>> MACARENA: Good morning, I'm Macarena Segal, part of the LACNIC staff. Thanks to the over 100 participants who are connected, and since there are various speakers who will speak sometimes in English, I'm going to speak in that language now. Welcome to LACNIC 33, our first event online. Thank you to the more than 100 people connected, and given that several speakers are going to present in English, I'm going to also speak in that language.

[Speaking in Spanish]

Before continuing, we have begun recording the session, so anyone who is interested can view the recording in a couple of hours.

[Speaking in Spanish]

The aim of this online event is to give the spirit of our face-to-face event, and for this reason we are inviting you to participate in various sessions and tutorials, load the app, network with other attendees, and follow #LACNIC33 on social media.

[Speaking in Spanish]

As for the session dynamics, participants will not be able to use a microphone; if you have a question, please post it in the question-and-answer box, and if you want to share comments, use the chat feature.

[Speaking in Spanish]

Kindly remember that you may ask a question in English, Spanish or Portuguese, and the questions will be read in both the original language and the speaker's language so that all participants can understand properly.

[Speaking in Spanish]

Trying to reach as many participants as possible, and as a tool to support a better understanding of the presentations, we'll be providing simultaneous translation of the session in three languages: Spanish, English and Portuguese. If you want to listen in any of those languages, use the interpretation button and choose the language of your choice.

[Speaking in Spanish]

>> MACARENA: We can only ask that speakers pay attention to messages in order to keep track of the time.
[Speaking in Spanish]

>> MACARENA: The coordination of the agenda is the responsibility of various individuals, including community representatives and members of the staff. Before we begin with the technical presentations, we'd like to hear from Carolina and (indiscernible), leader of research and infrastructure development on the Internet.

>> CAROLINA: Thank you Macarena. I'm going to share my presentation. Macarena, can you see me?

>> MACARENA: Yes Caro.

>> CAROLINA: Good morning, I'm the coordinator of development projects for LACNIC, and I want to share with you the programs that are being offered to the community. Starting with FRIDA, the main news is that this year we will begin to offer a number of technical projects to strengthen the Internet in Latin America and the Caribbean. We will finance FRIDA projects in two areas. First, we have financing for projects for stability and security, and then another funding line for access to the Internet. Starting with the topic of stability and security, there are a number of projects; the first is cyber security, financing projects around DNS security, routing, data security, among others.

And under the same topic of stability and security we will offer projects related to innovation and automation for networks.

Access to the Internet has as its objective the support of small providers, and also the financing of software and hardware development and access to electricity to reduce costs.

Who can apply? Basically all technical participants can ask for funding, and this is why we are presenting FRIDA here. FRIDA wants to support universities and governmental agencies based in the region, based in Latin America and the Caribbean. This could also be IXPs, NOGs, and college networks.
In terms of how to apply, you will have time until Friday, 22 of May, about two more weeks after the conclusion of this forum, and to be considered you must present a resume with a limit of 750 words through FRIDA. Another important piece of information regarding the support: we will provide financing between $10,000 and $40,000 for a total of $170,000. Where do you find information? At www.FRIDA.net. You will find detailed information on the proposal and instructions on how to apply, and you can also make an appointment to learn more about the program, because FRIDA is one of the topics on which you can ask for a meeting and discuss ideas for the projects or doubts that you may have. You can also reach us at FRIDA@LACNIC.net.

We encourage you to get in touch and consider the possibility of applying, and now I'd like to hand the microphone over to Guillermo.

>> GUILLERMO: I want to announce the invitation for proposals for the project RAICES, which seeks to support the installation of anycast copies of root servers in the region, supporting DNS and providing greater resiliency against any attacks on the root servers and resiliency regarding international links. LACNIC's role is to coordinate the work of the root server operators with the letters F, I, J, K, L, and to coordinate with the institutions hosting the service. Our purpose is to coordinate, and in some instances we provide financing. I want to make it clear that the invitation to apply is open until the 17th of May, and you can see the link, https://raices.LACNIC.net. We don't have time for Q&A here concerning these programs, but like Caro said, you have the links to get more information, and also the virtual meeting sessions tomorrow and Friday will provide more information about this. That is all on my behalf. Thank you.

>> MACARENA: Thank you to Carolina and Guillermo. And now we proceed to the first presentation, with Javier. He will talk about fiber-optic networks for 5G networks in Peru.
>> JAVIER: Thank you Macarena, can you hear me?

>> MACARENA: Yes we can, Javier.

>> JAVIER: First, thank you for the invitation and for allowing me to participate in LACNIC 33. I want to talk about the transport networks for 5G in Peru. The links will appear throughout the presentation so that any investigator or participant can have access to this presentation.

Peru, as in many other countries in Latin America, has more than 100,000 population centers organized around 196 provinces and 1870 districts, and for those of us who work in telecommunications, whether as operators or in the public sector, it is a challenge to provide access to areas that are difficult to reach because of the geography; there could be mountains or jungles, and it is virtually impossible to reach those areas.

Before looking at the networks, what I want to do is provide a brief description of a telecommunications network. You have the access point, transport and the nucleus. We start with 5G now and 6G in the future, but if we do not have access we cannot transport, and therefore access is important, and we also need a transport network of high capacity. In Peru we have a national fiber-optic network where we have two worlds: the public sector, which has installed more than 23,700Km of interurban fiber-optic, and also the national network of over 13,600Km of fiber-optic, and then the fiber-optic network at the national level with over 37,400Km of interurban fiber-optic. We go from the capital in Lima and then the underwater network to other points. There is also a new IXP in Lima. The long-distance network always has to go through Lima, because that is where we also have our connection to the international network with three cables.
The government has done very good work in serving a large portion of the country; 180 areas already have been supplied with fiber-optic, and therefore we can offer pretty much any type of service. Additionally to the state projects by the RDNFO, which has 13,600Km of fiber-optic, there are also regional projects that plan to install over 30,500Km of fiber optics, aiming to reach all of the capital cities and increasing the capacity of the fiber-optic network.

The model that is being implemented in Peru follows a number of projects, some of which have already been approved, others are planned and others have been suspended, but the goal is to have more than 44,000Km of fiber optic throughout the nation. These are high-capacity networks like 5G or high-speed Wi-Fi networks. So the goal is to implement a very robust proposal, and we believe that in the next few years these projects will be completed to achieve greater connectivity.

One of the providers that won a project was a Mexican provider named Azteca, which began operations in June 2015, with 180 state capitals and 322 nodes. The fee established was $23/Mbps. For 1G from Lima we had to pay $100-$200, so $23 seemed very attractive. However, the study around the fee of $23 was made in 2012, so when the plan was implemented the fees had changed, and the other providers were charging $8-$10, and depending on the use you could even achieve fees of $4. So Azteca faced strong competition, not being able to reduce the fee of $23 because it had been fixed by the contract. And here in this graphic you can see that most connections begin in Lima. There is no fiber optic in the areas that are farthest from the center. What are we dealing with now? We were using only 18.96Gbps and 46% of the nodes.
So 54% of the nodes did not have any clients, so as you can see, although we have a high-capacity network, because of the contractual limitation it is limited, and we hope that over the course of this year we will have a solution to this problem so that the network can be utilized by Azteca and the mobile operators. This was a lesson learned for other countries in the world: the matter of fixing a fee by contract could be counterproductive.

On the other hand we also have the microwave links, which in Peru appear here in this photo. There is also a public report about this. Peru has approximately 70,000Km reached by microwaves. In the Peruvian jungle there is no fiber-optic, and the only way to reach those areas is through high-capacity fiber-optic links and microwaves, and we use them to reach also the base stations.

This can be changed with high-capacity microwave, and somehow could allow communication to be established. We can see here that most of the capacity is in the 500Mbps range. And again, once we reach the remote areas it will be in the 100-200Mbps range. Here in the report you can see as well that in the Peruvian jungle we have fiber optics; we have a provider, Telefonica, that offers 7.8Gbps, and Viettel with 6Gbps. You can see the network in color, but we also have other population centers near the border with Brazil and Colombia. In Santa Rosa we have a project that you can see in orange with Gilat, 250Mbps. You can imagine that this would require-- to deploy, so they are limiting factors.

It is important to mention the project to install fiber-optic along the river, which we expect to complete in the short term. And when there is fiber-optic, there is service coverage. We're talking about mobile services and Internet services, and I'd like to talk about the access network, starting in 1990 with 2G until 5G, now being tested, and operators like Entel and Claro are implementing this.
You can see here the significant presence of 2G, less presence of 3G and even less 4G. Here is the spectrum for each operator, and each one of them has a certain quantity assigned depending on their design. Two operators have networks higher than 150MHz.

We also have the 3.5GHz band, which is highly valued in the world, and certain operators have been operating for many years in this band and have been installing their own infrastructure, and you can see some of the antennas for the 5G network.

And lastly I want to talk about the 5G progress in Peru, with four operators testing in the 3.5GHz band, and we can see that 5G is closely related to speed and low latency. This is what I wanted to show you in this presentation; the links to the reports are available in the presentation, and I'm available for your questions or comments.

>> MACARENA: Thank you Javier. We have a couple of minutes for questions. Cesar, can you talk about the questions that have been received?

>> CESAR: Yes, thank you for the presentation. William says good morning; if Peru has this infrastructure, what are the limitations for the country to connect to the clear network and the 5G network?

>> JAVIER: The infrastructure exists and 5G networks will be implemented during 2020-21, but there are certain limitations, like the fee limitations and the development of regional networks already in progress. So we can't use the network to its full capacity.

>> CESAR: No other questions for Javier, Macarena.

>> MACARENA: Thank you for the discussion and the questions. Our next speaker is Massimo Candela, a software engineer who develops applications for day-to-day Internet operations and currently contributes to the automation and monitoring of the NTT global IP network, and Massimo will present on -- monitoring. Welcome Massimo.

>> MASSIMO: Hello everybody, can you hear me?
My name is Massimo Candela, senior software engineer at NTT, one of the largest providers, and I work on monitoring. The presentation is about monitoring, in particular BGP monitoring, and I will present this tool called BGPalerter. Since you're in front of your computer, if you follow a few steps you will be able to monitor your BGP in no time.

So let's start. We did this because we needed something to monitor at least for hijacks or visibility loss, and after we did this a lot of new features and new types of monitoring were implemented, but you can also benefit because this is open source and it is released at this link under BSD-3-Clause, so you can do essentially whatever you want. It is a tool that works in real time; if something happens to your network you will be notified in a matter of seconds, and it is extremely easy to use; it is our main goal to make it really easy to use. It requires almost no configuration, and you don't have to collect any data, as it uses public repositories.

If you are operating and monitoring your network, monitoring BGP is not only to identify hijacks, but it is especially important to timely identify if you are doing something wrong; essentially getting notified if you're doing something you were not supposed to, or identifying loss of visibility. And why release this as open source? Not only because we use a lot of open source and love it, but also because a network is composed of a lot of players; they need a level of automation and expertise to operate on the global Internet, and having tools that are free to use and easy to use will in the end improve Internet stability. And everybody will benefit from it.

So this is an example of the alerts that you can get; many of us have a channel dedicated to it, and this is the type of alerts you get. These are random examples, but to give you an idea.
And now from this moment we'll start immediately to see how you can have this and start monitoring your own system.

So the link I gave at the beginning is where you can find everything, and if you did not get the link you can search on Google for "ntt bgp alert"; it is the first result that you will find. If you click on that you will enter this page, and you will see the icon that says releases; you click on top of the yellow bar and you enter the release page, where the last release is v1.24.0. This is a compiled binary; all you have to do is download and run it. There are other possible ways of getting it, but essentially you download and run it. In Linux, for example, you make it executable and run it. And I can show you easily -- I hope you are able to see my screen. If you don't, let me know. I already downloaded it; I'm on Mac and downloaded the Mac version, and the first thing is to make it executable and then just execute it. The first time that you run it, it will ask you if you want to auto-configure it. You say yes. Which autonomous system do you want to monitor? I provided an example: 2914 is NTT; 3333 we use because it has fewer prefixes and the autoconfiguration is much faster. This version is asking you if there is some part of your address space that is assigned to you but announced by someone else. You say yes. The last one says, do you want to be notified if your autonomous system starts to announce prefixes that we did not see before? You say yes. The auto-configuration will start, and in a few seconds the monitoring will start. You won't have to do it the next time, because it is monitoring all the prefixes plus the entire autonomous system, and if you kill the application and run it again it will immediately start monitoring, because the configuration we did before will persist and you don't have to do it again anymore. There we go, it's monitoring.

We kill it now, go back to the presentation. Perfect. We did that.
Now, after you monitor, how do you get the information about the alerts? If something happens in the network, how do you get notified? By default you'll go into the logs directory and you will have some files; it will tell you that this autonomous system is announced, things like this, but this is not really an efficient way of doing that. You want something more real-time. So you can be notified by other ways, like email, Slack, Alerta dashboard (which is open source and super easy), Kafka, Syslog, Webex or any HTTP end-point. The alerts are going to be bundled, so if you see noise coming there is something wrong with the configuration, and we will see how we can improve this. It is also important that you monitor multiple prefixes, and you can set user groups in a way that some users are notified only for issues related to some prefixes and others for other prefixes.

Additionally, BGPalerter also gives you the BGP messages, which can be sent to files, and you can see the logs or send them directly to Kafka or store them in your big data solution or wherever you want, and you can troubleshoot with it.

This is an example of an email notification that you can get, and this is the Slack one, with color coding, and this is the dashboard for BGPalerter.

These are the prefixes that are generated by the configuration; you can add a description so that when you receive the alert you immediately know what we're talking about, and which autonomous system is supposed to announce the prefix. If you want to monitor only this prefix, or if you want to ignore it because it is generating noise, there is excludeMonitors: if you are doing an experiment on the prefix you can disable some alerting functions.

You can treat the AS path like sequences of comma-separated -- and for example trigger the alert if it matches this configuration. Things like this can be really useful.

This is an example of the config.yml file.
I show you this because here it tells you a list of monitors, and there are many more of these; these are just three of them, and also the reports, which is where the alerts will go. So if you go to this file, part of the config file is commented out. You remove the comments, and the next time you run it the module will start, so you will be able to monitor it. The new monitor is RPKI. If you have no senior configuration you should look at this: before you send me an alert, I want to make sure that this amount of autonomous systems can see the same BGP message.

RIPE RIS is an amazing project, and it provides the public view of BGP, and we don't parse MRT but get the -- directly from the WebSocket, and this is the link. If you want to add your own data repository you can also do that; it's extremely easy to do that. It is important to specify, I think: the monitoring is done in the application, so the application that you download does the monitoring, and the data is coming from RIS or whatever connector you use.

So what's next? This is something really new and extremely useful; this will go out in one week, because we have a freeze of two weeks while we test the application on our monitoring before releasing to everybody; we want to make sure it is stable enough. Before, it was already there, but it was able to monitor only prefixes, and in a week you will be able to monitor an entire autonomous system for RPKI invalid prefixes or prefixes not covered by ROAs. And this is the type of announcement you can get, for example. We deployed RPKI a couple of weeks ago and we are using this tool and find it really extremely useful --

>> Five minutes.

>> MASSIMO: This is the last slide. This is extremely useful because essentially you can use it while you are deploying and assigning your ROAs, and it will let you know if what you assigned was correct. Maybe you announced a /16 and it is announcing less than a /14: a problem.
After you deploy RPKI it will let you know that everything is in sync between the ROAs you assigned and the configurations. I always want to keep an eye on options for researchers, because I also have a lot of fun doing research, and this tool can process the entire stream at full speed, more than 6000 messages per second, and you -- there is a tutorial here where you can inherit an entire platform if you decide to code the specific analysis that you want to do. I hope it's going to help people in that.

Again, this is the source code and please contribute; people have already contributed to the source code, and I hope this tool can help various operators. This was the last slide. If you have questions, now is the moment.

>> MACARENA: Thank you Massimo. Cesar, any questions for Massimo?

>> CESAR: Yes, thank you Macarena, and we have a couple of questions. First question from Mariano Cavian (sounds like), came in English: generating generic monitoring for an AS, wanting to generate the configuration, is this what is announced? Some of the prefixes cannot be associated; please clarify the config file --

[Speaking in Spanish]

>> CESAR: Screen capture of the configuration, but some of the prefixes do not have the information necessary for ROAs or are RPKI invalid. How can you configure manually?

>> MASSIMO: A really good question. The auto-configuration will also use other data; if you don't have ROAs for your prefixes, or you are not doing any RPKI, or some of the prefixes don't have ROAs assigned, this monitoring will work; it goes online and checks what you are announcing, what your autonomous system is announcing, and also -- and will create rules and validate them by doing RPKI validation of them, and if all of them are valid, all are signed, your configuration is good to go; there's nothing you should check.
If you don't have ROAs assigned, there is no way to validate if what you are currently announcing is what you are supposed to announce, so it is better if you manually validate them, because if you currently have, let's say, a wrong state, you will enforce that state; it's more like double checking by hand, but it will work. Did I answer your question?

>> CESAR: We also have another question from -- Jorge asks, is there a plug-in for (indiscernible) that you know of?

>> MASSIMO: Yes, there is no need to write a plug-in for Nagis (sounds like); if you place this monitoring, you will see that the BGP monitoring is running constantly; you want to make sure that it is connected and working, and if you go into the documentation there is a part related to how to do that and use an API; you enable the API, which can be used through a particular plug-in for Nagis, and it uses it directly to automatically configure it, and the same thing with the reporting; there are plug-ins to do that. So yes.

>> CESAR: From Victor Figueroa: Massimo, do you have some kind of rule set for things like hijacking?

>> MASSIMO: Yes, the code is public; there is a set of rules for more advanced monitoring. It's already there.

>> CESAR: From Pedro Torres. I understood that the app communicates with RIPE over WebSocket? And what type of communication is necessary to use a local BGP?

>> MASSIMO: It communicates with WebSockets, and there are code connectors that can connect to everything that you want; you have to implement a few things to get the data and transport it. At the moment, in addition to the WebSocket there is no other connector, but we created a way that more can be implemented in the future; if there is a specific need you can contribute to the code or open a ticket and we'll check what we can do.

>> CESAR: One last question, in Spanish. Please translate for Massimo. Diego Aguilar asks, can I monitor any AS without being inside of it?

