Agenda

NANOG 83 Conference Hosted by Kentik


Please note agenda is subject to change.

Sunday, October 31, 2021
Topic/Presenter
Full Abstract

A hybrid format
One week before the hackathon (Friday, October 22nd) we will hold the hackathon welcome, introduction, infrastructure tutorial, idea-pitching, and team-forming session over Zoom; this session will be recorded.
Saturday, October 30th will be the start of the hackathon; this day is all virtual regardless of whether or not you are at the conference venue.
Sunday will be a true hybrid day, with people continuing to work virtually as well as dedicated facilities (workspace, Wi-Fi, etc.) for those at the conference venue.

The Hackathon starts with a brief welcome and introduction, tutorial, and team formation on Friday, October 22 at 4:00pm CDT.

Hacking begins at 1:00pm CDT, Saturday, October 30. The hacking ends at 5:00pm CDT, Sunday, October 31, when the team presentations will begin.

The Hackathon will conclude around 6:00pm CDT Sunday, October 31. A recap session will be recorded between 6:00pm - 7:00pm CDT, followed by an hour-long reception.

We have dedicated Support/Help Hours on Saturday from 1:00pm - 4:00pm CDT virtually via Zoom and again on Sunday from 12:00pm - 5:00pm CDT in a hybrid format.

Join us virtually here:
https://nanog.zoom.us/j/87158458997?pwd=TWE0bmdBempaUXBaVHFST3JTZTR4dz09

Monday, November 1, 2021
Topic/Presenter
Vincent Celindro - Juniper Networks
Speakers
  • Speaker Vincent Celindro - Juniper Networks
Tina Morris - Amazon Web Services
Avi Freedman - Kentik
Speakers
Full Abstract

Hear from candidates Christopher Chin, Steven Feldman, Alex Latzko, Brad Raymo, and Dave Siegel as they answer questions asked by Mike Starr from the NANOG Election Committee.

Questions asked are:
1. Given the anticipated limits for many around travel for the next couple of years, how would you guide NANOG to retain and expand community engagement and professional development? What do you envision will be required to foster this sense of community?

2. What should the NANOG board do to ensure the next generation of network engineers see our community as positive, diverse, and inclusive?

3. Strategically, what do you think are the biggest opportunities or challenges for NANOG as an organization?

4. Funding is always an issue with every nonprofit. How can you help NANOG find more revenue sources?

5. What makes you stand out as a potential new member of the NANOG board of directors?

Speakers
  • Moderator Mike Starr - trackd.com
Edward McNair - NANOG
Ognian Mitev
Speakers
  • Speaker Edward McNair - NANOG
  • Ognian Mitev
John Kristoff - NETSCOUT / Dataplane.org
Avi Freedman - Kentik
Jared Mauch - Akamai
Doug Madory - Kentik
Full Abstract

Since there have been computer networks there have been network outages. Ask any network operator to conjure up a memorable network outage and it likely won't take them any effort at all. This session looks back at a few noteworthy network outages from Internet history with individuals who were there to provide a truly unique perspective. Want to hear from one of the original AS 7007 operators? Want to know what it was like to coordinate a global response to the Slammer/Sapphire worm? Perhaps you've been reading about governments "shutting down" their Internet, but don't really know what that means or what the effect truly is? If you like a good war story, we have the panel for you. There will be plenty of time for Q&A and a chance for some of you to share your own 30-second war story with the NANOG community.

Featured Panelists: Avi Freedman, Jared Mauch, and Doug Madory. Moderator: John Kristoff.

