Saturday, May 31, 2003
Full Abstract

This session covers the protocols and topologies associated with inter-domain multicast routing, including details on the operation of MSDP and MBGP as they relate to PIM. The session also introduces the latest trends in inter-domain multicast routing: PIM Source Specific Multicast (SSM), Multicast VPNs, and IPv6 Multicast. During the tutorial, the fundamentals of MBGP and MSDP are covered along with their basic configuration, as well as the use of Anycast RPs. Numerous topology examples of inter-domain multicast using MBGP and MSDP are presented, along with configuration examples for both the provider and customers. Next, the session introduces Source Specific Multicast and shows how this method of inter-domain multicast solves some of the problems associated with traditional inter-domain PIM-SM multicast. Methods to secure a multicast network are also presented.

Speakers
Mike McBride, Cisco Systems
Mike is a software engineer in the Multicast Development group at Cisco Systems. His focus is the deployment of multicast in the service provider space.

Full Abstract

This tutorial introduces service providers to some of the features available in BGP to aid multihoming to the Internet. After an explanation of multihoming and the principles being followed in this tutorial, several examples involving different scenarios will be given. This includes the options available when multihoming to the same ISP (including RFC2270) and to different upstreams. Configurations for modifying inbound and outbound traffic flows are covered. The tutorial concludes with a case study, and an examination of the use of BGP communities by several ISPs. The configuration examples throughout this tutorial use the Cisco IOS configuration syntax.

Speakers
Philip Smith, Cisco Systems
Philip Smith joined Cisco Systems in January 1998. He is a member of the Service Provider Architectures Group of Consulting Engineering, within Corporate Development. His role includes working with many ISPs in the Asia-Pacific region and the rest of the world, specifically in network strategies, design, technology, and operations, as well as helping with network configuration and scaling. Other areas of interest also include Internet routing, Internet protocols, IPv6, and encouraging the growth of the Internet around the world. Prior to joining Cisco, he spent 5 years at PIPEX (now part of UUNET's global ISP business), the UK's first commercial Internet Service Provider. He was one of the first engineers working in the UK Internet, and played a fundamental role in building the modern Internet in the UK and Europe. Philip is co-author of Cisco ISP Essentials, ISBN 1-58705-041-2, published by Cisco Press. He holds a Doctor of Philosophy and has a First Class Honours Degree in Physics. He lives in Brisbane, Australia.

Sunday, June 1, 2003

Speakers
Philip Smith, Cisco Systems

Full Abstract

This tutorial introduces network engineers and service providers to basic and intermediate features and techniques available for building an MPLS network. We will discuss basic topics of how MPLS operates in a service provider network, including terminology, the setup of label-switched paths (LSPs), and LSP maintenance. Both dynamic MPLS signaling options in widespread use today, RSVP and LDP, will be discussed. Throughout the tutorial, Juniper Networks and Cisco Systems routers are used to illustrate important MPLS concepts. Additionally, configuration and troubleshooting examples are provided using CLI commands from both vendors.

Speakers
Joe Soricelli, Juniper
Joseph M. Soricelli is an Education Services Engineer at Juniper. He is a Juniper Networks Certified Internet Expert, a Juniper Authorized Instructor, and a Cisco Certified Internetwork Expert. Joseph is a contributing author to Juniper Networks Routers: The Complete Reference and Juniper Networks Certified Internet Associate Study Guide. In addition to writing numerous training courses, he has worked with and trained carriers, telcos, and ISPs throughout his career in the networking industry.

Speakers
Moderator - Randy Bush, IIJ
Randy Bush works as Principal Scientist at Internet Initiative Japan. Previously he spent a bit over a year at AT&T doing research and working on network architecture. He got some operational experience from being on the founding team at Verio, a backbone provider, from which he graduated as VP of Networking after five years. Before that, he was the principal engineer of RAINet, an ISP in Oregon and Washington, which was Verio's first acquisition. Randy is currently a member of the IESG, serving as co-chair of the IETF Operations and Management Area, mainly covering the operations area. As PI for the Network Startup Resource Center, an NSF-supported pro bono effort, he has been involved for some years with the deployment and integration of appropriate networking technology in the developing world.

Panelist - Andy Bierman, Cisco Systems
Panelist - John Heasley, Verio
Panelist - Phil Shafer, Juniper

Monday, June 2, 2003
Full Abstract

Sinkholes are flexible security tools that add a wealth of new capabilities to an ISP's security toolkit. ISPs use sinkholes to track infrastructure port scanning, identify and classify attacks, capture packets from attack flows, trace attacks through their networks, and divert attack flows away from their targets. Sinkholes also enable a variety of new applications brought about by necessity and growing operational experience. Sinkholes go beyond narrowly focused tools like black hole servers, tarpits, and honeynets: a sinkhole may perform any one of these functions, but often incorporates all of them and more. This tutorial explains how to build a sinkhole, using generalized examples from ISP deployments around the world. JUNOS and IOS configurations demonstrate the various ways trigger routers and target routers in sinkholes are safely, scalably, and efficiently configured. Architectural considerations relating to network topology and placement of sinkholes in the ISP's network are covered, along with anycast deployment options. A multitude of tools that can be placed inside the sinkhole are also discussed, including a variety of freeware, shareware, home-built, and commercial tools, covering the diversity available to ISPs of any size. This tutorial is recommended to ISP engineers of all experience levels. The source materials are derived from live operational deployments and can be modified and applied to any large IP transport network.
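The abstract lists tracking port scans and classifying attacks among the things an ISP does with sinkhole traffic. The following is an added example (not material from the tutorial or its authors) of the classification step: because a sinkhole advertises address space no legitimate host uses, a source that SYNs many dark hosts is a scanner, and a source that sends SYN-ACK or RST packets into the dark space is replying to spoofed SYNs and is therefore the real victim of a DDoS. The flow records are constructed, 203.0.113.0/24 stands in for the sinkhole's advertised prefix, and the thresholds and field names are this example's own choices.

```python
"""Classify traffic arriving in a sinkhole into scanners and backscatter victims.

Added example, not part of the NANOG tutorial.  Flow records are constructed;
the thresholds are illustrative, not taken from any deployment.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str        # address inside the sinkhole-advertised prefix
    proto: str      # "tcp", "udp", "icmp"
    dport: int
    tcp_flags: str  # "S" = SYN, "SA" = SYN-ACK, "R"/"RA" = RST, "" for non-TCP


def classify_sinkhole_flows(flows: Iterable[Flow], scan_threshold: int = 5,
                            backscatter_threshold: int = 5) -> Dict[str, Dict[str, int]]:
    """Split sinkhole traffic into scanners and backscatter victims.

    A scanner is a source that opens SYNs to at least scan_threshold distinct
    (host, port) pairs in the dark space.  A backscatter victim is a source
    that sends at least backscatter_threshold SYN-ACK or RST packets into the
    dark space: nothing there sent it a SYN, so it is answering forged SYNs
    and is the real target of an attack.
    """
    syn_targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    reply_counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.tcp_flags == "S":
            syn_targets[f.src].add((f.dst, f.dport))
        elif f.tcp_flags in ("SA", "R", "RA"):
            reply_counts[f.src] += 1
    scanners = {src: len(t) for src, t in syn_targets.items() if len(t) >= scan_threshold}
    victims = {src: n for src, n in reply_counts.items() if n >= backscatter_threshold}
    return {"scanners": scanners, "backscatter_victims": victims}


# Constructed sample: one host sweeping port 22 across the dark /24, one host
# answering SYN-ACK to spoofed SYNs (it is under attack), plus a stray UDP probe.
SAMPLE_FLOWS = (
    [Flow("192.0.2.10", f"203.0.113.{i}", "tcp", 22, "S") for i in range(1, 13)]
    + [Flow("198.51.100.5", f"203.0.113.{i}", "tcp", 80, "SA") for i in range(40, 48)]
    + [Flow("192.0.2.77", "203.0.113.9", "udp", 53, "")]
)

if __name__ == "__main__":
    print(classify_sinkhole_flows(SAMPLE_FLOWS))
```

Real sinkhole feeds carry NetFlow or packet captures rather than hand-built records; the classification logic is the same, and the backscatter table is the part operators use to learn who is being attacked before the victim calls.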

Speakers
Barry Raveendren Greene, Cisco Systems
Danny McPherson, Arbor Networks

Full Abstract

Although IPv6 has been deployed in a multitude of research and development networks worldwide, commercial deployment is still limited. The need for IPv6 is widely acknowledged in Asia, where IPv4 addresses are increasingly difficult to acquire. In North America, where some 74% of the allocated IPv4 addresses are located, there is not yet the sense of urgency for IPv6 that there is in Asia. Yet even here, there is growing interest and an understanding that IPv6 will eventually be required. It is therefore important that network operators begin familiarizing themselves with the technical issues surrounding the deployment of realistic IPv6 networks. This tutorial provides a technical overview of the existing state of the three classes of IPv6 transition technologies: dual stacks, tunnels, and translators. Specific technologies within each of these classes are examined. Outstanding transition issues, both resolved and unresolved, are also examined. These issues include multihoming, DNS, and security.

Speakers
Jeff Doyle, Juniper
Jeff Doyle is the IPv6 Solutions Manager for Juniper Networks. Specializing in IP routing protocols, MPLS, and IPv6, Jeff has designed or assisted in the design of large-scale IP service provider networks throughout North America, Europe, Japan, Korea, and the People's Republic of China. Jeff is the author of CCIE Professional Development: Routing TCP/IP, Volumes I and II, is an editor and contributing author of Juniper Networks Routers: The Complete Reference, and is the author of a new series of books on large-scale networking, the first of which will be released in the summer of 2003. Jeff has presented numerous corporate seminars for Juniper Networks, and has also spoken at NANOG, JANOG, APRICOT, and at IPv6 Forum conferences.

Arbor Networks

Full Abstract

XML for network management has been a popular topic lately. The large toolset available for manipulating XML encoded data, the text-based nature of the data, and the natural applicability to encoding large sets of hierarchical data make XML a good choice for manipulating data representing network configuration and operational state. This BoF will present several examples of XML-based network management tools. Examples will include tools currently in production use at major ISPs, as well as examples of vendor-specific XML tools such as JUNOScript.

Speakers
Rob Enns, Juniper
Rob Enns is a Director of Software Engineering at Juniper Networks. Prior to Juniper he worked at Berkeley Networks, FORE Systems, and Bell-Northern Research.

Speakers
Moderator - Barry Raveendran Greene, Cisco Systems

Speakers
Susan Harris, Merit Network
Pete Kruckenberg, UEN
Pete Kruckenberg is the senior network engineer for Utah Education Network, a regional education and research network in Utah and southern Idaho. Prior to joining UEN, Pete co-founded a regional ISP in Utah and worked for a start-up managed services provider in Lindon, Utah. He co-founded the Utah Regional Exchange Point and serves in various roles with regional networking initiatives. Pete graduated in Computer Engineering from the University of Utah.

Val Oveson, State of Utah
Val Oveson is the CIO for the State of Utah. His prior experience includes working with KPMG as a consultant to government organizations, and as CIO of PricewaterhouseCoopers. He has served in various capacities in state and federal government organizations, acting as National Taxpayer Advocate for the IRS, Chair of the Utah State Tax Commission, and, for two terms, as Lieutenant Governor of Utah. Mr. Oveson graduated from Brigham Young University with an accounting degree.

Speakers
Joe Abley, ISC

Full Abstract

There is a conflict between the interests of privacy and the ability of law enforcement to intercept the communications of criminal targets. Yet interception technology is not without its own risks -- it is intended to be used only by authorized parties for lawful interception, but may also be abused by unauthorized individuals. This talk will focus on the technical risks of interception technology and discuss the wisdom of standardizing protocols and technologies to facilitate interception. This is a tricky topic, because one must balance the benefits and risks of privacy versus interception for lawful purposes. We will attempt to stay within the technical realm as opposed to the politics of interception.

Speakers
Jeff Schiller, MIT
Jeff Schiller received his S.B. in Electrical Engineering from MIT in 1979. As MIT Network Manager, he has overseen the MIT Campus Computer Network since its inception in 1984. Prior to his work in the Network Group, he maintained MIT's Multics timesharing system during the ARPANet TCP/IP conversion. Jeff is an author of MIT's Kerberos Authentication system. From 1994 through 2003, he was the Internet Engineering Steering Group's Area Director for Security, responsible for overseeing security-related Working Groups of the IETF. He was responsible for releasing a U.S. legal freeware version of the popular PGP encryption program. Jeff is also responsible for the development and deployment of an X.509-based Public Key Infrastructure at MIT. He is the technical lead for the new Higher Education Certifying Authority being operated by the Corporation for Research and Educational Networking, and a founding member of the Steering Group of NEARnet, now part of Level3.

Full Abstract

The National Infrastructure Advisory Council (NIAC) was formed by executive order in September 2002 and is charged with advising the US Department of Homeland Security and the President regarding the security of information systems and networks essential to the nation's critical infrastructure. A key task in front of the NIAC is to provide guidance on disclosing vulnerabilities, and a working group has been created to establish a framework for vulnerability disclosure, including specific recommendations to the President. As part of its outreach and information-gathering efforts, the working group is presenting a brief overview of the project during the Monday morning General Session. Interested attendees are invited to contribute further via a dialog during the ISP Security BOF at 7:30 Monday evening.

Speakers
Jim Duncan, Cisco Systems
Jim Duncan works in the Critical Infrastructure Assurance Group at Cisco Systems, where he is a topic expert on incident response, vulnerability handling, and cyberthreat assessment. Previously, Jim was an Incident Manager for the Cisco Systems Product Security Incident Response Team (PSIRT) for four years, where he handled customer security and product security vulnerabilities. In addition to his work with the NIAC Vulnerability Disclosure WG, Jim currently works on proactive issues supporting other incident response teams within Cisco. He is authoring an internal policy for information sharing, and he actively contributes to external projects for several Information Sharing and Analysis Centers (ISACs). In the background is a project to adapt "Inter-NOC Dial By ASN" technology for inter-ISAC communications. Jim contributed to RFC 1244, the Site Security Policy Handbook, co-authored a tutorial on building an incident response team for USENIX, and is a Liaison Member of the Forum of Incident Response and Security Teams. Prior to Cisco, Jim worked for Penn State University. He attended his first NANOG meeting at NANOG8, October 1996, in Ann Arbor.

Paul Vixie, ISC

Full Abstract

Abilene, the Internet2 backbone, has been running dual-stack on its backbone routers for over a year. In this talk, we discuss experiences with both the Cisco GSR and Juniper T640 platforms on issues ranging from IGP and BGP to monitoring and performance.

Speakers
Grover Browning, Indiana University
Grover Browning is a senior engineer with the Global Research NOC at Indiana University. The NOC handles network operations services for Abilene, StarTap, AMPath, and a variety of other research and education networks.

Full Abstract

In November 2002 and again in February 2003, an international team of scientists from Caltech, SLAC, and LANL in the U.S., CERN in Switzerland, and NIKHEF in Amsterdam broke the Internet2 TCP land speed record (i.e., the product of the bits/s times the distance) not once but twice. They achieved 923Mbits/s with an end-to-end application-to-application single TCP stream from Amsterdam to Sunnyvale (10,619 Tbit-meters/s) over a 1Gbit/s bottleneck, 8.6 Gbits/s between 10 machines in Sunnyvale and 10 machines in Baltimore over a 10 Gbits/s bottleneck, and 2.38 Gbits/s with a single TCP stream from Sunnyvale to Geneva over a 2.5 Gbits/s bottleneck. The records were broken with commercial off-the-shelf components, and demonstrate that TCP can scale from the original 56kbits/s Internet of the 1980s to tomorrow's multi Gbits/s rates. The talk will address the questions of: who did it; what exactly was done; how was it done (including descriptions of the testbeds, the challenges, the effects of various solutions, and gotchas); what was special about this; why it is important; and what's next?

Speakers
Les Cottrell, Stanford University

Full Abstract

Recently the security of BGP has been called into question by the government, security experts, and the media. Perhaps by assuming that a compromise of the Internet routing infrastructure would be relatively trivial to accomplish, most of the recent attention has focused on replacements for BGP rather than on ways to do the best with what we have. Because any replacement for BGP will not be widely deployed in the near term, the key threats to current BGP deployments, and the techniques that mitigate them, need to be better understood. Furthermore, since most of the existing work on BGP vulnerabilities is largely theoretical, any new effort should be based on real testing of implementations commonly deployed by ISPs. This talk presents the results of research in the area of BGP attacks, covering three main areas. First, specific attacks outlined in the BGP Attack Tree draft were tested against lab networks to gauge their results, their difficulty, and the availability of best practices that mitigate their effects. Where appropriate, these attacks were run against multiple BGP implementations to measure variations in response. Second, multiple implementations were tested with a BGP malformed message generator to measure their resilience against unexpected input. Third, the prevalence of generally accepted best practices on the Internet was measured by querying a representative set of the Internet's BGP routers on key management interfaces. Analysis of this data will be useful for operators looking to improve the security of their BGP networks today and to evaluate potential improvements to BGP in the future, especially given the challenge of balancing scalability and ease of deployment with security in any future "secure BGP."
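The second area of the research, feeding malformed messages to implementations, is easier to reason about with the receiver's side written out. The following is an added example, not code from the talk or from CIAG: a minimal validator for the BGP message header and OPEN body, with the NOTIFICATION error code and subcode a compliant receiver should send for each defect (values from RFC 1771 / RFC 4271), plus a small generator that corrupts one field at a time in the way a malformed-message tool does. Every message is built in memory; nothing is sent on a network, and the ASN, hold time and router ID are constructed sample values.

```python
"""Minimal BGP header/OPEN validator and single-field malformed-message generator.

Added example, not from the NANOG talk.  Error (code, subcode) pairs are the
NOTIFICATION values defined in RFC 1771 / RFC 4271.  Only OPEN bodies are
checked; UPDATE parsing is out of scope here.
"""
import struct
from typing import Dict, List, Optional, Tuple

MARKER = b"\xff" * 16          # all-ones marker when no authentication is in use
HEADER_LEN = 19
MIN_OPEN_LEN = 29
MAX_LEN = 4096
TYPE_OPEN, TYPE_UPDATE, TYPE_NOTIFICATION, TYPE_KEEPALIVE = 1, 2, 3, 4

Notification = Tuple[int, int]
HDR_NOT_SYNC: Notification = (1, 1)     # Connection Not Synchronized
HDR_BAD_LEN: Notification = (1, 2)      # Bad Message Length
HDR_BAD_TYPE: Notification = (1, 3)     # Bad Message Type
OPEN_BAD_VERSION: Notification = (2, 1)
OPEN_BAD_AS: Notification = (2, 2)
OPEN_BAD_ID: Notification = (2, 3)
OPEN_BAD_HOLD: Notification = (2, 6)


def build_open(my_as: int, hold_time: int, bgp_id: int, version: int = 4,
               opt_params: bytes = b"", *, length: Optional[int] = None,
               marker: bytes = MARKER, msg_type: int = TYPE_OPEN) -> bytes:
    """Serialise an OPEN.  The keyword overrides let the generator corrupt the header."""
    body = struct.pack("!BHHIB", version, my_as, hold_time, bgp_id,
                       len(opt_params)) + opt_params
    total = HEADER_LEN + len(body) if length is None else length
    return marker + struct.pack("!HB", total, msg_type) + body


def validate(msg: bytes, expected_as: Optional[int] = None) -> Optional[Notification]:
    """Return None for an acceptable message, else the NOTIFICATION a receiver should send."""
    if len(msg) < HEADER_LEN or msg[:16] != MARKER:
        return HDR_NOT_SYNC
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length < HEADER_LEN or length > MAX_LEN or length != len(msg):
        return HDR_BAD_LEN
    if msg_type not in (TYPE_OPEN, TYPE_UPDATE, TYPE_NOTIFICATION, TYPE_KEEPALIVE):
        return HDR_BAD_TYPE
    if msg_type != TYPE_OPEN:
        return None                      # only OPEN bodies are inspected in this example
    if length < MIN_OPEN_LEN:
        return HDR_BAD_LEN
    body = msg[HEADER_LEN:]
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        return OPEN_BAD_VERSION
    if expected_as is not None and my_as != expected_as:
        return OPEN_BAD_AS
    if hold in (1, 2):                   # hold time must be 0 or at least 3 seconds
        return OPEN_BAD_HOLD
    if bgp_id == 0 or (bgp_id >> 24) >= 224:   # must look like a unicast host address
        return OPEN_BAD_ID
    if opt_len != len(body) - 10:        # optional parameters must fill the rest exactly
        return HDR_BAD_LEN
    return None


def malformed_variants(my_as: int = 64500, hold: int = 90,
                       bgp_id: int = 0x0A000001) -> List[Tuple[str, bytes]]:
    """Single-field mutations of an otherwise valid OPEN, each labelled."""
    good = build_open(my_as, hold, bgp_id)
    return [
        ("marker_zeroed", build_open(my_as, hold, bgp_id, marker=b"\x00" * 16)),
        ("length_below_header", build_open(my_as, hold, bgp_id, length=HEADER_LEN - 1)),
        ("length_exceeds_bytes", build_open(my_as, hold, bgp_id, length=len(good) + 100)),
        ("unknown_type", build_open(my_as, hold, bgp_id, msg_type=9)),
        ("version_5", build_open(my_as, hold, bgp_id, version=5)),
        ("hold_time_1", build_open(my_as, 1, bgp_id)),
        ("bgp_id_zero", build_open(my_as, hold, 0)),
        ("truncated_body", good[:HEADER_LEN + 5]),
        ("trailing_garbage", good + b"\x00\x00"),
    ]


def run_fuzz(expected_as: int = 64500) -> Dict[str, Optional[Notification]]:
    """Feed every variant through validate(); a None result means a bad message got through."""
    return {name: validate(msg, expected_as)
            for name, msg in malformed_variants(my_as=expected_as)}


if __name__ == "__main__":
    for name, outcome in run_fuzz().items():
        print(f"{name:22s} -> {outcome}")
```

A real generator mutates many more fields (optional parameters, UPDATE path attributes, NLRI lengths) and watches the peer for crashes or session resets rather than for a correct NOTIFICATION, but the point of the exercise is the same: every branch in validate() is a place where a less careful implementation has historically failed.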

Speakers
Sean Convery, Cisco Systems
Sean Convery is a security researcher in Cisco's Critical Infrastructure Assurance Group (CIAG). The research arm of the CIAG is tasked to collaborate with various groups on security issues 3-5 years in the future. Before coming to the CIAG, Sean worked primarily on the SAFE blueprint, and is an author of several whitepapers on the subject. Prior to his five years at Cisco, Sean held various positions in both IT and security consulting during his 11 years in networking.

Matthew Franz, Cisco Systems
Matthew Franz is a security researcher in Cisco Systems' Critical Infrastructure Assurance Group in Austin, Texas. Apart from work on BGP, interests include industrial automation (SCADA/DCS/Industrial Ethernet), security, and automated protocol test tools. Before joining CIAG, Matthew was senior security engineer in the Security Technologies Assessment team, where he conducted product security evaluations on a variety of Cisco products and network protocols. Before coming to Cisco in 2000, Matthew was a network security consultant and taught technical network security courses to government information warfare customers in San Antonio, Texas.

Speakers
Vijay Gill, AOL Time Warner
Sue Hares, NextHop
Mike Lloyd, RouteScience

Full Abstract

The increasing economic importance of IP networking, combined with a sharp increase in the frequency and sophistication of attacks, has made security critically important for IP data networks. In response, a group of service providers and vendors, operating as part of the Network Reliability and Interoperability Council (NRIC), has developed a set of best practices for enhancing data network security. This talk gives a short overview of NRIC and of the best practices for security. We give an example of how best practices can be useful in stopping attacks such as the Slammer/Sapphire worm, and provide pointers to more information on NRIC and the NRIC best practices for security.

Speakers
Ross Callon, Juniper
Ross Callon is an engineer in the protocols group at Juniper Networks. He has experience in Internet protocol standards, high-speed router design, and multi-protocol coexistence and interoperability. Ross is co-chair of Network Reliability and Interoperability Council 6, Focus Group 2, advising the FCC on network reliability. He also was a participant in a recent effort to advise the White House on security in communications networks. Ross is a long-standing participant in multiple IETF working groups, and has previous experience in the ATM Forum, IESG, IEEE, ANSI, and ISO. He has authored or contributed toward VPN, MPLS, PNNI, IPv6, IS-IS and CLNP networking standards. He is a former co-chair of the IETF IP Next Generation (IPv6) working group. Ross has published numerous articles and been awarded twelve patents. He holds a B.S. in Mathematics from MIT and an M.S. in Operations Research from Stanford University.

Full Abstract

The members of ARIN instituted a policy to curb lame DNS delegations within ARIN's scope in the in-addr.arpa domain. The staff of ARIN has begun implementing the policy and has already witnessed a reduction in lame delegations. This presentation will outline the ARIN policy, results from early tests, and explain how ARIN is interacting with registrants and other registries on this issue.
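The abstract does not spell out what makes a delegation lame, so here is the core test written out as an added example (this is not ARIN's own tooling). A name server listed in the delegation for a reverse zone is sent a non-recursive SOA query for that zone; it is lame if it refuses, fails, denies that the name exists, or answers without the AA bit set. Only the 12-byte DNS header is inspected, the responses are constructed in memory so the example runs offline, and the zone 16.172.in-addr.arpa is a sample drawn from private space. A production check would also retry over TCP and compare SOA serials across the listed servers.

```python
"""Core of a lame-delegation check for in-addr.arpa zones.

Added example, not ARIN's code.  Responses are constructed headers plus an
echoed question; resource-record bodies are omitted because classify() only
reads the header.
"""
import struct

QR, AA = 0x8000, 0x0400
QTYPE_SOA, QCLASS_IN = 6, 1
RCODE_SERVFAIL, RCODE_NXDOMAIN, RCODE_REFUSED = 2, 3, 5


def reverse_zone(prefix: str) -> str:
    """Map an octet-aligned IPv4 prefix to its in-addr.arpa zone name."""
    addr, plen_text = prefix.split("/")
    plen = int(plen_text)
    if plen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 map to a single in-addr.arpa zone")
    octets = addr.split(".")[: plen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_soa_query(zone: str, qid: int) -> bytes:
    """Non-recursive SOA query (RD clear) for the zone, as sent to each listed NS."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def synth_response(qid: int, aa: bool, rcode: int, ancount: int,
                   zone: str = "16.172.in-addr.arpa") -> bytes:
    """Constructed response for testing: header and echoed question only."""
    flags = QR | (AA if aa else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def classify(qid: int, resp: bytes) -> str:
    """Judge one server's reply: 'authoritative', 'lame: ...' or 'invalid: ...'."""
    if len(resp) < 12:
        return "invalid: truncated"
    rid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        return "invalid: id mismatch"          # not an answer to our query at all
    if not flags & QR:
        return "invalid: not a response"
    rcode = flags & 0xF
    if rcode == RCODE_REFUSED:
        return "lame: refused"                 # server does not serve this zone
    if rcode == RCODE_SERVFAIL:
        return "lame: servfail"                # zone configured but not loadable
    if rcode == RCODE_NXDOMAIN:
        return "lame: nxdomain"                # server denies the zone exists
    if rcode != 0:
        return f"lame: rcode {rcode}"
    if not flags & AA:
        return "lame: not authoritative"       # answered, but only from cache or referral
    if ancount == 0:
        return "lame: no SOA in answer"
    return "authoritative"
```

The delegation as a whole is lame only if every listed server fails the test; a single bad server is still worth reporting to the registrant, because it costs every reverse lookup a timeout.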

Speakers
Ed Lewis, ARIN
Edward Lewis is a Research Engineer at ARIN. He has been involved in the DNS and DNSSEC Working Groups of the IETF since 1996 and is a co-chair of the IETF Provisioning Registry Protocol Working Group.

Tuesday, June 3, 2003
Full Abstract

The 16-bit AS number field in BGP has 64,510 available values to use in the Internet's public routing space. Since some 30,000 AS numbers have already been assigned by the regional registries, the BGP protocol field will be exhausted at some point in the future. The solution, as outlined in www.merit.edu/internet/documents/internet-drafts/draft-ietf-idr-as4bytes-06.txt, is to use a 32-bit field for this value. Both the problem and the solution are discussed further in this presentation.
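To make the 32-bit proposal concrete, the following added example (not from the presentation) shows how a 4-byte AS number is displayed, parsed, and carried through routers that still only understand the 16-bit field. It follows the scheme that the as4bytes draft was eventually published as in RFC 4893: a 16-bit-only peer sees the placeholder AS_TRANS (23456) wherever a non-mappable ASN would appear in AS_PATH, while the full path travels in the new AS4_PATH attribute, and a 4-byte-capable router further along merges the two again. The asdot form "high.low" is assumed as the display notation for ASNs above 65535, and only AS_SEQUENCE segments are modelled.

```python
"""32-bit AS numbers: notation, mappability, and AS_TRANS/AS4_PATH handling.

Added example, not part of the NANOG presentation.  The mechanism is the one
standardized in RFC 4893; the asdot notation is an assumed display form.
"""
from typing import List, Sequence

AS_TRANS = 23456          # placeholder ASN assigned for this purpose (RFC 4893)
MAX_AS2 = 0xFFFF
MAX_AS4 = 0xFFFFFFFF


def to_asdot(asn: int) -> str:
    """Render an ASN: plain decimal if it fits in 16 bits, otherwise high.low."""
    if not 0 <= asn <= MAX_AS4:
        raise ValueError(f"ASN out of 32-bit range: {asn}")
    if asn <= MAX_AS2:
        return str(asn)
    return f"{asn >> 16}.{asn & MAX_AS2}"


def from_asdot(text: str) -> int:
    """Parse asplain ("65536") or asdot ("1.0") into an integer ASN."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= MAX_AS2 and 0 <= low <= MAX_AS2):
            raise ValueError(f"bad asdot value: {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= MAX_AS4:
        raise ValueError(f"ASN out of 32-bit range: {text}")
    return asn


def is_mappable(asn: int) -> bool:
    """True if the ASN fits the legacy 16-bit AS_PATH element."""
    return 0 <= asn <= MAX_AS2


def as_path_for_old_speaker(path: Sequence[int]) -> List[int]:
    """AS_PATH as sent to a peer without 4-byte support: non-mappable ASNs become AS_TRANS."""
    return [asn if is_mappable(asn) else AS_TRANS for asn in path]


def reconstruct_path(as_path: Sequence[int], as4_path: Sequence[int]) -> List[int]:
    """Rebuild the real path from AS_PATH plus AS4_PATH on a 4-byte-capable router.

    An old speaker prepends its own ASN to AS_PATH but passes AS4_PATH through
    untouched, so AS4_PATH is at most as long as AS_PATH and describes its tail.
    If AS4_PATH is longer, it is inconsistent and is ignored (RFC 4893, 4.2.3).
    """
    if len(as4_path) > len(as_path):
        return list(as_path)
    keep = len(as_path) - len(as4_path)
    return list(as_path[:keep]) + list(as4_path)
```

The practical consequence for operators is the one the reconstruction step hides: a network of 16-bit-only routers sees every 4-byte neighbour as AS 23456, so AS-path-based filters and loop detection on those routers cannot tell such neighbours apart.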

Speakers
K Claffy, CAIDA
Geoff Huston, Telstra, author

Full Abstract

We present various MPLS-based methods that enable a service provider to divert traffic for specific destinations to a centralized scrubbing and inspection facility. The traffic may be diverted from several locations, such as peering points, to the central processing facility. This technique differs from the sinkhole approach, in which traffic does not come out of the sink and thus never reaches the intended destination: here, after being processed, the traffic is sent back into the network on its way to the intended destination. This facilitates scalable, focused, and targeted filtering and processing of different customers' traffic for on-demand tasks such as reverse proxying (a la Hardie & Wessels, "Bellwether - Surrogate Services for Popular Content," NANOG19), traffic examination, or DDoS attack filtering. The experience of a successful real-life deployment in an ISP environment will be reviewed.

Speakers
Yehuda Afek, Riverhead
Yehuda Afek is a Professor in the School of Computer Science at Tel-Aviv University, and the CTO of Riverhead Networks Inc. Currently his research focuses on efficient forwarding and routing algorithms for IP networks, and methods for traffic engineering to stop DDoS attacks. Prior to joining Tel-Aviv University in 1989 he spent four years in AT&T Bell Laboratories. He received his M.Sc. and Ph.D. in Computer Science from UCLA in 1985 and 1983, respectively.

Roy Brooks, Cisco Systems
Nicolas Fischbach, COLT Telecom
Nicolas Fischbach is a Senior Manager, responsible for the European IP Security Engineering team at COLT Telecom. He also manages the Swiss IP Engineering team, and after participating in the deployment of the Swiss IP network and Internet Solution Center, he helped create the security and network unit of the Professional Services department. He holds an Engineer degree in Networking and Distributed Computing. Nicolas is also co-founder of Sécurité.Org, a French-speaking portal on computer and network security.

Speakers
Susan Harris, Merit Network

Full Abstract

This presentation outlines some of the technical concerns and other issues that came up during deployment of the @Home Network.

Speakers
Cathy Wittbrodt

Full Abstract

This presentation will describe a technology intended to detect faults in the bidirectional path between two forwarding engines, including interfaces, data link(s), and, to the extent possible, the forwarding engines themselves, with potentially very low latency. The technology operates independently of media, data protocols, and routing protocols. We will also discuss scenarios of applicability and deployment.
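The abstract describes the detector only in outline, so the following added example (not the presenters' code) models its timing behaviour. It assumes the mechanism the authors later published as BFD (RFC 5880), in which the detection time is the Detect Multiplier times the negotiated receive interval: with a 50 ms interval and a multiplier of 3, a path that stops delivering control packets is declared down in about 150 ms, against the tens of seconds an IGP dead timer needs. The three-way handshake and Init state are left out, so a session here comes up on the first control packet received, and the timeline is a constructed list of arrival times in milliseconds.

```python
"""Timer model of a BFD-style bidirectional fault detector.

Added example, not from the presentation.  Simplified: no three-way
handshake, no Init state, no timer negotiation.  Times are milliseconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class DetectorSession:
    required_min_rx_ms: int = 50     # interval we asked the peer to transmit at
    detect_mult: int = 3             # consecutive misses before declaring the path down
    last_rx_ms: Optional[int] = None
    state: str = "down"
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    @property
    def detection_time_ms(self) -> int:
        """Silence from the peer longer than this means the path has failed."""
        return self.detect_mult * self.required_min_rx_ms

    def on_control_packet(self, now_ms: int) -> None:
        """A packet from the peer proves both directions of the path are working."""
        self.last_rx_ms = now_ms
        if self.state != "up":
            self._transition("up", now_ms)

    def poll(self, now_ms: int) -> str:
        """Timer tick: bring the session down once the detection time has lapsed."""
        if (self.state == "up" and self.last_rx_ms is not None
                and now_ms - self.last_rx_ms > self.detection_time_ms):
            self._transition("down", now_ms)
        return self.state

    def _transition(self, new_state: str, now_ms: int) -> None:
        self.state = new_state
        self.transitions.append((now_ms, new_state))


def simulate(arrivals_ms: Sequence[int], end_ms: int, poll_every_ms: int = 10,
             **session_kwargs) -> List[Tuple[int, str]]:
    """Replay control-packet arrival times against a polling clock; return the state changes."""
    session = DetectorSession(**session_kwargs)
    pending = sorted(arrivals_ms)
    for now in range(0, end_ms + 1, poll_every_ms):
        while pending and pending[0] <= now:
            session.on_control_packet(pending.pop(0))
        session.poll(now)
    return session.transitions


# Constructed timeline: a packet every 50 ms, then the path fails after t=500.
LINK_FAILS_AFTER_500MS = list(range(0, 501, 50))

if __name__ == "__main__":
    print(simulate(LINK_FAILS_AFTER_500MS, 1000))
```

Because the detector only counts control packets, it works the same over any media and under any routing protocol; the routing protocol merely subscribes to the up/down transitions, which is the independence the abstract claims.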

Speakers
Dave Katz, Juniper Networks
Dave Ward, Cisco Systems

Speakers
Moderator - Randy Bush, IIJ
Panelist - Steve Bellovin, AT&T Research
Panelist - Dave Meyer, Sprint
Panelist - Andrew Partan, Partan Labs
Panelist - Alvaro Retana, Cisco Systems