back to meeting agenda.

Wednesday Registration
Date/Time 7:30 AM to 5:00 PM
Location Lone Star Foyer, Level 3
Wednesday Extended Breakfast
Date/Time 7:30 AM to 9:45 AM
Location Griffin Hall, Level 2
Wednesday Espresso Bar
Date/Time 8:30 AM to 4:30 PM
Location Lone Star East Foyer, Level 3
Sponsors
QTS Richmond NAP
NANOG 77 Community Meeting
Date/Time 10:00 AM to 10:30 AM recorded
Location Lone Star Salon D-H, Level 3
Presenters
Speaker
Vincent Celindro, Dell Technologies
Vincent has nearly twenty years of experience architecting, deploying and operating networks, and challenging the norm. He started his career at Northwestern University, where he was one of the pioneers running an MPLS/VPN network in a university environment. Vince is currently an Architect at Juniper Networks, where he travels around the country helping well-known organizations, ranging from mega/hyperscale datacenters, tier 2/3 service providers and the largest colocation facilities globally to higher education, retailers and online gaming companies, architect, maintain and advance their networks to support their respective services today and for the future. He is a mentor, always willing to share his knowledge and experience to help improve and progress the craft of Network Engineering. Network (R)evolutionist (JNCIE #69 / CCIE #8630)
Steve Feldman, CBS Interactive
Edward McNair, NANOG
Benson Schliesser, Volta Networks
Presentation Files
Video Files
Designing a workflow to respond to BGP Incidents
Date/Time 10:30 AM to 11:00 AM recorded
Location Lone Star Salon D-H, Level 3
Presenters
Speaker
Job Snijders, NTT
Job is actively involved in the Internet community both in an operational capacity and as a founder of cooperation efforts such as the NLNOG RING. He has taught service providers in the Middle East how to deploy IPv6 and has a passion for Routing Security and Automation. Job holds a position at NTT Communications' IP Development Department.
Abstract What do you do when someone calls you and tells you your company is part of a BGP hijack? None of us want to be part of, or contribute to, route leaks, misconfigurations, or BGP hijacks; but what steps do you take to analyse the problem, and how can you verify such a claim? After all, we do need to avoid taking down the wrong customer should the BGP hijack complaint contain the wrong information. It is prudent for Network Operations Centers to respond to BGP incidents in a consistent and reliable manner, preferably without having to make up the process on the spot! In this presentation we'll cover what incident response can look like in a NOC in terms of evidence collection and interpreting the available data.
Presentation Files
Video Files
An Architecture of Highly Available Services using Anycast and Segment Routing in IPv6
Date/Time 11:00 AM to 11:45 AM recorded
Location Lone Star Salon D-H, Level 3
Presenters
Speaker
Andrew Wang
Abstract IPv6 anycast is increasingly being used to provide geoproximity, fault-tolerance and load balancing solutions for services that are available from multiple points in the network. Anycast is a technique that can be used to direct clients to the closest server that can respond to the request, often reducing latency and improving the client experience. The major challenge in such systems is handling TCP connections during outages, as nodes go down and eventually come back up. We present an architecture that leverages Segment Routing in IPv6 (SRv6) to ensure fast failover in the presence of a server outage: requests are redirected to a remote server, but ongoing TCP connections to remote servers are kept intact when the local server recovers, all of this transparently to the client making the request. In this presentation we cover the basic concepts of IPv6 anycast and Segment Routing. We show how anycast can be achieved in IPv6 using BGP and the challenges it presents for a TCP connection. Then we will go over SRv6, introduce its main principles, and show how it can be leveraged to support stable TCP connections for services that are anycast from multiple points in the network. A short demonstration running in Containernet (a Mininet-based network emulator that supports Docker images) will tie all the concepts together: GoBGP for route advertisement, NetBricks (a framework for developing DPDK apps) for SRv6 packet handling, and Consul for service health checks. We will show a client making a request which will be served by a local cluster, and how the request will be fulfilled by a remote server when the local server is unavailable.
