RPKI-Based Origin Validation, Routers, & Caches discusses the technical background and deployment of RPKI (Resource Public Key Infrastructure) and RPKI-based origin validation. It explains how RPKI uses X.509 certificates signed by regional internet registries to prove IP prefix and AS number ownership. It also describes how routers can obtain ROA (Route Origin Authorization) data from RPKI caches to mark BGP updates as valid, invalid, or not found based on prefix and origin AS matching. This helps prevent route hijacking and origin misconfigurations.
Senior Training Officer, Sheryl (Shane) Hermoso, outlines the importance of securing Internet routing to prevent route hijacking and prefix mis-origination with RPKI at the recent VNIX/NOG event in Ha Noi in November 2016.
The document discusses IPv6 multicast and protocols used to support it such as PIM and MLD. It provides details on:
- PIM sparse mode operation, including building shared and shortest path trees using joins and registers.
- The roles of the rendezvous point, designated router, and MLD querier.
- MLD version 1 and 2, including query types, report messages, and handling group membership changes.
Mavenir: Monetizing RCS through Innovation on Cloud Native NetworkMavenir
A Rich Communication Services (RCS) market overview, how RCS is adding value to mobile networks, and the RCS evolution.
Presentation from Rakuten Showcase at Mobile World Congress 2019.
The document discusses the evolution from 4G's point-to-point core network architecture to 5G's service-based architecture. It describes the need for change driven by new 5G use cases requiring network slicing and easier integration of new features. The current 3GPP Release 15 5G service-based architecture is presented, including its protocol layering using HTTP/2 and JSON, API design principles, and support for network slicing and security. Future releases will enhance the architecture for massive IoT, ultra-reliable low latency communication, and other use cases.
Spatial Division Multiplexing (SDM) is a new submarine cable paradigm that allows for higher total cable capacity by increasing the number of fiber pairs in a cable, even if capacity per pair is lower. SDM cables sacrifice spectral efficiency per pair in order to add more pairs and compensate with a higher cable capacity overall. This approach helps maximize capacity as we near the limits imposed by Shannon's law. Initial SDM cables deployed around 12-24 fiber pairs and achieved cable capacities over 300Tbps. Future SDM designs could scale to 32 or even 40 fiber pairs to support petabit cable systems.
PCRF-Policy Charging System-Functional AnalysisBiju M R
The document discusses policy charging and management in 3GPP networks. It introduces key concepts like the PCRF which generates policy and QoS rules based on subscriber and service information from other network nodes. The objectives of policy management are to prioritize traffic to meet SLAs, personalize services to individual subscribers, and create new revenue opportunities. The document outlines the roles of various network nodes involved in policy enforcement like PCEF, BBERF, SPR. It also describes the Gx, Gxx, Rx and Sy reference points used on the interfaces between PCRF and other policy related nodes.
Senior Training Officer, Sheryl (Shane) Hermoso, outlines the importance of securing Internet routing to prevent route hijacking and prefix mis-origination with RPKI at the recent VNIX/NOG event in Ha Noi in November 2016.
The document discusses IPv6 multicast and protocols used to support it such as PIM and MLD. It provides details on:
- PIM sparse mode operation, including building shared and shortest path trees using joins and registers.
- The roles of the rendezvous point, designated router, and MLD querier.
- MLD version 1 and 2, including query types, report messages, and handling group membership changes.
Mavenir: Monetizing RCS through Innovation on Cloud Native NetworkMavenir
A Rich Communication Services (RCS) market overview, how RCS is adding value to mobile networks, and the RCS evolution.
Presentation from Rakuten Showcase at Mobile World Congress 2019.
The document discusses the evolution from 4G's point-to-point core network architecture to 5G's service-based architecture. It describes the need for change driven by new 5G use cases requiring network slicing and easier integration of new features. The current 3GPP Release 15 5G service-based architecture is presented, including its protocol layering using HTTP/2 and JSON, API design principles, and support for network slicing and security. Future releases will enhance the architecture for massive IoT, ultra-reliable low latency communication, and other use cases.
Spatial Division Multiplexing (SDM) is a new submarine cable paradigm that allows for higher total cable capacity by increasing the number of fiber pairs in a cable, even if capacity per pair is lower. SDM cables sacrifice spectral efficiency per pair in order to add more pairs and compensate with a higher cable capacity overall. This approach helps maximize capacity as we near the limits imposed by Shannon's law. Initial SDM cables deployed around 12-24 fiber pairs and achieved cable capacities over 300Tbps. Future SDM designs could scale to 32 or even 40 fiber pairs to support petabit cable systems.
PCRF-Policy Charging System-Functional AnalysisBiju M R
The document discusses policy charging and management in 3GPP networks. It introduces key concepts like the PCRF which generates policy and QoS rules based on subscriber and service information from other network nodes. The objectives of policy management are to prioritize traffic to meet SLAs, personalize services to individual subscribers, and create new revenue opportunities. The document outlines the roles of various network nodes involved in policy enforcement like PCEF, BBERF, SPR. It also describes the Gx, Gxx, Rx and Sy reference points used on the interfaces between PCRF and other policy related nodes.
This document discusses the evosip platform, which uses Docker and Kubernetes to provide a scalable VoIP infrastructure based on Kamailio, Asterisk, and RTPEngine. Key aspects include:
- Using containers and Kubernetes for fast, automatic scaling with no limits and distributed architecture.
