This document summarizes a joint research project between JPRS and several Japanese ISPs to enhance DNS resiliency. The goals were to install DNS servers in multiple regions of Japan to distribute query load and ensure continuity of DNS services during natural disasters. ISPs configured their networks to direct queries to local DNS nodes hosted by JPRS within their networks. Evaluation found queries shifted towards local nodes, response times improved, and Internet services remained available within ISP networks even when other DNS sites were unreachable, demonstrating increased DNS resiliency.
This document discusses running a local copy of the DNS root zone on resolvers to provide additional resiliency against DDoS attacks and decrease query response times. It presents three options: running the root zone on the resolver without DNSSEC validation; running it with DNSSEC validation but requiring the use of views; and running authoritative nameservers off the resolver to serve the root zone, which is the recommended approach. Maintaining a local root copy could improve resilience but also introduces complexity, so careful consideration is required before implementation.
This document discusses Fastly's approach to managing router routing tables and peering connections to reduce the size of routing tables and ensure key routes are prioritized. It involves using smart caches and switches with BGP configuration, filtering routes based on value, and using default routes for backup. This minimum viable FIB approach focuses on high value routes and utilizes tools like sFlow and route servers to monitor traffic and carefully select important routes to optimize routing tables while relying on transit connections for lower value routes.
LF_OVS_17_OVS-DPDK Installation and Gotchas (LF_OpenvSwitch)
1) The document provides instructions for installing and configuring OVS DPDK on Ubuntu 17.04, including specifying hardware, installing prerequisites, configuring grub, identifying NIC ports, binding interfaces to DPDK drivers, setting up the OVS bridge and adding ports.
2) Key steps include reserving hugepages in grub, binding NICs to igb_uio or vfio-pci drivers, setting OVS configuration like datapath type and memory allocation, and adding interfaces to the OVS bridge.
3) The scripts provided automate many of these steps but additional manual configuration may still be needed and issues can occur with making interfaces persistent after reboots.
LISP + GETVPN as alternative to DMVPN+OSPF+GETVPN (Job Snijders)
These slides are from a presentation I gave at the Cisco NAG2010 conference about using LISP to build large VPNs over the Internet instead of regular GRE or DMVPN based setups.
LF_OVS_17_Red Hat's perspective on OVS HW Offload Status (LF_OpenvSwitch)
This document summarizes Red Hat's perspective on the status of OVS hardware offloading. It discusses why offloading is needed to avoid using too many CPU cores for software switching. It provides examples of performance gains seen with various NIC vendors' offloading solutions integrated into the kernel and OVS. While many vendors now have offerings, more work remains to be done and is ongoing to fully integrate offloading capabilities.
This document summarizes a presentation on DNS64 and NAT64 given by Simon Perreault. It discusses how DNS64 and NAT64 address the issues that led to the deprecation of NAT-PT as a solution for IPv6 migration. DNS64 acts as a DNS server that provides synthetic AAAA records to resolve IPv6 addresses for IPv4-only sites, while NAT64 translates between IPv6 and IPv4 at the network layer, allowing IPv6-only clients to connect to IPv4-only servers. The document outlines how DNS64 and NAT64 work together to enable this IPv6-IPv4 translation and connectivity. It also compares DNS64/NAT64 to other proposed IPv6 transition technologies and discusses deployment considerations like scaling
This document provides an agenda and overview for a hands-on lab on using DPDK in containers. It introduces Linux containers and how they use fewer system resources than VMs. It discusses how containers still use the kernel network stack, which is not ideal for SDN/NFV usages, and how DPDK can be used in containers to address this. The hands-on lab section guides users through building DPDK and Open vSwitch, configuring them to work with containers, and running packet generation and forwarding using testpmd and pktgen Docker containers connected via Open vSwitch.
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP (APNIC)
This document discusses implementing DNS Response Policy Zones (RPZ) to provide secure internet access for all users without requiring new hardware or client-side changes. It describes considerations for RPZ, how RPZ works to block malicious DNS resolutions, the components of a real-world implementation case study at a major Bangladeshi ISP, and monitoring results showing over 1.3 million queries to RPZ zones on the first day.
