Security Platforms/Tools

Key Takeaways From the UK Network Operators' Forum

Intrigued by its mission to "pro-actively support the sharing of knowledge, ideas and best practices to enhance the effective, stable and secure operation of the UK's Internet infrastructure as a whole," I attended the annual get-together of the UK Network Operators' Forum (UKNOF) this week.

That mission statement might seem familiar to those in North America, as it is similar to that of the North American Network Operators' Group (NANOG).

First up at the UKNOF day was David Kelsey, head of the Particle Physics Computing Group at The Science and Technology Facilities Council, a UK government body that carries out scientific research. Kelsey's team is tasked with, among other things, providing access for UK scientists to the 70 petabytes of data generated annually by experiments conducted at the CERN facility in Switzerland.

Kelsey described the challenges his team had faced in preparing for the migration from IPv4 to IPv6, a process that began in 2011. Many of the data transfer protocols and data storage systems that were used were not IPv6-ready and much of the campus infrastructure of the UK's research sites had not been IPv6-enabled. The migration is still ongoing, with around a quarter of bulk data transfers now going over IPv6 but the majority still on version 4.

Kelsey was followed by an overview of IPv6 security from David Holder, director at training and consultancy firm Erion. Holder pointed out that although many organizations shy away from implementing IPv6 because of the complexity of dealing with the new cybersecurity attack vectors that it presents, the reality is that most operating systems and devices in the field today are dual stack, with IPv6 switched on by default. As a result, all networks should be secured for IPv6 vulnerabilities regardless of whether or not a user chooses to migrate from v4. Holder went on to identify many of these vulnerabilities, such as Neighbor Discovery Protocol, ICMPv6 and Transition threats.

DNS evolution
Next up was Cathy Almond from the Internet Systems Consortium, who gave a presentation on the upcoming changes to DNS software and services. As a result of those changes, which come into effect on February 1, systems that don't adhere to the EDNS (Extension mechanisms for DNS) protocol will cease to be accommodated: The upshot is that certain websites may become unreachable. You can check out if a certain website will be affected here: https://dnsflagday.net/

Bijal Sanghani, head of the non-profit Internet Exchange Point association Euro-IX Secretariat, then presented a new database of Internet exchange points. It includes a breakdown of network hardware instances by vendor, which predictably shows Cisco (34% share) and Juniper (25%) as the dominant suppliers, followed by some less predictable and possibly erroneous names (Routerboard?). You can also see the ASN of all the major operators (for example, 5400 for BT) and all the IXPs to which they connect -- 19 in BT's case).

Facebook probes
Following Sanghani was Louis Plissonneau, network production engineer at Facebook, who explained how his team was able to detect all TCP retransmits throughout the network by using all production packets (user traffic) as probes (one bit in the packet header identifies whether the packet is a restransmit). He explained that Facebook had been able to write the code to perform this "Total TCP Loss detection" function because it owns its own data centers that house their own racks and networks. Facebook still relies on third-party vendors for spine switches, he noted, but the social media giant is looking to replace these with its own designs eventually.

Last but not least, David Freedman, head of engineering, and colleagues from Claranet, a UK managed services provider, described their implementation of EVPN-VXLAN (Ethernet VPN-Virtual Extensible LAN) in Claranet's data center. Back in 2014 the Claranet team was struggling with constant operational headaches caused by ageing equipment (Cisco Catalyst 6500 switches). Automation was a key consideration in the resulting upgrade plan. EVPN-VXLAN requires many more lines of configuration than traditional networking technologies, which creates many more opportunities to make mistakes. Interestingly, the Claranet team developed its automation stack entirely in-house. The system, which encompasses IPAM (IP Address Management), VLANs and Network Topology, comprises modular components called "policers" that build and sync configuration to network devices. It has a web-based user interface and a REST API for scripting.

To get the slides from these presentations or to sign up for future UKNOF events, see the Forum's website.

— James Crawshaw, Senior Analyst, Heavy Reading

knmitchell 1/18/2019 | 12:16:20 PM
UKNOF Meetings Thank you James for your coverage of UKNOF42.

Note that (again like NANOG), UKNOF meets 3 times a year, not annually.

#UKNOF43 will be in Manchester on 9th April 2019.
Sign In