- Implementing Kamailio, Asterisk, and RTPEngine as stateless services using techniques like cached dispatchers, authentication from a shared table, and storing dialogs in a database.
- Using macvlan networking to give containers direct public IPs without NAT for better performance.
- Separating data and core service networks and using Multus CNI to give containers multiple networks.
-
The document discusses the evolution of Cisco's ACI fabric and policy domains from ACI 1.0 to 3.0. It defines key ACI terminology and describes ACI MultiPod, which connects multiple pods within a fabric. ACI MultiPod supports configurations with up to 12 pods and 400 leaf switches. It also discusses ACI MultiSite, which extends ACI policies and networking across multiple availability zones or data centers using an Inter-Site Network.
This document contains information about routing protocols like EIGRP, OSPF, BGP and IPv6 routing. It discusses various topics such as configuring and tuning EIGRP parameters like timers, authentication and metrics. It also covers topics related to OSPF like network types, route filtering, summarization etc. Redistribution between protocols and IPv6 routing concepts are also mentioned. The document contains practical exercises for configuring various routing features on sample networks.
BGP Traffic Engineering with SDN Controller, by Shaowen Ma.
A presentation given at APRICOT 2016’s Software Defined Networking session on 24 February 2016.
This document summarizes new developments in 5G NR user plane protocols:
1) It introduces the work plan for 5G NR and describes non-standalone and standalone 5G NR architectures.
2) It describes new 5G NR user plane protocols including the Service Data Adaptation Protocol (SDAP), Packet Data Convergence Protocol (PDCP), Radio Link Control (RLC), and Medium Access Control (MAC) layers.
3) Key enhancements in 5G NR include support for multiple numerologies, reduced latency through changes like removal of concatenation, and improved hybrid automatic repeat request (HARQ) through code block groups.
This document discusses MPLS VPN and its three main types: point-to-point VPNs using pseudowires to encapsulate traffic between two sites; layer 2 VPNs called VPLS that provide switched VLAN services across sites; and layer 3 VPNs known as VPRN that utilize VRF tables to segment routing for each customer using BGP. It describes how MPLS VPN works using CE, PE, and P routers to forward labeled packets through the provider network and pop the label at the destination PE to deliver the packet. Finally, it provides additional resources for learning more about MPLS VPN technologies.
This document provides a summary of new features for the Nokia LTE RAN Release FDD-LTE 19, including:
1) New BTS site solutions that support mixed centralized RFMs and additional WCDMA/LTE C-RFS configurations.
2) Transmission features like physical TRS interfaces, Ethernet transport, IP transport, TRS QoS, synchronization, and TRS porting.
3) Radio resource management and telecom features.
The document contains detailed information on over 20 new AirScale products and configurations that are part of this release.
This chapter discusses implementing Border Gateway Protocol (BGP) solutions for Internet Service Provider (ISP) connectivity. It begins with an overview of BGP terminology such as autonomous systems (AS), AS numbers, and BGP peers. The chapter then covers basic BGP configuration and operation, including the exchange of routing information between BGP peers in different ASes. It also discusses considerations for connecting an enterprise network to an ISP, such as addressing, link types, redundancy, and routing protocols.
This document provides an overview of 3GPP specifications and network functions related to 2G, 3G, 4G, and 5G mobile networks. It includes abbreviations for network nodes, interfaces, and protocols across the different generations of cellular standards. Release numbers are shown for 5G network functions introduced in 3GPP specifications.
BMP (BGP Monitoring Protocol) allows routers to send BGP peer route updates and statistics to external monitoring stations. It provides access to the pre-policy routing table (Adj-RIB-In) of peers on an ongoing basis. Cisco supports BMP in IOS-XE and IOS-XR routers. OpenBMP is an open-source BMP collector that stores updates in a MySQL database for analysis.
VoLTE Basic callflows in IMS network v2 - includes Registration, Basic VoLTE Call, SDP, Interconnect, Roaming, highlights important SIP headers for session routing and user identities.
5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approachCapgemini
Fixed Wireless Access (FWA) is considered to be the first promising B2C use-case for 5G, offering customers a “fiber-like” experience. Capgemini explores several deployment sceneries, an analysis of Verizon’s 5G Home launch and the momentum it’s causing in the market, as well as the key components that need to be addressed when building a 5G FWA strategy. To learn more about Capgemini Invent’s expertise in 5G, contact our experts:
Pierre Fortier
Principal Consultant, Capgemini Invent
Pierre.Fortier@capgemini.com
Marouane Bikour
Senior Consultant, Capgemini Invent
Marouane.bikour@capgemini.com
1. MPLS simplifies forwarding by introducing label switching which uses a forwarding table and label carried in each packet rather than conventional IP routing based on IP addresses.
2. MPLS establishes label switched paths between routers where each router along the path transmits the packet to the next router by means of a label. Edge routers analyze packets and assign an initial label.
3. The main benefits of MPLS include improved performance, scalability, and traffic engineering capabilities compared to conventional IP routing.
This document provides an overview of Vector Packet Processing (VPP), an open source packet processing platform developed as part of the FD.io project. VPP is based on DPDK for high performance packet processing in userspace. It includes a full networking stack and can perform L2/L3 forwarding and routing at speeds of over 14 million packets per second on a single core. VPP processing is divided into individual nodes connected by a graph. Packets are passed between nodes as vectors to support batch processing. VPP supports both single and multicore modes using different threading models. It can be used to implement routers, switches, and other network functions and topologies.
