myanmar member gathering
TRANSCRIPT
APNIC Member Gathering
20 November, Yangon
1
Agenda
RPKI; For more secure routing
Grow your business with more IP resources
Upcoming APNIC events
VizAS; Visualize your network infrastructure
2
IP resource statistics
3
7/16 6/16
Getting the final /22
4
12 3
IPv4 is fast exhausting, what next ?
5
IPv4 You payGet IPv6 for no extra fee
/24 No extra fees /48/22 No extra fees /32
IPv6 Kick Start
No evaluation required
6
Agenda
RPKI; For more secure routing
Grow your business with more IP resources
Upcoming APNIC events
VizAS; Visualize your network infrastructure
7
8
A
AS1 (ISP of Victim)AS4 (Large ISP)
AS2 (Legitimate owner of 2001:DB8::/32)
BGP:2001:DB8::/32
B
C
D
BGP:2001:DB8::/48
BGP:2001:DB8::/32BGP:2001:DB8::/48
AS3 (ISP of Hijacker)
Source : http://www.secureworks.com/
Resource Public Key Infrastructure
What is RPKI?
•A robust security framework for verifying the association between resource holders and their Internet resources
•Uses x.509 certificates with RFC3779 extensions
• Collaborative effort by all RIRs to help secure Internet routing by validating routes
9
APNIC’s involvement in RPKI
• Initial phase introduced by RIRs in 2009
• Initiative from APNIC aimed at:
– Improving the security of inter-domain routing
– Augmenting the information published in the whois database
10
Motivation
11
• Prevent route hijacking
– Only the rightful custodian can originate the prefix announcement – ISPs filter prefixes they propagate
• Minimize common routing errors
– Limits human errors– Prioritize routes with certificates
Real-life routing incidents• July 2015 – Axcelx; hosting provider in Boston leaked Reddit routes,
knocking off websites dependent on Amazon and AWS
• June 2015 - Telecom Malaysia caused large-scale routing issues due to route leak
• April 2014 - Indosat leaked 32,000 routes
• April 2010 - China Telecom advertisement caused 15% of Internet traffic to pass through Chinese servers
• February 2008 - Pakistan Telecom announced 208.65.153.0/24 (YouTube prefix)
12
APNIC Resource Certification
Valid from: 2015.11.20 Valid to: 2016.11.20 Origin ASN: 131107 IP prefix: 2001:0DB8::/32 Most specific allowed: /36
Create your ROAs now through APNIC’s Resource Certification Tool.
www.apnic.net/ROA13
Creating ROAs in MyAPNIC
14
• What you need to have before creating a ROA
– Must be an APNIC Member– Have access to MyAPNIC with 2 factor authentication
• Takes only 5 minutes to create, and 10 minutes to be visible to the public
TOTP, more convenient 2FA
15
Digital certificates are not neededCan get full access from ANY device you login with
www.apnic.net/2FA
ROA creation in MyAPNIC
16
1 2
Route management made easier
17
Services improvements for route management next year
• One page to manage routes and ROAs
• Ability to create ROA together with route object
• Quick visualization of all your routes and ROAs
• View who is using your ASN
Success story
• May 2015: APNIC Outreach in Bangladesh– 13 organizations visited– Onsite support to create ROA objects
18
561 valid prefixes (24%)
http://rpki.surfnet.nl/bd.html
ROA usage in apps and services
19
Agenda
RPKI; For more secure routing
Grow your business with more IP resources
Upcoming APNIC events
VizAS; Visualize your network infrastructure
20
Reduce delaysAdd more robustness
Peering
Internet Peering is a local routing optimization, a way to exchange some of your traffic with neither party incurring Internet transit fees.
21
VizAS: Visualize your connectivity
AS Numbers with more downstream connectivity located towards the centre.
Lines show their connectivity to down streams
22
VizAS: Visualize your connectivity
AS Numbers on the edge have no down streams. They provide services to end users.
Red means heavy traffic. Yellow means low traffic.
23
VizASWant to find out about Myanmar ?
labs.apnic.net/vizas
24
Agenda
RPKI; For more secure routing
Grow your business with more IP resources
Upcoming APNIC events
VizAS; Visualize your network infrastructure
25
Upcoming conferences
26
APNIC Training
www.training.apnic.net27
28
APNIC Training: New courses
www.training.apnic.net
E-LearninglOSPF Operation & LSDBGP Attributes & Path Selection ProcessIPv6 Protocol ArchitectureDNS SecurityWHOIS Database + MyAPNICIntro to RPKIIntro to MPLSIPSec VPN Design
WorkshopsRPKI Tutorial & Router Configuration DemoAdvance MPLSAdvance BGP
Technical Assistance Service
TAS - Thailand TAS - Bangladesh
Support for scalable and resilient networks and best
practices in network operations
• Distribution and registration of resources• Supporting reverse DNS delegation• Managing whois and IRR• Resource Certification• IPv6 deployment• Internet infrastructure security• Supporting open & neutral IXP & root serverswww.apnic.net/tas
29
Outreach in Sri Lanka (8 Members), Bangladesh (13 Members), Thailand (10 Members)