Presentation Files
Video Files
Defeating Cisco Trust Anchor: A Case-Study of Recent Advancements in Direct FPGA Bitstream Manipulation
Date/Time 11:00 AM to 12:00 PM recorded
Location Lone Star Salon A-C, Level 3
Presenters
Speaker
Jatin Kataria
Abstract In the space of trusted computing, FPGA-based security modules have appeared in a number of widely used security-conscious devices. The Cisco Trust Anchor module (TAm) is one such example that is deployed in a significant number of enterprise network switches, routers, & firewalls. We discuss several novel direct FPGA bitstream manipulation techniques that exploit the relative simplicity of input and output pin configuration structures. We present an analysis of the efficacy of the Cisco TAm & discuss both the high-level architectural flaws of the TAm as well as implementation-specific vulnerabilities in a TAm-protected Cisco router. By combining techniques presented in this talk with other recent advancements in FPGA bitstream manipulation, we demonstrate the feasibility of reliable remote exploitation of all Cisco TAm implementations using Xilinx Spartan-6 FPGAs. The TAm exploit described in this presentation allows the attacker to fully bypass all Trust Anchor functionality, including hardware-assisted secure boot, & to stealthily inject persistent malicious implants within both the TAm FPGA & the application processor.
Outline:
* Describe the Cisco ASR1001-X TAm & the initial recon process.
* Record emanation during the boot process with a near-field probe.
* Hypothesis: the FPGA loads its bitstream, becomes the TAm, emulates a SPI device, yields the XEON bootloader, and performs integrity attestation.
* Upon detection of corruption, the FPGA resets the XEON processor.
FPGA Bitstream Manipulation
* RTL reconstruction is a complex problem. RTL reconstruction without intimate knowledge of the specific FPGA hardware design is currently infeasible.
* Identify/reconfigure the IOB that controls the FPGA GPIO pin that affects the RST pin.
* Win without doing any RTL reconstruction.
* Fundamental flaw of the FPGA-based TAm design: all FPGA-based TAm implementations are vulnerable.
* Chain PSIRT 0513862549 & PSIRT 0968652476; demonstrate a remote FPGA bitstream manipulation attack to bypass the TAm.
* Cisco patch explanation
* Effect: automotive ADAS, weapon guidance & control systems
Presentation Files
Video Files
Wednesday Lunch (On Your Own)
Date/Time 12:00 PM to 1:15 PM
Lightning Talk: DNS Transparency Project
Date/Time 1:40 PM to 1:50 PM recorded
Location Lone Star Salon D-H, Level 3
Presenters
Speaker
James Shank
Abstract Recent attacks on the DNS, such as those detailed in Cisco Talos' report "Sea Turtle", expose a critical lack of visibility and audit trail within the DNS hierarchy. This lack of an available audit trail helps sophisticated actors remain difficult to detect in their efforts to undermine entire ccTLDs. Tim April, Barry Greene, Warren Kumari, Matt Ploessel and I are working together with several others within the DNS Operations community. We hope to solve this problem with a system broadly modeled on the Certificate Transparency concept. We are creating a system that will allow domain owners to protect their domain name resources by making record changes available for the domain owners and other interested parties to verify. We are calling this service "DNS Transparency" and we want to work with all companies and stakeholders to enable a more transparent naming infrastructure for the future! https://dnstransparency.org
Presentation Files
Video Files
Lightning Talk: Next chapter in MANRS
Date/Time 1:50 PM to 2:00 PM recorded
Location Lone Star Salon D-H, Level 3
Presenters
Speaker
Andrei Robachevsky, Internet Society
Andrei Robachevsky is the Senior Technical Programme Manager at the Internet Society. His primary area of interest is the security and resilience of the Internet infrastructure. This work is based on active engagement with the operator, research and policy communities. Prior to joining ISOC, Andrei was Chief Technical Officer of the RIPE NCC, responsible for the deployment of DNSSEC for the reverse DNS tree and the deployment of anycast instances of the K-root DNS server. Andrei brings to the Internet Society more than 20 years' experience in the Internet technical community. For more than a decade he has been actively following Regional Internet Registry (RIR) and Internet Engineering Task Force (IETF) activities. He was Chair of the Number Resource Organization's (NRO) Engineering Coordination Group (ECG), which is responsible for various technical inter-RIR activities and projects. In 2010-2012 Andrei was a member of the Internet Architecture Board (IAB).