The document discusses techniques for improving BGP convergence including next hop tracking (NHT), which allows BGP to react quickly to IGP changes without waiting 60 seconds for the full BGP table scan; minimum route advertisement interval (MRAI) timers which batch route updates to peers but can also slow convergence across multiple autonomous systems; and event driven route origination which reduces CPU usage compared to the previous polling model. Faster session deactivation (FSD) also allows BGP sessions to be quickly torn down if the route to a peer is lost.
This document discusses Mellanox's ConnectX-3 Pro networking adapter, which provides hardware offloading for overlay networks like VXLAN and NVGRE. This dramatically lowers CPU overhead, allowing more virtual machines to be supported per server. Test results show that with hardware offloading, VXLAN throughput is higher and CPU utilization is lower compared to software-only implementations. Offloading also reduces capital and operating expenses through increased server utilization and efficiency.
Converting From Nexus NX-OS Mode to ACI Mode.David kankam
The document provides instructions for converting a Nexus switch from NX-OS mode to ACI mode to use the switch with the Cisco Application Centric Infrastructure (ACI). It describes checking the current software version, ensuring hardware compatibility, and upgrading the image. The key steps are to disable NX-OS mode, copy an ACI image file to the switch, boot from this image file to load ACI software, and reload the switch. Instructions are also given to revert back to NX-OS mode if needed.
APNIC Network Operations Engineer and Senior Training Officer Sheryl Hermoso gives an update on ROA and RPKI deployment in the Philippines at PhNOG 2020 in Manila, Philippines, on 24 February 2020.
1. The document provides an introduction and tutorial on RPKI (Resource Public Key Infrastructure) and how it can be used to secure Internet routing and validate route origins using digital certificates and public key cryptography.
2. It describes the goals of RPKI to reduce routing leaks and hijacks by allowing ISPs to validate the authenticity of route announcements based on IP and ASN ownership.
3. The presentation demonstrates how to create ROAs (Route Origin Authorizations) and configure routers to validate route origins and make routing decisions based on the RPKI validation results.
This document discusses the evosip platform, which uses Docker and Kubernetes to provide a scalable VoIP infrastructure based on Kamailio, Asterisk, and RTPEngine. Key aspects include:
- Using containers and Kubernetes for fast, automatic scaling with no limits and distributed architecture.
- Implementing Kamailio, Asterisk, and RTPEngine as stateless services using techniques like cached dispatchers, authentication from a shared table, and storing dialogs in a database.
- Using macvlan networking to give containers direct public IPs without NAT for better performance.
- Separating data and core service networks and using Multus CNI to give containers multiple networks.
-
The document discusses the evolution of Cisco's ACI fabric and policy domains from ACI 1.0 to 3.0. It defines key ACI terminology and describes ACI MultiPod, which connects multiple pods within a fabric. ACI MultiPod supports configurations with up to 12 pods and 400 leaf switches. It also discusses ACI MultiSite, which extends ACI policies and networking across multiple availability zones or data centers using an Inter-Site Network.
This document contains information about routing protocols like EIGRP, OSPF, BGP and IPv6 routing. It discusses various topics such as configuring and tuning EIGRP parameters like timers, authentication and metrics. It also covers topics related to OSPF like network types, route filtering, summarization etc. Redistribution between protocols and IPv6 routing concepts are also mentioned. The document contains practical exercises for configuring various routing features on sample networks.
BGP Traffic Engineering with SDN Controller, by Shaowen Ma.
A presentation given at APRICOT 2016’s Software Defined Networking session on 24 February 2016.
This document summarizes new developments in 5G NR user plane protocols:
1) It introduces the work plan for 5G NR and describes non-standalone and standalone 5G NR architectures.
2) It describes new 5G NR user plane protocols including the Service Data Adaptation Protocol (SDAP), Packet Data Convergence Protocol (PDCP), Radio Link Control (RLC), and Medium Access Control (MAC) layers.
3) Key enhancements in 5G NR include support for multiple numerologies, reduced latency through changes like removal of concatenation, and improved hybrid automatic repeat request (HARQ) through code block groups.
This document discusses MPLS VPN and its three main types: point-to-point VPNs using pseudowires to encapsulate traffic between two sites; layer 2 VPNs called VPLS that provide switched VLAN services across sites; and layer 3 VPNs known as VPRN that utilize VRF tables to segment routing for each customer using BGP. It describes how MPLS VPN works using CE, PE, and P routers to forward labeled packets through the provider network and pop the label at the destination PE to deliver the packet. Finally, it provides additional resources for learning more about MPLS VPN technologies.
This document provides a summary of new features for the Nokia LTE RAN Release FDD-LTE 19, including:
1) New BTS site solutions that support mixed centralized RFMs and additional WCDMA/LTE C-RFS configurations.
2) Transmission features like physical TRS interfaces, Ethernet transport, IP transport, TRS QoS, synchronization, and TRS porting.
3) Radio resource management and telecom features.
The document contains detailed information on over 20 new AirScale products and configurations that are part of this release.
