HKIX Updates at HKNOG 7 · 2019. 3. 4. · –Update automatically from Internet Routing Registry...

HKIX Updatesat HKNOG 7.0

Kenneth CHANHKIX

www.hkix.net1 Mar 2019

HKIX Today• Supports both MLPA (Multilateral Peering) and BLPA

(Bilateral Peering) over layer 2

• Supports IPv4/IPv6 dual-stack

• More and more non-HK participants

• 300+ different networks (autonomous systems)

connected

• 510+ physical connections in total

– 41 100GE, 320+ 10GE & 150+ GE• 1.34+Tbps (5-min) total traffic at peak

• Annual Traffic Growth ~30%

Current HKIX TrafficDaily Graph (5-min average)

Current HKIX TrafficYearly Graph (1-day average)

Trend of 100GE connections

HKIX 100GE Participants (1/2)• Akamai• Amazon• AOFEI• BGP Consultancy• China Mobile HK• China Mobile

International• CloudFlare• Facebook• Google• HKBN• Hurricane Electric• Level 3• Limelight

HKIX 100GE Participants (2/2)• Mytek• PCCW IMS• Telin• Telstra• Tencent• TVB• Udomain• Valve• Yahoo

Portal for HKIX Participants

– Basic Functions (Currently Available)1. Change Port Security2. MRTG Statistics

§ Physical port§ LAG port§ Aggregated per Customer

3. Schedule Maintenance Window

– Planned Features• Port Application• Site Access Application• Filter Update• Fault Case Reporting

Portal for HKIX Participants• HKIX Portal Login Page (URL: https://portal.hkix.net/)

Contact provision@hkix.net for your portal account. It’s free!

Production Now!

Support of Blackholing for Anti-DDoS on HKIX Route Servers

HKIX route servers support Remote Triggered Black Hole Filtering (RTBH) for announcement of black-hole filtering

http://www.hkix.net/hkix/anti-ddos.htm

No. of ASNs Registered : 52

How it works?• Victim’s ISP tag the /32 prefix with 4635:666 for its customer• HKIX route servers set the prefix with next hop 123.255.90.66• RTBH participants accept the /32 prefix and set the next hop address for

123.255.90.66 to null

Expected Results: • Only the victim’s IP will be unreachable via HKIX network while saving the others• The DDoS traffic will be black-holed at the side of the RTBH participating routers

which are closer to the DDoS traffic sources

Support of Blackholing for Anti-DDoS on HKIX Route Servers (BEFORE)

Support of Blackholing for Anti-DDoS on HKIX Route Servers (AFTER)

Support of Blackholing for Anti-DDoS on HKIX Route Servers

Enhancement of RTBH on HKIX route servers :• Contact us for RTBH membership registration• Only RTBH registered members can tag the blackhole route• Register your AS-Set in internet routing database and use IRR

filtering on HKIX route servers (it can minimize the risk from accidentally announced a black-holing route that you are not allowed to advertise)

• Only /32 is accepted for the prefix (e.g. victim’s IP address)• Announce your own network prefix only (very important!!!)• HKIX may shutdown the connection if improper use of the RTBH

reported

Filtering on HKIX Route Servers• HKIX supports IRR filtering on Route Servers

– Applicable to general HKIX members– Filtering by IP addresses– Update automatically from Internet Routing Registry database– Please register your AS-SET at IRR database

• The Origin ASNs manual update processes will be ceased on 1-Jul-2020– Please register and change to use IRR filtering before

decommission of AS Number filtering

• RPKI support will be available by 2019

HKIX-R&E Network Diagram

HKIX Upgrade Plan @MEGA-i

HKIX3b Target 2019-Q2

HKIX3b@MEGA-i HKIX-R&E

Since 2008

Upgrade 40G to 200G by April 2019

Reseller Network Topology Diagram

HKIX Reseller Program• Target oversea participants for peering• Non exclusive arrangement / resellers can be

IXPs, Data Centres, local and regional ISPs• First batch will be available in satellite sites only• Second batch will be extended to HKIX core sites

If you are interest be one of our resellers, please contact info[@]hkix.net.