>> MASSIMO: Without what?

>> CESAR: Within the AS.
>> MASSIMO: This monitoring uses public data already available in a lot of public repositories, so you can monitor whatever system you want; you can monitor NTT, Google, whoever. The idea is that you put yours so that you monitor not only what you are doing, if you are doing something wrong, but also your prefixes, which means independently of who is announcing them; so if someone announces your prefixes you will also get notified, not only for your own system, but you can type anything in the auto-configuration.

>> CESAR: No more questions Massimo, but for future reference about this, may you share with us your email?

>> MASSIMO: Massimo@ntt.net. And also on the GitHub repository there are issues, and you can open requests or post questions; go ahead and do it.

>> CESAR: Thank you very much.

>> MACARENA: Thank you, and please write to the email provided for any questions not answered, and now we'll continue with a 5-minute break. Thanks to everyone for observing the time limits.

[5 minute break]

>> MACARENA: Welcome to everyone, and thanks to the over 250 participants, and we continue with the next presentation. -- is a software engineer and he will talk about (indiscernible). Go ahead Agustin.

>> AGUSTIN: Good afternoon to everyone, and thank you for participating and connecting to the technical forum; I hope you're well. I want to talk about a research project at RIPE; this is the list of co-authors. I want to explain what this means, to de-bogonize a prefix, 2a10::/12, and what conclusions we reached. Not too long ago RIPE received a new /12; this is something that had not happened in a long time, and now that we are in a very unique time, at the moment that RIPE, before assigning the new prefix, it was a special moment, and so we decided to do something a little more. The term "bogon" comes from English; it has to do with the traffic around prefixes that have not been assigned yet, and it is not traffic that should be circulating. So when we debogonize we attempt to identify the traffic.
The main question was, once RIPE received this /12, we wanted to debogonize it to see if it was ready to be used by the members who were beginning to use assignments from that /12. The first attempt was a simple packet capture. We used RIPE RIS, a routing tool, and RIPE Atlas.

Regarding RIPE RIS, this route monitoring has two types of nodes: collector nodes that receive peer tables, and peers who choose to be part of this project, who will initiate a peer session and share their vision of the Internet. In LACNIC we have the RRC24. Here is the link if you wish to participate and be part of this. (correction) The most important part is, how do we see this prefix from RIS? And RIPE Atlas is a network of probes. We have 11000 connected probes. Now we have both hardware and software probes. For those who wish to test this, here is the link so you can be a part of this measurement network, and the only requirement is a RIPE access account, which can be easily set up in less than a minute.

This is the well-known graphic from Google. When we started to do some research on past experiences, we started with 2006, where a /48 was announced; then in 2010 a /12, larger, thousands of packets. Then a few years later, 2012, in correlation with the five RIS, we saw that there were hundreds of packets per second. IPv6 was not as big as it is now, in January 2020, when the experiment was made, and now there is greater capacity and greater vulnerabilities. And if we were to carry out the same experiment today, how much more traffic are we going to attract, and with what characteristics?

[English CART ready]

[There was a power outage]

>> AGUSTIN: The majority was ICMP traffic, then TCP; we initiated phase 3 -- we see in the graph the curve that goes up.

>> Five minutes Agustin.
>> AGUSTIN: So if we remove the addresses that we asked the operators about, basically what we see is echo request, destination unreachable and time exceeded; now, part of the spectrum attracted more traffic than others, and if we remove the errors we see that there are many more destination unreachable, which means there are more routing errors than time exceeded, which is related to timeout errors.

And then as far as TCP, what we saw was nothing out of the ordinary; we wanted to see vulnerabilities, and wanted to set a maximum segment size, which makes more sense. In UDP we saw various things, many queries, in particular DNS queries to an abuse network, and many mistakes and configurations that are not relevant. Then, after RIS, we focused on seeing how many could see these prefixes; we asked for a reference prefix, which appears in purple, and the /12 was not well distributed, but the /48 and /32 were. It was above 93%. And with Atlas, we started with a reference prefix, and when we counted the number of probes that could reach these prefixes and we relativized them against the reference prefix, more than 90% of the probes could reach these new prefixes. And if we summarize this, what I want to show you is that in this traffic every prefix is a point. On the left are RIS peers, and on the X axis you see Atlas probes. We see /32 and others. And to finish, sometimes we forget not to have too much irrelevant information; in this case it is good data. And we want to comment that there was TCP coordinated center, return errors, and as far as the rest of the traffic, it came from many origins, and so the use of both of these platforms is a complex experiment and it is difficult to have validated results, but luckily both RIS and Atlas had results that were aligned.

I want to thank you, and if you have any questions or doubts or comments please put them in the Q&A section, or you can also write to me directly.
>> MACARENA: Thank you Agustin, we have a couple of minutes left. Cesar?

>> CESAR: Thank you Macarena and Agustin. I have a question from Mariano. I tried to register, but in order to get into Atlas it asks for credits; how should I proceed?

>> AGUSTIN: A way to generate credits is to be a probe host. So that's the way in which I suggest you begin to generate credits, and now with the software probes you can run a probe in your own facilities, so I suggest going to the link I sent and following the instructions, and it will generate credits so you can enroll.

>> CESAR: Can you tell us your email address again?

>> AGUSTIN: Sure. aformoso@ripe.net

>> MACARENA: Thank you Cesar and Agustin. And Mariano for the question.

Our next speaker is Karen O'Donoge (sounds like), who will talk about the role of network development. Karen is the director of Internet trust and technology for the Internet Society, and in this role she supports the development, deployment and operations of technology standards and best practices to improve the security of the network. Go ahead Karen.

>> KAREN: Thank you, good morning everyone. I'm very pleased to talk about network time security, and a little bit of background: I've been working for the Internet Society now for 10 years, and even prior to that I've been working on the network time protocol and time synchronization in general, and I currently chair the IETF working group on NTP and the 1588 subcommittee on security. So what I wanted to talk a little bit about today is time. Humans have always measured time, and it is always important in a number of ways; it is important to our systems and a key part of our infrastructure, but it is often an overlooked part of the infrastructure; there is a small community of people that work in this space.
Some of the areas where time is very important are maintaining synchronization in power grids; actually web security, where the timestamps in certificates require quality time synchronization; transportation systems; the stock market; and even the navigation problem was resolved with it.

So where does accurate time come from? There's a very basic architecture that you can think of: you have a time reference, and a lot of nations have time references, and these are coordinated through UTC. For example, in the United States there is UTC USNO, a traceable time source. And this time is disseminated in a number of ways, and the most common way is through global navigation satellite systems like Galileo or GPS. And then it is distributed and synchronized through computer networks using NTP and PTP, which is what most of you are familiar with. The network time protocol, developed by the IETF, has been around for over 30 years and pretty much comes installed by default in a lot of applications and platforms. And the precision time protocol has been developed by the IEEE for higher precision and for hardware timestamping.

There are these two basic protocols. They both exchange time for the purpose of clock synchronization, and they use the information exchanged to determine the difference between the two independent clocks, and based on that they make alterations to one of those clocks. They use different techniques for performing this, but they both form a hierarchical tree structure that is the basis for the time information, and there is a little bit of difference in the architecture of the two, but they are somewhat resilient in the presence of packet loss.

The time community has long not prioritized security, because time in and of itself is not a secret. It is information; the time of day is not a value that people have considered to be something that would be a threat, that you would want to corrupt.
In the 20+ years that I have been looking at this and monitoring the evolution of time and its communities, security has never been a high priority, and that has changed in the last 4-5 years. You see continuing interconnection and decentralization, and the more you decentralize, the more you need synchronization.
--- We see a number of incidents on a regular basis, we see the interdependence between our security systems and our time synchronization, and there are also additional legal and compliance requirements, and these are becoming more and more stringent.
--- There are a number of documented attacks, and vulnerabilities that are being discovered. What we realized in the NTP world is that there are three sources of problems. One is flaws in configuration and implementation: the problem is not the way the protocol itself is specified; it is the way it has been configured in an operational system, or a bug in the implementation.
--- The second source of errors is weaknesses in the actual protocol itself. And the third, beyond the protocol itself, is a lack of adequate security mechanisms in the protocol. Despite all of this, and here we are, over 8 years on, we have not had an updated specification for time synchronization security until this year. There has been ongoing work in the IEEE and in the IETF, and this year it looks like both communities will release updated specifications specifically for time synchronization security.
--- The IEEE effort is currently in the final editing process, and the NTS document is in the IETF RFC Editor's queue.
--- In particular, if we look at the IETF and the three problem areas I mentioned: for flaws in configuration and implementation, last year an NTP BCP was published, collecting years and years of experience from the operator communities and specifying additional information for configuring NTP so that it is less vulnerable.
--- For weaknesses in the protocol itself, an updated MAC for NTP was published, RFC 8573, which deprecated the cryptography that should not be used and put a more recent algorithm in its place.
--- Additional weaknesses in the protocol are being looked at with a possible specification of NTPv5. Then the third piece, the meat of what I wanted to talk about today: the lack of adequate security mechanisms. For that we have Network Time Security, which has been specified. The Network Time Security document has been evolving in the IETF for several years now and has gone through several iterations; it is not quite published, it does not have an RFC number yet, but we are in the final stage.
--- What does NTS do for you? In the original version of NTS we built our own key exchange, and we needed a bunch of things, and the security community questioned why we wanted to roll our own solution, so NTS is now based on TLS. It uses TLS to exchange key material, and then it uses NTS extensions for NTPv4 to secure the protocol itself, so it provides integrity for the NTP packets, and it provides unlinkability once NTP has been targeted to an (indiscernible) session.
>> Two minutes left.
>> KAREN: Anyway, it provides a bunch of capabilities, including authentication of clients. At this point it is time to talk about deployment. There are several building blocks of deployment: technology standards development; we have prototype and preliminary implementations; we have done some initial interoperability testing; and the rest of the steps are where we need to go next. We do not quite have production-quality open source, we are looking for commercial products, we need to develop troubleshooting tools, do some preliminary deployments and develop best practices. We have an Internet Society time security project, divided into four pieces, and we are looking to go from that point of preliminary implementation through to guidance. This year we will be focusing a lot on setting up a distributed, multiparty testbed, conducting virtual test events and developing test and measurement tools, and taking all of that in subsequent years to create lessons learned and BCPs.
--- With that, we are looking for potential collaborators in this work. We have already talked to a number of folks interested in working with us, and we are particularly interested in network operators, developers, potential testbed participants, time service providers and folks providing national time services for their countries. So, if you are interested in working with us on the time security project, please send me an email, or you can follow this on the Internet Society webpage. With that, are there any questions?
>> MACARENA: Thank you Karen. Are there any questions for Karen?
>> KAREN: Here are a few resources with a couple of links.
>> CESAR: Thank you Karen, no questions, but for future reference, can you share your email again?
>> KAREN: It's there: odonoghue@isoc.org
>> CESAR: No further questions, Macarena.
>> MACARENA: Our next speaker, also in English, is Richard Hummel, who will present "Understanding the Cyber Threat Landscape". Richard Hummel has 11 years of experience in the intelligence field and is currently the threat intelligence manager for Arbor Networks. Welcome, Richard.
>> RICHARD: Hola, buenos días, that is the extent of my Spanish. Let me get my PowerPoint here.
>> MACARENA: Now we can see it correctly, Richard.
>> RICHARD: Okay, let me get my presentation going. Can you see everything?
>> MACARENA: Yes, thank you.
>> RICHARD: I'm going to rocket through this. The primary focus revolves around the DDoS landscape: what are attackers doing, and how are they changing their techniques to take out networks? It is advancing and evolving. This report and presentation covers the second half of 2018, and we compare that period of time with the previous years. We do that specifically because at the end of the year you have holidays, Christmas and Thanksgiving, and naturally you see increased activity, so what we like to do is compare one snapshot with the same snapshot to see how things have changed. So let's get into it. This is going to be country-to-country espionage.
--- Here are some of the key things that we want to pull out. In the title you have the 4th biannual report. If you go to the link at the bottom, netscout.com/threatreport, you will see the data; if you want to see the carriers and what they are seeing in DDoS, what are the top threats that an enterprise or carrier network is experiencing in general across the landscape?
So it is worth checking out when you have time to download it. One of the things we want to do is look at the different techniques and tactics attackers are using, and there are seven vectors that we have identified or have seen attackers use more frequently. We'll talk about collateral damage, and then go into APT stuff, specifically on the mobile side of the house, and we'll talk about IoT and the intensification of threats, because things are getting bigger and badder and a lot more difficult to get into. So this is a really quick snapshot of what we call the Cyber Threat Horizon. You can go to the URL and register, and you can see attacks as they are occurring in real time, and you can create what we call neighborhoods. I bring this up specifically because a lot of the statistics you will see later on are derived from the data feeding this dashboard, so this is a good way to get a high-level picture of what is happening around the cyber threat landscape specific to DDoS attacks. We have plans to move more into the malware area, but this is more in the DDoS space.
--- So, a little spin on Guy Fawkes: if you remember nothing else from this presentation, remember 8,400,000 attacks in 2019; 23,000 per day; 16 per minute. We recently saw a 1.2 terabit attack. Sometimes they are high-volume, but more often than not they are not. We identified seven new vectors or vectors with increased use; one is ARMS: if you have a Mac and it is an enterprise device, there is a good chance this service is enabled, and the byproduct is that you are vulnerable to becoming an amplifier for these DDoS attacks. It has a vulnerability that allows for amplification of traffic. We have some cool narratives around these.
--- 20.4 billion: the number of IoT devices projected to connect to the Internet this year, which is a lot of IoT devices, a lot of footprint on the Internet that attackers have access to, and this is a scary space. And this is just one recent example of why it is bad.
Mirai is the predominant malware out there, and we have seen an increase in the number of unique variants circulating in the wild; you can see in this chart on the bottom it goes from 34,000 to over 220,000 unique Mirai samples circulating in the wild at the end of 2019. They grow together: as we expand our footprint, the threat continues to grow, and this is the intensification of threats.
--- Top four targeted verticals: wired telecommunications carriers, telecommunications, data processing, and wireless telecommunications carriers. Mainly this is targeted against gamers, taking down networks of competitive gaming; esports is getting huge, there are millions and millions of dollars at risk, and all it takes is a fast, powerful attack to take down a network of potential competition, and it only has to be for a couple of minutes in order to throw a match or for money to exchange hands. It does not have to be a really long-lived attack, not the one-terabit-per-second attack; you want to disrupt this as quickly and efficiently as possible in order to do something which is most likely motivated by fame. So a lot of times when you see these attacks and you see these high-level verticals, that is what we're talking about. A lot of it is just gaming, and wireless telecoms are there because a lot of the Asian community uses wireless access points to do their gaming, and it is more and more popular, so we see the trend of adopting that across the world.
--- One thing that is really notable: if you look at the report, we talk about different verticals. It used to be that we would have the top 10 verticals, and there were not a lot of movers, so we kept the top four, but in the very left-hand column you see satellite telecoms. We saw some attacks, kind of showy, saying "hey, look what we can do", and there was a rumor it was extortion or showboating; they wanted to attack financial institutions in Europe, and little did they know that a lot of the IP footprint for these financial institutions was using satellite IP space. So what happened is that they started targeting all these telecoms with a new technique that I'm going to talk about on the next slide, and the byproduct is that the satellites took a heavy hit and a lot of the networks were wiped out, and just because of that incident satellite telecoms became one of the top 10 verticals targeted by DDoS in 2018. We had not seen satellites show up before.
--- We dug a little bit into the rest, but with some of them it is hard to eke out the motivation. Sometimes what we see is new tools released; they are on the forums and available, or maybe there is a hacker that is always hitting them and all of a sudden they have a new reflector that increases the attacks against them. The last of the wireless telecoms you saw on the previous page, with a 600% increase year over year, which is incredible.
--- DDoS attackers innovate and adapt. Attackers are not only doing recon; they are also monitoring the efficacy of their attacks and adding techniques. So let's break these down. With recon, we mitigated an attack recently where attackers scanned their targeted network and found out where the boundaries were. As an ISP or carrier, or a big enterprise, you have a network footprint and a couple of ASNs or what have you.
