Saturday, May 22, 2004
NANOG plans to make an IPsec server available at NANOG31, which attendees can use to encrypt their traffic on the local network. This will significantly reduce the chance that someone can sniff your passwords on the wireless network. During this tutorial, you will learn how to configure your Linux, BSD, Mac, or Windows laptop for use with the NANOG IPsec server. This is a hands-on tutorial, so bring your laptops to the session. If you want to be fully prepared for the tutorial, visit my page http://www.packet-pushers.net/NANOG/ipsec/ in advance. Install any necessary software on your laptop in advance if possible.
The tutorial introduces service providers to some more advanced BGP features and techniques to aid with operating their networks within the Internet. After a recap of iBGP, eBGP, and common attributes, the tutorial will look at the various scaling techniques available, when to use BGP instead of an IGP, and examine policy options available through the use of local preference, MED and communities. The tutorial then looks at common deployment scenarios as used in ISP networks, before finishing off with some of the newer configuration features available.
Sunday, May 23, 2004
This presentation reviews recent IETF enhancements to IS-IS, including extensions in support of high availability [Restart-TLV], MD5 authentication support, multi-topology extensions, and IS-IS for IPv6. The tutorial also covers topics that will help ISPs improve the operating efficiency of their network.
NANOG and Switch and Data invite you to join us for a Sunday evening reception, to be held from 6:00 - 8:00 p.m. at Le Colonial Restaurant (http://lecolonialsf.com). We'll be serving beer, wine, and light hors d'oeuvres in a private lounge on the second floor of the restaurant.
This talk reviews several possible architectures for service provider MPLS network interconnections, including:
Traditional approaches to IP mobility target host mobility, rather than mobile networks per se. Providing internet access on mobile platforms where hosts (which may number in the hundreds) remain relatively stationary with regards to the platform presents a set of problems that has not been addressed by traditional IP mobility solutions. This presentation describes a technique that allows intercontinental mobility of networks aboard aircraft that does not require either any modifications to the TCP/IP protocol stacks of the hosts on board the aircraft, or interaction from the end-user of this device. Mobility is accomplished by means of selectively advertising and withdrawing prefixes at satellite earth stations as aircraft transit the globe. This topic will be of interest to all service providers, as our actions impact the global routing table.
Monday, May 24, 2004
As routing researchers, we frequently hear comments such as:
Perhaps because I am also an operator I think the measure that counts is whether the customers' packets reach their intended destinations. If the customers' packets are happy, the routing system (and other components) are doing their job. Therefore, I contend that, for the most part, we should be judging control plane quality by measuring the data plane. And we have well defined metrics for the data plane: delay, drop, jitter, reordering, etc. We also have tools with which to measure them. It is not clear that happy packets require routing convergence as we speak of it today. If there is better routing information near the destination than at the source, maybe there is sufficient information near the source to get the packets to the better informed space. This is not unlike routing proposals, such as Nimrod, where more detail is hidden the further you get from the announcer. If the routing system is noisy, i.e., there is a lot of routing traffic, that may not really be a bad thing. We know convergence time can be reduced if announcement throttling (MRAI) is lessened. As long as network growth increases load on the routers below Moore's law, it is not clear we are in danger. This talk presents results of six months of measurements using multiple globally widespread streams directed at a multi-homed routing beacon.
Speakers: Tim Griffin, Intel Research
Like the fixed telecom infrastructure that connects most users to the Internet, the international distribution of publicly routed IPv4 addresses (based on the national registration of their originating AS, using partially corrected/updated whois data) is fairly closely predicted by national gross domestic product (GDP). This statistical observation is consistent with well-known facts about the extra-national use (i.e., outside of their country of reported allocation) of IP and AS numbers across highly developed countries because, like "national" IP and AS accounting, "national" GDP calculations implicitly encompass many of the international productive assets of locally incorporated firms. Additionally, inter-domain routing for public Internet services remains highly nation-centric in heavily regulated telecommunications markets. In such cases (still the norm in many parts of the world), the extension of national telecom monopoly control to layer 3 effectively creates national Autonomous Routing Domains (ARDs), with the national telecom monopoly serving as a barrier between domestic and international inter-domain routing. National GDP is not a good predictor of public AS numbers. However, a simple two-variable interaction model using national GDP and national AS numbers very closely parallels the global landscape of publicly routed IP. All things (e.g., GDP, fixed telecom infrastructure) remaining equal, more AS numbers in use by a national economy leads nonlinearly to the accumulation of more Internet resources by those same Autonomous Systems, as measured by publicly routed IP. One interpretation of this statistical observation is that ASes introduce the element of specialization into the global Internet growth equation.
