Accepted Presentations

Keynotes

Digital Sovereignty: The probable future of (our) Internet

  • Afzal Abdul Rahim

The Intelligent Internet of Things for Sustainable Development Goals

  • Mona Jaber

The RIR Social Contract

  • Randy Bush

Digital Sovereignty: The probable future of (our) Internet

As network operators continue to be disintermediated in what has been accepted as the 'natural' evolution of the global internet, it is perhaps timely to consider the potentially irreversible effects of such changes.

This session seeks to outline the probable pathways of the role of network operators and their eroding influence on the global network they administer.

The Intelligent Internet of Things for Sustainable Development Goals

In 2015, the United Nations drafted an agenda for 2030 to achieve sustainable development by defining 17 goals (SDG) that demand an urgent call for action requiring collaboration and innovation across countries and organisations. Given the alarming lack of progress today with less time left to achieve these goals, we investigate the role of digital technology in accelerating this process. This talk will discuss the opportunities offered by the rise of the Internet of Things (IoT) and advances in machine learning (ML) in ushering these goals based on an Intelligent Transportation use case. The talk will also expose the challenges that emerge from applying these technologies in the realisation of SDGs with underline risks related to conflicting goals and the limitations of silo approaches.

Conference

A Brief History of the Internet's Biggest BGP Incidents

  • Doug Madory

A Feasibility Study of RPKI ROV Enforcement at Dataplane in IXP

  • Aris Cahyadi Risdianto

A System to Detect Forged-Origin Hijacks

  • Thomas Holterbach

BGP and RPKI Monitoring

  • Massimo Candela

BGP in 2023

  • Geoff Huston

Building a Digital Twin from your Source of Truth

  • Tim Raphael

Can we make IPv6-only a reality now?

  • Xing Li

Case Study: Deploying Grafana as a unifying monitoring system

  • Abu Sufian

Coherent optical transceivers - current capabilities and future possibilities

  • Thomas Weible

Developing a Collaborative BGP Routing Analyzing and Diagnosing Platform

  • Changqing An

Distributed latency monitoring

  • Anurag Bhatia

IETF Roundup

  • Dhruv Dhody

IOS upgrade using network automation tools

  • Batmagnai Erdene

Indexing South East Asia's Internet Resilience

  • Robbie Mitchell

IoT Devices Leveraged in Cyber Attacks and How Botnets are Created and Used: Findings through JPCERT/CC's Coordination

  • Shoko Nakai

Minimising Impact When Incident Occur with RIPE Atlas and RIS

  • Lia Hestina

Networking in the Penumbra

  • Geoff Huston

Open Source Lawful Interception for Mobile Networks

  • Richard Nelson
  • Shane Alcock

Open source IP blacklist checker tool

  • Dashzeveg Baatartsogt

QoS/Traffic Management challenge for AI/ML network

  • Shishio Tsuchiya

SCION: Secure Path-Aware Internet Routing

  • Kevin Meynell

SRv6 NEXT-C-SID uSID

  • Clarence Filsfils

SRv6 Updates and SRv6 Compression (REPLACE-C-SID)

  • Zhenbin Li

Segment Routing Deployments and Demonstrations at Interop Tokyo ShowNet

  • Teppei Kamata

Solve geolocation issues with RFC9092

  • Massimo Candela

Strengthening API Security in network operators

  • Yin Chao

The New World of Satellite Networking

  • Rishabh Tarte

A Brief History of the Internet's Biggest BGP Incidents

Stretching back to the AS7007 leak of 1997, this talk covers the most notable and significant BGP incidents in the history of the internet, from traffic-disrupting leaks to recent crypto-stealing hijacks. Using this historical perspective, we explore the questions: what progress has been made and what is the path to finally securing BGP?

A Feasibility Study of RPKI ROV Enforcement at Dataplane in IXP

This presentation will discuss some limitations of RPKI deployment from security enforcement and performance perspectives, and possible solutions to deploy RPKI in the IXP. However, IXP should be able to enhance its capability of enforcing ROV by applying softwarized control methods for IXP Fabric. Using concepts such as SDN, we propose an alternative IXP deployment with a BGP ROV enforcement mechanism in the IXP data plane. The IXP control application built into the SDN controller is capable of investigating received route information and aims to support hybrid SDN environments and help non-SDN BGP neighbors to get only trusted routes. The proof-of-concept development is deployed on a testbed running over Research and Education Networks (RENs). Based on our testing and analysis, our proposed method can detect and stop legitimate traffic from being redirected to attackers, but only for directly connected IXP members.

