
RIPE 76 Sees Strong Focus on Routing Security

The RIPE 76 meeting is happening this week in Marseille, France, held at the fantastic location of the Palais du Pharo overlooking Marseille’s Old Port. And it’s also another record attendance with over 850 people registered.

The first couple of days have primarily been devoted to plenary sessions, and there’s been a big focus on routing security. Erik Bais (A2B Internet) kicked off the discussion with a presentation on ‘Why are we still seeing DDoS traffic?’, which highlighted that DDoS attacks are still originating from the same networks. Looking at the list of the worst offenders, there’s even one amongst the regular RIPE attendees, and he called for networks to clean up their acts. This was also a good opportunity to highlight the MANRS initiative, which of course includes measures to mitigate amplification attacks, and encourages networks to make good routing practices the norm.

Alexander Azimov (Qrator Labs) reinforced this message by outlining the current problems with BGP, including the ongoing route leaks and hijacks affecting the Internet. There are currently only moral obligations not to use other providers’ address space or to support anti-spoofing policies, yet major providers (including Tier 1 providers) continue to both originate and accept incorrect routes. There are things that can be done to mitigate this, such as implementing IRR filters and ROA validation, but even then only around 10% of prefixes are covered by a ROA, and a percentage of these are incorrect and therefore invalid. Network operators need to be doing better.

Job Snijders (NTT) also made the case for filtering, and highlighted the use of Internet Routing Registries (IRRs) as a source for generating customer prefix filters. IRR sources are offered by the Regional Internet Registries, but also by third parties such as RADB, NTT and ALTDB. However, IRRs differ in terms of purpose, policy and validation, and still rely on network operators entering correct and legitimate information. This issue, particularly with certain IRRs, needs to be addressed, and RPKI deployment needs to increase so that incorrect IRR data can be identified and ignored.
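To make the ROA validation referred to in these two talks concrete, here is an added example (written for this page, not code from any of the presenters) implementing the RFC 6811 route origin validation states over a constructed ROA set: a route is ‘valid’ only if a covering ROA lists its origin AS and the announced prefix is no longer than that ROA’s maxLength, ‘invalid’ if ROAs cover the prefix but none matches, and ‘not-found’ if no ROA covers it. The prefixes and AS numbers are documentation ranges chosen for illustration.

```python
import ipaddress

# Constructed ROA set for the example (not real RPKI data):
# (ROA prefix, maxLength, authorised origin ASN)
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),   # allows /22, /23 and /24 announcements only
    ("2001:db8::/32", 48, 64496),
]


def covering_roas(prefix, roas):
    """Return the ROAs whose prefix covers the announced prefix (RFC 6811 'covering')."""
    net = ipaddress.ip_network(prefix, strict=False)
    out = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        # subnet_of() raises on mixed address families, so compare versions first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append((roa_net, max_len, asn))
    return out


def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"          # no ROA says anything about this prefix
    for _roa_net, max_len, asn in covering:
        # Origin must match AND the announcement must not be more specific
        # than maxLength; a more-specific announcement is a classic hijack shape.
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def filter_announcements(announcements, roas=ROAS, drop_invalid=True):
    """Apply the common operator policy: drop 'invalid', accept 'valid' and 'not-found'.

    announcements is a list of (prefix, origin_asn); the result keeps the state.
    """
    kept = []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        if state == "invalid" and drop_invalid:
            continue
        kept.append((prefix, asn, state))
    return kept
```

Accepting ‘not-found’ routes is what makes the low ROA coverage mentioned above matter: a hijack of a prefix with no ROA cannot be detected by origin validation at all.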

That left Martin Winter (Hurricane Electric) to present the Real-Time Monitoring BGP Toolkit, which is able to monitor for BGP errors and hijacks. This offers a looking glass service compiled from multiple sources around the world, thereby enabling comparison of active BGP routes against known registered routes. The initial tests have revealed some interesting results, such as the ongoing use of deprecated BGP attributes, malformed 4-byte AS implementations, and repeated re-advertisement of the same routes. The tool can be found at https://rt-bgp.he.net.

Other highlights from the first couple of days included a lightning talk from Jordi Palet (Consulintel), who introduced HTTP/2, QUIC and DOH. Internet traffic is increasingly moving to HTTP/HTTPS because networks are restricting traffic to these protocols, but the DNS is not yet using this. However, the IETF DNS over HTTPS (DOH) Working Group has been standardising the encoding of DNS queries and responses over HTTPS, which aims to enable DNS Privacy over paths where DNS-over-(D)TLS has issues.

HTTP/2 can reduce the number of round-trips, and avoid blocking by using parallel streams and discarding the unwanted ones, so offers a faster web experience. QUIC can decrease latency, avoid packet loss blocking all streams (as with HTTP/2) and makes connections possible over different interfaces.

Our colleague Jan Žorž, along with Benno Overreinder (NLnet Labs), also chaired the BCOP Task Force on Monday. There were a couple of proposals for developing BCOPs – the first on DNS Privacy recommendations for operators from Sara Dickinson, and the second on running E-mail servers on IPv6 from Sander Steffann.

For those of you who cannot attend the RIPE meeting in person, just a reminder that remote participation is available with audio and video streaming and also a jabber chat room.

The full programme can be found at https://ripe76.ripe.net/programme/meeting-plan/


RIPE 76 dans le Midi

The RIPE 76 meeting starts next week in Marseille, which surprisingly is only the second RIPE meeting to have ever been held in France. RIPEs are always a key event for the Internet Society, with one of our colleagues, Jan Žorž, being a member of the RIPE Programme Committee, and another, Salam Yamout, being a member of the RIPE NCC Board. Andrei Robachevsky will be presenting during the Connect Working Group, and I’ll be there reporting on the highlights of the meeting, as well as staffing the MANRS stand on Thursday, so please come and say hello!

The Internet Society is also sponsoring the new RIPE on-site childcare service, whilst on Thursday we’ll be raising awareness of the MANRS initiative by organising a lunch for MANRS advocates, as well as having a stand in the exhibition area with goodies such as MANRS t-shirts and stickers.

The RIPE meeting is back to its usual Monday morning start after Dubai, and there are three tutorials to choose from: Event-driven Network Automation and Orchestration using Salt (Mircea Ulinic), SRv6 Network Programming (Pablo Camarillo Garvia, Cisco), or IPv6 Security (Alvaro Vives, RIPE NCC).

The opening plenary commences at 14.00 CEST/UTC+2, and after the introductions there are three presentations to follow. Artyom Gavrichenkov (Qrator Labs) usually provides good value for money, and kicks off with the lessons learned from the Memcache Amplification DDoS attack. Randy Bush (IIC/Arrcus) then makes a return to the RIPE stage with a talk about routing in massive data centres employing Clos architectures, followed by Pere Barlet-Ros (Universitat Politecnica de Catalunya), who will present his work on network traffic classification using NetFlow/IPFIX. The session concludes with lightning talks (to be announced).

Jan, along with Benno Overreinder (NLnet Labs), will again be chairing the BCOP Task Force on Monday evening starting at 18.00 CEST/UTC+2. There’s a couple of new BCOPs up for discussion – one on DNS Privacy (led by Sara Dickinson) and another on running E-mail servers on IPv6 (Sander Steffann). As always, the Task Force is looking for volunteers who can help contribute their knowledge and experience to these BCOPs.

Tuesday is mostly plenaries, but there are several talks on BGP security during the first session (09.00-10.30 CEST/UTC+2). Then check out the talk from Geoff Huston (APNIC) on TCP and BBR, a recent TCP delay-controlled flow algorithm developed by Google, along with the other talks on improving TCP performance, which is the focus of the session before lunch (11.00-12.30 CEST/UTC+2). The last session of the day (16.00-17.30 CEST/UTC+2) has a presentation about a large-scale deployment of Lightweight 4over6 (lw4o6) in Greece, an extension to DS-Lite that is able to transport IPv4 packets over an IPv6-only network.

We also need to mention the Operators and IETF BoF on Tuesday evening (18.00-19.00 CEST/UTC+2) which will be a panel discussion on how input and feedback from the RIPE community to the IETF can be increased, and better incorporated into the standards process. This is a great opportunity to meet with the IESG and IAB members and put forward any concerns about how well the IETF is meeting the needs of network operators.

Wednesday then sees the start of the Working Group sessions, and Andrei will be presenting the MANRS IXP programme during the Connect Working Group that runs from 11.00 to 12.30 CEST/UTC+2. It’s also worth highlighting the DNS Working Group, which is somewhat confusingly split into two non-contiguous sessions this time – one from 09.00-10.30 and the other from 14.00-15.30 CEST/UTC+2 – but there’s a big focus on DNS Privacy developments, not least because DNS-over-TLS resolvers are being trialled during this RIPE meeting. There will also be an update on DNSSEC rollovers, and improving DNS performance over TCP.

The Working Groups continue on Thursday, and there’s a couple of interesting presentations during the Routing Working Group (09.00-10.30 CEST/UTC+2) on neutralising BGP hijacking, and on a new Internet Draft which aims to improve the practical function of RPKI through so-called ‘AS-Cones’. There’s then a choice of the Internet-of-Things or IPv6 Working Groups during the afternoon starting at 14.00 CEST/UTC+2, before the day is rounded off by a BoF on IPv6 address allocations and ASN assignments for governments and how RIPE policies might better support large entities that are often comprised of many independent sub-organisations with their own connections to the Internet.

Friday morning features the regular RIPE NCC report and RIPE meeting summary, but Gilles Roudiere (LAAS-CNRS) will also be talking about using traffic snapshots to detect DDoS attacks, and there will be additional lightning talks (to be announced) before the meeting wraps up.

For those of you who cannot attend in person – there is remote participation available with audio and video streaming and also a jabber chat room, so everyone is welcome to participate!

The full programme can be found at: https://ripe76.ripe.net/programme/meeting-plan/