Are you looking for a simple operating system tailored to help you participate in all aspects of the global Internet? Allow me to pitch a project that produces free and modern implementations of the most popular Internet protocols!
Even though OpenBSD’s origin story goes back almost 25 years, there is nothing pre-historic about this project. OpenBSD is a well-renowned powerhouse for innovation. Every day extremely talented developers share their latest software creations — through the OpenBSD project — with all of the world to enjoy, for everyone to use as they see fit.
This tireless sharing of creativity helped create…
Job — Not many people know this, but The Netherlands was the second country on this planet to connect to the Internet. In those early days there was a fascinating initiative called XS4ALL. Unfortunately, our incumbent KPN is trying to destroy the dream that XS4ALL represents. Today with me I have someone who is involved in revitalizing the dream in some other shape, under a different name. Can you introduce yourself?
Gerdien — My name is Gerdien Dalmulder. I’m part of…
Job — pmacct is a wonderful open source tool that allows you to correlate what happens in your routing and where data is flowing. It allows you to analyse the profitability of the network, and it helps with security aspects. All in all the best traffic analyzer engine you can wish for! Paolo, you started this 15 years ago?
Paolo — To be more precise it was in 2003, it is actually 16 years ago!
[ Edit #1 — DONE! We reached the $20,000 fundraiser goal! Thank you NetNod, IIS.SE, SUNET & 6connect for supporting this effort!
Edit #2 — June 17th, 2019 source code delivery day: portable version, OpenBSD version, and my commit message ]
BGP routing security is in vogue! We’re seeing a ton of interest in RPKI based BGP Origin Validation: significant uptake in The Netherlands and global players such as Cloudflare have committed themselves to RPKI technology. RPKI will play a critical role in improving the Internet’s security posture, but how do we bring this technology to the masses? …
Leading in routing security: Using RPKI at Internet Exchange Points
I'd like to offer some notes on the advantages of secure route servers and why a “secure by default” approach benefits everyone, including organisations not connected to the Internet Exchange Point (IXP). In this article I’ll also cover the role of the Resource Public Key Infrastructure (RPKI).
An underexposed aspect of any route server is that an insecure Route Server can affect any business, regardless of whether the business peers with the Route Servers, or even is present at the IXP. For example: when someone inadvertently or maliciously advertises…
I'd like to share an update on some routing security activities that ARIN, NTT Communications, YYCIX (Calgary Internet Exchange), the NLNOG Foundation, and the arouteserver project have been collaborating on. Quite some puzzle pieces were brought together! :)
Traditionally, there are two commonly-used methods to signal to your peers or upstream providers what Origin ASN(s) are allowed to originate a given IP prefix. As an operator, you can either create a "route object" in the IRR, or you can compose a Letter Of Agency (LOA) and send that to your upstream provider for manual verification.
Some carriers view measures to improve routing security as a hindrance rather than as a safeguard to enable business. The BGP protocol itself has no inherent safety mechanisms, so the network operator has to ensure adequate layers of protection are implemented on the boundary between their own network and the Internet.
Normalcy bias may play a role: I see carriers target short-term gain by heavily relying on the assumption that there will never be any misconfigurations or malicious attacks. Of course yesterday’s incident shows otherwise.
For many networks the topic of routing security becomes a priority, only after they’ve…
This industry has a long history of improving default behavior: DEC MOP is no longer enabled by default, telnet was swapped out in favor of SSH, and SHA-1 is now deprecated, so I’m confident we can manage this one too.
TL;DR This message offers advice on test scenarios to add to your evaluation checklist and a call to action to ask your vendor to implement RFC 8212. Please share this message with other communities.
Background Prior to…
Internet Architecture at NTT, director NLNOG, vice president PeeringDB, art director at OpenBSD, IETF