18 September 2019
Takeaways from UKNOF44
The entire Faelix team was in Belfast for UKNOF44, the thrice-annual national meeting of network architects and infrastructure engineers. The scope of the presentations this time was quite wide, ranging from the challenges of meeting ever-increasing demand for network capacity; through academic projects to leverage software-defined networks in security/threat mitigation; to some of the softer skills for personal development.
Evolution of Infrastructure
Rob Evans from Jisc spoke about their recent deployment of 400G single-carrier wavelengths on Janet, covering wavelength selective switching (an evolution towards gridless DWDM) and Raman amplification as deployed on dark fibre spans over hundreds of kilometers.
Touching on a fascinating topic for network operations, Thomas Weibel spoke about the complexity of high-speed transceivers and covered some of the characteristics that Flexoptix have to consider when designing and testing their 100G and 400G transceivers. This was deep optical and electronic engineering, and enlightening to those of us who just take for granted the availability of QSFP-DD, OSFP and CFP8 pluggable modules.
DNS and Routing Security
The session after lunch was heavy on DNS. Robert Šefr from Whalebone spoke about the latest news in DNS resolution, covering some DNSSEC deployment pitfalls and learning points.
Andy Fidler gave an update on DoH and emerging IETF / IRTF standards, treating us to news about BT’s plans to roll out their DNS-over-HTTPS service trial.
The subject of DNS-over-HTTPS continued with a panel discussion on the operational considerations of DoH deployment. The roll-out of DNS privacy technologies is something we strongly support, and our public DNS services gained significant exposure this summer when the Internet Service Providers Association (ISPA) nominated Mozilla for an “Internet Villain Award” over its DoH plans. Since ISPA made that notorious suggestion, we have been working with other like-minded ISPs in the UK to promote and build DNS-over-HTTPS services. We were also interviewed by the EFF about DoH and explained our philosophy and stance on protecting our customers with DNS technologies.
Back to our review of UKNOF: we were treated to Barry O’Donovan’s talk about how INEX have rolled out route servers that filter using RPKI. As a signatory to the MANRS manifesto we welcome seeing more and more Internet exchanges around the world adopting measures to protect global routing security. High-profile BGP misconfigurations and traffic redirections are on the increase, and many of them would be mitigated were ISPs and carriers to adopt appropriate filtering, but these measures are rarely discussed outside network operations circles like UKNOF.
“Gimme all of it. Stop hoarding what you know ;)” (lucas geiger, @geiger_lucas, September 16, 2019)
Faelix’s routing security
We have adopted a multi-tier approach. The first tier is BCP38 ingress filtering: packets arriving from a customer are only forwarded if their source address belongs to that customer's assigned prefixes. This stops our customers spoofing traffic (forging the source address of IP packets), so that hosts on our network cannot forge a victim's address and use it to trigger reflection and amplification DDoS attacks.
BGP itself cannot vouch for the authenticity of a route announcement: it is a protocol spoken between Internet routers, and a router has no way of telling from the announcement alone whether the originating network is entitled to the addresses it claims. Other trusted sources of information are required to establish which networks own, or provide service to the owners of, a block of IP addresses. This information can come from Regional Internet Registries (such as RIPE NCC), from Internet Routing Registry databases (such as RADB), or from RPKI. BGP-speaking routers can acquire RPKI (Resource Public Key Infrastructure) validation data from a local validator using the RPKI-to-Router protocol (RTR) and use it to make decisions about the routes that BGP is telling them about.
We publish our routing policy in the RIPE database. This includes our AS-set (the list of our network, and our customers’ networks, and all their customers, et cetera). We use similar information published by our customers to ensure we only accept routes for addresses they are allowed to announce. Carriers who provide Faelix with upstream connectivity are able to use our AS-set to automatically and dynamically generate their own prefix-lists to decide whether or not to accept our BGP announcements to them, ensuring that we (and our downstream customers) cannot accidentally or maliciously redirect traffic. We apply these same kinds of filters to our peers.
Later this month we are deploying our new edge routers, which will filter with RPKI as well as with dynamically- and automatically-generated prefix lists. RPKI uses public key cryptography to create and verify certificates and signed Route Origin Authorisations (ROAs) that tie address space to the autonomous systems allowed to originate it, including the most-specific prefix length permitted. Because a ROA is signed under the RIR's certificate hierarchy rather than simply written into a database, an announcement whose origin AS or prefix length contradicts the ROA can be marked invalid and dropped, making route spoofing even harder than just relying on information published in RIR databases.
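To make the three tiers above concrete, here is an added example (our own illustration, not Faelix's router configuration or any vendor's code) that models them in Python: a BCP38 source-address check, expansion of an AS-set into an IRR-derived prefix list, and RFC 6811 route origin validation against ROAs. The AS-set names, ASNs (from the RFC 5398 documentation range), prefixes (RFC 5737 and RFC 3849 documentation blocks) and ROAs are all constructed for the example. A real router would receive the ROA data from a validator over RTR; the block models only the decision that data drives.

```python
"""Model of a multi-tier routing-security filter (added example, not Faelix code).

Tier 1  BCP38: a customer port forwards only packets whose source address
        lies inside the prefixes assigned to that customer.
Tier 2  IRR-derived prefix list: expand the customer's AS-set (members may
        themselves be AS-sets, and real IRR data contains cycles), then keep
        the route/route6 objects originated by a member ASN.
Tier 3  RPKI route origin validation (RFC 6811): compare prefix and origin
        ASN with ROAs, honouring each ROA's maxLength.

All AS-set names, ASNs (RFC 5398 documentation range), prefixes
(RFC 5737 / RFC 3849) and ROAs below are constructed for this example.
"""
import ipaddress
from collections import deque

# Constructed IRR as-set objects: name -> "members:" attribute.
AS_SETS = {
    "AS-EXAMPLE-ISP": {"AS64496", "AS-EXAMPLE-CUSTOMERS"},
    "AS-EXAMPLE-CUSTOMERS": {"AS64500", "AS-EXAMPLE-RESELLER"},
    # Cycle on purpose: the reseller set lists the customer set that lists it.
    "AS-EXAMPLE-RESELLER": {"AS64501", "AS-EXAMPLE-CUSTOMERS"},
}
# Constructed route/route6 objects: (prefix, origin ASN).
ROUTE_OBJECTS = [
    ("192.0.2.0/24", "AS64496"),
    ("198.51.100.0/24", "AS64500"),
    ("2001:db8::/32", "AS64501"),
]
# Constructed ROAs, as a validator would hand them to a router over RTR:
# (prefix, maxLength, authorised origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, "AS64496"),
    ("2001:db8::/32", 48, "AS64501"),
]


def canon(prefix):
    """Canonical text form so '2001:DB8::/32' and '2001:db8::/32' compare equal."""
    return ipaddress.ip_network(prefix, strict=True).with_prefixlen


def expand_as_set(name, as_sets=AS_SETS):
    """Return the set of ASNs reachable from an AS-set (breadth-first).

    The visited set makes circular membership terminate.
    """
    asns, seen, todo = set(), set(), deque([name])
    while todo:
        item = todo.popleft()
        if item in seen:
            continue
        seen.add(item)
        if item.upper().startswith("AS-"):
            todo.extend(as_sets.get(item, ()))
        else:
            asns.add(item)
    return asns


def prefix_list_for(as_set, route_objects=ROUTE_OBJECTS):
    """Tier 2: prefixes whose route object is originated by a member of the AS-set."""
    origins = expand_as_set(as_set)
    return sorted(canon(p) for p, origin in route_objects if origin in origins)


def bcp38_permits(src_ip, assigned_prefixes):
    """Tier 1: True only if src_ip lies inside a prefix assigned to this customer port."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) for p in assigned_prefixes)


def rpki_validate(prefix, origin, roas=ROAS):
    """Tier 3, RFC 6811: 'valid', 'invalid' or 'notfound' for (prefix, origin)."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for p, maxlen, asn in roas:
        roa_net = ipaddress.ip_network(p)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((maxlen, asn))
    if not covering:
        return "notfound"   # no ROA covers this prefix at all
    if any(asn == origin and net.prefixlen <= maxlen for maxlen, asn in covering):
        return "valid"
    return "invalid"        # covered, but wrong origin or more specific than maxLength


def accept_announcement(prefix, origin, customer_as_set):
    """Tiers 2 and 3 together, as applied to one customer BGP session.

    A prefix list cannot see the origin ASN, so a listed prefix announced from
    the wrong ASN passes tier 2 and is only caught by RPKI in tier 3.
    """
    if canon(prefix) not in prefix_list_for(customer_as_set):
        return False, "not in IRR-derived prefix list"
    state = rpki_validate(prefix, origin)
    if state == "invalid":
        return False, "RPKI invalid"
    return True, "RPKI " + state


if __name__ == "__main__":
    print(bcp38_permits("203.0.113.9", ["198.51.100.0/24"]))  # spoofed source
    print(prefix_list_for("AS-EXAMPLE-CUSTOMERS"))
    print(accept_announcement("2001:db8::/32", "AS64500", "AS-EXAMPLE-CUSTOMERS"))
```

The last call in the usage block is the case the prefix list alone misses: 2001:db8::/32 is legitimately in the customer AS-set's prefix list (via AS64501), but announced with origin AS64500 it contradicts the ROA and is rejected as RPKI invalid. A customer announcing the ISP's own 192.0.2.0/24, the accidental-redirect case, is stopped earlier by the prefix list.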
It is good to see more Internet exchanges automatically making decisions about whether or not to accept announcements using RPKI.
Soft Skills are Hard
Two stand-out talks at UKNOF were on some of the harder topics in network engineering. Brian Nisbet explained how he has used skills honed in roleplaying to work through business continuity planning (in case a dragon has destroyed the data-centre). Just over a year ago we ran a tabletop disaster plan test with a customer, and we will be adding some of Brian’s advice into the lessons we learned during that exercise.
Finally, something to reflect on when not dealing with my own mammoth to-do list: Donal Cunningham gave his tips for Time Management for Technical People. In some ways these kinds of soft skills are the hardest!