2
Segment routing in ISO-XR 5.2.2Segment routing in ISO-XR 5.2.2
Segment routing in ISO-XR 5.2.2
Bertrand Duvivier
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
Bangladesh Network Operators Group
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
Robb Boyd
 
It nv51 instructor_ppt_ch5
It nv51 instructor_ppt_ch5It nv51 instructor_ppt_ch5
It nv51 instructor_ppt_ch5
newbie2019
 
BGP persistence
BGP persistenceBGP persistence
BGP persistence
Bertrand Duvivier
 
BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR
Bertrand Duvivier
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
Bertrand Duvivier
 
WAN SDN meet Segment Routing
WAN SDN meet Segment RoutingWAN SDN meet Segment Routing
WAN SDN meet Segment Routing
APNIC
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Jose Liste
 
It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7
newbie2019
 
Troubleshooting BGP
Troubleshooting BGPTroubleshooting BGP
Troubleshooting BGP
Duane Bodle
 
BGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN ControllerBGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN Controller
APNIC
 
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project  by Shaowen MaCloud Traffic Engineer – Google Espresso Project  by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
MyNOG
 
It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8
newbie2019
 
Ccna rse chp2
Ccna rse chp2Ccna rse chp2
Ccna rse chp2
newbie2019
 
MENOG-Segment Routing Introduction
MENOG-Segment Routing IntroductionMENOG-Segment Routing Introduction
MENOG-Segment Routing Introduction
Rasoul Mesghali, CCIE RS
 

What's hot (20)

pps Matters
pps Matterspps Matters
pps Matters
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN Introduction
 
MyIX Updates
MyIX UpdatesMyIX Updates
MyIX Updates
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT Routing
 
Segment routing in ISO-XR 5.2.2
Segment routing in ISO-XR 5.2.2Segment routing in ISO-XR 5.2.2
Segment routing in ISO-XR 5.2.2
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
 
It nv51 instructor_ppt_ch5
It nv51 instructor_ppt_ch5It nv51 instructor_ppt_ch5
It nv51 instructor_ppt_ch5
 
BGP persistence
BGP persistenceBGP persistence
BGP persistence
 
BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
 
WAN SDN meet Segment Routing
WAN SDN meet Segment RoutingWAN SDN meet Segment Routing
WAN SDN meet Segment Routing
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
 
It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7
 
Troubleshooting BGP
Troubleshooting BGPTroubleshooting BGP
Troubleshooting BGP
 
BGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN ControllerBGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN Controller
 
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project  by Shaowen MaCloud Traffic Engineer – Google Espresso Project  by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
 
It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8
 
Ccna rse chp2
Ccna rse chp2Ccna rse chp2
Ccna rse chp2
 
MENOG-Segment Routing Introduction
MENOG-Segment Routing IntroductionMENOG-Segment Routing Introduction
MENOG-Segment Routing Introduction
 

Similar to Routing Security - its importance and status in South Asia

768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?
Dhiman Chowdhury
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
Bangladesh Network Operators Group
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-Keynote
LKNOG
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
APNIC
 
Manrs 7_sept__indonesia
Manrs  7_sept__indonesiaManrs  7_sept__indonesia
Manrs 7_sept__indonesia
NaveenLakshman
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
APNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
APNIC
 
Peering 101 - ABQNOG1 - May2023
Peering 101 - ABQNOG1 - May2023Peering 101 - ABQNOG1 - May2023
Peering 101 - ABQNOG1 - May2023
Chris Grundemann
 
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN
 
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]
APNIC
 
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014
Đồng Quốc Vương
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
APNIC
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
Bangladesh Network Operators Group
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006
Pace IT at Edmonds Community College
 
Chapter 5 Routing.pptx
Chapter 5 Routing.pptxChapter 5 Routing.pptx
Chapter 5 Routing.pptx
AyaanMohamed4
 
Respond 3 of your colleagues postings in one or more of the fol.docx
 Respond  3 of your colleagues postings in one or more of the fol.docx Respond  3 of your colleagues postings in one or more of the fol.docx
Respond 3 of your colleagues postings in one or more of the fol.docx
aryan532920
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
APNIC
 
BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?
GeoffHuston
 
What's so special about the number 512?
What's so special about the number 512?What's so special about the number 512?
What's so special about the number 512?
APNIC
 

Similar to Routing Security - its importance and status in South Asia (20)

768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-Keynote
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
 
Manrs 7_sept__indonesia
Manrs  7_sept__indonesiaManrs  7_sept__indonesia
Manrs 7_sept__indonesia
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
Peering 101 - ABQNOG1 - May2023
Peering 101 - ABQNOG1 - May2023Peering 101 - ABQNOG1 - May2023
Peering 101 - ABQNOG1 - May2023
 
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities Report
 
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]
 
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06
 
PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006
 
Chapter 5 Routing.pptx
Chapter 5 Routing.pptxChapter 5 Routing.pptx
Chapter 5 Routing.pptx
 
Respond 3 of your colleagues postings in one or more of the fol.docx
 Respond  3 of your colleagues postings in one or more of the fol.docx Respond  3 of your colleagues postings in one or more of the fol.docx
Respond 3 of your colleagues postings in one or more of the fol.docx
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?
 
What's so special about the number 512?
What's so special about the number 512?What's so special about the number 512?
What's so special about the number 512?
 

More from Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Bangladesh Network Operators Group
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Bangladesh Network Operators Group
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
Bangladesh Network Operators Group
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
Bangladesh Network Operators Group
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
Bangladesh Network Operators Group
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
Bangladesh Network Operators Group
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
Bangladesh Network Operators Group
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
Bangladesh Network Operators Group
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
Bangladesh Network Operators Group
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
Bangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
Bangladesh Network Operators Group
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
Bangladesh Network Operators Group
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
Bangladesh Network Operators Group
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
Bangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
Bangladesh Network Operators Group
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
Bangladesh Network Operators Group
 
Measuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create ValueMeasuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create Value
Bangladesh Network Operators Group
 
The Post Covid-19 Cybersecurity World - Where Is It Headed?
The Post Covid-19 Cybersecurity World - Where Is It Headed?The Post Covid-19 Cybersecurity World - Where Is It Headed?
The Post Covid-19 Cybersecurity World - Where Is It Headed?
Bangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 
Measuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create ValueMeasuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create Value
 
The Post Covid-19 Cybersecurity World - Where Is It Headed?
The Post Covid-19 Cybersecurity World - Where Is It Headed?The Post Covid-19 Cybersecurity World - Where Is It Headed?
The Post Covid-19 Cybersecurity World - Where Is It Headed?
 

Recently uploaded

一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
Emre Gündoğdu
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
narwatsonia7
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
Federico Ast
 

Recently uploaded (13)