BPF & Cilium - Turning Linux into a Microservices-aware Operating System (Thomas Graf)
Container runtimes return Linux to its original purpose: serving applications that interact directly with the kernel. At the same time, the Linux kernel is traditionally difficult to change and its development process is surrounded by myths. A new, efficient in-kernel programming language called eBPF is changing this: it allows everyone to extend existing kernel components or glue them together in new forms without requiring changes to the kernel itself.
Implementing BGP Flowspec at an IP transit network (Pavel Odintsov)
This document discusses implementing BGP Flowspec at an IP transit network to help mitigate distributed denial of service (DDoS) attacks. BGP Flowspec allows network operators to announce flow specifications via BGP to define distributed access lists across their network. The document outlines BGP Flowspec options, typical attack scenarios with and without its use, implementation considerations, validation of rules, statistics collection, and plans for a web portal and integration with attack detection systems. Over 85% of detected DDoS traffic was found to originate from foreign interfaces, showing BGP Flowspec's effectiveness against such attacks.
The Open vSwitch kernel datapath may have flows offloaded to hardware using the TC Flower classifier and related actions. This is a powerful mechanism to both increase throughput and reduce CPU utilisation. This presentation will give an overview of the evolution of this offload mechanism: features available in OvS v2.8, those targeted at v2.9 and possible future directions.
Spy hard, challenges of 100G deep packet inspection on x86 platform (Redge Technologies)
This document discusses challenges and approaches for performing deep packet inspection (DPI) at speeds of 100 gigabits per second and beyond on x86 platforms. It begins by explaining why DPI is needed at such high speeds, for tasks like large-scale intrusion detection. It then examines the performance requirements for scanning payloads at 100Gbps rates. The document reviews different software approaches for payload matching, such as regular expressions, and hardware that can assist, such as Intel's Hyperscan technology. It also provides examples of how Hyperscan can be integrated into real-world intrusion detection and prevention systems.
This document provides an overview of IPv6 including its history, addressing formats, integration strategies with IPv4, application development considerations, and troubleshooting tips. IPv6 was developed to address the limited address space of IPv4 and enable new features. It uses a 128-bit address space compared to 32-bits in IPv4. Popular transition technologies like dual-stack, 6to4 tunnels, and Teredo tunnels are discussed for integrating IPv6 into existing IPv4 networks. Application developers need to support both address families using new socket functions and data structures.
This document discusses quality of service (QoS) capabilities in OpenStack Neutron. It provides an overview of what QoS means for networks, what is currently supported in Neutron, and how to use Neutron's QoS features. It also describes how QoS works underneath with different agent types and plans for future enhancements, including better rule validation, ingress bandwidth limiting, and integration with Horizon. Regular QoS meetings in the Neutron community discuss ongoing work.
The document discusses using DNS service discovery (DNS-SD) to automatically configure sFlow agents. It describes how SRV and TXT records are added to a DNS zone file to provide sFlow agent configuration settings. When sFlow agents perform DNS queries, they receive responses containing the IP addresses and ports of sFlow collectors as well as sampling settings. This allows for plug-and-play configuration of many heterogeneous clients using the widely supported DNS protocol.
- James Blessing is the Deputy Director of Network Architecture at Future Services. He discussed Ciena's MCP network management software, the need for automation of network provisioning through APIs, and the JiscMail NETWORK-AUTOMATION mailing list as a resource.
- The document then covered topics like Netpath services, layer 2 and 3 VPNs, network function virtualization, IPv6 adoption, the Janet end-to-end performance initiative, science DMZ principles, network performance monitoring with perfSONAR, and working with the GÉANT project.
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall" (Barry Greene)
Learn how to turn your network’s DNS into a Security Tool! Webinar-Oct 12th
What do you do if your security tools are not protecting your network? Cyber-criminals are constantly finding ways to bypass your security tools and take over your network. When the threat changes, you should grow with the threat: think outside the box and use a tool the criminals have not yet considered, the DNS.