Anything in that footprint is your home space, so you are more likely to trust traffic coming from your own home space than something external, but attackers get wise to that as well, so they start scanning these footprints and identify the boundaries of what is good, submit some test packets and figure out what the reply looks like: hey, this works. Now they are going to try to get control of a lot of nodes in the home network and use that as a platform to launch the DDoS attack. They do that, they start launching attacks, maybe choosing a DNS application attack, and maybe that is not working the way they want; maybe the requests are getting through, or they don't see any outages, so they add a couple of vectors, and if that doesn't work, let's do carpet bombing: instead of targeting one destination, I'm going to target the entire area and launch traffic in order to determine the threshold. Let's say I don't care about any traffic unless it reaches 5 Gbps. An attacker might test that, watch the attacks and see the threshold, when stuff starts dropping off, and then back off, and then take the entire CIDR block and send that amount of traffic to every single destination, and you have this massive inbound flood of traffic saturating every single pipe and creating as many problems as possible. But there is more: let's add TCP SYN, so now you have all of these networks, but you have multiple vectors that leverage vulnerabilities, and you are targeting maybe tens of thousands of IP addresses at the same time. This is a very effective tactic; as attackers monitor this they can pivot super easily, and it is hard for a defender to mitigate all of those different threads, so it is important to stay abreast of all of these tactics that attackers are using. That is really one of the newest techniques, carpet bombing with TCP SYN attacks, and it has been very effective in a lot of instances.
--- This is getting into the fun stuff: we did a case study into the different vectors, and I had a lot of questions. Just to break this down, on the right-hand side we have the periodic table of DDoS attack vectors, and there is a lot of information, so download the PDF, blow it up and put it on your wall. This is the maximum amplification factor that we have seen.
>> Five minutes.
>> RICHARD: Thank you. There's a lot of cool stuff here, so dive into this. Here are my questions: How long does it take for a vector to get cleaned up? Does it grow or decay? Which ones pose the greatest risk? Well, you can't predict. You'll see on the right-hand side the removal of these vectors, but this is a lifecycle; you see some of these level off. The story behind these is that Ubiquiti happens to be the use of network devices that have admins behind them. We can't predict for all of the different vectors; this is the most interesting part of all of this: it turns out that attackers are using very few of the available servers out there. CoAP is a good example; we had roughly something in the millions of devices, and when we look at attacks we see how many servers attackers are using: less than 1.5% of the available reflectors and amplifiers for the vector, and that is huge when you start looking at the size of CoAP attacks; we see attacks in the 300 Gbps range. There are a lot of outstanding questions. Quickly, we'll blast through this: again, 24 billion, a 7% increase in IoT devices, and on the right-hand side you see all the OS platforms that Mirai is ported to. 87% increase in exploitation attempts against our IoT honeypots. This is very real and very concerning. Brute force versus exploitation. Notice that at this time there are movements to secure our devices, but it is not enough: you have the OWASP IoT Project, the California bill to ban the use of hardcoded default passwords in consumer IoT devices. What does it mean?
It is a very concerning area that we need to be cognizant of, because as enterprises and carriers there are tons of IoT devices, either in our organizations or for our consumers, so what are we doing to mitigate these? It's something we all need to be concerned about.
>> Two minutes.
>> RICHARD: Mobile malware. It used to be used to track dissidents and protesters in their own country or across the border, looking at geopolitical interests, but they leverage these services, so here are three different countries: China uses POISONCARP, Vietnam has a long history of mobile malware, and Iran uses tools like GolfSpy or MobonoGram. Really quickly on Emotet; there are a lot more details in the PDF. What does it look like? Emotet and TrickBot are the two main threats; if we block Emotet, we also block TrickBot. In a six-month period we have the same amount of samples, 300,000 notifications of victims of Emotet; that theory works. We try to get closer to the source for mitigating these, and it works, so we can cut the head off the snake. (audio loss) Thank you for your time.
>> MACARENA: Any questions for Richard?
>> CESAR: Thank you Richard. Questions for Richard? A question from Eduardo: How frequently do the attacks you mentioned occur? He also says that billions of dollars are lost.
>> RICHARD: I used Google Translate. You are talking about the number of attacks, hourly or daily, and what that means in actual losses for organizations. One of the things that was identified as we were doing this exercise is that we wanted to find out what the dollar amount was; we did not get to it in this report, but it is something we are considering doing for the next one. We do these reports twice per year, and there are a lot of questions around what this means from the monetization standpoint for carrier networks and enterprises. What dollar amount does DDoS cost these organizations?
If an ISP is paying for a 13-year-old to launch attacks, 13-year-olds can cause you lots of damage. So 8.4 million attacks in 2019, about 23,000 a day, 16 per minute. Those statistics are in the PDF, but stay tuned for the next report, because I really do want to do this: what does it mean for the organization? What is the dollar amount? We live and breathe this, because this is how we make our money; you go to the customer and say, hey, this is a cost-benefit analysis. This is something we want to do from the attacker's perspective; we already do that in the business sense, they look at the environment, but I want to look at it from what actual attacks cost. So yes, that is something we are planning on doing for the next one.
>> CESAR: Another question from Oscar: What preventive measures can you take to prevent attacks on IoT devices?
>> RICHARD: That's a tricky one. This is why IoT is so scary. When people ask me what I'm most scared about, it's IoT. What can you do? People say let's get this behind a firewall, but there is a lot of malware that gets around the firewall, so does that make sense? I don't know. As an enterprise you are not going to bring any non-approved device into the office, but as a consumer, how do you do this? Can you tell consumers you are running vulnerable IoT devices that contribute to DDoS? What is the law able to enforce on the manufacturers? Compromising IoT devices is what Mirai is good at. It is imperative that manufacturers are cognizant of this fact and start securing the devices, and that is really where we have to start. We have to come together as a community and say this has to happen, and if it does not, we have to take drastic measures and say we are not going to allow this in our networks, because it is a very real threat and difficult to mitigate.
>> CESAR: The last question: we didn't mention ransomware in the incidents, but it is worth mentioning more. What do you think about ransomware risk?
>> RICHARD: Yeah, ransomware; every time I get asked the question I have to pause. I was working at (indiscernible), and I was the ransomware person, so I know the ins and outs. Here's the reality, from our perspective: one of the things we're trying to do is, we do have the capability to block. If you have ransomware beaconing out to command-and-control, what can we do? We try to get close to the source of the intrusion vector, so one of the things I instructed my team to do is let's focus on what is distributing these malware families. How is ransomware getting into the network? Spam messaging? Malicious macro documents? What is the primary method? In fact, a lot of the more recent ransomware scares have occurred with something you can mitigate: there are vulnerabilities inherent in systems, and they get a foothold, and maybe they want to exfiltrate data or maybe they're looking for things they are interested in, and so let's play ransomware, steal your data and hold you to ransom. So for things like that you need to have adequate patching; as vulnerabilities come out you need to make sure you are patching immediately, and patch cycles can last a long time in organizations, but it is imperative that this happens. You want a -- approach: you want to have some segmentation, so if an attacker did get in they can't move laterally to your systems, and maybe that is two-factor authentication that we have to have to get access to the machine; that approach is also critical. And you need to have backups stored in places that you can't reach any other way except physically, or some other method that does not connect to the rest of your systems. Those are the best practices that I have for ransomware now.
--- If it is distributed by email, make sure you have a good email filter provider, like an IronPort, that monitors for malicious attachments.
It is tough for me, wanting to do something and knowing that if you do see ransomware it is too late, so we're trying to get close to the source of the infection in order to mitigate.
>> CESAR: Thank you Richard. For reference, can you confirm your email?
>> RICHARD: Yes, I had it on the slide: Richard.hummel@netscout.com. Feel free; happy to do a follow-up question and answer.
>> MACARENA: Please send your questions to the speakers' email addresses, and thank you everyone for participating in this session of the first online LACNIC event, LACNIC 33. We look forward to seeing you at 17 UTC, in one hour, when we'll be back with the LACNIC Technical Forum.
>> [One hour break]
>> MACARENA: Hello everyone, welcome to LACNIC 33. Thank you to the almost 200 participants who are connected. I'm going to share this in English.
--- Welcome back, and let me begin by thanking the more than 170 participants connected to the event for being a part of LACNIC 33. As we did this morning, given that speakers are also presenting in English, I'm going to relay key information in that language. As for the dynamics: participants will not be able to use a microphone; if you have any question regarding the content of a presentation, please submit it using the Q&A panel, and if you want to share general comments, please do so in the chat feature.
>> [Speaking in Spanish]
>> MACARENA: Kindly remember that you may ask your questions in English, Spanish or Portuguese, and the questions will be read both in the original language and in the language of the speaker so that all participants understand properly.
--- >> MACARENA: To try to reach as many participants as possible and to better understand the presentations, we'll be providing simultaneous translation in Spanish, English and Portuguese; if you want to see a transcript, please go to the website and press the button to choose your language.
Mariela will be in charge of handling questions and comments and directing them to the speakers, and we ask all presenters to pay attention to the messages that Mariela will provide. And now we begin the second half of LACNIC 33. I'd like to invite Alejandro Acosta.
>> ALEJANDRO: Good afternoon, good morning, can you hear me?
>> MACARENA: Yes, very well.
>> ALEJANDRO: I have 10 minutes to announce the winners of the latest challenge, and we are very satisfied with this initiative. First things first: what is the IPv6 Challenge? It is an initiative created by the community, by you in Latin America, the people deploying IPv6, and you chose to create this challenge. We want to distinguish the work of various organizations that have implemented IPv6 in their networks, and it sounds interesting. Who can participate? This is something that has evolved a bit over the seven iterations of this. All the organizations in the LACNIC area of coverage can participate. This could include ISPs, universities and colleges, as well as governmental agencies, and you do not need to be a member of LACNIC. To participate we ask that you enter your name in the distribution list so that you will be informed about the challenge when it is launched. It will be on our web; there will be a page where you can register. On this occasion we had approximately 40 enrolled in the seventh edition of the IPv6 Challenge, a number that keeps growing from one challenge to the next, and, as you see on the slide, among other things you have to take part in webinars, where we are always in touch with the participants, and you must deliver two entries for the project. It can be confusing: why do we ask for two entries about the project? For example, one photo showing the web servers and another photo showing another part of the project.
