APNIC Training Delivery Manager presents an analysis on Thailand's RPKI status at ThaiNOG Day 2021, held with the BKNIX Peering Forum 2021 from 13 to 14 May 2021.
PCTA e-Tech Show 2021: Securing Internet Routing (APNIC)
APNIC Training Delivery Manager Tashi Phuntsho gives a presentation on the importance of routing security at the PCTA e-Tech Show 2021, held online from 15 to 16 April 2021.
6th floor sharing session ep 1 - networking - ARP v1.0 (A Achyar Nur)
Protocol that allows dynamic distribution of the information needed to build tables to translate an address A in protocol P's address space into a 48-bit Ethernet address. (RFC 826)
ARP terminology, how ARP works, etc.
Juniper policy-based and filter-based forwarding (Mars Chen)
1. Juniper's FBF implementation separates firewall filtering and routing instance construction.
2. Firewall filtering directs packets to specific routing instances by applying filters with interface input/output directions and match/action criteria.
3. Routing instance construction uses import policies to select specific routes for routing instances based on route attributes and filters.
This document provides an overview and summary of OSPF multi-area concepts including:
- Areas are used to divide large OSPF networks into smaller areas to reduce routing table size and limit SPF calculations.
- There are different types of areas including normal, stub, totally stubby, and NSSA areas. Routing behavior varies between area types.
- Link state advertisements (LSAs) including router LSAs, network LSAs, inter-area LSAs, and AS external LSAs are used to distribute routing information within and between areas.
Things I wish I had known about IPv6 before I started (Faelix Ltd)
The document discusses things the author wishes they had known about IPv6 before starting to implement it for their small provider network. It covers IPv6 justification in terms of IPv4 address scarcity and rising costs, advice on IPv6 addressing plans and transition technologies, and gotchas like IPv6 neighbor discovery exhaustion issues. The author advocates for embracing IPv6 to avoid expensive IPv4 solutions and make the most of the large IPv6 allocations provided.
The BIRD Internet Routing Daemon project began in 1998 as a university seminar project. It is an open source routing software and hardware alternative to Quagga/Zebra. BIRD supports many routing protocols including RIP, OSPF, BGP, and more. It is portable, has IPv4 and IPv6 support, and powerful configuration and filtering capabilities. The current stable version is 1.6.3, while version 2.0 introduces major changes like integrated IPv4 and IPv6 support. BIRD is deployed widely and the developers welcome community testing and feedback to help guide future development.
The advent of Network Function Virtualization (NFV) is dramatically changing the way in which telecommunication networks are designed and operated. Traditional specialized physical appliances are replaced with software modules, called Virtual Network Functions (VNFs), running on a virtualization infrastructure made up of general purpose servers. Examples of VNF categories are NATs (Network Address Translation), firewalls, DPIs (Deep Packet Inspection), IDSs (Intrusion Detection Systems), load balancers, and HTTP proxies. Service Function Chaining (SFC) denotes the process of forwarding packets through a sequence of VNFs. IPv6 Segment Routing (SRv6) is a source routing paradigm that allows packets to be steered through an ordered list of VNFs in a simple and scalable manner. In these slides, we present the architecture of SFC using SRv6 for both SRv6-aware and SRv6-unaware VNFs. We provide an open source implementation and an easily replicable testbed for the presented work.
Slides for lecturing in Alpha Networks Inc.
Introduces the routing mechanism in Trellis, namely Segment Routing, from the upper side of application design and ONOS core functions to the lower side of fabric pipelines and flows on OFDPA.
Zenith Networks is a network integration services company that has been providing LAN, WAN, routing, switching, and security services for 27 years. They are a partner of Juniper Networks and are headquartered in Philadelphia, PA. The document provides information on Zenith Networks' services and certifications, as well as background on their partner Juniper Networks. It also includes steps to access education slides on OSPF routing protocols hosted on Zenith Networks' website.
The document describes migrating from OSPF to IS-IS as an IGP. It begins by discussing the preparation needed, such as verifying OSPF configuration, deploying IS-IS across the entire backbone, and setting OSPF's administrative distance higher than IS-IS. Next, it details removing any remaining OSPF configuration and confirming IS-IS is operating correctly before fully removing OSPF. The goal is a smooth migration to using a single IGP of IS-IS for both IPv4 and IPv6 routing.
MLAG provides invisible Layer 2 redundancy across switches by making them appear as a single logical switch. It establishes dual-connected ports across switches and synchronizes MAC address tables and BPDUs to eliminate duplicate packets and prevent spanning tree loops. MLAG configuration involves bonding dual-connected ports with a common CLAG ID and running the CLAGD protocol over a peer link to synchronize state.
MUM Europe 2017 - Traffic Generator Case Study (Fajar Nugroho)
This document provides an overview of using MikroTik's traffic generator tool to test and evaluate network devices and systems. It discusses how the traffic generator can be used to test performance by generating and sending different types of packets. It then provides examples of setting up simple and multi-port traffic generators for testing purposes. It also demonstrates how to generate fabricated packets to test firewall rules and queue configurations.
The presentation covers the basics of packet forwarding and simplified architecture of the router. Additionally it explains what problem Cisco Express Forwarding (CEF) solves and how. At the end static routing is covered.
Delivered by Dmitry Figol, CCIE R&S #53592.
Traffic Engineering Using Segment Routing (Cisco Canada)
1) The document discusses using segment routing for traffic engineering. It provides an overview of segment routing technology, use cases, control and data plane operations, and how segment routing can be used for traffic engineering.
2) Key aspects covered include how segment routing works by encoding a path as an ordered list of segments, different types of segments (IGP prefixes, adjacencies, BGP), and how this allows for application-engineered end-to-end paths.
3) Traffic engineering with segment routing provides explicit routing, supports constraint-based routing without needing RSVP-TE, and uses existing IGP extensions to advertise link attributes.
IPv6 Segment Routing is a major IPv6 extension that provides a modern version of source routing that is currently being developed within the Internet Engineering Task Force (IETF). We propose the first open-source implementation of IPv6 Segment Routing in the Linux kernel. We first describe it in detail and explain how it can be used on both end hosts and routers. We then evaluate and compare its performance with plain IPv6 packet forwarding in a lab environment. Our measurements indicate that the performance penalty of inserting IPv6 Segment Routing Headers or encapsulating packets is limited to less than 15%. On the other hand, the optional HMAC security feature of IPv6 Segment Routing is costly in a pure software implementation. Since our implementation has been included in the official Linux 4.10 kernel, we expect that it will be extended by other researchers for new use cases.
Presented at ANRW'17 https://irtf.org/anrw/2017/program.html on behalf of David Lebrun
MUM Middle East 2016 - System Integration Analyst (Fajar Nugroho)
This document discusses system integration and analysis using the ELK stack. It provides an overview of Elasticsearch for indexing and searching logs, Logstash for collecting, processing, and forwarding logs, and Kibana for visualizing logs. It then discusses using Radius, Rsyslog, Mikrotik logs, monitoring, and Netflow as sources to integrate into the ELK stack for centralized log collection, analysis, and visualization.
You may have hoped to retire before IPv6 became a reality, but unfortunately the IPv4 address exhaustion came too fast. For the rest of us, we're going to bite off a small piece of the 15-year-old IPv6 pie and talk about how to get started!
• Address format refresher
• IPv4 and IPv6 protocol comparison
• IPv6 neighbor discovery and auto-configuration
• Current migration and coexistence strategies
• ICMPv6, DHCPv6, and DNSv6
• How to get started at home
MPLS SDN 2016 - Microloop avoidance with segment routing (Stephane Litkowski)
The document discusses micro-loops in networks and how segment routing can be used to avoid them. Micro-loops are a natural phenomenon in hop-by-hop routed networks caused by transient disagreements between routers during convergence. Segment routing allows building a temporary loop-free path using a two-stage convergence - first using a precomputed loop-free label stack, then switching to the standard path once convergence is complete. This approach could help address issues caused by micro-loops like broken fast reroute and traffic loss.
Presentation about interior gateway routing protocol EIGRP which covers most of the concepts and features of the protocol.
Delivered by Dmitry Figol, CCIE R&S #53592.
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF) (anilinvns)
This document provides an overview of the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) routing protocols. It describes the key characteristics of EIGRP including that it is a hybrid routing protocol that uses metrics like bandwidth and delay to determine the best path. It also explains how to configure and verify EIGRP. For OSPF, the document outlines that it is an open standard link-state protocol, defines common OSPF terminology, and describes how to configure OSPF areas and verify the protocol. Loopback interfaces and troubleshooting OSPF are also briefly covered.
Segment Routing is a source routing architecture that embeds instructions, called segments, directly in the packet. This allows packets to be steered through specific paths in the network by prepending or stitching segment IDs. Segment Routing simplifies network operations by removing the need for signaling, label distribution, and per-flow state. Paths can either be computed distributively using IGP flooding of segment IDs, or explicitly programmed by a controller. This provides flexibility to engineers while keeping the forwarding plane stateless and simple.
Segment Routing provides traffic engineering capabilities without relying on RSVP by using source routing techniques. It distributes routing and segment information using IGP extensions. There are different types of segments including node, adjacency, prefix and anycast segments. Segment Routing can provide benefits like disjoint path routing and BGP on-demand next hop selection. It can also be integrated with a path computation element for traffic engineering. Segment Routing is best suited for greenfield deployments but can also be integrated into existing MPLS cores by configuring it on select nodes and using mapping servers.
This document provides the questions and answers for CCNA 1 Chapter 6 exam. It tests knowledge of router configuration commands, IPv4 and IPv6 addressing, routing tables, router interfaces, and memory. Some key points covered are that the copy running-config startup-config command saves the router configuration, the differentiated services field defines packet priority, and NAT is not needed in IPv6 because of the huge number of available addresses.
IAA Life in Lockdown series: Securing Internet Routing (APNIC)
APNIC Training Delivery Manager Tashi Phuntsho presents on practical ways to implement RPKI at the IAA Life in Lockdown online event, 'how to stop heists, hijacks and hostages', held on 21 July 2020.
1. The document discusses issues with securing internet routing and BGP hijacks. It provides examples of route leaks from AS1221 and AS10990 that impacted North American networks for over an hour.
2. Current practices for securing routes like peering agreements, LOA checks, and IRR lookups are discussed. The RPKI framework is introduced as a way to validate route origins using ROAs signed with cryptographic keys.
3. The implementation of RPKI involves generating ROAs for originated prefixes, running a validator, and enabling RTR on routers to filter routes based on validation states from the validator. Operational considerations include acting on invalid routes and propagating validation states between vendors.
32nd TWNIC IP OPM: ROA+ROV deployment & industry development (APNIC)
APNIC Infrastructure & Development Director Che-Hoo Cheng gives a presentation on ROA and ROV deployment and why routing security is becoming more important than ever at the 32nd TWNIC IP OPM in Taipei from 20 to 21 June 2019.
Cisco Connect Montreal 2017 - Segment Routing - Technology Deep-dive and Adva... (Cisco Canada)
This document provides an overview of Segment Routing (SR) and SRv6. It begins with a recap of SR basics like segment types and how segments are encoded in MPLS labels or IPv6 headers. It then covers SRv6 which uses an IPv6 routing header to encode segments for source routing. The document explains how SRv6 simplifies networking by eliminating the need for overlay protocols and protocols like RSVP. It details the SRv6 header format and how packets are processed hop-by-hop through the segment list.
Segment Routing Technology Deep Dive and Advanced Use Cases (Cisco Canada)
The document provides an overview of Segment Routing technologies including SRv6. It begins with a recap of Segment Routing concepts and how it simplifies network operations. It then covers SRv6 which extends Segment Routing to IPv6 networks to take advantage of growing IPv6 adoption. The document discusses how SRv6 can further simplify networks and support new services and traffic patterns from 5G, IoT, and container-based microservices.
AutoIP - A mechanism for IPv6 migration and IPv4 sunsetting by Shishio Tsuchiy... (APNIC)
AutoIP is a mechanism for IPv6 migration and IPv4 sunsetting that dynamically creates an overlay tunnel topology using native IGPs to discover tunnel endpoints. It allows networks to transition from IPv4 to IPv6 in phases, first deploying IPv6 over IPv4 tunnels, then IPv4 over IPv6, before finally transitioning to a native IPv6 network. Cisco has implemented AutoIP in early field trial code that establishes OSPFv3-based tunnels for IPv6 and IPv4 routing using GRE tunnels.
Resource Public Key Infrastructure - A Step Towards a More Secure Internet Ro... (akg1330)
RPKI is a relatively new technology that permits origin validation for IP prefixes. This is an important step towards securing the global routing infrastructure.
Presentation given during Firetalks at ShmooCon 2015:
http://youtu.be/oa8T5HLtY8I
This document discusses IPv6 security. It begins with an overview of IPv6 address types and headers. It then notes that some initial assumptions about IPv6 security being more robust have been disproven in reality. Specifically, IPv6 is now the target of around 20% of malicious attacks. The document outlines several IPv6 security threats such as address spoofing, extension header attacks, neighbor discovery spoofing, and rogue router advertisements. It recommends approaches like ingress filtering, RA guard, and SEND to help detect and mitigate these threats. Tools like NDPMon can monitor for anomalies in neighbor discovery behavior. Overall, network operators must apply similar security practices to IPv6 as with IPv4, including access controls, host hardening, and
HKNOG 12.0: RPKI Actions Required by HK Networks (APNIC)
APNIC Infrastructure and Development Director Che-Hoo Cheng presents on the actions Hong Kong network operators need to take to deploy RPKI in their networks.
This document discusses how multi-homing and RPKI can provide robust and secure internet connections. It explains that multi-homing with BGP allows networks to direct traffic through the most cost effective connections, improving resilience and performance. RPKI helps secure BGP routing by preventing route hijacking and mis-origination through the use of Route Origin Authorizations (ROAs) and an RPKI validator. ROAs authorize which ASNs can originate which IP prefixes. The validator checks BGP updates against ROAs to label routes as valid, invalid, or not found. This validation information can then be used to define routing policies.
Dan York - Presentation at Emerging Communications Conference & Awards (eComm... (eCommConf)
This document discusses how IPv6 will impact telecom systems and voice over IP (VoIP) applications. It notes that the exhaustion of IPv4 addresses means IPv6 adoption is necessary, but that IPv6 presents challenges for VoIP including longer and more complex addresses, multiple addresses per interface, and compatibility issues between IPv4 and IPv6 networks and protocols. The document recommends solutions like address compression, neighbor discovery, happy eyeballs, and protocols like SIP, SDP, ICE and STUN/TURN that help with the IPv6 transition. It also provides examples of IPv6-ready VoIP software and resources for testing IPv6 networks.
The document discusses RPKI (Resource Public Key Infrastructure) deployment factors in Japan. It notes that RPKI deployment has been slower in Asia including Japan compared to Europe. It outlines some of the challenges including that router implementations are still being enhanced and operational practices need to mature. It also notes that JPNIC and JPNAP have recently launched public RPKI ROA caches to help accelerate deployment in Japan. The document closes by outlining some issues seen with RPKI validation and provides a proposed step-by-step approach to RPKI deployment.
APNIC Training Manager Tashi Phuntsho presents on why it is important to secure Internet routing and how to work towards it with good filtering practices at LkNOG 3 in Colombo, Sri Lanka from 2 to 4 October 2019.
This document discusses securing internet routing by validating route origins and paths. It describes some of the issues with the current routing system, including that there is no single authority and routing works based on rumors. It then introduces the Resource Public Key Infrastructure (RPKI) system, which uses digital signatures and certificates to validate route origins by tying IP addresses and autonomous system numbers to their legitimate holders. This allows for route origin validation using Route Origin Authorizations (ROAs). It notes that AS path validation is also needed to fully secure routing, but faces challenges in terms of resources and adoption. Basic routing security practices and industry initiatives are recommended in the meantime.
MPLS enables packets to be forwarded based on labels rather than IP addresses. PE routers add labels to incoming packets and remove labels from outgoing packets. P routers swap or pop labels to forward packets. MPLS with L3 VPN allows private networks in different locations to communicate securely over a shared infrastructure by associating routes with virtual routing instances (VRFs) and advertising them using BGP. An example configuration shows VRF and BGP configuration, along with commands to view MPLS label bindings and packet forwarding information.
APNIC Training Manager Tashi Phuntsho presents on why it is important to secure Internet routing at npNOG 5 in Kathmandu, Nepal, from 8 to 13 December 2019.
Similar to ThaiNOG Day 2021: Thailand's Route Validity (20)
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 (APNIC)
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41 jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presents 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presents 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
Geoff Huston, Chief Scientist at APNIC deliver keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
Paul Wilson, Director General of APNIC delivers a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
Tom Harrison, Product and Delivery Manager at APNIC presents at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16-22 March 2024
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
Che-Hoo Cheng, Senior Director, Development at APNIC presents on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19-22 February 2024.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
7. Why do we keep seeing these?
• As always, there is no Evil (E) bit (RFC3514)
  – a bad routing update does not identify itself as BAD
  -> Hence, approximate the GOOD
8. Enter the RPKI framework
[Diagram] The holder of 2406:6400::/32 (AS17821) publishes a ROA for 2406:6400::/32-48 with origin AS17821 in the RPKI repository. A validator fetches the repository over rsync/RRDP, validates the ROA, and feeds the resulting VRP to the routers over RPKI-to-Router (RTR). Two announcements of 2406:6400::/48 then arrive at the validating router:
  – 2406:6400::/48 65551 65550 17821 i : origin AS17821 matches the ROA -> Valid
  – 2406:6400::/48 65553 65552 i : origin AS65552 is not authorized by any covering ROA -> Invalid
14. TH Focus
Invalids announced from Thailand, by registry and by reason (AS = wrong origin AS, ML = prefix longer than max-length, ASML = both):

          Registry         Reason
          APNIC   RIPE     AS    ML    ASML
  IPv4      59      1      17    28     15
  IPv6      29     NA      NA    29     NA

[Chart: IPv4 (INVALID) ~ 62%, invalids per origin network, each bar labelled with its reason]
  MUT (AS55760) AS; WIN (AS45223) ML; JASTEL-IDC (AS55423) ML; TRUE IG (AS38082) ASML; THAMMASAT (AS37992) ASML

[Chart: IPv6 (INVALID) ~ 90%, invalids per origin network, all of them ML]
  AsiaNet (AS7470); DTN (AS9587); JasTel (AS45629); TRIPLE T (AS45758); JASTEL-IDC (AS55423)
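The Valid/Invalid decision from the slide 8 diagram and the AS/ML/ASML breakdown in the table above, as an added example that is not part of the ThaiNOG slides or of APNIC's tooling. It implements RFC 6811 origin validation over a hand-built set of ROAs (the 2406:6400::/32-48 AS17821 ROA is the slide's; the documentation prefixes, the AS0 ROA and every other ASN are constructed) and, for an Invalid route, reports which of the three reasons applies. The classification rule (an ROA for the origin exists -> ML; an ROA allowing that length exists -> AS; neither -> ASML) is our own reading of the categories, not a published definition.

```python
"""RFC 6811 Route Origin Validation plus a reason code for Invalid routes.

Added example; not the slides' or APNIC's code. All data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str   # covered prefix, e.g. "2406:6400::/32"
    maxlen: int   # longest prefix the origin may announce
    asn: int      # authorized origin; 0 is the RFC 6483 "nobody may originate this" ROA


# Constructed sample ROAs (VRPs as the router would receive them over RTR).
ROAS = [
    ROA("2406:6400::/32", 48, 17821),   # from the slide diagram
    ROA("203.0.113.0/24", 24, 65000),   # RFC 5737 documentation prefix, made-up ASN
    ROA("198.51.100.0/24", 24, 0),      # AS0 ROA, e.g. an IXP peering LAN
]


def covering_roas(roas, prefix):
    """ROAs whose prefix equals or is less specific than the route prefix."""
    net = ip_network(prefix)
    out = []
    for r in roas:
        rnet = ip_network(r.prefix)
        if rnet.version == net.version and net.subnet_of(rnet):
            out.append(r)
    return out


def origin_as(as_path):
    """Origin AS is the rightmost ASN in AS_PATH; an empty path has none."""
    return as_path[-1] if as_path else None


def validate(roas, prefix, as_path):
    """RFC 6811: NotFound if no covering ROA, Valid if one matches origin and length, else Invalid."""
    cover = covering_roas(roas, prefix)
    if not cover:
        return "NotFound"
    plen = ip_network(prefix).prefixlen
    origin = origin_as(as_path)
    # An AS0 ROA can never match because no real origin AS is 0.
    if any(r.asn == origin and plen <= r.maxlen for r in cover):
        return "Valid"
    return "Invalid"


def invalid_reason(roas, prefix, as_path):
    """Our classification of an Invalid route: 'AS', 'ML' or 'ASML'; None if not Invalid."""
    if validate(roas, prefix, as_path) != "Invalid":
        return None
    cover = covering_roas(roas, prefix)
    plen = ip_network(prefix).prefixlen
    origin = origin_as(as_path)
    as_ok = any(r.asn == origin for r in cover)       # some ROA names this origin
    ml_ok = any(plen <= r.maxlen for r in cover)      # some ROA allows this length
    if as_ok:
        return "ML"      # right origin, announcement too specific
    if ml_ok:
        return "AS"      # length is fine, origin AS is not authorized
    return "ASML"        # neither the origin nor the length is covered


# Constructed routes as (prefix, AS_PATH); the first two are the slide's example.
ROUTES = [
    ("2406:6400::/48", (65551, 65550, 17821)),
    ("2406:6400::/48", (65553, 65552)),
    ("203.0.113.0/25", (65010, 65000)),
    ("203.0.113.128/25", (65010, 65001)),
    ("198.51.100.0/24", (64500,)),
    ("192.0.2.0/24", (64500,)),
]


def validate_all(roas=ROAS, routes=ROUTES):
    """Map (prefix, AS_PATH) to (state, reason) for every sample route."""
    return {(p, path): (validate(roas, p, path), invalid_reason(roas, p, path))
            for p, path in routes}


if __name__ == "__main__":
    for key, result in validate_all().items():
        print(key, result)
```

The second route reproduces the slide's Invalid case and comes out as an "AS" invalid, which is also the bucket the MUT bar in the chart sits in; the 203.0.113.0/25 routes show the ML and ASML cases that dominate the Thai numbers.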
15. Implementation
• Sign your route origins (create your ROAs)
• ** Multiple ROAs can exist for the same prefix
  Example ROA: Prefix 2406:6400::/32, Max-length /36, Origin ASN AS45192
16. ROA considerations
• Max length attribute
  – Minimal ROA
    • ROAs to cover only those prefixes announced in BGP
    • https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-03
  – Reduces the spoofed origin-AS attack surface
[Chart: INVALIDS (ML), IPv4 and IPv6, monthly from Dec '19 to May '21, y-axis 0 to 7000]
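What "minimal ROA" buys you, as an added example (not from the slides or the draft): it derives ROAs whose max-length equals the announced length from the prefixes an AS really originates, and counts how many more-specific prefixes a forged-origin hijacker (someone who announces a more-specific with the real origin AS appended to the AS_PATH, so ROV says Valid) could get away with under the slide's permissive ROA versus the minimal set. The ROA 2406:6400::/32, max-length /36, AS45192 is the slide's; the list of prefixes AS45192 is assumed to announce is constructed.

```python
"""Minimal ROAs versus a permissive max-length: size of the forged-origin attack surface.

Added example; not the slides' or APNIC's code. Announced prefixes are assumed.
"""
from ipaddress import ip_network

HOLDER_ASN = 45192
# Constructed: what AS45192 is assumed to actually announce in BGP.
ANNOUNCED = ["2406:6400::/32", "2406:6400:1000::/36"]
# The slide's ROA: /32 with max-length /36.
PERMISSIVE_ROAS = [("2406:6400::/32", 36, HOLDER_ASN)]


def minimal_roas(asn, announced):
    """One ROA per announced prefix with max-length equal to the announced length."""
    roas = set()
    for p in announced:
        n = ip_network(p)
        roas.add((str(n), n.prefixlen, asn))
    return sorted(roas)


def valid_prefix_count(prefix, maxlen):
    """Distinct prefixes one ROA marks Valid for its origin:
    sum over lengths l = prefixlen..maxlen of 2**(l - prefixlen)."""
    n = ip_network(prefix)
    if maxlen < n.prefixlen:
        raise ValueError("max-length shorter than the ROA prefix")
    return sum(2 ** (l - n.prefixlen) for l in range(n.prefixlen, maxlen + 1))


def forged_origin_surface(roas, announced):
    """Prefixes an attacker can announce as ROV-Valid by forging the origin AS that the
    holder does not announce itself. Being more specific than anything real, they win
    in the FIB. Assumes the ROAs do not overlap one another."""
    real = {str(ip_network(p)) for p in announced}
    total = sum(valid_prefix_count(p, ml) for p, ml, _ in roas)
    return total - len(real)


def compare(asn=HOLDER_ASN, announced=ANNOUNCED, permissive=PERMISSIVE_ROAS):
    """Attack surface under the permissive ROA and under the minimal ROA set."""
    minimal = minimal_roas(asn, announced)
    return {
        "permissive_roas": list(permissive),
        "permissive_surface": forged_origin_surface(permissive, announced),
        "minimal_roas": minimal,
        "minimal_surface": forged_origin_surface(minimal, announced),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(k, v)
```

With the /32-36 ROA there are 31 prefixes the origin may announce; if only two of them are real, 29 more-specifics are hijackable with a forged origin, whereas the two minimal ROAs leave none. The same arithmetic for a /32-48 ROA gives 131071 Valid prefixes, which is why the draft argues for minimal ROAs rather than covering "everything we might announce one day".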
17. ROA considerations
• Know your network (origin AS)
  – Do you have multiple ASes?
    • Are they independent ASes? or
    • Transit AS + multiple access/stub ASes?
  https://blog.apnic.net/2020/04/10/rise-of-the-invalids/
[Chart: INVALIDS (AS), IPv4 and IPv6, monthly from Dec '19 to May '21, y-axis 0 to 2500]
18. ROA considerations
• Know your network (ASML)
[Chart: INVALIDS (ASML), IPv4 and IPv6, monthly from Dec '19 to May '21, y-axis 0 to 1800]
19. Implementation
• Run your own RPKI validator:
  – ** RIPE Validator - https://github.com/RIPE-NCC/rpki-validator-3
  – Routinator - https://github.com/NLnetLabs/routinator/releases/tag/v0.8.3
  – OctoRPKI/GoRTR (Cloudflare's toolkit) - https://github.com/cloudflare/cfrpki
  – Fort (NIC Mexico's Validator) - https://nicmx.github.io/FORT-validator/
  https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/
20. Validator considerations
• Securing the RTR session
  – Plain text (TCP)
    • only run it within your own routing domain
  – Other auth options
    • SSH (v2)
    • MD5 auth
    • IPsec
    • TLS
    • TCP-AO
21. Validator considerations
• When the RTR session fails
  – The router keeps using its cached VRPs until the expire interval of the ROA cache runs out
    • Know your platform defaults
    • JunOS/SR-OS ~ 3600s, IOS-XE ~ 300s (RFC 8210 minimum ~ 600s)
  – After that every route evaluates to NOT FOUND
    • Including routes that were Invalid a moment ago
  – Hence, run at least 2 validators (RTR sessions)
23. Implementation
• Enable RTR on your routers
• eBGP speakers (border/peering/transit)
  – Know your platform defaults and knobs
    • Eg: IOS-XE won't use Invalids for best path selection by default

  IOS-XE:
    router bgp 131107
     bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>

  JunOS:
    routing-options {
        autonomous-system 131107;
        validation {
            group rpki-validator {
                session <validatorIP> {
                    refresh-time <secs>;
                    port <323/3323/8282>;
                    local-address X.X.X.X;
                }
            }
        }
    }

  IOS-XR:
    router bgp 131107
     rpki server <validatorIP>
      transport tcp port <323/3323/8282>
      refresh-time <secs>
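What actually flows over the RTR session configured above, and what the router does with it when the session dies (slides 21 and 23), as an added example that is not the slides' or any vendor's code. It encodes the RFC 8210 (RTR v1) reply a validator sends to a Reset Query (Cache Response, one Prefix PDU per VRP, End of Data), parses the byte stream on the router side, and models the cache timers: VRPs stay usable until the Expire Interval from End of Data elapses, after which every route falls back to NotFound. The 2406:6400::/32-48 AS17821 VRP is the slide's; the second VRP, the session id, the serial and the 300 s expire value (chosen to mirror the slide's IOS-XE figure, and deliberately below the RFC's 600 s minimum) are constructed.

```python
"""RPKI-to-Router (RFC 8210) exchange and cache-expiry behaviour.

Added example; not the slides', APNIC's or a vendor's code. Sample data is constructed.
"""
import struct
from ipaddress import ip_address, ip_network

RTR_V1 = 1
SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 1, 2, 3
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, CACHE_RESET = 4, 6, 7, 8
FLAG_ANNOUNCE = 1          # flags bit 0: 1 = announce, 0 = withdraw


def pdu(ptype, session_or_zero, body=b""):
    """8-byte RTR header: version, PDU type, session id (or zero), total length."""
    return struct.pack("!BBHI", RTR_V1, ptype, session_or_zero, 8 + len(body)) + body


def prefix_pdu(prefix, maxlen, asn, announce=True):
    """IPv4 Prefix (type 4, 20 bytes) or IPv6 Prefix (type 6, 32 bytes) PDU."""
    net = ip_network(prefix)
    body = struct.pack("!BBBB", FLAG_ANNOUNCE if announce else 0, net.prefixlen, maxlen, 0)
    body += net.network_address.packed + struct.pack("!I", asn)
    return pdu(IPV6_PREFIX if net.version == 6 else IPV4_PREFIX, 0, body)


def cache_response(session, serial, vrps, refresh=3600, retry=600, expire=7200):
    """Validator's full reply to a Reset Query. Timer defaults are the RFC 8210 defaults."""
    out = pdu(CACHE_RESPONSE, session)
    for prefix, maxlen, asn in vrps:
        out += prefix_pdu(prefix, maxlen, asn)
    out += pdu(END_OF_DATA, session, struct.pack("!IIII", serial, refresh, retry, expire))
    return out


def parse_stream(data):
    """Router side: walk the stream by the length field, collect VRPs and the End of Data timers."""
    vrps, timers, i = [], None, 0
    while i + 8 <= len(data):
        version, ptype, _session, length = struct.unpack_from("!BBHI", data, i)
        if version != RTR_V1 or length < 8 or i + length > len(data):
            raise ValueError("malformed or truncated PDU")
        body = data[i + 8:i + length]
        if ptype in (IPV4_PREFIX, IPV6_PREFIX):
            alen = 4 if ptype == IPV4_PREFIX else 16
            flags, plen, maxlen, _ = struct.unpack_from("!BBBB", body, 0)
            addr = ip_address(body[4:4 + alen])
            (asn,) = struct.unpack_from("!I", body, 4 + alen)
            vrp = (f"{addr}/{plen}", maxlen, asn)
            if flags & FLAG_ANNOUNCE:
                vrps.append(vrp)
            elif vrp in vrps:
                vrps.remove(vrp)
        elif ptype == END_OF_DATA:
            serial, refresh, retry, expire = struct.unpack_from("!IIII", body, 0)
            timers = {"serial": serial, "refresh": refresh, "retry": retry, "expire": expire}
        i += length
    return vrps, timers


class RouterCache:
    """What the router holds after End of Data, and how long it trusts it without a session."""

    def __init__(self, vrps, timers, received_at):
        self.vrps, self.timers, self.last_update = list(vrps), timers, received_at

    def usable_vrps(self, now, session_up):
        if session_up or now - self.last_update < self.timers["expire"]:
            return self.vrps
        return []   # expired: no VRPs at all, so every route now evaluates NotFound


def demo():
    """One session: constructed validator reply, parsed by the router, then the session is lost."""
    session, serial = 0x1234, 42
    wire = cache_response(session, serial,
                          [("2406:6400::/32", 48, 17821), ("203.0.113.0/24", 24, 65000)],
                          expire=300)
    vrps, timers = parse_stream(wire)
    cache = RouterCache(vrps, timers, received_at=1000)
    return {
        "pdu_bytes": len(wire),
        "vrps": vrps,
        "timers": timers,
        "usable_100s_after_loss": len(cache.usable_vrps(1100, session_up=False)),
        "usable_400s_after_loss": len(cache.usable_vrps(1400, session_up=False)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things the numbers make visible: with a 300 s expire the router is blind to hijacks five minutes after losing its only validator, and since the failure mode is NotFound rather than Invalid, a "drop Invalids" policy silently stops dropping. A second RTR session to an independent validator keeps the cache alive through one failure.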
24. Implementation
• Acting on the validation states
  – Tag & do nothing: You have downstream/route server @IXPs
  – RFC7115 – preference
  – Drop Invalids
[Figure: the same prefix announced three times, Valid (ASN:65XX0), Not Found (ASN:65XX1), Invalid (ASN:65XX2), and preferred in the order Valid > Not Found > Invalid; annotations IPv4 ~ 7K, IPv6 ~ 2K]
27. Operational Considerations
• iBGP state propagation ~ vendor interop?
  – Ex: IOS propagating states to JunOS peers: the RFC8097 origin validation state extended community (type 0x4300) is shown on the JunOS side as "unknown iana 4300"
  – Options (hack):
    • Act on the states at the border, OR
    • Tag/match with custom (standard) communities
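The two ways of carrying the ROV state across iBGP from the slide, as an added example that is not the slides' or any vendor's code: encoding and decoding the 8-byte RFC 8097 BGP Prefix Origin Validation State Extended Community (type 0x43, sub-type 0x00, state in the last octet: 0 Valid, 1 Not Found, 2 Invalid; those first two bytes are the "4300" a JunOS peer prints when it does not recognize it), and the standard-community fallback the slide calls a hack. The private ASN 65000 and the 1001/1002/1003 tag values are an assumed local convention, and the local-preference numbers are one RFC 7115-style ordering of our choice; none of that is standardized.

```python
"""ROV state across iBGP: RFC 8097 extended community and a standard-community fallback.

Added example; not the slides' or a vendor's code. Tag ASN, tag values and
local-preference numbers are assumed local conventions.
"""

OV_TYPE, OV_SUBTYPE = 0x43, 0x00            # RFC 8097: non-transitive opaque, sub-type 0
OV_STATES = {0: "Valid", 1: "NotFound", 2: "Invalid"}
OV_CODES = {name: code for code, name in OV_STATES.items()}

# Assumed fallback convention. Standard communities carry a 16-bit ASN, so a
# 4-byte ASN such as the slide's 131107 cannot be used here; a private ASN is.
TAG_ASN = 65000
STD_TAGS = {"Valid": 1001, "NotFound": 1002, "Invalid": 1003}
# RFC 7115 ordering Valid > NotFound > Invalid; the values themselves are ours.
LOCAL_PREF = {"Valid": 110, "NotFound": 100, "Invalid": 90}


def encode_ov_state(state):
    """Build the 8-byte RFC 8097 extended community for a validation state."""
    return bytes([OV_TYPE, OV_SUBTYPE, 0, 0, 0, 0, 0, OV_CODES[state]])


def decode_ov_state(ext_comm):
    """Return the state carried by an RFC 8097 community, or None for any other community."""
    if len(ext_comm) != 8 or ext_comm[0] != OV_TYPE or ext_comm[1] != OV_SUBTYPE:
        return None
    return OV_STATES.get(ext_comm[7])       # unknown state value: treated as not carried


def encode_std_community(asn, value):
    """RFC 1997 standard community as a 32-bit integer (ASN:value)."""
    return (asn << 16) | (value & 0xFFFF)


def std_community_str(comm):
    return f"{comm >> 16}:{comm & 0xFFFF}"


def state_from_std_communities(communities, tag_asn=TAG_ASN):
    """Recover the state from our own ASN:tag convention, if present."""
    tags = {v: k for k, v in STD_TAGS.items()}
    for c in communities:
        if c >> 16 == tag_asn and (c & 0xFFFF) in tags:
            return tags[c & 0xFFFF]
    return None


def ibgp_state(ext_communities, std_communities):
    """Prefer the RFC 8097 community; fall back to the standard-community tag; else None."""
    for ec in ext_communities:
        state = decode_ov_state(ec)
        if state is not None:
            return state
    return state_from_std_communities(std_communities)


def local_pref_for(state):
    """Policy of our choice: an untagged iBGP route is treated like NotFound."""
    return LOCAL_PREF.get(state, LOCAL_PREF["NotFound"])


if __name__ == "__main__":
    # Constructed: what the border router would attach to an Invalid route.
    ec = encode_ov_state("Invalid")
    sc = encode_std_community(TAG_ASN, STD_TAGS["Invalid"])
    print(ec.hex(), std_community_str(sc))
    print(ibgp_state([ec], []), ibgp_state([], [sc]), local_pref_for(ibgp_state([], [])))
```

The extended community is the cleaner option because the receiving router's own policy language can match on the state directly; the standard-community tag is what you fall back to when the far end prints "unknown iana 4300" and cannot match it. Either way the border router must strip or overwrite any such community arriving from eBGP peers, otherwise a neighbour can claim its routes are Valid.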
28. Other developments
• ROA with AS0 origin (RFC6483/RFC7607)
  – Negative attestation
    • No valid ASN has been granted authority
    • Not to be routed (Eg: IXP Peering LAN prefixes)
  – Overridden by another ROA (with an origin AS other than AS0) covering the same prefix
  – APNIC's RPKI backend has supported this since Nov 2018
29. Other developments
• Prop-132 based AS0 ROA
  – APNIC is directed to publish an AS0 ROA for undelegated and unassigned APNIC space
    • ~ comparable to RFC6491 for special use/reserved/unallocated IANA space
  – APNIC implemented this on 2 Sept 2020
    • Separate TAL ~ opt-in (the main RPKI TAL is included in all RPs)
  – Process:
    • "fast to remove" (within 5 mins of delegation)
    • "slow to add" (undelegated/reclaimed resources added by a cron job)
30. Summary
• Maintain BGP OpSec hygiene – RFC7454/RFC8212
  – RFC8212: BGP default reject or something similar
  – Filter your customers and peers
    • Prefix filters, Prefix limit
    • AS-PATH filters, AS-PATH limit
    • Use IRR objects (source option) or ROA-to-IRR
  – Filter your upstream(s)
  – Create ROAs for your resources
  – Filter inbound routes based on ROAs -> ROV
• Join industry initiatives like MANRS
  • https://www.manrs.org/