ISC’s Internet-critical open source DNS software BIND has a new feature that turns a DNS caching resolver into a tool to help protect your network from malware. All the computers in your network must contact your DNS resolvers to get to the outside world. Your DNS resolvers are therefore a critical "choke-point" through which every device in your network must pass to reach the outside world. This "choke-point" is a logical place to add a security check of whether a domain is "clean" or "dirty."
How can you have your DNS resolver check if a domain is clean or dirty? Use BIND’s new feature, the DNS Response Policy Zone (DNSRPZ). DNSRPZ uses secure and fast zone transfer technologies to pull down blacklists of bad domains and load them into your DNS resolver.
The archived recording of the Webinar is here: www.isc.org/webinars
Who should watch this Webinar?
E-mail Administrators: Find out how DNSRPZ offers a more effective way to work with anti-spam blacklists.
Network Operators: Learn how DNSRPZ can be used inside your network to keep your users from being inadvertently infected by malware, zero-days, and malvertisements.
Security Engineers: Discover how DNSRPZ is a tool to help contain infections that get into your network and try to “call home” to a BOTNET controller.
Hosting Providers: By default, most of your hosting customers are using your DNS resolvers. Learn how DNSRPZ can help prevent and contain the threat of your customers getting infected.
Service Providers: Learn how to turn your DNS services into a tool to help protect all your customers from infection.
Mobile Telecoms Operators: Find a new tool that would prevent miscreant smart phone applications from calling home with DNS and infecting your customer’s phones.
SCADA and Critical Industrial System Operators: Learn how DNSRPZ is a tool to help protect legacy control systems that need DNS to work.
Over 91% of malware uses DNS (per the Cisco 2016 Annual Cybersecurity Report). Nearly all cryptominer software uses DNS-based C&C (same report).
RPZ allows a recursive server to control the behavior of responses to queries. It lets an administrator overlay custom information on top of the global DNS to provide alternate responses to queries.
RPZ data is supplied as a DNS zone, and can be loaded from a file or retrieved over the network by AXFR/IXFR. It works like a firewall in the cloud. DNS RPZ will block DNS resolution, machines connecting to the C&C via IP add
Building and operating a global DNS content delivery anycast network (APNIC)
This document discusses Packet Clearing House's (PCH) global anycast network for content delivery of DNS services. PCH operates 118 nodes across 14 global locations and 152 internet exchange points. Anycast technology allows optimal routing of DNS queries to the closest server instance. PCH has been operating anycast DNS services since 1997 and their network has evolved to support the growth of the internet. The document describes considerations for planning new anycast nodes, and how PCH monitors and operates their global anycast network.
BGP Flow Specification allows network operators to define and distribute traffic filtering rules via BGP. This helps operators quickly mitigate DDoS attacks by filtering traffic at an upstream level rather than just blackholing entire prefixes. It separates filtering information from routing data using new BGP address families. Validating flow specifications against the best unicast route helps prevent spoofing. Common filtering actions include traffic policing, sampling, and redirection. While some ISPs have begun implementations, widespread adoption is still needed to realize the benefits of centralized DDoS defense using BGP Flow Specification.
The document discusses Janet's plans to upgrade its network infrastructure using new Ciena equipment. The new infrastructure will feature a core-aggregation-access topology with Ethernet rings for protection. Key points include:
- Ciena 5170, 8700, 3903/3926/3928 equipment will be deployed at core, aggregation and access layers for up to 100G connectivity.
- G.8032 Ethernet rings will provide sub-50ms protection switching at layer 2 in the event of failures within regions.
- Services will be delivered over VLANs to sites, with options like IP, ExpressRoute, and Netpath.
- The new infrastructure is intended to improve performance, scalability
What architectures are best suited for today’s data center network? And how does Cumulus Networks make it easier to build networks? Dinesh Dutt (@ddcumulus), Chief Scientist at Cumulus Networks, answers these questions in an entertaining and lively presentation. Customers need simple building blocks with simple L2 networking (MLAG) and L3 Clos. Cumulus Linux supports both, adds functionality to simplify configuration (e.g. PTM, IP unnumbered, L2 & L3 automation), and is a platform that people can innovate on top of.
Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner) (Puppet)
The document contains configuration for a network device using Puppet automation. It configures items like logging, SNMP, NTP, routing, interfaces, and BGP to standardize the configuration for improved operations agility, service velocity, and configuration consistency across devices. Variables are used throughout to parameterize settings like hostnames, IP addresses, and credentials.
The TC Flower Classifier allows control of packets based on flows determined by matching of well-known packet fields and metadata. This is inspired by similar flow classification described by OpenFlow and implemented by Open vSwitch. Offload of the TC Flower classifier and related modules provides a powerful mechanism to both increase throughput and reduce CPU utilisation for users of such flow-based systems. This presentation will give an overview of the evolution of offload of the TC Flower classifier: where it came from, the current status and possible future directions.
This document discusses DPDK support for new hardware offloads. It describes the Netronome Agilio SmartNIC, which has hardware accelerators and can offload tasks like cryptography and flow processing. It discusses using the SmartNIC with DPDK and OVS for improved performance over kernel-based solutions. Full flow classification and action offloading to the SmartNIC is proposed to reduce CPU usage, along with exploring eBPF/XDP offloading possibilities and virtio offloading to enable VM migration.
This document discusses the need for data-driven network operations. It begins by noting how difficult it can be to manage infrastructure using the many disparate operational tools currently available. It then argues that taking a data-driven approach by collecting, fusing, storing and analyzing network data can help network operators better understand issues, plan infrastructure changes, and provide insights for both technical and business stakeholders. Specific use cases mentioned include traffic debugging, anomaly detection, network planning, security analytics and performance analysis. The challenges of obtaining and working with network data at scale are also addressed.
The document discusses public key cryptography and the RSA algorithm. It explains that RSA works by using a public/private key pair, where the public key is used to encrypt messages and the private key is used to decrypt them. Finding the private key from only knowing the public key is computationally infeasible if large prime numbers are used. RSA is widely used in applications like HTTPS, PGP, and DNSSEC to provide encryption, authentication and digital signatures.
This presentation discusses the evolution of network architecture and its implications for public policy. It notes that the original Internet architecture connected computers in an open and transparent manner. However, the rise of commercial interests introduced specialization between access and transit networks. Content delivery networks now replicate content close to users, replacing the need to send data across transit networks. As a result, the role of transit providers is questionable. The Internet is evolving into private networks for content distribution rather than an open system for end-to-end communication. This has implications for concepts of universal access, net neutrality and regulatory oversight in an environment dominated by a few large content providers.
This document discusses various conditions that can result in stones or foreign bodies in the nasal cavity. It describes rhinoliths, which are stones that form around a nidus such as a blood clot or inspissated secretions. Rhinoliths can grow large and irregularly, causing nasal obstruction, discharge, pain and other symptoms. Examination finds hard, irregular masses that break into pieces. CT scans are used for diagnosis. Rhinoliths are removed using various tools under local or general anesthesia. Myiasis and cerebrospinal fluid leaks into the nasal cavity from skull base fractures are also discussed.
Service Redundancy and Traffic Balancing Using Anycast - Sean Jain Ellis
Anycast is a method of load balancing and high availability that uses dynamic routing protocols to direct client traffic to the optimal server that shares a common IP address. Each service is assigned an IP address that is configured on the loopback interface of multiple servers. Routers then determine the best server to terminate connections based on routing metrics. This allows traffic to be load balanced across servers and for connections to failover to alternate sites when primary servers fail.
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem - APNIC
This document summarizes a study analyzing over 300 billion DNS queries to understand the problem of name collisions with new generic top-level domains (gTLDs). The study found that:
1) Around 12% of root server DNS traffic consisted of queries with the RD bit set to 1, which is more than expected but does not appear to be causing major problems.
