Being a good Netizen GRNOG 9 December 6 2019 Antonis Lioumis

SLIDE 1

http://www.grnet.gr

Being a good Netizen GRNOG 9 December 6 2019

Antonis Lioumis GRNET/NOC

SLIDE 2

National Infrastructures for Research and Technology

  • Connect Research and Educational Community in Greece
  • GRIX operators
  • Network infrastructure
    – Optical, MPLS/L2-L3, Access, Internet/GEANT
  • Computing infrastructure
    – 5 DCs
    – Cloud services
    – HPC
  • Digital transformation
    – Services across the public sector

SLIDE 3

Good Network Practices in GRNET

  • Series of norms an ISP should follow in order to secure the network as much as possible
  • Not “rocket science”
  • Easy to implement
  • Great benefit for ISP and community in general

SLIDE 4

Good Network Practices in GRNET

  • Hostmaster
  • Online form for collecting all customer info
  • Abuse mail, contact details (admin and tech)
  • Strict policy for network assignments (/27’s, /48’s)
  • Efforts to regain unused IP space
  • Significant IP space has been returned to GRNET
  • Internal IPAM
  • Getting rid of IPv4 network management
  • Promote IPv6

SLIDE 5

Good Network Practices in GRNET

  • Keep Databases (RIPE, PeeringDB) clean
  • Updated entries (inetnum, route objects)
  • Based on route objects we build BGP filters
  • Valid abuse mail contacts
  • ROAs for every prefix
  • Maintain private whois database
  • For private AS numbers

SLIDE 6

Good Network Practices in GRNET

  • RPKI
  • Deployed RPKI infrastructure more than three years ago
  • Two RPKI validators in use (both RIPE NCC solution)
  • Until recently just changing Local Preference preferring GRIX over upstream
  • Since mid October started dropping invalid RPKI prefixes on upstream and GRIX peerings
  • Dropped traffic was less than 50Mbps (peak)
  • Evaluate other validators (i.e. Routinator)
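The decision behind "dropping invalid RPKI prefixes", as an added example that is not part of the original slides and not GRNET's configuration: route origin validation as defined in RFC 6811, applied to constructed announcements. The VRP table, the announcements and the function names are assumptions made for illustration, as is accepting not-found routes, which the slides do not address.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max length, origin ASN).
# Documentation prefixes and documentation ASNs, not real routing data.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
    ("2001:db8::/32", 48, 64500),
]

# Constructed BGP announcements: (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),       # matches a VRP exactly
    ("192.0.2.0/25", 64500),       # more specific than max length allows
    ("192.0.2.0/24", 64511),       # covered, but wrong origin AS
    ("198.51.100.128/25", 64501),  # more specific, within max length
    ("203.0.113.0/24", 64502),     # no covering VRP
    ("2001:db8:1::/56", 64500),    # IPv6, longer than max length 48
]


def validate(prefix, origin_asn, vrps=VRPS):
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # some VRP covers this route
        # AS0 in a VRP never matches any origin (RFC 6811).
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def import_policy(announcements, vrps=VRPS):
    """Drop invalid routes; accept valid and not-found ones (assumed policy)."""
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = validate(prefix, asn, vrps)
        (dropped if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, dropped


if __name__ == "__main__":
    accepted, dropped = import_policy(ANNOUNCEMENTS)
    for prefix, asn, state in accepted + dropped:
        action = "drop" if state == "invalid" else "accept"
        print(f"{prefix:20} AS{asn:<6} {state:10} {action}")
```

A route is invalid only when some VRP covers it and none matches both origin and length, which is why keeping ROAs accurate for every prefix matters once peers drop invalids.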

SLIDE 7

Good Network Practices in GRNET

  • Management plane
  • Same firewall filters across network
  • Control Plane (BGP)
  • AS path filtering
  • Prefix list filtering
  • Announce only aggregates to GRIX and Upstream
  • TTL security mechanism
  • Data Plane
  • Drop bogons, martians
  • Antispoofing (Customers & DC)
  • Forbid NAT in BGP p2p subnets

SLIDE 8

Good Network Practices in GRNET

  • MANRS (www.manrs.org)
  • Mutually Agreed Norms for Routing Security
  • Filtering
  • Antispoofing
  • Coordination
  • Global Validation

SLIDE 9

Good Network Practices in GRNET

  • Defending our Network
  • Abuse IO tool (automated tool for sending abuse reports to IP space holders)
  • Firewall on Demand (BGP flowspec rules)
  • Scrubbing tools
  • Upstream protection (subscribed already)
  • Testing internal tools (XDP)
  • Promote Firewall as a Service
  • Permanent Firewalling for customers
  • Alerting (Peakflow appliance)
  • ROA alerts (RIPE NCC portal)
  • RIS live (https://ris-live.ripe.net/)

SLIDE 10

http://www.grnet.gr

Thank you. Questions?

alioumis@noc.grnet.gr