Agenda

Full Abstract

A hybrid format
One week before the hackathon (Friday, October 22nd) we will hold the hackathon welcome, introduction, infrastructure tutorial, idea-pitching, and team-forming session over Zoom; this session will be recorded.
Saturday, October 30th will be the start of the hackathon; this day is all virtual regardless of whether or not you are at the conference venue.
Sunday will be a true hybrid day with people continuing to work virtually as well as dedicated facilities (workspace, wifi, etc) for those at the conference venue.

The Hackathon starts with a brief welcome and introduction, tutorial, and team formation on Friday, October 22 at 4:00pm CDT.

Hacking begins at 1:00pm CDT, Saturday, October 30. The hacking ends at 5:00pm CDT, Sunday, October 31, when the team presentations will begin.

The Hackathon will conclude around 6:00pm CDT Sunday, October 31. A recap session will be recorded between 6:00pm - 7:00pm CDT, followed by an hour long reception.

We have dedicated Support/Help Hours on Saturday from 1:00pm - 4:00pm CDT virtually via Zoom and again on Sunday from 12:00pm - 5:00pm CDT in a hybrid format.

Join us virtually here:
https://nanog.zoom.us/j/87158458997?pwd=TWE0bmdBempaUXBaVHFST3JTZTR4dz09

Full Abstract

ARIN's President and CEO John Curran will provide a brief update about recent changes and developments at ARIN that should be of interest to the network operator community in the region.

Full Abstract

NANOG brings the network operator community together to share information and techniques which make the Internet better, and by extension, society as a whole. But our great community is not without its challenges. Some of the things that make NANOG great - the collective intelligence, global reach, lifelong friendships - can be exceedingly intimidating for many. Especially those trying to break into a male dominated industry.

This presentation highlights some of the pioneering women who have helped show women can contribute and succeed in the industry. I would like to show our gratitude for their work paving the way for other women. We will also run an experiment with the audience, through some up front survey work. We want to help carry on and expand the foundation that has been laid, so NANOG will be more accessible to everyone.

Full Abstract

Automating firewalls is not the easiest task to automate, but once you have done it, the hardest work is now on the users. The users are now expected to have near expert level knowledge of how IP services work within your environment. This is where the Application Dictionary comes in.

The Application Dictionary intends to be the Source of Truth that fundamentally change the paradigm of automating firewalls rules. Allowing application owners to define their application and the requests to be made between applications instead of IP services. This allows application owners to ask simple requests like "provide my application access to Splunk".

This is not just vaporware, there is a live demonstration to show the reimagining of firewall rules from conception to deployment.

Full Abstract

The key to optimizing the performance of an anycast-based system (e.g., the root DNS or a CDN) is choosing the right set of sites to announce the anycast prefix. One challenge here is predicting catchments. A naïve approach is to advertise the prefix from all subsets of available sites and choose the best-performing subset, but this does not scale well. We demonstrate that by conducting pairwise experiments between sites peering with tier-1 networks, we can predict the catchments that would result if we announce to any subset of the sites. We prove that our method is effective in a simplified model of BGP, consistent with common BGP routing policies, and evaluate it in a real-world testbed. We then present AnyOpt, a system that predicts anycast catchments. Using AnyOpt, a network operator can find a subset of anycast sites that minimizes client latency without using the naïve approach. In an experiment using 15 sites, each peering with one of six transit providers, AnyOpt predicted site catchments of 15,300 clients with 94.7% accuracy and client RTTs with a mean error of 4.6%. AnyOpt identified a subset of 12 sites, announcing to which lowers the mean RTT to clients by 33ms compared to a greedy approach that enables the same number of sites with the lowest average unicast latency.

Full Abstract

Internet resources form the basic fabric of the digital society. They provide the fundamental platform for digital services and assets, e.g., for critical infrastructures, financial services, government. Whoever controls that fabric effectively controls the digital society.