2) Traffic for most new gTLDs with the RD bit set was 4 orders of magnitude lower than for existing TLDs, suggesting name collisions may not be a large problem.
3) Some isolated examples of misconfigured devices and applications accounted for abnormal traffic levels for a few new gTLDs, but overall the analysis
CloudFlare operates a global anycast content delivery network (CDN) to improve website performance and security. Their network routes web traffic through data centers located around the world, where services like caching, security filtering, and optimizations are applied. Anycast routing allows a client to connect to the closest data center, and if that location fails traffic will automatically reroute to the next closest one. Operating an anycast CDN presents challenges around efficient routing, new market deployments, and troubleshooting unusual routing behaviors between networks. Peering is important for reachability but must be considered economically in each region.
Umbrella Fabric/IXP SDN OpenFlow: The TouIX to TouSIX Experience - APNIC
The document discusses the migration of the Toulouse Internet Exchange Point (TouIX) in France to an OpenFlow-based fabric called TouSIX. It describes how TouSIX uses OpenFlow switches and a controller called TouSIX-Manager to provide benefits over traditional IXP fabrics like reduced broadcast traffic, improved monitoring and filtering capabilities. TouIX had 4 points of presence around Toulouse and supported 10 members, and was migrated to the new TouSIX topology with OpenFlow links to interconnect sites and connect to other IXPs like France-IX. Future work involves funding research through a PhD student and participating in the H2020 ENDEAVOUR project.
Journey to IPv6 - A Real-World deployment for Mobiles - APNIC
This document provides an overview of Telstra's journey to deploying IPv6 for mobiles. It discusses why IPv6 is needed due to growth in devices and traffic, and depletion of IPv4 addresses. It covers the business and technical considerations for transitioning to IPv6. The document outlines Telstra's network architectures for IPv6 including centralised CGN, 464XLAT architecture and addressing schemes. It discusses their deployment model and experiences including growth in IPv6 usage. Lessons learned around community engagement, customer support and reporting metrics are also provided.
Network Automation with Salt and NAPALM: a self-resilient network - APNIC
This document discusses using Salt and NAPALM for network automation. Salt is used as an orchestrator to manage network devices at scale through NAPALM, which provides vendor-agnostic APIs and drivers. Key points include:
- Salt and NAPALM allow Cloudflare to automate tasks like deploying new network locations, reducing human errors and speeding recovery.
- NAPALM integrates with Salt to provide vendor-agnostic methods for tasks like configuration management, CLI execution, and collecting operational data from devices.
- Together Salt and NAPALM allow Cloudflare to manage thousands of devices through a single framework, deploy configurations consistently, and monitor network performance through
Jan Žorž tested DNSSEC, DANE, and TLS implementations in the Go6lab. He signed DNS zones with OpenDNSSEC and BIND9. Nearly 70% of SMTP sessions to top Alexa domains used TLS, with the majority having trusted certificates. DANE verification worked when domains and records were signed, but failed when the chain of trust was broken. Renewing Let's Encrypt certificates required keeping the underlying key to maintain valid 3.1.1 TLSA records.
Community Networks: An Alternative Paradigm for Developing Network Infrastruc... - APNIC
This document discusses community networks as an alternative paradigm for developing network infrastructures and services. It provides 3 key points:
1) Community networks are based on a common pool resource model where network infrastructure is built and managed by volunteers in a community as a shared resource, rather than by traditional network providers.
2) Successful community networks like guifi.net in Spain and AWMN in Greece have thousands of nodes and provide services like data sharing, communication tools, and entertainment through their open networks.
3) Community networks require management tools to map the network, monitor usage, coordinate funding and configure devices, as well as economic models where costs are offset through user fees, sponsors, and turning networks into social enterprises
- 3 years after the initial commercial IPv6 services, IPv6 deployment by ISPs was initially focused on mobile networks, with 16% of mobile subscribers and only 60,000 residential internet users on IPv6. Content providers have not adopted IPv6 due to the lack of IPv6-enabled content.