This chapter discusses implementing Border Gateway Protocol (BGP) solutions for Internet Service Provider (ISP) connectivity. It begins with an overview of BGP terminology such as autonomous systems (AS), AS numbers, and BGP peers. The chapter then covers basic BGP configuration and operation, including the exchange of routing information between BGP peers in different ASes. It also discusses considerations for connecting an enterprise network to an ISP, such as addressing, link types, redundancy, and routing protocols.
This document provides an overview of 3GPP specifications and network functions related to 2G, 3G, 4G, and 5G mobile networks. It includes abbreviations for network nodes, interfaces, and protocols across the different generations of cellular standards. Release numbers are shown for 5G network functions introduced in 3GPP specifications.
BMP (BGP Monitoring Protocol) allows routers to send BGP peer route updates and statistics to external monitoring stations. It provides access to the pre-policy routing table (Adj-RIB-In) of peers on an ongoing basis. Cisco supports BMP in IOS-XE and IOS-XR routers. OpenBMP is an open-source BMP collector that stores updates in a MySQL database for analysis.
VoLTE Basic callflows in IMS network v2 - includes Registration, Basic VoLTE Call, SDP, Interconnect, Roaming, highlights important SIP headers for session routing and user identities.
5G Fixed Wireless Access: Trends we’re seeing and Capgemini’s approachCapgemini
Fixed Wireless Access (FWA) is considered to be the first promising B2C use-case for 5G, offering customers a “fiber-like” experience. Capgemini explores several deployment sceneries, an analysis of Verizon’s 5G Home launch and the momentum it’s causing in the market, as well as the key components that need to be addressed when building a 5G FWA strategy. To learn more about Capgemini Invent’s expertise in 5G, contact our experts:
Pierre Fortier
Principal Consultant, Capgemini Invent
Pierre.Fortier@capgemini.com
Marouane Bikour
Senior Consultant, Capgemini Invent
Marouane.bikour@capgemini.com
1. MPLS simplifies forwarding by introducing label switching which uses a forwarding table and label carried in each packet rather than conventional IP routing based on IP addresses.
2. MPLS establishes label switched paths between routers where each router along the path transmits the packet to the next router by means of a label. Edge routers analyze packets and assign an initial label.
3. The main benefits of MPLS include improved performance, scalability, and traffic engineering capabilities compared to conventional IP routing.
This document provides an overview of Vector Packet Processing (VPP), an open source packet processing platform developed as part of the FD.io project. VPP is based on DPDK for high performance packet processing in userspace. It includes a full networking stack and can perform L2/L3 forwarding and routing at speeds of over 14 million packets per second on a single core. VPP processing is divided into individual nodes connected by a graph. Packets are passed between nodes as vectors to support batch processing. VPP supports both single and multicore modes using different threading models. It can be used to implement routers, switches, and other network functions and topologies.
The document discusses techniques for improving BGP convergence including next hop tracking (NHT), which allows BGP to react quickly to IGP changes without waiting 60 seconds for the full BGP table scan; minimum route advertisement interval (MRAI) timers which batch route updates to peers but can also slow convergence across multiple autonomous systems; and event driven route origination which reduces CPU usage compared to the previous polling model. Faster session deactivation (FSD) also allows BGP sessions to be quickly torn down if the route to a peer is lost.
This document discusses Mellanox's ConnectX-3 Pro networking adapter, which provides hardware offloading for overlay networks like VXLAN and NVGRE. This dramatically lowers CPU overhead, allowing more virtual machines to be supported per server. Test results show that with hardware offloading, VXLAN throughput is higher and CPU utilization is lower compared to software-only implementations. Offloading also reduces capital and operating expenses through increased server utilization and efficiency.
Converting From Nexus NX-OS Mode to ACI Mode.David kankam
The document provides instructions for converting a Nexus switch from NX-OS mode to ACI mode to use the switch with the Cisco Application Centric Infrastructure (ACI). It describes checking the current software version, ensuring hardware compatibility, and upgrading the image. The key steps are to disable NX-OS mode, copy an ACI image file to the switch, boot from this image file to load ACI software, and reload the switch. Instructions are also given to revert back to NX-OS mode if needed.
APNIC Network Operations Engineer and Senior Training Officer Sheryl Hermoso gives an update on ROA and RPKI deployment in the Philippines at PhNOG 2020 in Manila, Philippines, on 24 February 2020.
1. The document provides an introduction and tutorial on RPKI (Resource Public Key Infrastructure) and how it can be used to secure Internet routing and validate route origins using digital certificates and public key cryptography.
2. It describes the goals of RPKI to reduce routing leaks and hijacks by allowing ISPs to validate the authenticity of route announcements based on IP and ASN ownership.
3. The presentation demonstrates how to create ROAs (Route Origin Authorizations) and configure routers to validate route origins and make routing decisions based on the RPKI validation results.
The document discusses BGP (Border Gateway Protocol) and provides an overview of BGP configuration and a lab exercise. It begins with an introduction to BGP and the differences between iBGP and eBGP. Requirements for BGP configuration are outlined along with key commands. Finally, a lab diagram and steps for setting up BGP between two routers are described.
The document provides an overview of the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents like hijacking and misdirection. It discusses how RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that an Autonomous System is authorized to originate routes for specific IP address blocks. The key components of RPKI include Certificate Authorities, Relying Parties, and routers configured with RPKI support to filter routes based on validation of origin AS authorization. Deployment status at the Regional Internet Registries and an APNIC RPKI service are also covered.