一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
 

Routing Security - its importance and status in South Asia

  • 1. Internet Society © 1992–2019 What is the problem? And what are we trying to fix? Routing Security – Its importance and status in South Asia Aftab Siddiqui Senior Manager, Internet Technology siddiqui@isoc.org Presentation title – Client name 1
  • 4. 2/3 Napkin Protocol In 1989. Kirk Lougheed and Len Bosack of Cisco and Yakov Rekhter of IBM were having lunch in a meeting hall cafeteria at an Internet Engineering Task Force (IETF) conference. They wrote a new routing protocol that became RFC 1105, the Border Gateway Protocol (BGP), known to many as the “two—napkin protocol” — in reference to the napkins they used to capture their thoughts. 4 • BGP-1 – RFC 1105, June 1989 • BGP-3 – RFC1267, October 1991 • BGP-4 – RFC 1654, July 1994
  • 5. The Routing Problem Caption 10/12pt Caption body copy 5 Border Gateway Protocol (BGP) is based entirely on unverified trust between networks • No built-in validation that updates are legitimate • Anyone can announce anything • Lack of reliable resource data
  • 6. Routing Security You must be thinking that building a “Global Network” on the assumption of TRUST, that everyone who uses it is ”Trustworthy” was not a really bad idea? May be or May be not – I can’t make the judgement call… But Lets hear from Geoff Huston… "The internet is now busted, and to be perfectly frank, it's totally unclear how we can fix it. We can't make it better," "I actually want to apologise for my small part in this mess we find ourselves in, because it all turned out so horrendously badly." 6
  • 7. The routing system is constantly under attack – incidents every day 7 http://bgpstream.com/
  • 8. The routing system is constantly under attack – incidents every day 8 http://bgpstream.com/ 0 2 4 6 8 10 12 14 16 10/1/20 10/2/20 10/3/20 10/4/20 10/5/20 10/6/20 10/7/20 10/8/20 10/9/20 10/10/20 10/11/20 Possible BGP Hijacks
  • 9. Routing Security Global routing system is a complex, decentralized system consist of ~70,000 individual networks that have implemented BGP to communicate with each other. Despite its strengths, its prone to incidents. Just as water main breaks, broken pipes, and sewage mix-up can disrupt life in a city, routing incidents like route leaks, route hijacks, and IP-address spoofing each have the potential to slow down Internet speeds or even to make parts of the Internet unreachable. 9
  • 11. Common Problems Finding out after the fact that • Big chunk of your internet traffic has been incorrectly routed through a hostile network operator. • Some of your internet traffic has been going to another network operator. None of the above 2 options are great news to anyone! 11
  • 12. Routing Incidents Cause Real World Problems 1 2 Prefix/Route Hijacking Route Leaks IP address spoofing Filtering Source Address Validation
  • 13. BGP Operations and Security February 2015 BCP 194 – RFC7454 13 Filtering
  • 14. Why Filtering • Your first line of defence • You can [MUST] control what you are announcing • You have no control over what other networks announce • To avoid issues, you have to decide what to accept from other networks [ahem ahem RPKI] 14
  • 15. BCP 194 – Filtering Inbound and Outbound Filtering filters SHOULD be applied to make sure advertisements strictly conform to what is declared in routing registries. This varies across the registries and regions of the Internet. Max Prefix Filtering It is RECOMMENDED to configure a limit on the number of routes to be accepted from a peer AS Path Filtering Network administrators SHOULD accept from customers only 2-byte or 4-byte AS paths containing ASNs belonging to (or authorized to transit through) the customer. 15
  • 16. BCP 194 – Filtering Data Sources The biggest issue in filtering is to find out the best/cleanest/workable/scalable aka MAGICAL data source. • IRRs (Internet Routing Registry) • Bogons lists (IPv6 & IPv4) • PeeringDB (For AS-Sets) • RPKI 16
  • 17. Status of South Asia and Bangladesh 17
  • 18. South Asia (as per APNIC) 18 https://stats.apnic.net/delegations/Southern%20Asia
  • 19. South Asia (UN region) 19 https://observatory.manrs.org/#/overview
  • 21. Why Filtering is Important? Example 1 Network Next Hop Metric LocPrf Weight Path 103.209.80.0/24 203.202.143.33 0 7474 7473 2914 132602 137491 135100 135100 i 103.209.81.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 i 103.209.82.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 135100 135100 i 103.209.83.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 135100 135100 i 203.96.178.0 203.202.143.33 0 7474 7473 2914 132602 137491 135100 135100 i 21 aut-num: AS135100 as-name: MOL-AS-AP descr: Maxnet Online Limited country: BD org: ORG-MOL1-AP
  • 22. Why Filtering is Important? Example 1 22
  • 23. Why Filtering is Important? Example 2 23 AS: 59365 BD-NETWORKS-AS-AP BD Networks, BD AS: 59356 - VMCENTRAL-AS-AP VMCENTRAL Cloud Services, AU
  • 24. Why Routing Security? • Your Cyber Security Strategy is incomplete without Routing Security • Build Threat intelligence, improve your network’s situational awareness • Create a Audit Checklist for infrastructure security • Align infrastructure security across divisions • Prevent reputational damage (Google PTCL + Youtube) 24