The NANOG 83 meeting took place earlier this month. Excluding the hackathon, it was approximately five hours of content each day for three days. Slide decks for all the talks are on the meeting page already and the videos are on the TeamNANOG YouTube channel. This is a very brief, likely imperfect summary of the technical talks from the meeting.
Day 1
Famous Internet Outages
Avi Freedman, Doug Madory, Jared Mauch, John Kristoff (moderator)
Yours truly moderated a discussion on some famous Internet outages,
including an uncensored look back at the AS 7007 incident by Avi and a
retrospective on how ISPs responded to SQL Slammer by Jared. Doug
provided some context and insight into the modern phenomenon of “Internet
shutdowns”, which have risen markedly since the Egyptian protests in early
2011.
Day 2
Who Really Controls the Internet?
Bert Hubert
A spirited keynote from the founder of PowerDNS. He runs through the
usual and some not-so-usual culprits that undermine much of the spirit
of Internet communications. He examines how software vendors, hardware
makers, governments, and even individuals make choices that often
surreptitiously, but also occasionally unwittingly exert their power to
steer how the Internet works to their advantage.
ARIN Update
John Curran
A brief update on a handful of technical and policy changes made over
the past year or so at the RIR. This includes some fee “harmonization”
and the introduction of a premium support option for large customers. On
the technical front, the non-authenticated IRR is shutting down in
March, some requested features to the IRR and RPKI interface are being
introduced, and ARIN online authentication gets some enhancements that
track some of the latest NIST recommendations.
IRR Spring Cleaning
Brad Gorman
Brad went into more detail with the ARIN IRR following John’s
introduction. A more thorough overview of the system and some
additional detail on decommissioning the non-authenticated IRR was
covered.
Courageous Women of NANOG
Jezzibell Gilmore
In the wake of Susan Forney, a NANOG board member who passed away since
the last meeting, Jezzibell celebrated the many accomplished women that
have been involved with NANOG and encouraged the next generation of women
to take part and get involved.
Deeper Peering
Guy Tal
Lumen is updating its connectivity and peering strategy with the aim of
better interconnecting into secondary and tertiary metro markets. They are
modernizing their interconnects to reduce reliance on the big markets
such as NYC, LA, and Chicago. This is leading to changes in the peering
requirements, but it isn’t clear if there are going to be any immediate
or short-term depeering events due to this change in strategy.
[Editor’s note: Guy, after seeing the initial version of this summary
clarifies: “I’d have said that I was highlighting how our networks
haven’t adapted to our customers' needs over the last decade+ and after
showcasing the logic behind our policy change, what we are doing about
it. Also, I believe I answered twice in the Q&A that we’re not out to
depeer anyone, we’re fostering deeper network to network interconnection
for the benefit of the entire internet.”]
Next-Gen Firewall Automation
Kenneth Celenza
Ken is working on a tool set integrated with Nautobot, a Netbox-derived
automation platform. One plug-in, an application dictionary, aims to help
ease the management of network firewall rule sets by managing the complex
relationships of applications and policies using a Nautobot source of
truth repository.
Should Network Operators Hop on the Data Plane
Max Resing
Max, a student at the University of Twente, shares his experience
evaluating the differences a honeypot sees on different types of
networks (e.g. hosting providers versus residential cable modem
networks). He specifically compares against the heavily hosting-based
infrastructure used by my project, Dataplane.org. He finds distinct
differences in what sensors see between the different network types.
This work is based on his bachelor thesis of the same name.
AnyOpt: Predicting and Optimizing IP Anycast Performance
Xiao Zhang
This talk is based on a recent measurement research paper that tries to
optimize anycast service deployment by taking pairwise performance
samples between sites peered with tier 1 networks. They discover the
optimal “catchment” of BGP announcements that perform better than more
naive deployment strategies.
Integrated Public Alert and Warning System (IPAWS)
May Wu
An engineering staff member with FEMA presented an overview of the U.S.
public warning system familiar to those that have gotten regional and
national alerts through their mobile phones and broadband TV. As use
and reliance on the Internet continues to grow, FEMA is increasingly looking
for ways to integrate warning systems into the Internet era,
particularly with streaming audio and video services that are not
required to incorporate warnings and alerts into their broadcasts.
The Hijackers Guide to the Galaxy: Off-path Taking Over Internet Resources
Tianxiang Dai
A group of researchers examined dependencies in core protocols such as
BGP, DNS, and the RPKI that may lead to the hijacking of Internet
resources maintained by RIRs. For instance, a brief BGP sub-prefix
hijacking attack could be performed when an RIR account password reset
is requested. Without additional verification, a change password URL
may be delivered to the hijacker, who might then take over the attacked
RIR account. This is based on their recent USENIX Security paper of the
same name.
Demystify Quantum Key Distribution
Melchior Aelmans
This talk gave an overview of how quantum theory concepts are being
applied to the field of computer networking. The main thrust of the
talk then went on to focus on Quantum Key Distribution (QKD). That is,
distribution of keys over photons. This distinction is important as it
is much less exotic than it may first sound. Experiments have been
conducted that implement QKD for many years, but it may still be a few
years before you start to see QKD protocols showing up in your routers.
Predictive Internet
JP Vasseur
This lightning talk argued for an Internet architecture designed to be
more predictive of faults, peaks, loss, and other varieties of behavior
that operators might otherwise only address reactively. Enabling the
Internet to learn seems to be the goal, but at least this audience member
found answers to basic questions such as why, how, and when left
unanswered.
Day 3
IPv6 - The Next 10 Years
John Jason Brzozowski
JJB was invited to give a keynote on IPv6 in part because of his well-known
success in deploying IPv6 at Comcast, which avoided spending a fortune on
acquiring more and more IPv4 address blocks from a rapidly diminishing
pool at an ever-increasing cost. He made the point multiple times that the
religious arguments over IPv4 and IPv6 are largely irrelevant and
uninteresting. That is, it has made good economic business sense to deploy
IPv6 for those that need addresses. A long thread on the expansion of the
IPv4 free pool from previously special-use blocks may suggest the converse
is also true for those in the market to make money from selling scarce
IPv4 resources.
Operational Implications of IPv6 Packets with Header Extensions
Fernando Gont
Fernando gave a brief overview of work examining the challenges to
performance and security when packet forwarding devices (e.g. routers,
firewalls) have to process, sometimes complex, IPv6 extension headers.
A number of good IETF references on the subject where this work has
taken place include IETF RFC 9098 - Operational Implications of IPv6
Packets with Extension Headers and IETF RFC 7872 - Observations on the
Dropping of Packets with IPv6 Extension Headers in the Real World.
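To make the operational cost concrete, here is an added example (my own code, not from Fernando's talk or the RFCs it cites) that walks an IPv6 extension header chain the way a filtering device has to before it can match on transport ports. It handles the fixed-size Fragment header, the 4-octet-unit length encoding of AH, and the 8-octet-unit encoding of the other headers, and it gives up on non-first fragments, truncated packets, and chains longer than an assumed policy limit. The sample packets are constructed with RFC 3849 documentation addresses; the limit of eight headers is a choice made for this example, not an RFC value.

```python
# Added example (not code from the talk or the RFCs it cites): walking an
# IPv6 extension header chain to find the transport header, the step a
# filtering device must perform before it can match on ports. Sample packets
# are constructed below with RFC 3849 documentation addresses.
import struct
from typing import Optional, Tuple

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, NO_NEXT = 0, 43, 44, 51, 60, 59
TCP, UDP = 6, 17
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
MAX_EXT_HEADERS = 8   # policy limit chosen for this example, not an RFC value

def find_upper_layer(pkt: bytes) -> Tuple[Optional[int], Optional[int], str]:
    """Return (protocol, offset of the upper-layer header, reason).
    protocol/offset are None when the chain cannot be followed to its end."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None, None, "not an IPv6 packet"
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if len(pkt) < 40 + payload_len:
        return None, None, "truncated packet"
    nh, off, count = pkt[6], 40, 0
    while nh in EXT_HEADERS:
        count += 1
        if count > MAX_EXT_HEADERS:
            return None, None, "extension header chain too long"
        if off + 8 > len(pkt):
            return None, None, "truncated extension header"
        next_nh = pkt[off]
        if nh == FRAGMENT:
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return None, None, "non-first fragment: no upper-layer header"
            hdr_len = 8                       # fragment header is fixed size
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4  # RFC 4302: 32-bit words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # RFC 8200: 8-octet units minus 1
        nh, off = next_nh, off + hdr_len
    if off > len(pkt):
        return None, None, "chain runs past end of packet"
    if nh == NO_NEXT:
        return NO_NEXT, off, "no upper-layer header"
    return nh, off, "ok"

def transport_ports(pkt: bytes) -> Optional[Tuple[int, int]]:
    """Ports an ACL would match on, or None if they cannot be located."""
    proto, off, _ = find_upper_layer(pkt)
    if proto in (TCP, UDP) and off is not None and off + 4 <= len(pkt):
        return struct.unpack("!HH", pkt[off:off + 4])
    return None

# --- constructed sample packets ----------------------------------------
def ipv6_header(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

def options_header(next_header: int) -> bytes:
    """Minimal 8-byte Hop-by-Hop or Destination Options header (one PadN)."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])

def fragment_header(next_header: int, frag_off: int, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, frag_off << 3, ident)

TCP_STUB = struct.pack("!HH", 443, 51000) + b"\x00" * 16   # only the ports matter here

PKT_PLAIN = ipv6_header(TCP, TCP_STUB)
PKT_CHAIN = ipv6_header(HOP_BY_HOP, options_header(DEST_OPTS) + options_header(TCP) + TCP_STUB)
PKT_FRAG2 = ipv6_header(FRAGMENT, fragment_header(TCP, 185, 0x1234) + b"\x00" * 8)
PKT_LONG = ipv6_header(DEST_OPTS, options_header(DEST_OPTS) * 9 + options_header(TCP) + TCP_STUB)

if __name__ == "__main__":
    for name, pkt in [("plain", PKT_PLAIN), ("chain", PKT_CHAIN),
                      ("frag2", PKT_FRAG2), ("long", PKT_LONG)]:
        print(name, find_upper_layer(pkt), transport_ports(pkt))
```

The three failure cases are the ones RFC 9098 discusses in operational terms: a device that cannot locate the transport header has to either drop the packet or pass it unmatched, and a chain that is long or fragmented forces that decision.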
Improving the Reaction of Customer Edge Routers to IPv6 Renumbering Events
Fernando Gont
Another short talk by Fernando, this time about what is likely a fairly
limited, but perhaps important, issue where IPv6 is widely deployed in
places such as cable modem networks. What happens when customer premise
equipment (CPE) using DHCPv6-PD reboots, perhaps unexpectedly, and does
not retain prior lease information? It might receive a new prefix while
the old prefix is still in use on hosts behind it. The problem was
documented in IETF RFC 8978 - Reaction of IPv6 Stateless Address
Autoconfiguration (SLAAC) to Flash-Renumbering Events, with engineering
recommendations published in IETF RFC 9096 with the same title as this
talk.
Injection Attacks Reloaded: Tunneling Malicious Payloads over DNS
Philipp Jeitner
A research talk that demonstrates how some stub resolvers are not
sufficiently strict in how they parse domain names. In their tests they
found that CNAMEs with RDATA that encodes a null (\000) can fool some
resolvers into accepting a prefix of victim.com\000.attacker.com that
points to victim.com rather than the full null-embedded name. You can
test your resolver and read more about this work on their test page.
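The parsing mistake is easiest to see side by side. The following is an added example (my own code, not from the talk, the paper, or their test page) that decodes a DNS wire-format name two ways: the lenient way, where the labels are joined and then handled as a C string so reading stops at the first NUL, and the strict RFC 4343 presentation form, where NUL and any other non-printable byte is escaped as \DDD so nothing in a label is lost. It also includes the letters-digits-hyphen check a resolver can apply before handing a CNAME target to an application that expects a hostname. The sample RDATA is constructed here; the label split is an assumption for illustration.

```python
# Added example (not code from the talk or the paper): decoding a DNS
# wire-format name strictly, next to the lenient decoding that yields the
# truncation described above. Sample data is constructed here.
from typing import List, Tuple

# RFC 1123 letters-digits-hyphen set for hostname checks (as byte values).
LDH = set(b"abcdefghijklmnopqrstuvwxyz"
          b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")

def parse_wire_name(buf: bytes, offset: int = 0) -> Tuple[List[bytes], int]:
    """Parse an uncompressed wire-format name into its raw labels.
    Returns (labels, offset just past the terminating zero-length byte)."""
    labels: List[bytes] = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            raise ValueError("compression pointer not supported in this example")
        label = buf[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        offset += length

def lenient_to_text(labels: List[bytes]) -> str:
    """Join labels with dots and treat the result as a C string: reading stops
    at the first NUL, so victim.com\\000.attacker.com collapses to victim.com."""
    raw = b".".join(labels)
    return raw.split(b"\x00", 1)[0].decode("latin-1")

def strict_to_text(labels: List[bytes]) -> str:
    """RFC 4343 presentation format: '.' and '\\' inside a label and any
    non-printable byte are escaped, so no part of a label is lost."""
    out = []
    for label in labels:
        chunk = []
        for b in label:
            if b in (0x2E, 0x5C):            # '.' or '\' inside a label
                chunk.append("\\" + chr(b))
            elif 0x21 <= b <= 0x7E:          # printable ASCII
                chunk.append(chr(b))
            else:                            # NUL and other control/high bytes
                chunk.append("\\%03d" % b)
        out.append("".join(chunk))
    return ".".join(out)

def is_valid_hostname(labels: List[bytes]) -> bool:
    """LDH check a resolver can apply before handing a CNAME target to an
    application expecting a hostname. Rejects embedded NULs and odd bytes."""
    if not labels:
        return False
    for label in labels:
        if not 1 <= len(label) <= 63:
            return False
        if any(b not in LDH for b in label):
            return False
        if label[0] == 0x2D or label[-1] == 0x2D:   # leading/trailing '-'
            return False
    return True

def build_wire_name(labels: List[bytes]) -> bytes:
    """Encode labels as length-prefixed wire format (used to build samples)."""
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

# Constructed sample: a CNAME target whose second label carries a NUL byte.
# The exact label split is an assumption made for this illustration.
SAMPLE_RDATA = build_wire_name([b"victim", b"com\x00", b"attacker", b"com"])

if __name__ == "__main__":
    labels, _ = parse_wire_name(SAMPLE_RDATA)
    print("lenient:", lenient_to_text(labels))           # victim.com
    print("strict: ", strict_to_text(labels))            # victim.com\000.attacker.com
    print("valid hostname:", is_valid_hostname(labels))  # False
```

The defensive point is that the wire format carries explicit label lengths, so a resolver never needs C-string semantics to know where a name ends; rejecting a name that fails the hostname check, or surfacing it in escaped form, is what keeps the application from seeing a name it was never given.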
Containerlab - Running Networking Labs with Docker UX
Roman Dodin, Karim Radhouani
This was a tutorial on containerlab, a command line-based tool to help
set up and manage container-based network lab environments. Visit the
containerlab web page to get started with this solution.
Network Automation Using Ansible
Ganesh Nalawade
A tutorial and introduction to Ansible. A fairly comprehensive look at
using Ansible for network operators that is best experienced by watching
the video since it includes lots of demos that are not present in the
slide deck.