Introduction to RPKI by Sheryl (Shane) HermosoMyNOG
The document discusses the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents caused by IP prefix hijacking and misorigination. It provides an overview of RPKI technical details, components, and deployment status. RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that IP prefixes are announced by their legitimate holders and prevent unauthorized route announcements. Major RPKI components include Certificate Authorities (CAs), Relying Parties (RPs), and routers configured to use RPKI data to validate BGP routes.
The document discusses the Resource Public Key Infrastructure (RPKI) which aims to address routing incidents caused by IP prefix hijacking and misorigination. It provides an overview of RPKI technical details, components, and deployment status. RPKI uses digital certificates and Route Origin Authorizations (ROAs) to validate that IP prefixes are announced by their legitimate holders and prevent unauthorized route announcements. Major RPKI components include Certificate Authorities (CAs), Relying Parties (RPs), and routers configured to use RPKI data to validate BGP routes.
This document provides a summary of Bangladesh's network status and security landscape. It finds that many ports are open and vulnerable, including ports 53, 161, 2000, and 80 on Mikrotik devices. IPv6 deployment is growing, led by Cloudflare, Zen-ECN, and telecom companies. RPKI validation of IP addresses is largely invalid. DDoS attacks target both network and application layers. Route leaks and hijacks occur. Shodan data shows many vulnerabilities. Emerging threats include 5G, IoT, supply chain attacks, and more. The document provides references for network and device hardening.
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
The document provides an introduction to internet routing, BGP hijacking, and the Resource Public Key Infrastructure (RPKI) system for securing internet routing. It discusses how BGP works and how hijacks can occur when more specific routes are announced. The document then summarizes the RPKI framework for validating route origins using Route Origin Authorizations (ROAs) and filtering routes based on their validation state. It provides examples of implementing RPKI on routers to help secure internet routing.
Global routing validation involves facilitating the validation of routing information on a global scale through two main systems - the Internet Routing Registries (IRR) and the Resource Public Key Infrastructure (RPKI). Routing information such as routing policies, autonomous system numbers, and IP prefixes should be publicly available in a common format to allow for global validation. The RPKI system uses digital certificates to authoritatively associate network resources like IP addresses and autonomous system numbers to their legitimate owners and allows identification of which autonomous systems have permission to originate those addresses. Implementing RPKI and origin validation helps secure routing and prevent route hijacking.
RPKI is a system that provides validation of IP address and AS number ownership through the use of digital certificates. It aims to reduce routing leaks and hijacking by allowing routers to verify that the origin AS of a route matches what is published in the RPKI database. The key components of RPKI are trust anchors maintained by Regional Internet Registries, Route Origin Authorizations (ROA) that are published by network operators, and validators that check BGP routes against the ROA database.
This document provides an introduction to RPKI (Resource Public Key Infrastructure) including its history, goals, and how it works. It discusses how RPKI uses public key cryptography and digital certificates to validate route origins and reduce routing leaks. It also covers how RPKI is implemented in practice through certificate authorities, repositories, route collectors, and router integration to filter BGP routes.
6th floorsharingsession ep 1 - networking - arp v 1.0A Achyar Nur
Protocol that allows dynamic distribution of the information needed to build tables to translate an address A in protocol P’s address space into a 48.bit Ethernet address. (RFC826)
ARP Terminology, How ARP works, and etc
Krzysztof Mazepa (Cisco Systems Poland) – architekt sieci / konsultant pracujący z najwiekszymi polskimi operatorami przewodowymi i kablowymi. Jego misją jest „tłumaczenie” wymogów businessowych klientów na oferowane rozwiązania technologiczne. Jego duże doświadczenie, 16 lat pracy w środowisku operatorskim, pozwala mu dostrzeć specyficzne wymagania tego rynku i zaproponować oczekiwane rozwiązanie.
Krzysztof jest częstym prelegentem na konferencjach PLNOG (Polish Network Operator Group), Cisco Forum, EURONOG (European Network Operator’s Group) oraz Cisco Live.
Posiada certyfikaty CCIE (Cisco Certified Internetwork Expert) #18 662, JNCIE (Juniper Networks Certified Internet Expert) #137, VMware Certified Professional 4 #99432 i wiele innych.
Krzysztof jest mieszkańcem Warszawy, w wolnym czasie ćwiczy biegi długodystansowe oraz gra w tenisa.
Temat prezentacji: BGP FlowSpec
Język prezentacji: Polski
Abstrakt: Celem sesji jest pokazanie podstaw działania BGP FlowSpec. Przedstawione zostaną podstawy teoretyczne oraz sposób wykorzystania przez operatorów SP do eliminowania ataków DDoS. Działanie rozwiązania zostanie zaprezentowane w wirtualnym środowisku korzystając z oprogramowania IOS XRv.
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
APNIC Director General Paul Wilson gives a presentation on the latest developments in IP address registry services, and their importance to Internet stability and security at the ICANN APAC-TWNIC Engagement Forum in Taipei, Taiwan from 16 to 17 April. 2019
Xerrada a càrrec de Paolo Lucente, de NTT Communications, sobre el BGP Monitoring Protocol (BMP), prèvia a la reunió número 44 de la Comissió Tècnica del CATNIX del 2 de juliol de 2021.
