
DHPA Techday 2015 - Marc Gauw - Trusted Networks Initiative

Date post: 02-Aug-2015
DHPA Techday, 21 May 2015: Trusted Networks Initiative, Marc Gauw, NLnet
Transcript

DHPA Techday

21 May 2015

‘Trusted Networks Initiative’

Marc Gauw, NLnet


Marc Gauw Michiel Leenaars

NLnet ?

• NLnet used to be an Internet Service Provider (’80s and ’90s), sold in 1996

• Since 1996 an ‘ANBI foundation’; mission: ‘to stimulate electronic information-exchange’

• In the last few years we have had a special focus on cybersecurity projects, for example:

o Trusted Networks Initiative (AntiDDoS)
o Holland Strikes Back (cybersecurity congress)
o Radically Open Security (cybersecurity start-up)
o Various projects with the NCSC (tools and scripts)
o Many donations, mostly contributing to ‘safe’ open source development
o Many loans, e.g. to De Nationale Wasstraat (AntiDDoS)
o Partner in setting up ‘Internet.nl’ (safe internet education)
o Support of the Open Invention Network (open source patent defense, https://nlnet.nl/help/ )
o Participant in Digitale Infrastructuur Nederland (‘DINL’)

‘Trusted Networks Initiative’

A last ‘drawbridge’ in case of (too) big DDoS attacks

A last-resort solution

The problem:

DDoS attacks could become too big or too long-lasting to mitigate with current solutions.

A last-resort solution:

Temporarily disconnect your website from the ‘untrusted part of the Internet’ and remain accessible from the ‘trusted part’.

‘The’ Internet ?

[Diagram labels: website visitor; website.com]

The Inter’-’net !

[Diagram labels: website visitor; Access Networks; Transit Networks; Internet Exchanges; Hosts; website.com]

The Internet: Trusted and less trusted parts

[Diagram labels: website visitor; critical.com. Source: www.digitalattackmap.com]

Create additional ‘drawbridges’

[Diagram labels: website visitors; ‘Trusted Internet’; ‘Global Internet’; critical.com]

During emergency: raise the bridge to ‘global’ temporarily

[Diagram labels: website visitors; ‘Trusted Internet’; ‘Global Internet’; critical.com]

What is a Trusted Network ?

A website and/or network that commits:

1) to take technical measures to prevent DDoS attacks, like antispoofing/BCP38

2) to secure organisational measures to quickly act in case of attacks from its own network

3) to follow the applicable law and cooperate with justice.

If you commit:

[Diagram labels: “Trusted Networks Initiative”; Website Operators; Access Networks; Internet Exchanges; Institutes]

Supported by:

Endorsed by :

Current IXPs, networks and members

Trusted Routing concept

[Diagram labels: critical.com; access.com; other.com; Internet Exchange; Global Internet Feed(s); Trusted Routing; Additional Routes; VLAN 112; Trusted-Routing-Routeserver; website visitor via ‘trusted’; website visitor via ‘global’]

Technical Requirements

Required:

• your own AS,
• your own IP (/24 IPv4),
• your own BGP4-router
• enough routing knowledge

Option I: “Emergency-only”

[Diagram labels: critical.com; Global Internet (×5); 112 (×5); Community-Routing with ‘Normal’ and ‘Emergency’ directions (×5); Trusted-Routing-Routeserver: ‘Emergency-Only’]

Option II: “Permanent”

[Diagram labels: Trusted-Routing-Routeserver; Global Internet (×5); 112 (×5); direct permanent session]

In case of emergency

In case of an attack:

- announce the attacked IP address to Trusted Networks only
- and blackhole the attacked IP address on the global internet feed(s)
- or disconnect the attacked block from the global internet feed(s)

[Diagram labels: critical.com; Global Internet Feed(s); Trusted Routing; website visitor via ‘trusted’; website visitor via ‘global’]
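The emergency procedure above, modelled as an added example (not part of the original slides): it builds the per-session announcement plan for each mode and checks what a visitor arriving via ‘trusted’ or ‘global’ networks can still reach. The session names, the documentation prefix 192.0.2.0/24 and the use of the RFC 7999 BLACKHOLE community to signal the blackhole on global feeds are assumptions; the slides do not say how the blackhole is signalled.

```python
import ipaddress

BLACKHOLE = "65535:666"  # well-known BLACKHOLE community (RFC 7999); assumed signalling

# Constructed BGP sessions of a Trusted Network (names are hypothetical).
SESSIONS = {
    "tr-routeserver-vlan112": "trusted",
    "transit-a": "global",
    "transit-b": "global",
}

def plan_announcements(block, attacked_ip, mode):
    """Return {session: [(prefix, communities), ...]} for one mode (IPv4 only).

    mode: 'normal', 'blackhole' (drop only the attacked IP on global feeds)
          or 'disconnect' (withdraw the whole block from global feeds).
    """
    if mode not in ("normal", "blackhole", "disconnect"):
        raise ValueError(f"unknown mode: {mode}")
    block = ipaddress.ip_network(block)
    host = ipaddress.ip_network(f"{attacked_ip}/32")
    if not host.subnet_of(block):
        raise ValueError("attacked IP is not inside the announced block")
    plan = {}
    for name, kind in SESSIONS.items():
        routes = [(block, ())]            # trusted sessions always keep the block
        if kind == "global" and mode == "blackhole":
            routes.append((host, (BLACKHOLE,)))
        elif kind == "global" and mode == "disconnect":
            routes = []                   # nothing announced to global feeds
        plan[name] = routes
    return plan

def reachable(plan, via, dst_ip):
    """Can a visitor arriving via 'trusted' or 'global' networks reach dst_ip?"""
    dst = ipaddress.ip_address(dst_ip)
    for name, routes in plan.items():
        if SESSIONS[name] != via:
            continue
        matches = [r for r in routes if dst in r[0]]
        if matches:
            # Longest-prefix match decides; a blackholed route drops the traffic.
            _, communities = max(matches, key=lambda r: r[0].prefixlen)
            if BLACKHOLE not in communities:
                return True
    return False
```

The model makes the trade-off visible: with the blackhole option the rest of the /24 stays reachable from the global internet, with the disconnect option the whole block is reachable via Trusted Networks only.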

Trusted Routing: Connection details

[Diagram labels: critical.com; Router of Trusted Network; patch cable; IX Port + VLANs; Internet Exchange; Trusted Routing VLAN 112; Trusted-Routing-Routeserver; routes to other Trusted Networks; additional VLAN(s) & routing to ‘global’; Global Internet; routes to other networks; various routings]

[Website screenshot labels: Member-page; Policy; FAQ]

Qualification-memo and Trusted Network Policy at: www.trustednetworksinitiative.nl

Get connected to Trusted Routing

1) Qualify for Trusted Network: www.trustednetworksinitiative.nl

2) Request the Trusted Routing connection: www.nl-ix.net/trustedrouting, ams-ix.net/trusted-networks-initiative

Step 1: “Qualify”

1) Qualify for Trusted Network: www.trustednetworksinitiative.nl

Step 2: “Connect to Trusted Routing”

2) Request the Trusted Routing connection: www.nl-ix.net/trustedrouting, ams-ix.net/trusted-networks-initiative

[Diagram labels: critical.com; trustednetwork.com]

Operations: Technical Design

Operations: Configuration training

By teacher Iljitsch van Beijnum, author of:

Operations: Participants website (www.tn-init.nl)

Operations: Mailing lists

Shared mailing list for qualified Trusted Networks: [email protected]

Shared mailing list for members (and observers) of the Trusted Network Initiative: [email protected]

[Diagram labels: Members/Observers (×5)]

By the way…:

https://nlnet.nl/help/

https://nlnet.nl/helpmee/

Thank you ! …..

