News & Infos

  • 10.10.2017

    DENOG9 Agenda online


  • 25.07.2017

    Save the Date the real one: DENOG9 23./24.11.2017


  • 19.07.2017

    DENOG9 registration online

DENOG9 Agenda

Day 1 - 23.11.2017

Day | Time | 23.11. | Speaker
--- | --- | --- | ---
1 | 11:30-13:00 | Registration & Welcome Lunch |
1 | 13:00-13:15 | Opening & Welcome | DENOG Orga
1 | 13:15-13:45 | Peering DB Update | Arnold Nipper
1 | 13:45-14:15 | 200G over Alien Wavelength | Moritz Frenzel / Marc Helmus
1 | 14:15-14:45 | Secure your server's IPMI remote management | Werner Fischer
1 | 14:45-15:15 | IP Hijack Attacks: Challenges in Detection | Yuval Shavitt
1 | 15:15-16:00 | Coffee break |
1 | 16:00-16:45 | Lightning Talks |
1 | 16:45-17:00 | DENOG association founding (announcement) | DENOG
1 | 17:00-17:30 | Verification of RFC 6980 Implementations on varying Operating Systems | Jacky Hammer
1 | 17:30-18:00 | Contemporary Linux Networking | Maximilian Wilhelm
1 | 19:00 | Social Event @ Corroboree, Kasinostr. 4-6 (walking distance) |

Day 2 - 24.11.2017

Day | Time | 24.11. | Speaker
--- | --- | --- | ---
2 | 09:00-09:30 | Lightning Talks |
2 | 09:30-10:00 | Automation for Network Lab Environments | Tobias Heister
2 | 10:00-10:30 | Automating Juniper Devices with Ansible | Rudolph Bott
2 | 10:30-11:00 | DENOG association founding (founding meeting) | DENOG
2 | 11:00-11:45 | Coffee break |
2 | 11:45-12:15 | Alice-LG Looking glass | Stefan Plug
2 | 12:15-12:45 | Routing Software vs. Hardware Routers | Oliver Knapp
2 | 12:45-13:00 | Closing | DENOG Orga
2 | 13:00 | Farewell Lunch |

 


 

Talks on Day 1 - 2017-11-23


PeeringDB Update
Arnold Nipper, PeeringDB
PeeringDB has been around for 14+ years and has been extremely useful to the peering industry. Since early 2016 PeeringDB has been an association with members from all over the world. Board elections have taken place three times already. Quite a few policy documents make PeeringDB a sound organisation, which also has sound commercial backing through continuous sponsorships from the smallest to large companies. The board has delegated the future development and the day-to-day work to two committees, the Product Committee and the Admin Committee. All this work is voluntary work. Since 2016-03-15 PeeringDB 2.0 has been live and has been a big success. The Product Committee is constantly gathering input from the community for bug fixes as well as new features. PeeringDB 2.0 also comes with a powerful API which makes it easy to integrate it into any automation.

 

200G over Alien Wavelength
Moritz Frenzel and Marc Helmus, Globalways AG and Gasline
Alien Wavelengths have been around for ages, and have been specified within ITU-T G.698.2, at least for DWDM applications at 2.5 and 10 Gbit/s with 100 GHz channel frequency spacing as well as applications at 10 Gbit/s with 50 GHz channel frequency spacing. However, it is 2017 and the demand for higher bandwidths is there; therefore we went ahead and performed tests with multiple vendors over a span from Stuttgart to Frankfurt with a 50 GHz Alien Wavelength.

 

Secure your server's IPMI remote management
Werner Fischer, Thomas-Krenn AG
"Virtually every server has a dedicated remote management chip in the form of an IPMI Baseboard Management Controller (BMC). This controller is independent of the actual server, but has direct access to its hardware for control and monitoring purposes. These features are also quite desirable for managing servers remotely.
Two factors, however, have prompted security experts to take a closer look at these management chips:
  1. The firmware of an IPMI BMC is usually an embedded Linux, which must be regularly updated with security updates.
  2. The IPMI specification has some security design weaknesses.
In previous years, security analyses published in this context revealed major flaws, and the IPMI firmware images did not make a good showing. Reason enough for administrators not to operate IPMI interfaces publicly on the Internet, or so one would think. Network scans carried out on a large scale showed that hundreds of thousands of servers can be accessed publicly over the Internet via IPMI.
The lack of awareness about existing risks and non-existent knowledge about safe configuration are often the reasons why IPMI interfaces are publicly operated on the Internet. In this talk Werner Fischer will show how you can secure your own server's IPMI configuration and how you can detect suspicious traffic in your networks."

 

IP Hijack Attacks: Challenges in Detection
Yuval Shavitt, BGProtect Ltd. and Tel Aviv University
IP Hijack is an emerging technology that enables sophisticated attackers to perform man-in-the-middle attacks against a network in order to penetrate it, and spy on outgoing or incoming traffic. The IP hijack attack can be done using DNS, BGP, or data plane attacks. The ability to identify these attacks as they occur (in near real time) is crucial to the ability to mitigate their damage and activate protection measures.
In this talk I will explain the attacks and the difficulties in exposing them. I will give examples of real attacks as much as time permits.

