Join us in Atlanta, GA for NANOG 87

Full Abstract

An ongoing issue with Internet standards development is limited interaction between the standards developers and the network operator community. This talk is a step toward bridging that gap, highlighting ongoing work from the IETF that is likely to be published in the RFC series or will otherwise have notable operational considerations.

Full Abstract

In this session we review IPv6 features and capabilities on AWS, best practices for adopting IPv6 on AWS, and reference architectures. We also dive deeper into the common use cases that drive customer IPv6 adoption on AWS, and lessons learned to help you accelerate your IPv6 adoption journey.

Full Abstract

What if you could fully automate your internet exchange? You can! In this presentation, IX founders Chris Grundemann and Matt "Grizz" Griswold will walk through the thinking, the architecture, the tools, and a real example to show you how-to use modern, open-source tools to build an IX operations platform capable of setting your IX to FullAuto.

We will cover the terms and definitions that need to be understood, we'll introduce the network automation philosophy that drives successful projects, and cover the core principles that facilitate excellent execution. Then we'll walk you through an example, using a real IX (IX-Denver), to demonstrate the possibilities - and provide a roadmap for everyone else who wants to do the same.

Automation is not just for network operators. We can, and should, automate our internet exchanges as well. Let's go!

Full Abstract

RPKI ROV adoption has grown significantly over the past five years. In a recent milestone, the percentage of IPv4 routes in the global routing table with ROAs has finally crossed 50% (IPv6 crossed this mark last year). In addition, another major telecom began rejecting RPKI-invalid routes reducing the propagation of these problematic routes even farther.

Finally, this talk with present an analysis of the 'effective expirations' of ROAs and how the behavior of these expirations varies greatly between RIRs due to differences in their cryptographic chains.

Full Abstract

When it comes to Internet access, Indigenous communities are among the most underserved throughout North America. According to Canada’s ISED, 97 percent of urban households have access to high-speed Internet, compared to only 37 percent in rural communities. The statistics are even more bleak for Indigenous communities, where just 24 percent have access to high-speed Internet.
The Internet Society works with Indigenous communities to find and implement sustainable solutions that meet their unique connectivity needs. Supporting communities to build and maintain local Internet infrastructure has proven to be key to connect the unconnected.
This talk will cover a recent partnership between the Internet Society and the National Research Council of Canada (NRC) that aimed at identifying and training a number of indigenous communities in Ontario and Northwest territories, in preparation for broadband network deployments.
Also, this talk will cover the successful deployment of a wireless broadband network in the indigenous community of Ulukhaktok in the Arctic, which would perhaps be the northern-most such deployment.

Full Abstract

Datacenters are comprised of thousands of servers, network and storage devices. Data Center Networks (DCNs) are the communications backbone of a datacenter. Several architectural and design innovations have been introduced in DCNs to address the growing size and increasing operational demands of the datacenter. From a protocol perspective, these demands and challenges have been addressed primarily by aggregating multiple off-the-shelf protocols and retrofitting them to the DCN communication needs. This aggregation has resulted in higher overhead, added operational complexity and requires increased effort to perform DCN troubleshooting and maintenance.
In this work we present a new protocol that leverages the structured and symmetrical DCN topology to significantly simplify DCN operations of routing, load balancing, fast failure detection and IP packet forwarding between the servers. We introduce the Multi-Root Meshed Tree Protocol (MR-MTP) which establishes routes without a routing protocol, performs load balancing, provisions fast failure recovery and forwards IP packets between servers. Testing was performed by adopting the folded-Clos topology. The performance of MR-MTP was compared to the popular protocol suite used in folded-Clos topology DCN, i.e. Border Gateway Protocol (BGP for routing), Equal Cost Multipath Protocol (ECMP for load balancing) and Bidirectional Forwarding Detection (BFD to speed up convergence).
As both TCP and UDP are required in folded-Clos (BGP requires TCP for its operation and BFD requires UDP), MR-MTP is replacing six protocols in a DCN router, i.e. BGP, TCP, ECMP, BFD, UDP and IP. MR-MTP is fully backwards-compatible to Internet Protocol (IP) and Ethernet. MR-MTP autoconfigures and auto-assigns routable addresses to the DCN routers, reducing the configuration needs. MR-MTP coded in C language was compared to the protocol suite BGP/ECMP/BFD (from frrouting.org) using folded clos topologies set up in the Fabric testbed (https://portal.fabric-testbed.net).
The results (provided in the slides) of these comparisons clearly demonstrate that significant performance improvement can be achieved with MR-MTP over BGP/ECMP/BFD. The testing evaluated convergence time, control overhead, packets lost, and blast radius on an interface failure. Given its unique approach, MR-MTP offers many other benefits including reduced hardware required to manufacture, immunity from traditional attacks against BGP, TCP and IP, reduced power consumption (and associated cooling costs) among others which will be investigated in the future.

Full Abstract

With a few simple changes, IP-transit customers can increase the reliability of the prefix filtering provided to them by their IP-transit providers, and hopefully avoid easy-to-mitigate prefix filtering issues.

As an IP-Transit provider, we (Inter.link) often encounter prefix list generation issues with our customer's IRR data. In this talk we'll present some easy to implement changes, in relation to their IRR data and PeeringDB data, that have helped our customers, which other IP-transit customers can implement to improve the quality of their service with their provider.

Full Abstract

This 15-minute talk introduces the audience to ICANN's KINDNS Initiative. Modeled on ISOC's MANRS program, KINDNS (which stands for Knowledge-sharing and Instantiating Norms for DNS and Naming Security) aims at developing a simple but effective framework for a secure DNS operation to which operators can voluntarily and easily commit. This framework should be something simple to refer to and be accessible to even small operators that may typically be unable to dedicate many resources to globally follow both the evolution of the DNS protocol and discussions about operational best practices.

Full Abstract

Exploring integration options:
- gNMIc
- Prometheus client library (i.e. Python)
- Exporter installed directly in Network Element
- Unified Telemetry Model (NMS or SDN)
Dissect advantages and challenges of each option.
Selecting the best monitoring solution based on network needs and resources.

Full Abstract

The American Registry for Internet Numbers (ARIN) is a nonprofit, member-based organization that administers IP addresses and ASNs in support of the operation and growth of the Internet. Hear from ARIN's Chief Customer Officer on where the organization sits with IPv6 growth, IPv4 Waitlist and Transfer stats, along with other notable organizational updates.

Full Abstract

Network operators engineer their networks with enough capacity to service peak loads. They also engineer redundant capacity into their networks. During off-hours, much, if not most, of this capacity is unused.

Sadly, most networks consume nearly the same amount of power during off-hours as they consume during peak-hours.

In this presentation, we propose a power management portal that reports a) network status, b) network power utilization and c) network power efficiency. It also proposes strategies for powering down selected router components during off-hours and powers those router components up and down as per the proposed strategy.

This power management portal is under development and the authors are soliciting co-innovators.

Full Abstract

The use of IP spoofing for generating DDoS attacks has been around for decades. In the last several years, tracing back spoofed traffic and engaging networks to deploy ACLs/uRPF to enforce BCP38 has become a common method to disrupt DDoS-As-A-Service providers (also known as booters/stressers). This presentation will cover the overall effort along with methodologies that networks can use to detect this as well as controls they can implement to mitigate this behavior. A number of real-world trace back scenarios will be covered as well as interesting things found along the way.

Full Abstract

This talk summarises for a NANOG audience an academic paper recently presented at the "23rd Workshop on the Economics of Information Security". In the paper we evaluate a rare successful intervention in the management of Internet infrastructure -– a multi-year "traceback" campaign to shut down sources of spoofed traffic utilised for DDoS attacks. We assess why it has been possible to "move the needle" on an issue that has dogged the network engineering community for more than thirty years. The decentralised community of competing network providers has few incentives to solve the issue -- which is why little has changed since the flurry of activity when BCP38 (and the century) was new. Our analysis is based on interviews with key players in the initiative. We find that success occurred because the issue of spoofing was migrated away from the incentives of these companies into the incentive structures of the far more densely networked and centralised professional community of network engineers.

Full Abstract

As part of this research, we demonstrate the surprising impact of 1% packet loss on throughput, both in symmetric and asymmetric networking topologies, in the environment using CUBIC congestion avoidance algorithm. Our findings reveal a significant decrease in throughput, more than 70%, compared to baseline measurements without packet loss. Moreover, we explore the effects of increasing packet loss levels, up to 10%, and observe a compounding decline in throughput, indicating the importance of addressing even minor levels of packet loss. We compare attained results using CUBIC congestion avoidance algorithm, in both topologies, with those achieved using the BBR congestion avoidance algorithm, advocating for broader and faster adoption of BBR.