In this work we demonstrate that the current practices of Internet resources management, of IP addresses, domains, certificates and virtual platforms are insecure. Over long periods of time adversaries can maintain control over Internet resources which they do not own and perform stealthy manipulations, leading to devastating attacks. We show that network adversaries can take over and manipulate at least 68% of the assigned IPv4 address space as well as 31% of the top Alexa domains. We demonstrate such attacks by hijacking the accounts associated with the digital resources.

For hijacking the accounts we launch off-path DNS cache poisoning attacks, to redirect the password recovery link to the adversarial hosts. We then demonstrate that the adversaries can manipulate the resources associated with these accounts. We find all the tested providers vulnerable to our attacks.

We recommend mitigations for blocking the attacks that we present in this work. Nevertheless, the countermeasures cannot solve the fundamental problem - the management of the Internet resources should be revised to ensure that applying transactions cannot be done so easily and stealthily as is currently possible.

Full Abstract

Since the early days of the Internet (Arpanet in 1970), the topic of Routing Protocol Convergence Time has been a top-of-mind issue. A number of protocols and technologies have been developed and deployed at a large scale with the objective of improving overall network reliability. Although such approaches have dramatically evolved, they all rely on a reactive approach: upon detecting a network failure, the traffic is rerouted onto an alternative path. In contrast, a proactive approach would rely on a different paradigm consisting in rerouting traffic before the occurrence of a predicted failure onto an alternate path that meets application Service Level Agreement (SLA) requirements.

Years of research led to the development of the first Predictive Engine for the Internet. Millions of paths and thousands of SP networks have been analyzed in depth leading to deep modeling of path characteristics at all layers. Machine Learning and Statistical have been developed to perform predictions of potential SLA violations and thus proactively routing thanks to trusted automation. In this short talk, such analysis of the Internet characteristic along with the promising avenue of a predictive Internet will be presented.

Full Abstract

IPv6 Extension Headers (EHs) allow for the extension of the IPv6 protocol, and provide support for core functionality such as IPv6 fragmentation. However, common implementation limitations suggest that EHs present a challenge for IPv6 packet routing equipment and middle-boxes, and evidence exists that IPv6 packets with EHs are intentionally dropped in the public Internet in some network deployments. This presentation summarizes the operational implications of IPv6 extension headers, and attempts to analyze reasons why packets with IPv6 extension headers are often dropped in the public Internet.

Full Abstract

The traditional design principle for Internet protocols indicates: "Be strict when sending and tolerant when receiving" [RFC1958], and DNS is no exception to this. The transparency of DNS in handling the DNS records, also standardised specifically for DNS [RFC3597], is one of the key features that made it such a popular platform facilitating a constantly increasing number of new applications. An application simply creates a new DNS record and can instantly start distributing it over DNS without requiring any changes to the DNS servers and platforms. Our Internet wide study confirms that more than 1.3M (96% of tested) open DNS resolvers are standard compliant and treat DNS records transparently.

In this work, co-authors Philipp Jeitner and Haya Shulman show that this `transparency' introduces a severe vulnerability in the Internet: we demonstrate a new method to launch string injection attacks by encoding malicious payloads into DNS records. We show how to weaponise such DNS records to attack popular applications. For instance, we apply string injection to launch a new type of DNS cache poisoning attack, which we evaluated against a population of open resolvers and found 105K to be vulnerable. Such cache poisoning cannot be prevented with common setups of DNSSEC. Our attacks apply to internal as well as to public services, for instance, we reveal that all eduroam services are vulnerable to our injection attacks, allowing us to launch exploits ranging from unauthorised access to eduroam networks to resource starvation. Depending on the application, our attacks cause system crashes, data corruption and leakage, degradation of security, and can introduce remote code execution and arbitrary errors.

In our evaluation of the attacks in the Internet we find that all the standard compliant open DNS resolvers we tested allow our injection attacks against applications and users on their networks.