 

Verification of RFC 6980 Implementations on varying Operating Systems
Jacky Hammer, ERNW GmbH
Following the research on RFC 6980 implementations published on insinuator.net, I would like to present my findings about targeting FreeBSD and additionally some about the behavior of Linux systems that are still to be done. In this talk, I will do a short introduction on IPv6 Neighbor Discovery and the general problem of rogue router advertisements and then cover the topic of sending those and the existing shortcomings of systems enabling one to successfully inject default routes to clients.
As IPv6 becomes more popular and widespread, attacks become more attractive and come to the center of attention. Focusing on abusing the neighbor discovery protocol and router advertisements, we can see how even the best efforts can barely prevent the injection of harmful information.

 

Contemporary Linux Networking
Maximilian Wilhelm, University of Paderborn / Freifunk Hochstift / Freifunk Rheinland
This talk will provide a brief overview of some of the latest developments in the Linux networking world: things like VLAN-aware bridges, VXLAN, VRF-Lites, as well as MPLS support will be shown with practical examples.
Everyone still using »ifconfig«, »route«, »arp« etc. might want to attend to get an idea how to use the Linux swiss army knife for networkers (»ip«) which already has replaced or will replace all the old tools on current distributions.
For Debian-based systems ifupdown2 provides a convenient replacement for the old ifupdown toolchain including configuration for VLAN interfaces and LAGs which previously required auxiliary tools.
At the end you will get a glimpse into building your own SDN with Debian Linux, ifupdown2, Salt Stack and Python.

 

Talks on Day 2 - 2017-11-24

 

Automation for Network Lab Environments
Tobias Heister, Xantaro Deutschland GmbH
We operate a network test, verification and PoC lab in our Frankfurt location. Technology from various vendors spanning various OSI layers (optical to application) is placed and run in this lab. This talk describes how we tame and manage all of these devices using open source tools and scripting:
  • Asset management with RackTables
  • Reservation/scheduling system based on PHP Scheduler
  • lots of scripting glue to tie all of it together to make it easy and convenient to use
  • Power management via outlet monitoring and powering off of unused and unreserved devices
  • many small bits and pieces like autogenerated aliases for every device to access it via ssh/serial console, power on/off the device
  • Monitoring via LibreNMS/Grafana


 

Automating Juniper Devices with Ansible
Rudolph Bott, sipgate GmbH
We replaced our datacenter network gear and decided to let Ansible do all the dirty configuration work. Since we found that nobody usually talks about these things in public, we decided to change that.
Choosing new network gear is not that easy. We would like to give you some insights how we ended up using Juniper gear, why we chose Ansible over other solutions, what are the benefits we already have and what is there to come. And last but not least some examples to get you started into network automation with Ansible!

 

Alice-LG Looking glass
Stefan Plug, ECIX
ECIX is proud to introduce to the world her new looking glass: Alice-LG. Check her out in action at lg.ecix.net.
The looking glass has the following features:
  • show who is peering with the route servers, and who not
  • show which routes are advertised, and by whom
  • show which routes the route server has rejected, and why
  • show which routes were NOT exported to whom, and why
  • all data you see is also available using the REST API
  • fully open source! Get your own copy at github.com/ecix/alice-lg
Alice-LG was born during RIPE NCC's RIPE 73 hackathon in Madrid where our developer Matthias Hannig joined forces with INEX's Barry O'Donovan's team to build a front-end for Barry's new BIRD API, Birdseye. We decided to further develop this new looking glass into Alice-LG. A huge thanks to Eileen Gallagher from INEX for coming up with that name. A pretty sweet feature which Alice-LG throws at us is her REST API, some examples:
  • lg.ecix.net/api/routeservers
  • lg.ecix.net/api/routeservers/0/neighbours
Internally we use the REST API for some Slack tools to quickly check up on a peer without having to log into the route servers themselves, but we can totally imagine a peer writing a tool which alerts them whenever Alice-LG sees that their routes are being rejected.
Alice-LG is developed in-house at ECIX, but it is entirely open source and available to all at github.com/ecix/alice-lg.
Development on Alice-LG is ever ongoing. If you find a bug, miss a feature, or miss documentation don't hesitate to open up an issue on GitHub.

 

Routing Software vs. Hardware Routers
Oliver Knapp, Nokia
Software routing based on standard x86 server hardware has become a viable alternative to specialized hardware routers in recent years. In this presentation, some basic concepts and technologies of software-based routing are explained, and a comparison with conventional hardware-based routers is attempted, as well as a look at where software routers might have some intrinsic limitations.

Lightning Talks

C-RAN – Far more than 5G…
James Merchant, Huber+Suhner Cube Optics AG

Supporting NOGs in our Region
Mirjam Kühne, RIPE NCC

DDoS in Deutschland
Karsten Desler, Link11

Status Quo IPv6 Sub-assignment Clarification (RIPE address policy proposal 2016-04)
Maximilian Wilhelm, Zentrum für Informations- und Medientechnologien (IMT) Universität Paderborn

Avoid blackholing: Selective Next-Hop Resolution
Oliver Herms, EXARING AG

We take care about data quality
Jan Stumpf, DE-CIX Management GmbH

Verify it!
André Niemann, becon GmbH