A System to Detect Forged-Origin Hijacks

Despite global efforts to secure Internet routing, attackers still successfully exploit the lack of strong BGP security mechanisms. This paper focuses on an attack vector that is frequently used: Forged-origin hijacks, a type of BGP hijack where the attacker manipulates the AS path to make it immune to RPKI-ROV filters and appear as legitimate routing updates from a BGP monitoring standpoint. Our contribution is DFOH, a system that quickly and consistently detects forged origin hijacks in the whole Internet. Detecting forged-origin hijacks boils down to inferring whether the AS path in a BGP route is legitimate or has been manipulated. We demonstrate that current state-of-art approaches to detect BGP anomalies are insufficient to deal with forged-origin hijacks. We identify the key properties that make the inference of forged AS paths challenging, and design DFOH to be robust against real-world factors (e.g., data biases). Our inference pipeline includes two key ingredients: (i) a set of strategically selected features, and (ii) a training scheme adapted to topological biases. DFOH detects 90.9% of the forged-origin hijacks within only ~5min. In addition, it only reports ~17.5 suspicious cases every day for the whole Internet, a small number that allows operators to investigate the reported cases and take countermeasures.

BGP and RPKI Monitoring

Providing easy-to-use tools for monitoring the correctness of BGP and RPKI is a key operation in improving the stability of the global Internet. While the adoption of RPKI increased, many operators are still lacking basic monitoring. A considerable percentage of ASes announce RPKI invalids every day and are slow in realizing it. In this presentation we will see BGPalerter, an open-source monitoring tool trusted by many ISPs worldwide. At the end of the presentation, you will be able to monitor for hijacks, visibility loss, leaks, RPKI invalid announcements, and RPKI misconfigurations. Additionally, I will show you a list of malfunctions detected by RPKI monitoring that affected the RPKI Trust Anchors over the past 4 years.

BGP in 2023

The BGP routing table can tell us a lot about the dynamics of the Internet. Not only is this related to the size of memory needed to store the routing tables, but the rates of growth can tell us about the dynamics of network growth and the relative level of network growth in IPv6 as compared to IPv4. The dynamics of network convergence can also tell us how the BGP routing infrastructure is coping with scaling pressures. In this presentation we will look closely at the BGP routing table across 2023, and make some predictions as to its likely size and dynamic properties in the coming five years.

Building a Digital Twin from your Source of Truth

This talk will demonstrate the power of harnessing a reliable Source of Truth for replicating a production network as a "Digital Twin". With a Digital Twin, you can proof-of-concept, test and validate network upgrades, migrations and changes with real-world accuracy using all the same tooling you use on a production network. We'll show how Containerlab can be integrated with Netbox for the creation of Digital Twin networks in the lab.

Can we make IPv6-only a reality now?

We are trying to enhance monitoring capabilities by integrating Usage and Latency datasets from diverse sources, combining them to one single platform for facilitating robust Capacity Planning and Performance Analytics. This strategic move allows for optimized resource utilization and proactive issue resolution. Simultaneously, we introduce an innovative solution for historical usage analysis of Mikrotik PPPoE interfaces through Zabbix and Grafana, promoting a more insightful and user-friendly interface.

Case Study: Deploying Grafana as a unifying monitoring system

We are trying to enhance monitoring capabilities by integrating Usage and Latency datasets from diverse sources, combining them to one single platform for facilitating robust Capacity Planning and Performance Analytics. This strategic move allows for optimized resource utilization and proactive issue resolution. Simultaneously, we introduce an innovative solution for historical usage analysis of Mikrotik PPPoE interfaces through Zabbix and Grafana, promoting a more insightful and user-friendly interface.

Coherent optical transceivers - current capabilities and future possibilities

With the speed of 400G, coherent technology was introduced to pluggable optical transceivers (OIF 400ZR and OpenZR+). This technology is complex and powerful for your network; it even has influence on your network device operating system.

