SlideShare uma empresa Scribd logo

Routing Security - its importance and status in South Asia

Bangladesh Network Operators Group
Bangladesh Network Operators Group

Routing Security - its importance and status in South Asia

Internet
1 de 25
Baixar para ler offline
Internet Society © 1992–2019 What is the problem? And what are we trying to fix? Routing Security – Its importance and status in South Asia Aftab Siddiqui Senior Manager, Internet Technology siddiqui@isoc.org Presentation title – Client name 1
The Routing Problem 2
2/3 Napkin Protocol 3 https://computerhistory.org/blog/the-two-napkin-protocol/ 1989
2/3 Napkin Protocol In 1989. Kirk Lougheed and Len Bosack of Cisco and Yakov Rekhter of IBM were having lunch in a meeting hall cafeteria at an Internet Engineering Task Force (IETF) conference. They wrote a new routing protocol that became RFC 1105, the Border Gateway Protocol (BGP), known to many as the “two—napkin protocol” — in reference to the napkins they used to capture their thoughts. 4 • BGP-1 – RFC 1105, June 1989 • BGP-3 – RFC1267, October 1991 • BGP-4 – RFC 1654, July 1994
The Routing Problem Caption 10/12pt Caption body copy 5 Border Gateway Protocol (BGP) is based entirely on unverified trust between networks • No built-in validation that updates are legitimate • Anyone can announce anything • Lack of reliable resource data
Routing Security You must be thinking that building a “Global Network” on the assumption of TRUST, that everyone who uses it is ”Trustworthy” was not a really bad idea? May be or May be not – I can’t make the judgement call… But Lets hear from Geoff Huston… "The internet is now busted, and to be perfectly frank, it's totally unclear how we can fix it. We can't make it better," "I actually want to apologise for my small part in this mess we find ourselves in, because it all turned out so horrendously badly." 6
The routing system is constantly under attack – incidents every day 7 http://bgpstream.com/
The routing system is constantly under attack – incidents every day 8 http://bgpstream.com/ 0 2 4 6 8 10 12 14 16 10/1/20 10/2/20 10/3/20 10/4/20 10/5/20 10/6/20 10/7/20 10/8/20 10/9/20 10/10/20 10/11/20 Possible BGP Hijacks
Routing Security Global routing system is a complex, decentralized system consist of ~70,000 individual networks that have implemented BGP to communicate with each other. Despite its strengths, its prone to incidents. Just as water main breaks, broken pipes, and sewage mix-up can disrupt life in a city, routing incidents like route leaks, route hijacks, and IP-address spoofing each have the potential to slow down Internet speeds or even to make parts of the Internet unreachable. 9
Common Problems 1 0 Prefix/Route Hijacking Route Leaks IP address spoofing
Common Problems Finding out after the fact that • Big chunk of your internet traffic has been incorrectly routed through a hostile network operator. • Some of your internet traffic has been going to another network operator. None of the above 2 options are great news to anyone! 11
Routing Incidents Cause Real World Problems 1 2 Prefix/Route Hijacking Route Leaks IP address spoofing Filtering Source Address Validation
BGP Operations and Security February 2015 BCP 194 – RFC7454 13 Filtering
Why Filtering • Your first line of defence • You can [MUST] control what you are announcing • You have no control over what other networks announce • To avoid issues, you have to decide what to accept from other networks [ahem ahem RPKI] 14
BCP 194 – Filtering Inbound and Outbound Filtering filters SHOULD be applied to make sure advertisements strictly conform to what is declared in routing registries. This varies across the registries and regions of the Internet. Max Prefix Filtering It is RECOMMENDED to configure a limit on the number of routes to be accepted from a peer AS Path Filtering Network administrators SHOULD accept from customers only 2-byte or 4-byte AS paths containing ASNs belonging to (or authorized to transit through) the customer. 15
BCP 194 – Filtering Data Sources The biggest issue in filtering is to find out the best/cleanest/workable/scalable aka MAGICAL data source. • IRRs (Internet Routing Registry) • Bogons lists (IPv6 & IPv4) • PeeringDB (For AS-Sets) • RPKI 16
Status of South Asia and Bangladesh 17
South Asia (as per APNIC) 18 https://stats.apnic.net/delegations/Southern%20Asia
South Asia (UN region) 19 https://observatory.manrs.org/#/overview
Bangladesh 20
Why Filtering is Important? Example 1 Network Next Hop Metric LocPrf Weight Path 103.209.80.0/24 203.202.143.33 0 7474 7473 2914 132602 137491 135100 135100 i 103.209.81.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 i 103.209.82.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 135100 135100 i 103.209.83.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 135100 135100 i 203.96.178.0 203.202.143.33 0 7474 7473 2914 132602 137491 135100 135100 i 21 aut-num: AS135100 as-name: MOL-AS-AP descr: Maxnet Online Limited country: BD org: ORG-MOL1-AP
Why Filtering is Important? Example 1 22
Why Filtering is Important? Example 2 23 AS: 59365 BD-NETWORKS-AS-AP BD Networks, BD AS: 59356 - VMCENTRAL-AS-AP VMCENTRAL Cloud Services, AU
Why Routing Security? • Your Cyber Security Strategy is incomplete without Routing Security • Build Threat intelligence, improve your network’s situational awareness • Create a Audit Checklist for infrastructure security • Align infrastructure security across divisions • Prevent reputational damage (Google PTCL + Youtube) 24
Questions ? 25 Email: siddiqui@isoc.org Twitter: @aftabsiddiqui