- South Korea has a high ICT development index and GDP per capita but only moderate IPv4 addresses per device and an IPv6 usage rate of 4.2%, showing that other factors like infrastructure influence IPv6 adoption more than IP address demand.
- There is a strong positive correlation between a country's IPv6 usage rate and economic/ICT development indices, but little correlation with growth in internet devices, suggesting demand for IP
The document summarizes the TakNet community wireless mesh network (CWMN) project in Thailand. It discusses:
1) The technical background of using MANETs for emergency communications, which led to the development of DUMBONET. DUMBONET was deployed in disasters in Thailand and Myanmar.
2) Experiments with CWMNs in rural Thai villages beginning in 2013, providing internet access. Over 200 active users were reported in one village in 2015.
3) Plans for sustainability and scalability of CWMNs, including training local technicians, developing an open source platform, and exploring business models to promote digital economies in communities. However, three attempts to obtain funding failed.
4
Technical and Business Considerations for DNSSEC Deployment - APNIC
The document discusses both technical and business considerations for deploying DNSSEC. On the technical side, it addresses issues like zone size, CPU load, traffic levels, key rotation, tooling, and use cases. On the business side, it discusses choices around signing algorithms, managing keys and signatures, monitoring, user interfaces, documentation, training, and barriers to deployment. The document provides advice to help DNS administrators better understand the deployment trade-offs and considerations involved with DNSSEC.
Major Japanese cellular carriers have announced they will start full IPv6 service in 2017, with one carrier already starting their IPv6 service. Many fixed-line ISPs have also started commercial IPv6 service for both enterprise and consumer users, and some are migrating existing IPv4-only users to dual-stack environments. While IPv6 adoption is increasing in government services and the network core, large content providers have not yet supported IPv6, though they are starting to consider implementation.
This document discusses the radiological findings of a patient. Plain radiography showed opacification and haziness in the right nasal cavity, maxillary sinus, ethmoid cells, and frontal sinus. CT imaging revealed a soft tissue density lesion in the nasal cavity extending into surrounding areas with erosion and contrast enhancement, suggesting a highly vascular tumor. MRI showed intermediate signal of the lesions on T1 images with additional soft tissue in the right orbit and extraaxial intracranial extension. T1 post-contrast images showed intense enhancement. MR angiography and conventional angiography identified the primary feeders of the lesion coming from the right external carotid artery.
This document summarizes the Asia Pacific Internet Exchange (APIX) association meeting. It discusses that APIX is an association of Internet exchange providers in the Asia Pacific region that aims to share technical, operational and business information between exchanges. It provides details on the 169 internet exchange points across 25 countries in the region. The document summarizes the 15th APIX meeting which was held in Vietnam, including technical discussions, membership and administrative updates, and the election of a new steering committee. It also announces a new peering event in Asia Pacific called Peering Asia 2017 that will be held in Kyoto, Japan.
IPv6 deployment experience in Japan has uncovered several key issues:
1. Early mobile networks using IPv4 experienced congestion due to limited wireless bandwidth, but IPv6 has alleviated this by allowing more efficient use of network resources.
2. Mobile carriers in Japan have taken two approaches to IPv6 deployment - some use NAT/firewalls to preserve wireless resources and protect users, while others offer a separate "pure IPv6" service for a fee.
3. A successful IPv6 rollout requires addressing challenges across many aspects of network operations, backend systems, customer support, and device compatibility to ensure a smooth transition.
NR is 3GPP's new 5G radio access technology that uses OFDM modulation. It supports both standalone and non-standalone deployment models and can operate in frequency bands from 0.4 GHz up to 100 GHz. NR is being developed in two phases to address different 5G use cases such as enhanced mobile broadband, massive machine type communications, and ultra-reliable low latency communications.
PLNOG 22 - Aleksandra Chećko, Robert Cieloch - 5G: expense or saving? - PROIDEA
The document discusses the costs of 5G network deployments and compares macro cells, distributed antenna systems (DAS), small cells, and software-defined radio access networks (SD-RAN). SD-RAN offers 1.5-1.9x higher capacity than other options for the same coverage area and has total cost of ownership (TCO) that is 1.3-2.7x lower. SD-RAN provides scalable capacity expansion and more cost-efficient coverage compared to traditional macro cell networks.