This talk will provide first insight in Nokia's implementation as well as known or potential interoperability issues addressed by the OIForum. If your transport system, router or even switch already provides coherent pluggable transceivers check the available interface parameters.

And finally new form factors for 800G and 1,6T will be part of the game as well. Stay tuned....

Developing a Collaborative BGP Routing Analyzing and Diagnosing Platform

BGP is one of the foundational infrastructures that enable the functioning of the Internet. This project, funded by APNIC Foundation, aims to create a collaborative platform for BGP routing services. It's a result of joint efforts from 19 countries/economies. This presentation will outline the primary objectives and functionalities achieved in the project, including BGP prefix hijack detection, route path hijack detection, and increased event accuracy through data-plane detection. The platform ensures swift response times, sends event warnings via email, assesses the severity of events, and provides event replay capabilities, all designed to assist network operators effectively. Additionally, the platform has developed various tools useful for network operators to monitor the network. We anticipate that this presentation will gather feedback and foster collaborations with additional communities. You can access the system through the following URL: https://bgpwatch.cgtf.net/

Distributed latency monitoring

This presentation talks about the journey of going from Smokeping to Prometheus+Blackbox exporter+Grafana for a modern latency monitoring stack, along with the use of RIPE Atlas measurement data within the same stack.

IETF Roundup

The Internet Engineering Task Force is a standards organization for the Internet and is responsible for the technical standards that comprise the Internet protocol suite. This session will give a roundup of the latest updates from the IETF 118 including new working groups, hot topics etc. It will also notify the audience about key topics for IETF 119 in Brisbane.

IOS upgrade using network automation tools

Our network automation experience:
  • No dedicated engineer appointed on this work
  • Planned to perform the OS upgrades for 20 devices per night, but it was possible to upgrade more than 20 devices per night
  • Saved a lot of time
  • NOC engineers on a night shift monitored the work progress
  • No manual work
  • Network engineers learnt the Python programming language
  • Learned new automation technologies: Ansible, Docker, Gitlab CI/CD Pipeline, etc.
  • Before-and-after results comparison completed with Python, MySQL and Grafana

Indexing South East Asia's Internet Resilience

A resilient Internet connection is one that maintains an acceptable level of service in the face of faults and challenges to normal operation. While most network operators implement monitoring systems to measure the performance and reliability of their networks, understanding what's happening upstream is equally important. Given the global nature of your business and the Internet, this involves knowing that the networks you're peering with and the routes you're taking are resilient as well as the Internet ecosystem of countries they reside in. In this presentation, we will review the Internet resilience of South East Asia to highlight the successes and weaknesses that we can learn from and improve.

IoT Devices Leveraged in Cyber Attacks and How Botnets are Created and Used: Findings through JPCERT/CC's Coordination

It has been several years since Mirai, malware that infects IoT devices, appeared. Observation data from TSUBAME, an Internet threat monitoring system operated by JPCERT/CC, shows that variants of Mirai and other types of malware have been used since then, making the situation surrounding IoT devices even worse. Receiving incident reports from ISPs and Internet users, JPCERT/CC conducts assessments, investigations, and coordination, and a number of malware-infected routers, security cameras, DVRs, and other devices are identified on a daily basis.

To infect IoT devices with such malware, attackers first compromise them, and targeting the Web-UI authentication with its default setting or bypassing authentication by exploiting vulnerabilities are the commonly used methods. After breaking into the targeted device, the attacker injects the malware into the device. Through our investigation, we have learned that DDNS services for IoT devices are exploited for malware infection in some cases.

When businesses use IoT devices for security reasons, such as surveillance cameras, they need to remotely monitor and check the status of the devices, and for that purpose, DDNS service is enabled. In such cases, attackers may compromise the DDNS service setting and make the devices connect to a server managed by them. Furthermore, we have newly found cases where the domain names designated by manufacturers for their DDNS services are not properly managed due to the discontinuation of the businesses. In such cases, we cannot rule out the possibility that attackers hijack the domains.

In this presentation, I will describe the current situation of Mirai and recent other types of malware infecting IoT devices, sharing actual incident cases. In addition, I will also discuss how we could address the issue of such ever-expanding botnets for future.

Minimising Impact When Incident Occur with RIPE Atlas and RIS

In this presentation I will outline how network operators can proactively minimise the impact of incidents through strategic preparations and swift responses, utilising RIPE Atlas and RIS data.