Recomendados

Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshBangladesh Network Operators Group
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationMyNOG
 
31, Get more from your IPv4 resources
31, Get more from your IPv4 resources31, Get more from your IPv4 resources
31, Get more from your IPv4 resourcesBangladesh Network Operators Group
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12Bangladesh Network Operators Group
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBangladesh Network Operators Group
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationAndy Davidson
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Cisco Canada
 

Recomendados

Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshBangladesh Network Operators Group
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationMyNOG
 
31, Get more from your IPv4 resources
31, Get more from your IPv4 resources31, Get more from your IPv4 resources
31, Get more from your IPv4 resourcesBangladesh Network Operators Group
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12Bangladesh Network Operators Group
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBangladesh Network Operators Group
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationAndy Davidson
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Cisco Canada
 
pps Matters
pps Matterspps Matters
pps MattersBangladesh Network Operators Group
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN IntroductionBangladesh Network Operators Group
 
MyIX Updates
MyIX UpdatesMyIX Updates
MyIX UpdatesMyNOG
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT RoutingBangladesh Network Operators Group
 
Segment routing in ISO-XR 5.2.2
Segment routing in ISO-XR 5.2.2Segment routing in ISO-XR 5.2.2
Segment routing in ISO-XR 5.2.2Bertrand Duvivier
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachBangladesh Network Operators Group
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterRobb Boyd
 
It nv51 instructor_ppt_ch5
It nv51 instructor_ppt_ch5It nv51 instructor_ppt_ch5
It nv51 instructor_ppt_ch5newbie2019
 
BGP persistence
BGP persistenceBGP persistence
BGP persistenceBertrand Duvivier
 
BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR Bertrand Duvivier
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceBertrand Duvivier
 
WAN SDN meet Segment Routing
WAN SDN meet Segment RoutingWAN SDN meet Segment Routing
WAN SDN meet Segment RoutingAPNIC
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USAJose Liste
 
It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7newbie2019
 
Troubleshooting BGP
Troubleshooting BGPTroubleshooting BGP
Troubleshooting BGPDuane Bodle
 
BGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN ControllerBGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN ControllerAPNIC
 
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen MaCloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen MaMyNOG
 
It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8newbie2019
 
Ccna rse chp2
Ccna rse chp2Ccna rse chp2
Ccna rse chp2newbie2019
 
MENOG-Segment Routing Introduction
MENOG-Segment Routing IntroductionMENOG-Segment Routing Introduction
MENOG-Segment Routing IntroductionRasoul Mesghali, CCIE RS
 
768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?Dhiman Chowdhury
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network OperatorsBangladesh Network Operators Group
 

Mais conteúdo relacionado

Mais procurados

MyIX Updates
MyIX UpdatesMyIX Updates
MyIX UpdatesMyNOG
 
Segment routing in ISO-XR 5.2.2
Segment routing in ISO-XR 5.2.2Segment routing in ISO-XR 5.2.2
Segment routing in ISO-XR 5.2.2Bertrand Duvivier
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterRobb Boyd
 
It nv51 instructor_ppt_ch5
It nv51 instructor_ppt_ch5It nv51 instructor_ppt_ch5
It nv51 instructor_ppt_ch5newbie2019
 
BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR Bertrand Duvivier
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceBertrand Duvivier
 
WAN SDN meet Segment Routing
WAN SDN meet Segment RoutingWAN SDN meet Segment Routing
WAN SDN meet Segment RoutingAPNIC
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USAJose Liste
 
It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7newbie2019
 
Troubleshooting BGP
Troubleshooting BGPTroubleshooting BGP
Troubleshooting BGPDuane Bodle
 
BGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN ControllerBGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN ControllerAPNIC
 
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen MaCloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen MaMyNOG
 
It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8newbie2019
 

Mais procurados (20)

pps Matters
pps Matterspps Matters
pps Matters
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN Introduction
 
