Agenda

Please note agenda is subject to change.
Sunday, October 31, 2021
Topic |
---|
Full Abstract: A hybrid format. The Hackathon starts with a brief welcome and introduction, tutorial, and team formation on Friday, October 22 at 4:00pm CDT. Hacking begins at 1:00pm CDT, Saturday, October 30. The hacking ends at 5:00pm CDT, Sunday, October 31, when the team presentations will begin. The Hackathon will conclude around 6:00pm CDT Sunday, October 31. A recap session will be recorded between 6:00pm - 7:00pm CDT, followed by an hour-long reception. We have dedicated Support/Help Hours on Saturday from 1:00pm - 4:00pm CDT virtually via Zoom and again on Sunday from 12:00pm - 5:00pm CDT in a hybrid format. Join us virtually here: |
|
|
Monday, November 1, 2021
Topic |
---|
|
|
|
|
Full Abstract: Hear from candidates Christopher Chin, Steven Feldman, Alex Latzko, Brad Raymo, and Dave Siegel as they answer questions asked by Mike Starr from the NANOG Election Committee. Questions asked are: 2. What should the NANOG board do to ensure the next generation of network engineers see our community as positive, diverse, and inclusive? 3. Strategically, what do you think are the biggest opportunities or challenges for NANOG as an organization? 4. Funding is always an issue with every nonprofit. How can you help NANOG find more revenue sources? 5. What makes you stand out as a potential new member of the NANOG board of directors?
|
|
|
Full Abstract: Since there have been computer networks there have been network outages. Ask any network operator to conjure up a memorable network outage and it likely won't take them any effort at all. This session looks back at a few noteworthy network outages from Internet history with individuals who were there to provide a truly unique perspective and look back. Want to hear from one of the original AS 7007 operators? Want to know what it was like to coordinate a global response to the Slammer/Sapphire worm? Perhaps you've been reading about governments "shutting down" their Internet, but don't really know what that means or what the effect truly is? If you like a good war story, we have the panel for you. There will be plenty of time for Q&A and a chance for some of you to share your own 30-second war story with the NANOG community. Featured Panelists: Avi Freedman, Jared Mauch, and Doug Madory. Moderator: John Kristoff.
|
Full Abstract: Address: Walking Directions from Hyatt Regency Minneapolis (approx 16 min walk): Take Nicollet Mall Street for .6 miles northeast toward the Mall |
Tuesday, November 2, 2021
Topic |
---|
|
|
Sponsors: |
|
Full Abstract: This presentation discusses how control of the internet experience is moving more and more into the hands of browser and phone vendors. The advent of end-to-end encryption, also on control planes and metadata like DNS, means that no one else is able to influence the internet - except in extremely This moves a lot of agency to browser and phone vendors, who now can decide if and how they want to help governments and societies, or not. They could also enforce their own vision on what the internet & society should be. If governments don't agree, they have to resort to heavy measures to impose their will, as we've recently seen happening in Russia. In this talk I show with examples how this is the new reality. I also place these developments into a historical context -- shifting of control between governments and industry is nothing new. This context may help us ponder what developments are good and which aren't - because there are no easy answers. (While Bert is a Dutch government/intelligence agency regulator, his presentation does not reflect government policy.)
|
Full Abstract: ARIN's President and CEO John Curran will provide a brief update about recent changes and developments at ARIN that should be of interest to the network operator community in the region.
|
Full Abstract: The Internet Routing Registry (IRR) has long been a component of a network operator’s routing security. Internet professionals welcomed a new tool in their quiver that enhanced the security posture of the networks they managed. Operators have the ability to share information about their networks and their customers in a simplified manner across the global ecosystem. But, the IRR is only as good as the objects that exist in the databases. As time has passed and the responsibility for maintaining these records has passed from team to team, the information has become stale, or even worse, fraudulent data has made its way into the data stream. Is the information in the IRR ecosystem trustworthy? We need to understand where we are, discuss the next steps, learn the differences between authenticated and non-authenticated databases, and commit to cleaning up the data. Let’s work together to make the IRR the useful routing security tool it should be.
|
Full Abstract: NANOG brings the network operator community together to share information and techniques which make the Internet better, and by extension, society as a whole. But our great community is not without its challenges. Some of the things that make NANOG great - the collective intelligence, global reach, lifelong friendships - can be exceedingly intimidating for many. Especially those trying to break into a male-dominated industry. This presentation highlights some of the pioneering women who have helped show women can contribute and succeed in the industry. I would like to show our gratitude for their work paving the way for other women. We will also run an experiment with the audience, through some up front survey work. We want to help carry on and expand the foundation that has been laid, so NANOG will be more accessible to everyone.
