SlideShare ist ein Scribd-Unternehmen logo

AusNOG 2022: Measuring RPKI use in BGP

APNIC
APNIC

APNIC Chief Scientist Geoff Huston presents on measuring RPKI use in BGP at AusNOG 2022, held from 6 to 7 April 2022 in Sydney, Australia.

Internet
1 von 51
Downloaden Sie, um offline zu lesen
Measuring the Effectiveness of Route Origin Validation Filtering via Drop Invalids from the perspective of the End User using a Technique of Broad Scale Reachability Measurement Geoff Huston APNIC Labs
Measuring RPKI Geoff Huston APNIC
Measuring RPKI Geoff Huston APNIC Route Origin Validation Filtering!
Routing Security What’s “the objective” of routing security?
Routing Security What’s “the objective” of routing security? qProtect the routing system from all forms of operator mishaps? qProtect the routing system from some forms of operator mishaps? qProtect the routing system from all hostile attacks? qProtect the routing system from some hostile attacks? qPrevent the routing of bogus address prefixes? qPrevent the use of bogus AS’s in the routing system? qPrevent all forms of synthetic routes from being injected into the routing system? qPrevent unauthorised route withdrawal? qProtect users from being directed along bogus routing paths?
Let’s not be too ambitious! Enforcing rules to ensure that the routes carried in BGP are both protocol-wise accurate and policy-wise accurate is well beyond the capabilities of BGP and viable BGP control mechanisms * Route Origin Validation is designed to prevent BGP speakers from learning and preferring routes that are not authorised by the prefix holder The intent of not preferring unauthorised routes is to prevent users’ traffic from being steered along these bogus routes * BGP is not a deterministic protocol, but more of a negotiation protocol that attempts to find meta-stable ‘solutions to importer / export policy preferences simultaneously. Where the policies are incompatible the BGP “solution” is not necessarily reached deterministically and different outcomes will be seen at different times – see “BGP Wedgies” for an illustration of this form of indeterminism
Routing Security What’s “the objective” of routing security? qProtect the routing system from all forms of operator mishaps? qProtect the routing system from some forms of operator mishaps? qProtect the routing system from all hostile attacks? qProtect the routing system from some hostile attacks? qPrevent the routing of bogus address prefixes? qPrevent the use of bogus AS’s in the routing system? qPrevent all forms of synthetic routes from being injected into the routing system? qPrevent unauthorised route withdrawal? qProtect users from being directed along bogus routing paths?
Our Objective • To measure the “impact” of invalid route filtering on users • The question we want to answer here is user-centric: • What proportion of users can’t reach a destination when the destination route is invalid according to ROV? • We’d like to continue this as a long term whole-of-Internet measurement to track the increasing deployment of RoV filtering* over the coming months and years * “RoV filtering” is shorthand for “using RPKI validation of published Route Origination Attestations to detect and drop route objects that are invalid according to the conventional RoA interpretation”, which in practice means either the prefix is too specific (shorted than MaxLength) or has an origin AS which is not contained in a valid ROA
Production vs Consumption There are two aspects to this framework: • Generating ROAs to describe the intended origination of prefixes • Looking for those networks that will admit and propagate invalid routes • i.e.: those networks that are not performing some for of “drop invalid” filtering on BGP advertisements
Production Which national operator communities have been generating ROAs for their announced prefixes? https://stats.labs.apnic.net/roas
ROAs for Australian Networks
ROAs for individual networks 30%
ROAs for individual networks 50%
ROAs for individual networks 0.1%
Production vs Consumption • So we are looking at the uptake of the generation of ROAs • The next question is: Who is using these ROAs to determine whether to accept routes (or not!)
Measurement Approach If we are looking at the effectiveness of the secure routing system in blocking the ability to direct users along bogus routing paths, then this suggests a measurement approach: • Set up a bogus (RPKI RoV-invalid) routing path as the only route to a prefix • Direct a very large set of users from across the Internet to try to reach a web server located at this prefix • Use a ‘control’ of a valid routing path to the same destination • Measure and compare
Methodology qSet up a prefix and AS in a delegated RPKI repository • We used the Krill package to achieve this • It Just Worked! tm https://www.nlnetlabs.nl/projects/rpki/krill/
Counting RPKI Clients Number of Unique IP addresses per day performing a fetch from our RPKI repository
Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states # Flip to "good" at 00:00 on Fri/Mon/Thu 0 0 * * 1,4,5 /home/krill/.cargo/bin/krillc roas update --delta ./delta-in.txt > /tmp/krillc-in.log 2>&1 # Flip to "bad" at 12:00 on sat/Tue/Thu 0 12 * * 2,4,6 /home/krill/.cargo/bin/krillc roas update --delta ./delta-out.txt > /tmp/krillc-out.log 2>&1 These two scripts flip the ROA valid state between ‘good’ and’bad’ origin ASNs for the prifix
Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states qAnycast the prefix and AS pair in a number of locations across the Internet • We are using 3 locations: US (LA), DE (FRA), SG • We are using 3 transit providers • The server at this location delivers 1x1 blots • This is IPv4-only at this point
Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states qAnycast the prefix and AS pair in a number of locations across the Internet • We started by using 3 locations: US (LA), DE (FRA), SG • We then enlisted the assistance of a very large cloud provider and expanded this to more than 200 locations!
Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states qAnycast the prefix and AS pair in a number of locations across the Internet qLoad a unique URL that maps to the destination into a measurement script • The DNS component uses HTTPS and a unique DNS label component to try and ensure that the HTTP FETCH is not intercepted by middleware proxies
Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states qAnycast the prefix and AS pair in a number of locations across the Internet qLoad a unique URL that maps to the destination into a measurement script qFeed the script into the advertising systems • This is part of the larger APNIC Labs ad-based measurement system – this test is one URL in a larger collection of URLs
Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states qAnycast the prefix and AS pair in a number of locations across the Internet qLoad a unique URL that maps to the destination into a measurement script qFeed the script into the advertising systems qCollect and analyse data • We use the user record of successful fetch to avoid zombies and stalkers
Flipping ROA states • What’s a good frequency to flip states? • How long does it take for the routing system as a whole to learn that a previously valid route is now invalid? And how long for the inverse invalid to valid transition • Validity / Invalidity is determined by what is published at the RPKI publication point • Each transition is marked by revocation of the previous ROA’s EE certificate and the issuing of a new ROA and EE certificate • What’s the re-query interval for clients of a RPKI publication point? • There is no standard-defined re-query interval so implementors have exercised their creativity!
RPKI Publication Point Re- Query Intervals (first hour) 120 seconds is popular 600 seconds is also well used as is one hour What’s this?
Re-Query – Cumulative Distribution Within 2 hours we see 75% of clients perform a requery
Why the tail lag? https://grafana.wikimedia.org/d/UwUa77GZk/rpki?panelId=59 &fullscreen&orgId=1&from=now-30d&to=now Clients can take a significant amount of time to complete a pass through the entire RPKI distributed repository set, which makes the entire system sluggish to respond to changes
This is NOT scaling well https://grafana.wikimedia.org/d/UwUa77GZk/rpki?from=now- 30d&orgId=1&to=now&viewPanel=59 As more publication points and clients are added to the RPKI, the RPKI scanning function is getting slower (and more variable)
We use 12 and 36 hour held states for ROA validity The route object validity state cycles over a 7 day period in a set of 12 and 36 hour intervals
We use 12 and 36 hour held states view from stat.ripe.net
We use 12 and 36 hour held states BGP Play view of the routing changes
We used 12 and 36 hour states This shows the per-second fetch rate when the route is valid (green) and invalid (red) over a 7 day window The route validity switches are clearly visible ”invalid” route state ”valid” route state Weekly Measurement
Transition – Valid to Invalid It takes some 30 minutes for the valid to invalid transition to take effect in this measurement It appears that this is a combination of slow re-query rates at the RPKI publication point and some delays in making changes to the filters being fed into the routers This system is dependant on the last transit ISP to withdraw Time of ROA change at the RPKI repository
Transition – Invalid to Valid It takes some 5 minutes for the invalid to valid transition to take effect in this measurement This system is dependant on the first transit ISP to announce, so it tracks the fastest system to react Time of ROA change at the RPKI repository
RPKI “sweep” software • There is a mix of 2, 10 and 60 minute timers being used • 2 minutes seems like a lot of thrashing with little in the way of outcome – the responsiveness of the system is held back by those clients using longer re-query timers • 60 minutes seems too slow (I’d go with a 10 minute query timer as a compromise here)
User impact of RPKI filtering At 20% of users that’s a surprisingly large impact for a very recent technology However, nothing much has changed in the past 16 months!
Results: User Impact of RPKI filtering – Jul 2020 https://stats.labs.apnic.net/rpki
Results: User Impact of RPKI filtering – Oct 2020 https://stats.labs.apnic.net/rpki 74
Results: User Impact of RPKI filtering – Mar 2022 https://stats.labs.apnic.net/rpki
Turning on Drop Invalid Filtering
Australia % of AU users
Local ISPs
Does everyone have to play? There are two factors at play: • Networks that perform invalid route filtering and • Network that do not filter themselves, but are customers of transit providers who filter In either case the basic RPKI RoV objective is achieved, in that the users within these ISP networks are not exposed to invalid route objects
Next Steps for Measurement This is a work in progress and would benefit from more refinement, including: • Could we attempt selective traceroute from the anycast servers to identify the networks that are performing the RoV invalid filter drop? • The measurement setup detects the user impact but not the individual networks who are performing drop invalid. Selective traceroute may allow a better way to identify the point of invalid drop • Should we perform further analysis of BGP route updates in route collectors to determine route withdrawal and announcement patterns when RPKI validity changes? • What is the difference between the primary point of route withdrawal / announcement and the consequent propagation in eBGP to the surrounding networks?
Questions we might want to think about Stub vs Transit • Is it necessary for every AS to operate RPKI ROV infrastructure and filter invalid routes? • If not, what’s the minimal set of filtering networks that could provide similar levels of filtering for the Internet as a whole • What’s the marginal benefit of stub AS performing RPKI ROV filtering?
Questions we might want to think about (2) Ingress vs Egress • Should a stub AS RPKI only RoV filter its own announcements? • Should every AS filter their own announcements? • What’s more important: Protecting others who DON’T RoV filter from your operational mishaps or protecting yourself from the mishaps of others? • Does Partial Adoption change your answer?
Questions we might want to think about (3) Prefix vs AS attestations • Should an AS be able to enumerate ALL of its originations in a AS-signed attestation?
Questions we might want to think about (4) When and how will we protect the AS Path? • What is going in with the ASPA drafts in the IETF? • Is anyone experimenting with ASPA yet? • What is the benefit of Origination protection without AS Path protection?
What are we trying to achieve here? • If this is a routing protection measure then what are you trying to protect? From whom? From what threat? • If this is guard against operational errors then don’t forget that operational mishaps are endlessly varied, and we can’t foresee all possible causes of routing accidents! • If this is a user protection measure then the issue of route filtering is an issue for transit providers, not stub networks • A stub network should generate ROAs for its routes, but there is far less of an incentive to perform RoV invalid filtering if the stub’s upstreams / IXs are already performing this filtering • Is it more important for IXs and Transits to perform drop-invalids than for stubs?
Thanks!

