Post on 02-Aug-2015
transcript
Dutch Datacenter Association
Marc Gauw, Michiel Leenaars

NLnet?
• NLnet used to be an Internet Service Provider (’80s and ’90s), sold in 1996
• Since 1996 an ‘ANBI foundation’; mission ‘to stimulate electronic information-exchange’
• Last few years we have a special focus on cybersecurity projects, examples:
o Trusted Networks Initiative (AntiDDoS)
o Holland Strikes Back (cybersecurity congress)
o Radically Open Security (cybersecurity start-up)
o Various projects with the NCSC (tools and scripts)
o Many donations, mostly contributing to ‘safe’ open source development.
o Many loans, e.g. to De Nationale Wasstraat (AntiDDoS)
o Partner in setting up ‘Internet.nl’ (safe internet education)
o Support of the Open Invention Network (open source patent defense, https://nlnet.nl/help/ )
o Participant in Digitale Infrastructuur Nederland ‘DINL’
The problem:
DDoS attacks could become too big or too long-lasting to mitigate with current solutions.

A last-resort solution:
Temporarily disconnect your website from the ‘untrusted part of the Internet’ and retain access from the ‘trusted part’.

The Inter’-’net!
[Diagram: The Internet: Trusted and less trusted parts. Access Networks, Transit Networks, Internet Exchanges and Hosts sit between a website visitor and website.com / critical.com. Source: www.digitalattackmap.com]
[Diagram: Create additional ‘drawbridges’ between the ‘Trusted Internet’ and the ‘Global Internet’; website visitors reach critical.com over both.]
[Diagram: During emergency: raise the bridge to ‘global’ temporarily; critical.com stays reachable from the ‘Trusted Internet’ only.]
What is a Trusted Network?
A website and/or network that commits:
1) to take technical measures to prevent DDoS attacks, like anti-spoofing/BCP38
2) to take organisational measures to act quickly in case of attacks from its own network
3) to follow the applicable law and cooperate with justice.
If you commit:
[Diagram: Trusted Routing concept. critical.com, access.com and other.com peer at the Internet Exchange with the Trusted-Routing Routeserver on VLAN 112 (additional routes, ‘Trusted Routing’) next to their Global Internet feed(s); a website visitor reaches critical.com via ‘trusted’ or via ‘global’.]
Technical Requirements
Required:
• your own AS,
• your own IP space (/24 IPv4),
• your own BGP4 router,
• enough routing knowledge.
[Diagram: Option I “Emergency-only”. critical.com keeps its Global Internet feeds; the session to the Trusted-Routing Routeserver over VLAN 112 uses community-based routing that is switched from ‘Normal’ to ‘Emergency’ only in case of emergency.]
[Diagram: Option II “Permanent”. A direct permanent session to the Trusted-Routing Routeserver over VLAN 112 next to the Global Internet feeds; website visitors reach critical.com via ‘trusted’ and via ‘global’, and in case of emergency via ‘trusted’ only.]
In case of an attack:
- announce the attacked IP address to Trusted Networks only,
- and blackhole the attacked IP address on the global internet feed(s),
- or disconnect the attacked block from the global internet feed(s).
[Diagram: critical.com with its Global Internet Feed(s) and Trusted Routing.]
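The attack procedure above, written out as router policy. This is an added example and not configuration from the presentation, NLnet, NL-ix or AMS-IX. It uses BIRD 2 syntax, documentation-range addresses and private AS numbers (RFC 5737, RFC 6996), and assumes the trusted route server accepts the /24 and the transit feed honours the RFC 7999 BLACKHOLE community (65535:666). The route server address on VLAN 112, the transit neighbour, the `EMERGENCY` and `DISCONNECT` switches and all prefixes are constructed.

```bird
# Added example (BIRD 2 syntax). All addresses, AS numbers and neighbours are constructed.
define MY_AS     = 64500;            # your own AS (slide requirement)
define MY_PREFIX = 203.0.113.0/24;   # your own /24 IPv4 block (slide requirement)
define ATTACKED  = 203.0.113.10/32;  # host under attack during the emergency
define BLACKHOLE = (65535, 666);     # RFC 7999 well-known BLACKHOLE community
define EMERGENCY  = true;            # raise the drawbridge; set false and reload to return to normal
define DISCONNECT = false;           # true = withdraw the whole block from global feeds instead of
                                     # blackholing only the attacked /32 (the "or" option on the slide)

router id 203.0.113.1;

protocol device { }

# Originate the aggregate and, for the emergency, a /32 for the attacked host.
protocol static originate {
  ipv4;
  route 203.0.113.0/24 unreachable;
  route 203.0.113.10/32 blackhole;
}

# Towards the Trusted-Routing Routeserver (VLAN 112): announce the aggregate only.
# The blackhole /32 must never go here, or trusted visitors would lose the host too.
filter to_trusted {
  if net = ATTACKED then reject;
  if net = MY_PREFIX then accept;
  reject;
}

# Towards the global Internet feed(s):
#  normal     - announce the aggregate, no /32
#  emergency  - announce the attacked /32 tagged BLACKHOLE (remote-triggered blackhole),
#               and optionally withdraw the aggregate entirely (DISCONNECT)
filter to_global {
  if net = ATTACKED then {
    if EMERGENCY then {
      bgp_community.add(BLACKHOLE);
      accept;
    }
    reject;
  }
  if net = MY_PREFIX then {
    if EMERGENCY && DISCONNECT then reject;
    accept;
  }
  reject;
}

protocol bgp trusted_rs {
  description "Trusted-Routing Routeserver, VLAN 112 (constructed address)";
  local as MY_AS;
  neighbor 192.0.2.1 as 64501;
  ipv4 {
    import all;
    export filter to_trusted;
  };
}

protocol bgp global_feed {
  description "Global Internet transit feed (constructed address)";
  local as MY_AS;
  neighbor 198.51.100.1 as 64502;
  ipv4 {
    import all;
    export filter to_global;
  };
}
```

Check the effect before relying on it: with `EMERGENCY = true`, `birdc show route export global_feed` should list only the /32 (or nothing at all with `DISCONNECT = true`), while `birdc show route export trusted_rs` keeps showing the /24. Whether the transit provider really drops traffic on 65535:666 is a contractual question, not something the router can verify on its own.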
[Diagram: Connection details. The router of the Trusted Network uses its IX port and VLANs: the patch cable to the Internet Exchange carries the existing routes to other networks (to ‘global’, the Global Internet) and, on the additional VLAN 112, the Trusted Routing session to the Trusted-Routing Routeserver with routes to other Trusted Networks; critical.com sits behind the router.]
Member-page, Policy, FAQ, Qualification-memo and Trusted Network Policy at: www.trustednetworksinitiative.nl

1) Qualify for Trusted Network: www.trustednetworksinitiative.nl
2) Request the Trusted Routing connection: www.nl-ix.net/trustedrouting or ams-ix.net/trusted-networks-initiative

Step 2: “Connect to Trusted Routing“
[Diagram: Get connected to Trusted Routing: critical.com / trustednetwork.com]
Operations: Configuration training
By teacher Iljitsch van Beijnum, author of:

Operations: Mailinglists
Shared mailinglist for qualified Trusted Networks: tn-tech@list.surfnet.nl
Shared mailinglist for members (and observers) of the Trusted Network Initiative: tn-org@list.surfnet.nl
[Logo slide: Members/Observers]
Ready to go! …..