Saturday, October 18, 2003
Topic/Presenter
This tutorial provides detailed technical information about security technologies that should be considered when securing any networking infrastructure. Technologies to be covered include S/Key, 802.1x, RADIUS, TACACS+, SSH, SSL, L2TP, and IPsec. We will show specific architectures and configuration examples to effectively secure network infrastructures comprising routers, switches, and firewalls. Configuration examples will be vendor-independent and will include much of the most widely deployed equipment. The three 90-minute sessions will cover:

This tutorial covers common problems ISPs have when deploying BGP within their networks. We look at issues with peer establishment, missing routes, inconsistent route selection, and convergence issues. We also examine real-world examples of common errors that are made when deploying BGP, both as iBGP and eBGP, in service provider networks.
Sunday, October 19, 2003
Topic/Presenter
IP Anycast is an older technology that has seen a bit of a resurgence in recent months, perhaps encouraged by its use in providing several of the root servers. In designating certain unicast addresses as 'anycast,' operators configure these addresses on multiple machines, and configure routes to each host. When traffic is directed to an anycast address, routers select one path from potentially several valid paths to forward traffic (thus, no change from traditional unicast forwarding). One server receives each packet and responds to the requester. In configuring multiple hosts to respond to the same address, stateless protocols such as DNS can be easily scaled. Servers can be located in closer proximity to clients, providing faster responses to queries. In the event of a single host failure, routes can quickly be withdrawn and servers in other locations handle the request traffic, all without any changes to client configurations. Recursive DNS clients built into many of today's operating systems deal rather poorly with a failure of their primary recursive server. Of eight operating systems evaluated in a recent survey, seven kept no history of failed servers, trying each DNS query against the first server and waiting for a response before moving to secondary servers. Using anycast, service is maintained even in the face of a single or multiple host failure. This substantially reduces resolution delays due to server failure. DNS will serve as an example of successful anycast use, but the strategies described are also applicable to other stateless protocols.

This tutorial provides an overview of some of the applications enabled by MPLS. The session is a high-level, vendor-independent tutorial targeted at network engineers and service providers who are not familiar with MPLS applications. It is a follow-up to Salt Lake City's Introduction to MPLS tutorial, which discussed basic MPLS building blocks and signaling protocols. Our goal is to provide the audience a high-level view of the applications where MPLS is used. Topics covered will include: traffic engineering, protection and restoration, MPLS VPNs, and pseudo-wires.

Speakers: Carl Hutzler, AOL Time Warner
Who Really Owns Your Routers?, by Rob Thomas
The underground continues to abuse and trade compromised routers for a variety of reasons. In this presentation, the history of the ubiquitous compromise of routers will be detailed, along with the present-day picture of how routers are compromised, traded, and abused. The motivations behind this activity will be presented, thus giving the listener a frame of reference for this and many hacking activities.

Router Security - Approaches and Techniques You Can Use Today, by Neal Ziring
Today's routers have substantial features for protecting themselves and the networks they support. This talk will present a simple conceptual framework for router security, and describe several important security techniques and technologies you can use right now. The talk will be non-vendor-specific.

Knobs, Levers, Dials and Switches: Now and Then, by George Jones
Have you ever encountered a device that had well-known default passwords, did not do any logging, was open for use as a smurf amplifier, and had 25 open ports out of the box, including an HTTP management interface using in-the-clear password authentication? Then this talk is for you. We will present a very brief overview of a list of generic features that are needed to be able to deploy a device securely as part of an operational network. It is drawn from the IETF draft draft-jones-opsec-01.txt, "Operational Security Requirements for IP Network Infrastructure." Areas covered will include Device Management, In-Band Management and OOB Management, User Interface, IP Stack, Rate Limiting, Basic Filtering Capabilities, Packet Filtering Criteria, Packet Filtering Counters, Event Logging, AAA, and Layer 2 issues. The "Now" portion covers "Best Current Practices." The "Then" portion covers security features that are not current, but should be. Come prepared to share your own wish lists and war stories.