This is intuitively plausible since ASes enable network operators to exercise beneficial control over shared and wholly-owned telecom resources, assembling them into logical systems to achieve specific institutional (usually commercial) goals. The role of specialization, exchange, and competition in facilitating resource accumulation was first observed by Adam Smith in The Wealth of Nations (1776). Smith theorized that systems of specialized, interacting, and competing units constitute a more efficient form of economic organization than unicellular and undifferentiated systems of similar size. This efficiency takes the form of accelerated capital formation and accumulation, which in turn contributes to further innovation and specialization, and to higher standards of living. The global distribution of Internet resources seems to be consistent with Smith's vision of economic organization. A variety of factors may complicate or contradict this finding. For example, the use of IPv4 address and AS number accounting to quantify Internet resource production could be disputed on a variety of empirical grounds (varying national patterns of NAT and IPv6, the existence of ARDs larger and smaller than individual AS numbers, etc.). The author hopes to solicit operationally-grounded comments from the NANOG community to inform ongoing work on a general theory of IP economics.
We present the latest results of our NSF-sponsored research project to extend our existing 1-Gbps PCI-based traffic processing hardware to 10 Gbps. The PCI card has two Ethernet ports and acts as a line speed Ethernet bridge with sub-microsecond latency. The card can be programmed with a large number of predefined stateful signatures that identify which packets are to be captured and/or blocked at line speed. Blocking/monitoring rules (specified as either Snort 2.x rules or BPF expressions) can be uploaded/modified in real-time by the host through the PCI bus without interrupting the packet flow. The hardware has been designed to easily integrate with existing open source monitoring software. Using our approach, all existing sniffing applications, such as tcpdump, Snort, etc., can transparently benefit from the hardware line-speed acceleration without modification (as they see our hardware as a standard NIC in promiscuous mode). Preliminary data indicates that a 10 Gbps version of our PCI traffic processing hardware (to be built later this year) is feasible at a surprisingly low cost. With our innovative design, the use of a Xilinx Virtex-II Pro FPGA and existing off-the-shelf components allows processing of approximately 625 Snort-like signatures at 10 Gbps line-speed with sub-microsecond latency. The number of rules scales linearly with the addition of FPGAs; thus, a 2-FPGA board would hold approximately 2*625 (1250) signatures, etc. The programmable nature of this hardware technology can easily be adapted, modified and enhanced to accommodate new user-defined functions. An open-source hardware library of line-speed functions (common to both 1 Gbps and 10 Gbps) that go beyond the current capability is currently being worked on by a small research group. We hope to stimulate an exchange of ideas on the subject with the NANOG community.
In particular, we hope to find out how to facilitate the adoption of this powerful new concept in an open-source, operational environment.
Security incidents are a daily event for Internet Service Providers. Attacks on an ISP's customers, attacks from an ISP's customers, worms, botnets, and attacks on the ISP's infrastructure are now one of many "security" NOC tickets throughout the day. This increase in the volume and intensity of attacks has forced ISPs to spend constrained resources to mitigate the effects of these attacks on their operations and services. This investment has helped minimize the effects of the attacks, but it has not helped stop them at the source. Stopping attacks at their source requires rapid and effective inter-ISP cooperation. Hence, these ISP Security BOFs are also used as a face-to-face sync up meeting for the NSP-SEC forum (see https://puck.nether.net/mailman/listinfo/nsp-security).
Speakers: Susan Harris, Merit Network; Duane Wessels, The Measurement Factory
It is now common knowledge that locally well defined BGP routing policies can interact to produce unexpected routing anomalies globally. We introduce a new class of such problems, called BGP Wedgies. A BGP Wedgie is defined as a policy interaction where (1) there are multiple solutions (routings) at the AS level, (2) some solutions are intended, while others are not, (3) getting stuck in an unintended solution requires resetting BGP sessions to "kick the system" back to an intended solution, (4) no one group of network operators has control over the set of sessions that needs to be reset, and (5) no one set of network operators has enough global knowledge to know what is happening. In such a situation the routing is "wedged" into a local optimum that is very difficult to change. Realistic examples will be given.
This presentation will cover the use of L2/L3 technologies with the ultimate goal of providing transit service for IP traffic. Specific reference will be made regarding the use of Frame Relay, ATM, and MPLS L2 technologies as well as the use of BGP, IGP, and ECMP. The technologies will be contrasted in such a fashion as to provide a view of how the interaction of these technologies can help and/or hinder a network. Detail will be shared regarding some of the problems experienced with the various traffic management methods and some solutions.
The Internet Engineering Task Force (http://www.ietf.org/) develops standards for the Internet. It is not always clear that these standards are improving the situation for those who run the Internet infrastructure. This session gives you a chance to tell some of the people who run the IETF what you would like to see the IETF do in order to make the Internet work better.
