Deploy360 Domain Name System Security Extensions (DNSSEC) Events

PhNOG: Thriller in Manila

PhNOG 2016Kevin Meynell and Jane Coffin from ISOC participated in the PhNOG Conference 2016 which was held on the 25th of January 2016 in Manila, The Philippines. This was organised by the Department of Science and Technology – Advanced Science and Technology Institute (DOST-ASTI), in partnership with the Philippine Network Operators’ Group (PhNOG) and the Trans-Eurasia Information Network Network Cooperation Center (TEIN*CC) with sponsorship provided by the Internet Society, APNIC, NSRC and others.

The event featured some interesting topics with a mixture of international and local speakers that attracted over 100 attendees. Credit must go to the Programme Committee for putting together such a good programme. The presentations have unfortunately not yet been made publicly available, but we believe they will be published soon and will let you know when they are.

Jane gave a presentation on the Management and Sustainability of IXPs with particular reference to the Philippines Open Internet Exchange (PHOpenIX). Kevin followed this up by providing an overview of Deploy360 and its resources on IPv6, DNSSEC, TLS and secure routing, as well as ISOC’s work in encouraging the development of Best Current Operational Practices (BCOPs) in the different regions around the world. He also introduced MANRS which aims to build a community of security minded operators promoting collaborative responsibility through filtering, anti-spoofing, coordination and global validation actions which elicited some interest from the audience.

It’s worth highlighting a couple of other presentations though. George Michaelson provided another excellent presentation, this time on the state of RPKI. As some may know, RPKI is an exercise in being able to validate that Internet number resources (IP addresses and AS numbers) are held by a particular Local Internet Registry (LIR), with the longer-term goal being secure BGP. George gave some very good examples of how absurdly easy it currently is for bad guys to fake authority in order to hijack or otherwise persuade others to route fake prefixes, and there were at least 2,000 known cases of this happening globally.

APNIC has developed a prototype tool to see which IP address ranges in each country/economy in the Asia-Pacific region are protected by a Route Origin Authorisation (ROA). ROAs attest that particular AS numbers are authorised to originate particular IP prefixes (i.e. specific ranges of IP addresses), and are cryptographically signed by the holders of these resources using RPKI certificates issued by Regional Internet Registries (RIRs) such as APNIC.

The Philippines actually has quite an impressive number of ROAs in comparison to many other countries/economies, although this still constitutes less than 5% of all prefixes. There needs to be a lot more signed prefixes in order to gain critical mass in being able to undertake reliable checks on who controls the number resources.

Another interesting presentation was from Kam-Sze Yeung on Akamai’s State of the Internet report for 2015. We have previously reported on this, but as a major content delivery network provider, Akamai is able to collate substantial amounts of data on many metrics including connection speeds, network availability, traffic patterns, and IPv6 adoption. Unfortunately, the Philippines does not feature particularly highly on many of the rankings which is no surprise to the local network operators, although is by no means bottom of the league in this respect.

All-in-all it was a useful and informative event to have attended, as well as having the opportunity to make contact with and engage with an active community of network operators. Following the PhNOG event, the ISOC staff also attended the co-located APAN 41 meeting.

Development Growing the Internet Internet Exchange Points (IXPs)

IXPs level up in emerging Asia-Pacific

There are currently some 80 or so active Internet exchange points (IXP) operating in Asia-Pacific, according to a database maintained by Packet Clearing House. These are in various stages of development, having as little as 2 to as many as 170 participants, but more than half are concentrated in developed markets like Japan and New Zealand. Most emerging economies in the region only have one or two, and more than 20 countries—most of them in the Pacific—do not have a single IXP.

We have written at length about the benefits of having a carrier-neutral IXP. Costs and delays associated with having to rely on international transit providers are reduced when ISPs can freely exchange local traffic in a local facility—much like using the local post to have your package delivered straight to your cousin in the next village, instead of having it shipped out of and back into the country before it reaches their doorstep. What follows is a more competitive playing field, especially for smaller ISPs, and better quality of service overall. Having more direct routes is becoming even more relevant as more Internet users access bandwidth-heavy content, such as videos, or services like VoIP, which has a low tolerance for latency.

But if IXPs bring in such good gains, why aren’t there more of them? Proportions vary, but pundits like to say that building an IXP is 80% human and 20% technical engineering. It can take as little as US$ 5,000 to put together the physical infrastructure—some routers, switches and cables– but it takes a lot more time and effort to have competing ISPs come together to share a common resource for mutual advantage.

There are different ways by which local communities build momentum. In the Philippines, it was a small ISP that took the plunge and connected to the country’s then newly established open Internet exchange, PhOpenIX at a time when others remained skeptical of its value. In September last year, we helped the Department of Science and Technology-Advanced Science and Technology Institute (DOST-ASTI), which runs PhOpenIX, launch a second IXP in Cebu, in the Visayas region, by which time the IX in Manila, the capital, was interconnecting 43 networks, including major carriers, universities, cable operators, state agencies, hospitals and broadcast companies. In Thailand, a younger neutral IX, BKNIX, which we helped set-up in 2014, is on a similar trajectory.

Now nine years old, PhOpenIX is in many ways leveling up. It increased its capacity from 1Gb to 10Gb in 2015, and has attracted six DNS root server mirrors, as well as Google and Akamai caches—which now comprise the bulk of its traffic. It is reaching out to partners, both in the Philippines and abroad, and is looking into more sustainable funding and governance mechanisms—the focus of our follow-up session at last month’s PHNOG conference.

But with its expansion comes growing pains that many IXPs in the region, and around the world, may be familiar with. The incumbent has recently agreed to host a third PhOpenIX node and peer with the government network, but prefers to negotiate bilateral arrangements with other ISPs, a move that stakeholders fear would undermine trust in an ecosystem where all members have participated on equal terms—with everyone peering with everyone else—and could set a precedent for other operators to follow suit.

The local community is undoubtedly keen to have the incumbent, which currently controls more than 70% of the market, onboard, but it is more keen to have PhOpenIX growing as it has been—open, neutral and non-discriminatory–and to reap the many rewards that these bring, with or without the biggest player in town.

*Photo credit: Benjz Sevilla, Board Member, ISOC Philippines Chapter

To learn more about creating an Internet Exchange Point in your region, please visit our IXP Toolkit.