Speakers: Panelist - George Jones, MITRE; Panelist - Rob Thomas, Cisco/Team Cymru; Panelist - Neal Ziring, NSA

This talk describes the AOL backbone network conversion from a multi-area OSPF IGP to IS-IS. Topics covered include reasoning for the migration, implementation, verification, and deployment of IS-IS in a live network with no visible impact to the service.
Monday, October 20, 2003
Topic/Presenter
BGP enables interdomain routing, but it can also serve as an indicator of Internet health. Just as blood pressure and pulse rate are indicators of biological distress, metrics derived from BGP observation can be used as Internet "vital signs." Since BGP traffic is erratic and prone to localized bursts of activity, BGP from multiple sources (geographically and topologically dispersed) is required to make intelligent inferences. We have developed metrics for measuring routing stability, flapping, reachability, and backbone churn. The global instability index (GII), for instance, is a single indicator fused from multiple sources that strongly indicates global Internet distress while damping localized instability. We will present measurements made during the Slammer worm and during the instability in the wake of the July 2003 IOS patch frenzy.

A globally unused /8 network was monitored using a packet capture and analysis system to measure the introduction and spread of the Blaster worm. This worm was able to quickly affect over 250,000 systems in the one-week period following its August 11, 2003, introduction onto the Internet. Our data shows the breadth of the affected systems as well as the rate of the worm's spread. Overall, the global Internet community was able to respond and contain the worm's spread. Despite this reaction, several thousand Blaster hosts remain on the Internet.

Alcatel
Security incidents are a daily event for Internet Service Providers. Attacks on an ISP's customers, attacks from an ISP's customers, worms, botnets, and attacks on the ISP's infrastructure are now one of many "security" NOC tickets throughout the day. This increase in the volume and intensity of attacks has forced ISPs to spend constrained resources to mitigate the effects of these attacks on their operations and services. This investment has helped minimize the effects of the attacks, but it has not helped stop them at the source. Stopping attacks at their source requires rapid and effective inter-ISP cooperation. Hence, these ISP Security BOFs are also used as a face-to-face sync-up meeting for the NSP-SEC forum (see https://puck.nether.net/mailman/listinfo/nsp-security).

Speakers: Jordan Lowe, Server Central

This discussion highlights VeriSign's September 15 addition of a wildcard A record to the .com and .net zones, the user-visible (network- and sysadmin-visible) effects, and some of the responses, particularly the change ISC's BIND patches made possible within the DNS.
Abuse of the DNS at the root-server level is well documented by studies of packet traces taken from root servers. For example:
http://www.caida.org/outreach/presentations/nanog0202/
http://www.caida.org/outreach/presentations/2002/nanog0210/
We expect that similar abuse exists for top-level domain servers as well. However, in many cases the causes of such abuses are unknown. Studying packet traces from root servers presents only a part of the picture. We use simulations based on DNS software implementations (BIND8, BIND9, windows*, djbdns) to enhance our understanding of the client side of DNS transactions. Our lab setup models the typical DNS architecture with root, TLD, SLD, and caching nameservers. We replay a large trace file with different caching software and different network environments. The results advance our understanding of nameserver selection algorithms and the level of DNS traffic injected into the Internet for a given client-side workload.

Network catastrophes are as easy as paste-o's. Recovery should be as well, and is, if operators have adequate network documentation and monitoring. Whether it be hardware cooked to a golden brown, undesired or malicious configuration help, naughty s/w upgrades, or automation gone biblical, a hardware and software configuration repository and audit trail are essential to timely recovery. We will present tools that make this, plus more, possible.
Speakers: Panelist - John Heasley, Verio; Danny McPherson, Arbor Networks

Despite the wide availability of both free and commercial software which allows data to be signed and encrypted using PGP, a convincing web of trust in the larger community of network operators has yet to form: it is frequently possible to find PGP keys for random people that you need to communicate with, but it is still unusual to find a key with a signature trail that allows it to be used with any real confidence. This brief presentation describes how a web of trust between network operators can be useful, and outlines the mechanics of key signing both at the Monday night key signing party, and also in corridors around the meeting using the "I sign keys" indicator on attendee badges.
This talk describes the dimensions of the global IPv6 routing table.

UNINETT, a distributed academic research network in Norway, has created its own set of network management tools. We are focusing on automated statistics-gathering and presentation for proactive problem solution and customer information.