John Kristoff: John is a PhD candidate in Computer Science at the University of Illinois Chicago studying under the tutelage of Chris Kanich. He is a principal analyst at NETSCOUT on the ATLAS Security Engineering and Response Team (ASERT). He currently serves as a research fellow at ICANN, sits on the NANOG program committee, and operates Dataplane.org. John’s primary career interests, experience, and expertise are in Internet infrastructure. He is particularly focused on better understanding and improving the routing system (BGP), the naming system (DNS), and internetwork security. John is or has been associated with a number of other organizations and projects involving Internet operations and research, some of which include: DNS-OARC, DePaul University, Dragon Research Group (DRG), IETF, FIRST, Internet2, Neustar - formerly UltraDNS, Northwestern University, nsp-security, ops-trust, REN-ISAC, and Team Cymru.
Avi Freedman: Avi Freedman is the co-founder and CEO of network observability company Kentik. He has decades of experience as a networking technologist and executive. As a network pioneer in 1992, Freedman started Philadelphia’s first ISP, known as netaxs. He went on to run network operations at Akamai for over a decade as VP of network infrastructure and then as chief network scientist. He also ran the network at AboveNet and was the CTO of ServerCentral.
Doug Madory: Doug Madory is the Director of Internet Analysis for Kentik where he works on Internet infrastructure analysis. The Washington Post dubbed him “The Man who can see the Internet" for his reputation in identifying significant developments in the structure of the Internet. Doug is regularly quoted by major news outlets about developments ranging from national blackouts to BGP hijacks to the activation of submarine cables. Prior to Kentik, he was the lead analyst for Oracle's Internet Intelligence team (formerly Dyn Research and Renesys).
Speakers
  • Moderator John Kristoff - NETSCOUT / Dataplane.org
  • Panelist Avi Freedman - Kentik
  • Jared Mauch - Akamai
  • Doug Madory - Kentik
Full Abstract

Address:
Lumber Exchange Event Center
10 S. 5th Street
Minneapolis, MN 55402

Walking Directions from Hyatt Regency Minneapolis (approx 16 min walk):

Take Nicollet Mall Street for 0.6 miles northeast toward the Mall
Turn left onto S. 5th Street
Turn right onto Hennepin Ave; the destination will be on the right

Tuesday, November 2, 2021
Topic/Presenter
Full Abstract

This presentation discusses how control of the internet experience is moving more and more into the hands of browser and phone vendors. The advent of end-to-end encryption, also on control planes and metadata like DNS, means that no one else is able to influence the internet - except in an extremely heavy-handed and binary fashion.

This moves a lot of agency to browser and phone vendors, who now can decide if and how they want to help governments and societies, or not. They could also enforce their own vision on what the internet & society should be. If governments don't agree, they have to resort to heavy measures to impose their will, as we've recently seen happening in Russia.

In this talk I show with examples how this is the new reality.

I also place these developments into a historical context -- shifting of control between governments and industry is nothing new. This context may help us ponder what developments are good and which aren't - because there are no easy answers.

(While Bert is a Dutch government/intelligence agency regulator, his presentation does not reflect government policy.)

bert hubert: Bert is the founder of PowerDNS, software that powers a significant fraction of the Internet. He also did government cybersecurity work, and co-founded a software company in that field. These days Bert does DNA research and is part of the government board that regulates the Dutch intelligence and security agencies.
Speakers
  • Speaker bert hubert
John Curran - ARIN
Full Abstract

ARIN's President and CEO John Curran will provide a brief update about recent changes and developments at ARIN that should be of interest to the network operator community in the region.

Speakers
  • Speaker John Curran - ARIN
Brad Gorman - American Registry for Internet Numbers (ARIN)
Full Abstract

The Internet Routing Registry (IRR) has long been a component of a network operator's routing security. Internet professionals welcomed a new tool in their quiver that enhanced the security posture of the networks they managed. Operators have the ability to share information about their networks and their customers in a simplified manner across the global ecosystem. But the IRR is only as good as the objects that exist in the databases. As time has passed and the responsibility for maintaining these records has passed from team to team, the information has become stale, or even worse, fraudulent data has made its way into the data stream. Is the information in the IRR ecosystem trustworthy?

We need to understand where we are, discuss the next steps, learn the differences between authenticated and non-authenticated databases, and commit to cleaning up the data. Let’s work together to make the IRR the useful routing security tool it should be.

Brad Gorman: Brad Gorman is the Senior Product Owner, Routing Security at the American Registry for Internet Numbers (ARIN) and is the community resource for Resource Public Key Infrastructure (RPKI), Internet Routing Registries (IRRs), and other similar topics that impact routing security within the ARIN region and the greater Internet ecosystem. He has worked in the Internet community since the mid-1990s, as a network engineer at service providers like America Online, Time Warner Cable and Charter Communications. He also spent three years as the peering coordinator for Verisign. Brad represents ARIN at the other Regional Internet Registries (RIRs) in the RPKI community, at the Internet Engineering Task Force (IETF), and at industry conferences and meetings.
Speakers
  • Speaker Brad Gorman - American Registry for Internet Numbers (ARIN)
Jezzibell Gilmore - PacketFabric
Full Abstract

NANOG brings the network operator community together to share information and techniques which make the Internet better, and by extension, society as a whole. But our great community is not without its challenges. Some of the things that make NANOG great - the collective intelligence, global reach, lifelong friendships - can be exceedingly intimidating for many, especially those trying to break into a male-dominated industry.