The first focus is on gearing up before incidents occur, where RIPE Atlas and RIS data play an important role. These tools help operators to analyse network behaviour, identify vulnerabilities, and optimize infrastructure. Through specific use cases and best practices, operators can integrate these resources into their preparations before incidents happen.

The next step is the importance of taking swift and informed action during incidents. Features and methodologies are introduced for real-time measurement, result display, and data gathering. By leveraging insights from RIPE Atlas and RIS, operators can pinpoint incident occurrences, understand their scope, and initiate immediate actions for debugging or transparent communication of network performance to customers.

This integrated approach will help strengthen network resilience and also enable operators to maintain optimal performance standards, ensuring a robust and responsive network performance even in the face of unforeseen incidents.

Networking in the Penumbra

The last decade has seen a dramatic rise in the level of mutual distrust between network carriage service providers and network application services. The response has been to progressively shift user traffic into encrypted communication modes. This presentation explores this theme and looks at how today's application environment is attempting to conceal user transactions from the underlying network, and what this means to network operators.

Open Source Lawful Interception for Mobile Networks

Lawful Interception allows Law Enforcement Agencies to legally receive private customer communications from a network operator as an aid to investigating serious crimes. Lawful interception is a legally-mandated obligation for network operators in many countries and failure to comply can result in severe penalties.

In New Zealand a change in the legal requirements resulted in many network operators collaborating to fund an Open Source Lawful Interception system resulting in the OpenLI project. This system is now in regular use in NZ and other countries. OpenLI currently supports IP data and VoIP intercepts.

In 2023 the OpenLI project received an ISIF Asia grant to support LI in the Pacific Islands. The first stage of this grant was to review the requirements for LI in the region. We have found that almost all Pacific Island economies have some legislation enabling the use of LI. Some have recently added a requirement for real-time interception. However at this stage no Island nation has gotten to the stage of enacting regulations and gaining Law Enforcement support for formal LI deployment. A second observation was that Mobile Network support is critical if OpenLI is ever to be any use in the Pacific due to the prevalence of mobile networks compared with fixed line broadband.

In this case, the most appropriate initial target is support for 4G networks so the OpenLI project is now adding support for 4G mobile networks to the software. This work includes completing support for intercepting GTP tunnels using all mobile identifiers as well as adding encoding for SMS and Location data. The presentation will show the up to date progress at the APRICOT meeting.

We are keen to talk to any interested mobile operators to aid in refining the requirements and testing the software.

Open source IP blacklist checker tool

We developed an open-source IP blacklist checker tool and researched some statistics using this tool. The presentation describes our basic goals and shows some demos.

Why are we presenting this at APRICOT?

  1. According to our research: About 40% of all addresses are included in the blacklist, which made some people understand that our country needs to pay attention to this issue. We want to bring it to more people.
  2. We would like to receive feedback from other Engineers involved in APRICOT to improve our solution.

QoS/Traffic Management challenge for AI/ML network

AI/ML is one of the trending topics of today. There are some exciting techniques in network infrastructure. But the technology is a patchwork of legacy QoS architecture. To support 1 million GPU traffic, ultra ethernet new algorithm for traffic management.

The presentation shares some of the legacy QoS technology from the past evolution of infrastructure like integrated Voice and Video. I hope it will help in understanding traffic management when the new architecture of ultra ethernet comes.

SCION: Secure Path-Aware Internet Routing

SCION is a secure path-aware Internet architecture, designed to achieve high resilience to routing attacks and path selection for Internet users and operators with safety critical traffic such as in the financial, healthcare and power sectors. RPKI/ROV is useful for origin validation but does not validate paths, ASPA is still an experimental technology, whilst BGPSEC has yet to be widely deployed and needs explicit router support along a path to achieve the full benefits.

SCION has commercial and open-source implementations and is in production use by the financial services industry in Switzerland and internationally, including Korea, Singapore and the US. This includes the SCION Research & Education Network (SCIERA) with connections to NUS and KISTI.

This talk will discuss the SCION design and architecture, its trust model, and how it can be deployed. It will also discuss the IETF/IRTF work, and the community efforts supported by the SCION Association to encourage further deployment and development.

