We all know about Border Gateway Protocol (BGP). We also know that it’s permissive by nature and that serious problems can happen when routes are leaked or, worse still, hijacked. In previous years, even prominent organisations such as Google, Apple, Facebook, YouTube, and Microsoft have been victims of hijacking, which is a good reminder that we need to actively prevent it.

So, the question remains, how do we protect ourselves and reduce our networks’ vulnerability to leaking and hijacking? Think BGP security!

Although it’s a topic that has been widely discussed for many years, there are a few things you can do to instantly improve BGP security on your network by adopting some of our tips for good BGP hygiene.


Tip One: Block bogons

Plain and simple, by definition, bogon prefixes should not exist on the Internet. Bogon routes are bogus: they are routes for IP address ranges that are unassigned, or reserved for something else altogether, yet have been advertised either by mistake or on purpose. We should not be receiving packets from these ranges or sending packets to them, and if we all block them, we protect our networks.

What do people achieve by using this space? SPAM! You can use a prefix that no one owns and spam to your heart’s content. Team Cymru provides a bogon BGP feed that you can use to drop these prefixes at your edges automatically.


Tip Two: Filter, filter, filter!

Filtering should be applied at every stage, starting with a ‘drop all’ and being specific about what to allow.

Transit Providers – Ingress:

  • Drop Bogons (including RFC1918 space) – DON’T RELY ON A DROP ALL RULE TO CATCH THESE
  • If you are expecting only a default route, DROP EVERYTHING ELSE
  • If you are expecting a full transit feed without default, DROP DEFAULT

Transit Providers – Egress:

  • Send your routes
  • Send your customer routes – that is, the routes tagged with your internal customer community
  • Do not use prefix lists alone – you MUST use prefix lists and communities together

Customers – Ingress:

  • Drop Bogons (including RFC1918 space)
  • Validate prefixes with RIRs and get LOAs – if the customer does not own the prefix, do not accept it
  • Match BOTH prefix AND AS-Path
  • Drop RPKI invalids
  • Set max-prefixes – if a customer should only be sending you ten prefixes, set a limit of 15 on the session. That way, if they have a route leak, their session will be disabled and will stop you from propagating the leak (see tip three for more information on leaky routes)
  • Use communities – tag valid routes here with an internal community, and propagate to your providers based on the communities

Peering Providers (that’s us) – Ingress:

  • Drop Bogons (including RFC1918 space)
  • Do not trust routes from route servers – we validate, but you MUST validate them too
  • Set max-prefix limits on sessions and shut down the route-server session if it exceeds the max-prefix limit (generally 10-20% of total routes)
  • Drop RPKI invalids
  • Set max-prefixes – our numbers are on PeeringDB

Peering Providers – Egress:

  • See Transit Provider Egress
  • Send your internal routes
  • Send your customer routes – that is, the routes tagged with your internal customer community
  • Do not use prefix lists alone – you MUST use prefix lists and communities together


Tip Three: Adopt good routing practices

You should always have a consistent route advertisement policy. Don’t send /24s to peering and /22s to transit providers. Unfortunately, this adds junk into the ever-expanding global routing table and is not beneficial in any shape or form.

Our Tech Team Leader predicts that if we *remove* all the redundant specific routes – that is, /24s when the same path exists with a /22 or something larger – we can reduce the size of the routing table from 870,317 routes all the way down to 390,074 routes (please note that this is an internal finding and should be taken with a grain of salt).


The recommended local preference order is:

  1. Prefer customer routes – they pay you, so if you have a route from a customer, you should use that first.
  2. Prefer peering routes – peering is cheap, so offload as much as you can here to reduce your transit bill
  3. Prefer transit routes – the *last* resort path, as it’s generally expensive

With everyone following the model above, using /24s on peering and /22s on transits makes no sense, as peering will already be preferred – YOU CAN HELP TO SAVE THE ROUTE TABLES!


Tip Four: Use Resource Public Key Infrastructure (RPKI)

If you haven’t already, deploy RPKI. It verifies routes using Route Origin Authorisations (ROAs), which authenticate the origin AS number that is allowed to announce a prefix. Simply put, a ROA acts as a digital thumbprint for the route.

Validate RPKI at every step. Validate routes from transit, peering, and customers.

  • If RPKI state is INVALID, then drop the route. Do not use it to route any packet – no matter what
  • If RPKI state is VALID, prefer this path over an unknown
  • If RPKI state is UNKNOWN, use this path at a lower preference

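As an added illustration of Tips Two, Three and Four (not code from the original post or from IAA), here is a small Python model of the customer-ingress policy, the max-prefix session shutdown and the local-preference order with RPKI state applied. Every value in it is constructed (the bogon list, the customer’s AS and prefixes, the community and local-preference numbers), it assumes the customer only originates its own prefixes, and a real deployment would express the same rules in router policy fed by a bogon feed and an RPKI validator.

```python
import ipaddress

# Constructed inputs (documentation prefixes, private ASNs): not a real customer, feed or community plan.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
CUSTOMER_AS = 64496
CUSTOMER_PREFIXES = {"203.0.113.0/24", "198.51.100.0/24"}  # RIR-validated, LOA on file for this customer
MAX_PREFIX = 15                                            # they should send about ten prefixes
CUSTOMER_COMMUNITY = "64500:100"                           # our internal "valid customer route" tag
BASE_LOCAL_PREF = {"customer": 300, "peer": 200, "transit": 100}  # Tip Three ordering

def is_bogon(prefix):
    net = ipaddress.ip_network(prefix)
    return any(net.version == b.version and net.subnet_of(b) for b in BOGONS)

def customer_ingress(route):
    """Tip Two, Customers - Ingress. route = {"prefix", "as_path" (neighbour first, origin last), "rpki"}.
    Returns (True, community) when the route is accepted and tagged, or (False, reason) when dropped."""
    if is_bogon(route["prefix"]):
        return False, "bogon"
    if route["prefix"] not in CUSTOMER_PREFIXES:
        return False, "prefix not in RIR/LOA list"
    path = route["as_path"]
    if path[0] != CUSTOMER_AS or path[-1] != CUSTOMER_AS:   # match BOTH prefix AND AS-path
        return False, "as-path does not match customer"
    if route["rpki"] == "invalid":
        return False, "rpki invalid"
    return True, CUSTOMER_COMMUNITY                          # egress to providers keys off this tag

def run_customer_session(routes, max_prefix=MAX_PREFIX):
    """Filter every received route; exceeding max_prefix shuts the session so a leak is not propagated."""
    accepted, rejected = {}, {}
    for r in routes:
        ok, detail = customer_ingress(r)
        (accepted if ok else rejected)[r["prefix"]] = detail
        if len(accepted) > max_prefix:
            return {}, rejected, False                       # session disabled, nothing propagated
    return accepted, rejected, True

def local_pref(neighbour_type, rpki):
    """Tip Three order plus Tip Four: invalid is never used; valid beats unknown within a tier."""
    if rpki == "invalid":
        return None
    return BASE_LOCAL_PREF[neighbour_type] + (10 if rpki == "valid" else 0)

def best_path(candidates):
    """candidates: [(neighbour_type, rpki_state)] -> the candidate with the highest local-pref."""
    scored = [(lp, c) for c in candidates if (lp := local_pref(*c)) is not None]
    return max(scored)[1] if scored else None
```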
The Internet continues to be a place of opportunity, both good and bad, and we need to do our best to reduce our networks’ susceptibility to leaking and hijacking. To instantly reduce some of the vulnerabilities of your network, try following our tips for good BGP hygiene or get in contact to speak with one of our network experts at the Internet Association of Australia Ltd, who are always happy to help.


Disclaimer: Before choosing to action any of the tips in this post, please be sure to consult with your organisation’s network and security experts.

IAA submitted to Home Affairs’ Strengthening Australia’s cyber security regulations and incentives paper. In our submission, we highlighted the complexity of existing cybersecurity legislation, especially for smaller ISPs to navigate. We commented on suggested mechanisms which could promote the uptake of cybersecurity, including minimum standards for personal information and health checks for small businesses. We called on Home Affairs to collaboratively engage with relevant industry stakeholders throughout the process of drafting cybersecurity regulation or processes.

IAA supported the extension of the Wholesale ADSL to 20 June 2024 in our recent submission to the ACCC. We raised the point that, as WADSL continues to be prominent in rural, regional and remote areas, it needs to be provisioned for.

We also expressed our perspective on ACMA’s Statement of Expectations (SoE) for the Telecommunications Industry with regards to vulnerable consumers. We extended our support to the SoE; however, we highlighted that for smaller ISPs, some objectives and examples regarding financial hardship and customer service would be difficult to meet because of resource constraints.

The ACCC published updated Non-Discrimination Guidelines for the telecommunications sector, a process we responded to in June. In the new Guidelines, the ACCC will assess whether NBN Co or access providers have acted in a discriminatory manner by conducting an explicit or implicit discrimination test. A quick summary of how this process will work is available here.


This year we launched our IAASysters@AusNOG program. The program is based on the international systers.org and systers@IETF programs and offers ten sponsored attendees the opportunity to participate in both the AusNOG conference and our IAASysters@AusNOG workshop.

We are passionate about cultivating a more inclusive Internet industry and have created the IAASysters@AusNOG program to support and enable women to access the valuable technical content and business networking opportunities that come from the AusNOG conference. 

Sponsored attendees will receive: 

  • Economy airfares to Sydney and three nights’ accommodation for interstate participants 
  • Admission to the AusNOG conference (April 6-7) 
  • Admission to the IAASysters@AusNOG workshop (April 5) 
  • A one-year complimentary Professional membership to IAA – subject to Board approval. 

An essential part of our program is the IAASysters@AusNOG workshop. This is a one-day event offering targeted technical and presentation skills training in addition to a career planning session delivered by industry professionals, designed to help you advance your career.

Whether you are at the beginning of your career, yet to begin or starting again, the IAASysters@AusNOG program offers a variety of opportunities designed to boost your knowledge, skills, and confidence. 

Due to the current Covid-19 situation in New South Wales, the program dates have changed to be in line with the AusNOG conference in December.  

Details for the IAASysters@AusNOG workshop: 

Date: Tuesday, 5 April, 2022
Time: 9:00am AEST – 3:00pm AEST
Location: The Fullerton Hotel, Sydney 

Applications close on Sunday, 31 October 2021, 5:00pm AEDT.

For more information or to apply, please visit the IAASysters@AusNOG information page on our website.

Associations strive to remain relevant, expand their reach and increase profitability. Those that survive and thrive have embraced principles of good governance. Join the Associations Forum at the WA Association Meeting and hear from Kitty Hibble, Executive Officer at Internet Association Australia (IAA), who will discuss the association’s governance transformation. 

Registrations are free and exclusive to Associations Forum members and not-for-profit organisations and will be open online from Tuesday, October 5, 2021. The registration link will be made available through IAA’s social media channels once registrations have opened. 

Date: Monday, October 25, 2021
Time: 3:00pm – 5:00pm AWST
Location: Pan Pacific Perth, 207 Adelaide Terrace, Perth CBD 

We hope to see you there! 

We are excited to announce that we have put forward a submission to host a roundtable discussion exploring what classifying the Internet as an essential service would entail and its wider implications for digital inclusion, minimum service level requirements and digital infrastructure investment for the upcoming NetThing Forum.   

NetThing is Australia’s Internet Governance Forum, an annual two-day event bringing a diverse multidisciplinary community together for the discussion of policy issues pertaining to the Internet and technology in Australia. An open and inclusive platform, NetThing provides an opportunity to explore relevant topics, hear from a range of perspectives, and mobilise the community to collaborate on solutions.   

This event is set to take place on Thursday 4th and Friday 5th November 2021. It will focus on a metanarrative of ‘Building Bridges’, encompassing NetThing’s desire to span the invisible divide between stakeholder groups and bring them together in a safe and moderated environment. The four themes for this year are health, trust, inclusion and environment.

If this is an event you are interested in, you can register now or see their website for more details. 

Want to join a dynamic focus group and give back to your association? We’re looking for a group of five members who would like to join a focus group to provide feedback on our marketing efforts.  

As part of the focus group, you will be asked periodically for your feedback on prospective marketing ideas, campaigns, and content to ensure we provide members with the resources, events, and content they want.  

If this is something you or someone you know is interested in, please get in touch with us at admin@internet.asn.au 

The SHE-E-O event was many things, but most of all, it was inspiring, insightful and empowering. The three incredible women who shared their stories touched on so many areas of relevance to women in the workplace today.  

All from humble beginnings in their careers, the common themes in their stories were having immense grunt and grit, self-belief and being comfortable with breaking with tradition – particularly when you are the only woman in the room.

From mentions of passion, drive and resilience to burnout, the speakers openly talked about the realities of their journey – the highs, the lows and the lifechanging moments.   

Some of the key takeaways from each speaker were: be passionate about the industry you choose to work in and learn the business side of it, women often offer a magical combination of softness and kindness to the workplace, life is a series of lucky breaks, remembering when to switch off and learning to make compromises!

We are proud to be sponsors of this event and look forward to the next inspiring event from WitWA.

The transition to a company limited by guarantee continues as we patiently wait to hear back from ASIC to register under the Corporations Act 2001 (Cth) with deregistration from the Associations Incorporation Act 2015 (WA) complete.   

With lockdowns and now even the earthquake, paperwork processing at ASIC has been delayed. Members should rest assured that we will call the AGM as soon as we hear from ASIC!  

We would like to extend our gratitude to members who participated in the workshops and consultations and voted on the transition. As a member-run association, your input is invaluable.   

After much internal anticipation, research and writing, we are happy to launch our very own blog next month! With a prospective launch date of Friday, October 15, 2021, be sure to keep an eye out on our socials for the announcement of our very first blog post.   

As an organisation that operates for the benefit of the Internet and the people who build and operate it, we have decided that a monthly blog post providing an expert opinion on hot topics relating to the Internet would greatly benefit members.   

If you haven’t already, connect with us on our social media channels: Facebook, LinkedIn and Twitter to get all the latest blog posts, share your thoughts on the topic, and let us know which topics you would like us to cover.   

We are pleased to announce the purchase of 35 Nodegrid Gate Services Routers and two Net Service Routers that will improve our network management and infrastructure. These new pieces of hardware will be used for both in-band and out-of-band services, with one device located in each point-of-presence (PoP) on our network.  

These routers provide peace of mind in the unlikely event that equipment breaks down by ensuring engineers can gain access to broken devices. The new ZPE Systems hardware will also contain both Telstra and Optus SIM cards to ensure redundancy and continuous coverage.  

In future, we will also be able to create data centre latency maps available on Grafana and, later, the members portal.