Proposed session/track on routing and traffic security with talks from MANRS and several Cloud/CDN providers
Session title: Internet Routing and Traffic Security – A view from Cloud and CDN Providers
Session length: 80-90 min (4 x 20-25 min)
Speakers (order TBD):
Andrei Robachevsky (MANRS)
Anees Shaikh (Google)
Fredrik Korsbäck (AWS)
Somesh Chaturmohta (Microsoft)
Routing and traffic security is one of the top challenges faced by the Internet today. A reliable and secure Internet is essential for society, but the trust model on which connectivity is based has eroded through BGP hijacks, routing misconfigurations, and DDoS attacks. While the Internet community has pursued several practical mechanisms to protect the Internet from these vulnerabilities, it is clear that the pace of adoption and deployment needs to increase further. Cloud and CDN providers are subject to these same issues, and also have some unique challenges that have led to collaborations in forums such as MANRS to introduce additional best practices. This session includes perspectives from several cloud and content providers to share their progress and experience implementing routing and traffic security to protect the Internet, and highlight how they are working with the wider Internet community toward the same goal.
Title: How AWS is helping to secure internet routing (Tentative)
Speaker: Fredrik Korsbäck
Bio: Fredrik Korsbäck is a Senior Infrastructure Business Developer in the AWS Networking team, primarily taking care of the peering network in Europe. Fredrik is passionate about routing security and has been part of the Internet routing security community for a long time, enrolling three ISPs over the years into the MANRS programme.
Summary/Abstract: To help put an end to BGP hijacking, AWS has been working closely with other industry leaders to make the use of Resource Public Key Infrastructure (RPKI) to digitally sign route announcements an industry-wide standard practice. This is not a simple process, and it has taken lots of time, effort, and cooperation. We are happy to have had over 99% of our IPv4 and IPv6 space covered under a Route Origination Authorization for two years, and that we are right now dropping RPKI invalid routes in every single Point-of-Presence for AS16509. In this talk we will look at how we did it and what we believe the future holds.
Title: Building reliable RPKI infrastructure for large-scale networks and protecting the network against DDoS (Tentative)
Speaker: Somesh Chaturmohta
Bio: Somesh Chaturmohta is a Principal Software Engineering Manager in the Microsoft Global Networking team, responsible for managing the Microsoft Edge Network. He has been leading the Microsoft Edge Network team for more than 3 years and is currently working on the software-defined Edge. Prior to this, Somesh was leading the Azure Accelerated Networking program, where he built a software-defined networking stack for FPGA-based NICs. Somesh has more than 15 years of experience building various software-defined network controllers for cloud-scale networks.
Summary/Abstract: Microsoft operates one of the largest global networks in the world, connecting over 190 Microsoft Edge (PoP) locations and 61+ Azure regions. Protecting the Internet on this large-scale network comes with unique challenges. In this talk, we talk about how at Microsoft we have deployed a reliable RPKI infrastructure and the steps we are taking to protect the network against DDoS.
Title: A multi-pronged approach for securing Internet routing (Tentative)
Speaker: Anees Shaikh
Bio: Anees Shaikh is a Principal Software Engineer with the Global Networking team at Google where he works on software systems that support traffic control, routing security, network management, and cloud networking. He is also active in a number of open source and industry efforts, including OpenConfig and MANRS. Prior to Google, Anees was the Chief SDN Architect at IBM where he was responsible for IBM's software-defined networking product architecture and technical strategy.
Summary/Abstract: Protecting networks and users from Internet routing disruptions cannot be achieved with a single “silver bullet” solution – the threats are varied, and require development and deployment of multiple technical capabilities. Google has deployed a combination of mechanisms, including route filtering systems, public registrations to enable correctness checks by other networks, and monitoring systems that provide early detection when routes are hijacked. We have also emphasized collaboration with the wider Internet operator community to improve data hygiene to enable all networks to deploy practical security mechanisms.