SRv6 NEXT-C-SID uSID

SRv6 NEXT-C-SID (a.k.a. SRv6 uSID) is an integrated solution that includes the service creation, the measurement, and the analytics. It can deliver any kind of service (VPN, TE, FRR, NFV) end-to-end across the various network segments (Access, Metro, Core, DC, NFV, Cloud, Host) without any shim layer. Hence, the operator would no longer need either MPLS or VxLAN. By removing the shim layers, SRv6 provides better scale, better reliability, lower cost, and seamless deployment in brownfield networks.

The SRv6 solution is fully standardized at IETF. It has more than 9 RFCs that cover the Architecture, Data Plane, Control Plane, and Operation & Management (OAM) of the solution. It enjoys a very rich ecosystem that includes network vendors, merchant silicon, open-source, and operators. All the key network vendors participated in the SRv6 NEXT-C-SID interop testing at EANTC 2023.

In addition to SRv6 benefits in terms of service creation, the native integration of the measurement capabilities makes it a unique solution. The Integrated Performance Measurements (IPM) solution delivers Latency, Loss, and Liveness measurements required for End-to-End assurance. It leverages the native HW capabilities to generate and ingest the measurement probe packets at a very high rate, eliminating the need for external probing appliances. In addition, the IPM measurements are correlated with the routing information to deliver routing-correlated analytics. This enables new use cases, such as post-mortem and AI-powered analytics.

In this session, we will update the audience about the SRv6 NEXT-C-SID and IPM solution.

SRv6 Updates and SRv6 Compression (REPLACE-C-SID)

SRv6 has been widely deployed all over the world. It also introduces challenges of the SRv6 packet header, and SRv6 compression technologies were developed. The presentation introduces the SRv6 compression technology, C-SID REPLACE flavor (i.e. G-SRv6) and its deployment in CMCC, MTN and Asiacell.

Segment Routing Deployments and Demonstrations at Interop Tokyo ShowNet

This talk introduces deployments and demonstrations of Segment Routing at Interop Tokyo ShowNet, sharing lessons learned through them. Interop Tokyo is the largest annual exhibition of Internet technologies in Japan, and ShowNet (AS290) is a large demonstration network built at Interop Tokyo. We, ShowNet NOC Team, have deployed SR in ShowNet since 2018, as part of various interop tests and demonstrations. From those demonstrations, we introduce three topics: SRv6-based Service Chaining in 2019, measuring the Internet with BGP Egress Peer Engineering in 2021, and deploying SRv6 in ShowNet Backbone from 2021 to 2023.

Solve geolocation issues with RFC9092

Two years ago we introduced RFC9092, which gives back to the network operators the power to be authoritative about the geolocation of their IP resources by linking geofeed files in whois. This solution reached great support and adoption, both by geolocation/content providers and by operators. In this presentation, I will provide numbers about the adoption of RFC9092 (including numbers specific to the APNIC region), and explain how operators can use it to correct their geolocation automatically. I will explain how it compares to the other geolocation hints in whois. Finally, I will provide a tool that the operators can use to correct their geolocation.

Strengthening API Security in network operators

It is no surprise that API adoption is growing rapidly in network operators. The reality is that new business innovation and services are powered by APIs. But the rush to innovate is leaving security teams struggling to understand the very real security risks that APIs pose. Today, APIs carry vast amounts of data and are increasingly targets in data breaches.

This talk delves into common API security concerns and the importance of API Discovery. It highlights the key needs for an API security tool to detect API abuses and the importance of having a data lake for threat hunting.

The New World of Satellite Networking

The presentation delves into the comprehensive realm of satellite technology, exploring key concepts such as orbits, footprint, bands, and the fundamentals that govern satellites. With a particular emphasis on Low Earth Orbit (LEO) satellites, the presentation addresses the question of "Why Leo?" by elucidating the advantages and distinctive features that make LEO satellites a preferred choice in the contemporary space landscape. The audience is guided through the intricate workings of satellite systems, examining their segmented structure and the diverse range of services they offer. A comparative analysis between traditional networks and Inter-Satellite Link (ISL) based links sheds light on the evolving landscape of satellite communication. The integration of satellite technology with 5G and its implications on backhaul architectures is explored, showcasing the synergies between space-based and terrestrial networks. As the presentation unfolds, key takeaways and practical use cases are presented, providing valuable insights for both enthusiasts and industry professionals. The overarching narrative underscores the pivotal role of satellites in shaping the future of communication, emphasizing their adaptability and integration with emerging technologies like 5G. Additionally, the presentation talks about the best practices of traditional IP networks that are important and crucial in satellite networking as well. This exploration of satellite fundamentals serves as a foundation for understanding the evolving landscape of space-based communication networks and their pivotal role in modern telecommunications.

