Content of the talks at the SINOG 4.0 meeting – 23 and 24 May 2017
SINOG 4.0 – first day… (IPv6 topics)
Ole Trøan, Cisco – The IPv6 Keynote
Why is IPv6 what it is? Protocol design is not value neutral. This talk will cover some of the choices made in designing the IPv6 protocols and discuss some of the ongoing tussles in IPv6 standardisation. It will also take a look at where we might be heading with the IPv6 transition in the future.
Ivan Pepelnjak, IPspace (presenter) and Enno Rey, ERNW (author) – Why IPv6 Security Is So Hard: Structural Deficits of IPv6 & Their Implications
Many organizations do not consider it an easy task to properly secure their IPv6 deployments, namely when they realize that “just transferring their IPv4 security architectures in a 1:1 way, to longer addresses” does not work. In this talk I will lay out what the reasons are on a design and specification level and I will discuss what this means in practice when developing an IPv6 security strategy.
RIPE NCC – IPv6 Routing in Slovenia, as seen from the rest of the world
Nathalie did an analysis with all the different RIPE tools to see how IPv6 routing in Slovenia is performing. She will talk about IPv6 RIPEness, the IXP Country Jedi, but also an elaborate comparison of IPv4 and IPv6 routing with the help of RIPE Atlas probes.
Jan Žorž – NAT64/DNS64 real life experiments, warnings and also one useful tool
As many mobile operators were moving to IPv6-only, which is incompatible with IPv4 on the wire, it’s necessary to employ transition mechanisms such as 464XLAT or NAT64. The Go6lab NAT64/DNS64 testbed was therefore established so that operators, service providers, and hardware and software vendors can see how their solutions work in these environments. This has already generated significant interest, and instructions on how to participate are available on the Go6lab website.
When using NAT64 there are many things that need to be checked to ensure they work correctly. NAT64check has therefore been developed to allow websites to be checked for consistency over IPv4, IPv6-only and NAT64, as well as to compare responsiveness using the different protocols. This allows network and system administrators to easily identify anything that is ‘broken’ and to pinpoint where the problems are occurring, thus allowing any non-IPv6 compatible elements on the website to be fixed. For example, even if a web server is not running IPv6 (why not?), hardcoded IPv4 addresses can cause NAT64 to fail.
Jan Žorž from Go6/ISOC will give an insight into, and discuss, some issues that he found while testing NAT64/DNS64 technology in real-life scenarios and use cases.
‘The dark Side of the IPv6 Moon’ panel discussion
Panel discussion, chaired by Jan Žorž and featuring Ole Trøan (Cisco), Job Snijders (NTT), Ivan Pepelnjak (ipSpace) and Nathalie Kunneke-Trenaman (RIPE NCC). The focus is the deployment and operational consequences of the architectural and standardisation decisions about IPv6, and the panel will discuss the real-world challenges of using IPv6 in production networks.
We hope to shed some light on some IPv6 protocol and architecture aspects and issues from an operational and deployment point of view and tell operators what they need to be aware of when deploying IPv6. All these years IPv6 evangelists and promoters have been talking mostly about the good and shiny aspects of IPv6, but now that the snowball is over the edge, we think it’s time to talk also about the less convenient part of the whole IPv6 story.
Jan Žorž – IPv6 Lightning Talk: “IPv6 prefix assignment for end-customers – persistent vs non-persistent, and what size to choose.”
In this presentation Jan Žorž will talk about the BCOP (Best Current Operational Practice) document that gives some down-to-earth operational advice to operators deploying IPv6 in two areas: what size of IPv6 prefix they should assign to end-users (residential or business customers), and how the assignments should be done, in a persistent (more static) or non-persistent (dynamic) way. The second draft of the document can be found at https://sinog.si/docs/draft-IPv6pd-BCOP-v2.pdf.
SINOG 4.0 – second day…
Ivan Pepelnjak, IPSpace – Securing Network Automation
If you have operational experience in running large networks then you’re probably yearning to replace the traditional way of managing individual network devices via SSH with something better and more reliable. Software Defined Networking (SDN) was touted as the all-encompassing solution, but what we got instead is a heap of academic ideas, several platforms that require as much investment as an SAP deployment, and a bunch of proprietary products focused more on increasing lock-in and vendor revenue than solving operational problems.
It’s time we learn from the Unix playbook and start building our network automation solutions from small reusable components… but can we make such a solution secure and reliable? Can we still protect the network from misconfiguration, management-plane attacks, or automation-caused failures? This presentation will discuss the security and reliability challenges of network automation, and describe a few potential solutions.
Job Snijders, NTT Communications – Large BGP Communities
BGP Large Communities (RFC 8092) are a novel way to signal meta-information within and between networks, one that improves upon classic BGP communities (RFC 1997), especially for 32-bit ASNs. In this presentation we’ll introduce BGP Large Communities, and how to use them. We’ll talk about how to develop a comprehensive community policy, and what tools are available for testing and deploying BGP Large Communities. The examples will range from dealing with the eyeball/CDN demarcation, up to how route server operators or global carriers might present traffic engineering features to their customers.
Rok Arzenšek, NIL – Management and orchestration in complex and dynamic environments
Managing and provisioning services in large network environments takes a lot of time, and an additional problem is their lack of “resilience” to our mistakes. The transactional approach addresses exactly this challenge, but can the management of network services really become more efficient because of it?
In this talk we will show how much standardisation contributes to successful orchestration in an SDN environment and what can be achieved with a sound conceptual design of the system. We will also highlight how both contribute to simpler and more efficient service management in a network environment.
Ole Trøan, Cisco – VPP/fd.io
Vector Packet Processing is an open source router/switch data plane running on commodity hardware. It is a development framework for building bespoke forwarding applications. This talk will cover the basic architecture and use cases of VPP, including replacing standard routers, use as a vRouter/vSwitch, or as Virtual Network Functions (VNFs).
Kevin Meynell, Internet Society – Two years of good MANRS
Mutually Agreed Norms for Routing Security (MANRS) is an initiative by network operators launched in November 2014. Started by 9 operators, it has grown to almost 100 networks around the globe. The goal of the initiative is to set a visible, industry-supported baseline for essential security measures for global adoption.
The presentation explains the concept behind MANRS, discusses challenges and successes over the last 2 years and introduces new MANRS-related activities that are currently under development.
Peter Zalar, Advant – “Why doesn't my WiFi work?”
The talk will touch on the burning issue of awareness of the importance of baseline requirements for planning and placing WiFi access points in complex environments. Today, as this kind of connectivity is taken for granted and the number of connected devices grows, the designer's freedom when using professional software tools is narrowing.
A seemingly working WiFi network is slow, outages at certain locations are frequent, connecting is unreliable… it wasn't like that at the beginning.
More is demanded of the designer and the implementer. With clear requirements and wishes, a modern wireless network can cope with covering the intended locations and the number of users. This short talk will present the problems and universal solutions.
Matej Vadnjal, Arnes – OpenConfig and NAPALM – from network configurations to code and back
As the number of devices in the network and the frequency of configuration changes grow, manual configuration does not hold up well. When introducing automation into our network, however, we quickly run into the problems of how to structure our network's parameters appropriately and how to translate them into a form that our network devices will understand.
In this talk we will look at one way of tackling this problem. The YANG data modelling language and the data models of the OpenConfig initiative will be briefly introduced.
Next we look at the Python library NAPALM. We will see how, in a relatively simple way, we can translate a network device's configuration into a structure compatible with OpenConfig models, how we modify this structure programmatically and, of course, how we translate it back into the configuration of our network equipment.
Finally, we look at how this solution can be used in Ansible.