This presentation highlights some of the pioneering women who have helped show women can contribute and succeed in the industry. I would like to show our gratitude for their work paving the way for other women. We will also run an experiment with the audience, through some up front survey work. We want to help carry on and expand the foundation that has been laid, so NANOG will be more accessible to everyone.

Speakers
  • Speaker Jezzibell Gilmore - PacketFabric
Full Abstract

If you are not able to attend in person, we have a networking session available via Zoom!

Join Zoom Meeting
https://nanog.zoom.us/j/88978845443?pwd=dGtpZ3hxTVh6UmVSZHk3YWxZUjNZUT09

Meeting ID: 889 7884 5443
Passcode: 383671
One tap mobile
+13126266799,,88978845443# US (Chicago)
+16468769923,,88978845443# US (New York)

Full Abstract

Changing Internet landscapes should cause us to rethink our interconnection landscape as well. Instead of relying on the existing interconnectivity footprint, we need to match interconnectivity to our customers' demands. After internal study and canvassing the environment, Lumen will begin requiring deeper interconnects with its peering partners next year, which will ultimately help everyone connected to the internet achieve lower latency.

Guy Tal: Guy Tal has worked in Network Operations, Engineering, Architecture, Planning and Product Management for nearly 25 years at ISPs, NSPs, CSPs, DCs and software companies. His work experience gives Guy a complete and unique perspective of the internet landscape, which has allowed him to give dozens of presentations and moderate and sit on nearly as many panels at various conferences around the world on topics such as peering, network troubleshooting, DNS and various training modules. Guy currently works at Lumen Technologies as a senior director on the CDN team and is responsible for Lumen's global peering strategy.
Speakers
  • Speaker Guy Tal
Kenneth Celenza - Network to Code
Full Abstract

Firewalls are not the easiest thing to automate, and once you have done it, the hardest work falls on the users: they are now expected to have near expert-level knowledge of how IP services work within your environment. This is where the Application Dictionary comes in.

The Application Dictionary is intended to be the Source of Truth that fundamentally changes the paradigm of automating firewall rules, allowing application owners to define their application and the requests to be made between applications instead of IP services. This lets application owners make simple requests like "provide my application access to Splunk".

This is not just vaporware, there is a live demonstration to show the reimagining of firewall rules from conception to deployment.

Speakers
  • Speaker Kenneth Celenza - Network to Code
Full Abstract

Hosts on the internet are continuously targeted and penetrated by so-called scanners which try to automatically break into a system. Network operators apply different techniques to prevent an incident. Blocking traffic from (malicious) IPs has been proven to be successful. This requires a consistently updated and reliable list of the origins of scanning activity.
The consequence is an entire industry which has emerged to provide the best IP blocklist. A typical approach to identifying scanners is an infrastructure of honeypots. Such a sensor infrastructure can consist of hundreds of honeypots spread all over the world. The rise of cloud platforms has established a convenient way to deploy honeypots globally.
Research has shown that some scanners target a specific IP address space. This raises the question of whether cloud-based global diversity is enough to identify the majority of scanners.
We set up a small sensor infrastructure with honeypots not only in cloud-based environments but also in residential areas and campus networks. The resulting data set provides valuable insights into scanning activity aimed at different kinds of networks.
A geographical and temporal analysis delivers indicators that different scanners target different protocols. Further, the results show that certain scanners target specific networks exclusively. In particular, scanners of residential areas are hard to discover with a cloud-only sensor infrastructure. Ultimately, we assess the completeness of the dataplane.org data feeds.

Max Resing: Currently, I am in my Computer Science Master's with a specialization in data science at the University of Twente in Enschede, the Netherlands. Before my master's I graduated cum laude in Computer Science & Engineering at the same university. My bachelor thesis was in the domain of internet measurements and was honored with a best paper award. Before my studies, I did an apprenticeship as a software developer for a medium-sized company in Münster, Germany. During my Bachelor I worked as a part-time full-stack developer. My task was to implement a new cloud-operated monitoring software for gas stations and car washes. After bringing this project into the pilot phase, I searched for a new challenge. Now I work as a DevOps engineer as part of a team which implements a continuous monitoring solution for the compliance of DNSSEC configurations for all DNS records within the European TLDs ".ch" and ".li". The project is implemented on behalf of SWITCH, the Swiss NREN.
Speakers
  • Speaker Max Resing
Full Abstract

The key to optimizing the performance of an anycast-based system (e.g., the root DNS or a CDN) is choosing the right set of sites to announce the anycast prefix. One challenge here is predicting catchments. A naïve approach is to advertise the prefix from all subsets of available sites and choose the best-performing subset, but this does not scale well. We demonstrate that by conducting pairwise experiments between sites peering with tier-1 networks, we can predict the catchments that would result if we announce to any subset of the sites. We prove that our method is effective in a simplified model of BGP, consistent with common BGP routing policies, and evaluate it in a real-world testbed. We then present AnyOpt, a system that predicts anycast catchments. Using AnyOpt, a network operator can find a subset of anycast sites that minimizes client latency without using the naïve approach. In an experiment using 15 sites, each peering with one of six transit providers, AnyOpt predicted site catchments of 15,300 clients with 94.7% accuracy and client RTTs with a mean error of 4.6%. AnyOpt identified a subset of 12 sites, announcing to which lowers the mean RTT to clients by 33ms compared to a greedy approach that enables the same number of sites with the lowest average unicast latency.

Xiao Zhang: Shane (Xiao) Zhang has been a Ph.D. candidate in Computer Science at Duke University since August 2018. He is co-advised by Professor Bruce Maggs and Professor Xiaowei Yang. He also works with Akamai Technologies on anycast optimization. Mr. Zhang received an M.Eng. degree in computer science at Xi'an Jiaotong University in 2017 and a B.S. degree in computer science at Xi'an Jiaotong University in 2013. He visited The Chinese University of Hong Kong as an exchange student from Jan 2012 to Jun 2012. He received the 2016-2017 IBM Fellowship award in Jan 2016 and visited IBM Research - China as a research intern from July 2015 to July 2018.
Speakers
  • Speaker Xiao Zhang
Full Abstract

If you are not in Boundary Waters AB + Foyer in Minneapolis visiting with Charter Communications, IPv4.Global, and Smartoptics, then be sure to join in a game of Kahoot! with Infinera via Zoom and the Kahoot! App

Join the webinar at 3:45pm CDT here:
https://us06web.zoom.us/j/81540753322?pwd=Z2sxM3cwUHEzSUh5Qk9ZS3J4WTZ6QT09

Full Abstract

The Federal Emergency Management Agency’s (FEMA) Integrated Public Alert and Warning System (IPAWS) is a national system that is used for local alerting. IPAWS provides public safety officials an integrated gateway to send life-saving alert and warning messages to the public through TV and radio via the Emergency Alert System (EAS), mobile phones via Wireless Emergency Alerts (WEA), NOAA Weather Radio (NWR), and other public alerting systems, all from a single interface. Today, over sixteen hundred federal, state, local, territorial, and tribal Alerting Authorities use IPAWS to geographically target critical emergency messages to people in their jurisdictions.

Even though IPAWS currently has comprehensive dissemination channels, technology keeps evolving. Thus, IPAWS needs to continue evolving to prepare for the future. As people are moving their daily activities away from traditional TVs/radios to Internet-connected services and products, IPAWS must be able to deliver alerts to the latest Internet-connected devices and services. The IPAWS Office wants to expand our dissemination pathways with Internet-based services and apps. We're hoping more Internet-connected technologies will deliver public emergency alert and warning messages to Internet end-users. Received alerts save lives!

Speakers
  • Speaker May Wu
Full Abstract

Internet resources form the basic fabric of the digital society. They provide the fundamental platform for digital services and assets, e.g., for critical infrastructures, financial services, government. Whoever controls that fabric effectively controls the digital society.

In this work we demonstrate that the current practices of Internet resources management, of IP addresses, domains, certificates and virtual platforms are insecure. Over long periods of time adversaries can maintain control over Internet resources which they do not own and perform stealthy manipulations, leading to devastating attacks. We show that network adversaries can take over and manipulate at least 68% of the assigned IPv4 address space as well as 31% of the top Alexa domains. We demonstrate such attacks by hijacking the accounts associated with the digital resources.