Digital Realty operates over 310 data centers globally with a presence in major metro and edge markets. It supports customers' global footprints through multi-tenant data center coverage, capacity, connectivity and control via its PlatformDIGITAL®. It has connectivity to ecosystems in third party facilities and implements best-of-breed infrastructure and services in multiple metros globally. Contact information is provided for representatives in cloud and digital cloud as well as network service providers.
- Embedded CDNs involve placing CDN servers within ISP networks to serve local end-users. This can improve performance by locating content closer to users.
- Many major CDNs and content providers now offer embedded servers, including Akamai, Netflix, Google, Amazon, and Facebook. Traffic from embedded servers accounts for around 14% of total CDN traffic based on one study.
- Benefits for ISPs include offloading external traffic and improving performance for end-users. CDNs use techniques like BGP, DNS, and geolocation to map users to the closest embedded server.
- The document discusses moving carrier networks towards a virtualized edge model using open-source containers and software-defined networking. This allows centralized orchestration and dynamic allocation of network resources.
- It proposes virtualizing traditional network services like MPLS and hosting them on virtualized edge nodes to add value for wholesale and enterprise customers. This could also enable use cases like secure SD-WAN connectivity and edge caching.
- Edge virtualization opens opportunities to host third-party and customer services on the edge through APIs. Examples include regional packet gateways, security services, and CDN expansion. The next steps outlined are to standardize key scenarios and conduct proofs-of-concept.
Equinix is expanding its global footprint with new data centers in Johor, Malaysia and Chennai, India. The Johor data center, called JH1, will have an initial capacity of 500 cabinets and 2.4MW of power, with a targeted launch in Q1 2024. Equinix is also expanding in Chennai with a new data center called CN1 that will provide over 4,960 cabinets and more than 16MW of power capacity upon full build out. In Malaysia, Equinix envisions developing a strong interconnection ecosystem in Johor to position the state as a data center hub to benefit from capacity constraints in neighboring Singapore.
Securing the Onion: 5G Cloud Native InfrastructureMyNOG
1) The document discusses securing 5G cloud native infrastructure using the Service Proxy for Kubernetes (SPK) and Secure Communication Proxy (SCP).
2) SPK provides ingress and egress services for telco protocols like HTTP/2, Diameter, and SIP to secure Kubernetes deployments. SCP simplifies and secures communications between network functions.
3) SCP and SPK work together to provide a secure "onion model" architecture for distributed 5G core deployments using mutual TLS and traffic management capabilities.
The document discusses the concept of a hierarchical network controller that can abstract and provide control over complex multi-domain, multi-vendor SDN transport networks. A hierarchical network controller sits above domain-specific SDN controllers and provides an end-to-end view of the network, combining capabilities from different network domains like IP, optical, and others. This allows domain controllers to focus on domain-specific functions while the hierarchical controller provides cross-domain intelligence and optimization for end-to-end services across technology and vendor boundaries. The document also presents a case study of Vodafone using such a hierarchical approach to manage its European transport network.
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformMyNOG
The document discusses Aether, an open source 5G/LTE connected edge cloud platform from the Open Networking Foundation (ONF). It aims to enable digital transformation through a cloud-native platform that supports disaggregated and virtualized mobile networks. Aether provides a common, neutral platform for building distributed edge applications and allows enterprises to deploy private 4G/5G networks. It has global deployments across multiple continents and edges that are centrally orchestrated from the cloud.
This document discusses reducing invalid routes in the RPKI system by cleaning up RPKI invalids. It provides information on ROA adoption rates in Southeast Asia, including a table showing the rates for several countries. It then reviews what RPKI and ROAs are, how route origin validation works, and examples of valid and invalid validation results. The document suggests tools and services like ROA prevalidation, routing status alerts, and ROA alert filters that can help clean up RPKI invalids. It also provides a summary of creating ROAs and notes continuous improvements are being made to documentation.
1) DE-CIX implemented a new "Peering LAN 2.0" architecture using an ARP/ND agent to reduce broadcast traffic and prevent IP spoofing in their peering LANs.
2) Previously, broadcast, unknown unicast, and multicast traffic exceeded 1.5 Mbps in DE-CIX Frankfurt's peering LAN using the old "Flood and Learn" method.
3) The new EVPN-based architecture with a centralized ARP/ND agent has significantly reduced this broadcast noise by over 90% according to testing results presented.
This document outlines an upcoming presentation on Kubernetes autoscaling and load balancing. The presentation will cover setting up pod and node autoscaling in Kubernetes, load balancing Kubernetes pods using services, and provide use cases for how network operators can take advantage of Kubernetes' scaling and load balancing capabilities for workloads like network operations, AIOps, and 5G functions. The agenda includes introductions to Kubernetes, networking models, capacity planning, horizontal pod and node autoscaling, and load balancing within pods using services.
The document discusses securing internet routing through Border Gateway Protocol (BGP) by:
1. Filtering incoming BGP routes on Google's network using routing data from Internet Routing Registries (IRRs) and Route Origin Validation (ROV) based on the Resource Public Key Infrastructure (RPKI) to validate route origins.
2. Monitoring for route disruptions using first and third party monitoring to detect BGP hijacks and leaks in external networks.
