This document discusses strengthening internet infrastructure in the Philippines. It begins by noting the growth in ASN holders in the Philippines from 2014 to 2018. It then discusses changes to the internet infrastructure, such as the shift from a centralized transit model to a more distributed peering model. The rest of the document focuses on ways to improve network capabilities, such as improving traffic management, interconnection, protocol usage, and security. It also discusses improving the capabilities of individuals, teams, and communities who work on internet infrastructure. The document provides recommendations in each of these areas and lists additional resources for further information.
2. Before we start
• Who's here?
Telco
ISP / cable TV
Data centre / cloud
University / research
Corporate
Platform provider (Google / Facebook / Microsoft, Alibaba etc.)
3. Four years ago (2014)
• Celebrating the Philippines' 20-year Internet anniversary
• Spoke about the same topic of strengthening the Philippines' Internet
Focused on the quantity of network nodes
• ASN holders in Philippines have grown by around 50% since
4. ASN holders in Philippines
• 300 ASNs managed by 153 organizations (as of 31 Mar 2014)
• 416 ASNs managed by 230 organizations (as of 30 Jun 2018)
[Charts: ASN holders by economy (Indonesia, Thailand, Singapore, Philippines, Vietnam, Malaysia, Cambodia, Myanmar, Lao), as of 31 Mar 2014 and as of 30 Jun 2018]
9. Overview
• Internet infrastructure
Definition
Changes to the Internet infrastructure
• Improving network capabilities
Traffic management
Interconnection
Protocols
Security
• Improving people capabilities
Individual
Team
Community
10. Internet infrastructure
• In this presentation, Internet infrastructure means layer 3 and below
[Figure: the Open Systems Interconnection (OSI) model, labelled 'Layer 3 and below']
11. Changes to the Internet infrastructure
• From Geoff Huston's (APNIC Chief Scientist) presentation at APRICOT
2017 titled 'The Death of Transit'
21. Strengthening Internet infrastructure
• Given the changing architecture of the Internet, what does it take to
strengthen its infrastructure (layer 3 and below)?
• How can we build and operate a fast, reliable, and secure infrastructure
that meets the 'upper layers' needs?
23. Traffic management
• Monitor
Flow direction and timing
Load pattern (Continuous vs diurnal vs unpredictable)
Symmetric vs Asymmetric
Synchronous vs Asynchronous
• Control
Bandwidth provisioning that matches each application's needs
Dynamically adjust as patterns change
• Tools
Use a mix of commercial and open source software that fits your budget
24. Interconnection
• External
Choice of upstreams (yes, it's OK to connect to multiple upstreams)
Peering
Direct interconnect or through IXP
Bilateral or multilateral
• Internal
Network topology design
To support your specific traffic profile
To provide internal path redundancy
25. Protocols
• Can you survive with the limited number of IPv4 addresses?
Should you consider IPv6?
• What routing protocols to use?
External: BGP or static routing?
Internal: OSPF, IS-IS, RIPv2 or EIGRP?
• New protocols to be aware of
QUIC (it's like TCP+TLS+HTTP/2 implemented on UDP)
TCP BBR for congestion control
26. Security
• In today's conditions, never treat security as an afterthought
• Routing: Follow IETF's BCP38 (Network Ingress Filtering) and MANRS
(Mutually Agreed Norms for Routing Security) currently promoted by
ISOC
• Firewalls: Watch and block malicious traffic at the borders
• Intrusion and malware detection: Observe internal traffic from/to every
device (or use tools such as Darktrace and FireEye) and escalate any
anomalies found
• Regular off-line backups to ensure recovery from untainted source
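An added example (not from the original slides) of the source-address check that BCP38 ingress filtering asks an operator to apply at the customer edge. The interface names, prefixes and flow records are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed data: prefixes assigned to each customer-facing interface
# (hypothetical names; addresses are from documentation ranges).
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

# Constructed flow records: (ingress interface, source address).
FLOWS = [
    ("cust-a", "192.0.2.10"),       # inside cust-a's /25
    ("cust-a", "192.0.2.200"),      # same /24, but outside the assigned /25
    ("cust-a", "2001:db8:a:1::5"),  # inside cust-a's IPv6 /48
    ("cust-b", "198.51.100.77"),    # inside cust-b's /24
    ("cust-b", "192.0.2.10"),       # cust-a's address arriving from cust-b
    ("cust-b", "10.1.2.3"),         # private address, never assigned here
    ("cust-c", "198.51.100.1"),     # interface with no prefix list at all
]

def build_filters(table):
    """Parse prefix lists once; strict=True rejects entries with host bits set."""
    return {ifname: [ipaddress.ip_network(p, strict=True) for p in prefixes]
            for ifname, prefixes in table.items()}

def ingress_verdict(filters, ifname, src):
    """Permit only sources inside a prefix assigned to the ingress interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"                    # unparseable source address
    nets = filters.get(ifname)
    if nets is None:
        return "drop"                    # unknown interface: fail closed
    if any(addr.version == n.version and addr in n for n in nets):
        return "permit"
    return "drop"                        # source not assigned to this customer

def spoofed_by_interface(filters, flows):
    """Count dropped (spoofed or unassigned) sources per ingress interface."""
    drops = Counter(ifname for ifname, src in flows
                    if ingress_verdict(filters, ifname, src) == "drop")
    return dict(drops)

FILTERS = build_filters(CUSTOMER_PREFIXES)

if __name__ == "__main__":
    for ifname, src in FLOWS:
        print(f"{ifname:7} {src:18} {ingress_verdict(FILTERS, ifname, src)}")
    print(spoofed_by_interface(FILTERS, FLOWS))
```

On a production edge the same rule is enforced by the router itself, through per-customer source-address ACLs or unicast reverse-path forwarding, rather than by a script.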
28. Individual
• Train regularly
Train at least two people for every skill set
Vendor certifications
Practical operational skills
• Specialization
Avoid investing in specialised skills that can be automated in the future
Train to become a 'polymath' (a person whose expertise spans a significant
number of different subject areas)
• Programming/automation skill is key in operating a network
Know how to write, test and deploy code, or
Know how to specify and get it written, tested and deployed
29. Team
• Segregate the operations team from the development team for improved stability
Rotate roles if possible to spread experience across all team members
• Establish an incident response team
Follow best practices in managing security incidents
• Adopt standard practices such as ITSM/ITIL, ISO 27001, etc. that suit
your organization
Source: NIST Computer Security Incident Handling Guide
30. Community
• PHNOG!
Share operational experience; learn new things
• Security
DICT National Cybersecurity Plan 2022: Build CERT capabilities at every level
and sector (National, Govt, Military, Corporation, etc.)
• Policy and Governance
Take part in policy discussions in the region and globally
Ensure that the local situation and needs are considered
Policies and regulations are best if discussed in a bottom-up fashion involving
multiple stakeholders
31. Resources
• https://www.apnic.net
/ipv6 - Information about IPv6 and deployment case studies
/security - Learn more about APNIC security related works
/training - Training curriculum and schedule
/policy - Latest policy documents on Internet numbers (ASN & IP address)
/blog - Lots of useful articles for network operators
/vizas - AS interconnections visible on the global routing table (by economy)
/helpdesk - We're here to help!