For hijacking the accounts we launch off-path DNS cache poisoning attacks, to redirect the password recovery link to the adversarial hosts. We then demonstrate that the adversaries can manipulate the resources associated with these accounts. We find all the tested providers vulnerable to our attacks.

We recommend mitigations for blocking the attacks that we present in this work. Nevertheless, the countermeasures cannot solve the fundamental problem - the management of Internet resources should be revised to ensure that transactions cannot be applied as easily and stealthily as is currently possible.

Tianxiang Dai: Tianxiang Dai is a research associate in ATHENE Center and Fraunhofer SIT in Germany. His research interests are in network security including DNS security, IP security and firewall security.
Philipp Jeitner: Philipp Jeitner is a Security Researcher and PhD student at Fraunhofer SIT since 2019. His research is focused on attacks against network applications, mostly using DNS-based attack vectors. Currently, he's looking into finishing his PhD thesis in early 2022. LinkedIn: https://www.linkedin.com/in/philipp-jeitner/ Google Scholar: https://scholar.google.com/citations?user=cJ86ZpMAAAAJ
Speakers
  • Speaker Tianxiang Dai
  • Philipp Jeitner
  • Haya Shulman
  • Michael Waidner
Melchior Aelmans - Juniper Networks
Full Abstract

In this presentation we will explore how Quantum Key Distribution (QKD) works and how it can be leveraged in existing security mechanisms. Before diving into QKD we will first look at some of the quantum terminology and principles. We will also explore what a Quantum Network and/or Quantum Internet is.

Speakers
  • Speaker Melchior Aelmans - Juniper Networks
Full Abstract

Since the early days of the Internet (Arpanet in 1970), the topic of Routing Protocol Convergence Time has been a top-of-mind issue. A number of protocols and technologies have been developed and deployed at a large scale with the objective of improving overall network reliability. Although such approaches have dramatically evolved, they all rely on a reactive approach: upon detecting a network failure, the traffic is rerouted onto an alternative path. In contrast, a proactive approach would rely on a different paradigm, consisting of rerouting traffic before the occurrence of a predicted failure onto an alternate path that meets application Service Level Agreement (SLA) requirements.

Years of research led to the development of the first Predictive Engine for the Internet. Millions of paths and thousands of SP networks have been analyzed in depth, leading to deep modeling of path characteristics at all layers. Machine Learning and statistical approaches have been developed to predict potential SLA violations and thus route proactively thanks to trusted automation. In this short talk, such analysis of Internet characteristics, along with the promising avenue of a predictive Internet, will be presented.

JP Vasseur: www.jpvasseur.me JP Vasseur is an innovation leader recognized for breakthrough, disruptive Internet technologies. Over the past 10 years, he has been leading Machine Learning (ML) and Artificial Intelligence (AI) in support of key applications including Wireless, IoT, SD-WAN, Switching, Device Classification, Security and Multi-Domain at Cisco Systems. JP is widely known as the Chief Architect of the Internet of Things (IoT). Currently he is a Cisco Fellow and Head of Cloud-Based Machine Learning and AI for the Network and the Internet. JP was the co-inventor of the Path Computation Element for SDN, a key contributor to MPLS Traffic Engineering, and served as the Lead for IoT IPv6 Architectures for Routing/QoS. He forms teams and partners with leading technologists, engineers, and thought leaders globally to create new architectures and protocols, incubate technologies, and deliver fully formed concepts. His special skill is leading projects from idea conception to product deployment. His products are widely deployed across the Internet. As the (co)inventor on 600 patents across many networking areas, JP is known for his ability to collaborate and inspire new technology thinking. JP is a regular speaker at various international conferences and is a member of numerous Technical Program Committees. He is a key contributor within the Internet Engineering Task Force (IETF), has co-authored more than 35 IETF protocol specifications, and has co-chaired several IETF working groups. JP Vasseur holds a PhD from Telecom Paris. He received his Master's Degree in Computer Science from Stevens Institute of Technology in Hoboken, New Jersey, and a Master's Degree in Mathematics from EPITA in Paris, France. Currently JP is an Associate Professor at Telecom Paris.
He has published dozens of research papers and is the coauthor of "Network Recovery" (Morgan Kaufmann, July 2004), "Definitive MPLS Network Designs" (Cisco Press, March 2005) and "Interconnecting Smart Objects with IP: The Next Internet" (Morgan Kaufmann, July 2010 - http://www.thenextinternet.org/).
Wednesday, November 3, 2021
Topic/Presenter
Full Abstract