Empfohlen

HKNOG 9.0: Measuring RPKI
HKNOG 9.0: Measuring RPKIHKNOG 9.0: Measuring RPKI
HKNOG 9.0: Measuring RPKIAPNIC
 
mnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKImnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKIAPNIC
 
btNOG 7: Measuring RPKI
btNOG 7: Measuring RPKIbtNOG 7: Measuring RPKI
btNOG 7: Measuring RPKIAPNIC
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessAPNIC
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challengesAPNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIAPNIC
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 

Empfohlen

HKNOG 9.0: Measuring RPKI
HKNOG 9.0: Measuring RPKIHKNOG 9.0: Measuring RPKI
HKNOG 9.0: Measuring RPKIAPNIC
 
mnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKImnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKIAPNIC
 
btNOG 7: Measuring RPKI
btNOG 7: Measuring RPKIbtNOG 7: Measuring RPKI
btNOG 7: Measuring RPKIAPNIC
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessAPNIC
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challengesAPNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIAPNIC
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
teste
testeteste
testeVeris Faculdades
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityAPNIC
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachBangladesh Network Operators Group
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
4th SDN Interest Group Seminar-Session 2-3(130313)
4th SDN Interest Group Seminar-Session 2-3(130313)4th SDN Interest Group Seminar-Session 2-3(130313)
4th SDN Interest Group Seminar-Session 2-3(130313)NAIM Networks, Inc.
 