MyIX Updates
MyIX UpdatesMyIX Updates
MyIX Updates
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT Routing
 
Segment routing in ISO-XR 5.2.2
Segment routing in ISO-XR 5.2.2Segment routing in ISO-XR 5.2.2
Segment routing in ISO-XR 5.2.2
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
 
It nv51 instructor_ppt_ch5
It nv51 instructor_ppt_ch5It nv51 instructor_ppt_ch5
It nv51 instructor_ppt_ch5
 
BGP persistence
BGP persistenceBGP persistence
BGP persistence
 
BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
 
WAN SDN meet Segment Routing
WAN SDN meet Segment RoutingWAN SDN meet Segment Routing
WAN SDN meet Segment Routing
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
 
It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7
 
Troubleshooting BGP
Troubleshooting BGPTroubleshooting BGP
Troubleshooting BGP
 
BGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN ControllerBGP Traffic Engineering with SDN Controller
BGP Traffic Engineering with SDN Controller
 
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen MaCloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
 
It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8
 
Ccna rse chp2
Ccna rse chp2Ccna rse chp2
Ccna rse chp2
 
MENOG-Segment Routing Introduction
MENOG-Segment Routing IntroductionMENOG-Segment Routing Introduction
MENOG-Segment Routing Introduction
 

Semelhante a Routing Security - its importance and status in South Asia

768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?Dhiman Chowdhury
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaAPNIC
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-KeynoteLKNOG
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
Peering 101 - ABQNOG1 - May2023
Peering 101 - ABQNOG1 - May2023Peering 101 - ABQNOG1 - May2023
Peering 101 - ABQNOG1 - May2023Chris Grundemann
 
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN
 
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]APNIC
 
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014Đồng Quốc Vương
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
Chapter 5 Routing.pptx
Chapter 5 Routing.pptxChapter 5 Routing.pptx
Chapter 5 Routing.pptxAyaanMohamed4
 
Respond 3 of your colleagues postings in one or more of the fol.docx
Respond 3 of your colleagues postings in one or more of the fol.docx Respond 3 of your colleagues postings in one or more of the fol.docx
Respond 3 of your colleagues postings in one or more of the fol.docxaryan532920
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?GeoffHuston
 
What's so special about the number 512?
What's so special about the number 512?What's so special about the number 512?
What's so special about the number 512?APNIC
 

Semelhante a Routing Security - its importance and status in South Asia (20)

768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?768K Day - Internet Doomsday: is it real?
768K Day - Internet Doomsday: is it real?
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-Keynote
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesia
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
Peering 101 - ABQNOG1 - May2023
Peering 101 - ABQNOG1 - May2023Peering 101 - ABQNOG1 - May2023
Peering 101 - ABQNOG1 - May2023
 
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities Report
 
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]
Whats so special about 512?, by Geoff Huston [APNIC 38 / APOPS 3]
 
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014
Www ccnav5 net_ccna_1_chapter_4_v5_0_exam_answers_2014
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06
 
PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006
 
Chapter 5 Routing.pptx
Chapter 5 Routing.pptxChapter 5 Routing.pptx
Chapter 5 Routing.pptx
 
Respond 3 of your colleagues postings in one or more of the fol.docx
Respond 3 of your colleagues postings in one or more of the fol.docx Respond 3 of your colleagues postings in one or more of the fol.docx
Respond 3 of your colleagues postings in one or more of the fol.docx
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?BGP: Whats so special about the number 512?
BGP: Whats so special about the number 512?
 
What's so special about the number 512?
What's so special about the number 512?What's so special about the number 512?
What's so special about the number 512?
 

Mais de Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaBangladesh Network Operators Group
 

Mais de Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 
Measuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create ValueMeasuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create Value
 
The Post Covid-19 Cybersecurity World - Where Is It Headed?
The Post Covid-19 Cybersecurity World - Where Is It Headed?The Post Covid-19 Cybersecurity World - Where Is It Headed?
The Post Covid-19 Cybersecurity World - Where Is It Headed?
 

