2. Overview
• Internet infrastructure
• Criteria for a strong Internet infrastructure
– Robust network ecosystem
– Adoption of network operations best practices
• Internet Infrastructure in Sri Lanka
• Network operations best practices
3. About the Internet
• The Internet is an interconnecting networks – “the network of
networks”
• Every device on the Internet requires an address (IP address)
so it can be found by other devices to send and receive data
• IPv4: 66.220.144.0
• IPv6: 2a03:2880:11:2f83:face:b00c:0:25de
• Independent networks manage their own IP address space,
and interconnect with other networks using BGP and
Autonomous System Numbers (ASN)
5. Who operate these networks?
Current industry mix in AP region. Other regions may vary
September 2019
Internet service provider (ISP)
Hosting/Data centre
Telecommunications/Mobile operator
Enterprise/Manufacturing/Retail
Banking/Financial
Academic/Educational/Research
Software vendor
Government/Regulator/Municipality
Media/Entertainment
Industrial (construction, mining, oil)
Infrastructure (transport/hospital)
Non-profit/NGO/Internet community
Other
Internet exchange point (IXP)
Hardware vendor
Domain name registry/Registrar
6. What does the Internet look like?
• Networks worldwide
interconnect to form the
Internet. They include ISPs,
Data Centres, Internet
Exchange Points,
Universities, Corporate
networks, etc.
• Each dot represents an AS
• There are 65,000+ ASNs
currently active in the
Internet
Credit: Cogeco Peer 1
8. Strong Internet Infrastructure
• A healthy ecosystem of inter-dependent networks
– Service providers
• Telcos, International Gateways, ISPs, Data Center/Cloud providers, Content
Delivery Networks, Media, Applications etc.
– Consumer & corporate networks
• Consumers: Mobile phones, Public WiFi, Home networks
• Corporate: Office, building, campus, branch, plant, sensor networks
• Network operations best practices
– Adopted by all types of network
19. Number Registry
• Internet number resource management
• Accurate and updated public records (Whois/RDAP)
– APNIC delegation
– Customer delegation
• Responsive IRT (Incident Response Team) contacts
• Reverse DNS management
• Awareness and compliance to policies
20. Internet Routing
• Peering
– Peer with as many networks (ISPs, CDNs, etc) as you can
– Keep local traffic local to improve end user experience
• You IPv6 peering should be a mirror of your IPv4 peering (where possible)
21. Internet Routing
• BGP session – for every peer/transit
– Enable BGP TTL security (RFC 5082 – Generalized TTL Security
Mechanism)
– At least enable BGP MD5 Auth where your router OSes don’t support
TCP AO (RFC 5925 TCP Authentication Option)
22. Internet Routing
• BGP announcement
– Announce your aggregates
– Announce more specifics only where you have traffic engineering
needs
• Ex - If you have a /18, it is fine to announce 4x/20s or 8 x/21s based on the number
of uplinks you have …. But
• There is NO need to de-aggregate down to 64x/24s!
23. Internet Routing
• BGP filtering
– Prefix filters
• For both Inbound/Outbound announcements
• Set maximum prefix limit for routes received from your peers
• Do not accept bogons or your own prefixes!
– AS PATH filters
• Do not announce/accept private ASNs (BGP customers may use private ASNs, but
strip it before announcing their routes to peers and upstreams)
• Enforce the first ASN in the AS_PATH to be your direct peer (bgp enforce-
first-as)
• Limit AS_PATH length for prefixes you receive (Current average path is about 5~7
ASNs deep)
24. Internet Routing
• BGP filtering
– Filter inbound announcements using RPKI ROAs
• Create and publish your ROAs (Route Origin Authorizations)
• Ask your downstream/peers to create ROAs for their resources
• Use BGP ROV (Route Origin Validation) for ROA based filtering (e.g. drop invalid
ROAs)
25. Internet Routing
• BGP behavior
– Change from default permit to default reject to prevent route leaks
– RFC 8212
• Currently only supported IOS-XR (all versions), BIRD (2.0.1 onwards), SR-OS
(19.5.1 onwards), OpenBGPD (6.4 onwards)
• Push your vendors!
– If your OS does not support it
• Shut the BGP session with the peer (group) during configuration
• Define and apply explicit export and import policies to the eBGP peers
• Then no-shut the BGP session
26. Network Security
• DNSSEC (forward and reverse DNS)
• MANRS (Mutually Agreed Norms for Routing Security)
– BCP 46: Recommended Internet Service Provider Security Services and
Procedures
– BCP 38: Network Ingress Filtering
– IRR
• RPKI & its applications
– Digital certificates
– ROA
– RTA
27. Network Security
• DNS
– DNSSEC for integrity
– Last mile features like DoH/DoT for privacy
– Aggressive NSEC caching to prevent DOS attacks against
authoritative servers
– Passive DNS
28. Network Security
• Traffic filtering
– BCP38 (RFC 2827) – ingress filtering
• Strict uRPF is the norm
– BCP84 (RFC 3704) – ingress filtering for multihomed networks
• Loose uRPF is the norm
29. Network Security
• Traffic filtering – IPv6 specific
– Extension Headers are dangerous
• But if you drop fragments, things like DNSSEC breaks
– Recommendation:
• Drop IPv6 fragments that that do not have upper-layer headers in the first fragment
(RFC 7112/RFC 8200)
• Drop fragments destined for your network nodes (but allow fragments to end users)
30. Network Security
• Traffic filtering – IPv6 specific
– Filtering ICMPv6 will break IPv6
• Rate limit ICMPv6 instead of dropping them!
– Do what you did for IPv4 traffic with IPv6 traffic
• ACLs/filters
• Harden hosts and applications
• Use crypto protections where necessary/critical
31. Network Security
• Security concepts
– Always start with zero-trust
– Put your firewalls closer to or in front of your services (not in the network
backbone or at the network perimeter)
• Users inside your network and from outside have to go through the firewall
• Firewalling in the backbone will reduce its throughput
• Ex: The best-known firewall has an inspected throughput of 20Gbps, while 100-400G
backbone bandwidths are becoming a norm. You will slow down your backbone by
~300Gbps just for security
– Anycast your critical services for resiliency
• E.g. your DNS
32. Network Security
• Security concepts
– Know the normal, to know what is abnormal
• Monitor – NMS tools, IDS tools, etc
– Profile your network
• Netflow
– Share and Learn from the community
• NOGs, APRICOT/APNIC conferences