Improving Technical Security Mutually Agreed Norms for Routing Security (MANRS)

Network Operators in Latin America and the Caribbean Take Steps to Strengthen Routing Security

2019 has been a very good year for the Internet in Latin America and the Caribbean. In May, during the 31st meeting of LACNIC, several operators pledged to take steps to make routing security, and the Internet itself, stronger. They joined the MANRS initiative, which includes four simple and concrete steps to improve the Internet’s security and reliability. In August, NIC Mexico convened the second meeting of network operators in the country, during which routing security stood out as one of the main issues on the agenda.

The Internet Society also made progress on collaboration with National Research and Education Networks (NRENs) and higher education institutions. During the TICAL 2019 meeting, we offered a workshop on MANRS in collaboration with RedClara, LACNIC, the University of Guadalajara, ANUIES, and the Autonomous University of Yucatán. This workshop was part of a series of virtual sessions started in April, which ended on October 2 during the ANUIES-TIC meeting with a long-term practical workshop.

As we head to the final stretch of the year, the 32nd meeting of LACNIC will be a new opportunity to work with network operators to improve the security of the Internet. From Panama we will advise anyone interested in implementing the four actions of MANRS and offer advice to make the most of the recently launched MANRS Observatory.

As neighbors in this worldwide network called the Internet, we must work together to make it as strong and resilient as we can.

Deploy360 IPv6

Why you need IPv6 and the sad tale of an ISP that didn’t deploy it

IPv6-imageWe’ve recently come across a couple of videos about IPv6 that we think are worth sharing.

The first comes from Ethan Banks of Packet Pushers who makes the case for why you finally really do need IPv6. Here he argues that where IPv6 is not deployed, it’s starting to have a real business impact in a number of regional markets. As IPv4 reaches a stage of imminent exhaustion, it’s becoming necessary to buy address space at a significant cost, or use multiple layers of Network Address Translation that degrade performance and break applications.

In many cases, users already have IPv6 capability as many mobile operators have been deploying IPv6 for a while, whilst other ISPs particularly in US but also parts of Europe, are also rolling it out. Many operating systems including Windows, even prefer using IPv6 for transport, so there no reason not to support IPv6 on your web sites and other services. Indeed, you’re increasingly likely to be cutting off potential users if you don’t.

Conversely, take a look at the sad tale of an ISP that didn’t deploy IPv6 that was produced by the University of Guadalajara for LACNIC 23. This relates the tale of a large incumbent ISP that decided not to deploy IPv6 whilst a smaller one did. The result is that it loses customers be cause it no longer has sufficient IPv4 addresses, it cannot participate in state tenders that require IPv6 to be supported, and eventually its engineers and then sales team leave for the smaller ISP. Whilst real names have not been used in the video, it’s purportedly based on a true story and should therefore serve as a cautionary tale.

One more video to view if you’re interested in deploying IPv6 is Clinton Work’s presentation at NANOG 65 on deploying IPv6 at scale. Here he presents TELUS’s experiences of planning and deploying IPv6, the technical and training challenges, and their reasons for doing it.

We at Deploy360 want to support those interested in deploying IPv6, so please take a look at our Start Here page to understand how you can get started.


Deploy360 IPv6 To archive

LACNIC IPv6 Troubleshooting for Helpdesks Webinar today

lacnic-logoLACNIC is organizing a “IPv6 Troubleshooting for Helpdesks” webinar that will take place today, 23rd March 2016 at 15.00 UYT (UTC -3) through Webex. The main theme of the webinar is how ISP helpdesks can use the RIPE-631 Best Current Operational Practice document and associated online tools to troubleshoot and fix IPv6 issues.

The webinar will be lead by LACNIC with the main speakers being Sander Steffann and Jan Žorž (Internet Society), the two co-authors of RIPE-631.

Jan Zorz and Sander Steffann, webinar presenters
Jan Zorz and Sander Steffann, webinar presenters

Who should attend? Technical staff with IP knowledge, IPv6 network administrators, first- and second- level line support, as well as people from companies implementing IPv6.