|
Full Abstract: If you are not able to attend in person, we have a networking session available via Zoom! Join Zoom Meeting Meeting ID: 889 7884 5443 |
Sponsors: |
Full Abstract: Changing Internet landscapes should cause us to rethink our interconnection landscape as well. Instead of relying on the existing interconnectivity footprint, we need to match interconnectivity to our customers' demands. After internal study and canvassing the environment, Lumen will begin requiring deeper interconnects with its peering partners next year, which will ultimately help everyone connected to the internet achieve lower latency.
|
Full Abstract: Automating firewalls is not the easiest task to automate, but once you have done it, the hardest work is now on the users. The users are now expected to have near expert level knowledge of how IP services work within your environment. This is where the Application Dictionary comes in. The Application Dictionary intends to be the Source of Truth that fundamentally changes the paradigm of automating firewall rules. Allowing application owners to define their application and the requests to be made between applications instead of IP services. This allows application owners to ask simple requests like "provide my application access to Splunk". This is not just vaporware, there is a live demonstration to show the reimagining of firewall rules from conception to deployment.
|
Full Abstract: Hosts on the internet are continuously targeted and penetrated by so-called scanners which try to automatically break into a system. Network operators apply different techniques to prevent an incident. Blocking traffic from (malicious) IPs has been proven to be successful. This requires a consistently updated and reliable list of the origins of scanning activity.
|
Full Abstract: The key to optimizing the performance of an anycast-based system (e.g., the root DNS or a CDN) is choosing the right set of sites to announce the anycast prefix. One challenge here is predicting catchments. A naïve approach is to advertise the prefix from all subsets of available sites and choose the best-performing subset, but this does not scale well. We demonstrate that by conducting pairwise experiments between sites peering with tier-1 networks, we can predict the catchments that would result if we announce to any subset of the sites. We prove that our method is effective in a simplified model of BGP, consistent with common BGP routing policies, and evaluate it in a real-world testbed. We then present AnyOpt, a system that predicts anycast catchments. Using AnyOpt, a network operator can find a subset of anycast sites that minimizes client latency without using the naïve approach. In an experiment using 15 sites, each peering with one of six transit providers, AnyOpt predicted site catchments of 15,300 clients with 94.7% accuracy and client RTTs with a mean error of 4.6%. AnyOpt identified a subset of 12 sites, announcing to which lowers the mean RTT to clients by 33ms compared to a greedy approach that enables the same number of sites with the lowest average unicast latency.
|
Full Abstract: If you are not in Boundary Waters AB + Foyer in Minneapolis visiting with Charter Communications, IPv4.Global, and Smartoptics, then be sure to join in a game of Kahoot! with Infinera via Zoom and the Kahoot! App. Join the webinar at 3:45pm CDT here: |
Full Abstract: The Federal Emergency Management Agency’s (FEMA) Integrated Public Alert and Warning System (IPAWS) is a national system that is used for local alerting. IPAWS provides public safety officials an integrated gateway to send life-saving alert and warning messages to the public through TV and radio via the Emergency Alert System (EAS), mobile phones via Wireless Emergency Alerts (WEA), NOAA Weather Radio (NWR), and other public alerting systems, all from a single interface. Today, over sixteen hundred federal, state, local, territorial, and tribal Alerting Authorities use IPAWS to geographically target critical emergency messages to people in their jurisdictions.
|
Full Abstract: Internet resources form the basic fabric of the digital society. They provide the fundamental platform for digital services and assets, e.g., for critical infrastructures, financial services, government. Whoever controls that fabric effectively controls the digital society. In this work we demonstrate that the current practices of Internet resources management, of IP addresses, domains, certificates and virtual platforms are insecure. Over long periods of time adversaries can maintain control over Internet resources which they do not own and perform stealthy manipulations, leading to devastating attacks. We show that network adversaries can take over and manipulate at least 68% of the assigned IPv4 address space as well as 31% of the top Alexa domains. We demonstrate such attacks by hijacking the accounts associated with the digital resources. For hijacking the accounts we launch off-path DNS cache poisoning attacks, to redirect the password recovery link to the adversarial hosts. We then demonstrate that the adversaries can manipulate the resources associated with these accounts. We find all the tested providers vulnerable to our attacks. We recommend mitigations for blocking the attacks that we present in this work. Nevertheless, the countermeasures cannot solve the fundamental problem - the management of the Internet resources should be revised to ensure that applying transactions cannot be done so easily and stealthily as is currently possible.
|
Full Abstract: In this presentation we will explore how Quantum Key Distribution (QKD) works and how it can be leveraged in existing security mechanisms. Before diving into QKD we will first look at some of the quantum terminology and principles. We will also explore what a Quantum Network and/or Quantum Internet is.