Routing, Network Performance, and Role of Analytics
Routing, Network Performance, and Role of AnalyticsRouting, Network Performance, and Role of Analytics
Routing, Network Performance, and Role of AnalyticsAPNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringAPNIC
 
Spirent SDN and NFV Solutions
Spirent SDN and NFV SolutionsSpirent SDN and NFV Solutions
Spirent SDN and NFV SolutionsMalathi Malla
 
Spirent Accelerating SDN and NFV Deployments
Spirent Accelerating SDN and NFV DeploymentsSpirent Accelerating SDN and NFV Deployments
Spirent Accelerating SDN and NFV DeploymentsSailaja Tennati
 
PacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingPacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingAPNIC
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterRobb Boyd
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIAPNIC
 
LkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet RoutingLkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet RoutingAPNIC
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingAPNIC
 
Real-Time Streaming Protocol -QOS
Real-Time Streaming Protocol -QOSReal-Time Streaming Protocol -QOS
Real-Time Streaming Protocol -QOSJayaprakash Nagaruru
 
Open Source Networking Days- Service Mesh
Open Source Networking Days- Service MeshOpen Source Networking Days- Service Mesh
Open Source Networking Days- Service MeshCloudOps2005
 
E rou01 routing_basics
E rou01 routing_basicsE rou01 routing_basics
E rou01 routing_basicstanawan44
 
Managing Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesManaging Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesIftach Schonbaum
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 

Weitere ähnliche Inhalte

Ähnlich wie AusNOG 2022: Measuring RPKI use in BGP

NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
4th SDN Interest Group Seminar-Session 2-3(130313)
4th SDN Interest Group Seminar-Session 2-3(130313)4th SDN Interest Group Seminar-Session 2-3(130313)
4th SDN Interest Group Seminar-Session 2-3(130313)NAIM Networks, Inc.
 
Routing, Network Performance, and Role of Analytics
Routing, Network Performance, and Role of AnalyticsRouting, Network Performance, and Role of Analytics
Routing, Network Performance, and Role of AnalyticsAPNIC
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringAPNIC
 
Spirent SDN and NFV Solutions
Spirent SDN and NFV SolutionsSpirent SDN and NFV Solutions
Spirent SDN and NFV SolutionsMalathi Malla
 
Spirent Accelerating SDN and NFV Deployments
Spirent Accelerating SDN and NFV DeploymentsSpirent Accelerating SDN and NFV Deployments
Spirent Accelerating SDN and NFV DeploymentsSailaja Tennati
 
PacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingPacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingAPNIC
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterRobb Boyd
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIAPNIC
 
LkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet RoutingLkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet RoutingAPNIC
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingAPNIC
 
Open Source Networking Days- Service Mesh
Open Source Networking Days- Service MeshOpen Source Networking Days- Service Mesh
Open Source Networking Days- Service MeshCloudOps2005
 
E rou01 routing_basics
E rou01 routing_basicsE rou01 routing_basics
E rou01 routing_basicstanawan44
 
Managing Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesManaging Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesIftach Schonbaum
 

Ähnlich wie AusNOG 2022: Measuring RPKI use in BGP (20)

teste
testeteste
teste
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)Security
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
4th SDN Interest Group Seminar-Session 2-3(130313)
4th SDN Interest Group Seminar-Session 2-3(130313)4th SDN Interest Group Seminar-Session 2-3(130313)
4th SDN Interest Group Seminar-Session 2-3(130313)
 
Routing, Network Performance, and Role of Analytics
Routing, Network Performance, and Role of AnalyticsRouting, Network Performance, and Role of Analytics
Routing, Network Performance, and Role of Analytics
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
Spirent SDN and NFV Solutions
Spirent SDN and NFV SolutionsSpirent SDN and NFV Solutions
Spirent SDN and NFV Solutions
 
Spirent Accelerating SDN and NFV Deployments
Spirent Accelerating SDN and NFV DeploymentsSpirent Accelerating SDN and NFV Deployments
Spirent Accelerating SDN and NFV Deployments
 
PacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet RoutingPacNOG 24: Securing Internet Routing
PacNOG 24: Securing Internet Routing
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKI
 
LkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet RoutingLkNOG 3: Securing Internet Routing
LkNOG 3: Securing Internet Routing
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet Routing
 
Real-Time Streaming Protocol -QOS
Real-Time Streaming Protocol -QOSReal-Time Streaming Protocol -QOS
Real-Time Streaming Protocol -QOS
 
Open Source Networking Days- Service Mesh
Open Source Networking Days- Service MeshOpen Source Networking Days- Service Mesh
Open Source Networking Days- Service Mesh
 
E rou01 routing_basics
E rou01 routing_basicsE rou01 routing_basics
E rou01 routing_basics
 
Managing Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesManaging Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on Kubernetes
 

Mehr von APNIC

APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 

Mehr von APNIC (20)

APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 

Kürzlich hochgeladen

Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...SUHANI PANDEY
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiEscorts Call Girls
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...SUHANI PANDEY
 

Kürzlich hochgeladen (20)

Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 

AusNOG 2022: Measuring RPKI use in BGP

  • 1. Measuring the Effectiveness of Route Origin Validation Filtering via Drop Invalids from the perspective of the End User using a Technique of Broad Scale Reachability Measurement Geoff Huston APNIC Labs
  • 3. Measuring RPKI Geoff Huston APNIC Route Origin Validation Filtering!
  • 4. Routing Security What’s “the objective” of routing security?
  • 5. Routing Security What’s “the objective” of routing security? qProtect the routing system from all forms of operator mishaps? qProtect the routing system from some forms of operator mishaps? qProtect the routing system from all hostile attacks? qProtect the routing system from some hostile attacks? qPrevent the routing of bogus address prefixes? qPrevent the use of bogus AS’s in the routing system? qPrevent all forms of synthetic routes from being injected into the routing system? qPrevent unauthorised route withdrawal? qProtect users from being directed along bogus routing paths?
  • 6. Let’s not be too ambitious! Enforcing rules to ensure that the routes carried in BGP are both protocol-wise accurate and policy-wise accurate is well beyond the capabilities of BGP and viable BGP control mechanisms * Route Origin Validation is designed to prevent BGP speakers from learning and preferring routes that are not authorised by the prefix holder The intent of not preferring unauthorised routes is to prevent users’ traffic from being steered along these bogus routes * BGP is not a deterministic protocol, but more of a negotiation protocol that attempts to find meta-stable ‘solutions to importer / export policy preferences simultaneously. Where the policies are incompatible the BGP “solution” is not necessarily reached deterministically and different outcomes will be seen at different times – see “BGP Wedgies” for an illustration of this form of indeterminism
  • 7. Routing Security What’s “the objective” of routing security? qProtect the routing system from all forms of operator mishaps? qProtect the routing system from some forms of operator mishaps? qProtect the routing system from all hostile attacks? qProtect the routing system from some hostile attacks? qPrevent the routing of bogus address prefixes? qPrevent the use of bogus AS’s in the routing system? qPrevent all forms of synthetic routes from being injected into the routing system? qPrevent unauthorised route withdrawal? qProtect users from being directed along bogus routing paths?
  • 8. Our Objective • To measure the “impact” of invalid route filtering on users • The question we want to answer here is user-centric: • What proportion of users can’t reach a destination when the destination route is invalid according to ROV? • We’d like to continue this as a long term whole-of-Internet measurement to track the increasing deployment of RoV filtering* over the coming months and years * “RoV filtering” is shorthand for “using RPKI validation of published Route Origination Attestations to detect and drop route objects that are invalid according to the conventional RoA interpretation”, which in practice means either the prefix is too specific (shorted than MaxLength) or has an origin AS which is not contained in a valid ROA
  • 9. Production vs Consumption There are two aspects to this framework: • Generating ROAs to describe the intended origination of prefixes • Looking for those networks that will admit and propagate invalid routes • i.e.: those networks that are not performing some for of “drop invalid” filtering on BGP advertisements