(audio loss) The members of the committee are Azael Fernández from Mexico, who has worked with us from the very beginning, Jorge Villa from Cuba, Nicolás Antoniello and --
>> [Applause]
-- I personally will always be very thankful to this committee, because there is always a lot of work. If you would like to know more about the challenge, here are two links: there is general information as well as contact information, and something created recently, the FAQs. We hope that you will be able to have all of your questions answered, or you can contact us. Now I'd like to announce the winners.
--- Second place goes to Luis Javier Barrera and Javier Soto for their work on deploying IPv6, a very complete work, in the segments of the national presidency. First place goes to Felipe Correia and Rosa Ladeira for deploying IPv6 in the network of the National Institute of Pure and Applied Mathematics. There were private enterprises that we would like to enroll in this challenge for the next LACNIC, and we hope that the enthusiasm will continue for the rest of 2020. For the next steps, I'd like to invite you to LACNIC 34; the committee will begin working on the next challenge, and hopefully as many as possible will participate. Macarena? Thank you for your attention.
>> MACARENA: Thank you Alejandro, and congratulations to both winners. The first presentation is from Claudio Ortizo. He is an active researcher in the computing department of the engineering school, and his main area is network optimization. Welcome, Claudio.
>> CLAUDIO: Can you hear me?
>> MACARENA: Yes, Claudio.
>> CLAUDIO: Thank you for the opportunity. I'd like to introduce the work of one of my students. Part of the problem of the international network: we can think about this as an arrangement of autonomous systems. This is a system that shares its routes through BGP. This is known as full-mesh optimality.
The problem is scalability with the number of routers in the AS, because every router has to handle hundreds of iBGP sessions. There is more than one proposal; the most classic one is the use of BGP route reflectors. Route reflectors form an overlay, and routers establish sessions with the reflectors; those are the only ones able to do the overlay, and this happens in two levels. The reflectors themselves are a way to guarantee the messages, and the problem is that each route will be chosen according to the reflector's own view and not necessarily the client's view. It is hard to guarantee that all the routers choose the same egress gateway they would choose with a full mesh. In this project we set one objective: we need to guarantee an optimal mesh and be resilient, and with as few reflectors as possible.
--- In the subsequent stage we did a study. This is an approach that is not that easy because of the topology of the design. There are more recent approaches where we have servers and each is routed separately. In this project we take a classic approach: we build an overlay without zones, without clusters, and even so we have a lot of variety in the internal routers of the network (indiscernible). A second approach was solved. The third approach allows any router to be a reflector, sustaining the resiliency. The problem is that we go from simple to critical on all routes, so there is a coordination problem based on the MPLS. This last variant emphasizes more the design of the international network. In previous versions we worked with various hypotheses, and we saw route clusters, and those POPs are three or four, and most of them are international links. So our approach for practical purposes: we had one application, and they said okay, your approach is possible but not practical. We emphasized the links a lot, so before any failure the links for the distribution of the traffic may be defined in pathways that the network would identify.
That was another primary interest: to deliver the traffic and accept the failure in the nodes, where there is loss or latency. We did contemplate sustaining the route optimization so that the traffic over the first links has a controlled delay.
--- These are the objectives of the traffic engineering. We want to design primary and secondary tunnels. On the other hand, we took a look at what would happen using RSVP-TE to comply with a series of quality-of-service restrictions. We inspected the primary and secondary routes and made sure that they were compatible.
--- The design process is in two stages: first the iBGP overlay, and then the MPLS is detailed. From a high level, we capture the updates for all the routes and we filter them following the BGP path selection algorithm. The prefixes that result are filtered again to discard those that have not been used because there was another, more specific prefix present. The prefixes that survive are grouped into classes according to the combination of ASBRs that will retransmit them. This reduces the complexity of the problem considerably. We calculate the iBGP overlay that is optimal for these classes, and the traffic for each class is estimated using statistics from the source of the network.
--- >> Five minutes.
>> CLAUDIO: This takes care of a single aspect, and this is an example; I have 5 minutes to go, so a little faster. We have the scenario of an international network, with countries like Argentina, Uruguay and Brazil, and the network has millions of connections. And we have this class assignment. Here they are announced by the routers as class 1 TS, CA S2. The first concentration of classes of prefixes makes it simpler. This is the result of that network. We see that the methodology is much more efficient in obtaining the same results. In terms of traffic, quickly: the nominal demand is 346 Gbps of traffic, and it could reach 495 Gbps in the worst-case scenario.
We could reach congestion of about 25% in failed-link combinations and adjacent losses. Under no circumstances will the adjacent losses reach 40% of capacity. To the right you can see where we widened the links, because we do not have any congestion in the network. To conclude, this shows how to coordinate the overlay optimally. The use of classes allows the standards at a bigger scale, and the results for the network show that it is feasible to control with 10% of adjacent loss and spaces that could reach 40% of links, because this is a tremendously robust network. We did a mock exercise with the optimum space, where we simulated LDP and verified that the network was not feasible in any of the scenarios, and we also had an additional 20-25% investment; and for the benefits of measuring one technology versus the other, there are a series of publications that you see here that you can refer to. Here is my email address if any of you wish to contact me; I'm willing to help you with whatever you need. It was a bit fast, but if anyone has a question you can direct it to my email. I'm willing to answer any questions that may arise.
>> MACARENA: Thank you Claudio for your presentation. Mariela, any questions?
>> MARIELA: No questions. Claudio, can we have your email address?
>> CLAUDIO: On the last slide: crisso@fing.edu.ny
>> MARIELA: That was all, Macarena.
>> MACARENA: We'd like to remind all speakers that we have simultaneous transcription, so please speak slowly. Thank you. The next speaker speaks English and will present on trends in RPKI deployment. He has been involved in RPKI development and has been working on the development of an open-source RPKI server implementation, so welcome Tim.
>> TIM: Thank you, can everybody hear me? Thank you for the introduction. I'd like to talk about trends in RPKI deployment. I work for NLnet Labs in the Netherlands; we are a nonprofit foundation that works on open source, open standards and an open Internet.
We've ventured into routing and RPKI; and before I joined I worked for (indiscernible), so I was already quite familiar with the subject. Let's move on to the subject matter. --- We at NLnet Labs do software development, standards development and research, and one of the things we look at is the RPKI data over time. I wanted to share this: what people put into the RPKI. --- We've looked at the data from various sources; namely, we've looked at routing information from various sources like Routeviews, Akamai and RIPE RIS. And a paper was produced where we did a comparison. I'll give you the short version of that and the follow-up here. What did we look at? We looked at accuracy maps. --- Which validated ROAs had prefixes put into the system by people? And where do they occur? And how well do they match what is going on in BGP? These are the sources we used: Routeviews, again historic information, and the mapping into countries is based on the statistics published by the RIRs. --- Then if we look further back, around January 2011, the RIRs started supporting the service, including LACNIC, and of course at the time there was no coverage at all; today we see pretty good coverage, especially in Latin America, and increasing also in other regions. And if I had shown this picture three years ago it would've been more white. If you look at the accuracy of the data, this is a measure of whether your authorized announcements, the announcements that we see in BGP, agree with this or vice versa. And the picture is mostly pretty good, back in April 2019, but not always. This is due to a number of reasons, I believe. Back in the beginning the quality was really poor, and LACNIC and others have invested a lot to improve that, providing users with a good user interface that helps to create a robust system. This has improved the data a lot. --- Most networks were not actively filtering based on ROAs yet.
Even if you did not update your ROAs, you would see negative results, and not everybody was maintaining their ROAs as well as they should. --- Then in 2018 a change happened; this is the year that people started to reject invalid announcements. One of the things that triggered it was probably the much-discussed hijack that resulted in the Route 53 hijack, as it is known, where cryptocurrency was stolen. I think this was the moment that other players started saying enough is enough. --- Before then there were active people, early adopters; Colombia was particularly very active, and most others in the Latin American region. There were small networks in Europe, especially in the Netherlands, but the major ones not so much who were dropping this, but it started to change. --- This is an overview of what we did regarding active measurements; we presented this two years ago and again last year, and we can see a big increase. We have a quote from last week by Job Snijders; the numbers are below. Keep in mind that for RPKI to be effective it is important to deploy (indiscernible). They don't necessarily need to filter unless they need to protect themselves, but in order to protect nobody else it is good to protect anybody in the path. --- There was a big increase, as you can see, starting around 2018, going up and up, and if you look at the accuracy today the picture is actually quite different from the one I showed you before. The accuracy is much higher and is probably the result of people dropping invalids; ROAs that do not reflect what people are doing in BGP. If we look at the coverage we don't see the dropping at all. --- To highlight this picture here, this is showing the change from 2018 until today, where countries in white have less than 90% accuracy and dark blue is 100%; if you look at this over time you will see that all over the globe, essentially, the data quality is really improving a lot.
