Cisco Blogs



Securing Critical Internet Infrastructure: an RPKI case study in Ecuador

Securing the critical Internet infrastructure is an ongoing challenge for operators, one that requires collaboration across administrative boundaries. Last September something exceptional happened in Ecuador, a small South American country. The entire local network operations community came together to pioneer securing its local Internet infrastructure by registering its networks in the Resource Public Key Infrastructure (RPKI) system and implementing secure origin AS validation. This project is a great example of how a global technology change can be accelerated by maximizing its value to local communities.

The global inter-domain routing infrastructure depends on BGP, a protocol initially developed in the early 90s. Operators know that a number of techniques are needed to improve BGP security (a good reference can be found here). Despite these improvements, it is still possible to impersonate the entity that holds the right of use of Internet resources and produce a prefix hijack, as in the famous attack in 2007. The IETF, vendors and Regional Internet Registries have been working inside the SIDR working group to create technologies that allow cryptographic validation. The initial outcomes of this effort have been the RPKI and BGP origin AS validation, two complementary technologies that work together to improve inter-domain routing security.


IPv6 Peering, Part 2: The Next Steps for ISP Interfacing

August 6, 2012 at 5:00 am PST

In my first post on IPv6 peering, I provided some sample questions for your ISP and discussed considerations for the physical implementation. After the physical details have been worked out, the next step is to set up the control plane so that routing information can be exchanged. From a routing perspective, most providers prefer that you peer with them using either BGP or static routing. Static routing is typically used for single-homed organizations that do not want or need a dynamic routing capability. In this case, the organization has a default route to the ISP, and the ISP distributes the organizational routes via the ISP BGP process.


IPv6 Peering, Part 1: Questions For Your Service Provider

July 16, 2012 at 9:35 am PST

Today, many organizations are focusing on how to integrate IPv6 services into their Internet edge. The World IPv6 Launch has come and gone with over 3000 sites now IPv6-enabled. In addition, the US government has directed that all agencies must enable their Internet-facing services for IPv6 by October 1st, 2012. These drivers are pushing organizations to take a harder look at how to approach IPv6 integration. My next couple of posts will examine how to interface with your Internet Service Provider (ISP).

The Internet edge is the point in your network where your organization will interface with the IPv6 Internet, and it is how customers will access your services. It is important that your ISP's IPv6 service have the same Service Level Agreement (SLA) as your IPv4 point of attachment. After all, you are going to be running your business over both IPv4 and IPv6 for quite some time. To ensure that your ISP’s IPv6 services meet your business and technical requirements, I’ve compiled a list of questions to ask. The questions are grouped along the lines of how IPv6 is physically delivered, how the control plane is handled, and the services that are offered. The following are several example questions:
