
ENOG 11 in Moscow


The 11th Eurasia Network Operators’ Group (ENOG 11) that was held on 7-8 June 2016 in Moscow, Russia featured a record turnout of 550 participants from the Russian Federation, Commonwealth of Independent States and Eastern Europe who came together to discuss operational issues and share expertise about evolving the Internet in the region. This bi-annual event was supported by the Coordination Center for the .ru /РФ ccTLD, the Technical Center of Internet (TCI), MSK-IX, the RIPE NCC and the Internet Society.

The meeting was held in a combination of Russian and English, but it’s worth highlighting a few talks. First up is the presentation on The New Internet from Stefan Meinders (Deepfield) which identified trends in cross-ISP capacity based on data collected by the Internet Observatory. Back in 2007, 50% of traffic came from thousands of ASNs, but the past ten years have seen increasing consolidation into a smaller number of ASNs. In 2016, just 10 ASNs are generating 70% of the traffic, whilst 30 ASNs account for 80% of this. Another interesting trend is that around 60% of Internet traffic is now originating from Content Delivery Networks (CDNs), compared with just 20% in 2009. There are signs this growth is now slowing, which is possibly due to market maturation, but nearly 55% of this is currently web, 40% video, and the rest other traffic.

Anurag Bhatia (Hurricane Electric) also provided an informative overview of how ASes 1-3 are misused on the Internet, usually due to blind copying of sample configurations or typos in routing policy. This can result in wrongly prepended route announcements propagating across the Internet, more chances of broken connectivity of routes due to BGP loop prevention, and the possibility of being treated as an AS hijack.

An analysis undertaken from 2010 to 2015 revealed the worst offenders, and whilst this primarily affected IPv4 prefixes, there were also a handful of IPv6 prefixes involved as well. Whilst in many cases the leaks were short lived, there were a number that exceeded a year, and in one case nearly 4 years. Anurag provided some advice on how to avoid mistakes, and recommended that operators read their particular router’s documentation to ensure that they’re prepending properly.

The problem of BGP route leaks was further highlighted by Alexander Asimov (Qrator Labs) who pointed out that around 1,000 ASes were responsible for around 50,000 leaked routes that affected everyone on the Internet. A new BGP extension was therefore being proposed that could help mitigate route leaks through use of an optional non-transit attribute that would flag whether a route should only be announced internally or to customer links. This is currently the subject of a new Internet Draft, draft-ymbk-idr-bgp-open-policy-00.
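A small model of the export check such a flag makes possible, as an added example that is not taken from the talk or the Internet Draft. It assumes the flag is set when a route is learned from a peer or provider and tested before the route is sent on; the `Route` class, function names and sample routes (documentation prefixes, private-use ASNs) are hypothetical and constructed.

```python
from dataclasses import dataclass, replace

# Neighbour relationship types (labels assumed for this illustration).
CUSTOMER, PEER, PROVIDER = "customer", "peer", "provider"


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple
    customer_only: bool = False  # stand-in for the proposed flag attribute


def on_import(route, learned_from):
    """Ingress: mark routes learned from a peer or provider as customer-only."""
    if learned_from in (PEER, PROVIDER):
        return replace(route, customer_only=True)
    return route


def may_export(route, send_to):
    """Egress: a flagged route may be sent only to customer links."""
    return send_to == CUSTOMER or not route.customer_only


def find_leaks(planned_exports):
    """Return (prefix, learned_from, send_to) for every export that would leak."""
    leaks = []
    for route, learned_from, send_to in planned_exports:
        if not may_export(on_import(route, learned_from), send_to):
            leaks.append((route.prefix, learned_from, send_to))
    return leaks


# Constructed sample: (route, where it was learned, where it is about to be sent).
SAMPLE_EXPORTS = [
    (Route("192.0.2.0/24", (64500,)), CUSTOMER, PROVIDER),        # normal transit
    (Route("198.51.100.0/24", (64496, 64497)), PROVIDER, PEER),   # leak
    (Route("203.0.113.0/24", (64498,)), PEER, PROVIDER),          # leak
    (Route("2001:db8::/32", (64499,)), PROVIDER, CUSTOMER),       # normal
]

if __name__ == "__main__":
    for prefix, src, dst in find_leaks(SAMPLE_EXPORTS):
        print(f"route leak: {prefix} learned from {src}, exported to {dst}")
```
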

Switching to DNS issues, Jaap Akkerhuis (NLnet Labs) described the CDAR (Continuous Data-driven Analysis of Root Stability) study which is analysing how the root server system is affected by the addition of new gTLDs. This shows that whilst the percentage of queries to new gTLDs has increased over time, it is still very low (<0.5%) in relation to other queries. The volume of root traffic for a new gTLD is also often observed to decrease significantly after delegation, although it can also increase temporarily and in the long-term in some cases. RTT (round-trip time) does not seem to be significantly affected after delegation, and thus far it can be concluded the addition of new gTLDs has had limited impact on the root. Work is continuing to standardise and improve the quality of the measurements, as well as develop qualitative scenarios for further root zone expansion.

A significant part of the programme was also devoted to Internet Exchange issues, and included updates on PeeringDB 2.0 which provides a database of peering information on the Internet. This has been completely re-written using Python and HTML5, and features a redesigned schema with data validation, input validation and versioning, as well as a RESTful API to support third party querying.

PeeringDB is an organisation formed in December 2015 and is currently comprised of 94 organisations with an elected board, and funded by a number of official sponsors including the Internet Society. If you aren’t registered in PeeringDB, you can register on the PeeringDB website.

Of the other IX-related presentations, it’s also worth highlighting the View on the Future of IXPs from Konstantin Chumachenko (MSK-IX), as well as the update on Sea-IX (in Russian) which serves 39 ISPs and content providers in the Krasnodar Territory and Rostov Region of Russia.

Last but not least, Kevin Meynell from the Deploy360 team talked about the production launch of Let’s Encrypt and discussed how it can be used to facilitate encrypted mail communications via DNS-based Authentication of Named Entities (DANE).

All the presentations from the meeting can be found on the ENOG website. The next ENOG meeting will be held on 3-4 October 2016 in Yerevan, Armenia.


Deploy360 @ ENOG 11


Kevin Meynell from the Deploy360 team will be presenting at ENOG 11 on Let’s Encrypt and DANE this coming Wednesday. The meeting is being held on 7-8 June 2016 at the Marriott Grand Hotel in Moscow, Russia.

The Eurasia Network Operators’ Group (ENOG) is an open forum where technology experts from the Russian Federation, Commonwealth of Independent States and Eastern Europe gather to discuss operational issues and share knowledge and expertise about evolving the Internet in the region. It’s supported by the Coordination Center for the .ru /РФ ccTLD, the Technical Center of Internet (TCI), MSK-IX and the RIPE NCC.

There are several topics of interest to Deploy360 on the programme, including IPv6 implementation in the region, the state of IPv4 availability, BGP and misused ASNs, and an IXP session. As well as talking about the production launch of Let’s Encrypt, Kevin will also be discussing how Let’s Encrypt can be used to facilitate encrypted mail communications via DNS-based Authentication of Named Entities (DANE).

The full programme can be found on the ENOG 11 website. Registration is free-of-charge and open to anyone, so there are no excuses for not coming along!