--- Coverage -- well, like I said earlier, if you are causing your announcements to be invalid because you don't maintain your ROAs, you can either fix them or remove them. If you remove them they would be rejected, so you could hypothesize that people will stop doing RPKI, but that is not what we see. We don't see things going down significantly; actually the opposite is happening. The coverage is still increasing. I'll let this play for a while so you can see the end of it. These videos are in the links and they should work for you. --- Next slide. --- Now, my background is mostly on theory and on the data analysis. I don't actually manage networks myself, but I should include something from what I've heard other people say. --- So the general advice that I hear: if you are looking into doing this, you should monitor before you start dropping; you should also train your helpdesk, because you want to know what is going on. If people call you, you need to understand where to look and what to fix, especially if you are a big organization and everybody in your organization is in the ROA. --- On the other side, if you are creating ROAs you should drop your invalids, and keep them up to date. --- What else happened recently? In 2019, NIC.br deployed RPKI using software we built, and it is one of the main organizations funding our work, so thank NIC.br for that. NIC.br is a bit different from what LACNIC has; LACNIC provides a hosted platform where members use the portal to manage their ROAs. --- At NIC.br, people manage their own CA and they can publish at the RIR. You can also run delegated CAs at the other RIRs; I think it is possible to run it, and other RIRs have a small number of early adopters running a delegated CA. --- Which tools can you use for this? RPKID by Dragon Research Labs, one of the oldest tools, used by several RIRs. And then there is Krill, that we make; it does now support Spanish. Why would you run a delegated CA?
First off, for many of you -- the majority of people here who are LACNIC members -- the LACNIC-hosted interface is perfectly fine for a lot of people, but you may still run into some things yourself, because if you wish you can use one solution across the RIRs and have a single API for all; you can delegate space to others, which you cannot usually do in a portal, so to any customer or team that holds the space. And you have more local control over who can access and modify your RPKI data. --- >> Two minutes left. >> TIM: With regards to Krill, we have lots of documentation. For the easy install we now have Krill Manager, which sets everything up for you, including the proxy, available on the DigitalOcean Marketplace. Today it's semi-official that it is accepted and done. --- NIC.br is going strong. Some early adopters. More importantly, I'll just talk about Krill. What kind of issues do we find? We found issues where people used localhost as a repository, and so people stopped using their delegated CA, so these are really the biggest things that we found since this was started with NIC.br. But I believe that we are well on the way to fix all this, so there are provisions in place to prevent this. So, conclusions: delegated CAs, pricing and uptake; NIC.br members do not have a portal they can use, so they don't have a choice, but it's not stopping them. We do see some early adopters in other regions and we do see some initial issues, but generally speaking it's not much different from what we have seen with people using RIR services. --- Managed repositories are much needed, because we do see that there are many more RPKI repositories putting more burden on the relying party software, and it will be interesting to see where this is going in the near future and the long-term future, for that matter. That brings me to the end of my story. --- Contact details here, and my email address if you have any questions for me or my team -- and with that I'd like to hand it back.
>> MACARENA: Thank you very much Tim. >> MARIELA: We have comments and questions. Carolina, would you please send Ricardo's comments to Tim? >> CAROLINA: I will read in Spanish and English. Let me pull the comments up from Ricardo: we'd like to express our appreciation to NLnet Labs for the good collaboration we had even before the deployment. Do teams use our repository or have their own? >> TIM: You don't have to use a repository provided by NIC.br if you are a member; you can use your own, but most people would choose not to have the burden to distance themselves. >> Thank you Tim. We have a question from Erica Vega. >> So I'll read the question in English and Spanish. Hi, I'm Erica Vega from Colombia; we met in Singapore. What problems do organizations face if they have outdated ROAs and their announcements are invalidated? >> TIM: A significant number of organizations drop RPKI-invalid announcements, and you will see that the announcements don't get very far any more. You need to be aware that this is the effect of not maintaining ROAs, and you have two choices: you can maintain them properly or you can choose not to do it at all, but then you are not protected either. And when I look at the data, there is no doubt that there are some organizations who choose to switch it off because maintaining it is too much work. But coverage is still going up, so by and large people are choosing to fix their ROAs rather than delete them. >> Thank you Tim. Another comment. >> CAROLINA: Last comment. Our approach is to inform the number of notifications and not impact (indiscernible) -- Macarena, those were the last comments and questions. >> MACARENA: Thank you Tim, Carolina and Mariela. Thank you for visiting, and we invite you to take a five-minute break. >> [5 minute break] >> MACARENA: Welcome to all. As for the session dynamics, participants will not be able to use the microphones; if you have questions regarding the content please use the chat feature.
We continue with the next presenter, Hugo Salgado, who works at NIC Chile. And he participates in regional projects like the DNS of LAC, among others. Carlos Martinez is the knowledge manager. Welcome to both. >> CARLOS: We're going to talk about DNSSEC a little bit. Either the algorithm becomes outdated or new vulnerabilities are discovered that make it subject to attack. Hugo, next slide. We'll chat about some of the DNSSEC concepts quickly. DNSSEC is a group of extensions for DNS that works by making some modifications to the protocol plus a few more records to make the information in the DNS structured around the records, like the A record where we usually keep addresses, or the AAAA record, and others. DNS specifically does not have other safeguards for its security other than the unique numbers included in the packets, and this clearly became insufficient. DNSSEC allows us to incorporate various asymmetric cryptography elements, usually known as digital signatures, for DNS information. In order to be able to do asymmetric cryptography we must have certain keys, and those keys are generated starting from asymmetric algorithms like RSA, and a Russian algorithm called GOST. Further, to generate signatures we need hash functions, which allow us to take blocks of information and condense them, hashing them to make them a lot shorter, so that even though the hash product is a lot shorter, it has certain properties that guarantee that finding two inputs that produce the same result would be extremely difficult. So when two messages are found that produce the same hash, in this case it is considered broken, and the most well-known one is the MD5 algorithm, which became part of popular culture and was the first one to be widely used on the Internet, which gave origin to a lot of the first cryptography tools used, and then the family of the SHA algorithms. --- The MD5 algorithm is one that is relatively simple. It's very short.
It can be implemented without being an expert, and for many years it was sufficiently good to be used over the Internet. MD5 is no longer used, however. --- As I said, when an algorithm is broken it must be changed, and so we must do a rollover. The rollover is an algorithm rollover; we're changing the algorithm, something we do because you cannot rotate keys without rotating algorithms; we necessarily have to change the key, but the algorithm rotation requires certain additional precautions. Why is it necessary to rotate algorithms? Because algorithms can also suffer brute-force attacks or attacks of different types, replay, computation, and when it is cryptographically insecure it must be changed. --- In the event of a brute-force attack, it doesn't mean that it was a bad algorithm; it was a good algorithm at some point, like MD5. The attacks back then could be fought off because of the computational capacity back then, but with the advances that have taken place the algorithm is no longer secure, and it's interesting to note that it's not that the algorithm got worse but that the environment changed. --- You will see that the rotation looks a lot like a key rotation, but don't lose track that those new keys will be generated with the new algorithm, not simply regenerated. --- MD5, as I commented, was dead and was no longer used. It is likely that some of us are still using MD5. We know that we have to abandon MD5. --- SHA-1, about a year ago, reached the same situation as MD5. The probability of encountering attacks signified that it would be time to remove this, because now it is possible to run into collisions due to the availability of a wide range of users. The consequence of this for all of those who utilize it is to know that the signatures generated with SHA-1 were probably the most common; SHA-1 was probably the most commonly used algorithm in DNSSEC. The DNS software and the servers understood it.
DNSSEC needs to account for the duality: not just the signing origin but also the servers that resolve the address; regardless of how secure the algorithm is, if nobody can validate it there is no sense in using it. So Hugo, your turn to talk about how to implement the algorithm rotation. >> HUGO: Thank you Carlos. I'd like to calm everyone down, because you may think that there are problems with DNSSEC. It's not the case; DNSSEC was designed to be independent of the algorithm and the hashing; the fact that we drop SHA-1 and move to a different one is normal and it should be expected to take place. What is important is that SHA-1 had wide use, but it's time to rotate this in an orderly fashion, so this is a call for people to check if they are using SHA-1 in their DNSSEC and to schedule the rotation by the end of the year. And now I'd like to show you a little bit about this rotation, which is a little different; one must be careful in doing it, and there is the hacker mode to understand how it works and to be clear about when it happens. Currently, the software that handles keys carries out the rollover of algorithms; the process is automatic. It is important to explain how it works a little bit, to know what is happening. Here are a few of the commands that are available, like dnsviz and zonemaster, which publish this as graphic information, and below is a link to more information that explains step by step what to do. --- Here is an example of what would be an ordinary zone with the more common records. And of course we can have many records, and this is signed with DNSSEC, and here is the KSK key and the original key, made with SHA-1. It's easy to rotate them, and in addition to our zone it is relevant to know who delegates the DNS and delegates the security of the zone. >> 5 minutes.
>> So, step 1 is the initial state; step 2 is when we add the new algorithm, ZSK2; it is necessary to add it to our zone, publish it and wait some time for it to propagate through the Internet. This is not immediately consistent. In the previous article you can see how much time you need to wait until you go on to the next step, which is adding the KSK with the new algorithm, and step 4 is adding the DS2 in the parent. It's important that both algorithms sign both keys at the moment that we publish this in the parent. There have been instances where one key does not sign with the algorithm. --- Step 5 is removal of the old DS, and finally we eliminate it completely and have the permanent state. --- The important thing is to do this step by step with the new algorithm from the bottom to the top and then eliminate the old one from the top to the bottom. --- Using OpenDNSSEC is easy: you change this in your configuration and execute a pair of commands. In BIND it is also simple: generate the new keys with the correct algorithm and then reload both, change the parent and finally manually deactivate the old keys, and here you see more information about each step. >> 2 minutes. >> With Knot it's much easier; you change the algorithm parameter and reload the server. This is a study of the actual use of SHA-1. Blue and red colors utilize SHA-1. It should be discontinued; outside of that are zones that are more important and more well known that have a different use. So the call to action is this: verify the algorithm with the command and look at the third field, which shows the algorithm being used; anything less than 8 is a problem. And lastly, there is time to plan this; we do not know when the critical point will be, when the validators decide to distrust SHA-1, so it is important to do this now and be prepared for when that moment happens. Here is our email information and the link for you to enroll in the mailing list for LACNOG. >> MACARENA: Thank you Hugo and Carlos.