Peering Forum


A Close Look at Remote Peering

  • Marinho Barcellos

Internet Landscape in Thailand

  • Kittinan Sriprasert

Peering LAN Security at IXPs Revisited

  • Greg Hankins

Role of a Peering Manager

  • Achie Atienza

Sustainability of community-driven IXP

  • Paul Ooi Cong Jen

A Close Look at Remote Peering

Internet eXchange Points (IXPs) have significantly transformed the structure and economics of the Internet by allowing nearby networks to connect directly, avoiding transit providers. In addition, some IXPs have become quite large, which made them especially attractive, even to networks far away. The access to distant IXPs is known as remote peering (RP) and typically involves the use of resellers. In this talk, I will share insights about remote peering based on experience gained with four years of research on the topic. I will comment on the implications of remote peering to Internet routing, compare remote peering and its alternatives in terms of performance & robustness, and list associated best practices.

Peering LAN Security at IXPs Revisited

It's been a while since peering LAN security at IXPs has been a hot topic in the peering community. BCPs and standards were written that are widely implemented at IXPs now. We analyzed DE-CIX peering LAN traffic, and found that a lot more needs to be done to make peering LANs more secure. We'll look at some things that are working and aren't working, and we'll suggest some next steps to make peering more secure.

Role of a Peering Manager

Peering is an essential part of the Internet Ecosystem.

But besides the infrastructure that provides connectivity and access, there is an equally important element that keeps it running - that is the "People Network".

This Presentation provides information about the essential role of a Peering Manager. It covers the what, who, why, where, when and how of the Peering Ecosystem that is the backend function of good connectivity.

Sustainability of community-driven IXP

The research study aims to investigate and enhance the resilience, sustainability, and competitiveness of community-driven and operated Internet Exchange Points (IXPs). Commercially-run IXPs tend to have greater access to capital and business development resources and are run to generate profits for their owners.

In contrast, community-run IXPs are generally run on a cost-recovery basis, have limited access to capital and any surplus is typically used to develop the IXP or its associated community further.

Tutorials

AI network infrastructure design

  • Shishio Tsuchiya

Comparison of SDN's Southbound Interface (SBI) protocols

  • Dhruv Dhody

Git for network engineers

  • Philip Paeps

Instrumenting your DNS with DSC and friends

  • Phil Regnauld

Let's Encrypt: Automate all the things!

  • Philip Paeps

MMIX's VXLAN Deployment

  • Thein Myint Khine

SRv6 Introduction

  • Jakub Horn

Segment routing: a tutorial

  • Paresh Khatri

AI network infrastructure design

AI/ML is needed in all industries, and its applications are expected to continue to expand and network traffic to grow.

This tutorial will share the basic dynamics of AI workloads, InfiniBand, Ethernet fabric features and design, and the purpose of Ultra Ethernet and others.

Comparison of SDN's Southbound Interface (SBI) protocols

This tutorial will go over the popular SDN SBI protocols (BGP, PCEP, YANG-based NETCONF/RESTCONF) in use in the current SDN controllers. It will discuss and compare them on various factors and how each of them fares in terms of applicability to key use cases.

Git for network engineers

Why should network engineers learn Git?

Computers are a lot better at remembering things than humans. With good revision control hygiene, you can easily revert configurations to a known working state. You can also review changes before breaking your network.

Git is a popular revision control system used by software engineers and systems people. This presentation highlights some of the ways it can be used effectively by network engineers too.

Instrumenting your DNS with DSC and friends

Aimed towards intermediate systems and network engineers tasked with operating DNS authoritative nameservers (and recursive as well), this tutorial will introduce participants to DSC, the DNS Statistics Collector.

DSC is a set of tools for collecting and aggregating DNS data collected at, or near, a DNS nameserver.