Even without CATV wiring in their dorm rooms, Northwestern University students can watch 23 television channels on their computers in their dorm rooms. Northwestern University Information Technology and NU Student Affairs use technology developed by Video Furnace LLC to provide NUTV to students. Several issues had to be addressed during the development of this service. The data network had to be configured to allow a fixed number of users to connect to the service. Content providers had to understand this distribution mechanism so that they could pay their licensing fees to the content owners. Attention had to be paid to the number of MPEG2 software decoders in use by the service so that those fees could be paid appropriately. A mechanism ensuring legal clients were viewing the material had to be developed. And then there was the question of recording... A follow-on service with CSPAN and CSPAN2, in which the license to redistribute comes from the content owner itself, had its own unique challenges. NUIT will demonstrate how NUTV works, how these copyright issues were dealt with, and the future for this now one-year-old service.
Tuesday, October 21, 2003
Topic/Presenter
Router testing has focused on isolated performance of control plane protocols and data plane forwarding. This is not always adequate to validate a router for network deployment, as routers in an operational network are simultaneously configured with multiple protocols and security policies while forwarding traffic and being managed. To accurately benchmark a router for deployment it is necessary to test the router in operational conditions by simultaneously configuring network protocols and security policies, sourcing traffic, and managing the router. Operational network conditions may be accelerated to benchmark the router under stress, enabling service providers to truly evaluate readiness for deployment. This presentation will discuss the benefits of router stress testing, the stress testing model and framework, and current efforts to standardize router stress testing in the IETF's Benchmarking Methodology Working Group.
Speakers: Shankar Rao, Qwest

This presentation reviews protocol and implementation optimizations, as well as design and deployment guidelines, which should be considered for sub-second ISIS convergence in an ISP backbone. We will share the details of our test methodology and results.
Several recent studies have indicated that human configuration error is a leading cause of network downtime. Network operators need better verification techniques to ensure that routers are configured correctly. Distributed dependencies in wide-area routing cause small configuration mistakes or oversights to spur complex errors, which sometimes have devastating effects on global connectivity. These errors are often difficult to debug because they are sometimes only exposed by a specific message arrival pattern or failure scenario.
We present a tool that network operators can use to test BGP configuration for some common, elusive, and catastrophic errors. The tool checks configuration on an AS-wide level against a set of rules. These rules statically analyze the router configuration files and verify that specific constraints are satisfied. While the rules that the tool tests are by no means exhaustive, we have designed our tool in a way that allows for easy extensibility. We hope that the NANOG community will apply the tool to their own configuration files and suggest new rules and features that should be incorporated. While static analysis can catch many configuration errors, simulation and emulation are typically necessary to determine the precise scenarios that could expose runtime errors. Based on these observations, we propose the design of a BGP verification tool that uses a combination of static and dynamic analysis, present examples where it could be applied in practice, and describe future research challenges.

This presentation provides an overview of the BGP MED attribute:

There has been quite a disturbing development in the telecommunications industry during the past few months. More and more vendors seem to be abandoning the use of standard gigabit interface converters (GBICs). The GBIC interface standards were developed to allow mass production, greater quality control, and lower cost interfaces for a wide range of multi-vendor telecommunications equipment. The success of the existing GBIC deployment indicates this has worked very well to date. Basically, all of the mainstream network equipment vendors don't even make their own GBICs. They simply re-market a standard GBIC produced by one of the handful of GBIC manufacturers. Mixing and matching of these standardized GBICs between multi-vendor equipment is prevalent in the industry today. However, the new smaller form factor SFP GBICs have introduced a new "Vendor ID" field on the EPROM. Some mainstream equipment vendors are now starting to use this field to ensure that only the GBICs they re-sell are used in their network equipment. If another GBIC is used, the GBIC port will be disabled even though the GBIC you insert is identical (from the same OEM and production run) to the GBIC that is being re-marketed by the equipment vendor. This has potentially huge cost and support issues for our industry. This is especially true if equipment vendors decide not to grandfather the unrestricted use of the older existing GBICs -- which at least one vendor is planning. This talk presents a brief history and summarizes the current state of GBICs, and the GBIC standard, in the industry.