There are currently over 120 people registered, so we’re expecting a good webinar to happen today.

Registration if free, so please register at and see you later!


Is RPKI ready to ROA?

Securing BGPIt’s worth drawing attention to the Study and Measurements of the RPKI Deployment. This is a recently published thesis analysing the deployment of RPKI and the quality of the data, but is also worth reading for its comprehensive documentation of routing incidents, the problems they can cause, and mitigation measures that can be implemented.

The analysis reveals that the global percentage of IPv4 address space covered by a Route Origin Authorisation (ROA) was 6.03% in September 2015, although this figure varies widely between the RIR regions. The RIPE NCC and LACNIC lead the way with 18.67% and 13.87% respectively, AfriNIC comes close to the average at 5.31%, but ARIN registers just 1.98% and APNIC even further behind with just 0.40% .

Perhaps more interestingly though, an authentication analysis undertaken between March 2012 and September 2014 revealed issues with the registration of many RPKI resources, as well as a couple of RIR repositories. However, whilst the percentage of invalid RPKI-covered prefixes in 2012 was as high as 21%, this progressively dropped to just over 7% by September 2015 which indicates a decrease in problems as RPKI deployments has risen.

It’s also interesting to note that even where invalid prefixes were found, most of them were covered by another valid or not found prefix. This suggests that dropping invalid prefixes from the routing table may be less problematic than previously thought by network operators.

More Information

For more information on Securing BGP, please do look at our Start Here page to understand how you can get started transitioning your networks.


IPv4 is Really Almost Out – The Time for IPv6 is NOW

On our Deploy360 blog we’ve been documenting the exhaustion of IPv4 addresses in each of the regional registry pools around the world. Yesterday, LACNIC announced that practically speaking there are no more IPv4 addresses available in Latin America and the Caribbean. What this actually means as we documented on our Deploy360 site is that they are down to the final 25% of their last /8 allocation, and are now in a mode of operation where allocations are far more limited and review of applications for new addresses is much more restrictive. It is starting to become impossible to get IPv4 address space using the traditional means around the globe.

As LACNIC CEO Raul Echebarria pointed out, the need for network operators to transition to IPv6 has never been more urgent. There is plenty of IPv6 address space available for anyone who wants to use it and there is more and more IPv6 being deployed in networks around the world. As we document on the World IPv6 Launch site each month, the number of networks with measurable IPv6 deployment continues to increase, and the amount of traffic from those networks to big websites around the world increases steadily as well. It is worthwhile mentioning that the most popular websites – Google, Facebook, YouTube, Yahoo!, and Wikipedia – have been using IPv6 for a couple of years now. We also observed that networks that have IPv6 deployed for their end users see a lot of IPv6 traffic on their network.

Transitioning to IPv6 is very possible and the exhaustion of IPv4 addresses in the LACNIC region just provides us with one more reminder that now is the time to make the transition. Our Deploy360 Programme can help you get started.

Deploy360 Events Improving Technical Security IPv6

Watch LIVE NOW – IPv6 Security Session Out of LACNIC 21

lacnic21-promohomeInterested to learn more about IPv6 security? Our Chris Grundemann will be speaking about “Security In An IPv6 World” at LACNIC 21 in Cancun in just a few minutes.  He is the second speaker in a session that is scheduled to start at 9:30am local time (which is 10:30 US EDT and 14:30 UTC)… which is pretty much right now!  You can view the session live at:

You can view the live stream in Spanish, Portuguese or English… although Chris will be speaking in English! 🙂

Chris will also be speaking about the Deploy360 Programme tomorrow, May 7, 2014, at 9:05am local time (14:05 UTC).  (You can read more about what Chris is doing at LACNIC 21 this week.)

Our colleague Mat Ford will be speaking on Friday at 9:15-9:30am local time (14:15-14:30 UTC) about our routing resilience survey.

You can see the full agenda for LACNIC 21 at their website.