  • 10. Production Which national operator communities have been generating ROAs for their announced prefixes? https://stats.labs.apnic.net/roas
  • 12. ROAs for individual networks 30%
  • 13. ROAs for individual networks 50%
  • 14. ROAs for individual networks 0.1%
  • 15. Production vs Consumption • So we are looking at the uptake of the generation of ROAs • The next question is: Who is using these ROAs to determine whether to accept routes (or not!)
  • 16. Measurement Approach If we are looking at the effectiveness of the secure routing system in blocking the ability to direct users along bogus routing paths, then this suggests a measurement approach: • Set up a bogus (RPKI RoV-invalid) routing path as the only route to a prefix • Direct a very large set of users from across the Internet to try to reach a web server located at this prefix • Use a ‘control’ of a valid routing path to the same destination • Measure and compare
  • 17. Methodology qSet up a prefix and AS in a delegated RPKI repository • We used the Krill package to achieve this • It Just Worked! tm https://www.nlnetlabs.nl/projects/rpki/krill/
  • 18. Counting RPKI Clients Number of Unique IP addresses per day performing a fetch from our RPKI repository
  • 19. Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states # Flip to "good" at 00:00 on Fri/Mon/Thu 0 0 * * 1,4,5 /home/krill/.cargo/bin/krillc roas update --delta ./delta-in.txt > /tmp/krillc-in.log 2>&1 # Flip to "bad" at 12:00 on sat/Tue/Thu 0 12 * * 2,4,6 /home/krill/.cargo/bin/krillc roas update --delta ./delta-out.txt > /tmp/krillc-out.log 2>&1 These two scripts flip the ROA valid state between ‘good’ and’bad’ origin ASNs for the prifix
  • 20. Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states qAnycast the prefix and AS pair in a number of locations across the Internet • We are using 3 locations: US (LA), DE (FRA), SG • We are using 3 transit providers • The server at this location delivers 1x1 blots • This is IPv4-only at this point
  • 21. Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states qAnycast the prefix and AS pair in a number of locations across the Internet • We started by using 3 locations: US (LA), DE (FRA), SG • We then enlisted the assistance of a very large cloud provider and expanded this to more than 200 locations!
  • 22. Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states qAnycast the prefix and AS pair in a number of locations across the Internet qLoad a unique URL that maps to the destination into a measurement script • The DNS component uses HTTPS and a unique DNS label component to try and ensure that the HTTP FETCH is not intercepted by middleware proxies
  • 23. Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states qAnycast the prefix and AS pair in a number of locations across the Internet qLoad a unique URL that maps to the destination into a measurement script qFeed the script into the advertising systems • This is part of the larger APNIC Labs ad-based measurement system – this test is one URL in a larger collection of URLs
  • 24. Methodology qSet a prefix and AS in a delegated RPKI repository qRegularly revoke and re-issue ROAs that flip the validity state between valid and invalid states qAnycast the prefix and AS pair in a number of locations across the Internet qLoad a unique URL that maps to the destination into a measurement script qFeed the script into the advertising systems qCollect and analyse data • We use the user record of successful fetch to avoid zombies and stalkers
  • 25. Flipping ROA states • What’s a good frequency to flip states? • How long does it take for the routing system as a whole to learn that a previously valid route is now invalid? And how long for the inverse invalid to valid transition • Validity / Invalidity is determined by what is published at the RPKI publication point • Each transition is marked by revocation of the previous ROA’s EE certificate and the issuing of a new ROA and EE certificate • What’s the re-query interval for clients of a RPKI publication point? • There is no standard-defined re-query interval so implementors have exercised their creativity!
  • 26. RPKI Publication Point Re- Query Intervals (first hour) 120 seconds is popular 600 seconds is also well used as is one hour What’s this?
  • 27. Re-Query – Cumulative Distribution Within 2 hours we see 75% of clients perform a requery
  • 28. Why the tail lag? https://grafana.wikimedia.org/d/UwUa77GZk/rpki?panelId=59 &fullscreen&orgId=1&from=now-30d&to=now Clients can take a significant amount of time to complete a pass through the entire RPKI distributed repository set, which makes the entire system sluggish to respond to changes
  • 29. This is NOT scaling well https://grafana.wikimedia.org/d/UwUa77GZk/rpki?from=now- 30d&orgId=1&to=now&viewPanel=59 As more publication points and clients are added to the RPKI, the RPKI scanning function is getting slower (and more variable)
  • 30. We use 12 and 36 hour held states for ROA validity The route object validity state cycles over a 7 day period in a set of 12 and 36 hour intervals