Yoshihiro Nakajima presented on software stacks that enable software-defined networking (SDN) and network functions virtualization (NFV). He discussed trends in SDN and NFV, introduced the Lagopus SDN software switch project, and described how Data Plane Development Kit (DPDK) helps optimize packet processing performance. The goal of his talk was to provide an NFV/SDN-aware software stack capable of 100Gbps switching through high-performance packet processing.
Analysis of the Pending Interest Table behavior in the context of a distributed denial of service attack.
Slides presented at:
3rd ACM SIGCOMM Workshop on Information-Centric Networking (ICN 2013) - Hong Kong, China
The paper is available at:
http://conferences.sigcomm.org/sigcomm/2013/papers/icn/p67.pdf
The document discusses LTE key technologies including those from Release 9 and Release 10 of the 3GPP specifications. It describes the organizations involved in developing LTE standards and trials. The basic LTE technologies covered include OFDMA for downlink and SC-FDMA for uplink, frame structure, and peak throughput calculation methods. Key technologies added in Release 9 include enhanced dual-layer beamforming transmission to improve cell capacity and coverage using multiple layers. Release 10 features further expanded the use of multiple antennas and introduced carrier aggregation.
01 FO_BT1101_C01_1 LTE FDD Principles and Key Technologies.pptx - SudheeraIndrajith
The document provides an overview of LTE principles and key technologies. It outlines objectives to understand the LTE network architecture, protocols, frame structure, and key technologies. It then covers topics including LTE network elements and interfaces, protocol structure, frame formats, and resource allocation. The goal is for readers to gain a thorough understanding of LTE fundamentals.
The document discusses how MATLAB and NI tools can be used together to optimize wireless system design processes. It describes how they allow designing, analyzing, and testing of wireless standards, applying AI techniques to wireless applications, jointly optimizing digital, RF, and antenna components, implementing designs on hardware, simulating radar applications, and providing hands-on learning resources. Specific examples discussed include 5G design at Qualcomm, linearization algorithm development at NanoSemi, and teaching wireless communications with USRPs.
Webinar: Ultra-low-power NB-IoT development - Embarcados
In this webinar we present all the features that NB-IoT networks offer to enable the development of ultra-low-power devices, and we also show in practice
This document provides an overview of LTE (Long-Term Evolution) networks, including their architecture and evolution over time. It discusses the introduction of LTE and perspectives on its vulnerabilities. Diagrams show the network architecture of LTE and its predecessors, illustrating the transition from older standards to the modern LTE architecture. The presentation the document accompanies covers the LTE introduction, perspectives and vulnerabilities.
The document discusses KREONET-S*, South Korea's national research and education network transitioning to a software-defined network (SDN) architecture. It outlines KREONET-S*'s goals of providing reliable and user-driven virtualized network services. The Open Network Operating System (ONOS) is used as the SDN controller to enable applications like Virtual Dedicated Networks (VDN) and user visibility tools. Initial deployment connected two cities in 2015, with plans to expand nationally by 2017. Performance tests show throughput up to 10Gbps and low latency between sites.
The document discusses using Lagopus software-defined networking (SDN) switches to demonstrate an SDN internet exchange (IX) at the Interop Tokyo 2015 technology show. Key points:
- Two Lagopus SDN switches were deployed as the core switches in an SDN IX to enable automated provisioning of inter-autonomous system layer 2 connectivity and on-demand packet filtering between internet service providers.
- The Lagopus switches achieved an average throughput of 2Gbps with no packet drops over a week during the show, demonstrating the potential for software switches in next-generation SDNs.
- Previous work to optimize the Lagopus switch performance through techniques like hardware offloading to FPGAs helped enable its
DPDK Summit 2015 - NTT - Yoshihiro Nakajima - Jim St. Leger
DPDK Summit 2015 in San Francisco.