3. Collaborating with internet peers and customers through initiatives like the Mutually Agreed Norms for Routing Security (MANRS) to accelerate progress on securing internet routing.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
RPKI Introduction by Randy Bush
1. RPKI-Based Origin
Validation, Routers,
& Caches
MYNOG / Kuala Lampur
2013.11.28
Randy Bush <randy@psg.com>
Rob Austein <sra@hactrn.net>
Michael Elkins <me@sigpipe.org>
2013.11.28 MYNOG RPKI
1
2. Agenda
• Some Technical Background
• Mis-Origination - YouTube Incident
• The RPKI – Needed Infrastructure
• RPKI-Based Origin Validation
• Use the GUI to make ROAs and
look at the result on a router
• Build your own Relying Party Server
• Discussion
2013.11.28 MYNOG RPKI
2
3. This is Not New
• 1986 – Bellovin & Perlman identify the
vulnerability in DNS and Routing
• 1999 - National Academies study called it out
• 2000 – S-BGP – X.509 PKI to support Secure
BGP - Kent, Lynn, et al.
• 2003 – NANOG S-BGP Workshop
• 2006 – RPKI.NET(for ARIN) & APNIC start
work on RPKI. RIPE starts in 2008.
• 2009 – RPKI.NET Open Testbed and running
code in test routers
2013.11.28 MYNOG RPKI
3
4. What is an AS?
An ISP or End Site
Sprint
Verizon
AS 701
2013.11.28 MYNOG RPKI
AS
1239
Big ISPs ‘Peering’
IIJ
AS
2497
4
5. What is an AS?
An ISP or End Site
Sprint
Verizon
AS 701
Amazon
AS
16509
2013.11.28 MYNOG RPKI
AS
1239
Big ISPs ‘Peering’
IIJ
AS
2497
GoJ
Customers buy ‘Transit’
AS 234
Sakura
AS
9370
5
6. An IP Prefix is
Announced & Propagated
Sprint
Verizon
AS 701
Amazon
AS
16509
2013.11.28 MYNOG RPKI
AS
1239
Big ISPs ‘Peering’
IIJ
AS
2497
147.28.0.0/16
GoJ
Customers buy ‘Transit’
AS 234
Sakura
AS
9370
6
7. From Inside a Router
BGP routing table entry for 147.28.0.0/16
Origin AS
16509
1239
2497
234
The AS-Path
2013.11.28 MYNOG RPKI
7
8. Of Course it’s Uglier J
r1.iad#sh ip bgp 147.28.0.0/16
BGP routing table entry for 147.28.0.0/16, version 21440610
Paths: (2 available, best #1, table default)
Advertised to update-groups:
1
Refresh Epoch 1
16509
1239
2497
234
144.232.18.81 from 144.232.18.81 (144.228.241.254)
Origin IGP, metric 841, localpref 100, valid, external, best
Community: 3297:100 3927:380
path 67E8FFCC RPKI State valid
Refresh Epoch 1
16509
701 2497
234
129.250.10.157 (metric 11) from 198.180.150.253 (198.180.150.253)
Origin IGP, metric 95, localpref 100, valid, internal
Community: 2914:410 2914:1007 2914:2000 2914:3000 3927:380
path 699A867C RPKI State valid
2013.11.28 MYNOG RPKI
8
15. Three Pieces
• RPKI – Resource Public Key Infrastructure,
the Certificate Infrastructure to Support
the other Pieces (deployed at all RIRs)
• Origin Validation – Using the RPKI to
detect and prevent mis-originations of
someone else’s prefixes (in deployment)
• AS-Path Validation AKA BGPsec – Prevent
Path Attacks on BGP (in IETF)
2013.11.28 MYNOG RPKI
15
16. Why Origin Validation?
• Prevent YouTube accident & Far Worse
• Prevent 7007 accident, UU/Sprint 2 days!
• Prevents most accidental announcements
• Does not prevent malicious path attacks
such as the Kapela/Pilosov DefCon attack
• That requires Path Validation, the third
step, a few years away
2013.11.28 MYNOG RPKI
16
17. We Need to be Able to
Authoritatively Prove
Who Owns an IP Prefix
And What AS(s) May
Announce It
2013.11.28 MYNOG RPKI
17
24. X.509 Certificate w/ 3779 Ext
X.509 Cert
Signed
by
Parent’s
Private
Key
CA
RFC 3779
Extension
Describes IP
Resources (Addr & ASN)
SIA – URI for where this Publishes
Owner’s Public Key
2013.11.28 MYNOG RPKI
24
26. That’s Who Owns It
but
Who May Route It?
2013.11.28 MYNOG RPKI
26
27. Route Origin Authorization
(ROA)
CA
Owning Cert
98.128.0.0/16
147.28.0.0/16
EE Cert
98.128.0.0/16
End Entity Cert
can not sign certs.