We'll first talk a little bit about the demands of modern DNS, and how security improvements such as DNSSEC have placed additional expectations of correctness, synchronization and availability on one's DNS infrastructure.

We'll then proceed to show how to deploy DSC in a virtual environment, covering aspects such as:

  • software environment
  • storage requirements
  • data collection points

We'll also talk about the different ways in which data can be collected for use by DSC, including dnscap and using span (mirror) ports for collecting DNS data at the network level.

We'll continue with examples on producing Grafana dashboards to display and organize the collected data, and how to explore the output.

Along the way, we'll also be mentioning some useful tools and techniques for monitoring availability and response time for nameservers, and the data they serve, and other performance testing tools such as dnsperf.

Let's Encrypt: Automate all the things!

The days of cleartext communication are over. We live in an age where everything needs to be encrypted. A popular solution is to 'rent' integers from well-known for-profit certification authorities, one year at a time. And then forget to renew your certificates every year.

Anything that is done 'annually' ends up being done 'manually'. Learn how to use short-lived Let's Encrypt certificates to secure your infrastructure ... and add some useful automation because you have to.

This lively tutorial goes into a bit of background about certification authorities but most of the time is spent showing a real-world demo of automated issuing of Let's Encrypt certificates with DNS verification.

MMIX's VXLAN Deployment

MMIX shares its experience and the issues encountered when deploying VXLAN EVPN BGP. This includes the concept of BGP routing, route import/export issues, other unexpected issues, and how to solve them. It also includes detailed configuration of both Layer 2 and Layer 3 over EVPN BGP.

Segment routing: a tutorial

Segment Routing is an interesting paradigm shift in routing that allows source nodes to steer a packet along an explicit route using information attached to the packet and without the need for per-path state information to be held at transit nodes.

Such a capability is of particular importance when considering SDN approaches which decouple the control plane and data plane, allowing centralised computation of optimal paths which can then be pushed down to source nodes to achieve desired traffic flow steering.

In this technology tutorial, we cover the following:

  • an introduction to the technology of segment routing: terminology, concepts and data plane behaviour
  • a discussion of the most common use cases of segment routing
  • an overview of the protocol extensions to enable segment routing
  • the use of Segment Routing to provide better IP Fast Reroute coverage
  • the use of Segment Routing with Seamless MPLS

BoFs

Leveraging Shadowserver and other "Cyber Civil Defense" Tools

  • Barry Greene

Open Source in the Asia-Pacific Region

  • Martin Winter

Leveraging Shadowserver and other "Cyber Civil Defense" Tools

This is a BOF for all those using, trying to use, or with no idea of Shadowserver's benefits.

Shadowserver is one of the best tools to help organizations secure their network. The reports are free with two decades of trust in the community.

We will have a short "ops review" session (see below) to help everyone check their Shadowserver access. We'll then get into use cases and a discussion in which everyone shares how they can benefit.

Short Briefing Agenda:

Shadowserver's Public Benefit Mission has not changed! Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity, and emerging threats. We promote a culture of sharing, equip organizations to improve their security, support criminal investigations, help protect victims, and offer free remediation reports.

What would we cover in the session?

We will start with the essential network and domain data to ensure Shadowserver can deliver all the threat intel to your organization.

  • Update all the network/domain information to provide richer threat intelligence effectively.
  • Walk through the new delivery capabilities for API and Common Event Format (CEF).
  • Explore Shadowserver's Dashboard - sponsored by the UK FCDO - that is now a benefit to the community.
  • Highlight Shadowserver's update rhythm of action with rapid report scanning on the 'hot' threat vectors.
  • Commission Services. Shadowserver's non-profit-public-benefit structure allows organizations to 'invest' in new capabilities and capacities that solve industry-wide security/resiliency risks.
  • Idea Factory - There are many ways to leverage Shadowserver in our joint mission to bring Digital Safety to the Internet.

Open Source in the Asia-Pacific Region

Most Open Source contributions, and most feedback on using Open Source, come from America and Europe. Only a few countries in APAC are regularly seen in the Open Source Community. This session aims to discuss the issue and how to improve this. What would the Open Source Community need to do better or differently? Why are countries with lots of money using more Open Source than countries that are more constrained?