www.kentik.com
Kentik is a NetFlow SaaS that has some serious clue on board.
One founder was a founder of Akamai. CTO built the Netflix CDN. Staff person I talked to used to work at Arbor, etc.
They built their own database modeled on Google Dremel.
They are working closely with Luca Deri and ntop. There is a flag to export ntop direct to Kentik cloud as part of their demo.
They integrate with DDoS tools including A10. Their NetFlow system can automatically detect and alert on DDoS and then mitigate via your DDoS system.
They can provide an on-site server for sites with issues about moving NetFlow data offsite. They have HTTPS access to their cloud servers.
Contacts:
Michael Jacobs, Strategic Accounts, San Francisco, 408.515.9408
Larry Austin, Strategic Account ext, SF, 408.796.1292
Wednesday, June 15, 2016
Experiences with network automation at Dyn
At NANOG 63 I talked about Kipper, our network automation project at
Dyn, and how it aims to align our network configuration lifecycle with
the existing continuous integration model used for servers. Since then
we have significantly expanded its coverage, added new features and
incorporated other teams in our workflow. In this presentation I will
describe the current setup and then talk about our challenges, successes
and some of the lessons we have learned along the way.
Post IPv4 Depletion Trends
Hijackers are focusing on networks without an ARIN POC - affects legacy/academic networks according to the presenter:
https://www.nanog.org/sites/default/files/Nobile_Post_Ipv4_Depletion.pdf
Automating Maintenance Notifications
Very interesting system for standardizing and parsing maintenance events and getting the information out to the right people, on the right calendars, etc.
Despite all the recent progress around network automation, there's one aspect of our operations that for many remains stuck in a manual past. Most of us deal with maintenance notifications - both those we get and those we send - by throwing people at the problem.
Thousand Eyes
Was told that Thousand Eyes is opening an Austin office with marketing and possibly some training support.
Need to investigate as a possibility for local training and education on TE, especially for other ITS/IT groups who need to understand how to monitor cloud services.
Contact:
Steve Brown, Senior Solutions Engineer, San Francisco, sbrown@thousandeyes.com, 770.335.0354
Utilizing Kea hook points for modern IP addressing (DHCP)
Kea is a new high performance, open source project for DHCP IPv4 and IPv6 addressing.
"No restart required unless physical interfaces change"
Facebook Kea DHCP servers all answer on one IP address
Facebook proposed using the Kea database to also store Kea config to provide hitless config with no restart
Measurement based inter-domain traffic engineering
This presentation concentrates on an inter-domain traffic engineering scenario for multi-homed stub ASes.
Suffering Withdrawal; an automated approach to connectivity evaluation
Today’s routers generally make themselves more- or less-attractive to
transit traffic through operator’s manipulation of their interfaces IGP
metrics or overload status. This all-or-nothing method lacks granularity
and does not take advantage of the wealth of connectivity and
health-check information readily available at the router.
TCP over IP Anycast - Pipe dream or Reality?
The talk will focus on how to route our end users to the closest
location serving content -- i.e. to the closest PoP. Traditionally
LinkedIn used geo-location based load balancing (with help of DNS) but
there are challenging areas with this approach that lead to bad
performance for the end user and operational challenges for the LinkedIn
site teams.
Tuesday, June 14, 2016
Blackholing at IXPs: On the Effectiveness of DDoS Mitigation in the Wild
DDoS attacks remain a serious threat not only to the edge of the
Internet but also to the core peering links at Internet Exchange Points.
DNS-based censorship: theory and measurements
As explained in RFC 7754, "Technical Considerations for Internet Service
Blocking and Filtering", it is tempting for a censor to attack, not the
direct traffic or servers, but the rendezvous systems, the most obvious
one being the DNS.
Peering Security and Resiliency
In this presentation we'll talk about BGP peering security and
resiliency challenges. First we'll show real-world peering observations
from the perspective of a peering router at an IXP. Then we'll give an
operational perspective on peering configuration challenges, with a
focus on scale and automation.
Everyday practical BGP filtering
Robust BGP filtering is a challenge in and of itself. In this talk
NTT offers unprecedented insight into how today's AS2914
filter-sausage is made.
Avoiding Nation-State Surveillance
When Internet traffic enters a country, it becomes subject to those
countries’ laws. As an increasing number of countries pass laws that
facilitate mass surveillance, Internet users have more need than ever to
determine---and control---which countries their traffic is traversing.
To this end, we first conduct a large-scale measurement study to
demonstrate that Internet paths often transit countries where laws may
make users more vulnerable to surveillance than they would be in their
home country.
DNSSEC Tutorial
Eddie Winstead from ISC -- tutorial on DNSSEC.
Root has been signed as of July 2010 ("Layer 9 issue") so only need one trust anchor in your configuration
As of 2016 DNSSEC deployment is much easier.
Tutorial Everything You Always Wanted to Know About Optical Networking
Richard Steenbergen preso on current state of the art for optical networking.
Useful set of slides: https://www.nanog.org/sites/default/files/Steenbergen.Everything_You_Need.pdf
Elliptic curves to the rescue: tackling availability and attack potential in DNSSEC
Notes: Not quite ready for prime time, but moving to better security in the next year or so is on the roadmap. Something to consider if/when making a DNSSEC deployment.
Network Support for TCP Fast Open
Notes: Biggest issue was firewalls incorrectly dropping TCP packets with
these options. Broken code in firewalls in the systems that they
investigated. So middleboxes are making improvements difficult. Approx.
20 percent of sites had issues with middlebox-induced failures.