|
Full Abstract: Since the early days of the Internet (Arpanet in 1970), the topic of Routing Protocol Convergence Time has been a top-of-mind issue. A number of protocols and technologies have been developed and deployed at a large scale with the objective of improving overall network reliability. Although such approaches have dramatically evolved, they all rely on a reactive approach: upon detecting a network failure, the traffic is rerouted onto an alternative path. In contrast, a proactive approach would rely on a different paradigm consisting in rerouting traffic before the occurrence of a predicted failure onto an alternate path that meets application Service Level Agreement (SLA) requirements. Years of research led to the development of the first Predictive Engine for the Internet. Millions of paths and thousands of SP networks have been analyzed in depth leading to deep modeling of path characteristics at all layers. Machine Learning and Statistical have been developed to perform predictions of potential SLA violations and thus proactively routing thanks to trusted automation. In this short talk, such analysis of the Internet characteristic along with the promising avenue of a predictive Internet will be presented.
|
Wednesday, November 3, 2021
Topic |
---|
|
|
|
Full Abstract: World IPv6 Day was in 2011, World IPv6 Launch in 2012. We will briefly reflect on the status of IPv6 deployment across eyeball and content networks ~10 years later. We will take a look at statistics across a wide range of public and private (cited) sources. In 2021 the cost of IPv4 address acquisition is increasing, dramatically. We will take a close look at what has worked and what has not, across the board, focusing on what the next 10 years of IPv6 needs to look like to not just increase adoption, but to increase bona fide end-to-end usage.
|
Full Abstract: IPv6 Extension Headers (EHs) allow for the extension of the IPv6 protocol, and provide support for core functionality such as IPv6 fragmentation. However, common implementation limitations suggest that EHs present a challenge for IPv6 packet routing equipment and middle-boxes, and evidence exists that IPv6 packets with EHs are intentionally dropped in the public Internet in some network deployments. This presentation summarizes the operational implications of IPv6 extension headers, and attempts to analyze reasons why packets with IPv6 extension headers are often dropped in the public Internet.
|
Full Abstract: In scenarios where network configuration information related to IPv6 prefixes becomes invalid without any explicit and reliable signaling of that condition (such as when a Customer Edge router crashes and reboots without knowledge of the previously employed prefixes), hosts on the local network may continue using stale prefixes for an unacceptably long time (on the order of several days), thus resulting in connectivity problems. This problem was recently documented by the IETF in RFC8978 (published in March 2021), but IETF work continued in order to devise solutions to the aforementioned problem. In this presentation, Fernando Gont (co-author of both RFC8978 and RFC9096) will present the upcoming RFC9096 on "Improving the Reaction of Customer Edge Routers to IPv6 Renumbering Events", with recommendations for Customer Edge Routers, and configuration advice for administrators/operators of such devices.
|
Full Abstract: The traditional design principle for Internet protocols indicates: "Be strict when sending and tolerant when receiving" [RFC1958], and DNS is no exception to this. The transparency of DNS in handling the DNS records, also standardised specifically for DNS [RFC3597], is one of the key features that made it such a popular platform facilitating a constantly increasing number of new applications. An application simply creates a new DNS record and can instantly start distributing it over DNS without requiring any changes to the DNS servers and platforms. Our Internet-wide study confirms that more than 1.3M (96% of tested) open DNS resolvers are standard-compliant and treat DNS records transparently. In this work, co-authors Philipp Jeitner and Haya Shulman show that this 'transparency' introduces a severe vulnerability in the Internet: we demonstrate a new method to launch string injection attacks by encoding malicious payloads into DNS records. We show how to weaponise such DNS records to attack popular applications. For instance, we apply string injection to launch a new type of DNS cache poisoning attack, which we evaluated against a population of open resolvers and found 105K to be vulnerable. Such cache poisoning cannot be prevented with common setups of DNSSEC. Our attacks apply to internal as well as to public services, for instance, we reveal that all eduroam services are vulnerable to our injection attacks, allowing us to launch exploits ranging from unauthorised access to eduroam networks to resource starvation. Depending on the application, our attacks cause system crashes, data corruption and leakage, degradation of security, and can introduce remote code execution and arbitrary errors. In our evaluation of the attacks in the Internet we find that all the standard-compliant open DNS resolvers we tested allow our injection attacks against applications and users on their networks.
|
|
|
Full Abstract: With the growing number of containerized Network Operating Systems grows the demand to easily run them in user-defined, versatile topologies. Containerlab provides a Command Line Interface for orchestrating and managing container-based networking labs. It starts the containers, builds a virtual wiring between them to create topologies of the user's choice and manages the lab's lifecycle. Having a strong focus on the containerized Network Operating Systems, containerlab also has support for running traditional VM-based networking products in the same container-like fashion. That makes it a universal tool for deploying network topologies, encompassing both legacy VM-based systems and containerized products. Being open source, lightweight, fast and having multivendor support makes containerlab a perfect tool to deploy network topologies for lab exercises, network testing and CI.
|
|
Full Abstract: This will be an introductory session on Network Automation using Ansible. Ansible is an open-source software provisioning, configuration management, and application-deployment tool enabling infrastructure as code. Ansible provides a simple way to manage network devices like routers, switches, firewalls etc.
|
|
|
The NANOG 83 Network Lounge is located in Boundary Waters C and sponsored by Console Connect.