Full Abstract

BGP’s deployment model makes even modest software bugs have significant consequences on global Internet routing. 
When is a bug just a bug and not a security issue? 
CVSS is a scoring system used to classify issues and is an important input toward vendors issuing security alerts – and subsequently locking down all information on that issue. 
We discuss BGP and CVSS scoring and its impact upon the availability of information on BGP implementation defects.

Full Abstract

This talk discusses methods and challenges involved in disrupting the operations of groups that carry out Distributed Denial of Service (DDoS) attacks. To disrupt DDoS attack operations, automated mechanisms need to continuously track global DDoS attacks and identify their orchestration infrastructures. This information enables sending high-quality takedown requests to hosting providers and domain registrars used by the DDoS groups. Successful takedown requests disrupt the attacks and demotivate DDoS operators by hampering their ability to keep their services running for financial gain. The takedown requests also help the recipient service providers to address gaps in their abuse detection and keep DDoS operations out of their platforms. However, these service providers respond to takedown requests at varying degrees of speeds and efficacy. The talk will explore alternative mechanisms to address these inconsistent responses.

Full Abstract

IPv6 has been "the next generation of IP" for over 20 years. For the longest time, the gold standard has been to run a network with both IPv4 and IPv6, however operating both protocols at the same time presents an additional operational challenge. With the global share of IPv6 traffic nearing 40-50%, it's time to re-evaluate our goal and look at ways to run networks that are largely IPv6-only. So how do we start testing IPv6-only technologies? They can be complex to setup and troubleshoot even for seasoned network engineers let alone application developers, IT support personnel, and others with limited networking experience.

Enter the IPv6 Test Pod, a device that intends to makes testing IPv6-only networks easy, made possible by the ARIN Community Grants program. The IPv6 Test Pod delivers a several IPv6-enabled networks, presented as SSIDs that the user can join to start testing IPv6-only technologies -- including dual-stack (as a baseline), IPv6-only, DNS64/NAT64, 464XLAT, and others. The IPv6 Test Pod is made available for no cost to project participants and participants can be anyone interested in testing IPv6-only networks including IT support personnel, developers, or even network engineers that are too busy to test IPv6-only networks. Dual stack is arriving, let's get ready for an IPv6-only world.

Full Abstract

This presentation will explore the integral role of the Number Resource Organization (NRO) and the Regional Internet Registries (RIRs) in global internet governance, with an emphasis on the new NRO RPKI Program, an initiative overseen by the NRO Executive Council. As a strategic effort under the NRO and RIRs, the RPKI Program is pivotal in advancing the development and adoption of Resource Public Key Infrastructure (RPKI) across the globe, enhancing the security and stability of internet routing. We will introduce the leadership team spearheading this program, outline our strategic objectives, and discuss the impactful initiatives that are currently being developed. The presentation will emphasize how this program is a collaborative effort guided by the expertise and governance of the NRO Executive Council, seeking to draw in active feedback from the technical community to refine and innovate our approach. Concluding with detailed resources and avenues for engagement, attendees will gain insights into the significance of their participation in shaping the future of internet security through the NRO RPKI Program.

Full Abstract

Where exactly are we with BGP security in the global Internet routing system? And what's ahead of us? In this talk I'll reflect on progress made in recent years and look ahead what problems remain and what solutions are in the pipeline. This won't be a "Look ROAs are up and to the right!!11!"-talk, but rather a reflection on various milestones the wider community managed to reach and where the gaps are in this multi-decade journey towards a secure routing system.

Full Abstract

It's been a while since I adopted a new habit. The last few days of every year are a special time for me to recap what happened and what I learned in my personal and professional life. Additionally, I have a stash of notes that I've collected over the years. This session will demonstrate four of the most important lessons in my professional life and career in IT, notably managing high-performance teams in two of the largest public cloud providers in the world: Oracle Cloud and Amazon. While I learned these lessons the hard way and through a lot of trial and error, this short session is an attempt to share that experience not just with my peers in leadership roles but also with anyone who wants to manage even a small team of one. Here I will go over the four principles of (1) The power of authenticity, (2) The impossible self-cloning, (3) The concept of flexible 1:1s, and (4) The handling of unreasonable requests.