TRANSCRIPT
© 2008 Cisco Systems, Inc. All rights reserved. SANOG 11
Improving the Internet Infrastructure
Philip Smith
SANOG 11, 10th-18th January 2008, Dhaka, Bangladesh
Topics
Internet Operations Groups
Registry System
IXPs
Service Provider Security
Root Nameserver Operations
Training
Internet Operations Groups
CNNOG
Internet Operations Groups
Where network engineers and operators meet their colleagues
  Peering & business relationships
  Industry relationships
  Technology discussions
  Operational best practices
  Compare experiences (supplier, operational, …)
  Purchasing decisions influenced
  Routing software feature requests worked out
  Jobs fair
  Keeping the Internet working
Regional Internet Operations Groups
NANOG – North America
APRICOT – Asia & Pacific Region
SANOG – South Asia
MENOG – Middle East
PacNOG – Pacific Islands
RIPE – Europe
AfNOG – Africa
LACNOG – Latin America
Country Network Operations Groups
NZNOG – New Zealand
JANOG – Japan
CNNOG – China
PhNOG – Philippines
AusNOG – Australia
SWINOG – Switzerland
UKNOF – United Kingdom
…
New NOGs
NOG creation is a recent phenomenon
  Local language
  Local culture – the Internet is not just American culture
  Local needs
SANOG and NZNOG are common models
  Too much temptation to introduce bureaucracy in newer NOGs
Potential newcomers:
  Central Asia
  Caribbean
  Latin America
The Registry System
Regional Internet Registries
Responsible for distribution of:
  IPv4 and IPv6 address space
  AS numbers
5 RIRs
  AfriNIC, APNIC, ARIN, LACNIC, RIPE NCC
Membership driven
  LIRs: most are ISPs or other service providers
Politics higher up, e.g. ICANN, etc.
  Very little relevance to day-to-day Internet operations
Regional Internet Registries
Policies
  Membership driven
Minimum IPv4 allocation is ~/21
  (if you can justify a /22 you can get a /21)
  (AfriNIC and LACNIC minimum is /22)
Minimum IPv6 allocation is a /32
ASN assigned if connecting to two different autonomous networks
Regional Internet Registries
Work together to try and ensure that allocation policies are approximately aligned globally
  There will be local variations
Examples:
  Initial IPv6 allocation policy
  4-byte ASN policy
Success of these two seems to encourage some dubious policy proposals aiming for global consensus
Regional Internet Registries
All hold two meetings per year
For AfriNIC, APNIC and ARIN, one meeting is held with the regional NOG
LACNIC hold meetings along with other Internet-related organisations, e.g. IPv6 Task Force, NAPLA (LA IXP forum), etc.
RIPE NCC also hold Regional Meetings
  Moscow, Dubai, Bahrain, Doha, …
APNIC Policy Showcases
  SANOG, NZNOG, etc.
Internet Exchange Points
Internet Exchange Points
Technical:
  An Ethernet switch in a co-lo facility
  ISPs bring routers, and peer with each other
Business:
  The creator of the local Internet economy
  Avoiding paying an upstream transit provider to carry local traffic
  Avoiding RTTs which impede “doing business”
Political:
  Monopoly & state telcos don’t like them
  IXPs without regulator support are doomed to failure
Internet Exchange Points
Activities:
  Well established for many years in Europe, North America and many parts of SE and NE Asia
  African IX activity increasing
  South Asia activity increasing
  Latin America still sees most peering in Miami, USA
  Middle East and Pacific Islands have discussions under way
Issues:
  IXP still confused with a monopoly transit provider or ISP transit service
  Regional IXP is still the dream of those who don’t understand what an IXP is
Internet Exchange Points
Operations:
  Biggest IXPs (LINX, AMS-IX, etc) are using high-end 10GigE switches, handling several 100Gbps of traffic
  Smallest IXPs are still using typical 24-port 10/100 managed desktop switches
Significance:
  Maybe not “critical infrastructure” but vital for the Internet economy
  More than “just a switch”
Getting started:
  90% political, 10% technical
  The latter is a simple Ethernet switch and BGP peering between participants
Euro-IX
Euro-IX
  Not a European Region IXP!!
  Consortium of mostly European IXPs (+ some others)
  Meetings typically see 40+ IXes represented
  Technical & operational forum for advice, sharing & exchange of ideas, best practices, etc
Cisco is a patron of Euro-IX
  Along with Foundry, Force10 and Glimmerglass
Service Provider Security
Service Provider Security
1990s saw rapid growth of the Internet
  Getting established and financial profit came before quality and professional service
Early 2000s saw bigger threats to Internet infrastructure
  DoS against routers and high-profile servers/services
  Packet amplification attacks
Responses
  Formation of the ISP Security Community (NSP-SEC)
  Development of more techniques and robust network design to thwart abuse of Internet infrastructure
Service Provider Security
NSP-SEC
  Global reach
  Web of trust – membership by invitation/recommendation only
  Open to key members of ISP security operations teams only
  Key security personnel of vendors participate (e.g. Cisco PSIRT)
Regional NSP-SECs forming too
  e.g. Japan, China, …
  Every major region needs one – no ISP is an island
Anycast Root Nameservers & DNS
Anycast DNS
Anycast:
  Multiple instances of the identical service visible in multiple parts of the Internet
  Individual devices share the same global IP address
  Routing system chooses the service closest to the end-user
DNS Anycast Advantages
  Insulates DNS against (D)DoS attacks
  Improves DNS lookup performance
  Located at IXPs, meaning low latency to end users
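The following is an added example, not part of the original slides, that models the two anycast properties stated above: the routing system picks the instance closest to the client, and an attack sourced in one region therefore lands on only the instance nearest to it. The AS topology, the private ASNs (64512 and up) and the instance names are all constructed for illustration; the model uses shortest AS path as a stand-in for BGP best-path selection, which is what BGP falls back on once local preference is equal (real deployments also see local preference, MED and hot-potato effects).

```python
"""Added example: toy model of anycast route selection and DDoS spread.

Assumption (not from the original slides): the "routing system" is
modelled as shortest AS-path selection over a constructed AS graph.
"""
from collections import deque

# Constructed AS-level topology: ASN -> neighbouring ASNs (undirected).
# Private-range ASNs, illustrative only.
AS_GRAPH = {
    64512: [64513, 64514],          # transit provider, region A
    64513: [64512, 64515],          # IXP-connected ISP hosting an instance, region A
    64514: [64512, 64516, 64517],   # long-haul carrier joining the regions
    64515: [64513],                 # access ISP, region A
    64516: [64514, 64518],          # transit provider hosting an instance, region B
    64517: [64514, 64519],          # transit provider hosting an instance, region C
    64518: [64516],                 # access ISP, region B
    64519: [64517],                 # access ISP, region C
}

# Anycast: one service prefix originated from three ASes at once.
ANYCAST_ORIGINS = {64513: "instance-A", 64516: "instance-B", 64517: "instance-C"}
# Unicast for comparison: the same service reachable only via region A.
UNICAST_ORIGIN = {64513: "instance-A"}


def shortest_as_path(graph, src, dst):
    """Breadth-first search over the AS graph.

    Returns the list of ASNs from src to dst (inclusive), or None if dst
    is unreachable. Hop count is the stand-in for BGP AS-path length.
    """
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in graph[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def select_instance(graph, client_as, origins):
    """Return (instance_name, as_path) for the origin with the shortest
    AS path from client_as. Ties go to the lowest origin ASN, standing in
    for BGP's later tie-breakers."""
    best = None
    for origin_as, name in sorted(origins.items()):
        path = shortest_as_path(graph, client_as, origin_as)
        if path is None:
            continue
        if best is None or len(path) < len(best[1]):
            best = (name, path)
    return best


def load_per_instance(graph, source_ases, origins):
    """Count how many source ASes (clients or attackers) each instance
    absorbs. With anycast, traffic from one region stays in that region."""
    load = {name: 0 for name in origins.values()}
    for src in source_ases:
        name, _ = select_instance(graph, src, origins)
        load[name] += 1
    return load


if __name__ == "__main__":
    for client in (64515, 64518, 64519):
        print(client, "->", select_instance(AS_GRAPH, client, ANYCAST_ORIGINS))
    attackers = [64518, 64519]  # constructed: attack sourced in regions B and C
    print("anycast:", load_per_instance(AS_GRAPH, attackers, ANYCAST_ORIGINS))
    print("unicast:", load_per_instance(AS_GRAPH, attackers, UNICAST_ORIGIN))
```

Running the block shows that clients in each region reach their local instance, and that an attack sourced in regions B and C loads only instances B and C while region A's instance keeps serving its own users; with the single unicast origin, both attack sources converge on instance A. The same computation, with a real AS graph, is how an operator would sanity-check where an anycast instance's catchment actually falls before relying on it for DDoS resilience.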
Anycast DNS
DNS Root Nameservers
  Many of the operators now anycast the DNS service (e.g. F-root, I-root are visible in many parts of the world)
gTLD and ccTLD Nameservers
  Many ccTLD and gTLD operators now anycast their DNS services (e.g. Verisign, PCH)
Training
Training
NOGs
  Many NOGs have workshops (e.g. ISP Routing, BGP Multihoming, Scalable Services, Network Management, DNS & DNSSEC, etc)
  Many NOGs have tutorials (e.g. Routing, IPv6, BGP Techniques, Multihoming, BGP Troubleshooting, MPLS, etc)
Many other organisations organise their own events:
  The RIRs
  NSRC – Network Startup Resource Center (www.nsrc.org)
  AIT – Asian Institute of Technology
  Cisco (ISP and Security Workshops)
  Team Cymru (Security Workshops)
Training
So much training available
  So many venues – http://ws.edu.isoc.org/calendar
  Most is cost recovery ($100 per day) or free; compare with professional courses ($1000 per day)
  Most is very high quality and relevant; compare with professional courses which simply teach technology skills
Yet ISP management deny these training opportunities to their technical staff
  Doing so denies their business the opportunity of success
Summary
Internet Infrastructure
  Is taken for granted by too many
  Is cared for by too few
End-users only see services, and when those services are working/failing
Every ISP is responsible for their piece of the infrastructure