World IPv6 Day was in 2011, World IPv6 Launch in 2012. We will briefly reflect on the status of IPv6 deployment across eyeball and content networks ~10 years later. We will take a look at statistics across a wide range of public and private (cited) sources. In 2021 the cost of IPv4 address acquisition is increasing dramatically. We will take a close look at what has worked and what has not, across the board, focusing on what the next 10 years of IPv6 need to look like to not just increase adoption, but to increase bona fide end-to-end usage.

John Jason Brzozowski: An industry veteran with over 25 years of experience leading large-scale, transformational infrastructure and platform initiatives. John's areas of expertise span a wide range of disciplines including networking (service provider and home), cloud, software development, and embedded systems, to name a few. His leadership and execution have had the most substantive impact across cable and its diverse ecosystem encompassing voice, video, and Internet products and services. His numerous contributions and accomplishments have fueled innovation and scale for one of the largest residential broadband networks in the world. John seamlessly introduced support for IPv6 to over 100MM consumer-facing devices, the majority of which were migrated to IPv6 only. This in turn produced what is perhaps today the world's largest fixed-line broadband IPv6 deployment. Most recently, John leveraged his expertise to incubate and develop an enterprise-scale, global wireless IoT platform where he was responsible for product engineering and infrastructure.
Speakers
  • Speaker John Jason Brzozowski
Full Abstract

IPv6 Extension Headers (EHs) allow for the extension of the IPv6 protocol, and provide support for core functionality such as IPv6 fragmentation. However, common implementation limitations suggest that EHs present a challenge for IPv6 packet routing equipment and middle-boxes, and evidence exists that IPv6 packets with EHs are intentionally dropped in the public Internet in some network deployments. This presentation summarizes the operational implications of IPv6 extension headers, and attempts to analyze reasons why packets with IPv6 extension headers are often dropped in the public Internet.

Fernando Gont: Fernando Gont is Director of Information Security at EdgeUno (https://www.edgeuno.com). Gont specializes in the field of communications protocols security, and has worked for private and governmental organizations from around the world. His work experience includes a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security, resulting in a series of documents with recommendations for network engineers and implementers of the TCP/IP protocol suite, and the first thorough security assessment of the IPv6 protocol suite. Gont has participated in several working groups of the Internet Engineering Task Force (IETF) for the last 15 years, and has published over 35 IETF RFCs (Request For Comments) and more than a dozen IETF Internet-Drafts. Gont has also developed the SI6 Networks' IPv6 Toolkit – a portable and comprehensive security toolkit for the IPv6 protocol suite – and the SI6 Networks' IoT Toolkit – a portable security toolkit for IoT devices. Gont has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, FIRST Technical Colloquium 2005, ekoparty 2007, Kernel Conference Australia 2009, DEEPSEC 2009, HACKLU 2011, DEEPSEC 2011, Hackito Ergo Sum 2012, H2HC 2017, H2HC 2019, Troopers 2019 and Hack In Paris 2018. Additionally, he is a regular attendee of the Internet Engineering Task Force (IETF) meetings. More information about Fernando Gont is available at his personal web site: <https://www.gont.com.ar>.
Speakers
  • Speaker Fernando Gont
Full Abstract

In scenarios where network configuration information related to IPv6 prefixes becomes invalid without any explicit and reliable signaling of that condition (such as when a Customer Edge router crashes and reboots without knowledge of the previously employed prefixes), hosts on the local network may continue using stale prefixes for an unacceptably long time (on the order of several days), thus resulting in connectivity problems. This problem was recently documented by the IETF in RFC8978 (published in March 2021), but IETF work continued in order to devise solutions to the aforementioned problem.

In this presentation, Fernando Gont (co-author of both RFC8978 and RFC9096) will present the upcoming RFC9096 on "Improving the Reaction of Customer Edge Routers to IPv6 Renumbering Events", with recommendations for Customer Edge Routers and configuration advice for administrators/operators of such devices.