Último

SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 

Último (9)

SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 

Routing Security - its importance and status in South Asia

  • 1. Internet Society © 1992–2019 What is the problem? And what are we trying to fix? Routing Security – Its importance and status in South Asia Aftab Siddiqui Senior Manager, Internet Technology siddiqui@isoc.org Presentation title – Client name 1
  • 4. 2/3 Napkin Protocol In 1989. Kirk Lougheed and Len Bosack of Cisco and Yakov Rekhter of IBM were having lunch in a meeting hall cafeteria at an Internet Engineering Task Force (IETF) conference. They wrote a new routing protocol that became RFC 1105, the Border Gateway Protocol (BGP), known to many as the “two—napkin protocol” — in reference to the napkins they used to capture their thoughts. 4 • BGP-1 – RFC 1105, June 1989 • BGP-3 – RFC1267, October 1991 • BGP-4 – RFC 1654, July 1994
  • 5. The Routing Problem Caption 10/12pt Caption body copy 5 Border Gateway Protocol (BGP) is based entirely on unverified trust between networks • No built-in validation that updates are legitimate • Anyone can announce anything • Lack of reliable resource data
  • 6. Routing Security You must be thinking that building a “Global Network” on the assumption of TRUST, that everyone who uses it is ”Trustworthy” was not a really bad idea? May be or May be not – I can’t make the judgement call… But Lets hear from Geoff Huston… "The internet is now busted, and to be perfectly frank, it's totally unclear how we can fix it. We can't make it better," "I actually want to apologise for my small part in this mess we find ourselves in, because it all turned out so horrendously badly." 6
  • 7. The routing system is constantly under attack – incidents every day 7 http://bgpstream.com/
  • 8. The routing system is constantly under attack – incidents every day 8 http://bgpstream.com/ 0 2 4 6 8 10 12 14 16 10/1/20 10/2/20 10/3/20 10/4/20 10/5/20 10/6/20 10/7/20 10/8/20 10/9/20 10/10/20 10/11/20 Possible BGP Hijacks
  • 9. Routing Security Global routing system is a complex, decentralized system consist of ~70,000 individual networks that have implemented BGP to communicate with each other. Despite its strengths, its prone to incidents. Just as water main breaks, broken pipes, and sewage mix-up can disrupt life in a city, routing incidents like route leaks, route hijacks, and IP-address spoofing each have the potential to slow down Internet speeds or even to make parts of the Internet unreachable. 9
  • 11. Common Problems Finding out after the fact that • Big chunk of your internet traffic has been incorrectly routed through a hostile network operator. • Some of your internet traffic has been going to another network operator. None of the above 2 options are great news to anyone! 11
  • 12. Routing Incidents Cause Real World Problems 1 2 Prefix/Route Hijacking Route Leaks IP address spoofing Filtering Source Address Validation
  • 13. BGP Operations and Security February 2015 BCP 194 – RFC7454 13 Filtering
  • 14. Why Filtering • Your first line of defence • You can [MUST] control what you are announcing • You have no control over what other networks announce • To avoid issues, you have to decide what to accept from other networks [ahem ahem RPKI] 14
  • 15. BCP 194 – Filtering Inbound and Outbound Filtering filters SHOULD be applied to make sure advertisements strictly conform to what is declared in routing registries. This varies across the registries and regions of the Internet. Max Prefix Filtering It is RECOMMENDED to configure a limit on the number of routes to be accepted from a peer AS Path Filtering Network administrators SHOULD accept from customers only 2-byte or 4-byte AS paths containing ASNs belonging to (or authorized to transit through) the customer. 15
  • 16. BCP 194 – Filtering Data Sources The biggest issue in filtering is to find out the best/cleanest/workable/scalable aka MAGICAL data source. • IRRs (Internet Routing Registry) • Bogons lists (IPv6 & IPv4) • PeeringDB (For AS-Sets) • RPKI 16
  • 17. Status of South Asia and Bangladesh 17
  • 18. South Asia (as per APNIC) 18 https://stats.apnic.net/delegations/Southern%20Asia
  • 19. South Asia (UN region) 19 https://observatory.manrs.org/#/overview
  • 21. Why Filtering is Important? Example 1 Network Next Hop Metric LocPrf Weight Path 103.209.80.0/24 203.202.143.33 0 7474 7473 2914 132602 137491 135100 135100 i 103.209.81.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 i 103.209.82.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 135100 135100 i 103.209.83.0/24 203.202.143.34 0 7474 7473 6453 10102 58672 135100 135100 135100 135100 i 203.96.178.0 203.202.143.33 0 7474 7473 2914 132602 137491 135100 135100 i 21 aut-num: AS135100 as-name: MOL-AS-AP descr: Maxnet Online Limited country: BD org: ORG-MOL1-AP
  • 22. Why Filtering is Important? Example 1 22
  • 23. Why Filtering is Important? Example 2 23 AS: 59365 BD-NETWORKS-AS-AP BD Networks, BD AS: 59356 - VMCENTRAL-AS-AP VMCENTRAL Cloud Services, AU
  • 24. Why Routing Security? • Your Cyber Security Strategy is incomplete without Routing Security • Build Threat intelligence, improve your network’s situational awareness • Create a Audit Checklist for infrastructure security • Align infrastructure security across divisions • Prevent reputational damage (Google PTCL + Youtube) 24