Mariela, questions? >> There were presentations; do you know if there's a summary of what happened and what were the consequences? >> HUGO: Yes, we kept carrying out fairly complete measurements of what took place, and there was a presentation about what happened after (indiscernible), and everything looked good; there were no major issues, and all of these changes are actually gradual and there is a period of adjustment. There is a flag day coming later this year, but I have heard that it's being suspended for now, but we need to continue to implement this, so we need to keep it in mind. >> Next question: will there be another Flag Day with the change of algorithm? >> Due to the size of the DNS packets -- this is more urgent. >> CARLOS: I'd like to add that you don't need to run out and make the rotations now; it is better to take the time to implement this carefully. We have not had major issues. We should ensure that if you are going to rotate algorithms, which one is recommended? >> Yes, good comment. I hope that you can go to the elliptic curves, because the keys are smaller, as are the signatures, so you can have greater security with a smaller key; the support is broad. The (indiscernible) were the pioneers and they did not have any issues. So hopefully we can do this; I don't remember the code, but it's inside of the recommended algorithms. >> CARLOS: I think it's number 13. >> MACARENA: That was the question for Manuel. One more and the others will be pending. Is there any information to show what the deployment of DNSSEC is in the region? >> HUGO: As I said, the graphic displays that it is more in the higher-use areas; from the validating points, it's over 33%, and as for the signing, it depends a lot on the different regions. There is an effort to reach a better level.
And that increases the capacity of signatures; they're not very updated, but in terms of validation it is more deployed, and something important is, referring to NSEC (sounds like), what is it that it will promote? We see this. It's something promoted by DNSSEC, and Microsoft announced that with Office they are going to start signing with DNSSEC to have validation in the mail. >> I'm going to read the last comment and then close the session. We have SHA-1 and SHA-2; it does not depend on one owner, but we'll close this part. >> MACARENA: If you have questions please enter them in the chat box, and the last presentation is by Jose Camargo on low-cost solutions. Jose is a telecommunications engineer. >> JOSE: Good morning and good afternoon to everyone. >> MACARENA: Good afternoon, we can hear you well. >> JOSE: Thanks for the opportunity to be here, and today we're going to talk about the low-cost alternative solution, a project for Latin America, and I'm not going to go into this in great detail. --- The volumetric attacks in LATAM. Nowadays many operators at levels 1, 2, 3, 4 are subject to denial-of-service attacks, and we need to find solutions internationally, like scrubbing solutions, but it is expensive; however, malicious traffic is processed and eliminated, and the clean traffic is sent through tunnels, and the solutions for LATAM create latency. Some of you may have had the opportunity to interact with some of the solutions, and there is something important to take advantage of in Latin America: the CDNs and interconnection points; the IXP also offers resources, and we can see that clearly there is a volumetric attack and suppliers at levels one and two.
When a company or a small WISP is under attack it will request a blocking of such traffic from its provider, including a full disconnection of the same, and the potential attacks, more than anything, are for operators at levels 3 or 4, because they leave some sort of open port, and we still see attacks where the objective is port 11211. And these are amplified, which could compromise up to 500 Mb-1 Gb. --- What are the most common attacks that we run into? The majority of the elements we encounter have a flood of UDP traffic; we also have TCP traffic attacks to deny service, and the attacks continue to come from the most commonly known places, and in Latin America, Brazil has a large network where national attacks can be very big, another variable in this equation. --- Clearly we have seen that there is a significant presence of attacks from the US, Russia and Asian countries. And the vision that we had about attacks on the network tended to compromise port 123, which is NTP; 161, SNMP; 53, DNS; and port 0, modified packets. 98% of the attacks come from international sources. Only 1.4% of attacks come from local sources. --- Let's look at how the previous architecture works. The first step, as such: we have a network administrator who injects a static route inside of the route+edge, using a monitoring tool based on NetFlow. The route is injected once you have the TSP. When you have international networks you can generate the blocking only in the appropriate POP; this is where we think we can take advantage of all of this business of CDN+NAPs+IXPs. --- We have a route server where the administrator does not interact against the route. Lastly, this is a (indiscernible): when a provider has a large capacity, the attacks will continue to arrive, and this is where we use one of the BGP resources available to Tier 1 service providers. These are blocking points here that are no longer done there but will go to Tier 1.
It turns out that when you use these communities with these providers, when I've set the BGP community I can announce this route as a /32 route. What will happen? We're going to block international traffic exclusively for that IXP. --- Identification and resolution could take more than two hours, and we had attacks from 1 Gb up to 20 Gb with a loss of tens of thousands of dollars because of the network interruption. --- When we talk about manufacturer solutions we talk about significant investments, which made the project not feasible at the moment; these are excellent solutions, but to start with, it is very expensive. The proposed solution has an annual cost below $8,000, and it is a limited solution because of the bandwidth. We had an element where you have the main characteristics: an analysis platform for the NetFlow traffic. When I have the attacking traffic, it enters the router and the platform detects it, injects the route and directs it to the mitigating platform, where based on certain signatures I can filter it, generate a tunnel and deliver it to the client. And to close, when we have large attacks, we can utilize the RTBH community to announce the blocks. And identification and resolution is less than 5 minutes because it is automated, and the operational impact is virtually zero; this is a real graphic, and the time for resolution is 4 min. And to close, my invitation is to use the BGP communities, and that way you can be autonomous and be able to control this type of situation. Thank you. >> MACARENA: Mariela, questions? Carolina? It's in English. >> What series of network reporting of fragments do you check in packet capture? Are there no initial fragments as such? No UDP header? >> JOSE: No, not really.
What we detect with the NetFlow tool is to identify known attack ports, and what we did is to recognize those attacks in the areas that are most used; the traffic went through the network and is exported and matches the signature, and it is not machine learning or artificial intelligence, they are signatures already created, and since we implemented this solution we have not had a single volumetric attack. >> Thank you. Wesley asks, where is this mitigating center? >> JOSE: If you're referring to certain mitigating centers at the manufacturer level, there could be several, but in this case this is being implemented in the United States. >> Next question: does this solution provoke a delay? >> JOSE: No. What is done in the graphic that we saw is that traffic is redirected and filtered only if it matches the attacking signature, and it is redirected, so it is adding one additional step in the same location, but the response time can vary between 1 and 5000 milliseconds. >> Carlos Altamirano says, what part of your solution identifies the attack? >> JOSE: It is done by NetFlow and a tool, and it injects the route as a /32 route. >> One question. Does this work also for voice over IP traffic? >> JOSE: Voice traffic is not as significant. We are talking about volumetric attacks, but if I wanted to, I could filter such traffic with very minimal delay. It would not affect voice packets. >> We're ready, Macarena. >> MACARENA: Thank you Mariela, Carolina and Jose. And lastly I'd like to let Carlos speak. >> CARLOS: I want to use these last moments to share with you a brief closing presentation. I'm going to share our thoughts. First, I'd like to thank all the participants this week, not only in today's activities but also on Monday and Tuesday. And tomorrow we will continue. We also had the technical forum of LACNIC, where we wanted to encourage the exchange of technical themes and network operation in our region and in other regions, based on other operators' experiences.
Normally, and this was the original idea, we would carry out this forum in person; unfortunately, due to the known circumstances, we are carrying this out online, and we have adapted the FTL format to an online format, and we would like to hear everyone's opinion about what you thought about it and what can be done better. The presentations that we normally have in FTL include network operations, security, the DNS protocol, measuring techniques like Tim's presentation a few minutes ago, and we have had other things like connectivity and the Internet of Things. The objective is to create a space to share information, information that we can apply to our individual networks in our respective jobs. Here we see the members of the program committee (reading the names). The first three names were chosen by the community. We had one single call to present, and one of the things that is important is how relevant a certain experience is for other people. They could be things that are very interesting in a very special situation but not necessarily relevant to most people. In the proposals received for 2020 we had the acceptance and rejection distribution that you see here. Originally, when the call was made and we thought we would do this in person, we had two different presentation formats: short and long. And we had to modify the format to make it more suitable for online use, but you can see the distribution of accepted and rejected presentations. --- The level of the presentations has improved every year, and this makes the program committee's work even more challenging. Among the proposals received there is a large number of male proponents, and we would like to see more female speakers participate, so we encourage women to submit their proposals. --- We had 200 presentation minutes divided into four 50-minute sessions, with a break in the middle for lunch. This is for FTL 2020, and we had a maximum number of participants in the morning of 290 and 220 in the afternoon.
I lost the number of questions, but tomorrow I'll enter the number of questions answered compared to questions that are pending. --- We had nine speakers, two secretaries per session and interpreters, and we had simultaneous transcription in Spanish, Portuguese and English. --- We want to emphasize that it is important to participate in the survey, because we're learning what works in an online environment, to have a good online experience for everyone. FTL 2021 will be in May next year, and the topics will always be the same: network operation, infrastructure and architecture, stability and security, and research as well, and data collection. --- The call for presentations will be held in the last trimester of this year, if you want to start thinking about submitting a proposal. We invite you to be present at the next one; thank you so much, and we'll see you at the next FTL in 2021. >> MACARENA: We conclude the third edition of the technical forum of LACNIC. The presentations from the morning are already published, and in the next few hours the rest will be posted, and we invite you to continue to follow us on social networks under #LACNIC33. The video and the speakers' slides will be posted on our website. We will return tomorrow at 14:00 UTC to continue with the secure routing tutorials; thank you for participating, and we'll see you tomorrow. >> [End of call]