can sign other things
e.g. ROAs
Public Key
Public Key
ROA
This is not a Cert
It is a signed blob
98.128.0.0/16
AS 42
2013.11.28 MYNOG RPKI
27
28. How RPKI is Generated
Up / Down
to Parent
GUI
RPKI
Certificate
Engine
Publication
Protocol
Resource PKI
IP Resource Certs
ASN Resource Certs
Route Origin Attestations
Up / Down
to Child
2013.11.28 MYNOG RPKI
28
29. Issuing Parties
IANA
Publication
Protocol
GUI
Please Issue My Cert
GUI
Please Issue My Cert
GUI
Please Issue My Cert
2013.11.28 MYNOG RPKI
Up/
Down
APNIC
Up/
Down
JPNIC
Up/
Down
Trust
Anchor
Resource
PKI
Cert Issuance
Publication
Protocol
Resource
PKI
Cert Issuance
Publication
Protocol
Resource
PKI
Cert Issuance
29
38. Result of Check
• Valid – A matching/covering ROA was
found with a matching AS number
• Invalid – A covering ROA was found, but
the AS number did not match, and there
was no other matching one
• NotFound – No matching or covering
ROA was found, same as today
2013.11.28 MYNOG RPKI
38
39. Configure Router
to Get ROAs
router bgp 651nn
…
bgp rpki server tcp 192.168.179.3 port 43779 refresh 60
bgp rpki server tcp 147.28.0.84 port 93920 refresh 60
…
2013.11.28 MYNOG RPKI
39
40. Valid!
r0.sea#show bgp 192.158.248.0/24
BGP routing table entry for 192.158.248.0/24, version 3043542
Paths: (3 available, best #1, table default)
6939 27318
206.81.80.40 (metric 1) from 147.28.7.2 (147.28.7.2)
Origin IGP, metric 319, localpref 100, valid, internal,
best
Community: 3130:391
path 0F6D8B74 RPKI State valid
2914 4459 27318
199.238.113.9 from 199.238.113.9 (129.250.0.19)
Origin IGP, metric 43, localpref 100, valid, external
Community: 2914:410 2914:1005 2914:3000 3130:380
path 09AF35CC RPKI State valid
2013.11.28 MYNOG RPKI
40
41. Invalid!
r0.sea#show bgp 198.180.150.0
BGP routing table entry for 198.180.150.0/24, version 2546236
Paths: (3 available, best #2, table default)
Advertised to update-groups:
2
5
6
8
Refresh Epoch 1
1239 3927
144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2)
Origin IGP, metric 759, localpref 100, valid, internal
Community: 3130:370
path 1312CA90 RPKI State invalid
2013.11.28 MYNOG RPKI
41
42. NotFound
r0.sea#show bgp 64.9.224.0
BGP routing table entry for 64.9.224.0/20, version 35201
Paths: (3 available, best #2, table default)
Advertised to update-groups:
2
5
6
Refresh Epoch 1
1239 3356 36492
144.232.9.61 (metric 11) from 147.28.7.2 (147.28.7.2)
Origin IGP, metric 4, localpref 100, valid, internal
Community: 3130:370
path 11861AA4 RPKI State not found
2013.11.28 MYNOG RPKI
42
47. After AS-Path
route-map validity-0
match rpki not-found
set metric 100
route-map validity-1
match rpki invalid
set metric 150
route-map validity-2
set metric 50
2013.11.28 MYNOG RPKI
47
48. Set a Community
route-map validity-0
match rpki valid
set community 3130:400
route-map validity-1
match rpki invalid
set community 3130:200
route-map validity-2
set community 3130:300
2013.11.28 MYNOG RPKI
48
49. And it is All Monitored
BGP Data
BGP
Updates
mark
RPKI-Rtr
Protocol
2013.11.28 MYNOG RPKI
Valid
Invalid
NotFound
RPKI
ROAs
SNMP
syslog
N
O
C
49
50. But in the End,
You Control Your Policy
“Announcements with Invalid origins
SHOULD NOT be used, but MAY be used
to meet special operational needs. In such
circumstances, the announcement SHOULD
have a lower preference than that given to
Valid or NotFound.”
-- draft-ietf-sidr-origin-ops
2013.11.28 MYNOG RPKI
50
51. RPKI at the Registries
• RIPE seriously deployed with a few
thousand LIRs and thousands of ROAs
• APNIC is operational and moving forward,
moving to RIPE’s GUI
• ARIN is doing their best to make RPKI
deployment very hard
• LACNIC is deployed and has 100s of LIRs
• AFRINIC is deployed with O(25) LIRs
2013.11.28 MYNOG RPKI
51
52. RIPE Progress
• Policy just passed to allow registration
of legacy space without having to
become a member or sign away all rights
• Policy just passed to allow registration
of 40,000 PI allocations to end sites
without having to become a full member
• And RIPE already had thousands of RPKI
registrations
2013.11.28 MYNOG RPKI
52
53. LACNIC / Ecuador
• LACNIC working with the Ecuador
Internet Exchange
• All ISPs and lmost all address space in
Ecuador is certified and has ROAs
• All members of the exchange are using
RPKI-Rtr protocol to get ROAs from a
cache at the exchange
• Watching routers to see markings
2013.11.28 MYNOG RPKI
53
55. Router Origin Validation
• Cisco IOS – solid in 15.2
• Cisco IOS/XR – shipped in 4.3.2
• Juniper – shipped in 12.2
• AlcaLu – in development
2013.11.28 MYNOG RPKI
55
56. RPKI Implementations
• RIPE/NCC – CA (partial closed) & RP
(partial open)
• APNIC – CA only – Closed Source
• RTRlib/Berlin – RP only – Open Source
• BBN – RP Only – Open Source
• RPKI.NET – CA & RP – Open Source
2013.11.28 MYNOG RPKI
56
57. RPKI.NET / Dragon Labs
• Open Source BSD License
• CA – Hosted and Delegated Models, GUI
• RP – RPKI-RTR, NOC Tools, IRR Gen
• FreeBSD, Ubuntu, Debian, … Packaged
(docs still catching up)
2013.11.28 MYNOG RPKI
57