Abstract Mutually Agreed Norms for Routing Security (MANRS) is a global initiative that provides crucial fixes to reduce the most common routing threats. Originally designed by and for network operators, the initiative has already been adapted once to address the unique needs and concerns of IXPs. This resulted in the development of the MANRS IXP Programme. We would like to present the next phase of this work, which focuses on CDN and Cloud providers and aims at making MANRS more accessible and impactful for these categories of operators. This is work in progress. Following the approach we used in the past, a task force developed a draft Action Set that will be presented in this talk to raise awareness and solicit feedback.
Presentation Files
Video Files
Powering Your Automation: A Single Source of Truth
Date/Time 2:00 PM to 3:00 PM recorded
Location Lone Star Salon D-H, Level 3
Presenters
Speaker
Tim Schreyack, Dell Networking
Tim began his career as a network engineer for a regional DSL provider in New England in 2000 and progressed to working on large-scale cloud provider networks. About 4 years ago, he first learned of DevOps, the SRE model and automation as they pertain to networking. He became an early adopter, first using Puppet and then eventually Ansible to enable automation and orchestration of networks. Most recently he joined the Dell Networking team to try and help others in transitioning to the Open Networking model.
Abstract Powering Your Automation: A Single Source of Truth
Introduction
- How we define automation
- Automation vs Orchestration
Automation Overview
- Ansible, Salt, Puppet
- Template-based configs
- Git and peer review process
Single Source of Truth
- Automation depends on inputs and assignment of resources
- How do we populate and maintain those inputs
- Single Source of Truth DB
DB Data Structure
- Physical and virtual devices
- Links
- IPAM
- Logical and physical resource pools
- Rich connections between all items in the DB allow for easy data retrieval
Accessing data from the DB in your templates
- Small code modules to use in templates (Python, Ruby, etc.)
- Example Python code for Ansible
Demo
- Run a small demo of using Ansible and a .j2 template to create and deploy device configuration for two different switches
Presentation Files
Video Files
Hackathon Recap
Date/Time 3:00 PM to 3:30 PM recorded
Location Lone Star Salon D-H, Level 3
Presentation Files
Video Files
Wednesday Break
Date/Time 3:30 PM to 4:00 PM
Location Lone Star Foyer, Level 3
Sponsors
Flexential
The intersection of optical transport and routing in next-generation networks
Date/Time 4:00 PM to 4:30 PM recorded
Location Lone Star Salon D-H, Level 3
Presenters
Speaker
Phil Bedard, Cisco
I began working at my first ISP at the age of 16, working tech support, building servers, and managing a network of Proteon routers. I continued to work at service providers for over 20 years, most recently as a Principal Engineer at Cox Communications, a position I held for ~9 years. I joined Cisco in March 2017 as a Technical Marketing Engineer in the SP Networking Software and Automation group, focused on network architecture and helping build automation products for the operator community. I have resided in Atlanta, GA for 10 years, originally hailing from SE Wisconsin. I have a B.S. in Computer Science from the University of Wisconsin-Parkside. In my spare time I enjoy racing in amateur motorsports, backcountry hiking, and tinkering with just about everything.
Abstract Innovations in networking will change the way you think about optical transport and IP routing. Key advances in coherent optical technology and routing platforms are destined to intersect in a way that will disrupt how metro, regional, and long-haul backbone networks are built. In this talk we will explore these innovations and their applicability to metro, regional, and long-haul backbone networks. You will better understand the potential for this to condense layers, simplify operations and drive higher resiliency. We will also discuss enhancements at the packet layer to ensure continued support for high speed wavelength services with path determinism, transparency, protection, and SLA assurance.