HKIX Planned Works for 2019• Improved Stability

– Better Control of Proxy ARP• Improved Services

– Rollout portal for HKIX participants / R&E participants– True 24x7 NOC (both email & hotline support)– Improve after-hour support– Introduce advanced Route Server functions– Automatic network filter update (support updates from IRR)– New HKIX Route Server– perfSONAR server

• Improved Security– ISO27001– Better support for DDoS mitigation– Implement MANRS IXP Programme for routing security– Implement RPKI on HKIX Route Servers to enhance routing security

HKIX Future Upgrade Plan• Support of 400G connections• Network traffic visibility• Network automation• EVPN (VXLAN)– Multiple vendors support– Unknown unicast suppression– VLAN translation

HKIXIX name Hong Kong Internet eXchangeCity, Country Hong KongPoint of Presence Core Sites:

HKIX1 & HKIX1b @CUHK

HKIX-R&E:HKIX-R&E@MEGA-i

Satellite Sites: HKIX2@CITIC, HKIX3@iAdvantage, HKIX4@NTT, HKIX5@KDDI

# of connected ASN 302Peak traffic 1.34 TbpsRoute Servers Yes (Cisco ASR1006)Remarks PeeringDB:

https://www.peeringdb.com/ix/42

•Information• http://www.hkix.net• info@hkix.net

Thank You!

For enquiries, please contact us atinfo [@] hkix.net

HKIX Updates at HKNOG 7 · 2019. 3. 4. · –Update automatically from Internet Routing Registry...

Documents

HKNOG · APRICOT-APAN 2011 held in HK with 8 x 10GE external connectivity and 100GE trial ... • Intend to have HKNOG 1 in 2015 – >= 1 day – May co-locate with APNIC Regional

HKNOG 6.0: Death in Transit

The latest development and new core site of HKIX 0

00 BrianHo HKNOG 6.0 Opening COMMITTEE CHANGES New Program Committees: Alice NG, Tata Communications Brian HO, Asia Telecom Management Eddie CHENG, Amazon Eric LEUNG, Akamai Kenneth

HKIX Updates at APRICOT 2019at APIX Meeting #19 Kenneth CHAN HKIX Team 24 Feb 2019, Daejeon APRICOT2019 HKIX Today •Supports both MLPA (Multilateral Peering) and BLPA (Bilateral

How the Internet Works? ( TCP/IP, DNS, HKIX … ) CSC1720 – Introduction to Internet Essential Materials

Path to Disaggregation - HKNOG · 2016. 7. 21. · SDN / NFV and Disaggregated Infrastructures will enable Service Providers and Enterprises to deliver these Services Disaggregated

Let’s Encrypt - HKNOG€¦ · Let’s Encrypt - Introduction SSL CA Initiative from the Electronic Frontier Foundation (EFF) Some major sponsor: Mozilla, Cisco, Akamai, Facebook

HKIX Sharing at PacNOG 18 Che-Hoo CHENG CUHK/HKIX 30 Nov 2015

DDOS attacks in an IPv6 World Tom Paseka HKNOG 1.0 September 2014

Hong Kong Internet Exchange (HKIX) · What is HKIX? HKIX is a Public Internet Exchange Point (IXP) in Hong Kong – it is not a Transit Provider HKIX is the major domestic Interconnection

Hknog 4.0 Tko express - undersea cable system

OTT Traffic and Trends - HKNOG• Only CDNs will increase ability of traffic engineering • more unbalance :P • Usually outbound traffic control is easier, and inbound traffic control

Security in an IPv6 World Myth & Realityhknog.net/.../HKNOG-1.0-Chris_of_ISOC_IPv6Myths-DOteam.pdf · 2014-11-15 · IPv6 Has Security Designed In Routing Header Type 0 (RH0) –

HKIX Updates at APIX #20at APIX #20 Kenneth CHAN HKIX Team 9 Sep 2019, Chiang Mai HKIX Today •Supports both MLPA (Multilateral Peering) and BLPA (Bilateral Peering) over layer 2

IoT Smart & Connected Facilities 2017 - HKNOG · IoT Smart & Connected Facilities 2017 Raymond Poon ... SF7 5470 28 250 bytes -124. ... • Structured cabling cost structure • Pull

HKIX Updates at APRICOT 2019 · •Supports both MLPA (Multilateral Peering) and BLPA (Bilateral Peering) over layer 2 •Supports IPv4/IPv6 dual-stack •More and more non-HK participants

3. ASTRI Duncan Ransomware - HKNOG · 2016. 10. 4. · $675, 3ursulhwdu\ 5dqvrpzduh 7kh 0rvw 3urilwdeoh 0dozduh 'xqfdq :rqj 3k' 93 )lqdqfldo 7hfkqrorjlhv 6hswhpehu

Some thoughts on IoT - HKNOG · 2017-07-03 · IPv4 and IoT • The “conservative” option for IP in this environment • Ubiquitous support across the entire deployed Internet

HKNOG 6.0 Christian Kaufmann, Sr. Director Network Technology€¦ · • ISP routing issues such as tromboning, filtering, de-peering were affecting inbound cache fill ... config