Speakers: Alex Zinin, Alcatel
This talk discusses several currently deployable methods designed to improve the security of a service provider's router infrastructure, and outlines their operational implications. Many of these methods have been implemented on the Sprint IP network, which will be used as a case study. For example, one such method that Sprint has implemented is to remove the more specific routes to the /30 networks between Sprint and its customers. Sprint also plans to remove the more specific routes to its intra-router /31 networks as well. This talk will discuss the motivation behind these changes, how they were made, and most importantly, their operational impact.
Current interdomain routing policies are based on information local to each ISP and optimized for the benefit of that ISP. It is known that this combination can lead to sub-optimal Internet paths and even unpredictable results. Paths can be sub-optimal because decisions that appear locally sound may have adverse global effects, such as when early-exit routing sends packets further from the ultimate destination. Behavior can be unpredictable because the actions of one ISP can have an unintended influence on the other and vice versa, and in the worst case cycles of influence can lead to oscillations as traffic is re-routed. Today, these problems are resolved by operator intervention, not by protocols. We present work that examines whether two neighboring ISPs can benefit by using automated negotiation to determine the paths of traffic that they exchange. There is an incentive to negotiate only if both ISPs benefit relative to making independent decisions. To see if this is so, we simulated ISP routing choices driven by latency reduction and hotspot avoidance over sixty measured ISP topologies with a variety of traffic models. We find negotiation most valuable as a means of avoiding hotspots. It also provides a modest decrease in latencies, which suggests that the "price of anarchy" is low in terms of path length with real ISP topologies, even though it can be substantial in the theoretical worst case. Interestingly, we also find that global optimization (which treats both ISPs as a single larger ISP) is undesirable in the sense that in some cases one ISP can suffer to benefit the other. We also describe our first steps towards a practical negotiation protocol. ISPs can already influence each other's routing decisions to some extent (e.g., via MEDs and AS-path prepending), but this influence is mostly indirect, coarse, often governed by trial-and-error and supplemented by out-of-band agreements between operators.
Our intent is to help operators by relieving them of the bulk of the tedious and error-prone task of responding to traffic engineering problems, such as an overloaded peering link, while allowing them to maintain control over the result. The protocol accommodates competitive concerns by revealing little ISP-internal information, and independent ISP management by allowing different optimization criteria. We find that it selects routing strategies that realize most of the potential benefits identified in our study. We are particularly interested in operator feedback on the need for, requirements, and utility of this kind of mechanism.
Speakers: David Wetherall, University of Washington
There is a need for a systematic approach to verifying router configurations before they are deployed. In this work, we develop a static analysis framework for configuration checking and use it in the design of rcc, a "router configuration checker." rcc takes as input a set of router configurations and flags anomalies and errors based on a set of well-defined correctness conditions. We have used rcc to check BGP configurations from nine operational networks, testing nearly 700 real-world router configurations in the process. Every network we analyzed had configuration errors, some of which were potentially serious and had previously gone unnoticed. Our analysis framework and results also suggest ways in which BGP and configuration languages should be improved. rcc has also been downloaded by 30 network operators to date.
In the first part of 2004, Tufts University planned and implemented a new naming methodology to be used across all network devices and interfaces. During the planning discussions, the group came up with several interesting guidelines and methodologies for creating an extensible, comprehensible, and self-documenting network naming scheme. We have since changed over to the new naming scheme, and have already seen productivity benefits. Topics to be covered in the talk include a summary of the problem, methodology, results, and lessons learned.
Routing instability has been one of the most interesting topics for both network operators and researchers for years. While many efforts have focused on inter-domain routing instability, studies of intra-domain routing are quite limited. Most network operators still do not have enough knowledge about how frequently intra-domain routing instability can occur on their networks, and how the instability can affect the networks.
Diagnosing performance faults on Internet paths is a difficult and time-consuming task for which there is little operational support, especially when the paths cross multiple ISPs. Standard tools such as traceroute test connectivity but do not pinpoint the lossy or congested segments of the path; performance tools such as pathchar are often bandwidth-intensive or inaccurate over long paths.
Speakers: Neil Spring, University of Washington
At the April 2004 ARIN meeting in Vancouver, there was a discussion of how ARIN and other Regional Internet Registries could provide near-real-time data on which netblocks have been allocated, to help enable network and service operators to filter traffic coming from unallocated space. ARIN would like more participation and input from NANOG on how such a service should be implemented.