NTT presentation by Yoshihiro Nakajima.
For additional details and the video recording please visit www.dpdksummit.com.
Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2 - Jaime Martin Losa
Fast RTPS is the default middleware for ROS2 that provides real-time data communication capabilities. It implements the RTPS protocol for interoperability and uses a publish-subscribe model. The presentation covered Fast RTPS features and motivation, how it powers ROS2 and FIWARE, and provided a hands-on example of creating a publisher and subscriber using Fast RTPS to communicate a simple Hello World message type.
IRJET- Performance Analysis of IP Over Optical CDMA System based on RD Code - IRJET Journal
This document presents a performance analysis of an IP over optical CDMA network system based on a random diagonal (RD) code. It proposes using spectral amplitude coding OCDMA to directly connect the IP layer to the optical layer, eliminating intermediate layers and reducing overhead. The system architecture, design steps, and simulation setup are described. Simulation results using OptiSystem show that bit error rate increases with the number of simultaneous users and data transmission capacity decreases with transmission distance as expected. The RD code OCDMA system provides a potential solution for next-generation networks by enabling intelligent functions and advanced services at the optical layer.
In this deck, Ronald P. Luijten from IBM Research in Zurich presents: DOME 64-bit μDataCenter.
"I like to call it a datacenter in a shoebox. With the combination of power and energy efficiency, we believe the microserver will be of interest beyond the DOME project, particularly for cloud data centers and Big Data analytics applications."
The microserver team has designed and demonstrated a prototype 64-bit microserver using a PowerPC based chip from Freescale Semiconductor running Linux Fedora and IBM DB2. At 133 × 55 mm² the microserver contains all of the essential functions of today's servers, which are 4 to 10 times larger in size. Not only is the microserver compact, it is also very energy-efficient.
Watch the video: http://wp.me/p3RLHQ-gJM
Learn more: https://www.zurich.ibm.com/microserver/
Sign up for our insideHPC Newsletter: http://insideHPC/newsletter
The document discusses the requirements and experiences of carrier grade NAT (CGN) technology, including what CGN is, how it relates to IETF standards, managing subscriber sessions, flow analysis of subscriber behavior, logging optimization techniques like port block allocation and deterministic NAT, and the evolution of CGN including port forwarding and the new Port Control Protocol (PCP).
LTE and DPI technologies are essential for managing mobile broadband networks due to increasing bandwidth demands outpacing supply growth. DPI allows for prioritization of real-time traffic like voice and video, security measures, and new revenue opportunities through traffic analysis and service differentiation. It provides a "smart pipe" for optimized network efficiency and subscriber services. Rapid adoption of smartphones, internet video, and mobile applications is driving network traffic growth that LTE and DPI solutions can help address.
A Platform for Data Intensive Services Enabled by Next Generation Dynamic Opt... - Tal Lavian Ph.D.
A new architecture is proposed for data-intensive services enabled by next generation dynamic optical networks. It:
- Offers a Lambda scheduling service over Lambda Grids
- Supports both on-demand and scheduled data retrieval
- Supports bulk data-transfer facilities using lambda-switched networks
- Provides a generalized framework for high performance applications over next generation networks, not necessarily optical end-to-end
- Supports out-of-band tools for adaptive placement of data replicas
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum... - APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders... - APNIC
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 - APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I... - APNIC
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41 jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E... - APNIC
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presents 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024 - APNIC
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presents 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op... - APNIC
Geoff Huston, Chief Scientist at APNIC, delivers a keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119 - APNIC
Paul Wilson, Director General of APNIC, delivers a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane, Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119 - APNIC
Tom Harrison, Product and Delivery Manager at APNIC, presents at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16 to 22 March 2024.
Benefits of doing Internet peering and running an Internet Exchange (IX) pres... - APNIC
Che-Hoo Cheng, Senior Director, Development at APNIC, presents on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024.
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85 - APNIC
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19 to 22 February 2024.
HijackLoader Evolution: Interactive Process Hollowing - Donato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.