Presentation Files
Video Files
The Future of Passive Multiplexing and Multiplexing Beyond 10G
Date/Time 4:30 PM to 5:00 PM recorded
Location Lone Star Salon D-H, Level 3
Presenters
Speaker
Wouter van Diepen, Solid Optics
Wouter (pronounced WOW-TER) has a background in Chemistry and Computer Science. His early career was in the industrial automation industry, but for the past 12 years he has worked in the data networking industry with a special focus on optical transceiver technology and CWDM & DWDM passive optical networks. As a Co-Founder and CTO of Solid Optics, Wouter developed multiple unique products to meet the needs of network professionals, including a handheld optics recoding/tuning device (Multi-Fiber-Tool) and several innovative multiplexers, including an all-in-one 1RU MUX + EDFA + DISP COMP for long distance DWDM projects and 100G (EDFA-MUX).
Abstract The Future of Passive Multiplexing and Multiplexing Beyond 10G. In the past, it was easy to change your optical network from 1G to 10G by simply changing the transceiver, but what if you want to do more than 10G? What if you want to go beyond 80 km? What are your options, and why is there no QSFP28-DWDM-ZR? These are the central questions in this presentation. We will cover the 3 "ingredients" of multiplexing (the fiber, the passive mux, and the transceiver) and talk about the limitations and possibilities of multiple 100G channels over one fiber pair. We will also cover the following topics: the challenges that arise due to attenuation and chromatic dispersion; different types of multiplexers, cascaded TFF and AWG (including Gaussian fit and flat top); ITU grids such as DWDM and the new LWDM band (often used for 5G deployment); modulation & coherent 100G/200G/400G; how to use QSFP28 DWDM PAM4; and what is coming in 2020, 400G DWDM QSFP-DD. At the end of this talk, you will understand the future of 100G multiplexing and how it can fit into your network.
Presentation Files
Video Files
Analyzing the Costs (and Benefits) of DNS, DoT, and DoH for the Modern Web
Date/Time 5:00 PM to 5:30 PM recorded
Location Lone Star Salon D-H, Level 3
Presenters
Speaker
Austin Hounsel
I'm a Ph.D. student in the Computer Science department at Princeton University. Generally speaking, I'm interested in Internet measurements, privacy, and censorship.
Abstract Essentially all Internet communication relies on the Domain Name System (DNS), which first maps a human-readable Internet destination or service to an IP address before two endpoints establish a connection to exchange data. Today, most DNS queries and responses are transmitted in cleartext, making them vulnerable to eavesdroppers and traffic analysis. Past work has demonstrated that DNS queries can reveal everything from browsing activity to user activity in a smart home. To mitigate some of these privacy risks, two new protocols have been proposed: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). Rather than sending queries and responses as cleartext, these protocols establish encrypted tunnels between clients and resolvers. This fundamental architectural change has implications for the performance of DNS, as well as for content delivery. We measure the effect of DoH and DoT on name resolution performance and content delivery. We find that although DoH and DoT response times can be higher than for conventional DNS (Do53), DoT can perform better than both other protocols in terms of page load times, and DoH can at best perform indistinguishably from Do53. However, when network conditions degrade, webpages load quickest with Do53, with a median of almost 0.5 seconds faster compared to DoH. Furthermore, in a substantial number of cases, a webpage may not load at all with DoH, while it loads successfully with DoT and Do53. Our in-depth analysis reveals various opportunities to readily improve DNS performance, for example through opportunistic partial responses and wire-format caching.
Presentation Files
Video Files
Conference Closing
Date/Time 5:30 PM to 6:00 PM recorded
Location Lone Star Salon D-H, Level 3
Presenters
Speaker
Edward McNair, NANOG
Presentation Files
Video Files
ARIN Welcome Reception
Date/Time 6:00 PM to 7:00 PM
Location Lone Star Salon A-C, Level 3
Abstract We encourage you to attend, connect with friends, and recharge before the Public Policy and Members Meeting gets underway.
Sponsors
ARIN