Speakers
  • Speaker Fernando Gont
Full Abstract

The traditional design principle for Internet protocols states: "Be strict when sending and tolerant when receiving" [RFC1958], and DNS is no exception. The transparency of DNS in handling DNS records, also standardised specifically for DNS [RFC3597], is one of the key features that made it such a popular platform facilitating a constantly increasing number of new applications. An application simply creates a new DNS record and can instantly start distributing it over DNS without requiring any changes to the DNS servers and platforms. Our Internet-wide study confirms that more than 1.3M (96% of tested) open DNS resolvers are standards-compliant and treat DNS records transparently.

In this work, co-authors Philipp Jeitner and Haya Shulman show that this 'transparency' introduces a severe vulnerability in the Internet: they demonstrate a new method to launch string injection attacks by encoding malicious payloads into DNS records. They show how such DNS records can be weaponised to attack popular applications. For instance, they apply string injection to launch a new type of DNS cache poisoning attack, which they evaluated against a population of open resolvers and found 105K to be vulnerable. Such cache poisoning cannot be prevented with common setups of DNSSEC. The attacks apply to internal as well as to public services; for instance, they reveal that all eduroam services are vulnerable to the injection attacks, allowing exploits ranging from unauthorised access to eduroam networks to resource starvation. Depending on the application, the attacks cause system crashes, data corruption and leakage, degradation of security, and can introduce remote code execution and arbitrary errors.

In their evaluation of the attacks in the Internet they find that all the standards-compliant open DNS resolvers they tested allow the injection attacks against applications and users on their networks.

Philipp Jeitner: Philipp Jeitner is a Security Researcher and PhD student at Fraunhofer SIT since 2019. His research is focused on attacks against network applications, mostly using DNS-based attack vectors. Currently, he's looking into finishing his PhD thesis in early 2022. LinkedIn: https://www.linkedin.com/in/philipp-jeitner/ Google Scholar: https://scholar.google.com/citations?user=cJ86ZpMAAAAJ
Speakers
  • Speaker Philipp Jeitner
  • Haya Shulman
Speakers
  • Speaker Kendra Pignotti - DE-CIX
Full Abstract

As the number of containerized Network Operating Systems grows, so does the demand to run them easily in user-defined, versatile topologies.
Unfortunately, container orchestration tools like docker-compose are not a good fit for that purpose, as they do not allow a user to easily create links between the containers that make up a topology.

Containerlab provides a Command Line Interface for orchestrating and managing container-based networking labs. It starts the containers, builds virtual wiring between them to create topologies of the user's choice, and manages the lab's lifecycle.

While it has a strong focus on containerized Network Operating Systems, containerlab also supports running traditional VM-based networking products in the same container-like fashion. That makes it a universal tool for deploying network topologies, encompassing both legacy VM-based systems and containerized products.

Being open source, lightweight, fast and multivendor makes containerlab a perfect tool for deploying network topologies for lab exercises, network testing and CI.

Roman Dodin: Roman Dodin is a Product Line Manager at Nokia and an avid member of various communities built around network automation. He is an active contributor to open source projects in the field of network programmability and a maintainer of the containerlab project. At Nokia, Roman governs the evolution of the Nokia SR Linux NetOps Development Kit and is busy building communities around SR Linux programmable interfaces.
Karim Radhouani: Karim Radhouani is a Network Automation engineer at Nokia and an active contributor to multiple open source projects. At Nokia Karim builds network automation tools used both inside and outside of Nokia.
Speakers
  • Speaker Roman Dodin
  • Karim Radhouani
Full Abstract

This will be an introductory session on Network Automation using Ansible. Ansible is an open-source software provisioning, configuration management, and application-deployment tool enabling infrastructure as code. Ansible provides a simple way to manage network devices like routers, switches, firewalls, etc.
This talk will focus on how Ansible can be used to manage configuration data for network devices using the network_cli/netconf/httpapi/restconf connection plugins, and to access operational state data in an easy-to-understand YAML format. Further, it will discuss how to work with Ansible network collections and extend their capabilities by writing Ansible plugins.

Ganesh Nalawade: Ganesh Nalawade works for Red Hat as a Principal Software Engineer on the Ansible engineering team.
Speakers
  • Speaker Ganesh Nalawade
Speakers
  • Speaker Ognian Mitev

The NANOG 83 Network Lounge is located in Boundary Waters C and sponsored by Console Connect.

Platinum Sponsors


Gold Sponsor