Speakers: Cathy Wittbrodt, Daydream Imagery
Tuesday, May 25, 2004
CERT's Network Situational Awareness group uses data from the regional registries' allocation databases to supplement the analysis of network security incident data. The aim of this effort is to build a single allocation tree view of the IPv4 address space so that events may be aggregated by source and destination network. We are building a tool chain to automate the preparation of RIR data for this purpose. This presentation addresses the techniques used by these tools, including:
A long-standing operational issue with the security added to SNMPv3 is the fact that it does not integrate with existing security infrastructures, i.e., password and account databases. Although SNMPv3 was the first SNMP version that added security to the protocol, there have been reservations about deploying it because it's "yet another user database to maintain." The author (and others) are looking into creating an add-on security extension to the SNMPv3 protocol that will better integrate with your existing security infrastructure. In this presentation, the author will be soliciting feedback about whether this work is important to the operational community and which security infrastructures are most important to target (RADIUS, local accounts, X.509 certificates, SSH, Kerberos, etc.). The feedback obtained from the operational community will directly impact whether the work progresses and what requirements it must fulfill to be considered complete - we appreciate your input!
There is an increasing demand for interconnection at layer 2 between diverse network operators. The drivers for this are often economic rather than technical. There are, however, operational problems which arise from connecting distinctly-managed Ethernet switch infrastructures at layer 2. These include risks such as broadcast storms, which have led to a number of past incidents at various internet exchanges. There are also service-level-affecting issues such as providing resilience within the limitations of spanning-tree, problem diagnosis, and fault resolution. Where the interconnecting IXPs are located in the same facilities within a metro area (i.e. they are "coterminous"), there can be significant advantages from interconnecting them using native Ethernet. These include increasing peering opportunities and "critical mass" for their participants, reducing overall latency, and better localisation of traffic. Services which allow interconnection and extension of non-coterminous layer-2 IXP fabrics over long-haul distances are increasingly available. Although these appear to offer a cost-effective alternative to conventional IP peering and transit arrangements, the issues outlined above lead to more acute risks and problems than the coterminous case. In particular, use of non-native Ethernet circuit technology such as tunnelling and/or over limited capacity links can impose performance constraints and increase latency. There are also significant scaling issues with use of conventional MAC-broadcast based IP address resolution techniques, and non-global circuit identifier space. In late 2002, XchangePoint, a commercial competitive IXP operator, and LoNAP, a mutual membership IXP association, interconnected their coterminous exchanges in London. Several potential interconnection models and their advantages and disadvantages were considered.
A VLAN-based approach has been employed which contains many of the operational risks, flexibly addresses participant requirements, and has some minor limitations. The formal interconnection agreement arrived at covers commercial, service level, AUP and operational implementation details, and the approach is likely of more widespread interest and use. The operational experiences of connecting two established coterminous Internet Exchanges have demonstrated when and how, with appropriate design, this type of layer-2 interconnection can be made to work, but have also highlighted the limitations that make non-coterminous interconnect much more problematic.
A new Internet peering ecosystem is rising from the ashes of the 1999/2000 U.S. telecommunications sector crash. Global Internet transit providers have gone bust and a critical broadband infrastructure provider has failed, leaving in its wake a large set of Internet players to fend for themselves to provide their customers with Internet services. A broad set of service providers that were once focused only on growing their market share (at any cost) now are bending down to shave pennies off of their cost structure. Those who cannot prove the viability of their business model while satisfying their customer demands are out of business. In this presentation, we share research carried out over the last four years with hundreds of Peering Coordinators to document the recent chaotic evolution of the peering ecosystem. We do this by first defining the notion of an "Internet Peering Ecosystem" as a set of autonomous Internet Regions, each with three distinct categories of participants. Each of these groups of participants has their own sets of characteristics, motivations and corresponding behaviors and interconnection dynamics. We describe four classes of Peering Inclinations as articulated in Peering Policies. The bulk of the presentation, however, focuses on the evolution of the U.S. Peering Ecosystem. Several key players, some abandoned by their service providers, have entered into the Peering Ecosystem and caused a significant disruption to the ecosystem. Peer-to-peer application traffic has grown to represent a significant portion of their expense. We describe five major events and three emerging evolutions in the Peering Ecosystem that have had, and continue to have, a significant disintermediation effect on Tier 1 ISPs.
IPv6 is seeing increased deployments worldwide and is expected to ramp up significantly with the U.S. Department of Defense mandate of IPv6 by 2008. Much of the existing security discussion around IPv6 has focused on its inclusion of IPsec. While the confidentiality, integrity, and authentication features of IPsec are clearly useful, IPsec deployment will suffer many of the same deployment challenges as are currently seen in IPv4 (identity, key management, and configuration issues).
Speakers: Darrin Miller, Cisco Systems
Speakers: Ed Lewis, ARIN (panelist); Rob Rockell, Sprint (panelist); Brent Sweeny, Internet2 NOC (panelist)