  • 31. We use 12 and 36 hour held states view from stat.ripe.net
  • 32. We use 12 and 36 hour held states BGP Play view of the routing changes
  • 33. We used 12 and 36 hour states This shows the per-second fetch rate when the route is valid (green) and invalid (red) over a 7 day window The route validity switches are clearly visible ”invalid” route state ”valid” route state Weekly Measurement
  • 34. Transition – Valid to Invalid It takes some 30 minutes for the valid to invalid transition to take effect in this measurement It appears that this is a combination of slow re-query rates at the RPKI publication point and some delays in making changes to the filters being fed into the routers This system is dependant on the last transit ISP to withdraw Time of ROA change at the RPKI repository
  • 35. Transition – Invalid to Valid It takes some 5 minutes for the invalid to valid transition to take effect in this measurement This system is dependant on the first transit ISP to announce, so it tracks the fastest system to react Time of ROA change at the RPKI repository
  • 36. RPKI “sweep” software • There is a mix of 2, 10 and 60 minute timers being used • 2 minutes seems like a lot of thrashing with little in the way of outcome – the responsiveness of the system is held back by those clients using longer re-query timers • 60 minutes seems too slow (I’d go with a 10 minute query timer as a compromise here)
  • 37. User impact of RPKI filtering At 20% of users that’s a surprisingly large impact for a very recent technology However, nothing much has changed in the past 16 months!
  • 38. Results: User Impact of RPKI filtering – Jul 2020 https://stats.labs.apnic.net/rpki
  • 39. Results: User Impact of RPKI filtering – Oct 2020 https://stats.labs.apnic.net/rpki 74
  • 40. Results: User Impact of RPKI filtering – Mar 2022 https://stats.labs.apnic.net/rpki
  • 41. Turning on Drop Invalid Filtering
  • 44. Does everyone have to play? There are two factors at play: • Networks that perform invalid route filtering and • Network that do not filter themselves, but are customers of transit providers who filter In either case the basic RPKI RoV objective is achieved, in that the users within these ISP networks are not exposed to invalid route objects
  • 45. Next Steps for Measurement This is a work in progress and would benefit from more refinement, including: • Could we attempt selective traceroute from the anycast servers to identify the networks that are performing the RoV invalid filter drop? • The measurement setup detects the user impact but not the individual networks who are performing drop invalid. Selective traceroute may allow a better way to identify the point of invalid drop • Should we perform further analysis of BGP route updates in route collectors to determine route withdrawal and announcement patterns when RPKI validity changes? • What is the difference between the primary point of route withdrawal / announcement and the consequent propagation in eBGP to the surrounding networks?
  • 46. Questions we might want to think about Stub vs Transit • Is it necessary for every AS to operate RPKI ROV infrastructure and filter invalid routes? • If not, what’s the minimal set of filtering networks that could provide similar levels of filtering for the Internet as a whole • What’s the marginal benefit of stub AS performing RPKI ROV filtering?
  • 47. Questions we might want to think about (2) Ingress vs Egress • Should a stub AS RPKI only RoV filter its own announcements? • Should every AS filter their own announcements? • What’s more important: Protecting others who DON’T RoV filter from your operational mishaps or protecting yourself from the mishaps of others? • Does Partial Adoption change your answer?
  • 48. Questions we might want to think about (3) Prefix vs AS attestations • Should an AS be able to enumerate ALL of its originations in a AS-signed attestation?
  • 49. Questions we might want to think about (4) When and how will we protect the AS Path? • What is going in with the ASPA drafts in the IETF? • Is anyone experimenting with ASPA yet? • What is the benefit of Origination protection without AS Path protection?
  • 50. What are we trying to achieve here? • If this is a routing protection measure then what are you trying to protect? From whom? From what threat? • If this is guard against operational errors then don’t forget that operational mishaps are endlessly varied, and we can’t foresee all possible causes of routing accidents! • If this is a user protection measure then the issue of route filtering is an issue for transit providers, not stub networks • A stub network should generate ROAs for its routes, but there is far less of an incentive to perform RoV invalid filtering if the stub’s upstreams / IXs are already performing this filtering • Is it more important for IXs and Transits to perform drop-invalids than for stubs?