Presentation is loading. Please wait.

Presentation is loading. Please wait.

RIPE NCC IRR training 4 February 2011 Zurich, Switzerland IPv6 Golden Networks Jeroen Massar Things to watch.

Published byMillicent Heath Modified over 8 years ago

Similar presentations

Presentation on theme: "RIPE NCC IRR training 4 February 2011 Zurich, Switzerland IPv6 Golden Networks Jeroen Massar Things to watch."— Presentation transcript:

1 RIPE NCC IRR training 4 February 2011 Zurich, Switzerland IPv6 Golden Networks Jeroen Massar jeroen@unfix.org Things to watch

2 Jeroen Massar ::2 Generate from DB You need to store the information already, thus why not automate it? Want to keep clicking on the site, making mistakes or just write a script once which mails the updates out every evening? Generate objects from your customer DB and generate your router config with rtconfig. Use SVN to store updates to router configs so that you can see when. Check out RANCID for this too. Create a PGP key for your robot so that it can automatically sign everything

3 Jeroen Massar ::3 Monitor your address space Watch BGP –BGPmon (http://bgpmon.net)http://bgpmon.net –RIPE RIS (http://ris.ripe.net)http://ris.ripe.net –RIPE Labs Tools (http://labs.ripe.net)http://labs.ripe.net –Colorado BGPmon (http://bgpmon.netsec.colostate.edu/)http://bgpmon.netsec.colostate.edu/ These might notify you of a hijack Watch your local network: –Use NetFlow / sFlow

4 Jeroen Massar ::4 BCP 38 (RFC 2827) “Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing” In short: Do not send packets to the network that you should not be originating Do source-route filtering as close to the source as possible –Watch out for “multi-homed” customers Techniques: Simple firewall rule blocking out the prefix Unicast RPF When there is no route towards that prefix it should not originate it Various device specific techniques eg in DSLAMs / Cable concentrators which also look at MAC addresses

5 Jeroen Massar ::5 Protect your BGP Don’t let anything else but the IX/peers talk to your BGP daemons BGP with TCP/MD5 Generalized TTL Security Mechanism (GTSH) –Set TTL to 255 at sender and verify on receiver that the TTL is still 255 –Packets then have to be from the same link and cannot have been routed Only accept packets from known MAC addresses Use arpwatch alike tools to make sure no new MACs are introduced on a switch, next to monitoring the switch that the cable was not unplugged Use RPSL –Put your route/route6 objects in the IRR –Generate prefix filters from it There are various secure routing proposals, unfortunately none in wide deployment Monitor your own prefix on the Internet so that you at least know that it is being used somewhere else by somebody else, of course inform folks of the hijack Using multiple prefixes can be useful because of that as they need to steel all your prefixes to be able to bring you down at ISPs that accept their advertisement

6 Jeroen Massar ::6 Resource Public Key Infrastructure (RPKI) Public Key Infrastructure to be able to verify BGP signatures X.509 based, RFC3779 Signature Types –Route Origin Attestations (ROA) “I am the signed origin” –Adjacency Attestations (AAO) “We peer together” Offline verification Open Source: https://subvert-rpki.hactrn.net/

7 Jeroen Massar ::7 IRT object http://www.ripe.net/db/support/security/irt /irt-h2.html (google: RIPE IRT object)http://www.ripe.net/db/support/security/irt /irt-h2.html Put an IRT object on all your parent objects, that way abuse reports will find your way much easier –and thus you can resolve those problems –customers will be happier –other ISPs will be happy that you are resolving issues and help you out with other issues

8 Jeroen Massar ::8 Communities Go to RIPE meetings Come to SwiNOG (http://www.swinog.ch)http://www.swinog.ch Be secure and active part of: –iNOC-DBA (http://www.pch.net/inoc-dba/)http://www.pch.net/inoc-dba/ –CERT (http://www.cert.org)http://www.cert.org –FIRST (http://www.first.org)http://www.first.org –NSP-SEC (http://www.nspsec.org)http://www.nspsec.org They physically meet at RIPE meetings –OPS-Trust (http://www.ops-trust.net)http://www.ops-trust.net –PeeringDB (http://www.peeringdb.com)http://www.peeringdb.com

9 Jeroen Massar ::9 No More IPv4 (almost ;) Last /8’s allocated to the RIRs When they are out, IPv4 is out. No more new customers unless you start doing NAT for your customers and other icky stuff…. (got a Playstation/xbox and want to play games, that won’t work with multiple layers of NAT….) Thus: Get IPv6 years AGO! and otherwise, really really hurry….

10 Jeroen Massar ::10 Questions? Jeroen Massar JRM1-RIPE http://unfix.org/~jeroen/ jeroen@unfix.org

Download ppt "RIPE NCC IRR training 4 February 2011 Zurich, Switzerland IPv6 Golden Networks Jeroen Massar Things to watch."

Similar presentations

Source Validation 111. BCP 38 Ingress Packet Filtering Your customers should not be sending any IP packets out to the Internet with a source address other.

Source Validation 111. BCP 38 Ingress Packet Filtering Your customers should not be sending any IP packets out to the Internet with a source address other.
1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
IPv4 Run Out and Transitioning to IPv6 Marco Hogewoning Trainer, RIPE NCC.

IPv4 Run Out and Transitioning to IPv6 Marco Hogewoning Trainer, RIPE NCC.
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.

17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.
IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.

IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.

SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
ISOC-Chicago 2001John Kristoff - DePaul University1 Journey to the Center of the Internet John Kristoff +1 312 362-5878 DePaul University.

ISOC-Chicago 2001John Kristoff - DePaul University1 Journey to the Center of the Internet John Kristoff DePaul University.
© 2010 IBM Corporation Jeroen Massar Security, DDoS and AntiSpam How to secure the Internet outside of the bunkers inside the Swiss Alps IBM Research –

© 2010 IBM Corporation Jeroen Massar Security, DDoS and AntiSpam How to secure the Internet outside of the bunkers inside the Swiss Alps IBM Research –
Andrei Robachevsky, Shane Kerr. APNIC/APRICOT2001, February 2001, Kuala Lumpur, Malaysia. 1 Routing Registry Consistency Check Presented.

Andrei Robachevsky, Shane Kerr. APNIC/APRICOT2001, February 2001, Kuala Lumpur, Malaysia. 1 Routing Registry Consistency Check Presented.
1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
The Resource Public Key Infrastructure Geoff Huston APNIC.

The Resource Public Key Infrastructure Geoff Huston APNIC.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.

Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.

Similar presentations

Ads by Google