By Amber Rasche - Communications Manager, Internet2
Internet2 Insight Console gives research and education (R&E) network engineers and cloud architects a way to visualize, manage, and troubleshoot Internet2 network services in real time. With the console, they can create cloud connections, inspect live traffic, troubleshoot routing issues, and more — all in one place.
For CAAREN, or the Capital Area Advanced Research & Education Network, the BGP Route Report integrated into Insight Console earlier this year is a key part of its routing security toolbox.
“Having a consistent and regular view of our network and customer cone — or the BGP routes advertised by our members — helps ensure our routing intent is translated and understood correctly by the community,” said Andrew Gallo, principal IT architect at CAAREN. “The BGP Route Report is an easily explainable, consumable, and shareable way to show what is happening not only on our part of the network but across the entire country.”
What is the BGP Route Report?
Within Insight Console, the BGP Route Report provides visibility into the routes announced to Internet2 R&E IP and Internet2 Peer Exchange (I2PX) services. It helps network operators and engineers identify rejected routes, troubleshoot issues, and assess their routing security posture.
In this Q&A, Andrew Gallo shares how CAAREN has been a leader in strengthening routing security in the R&E space. He also discusses how easy access to route information in Insight Console helps CAAREN protect its network and support its members through better visibility and collaboration.
Q&A with Andrew Gallo: ‘Explainable, Consumable, and Shareable’
How does CAAREN prioritize routing security to protect its network and support its broader member community?
Andrew Gallo: CAAREN was one of the first R&E networks in the world to create Route Origin Authorizations (ROAs) for our number resources. We were also the first to join the global MANRS initiative, or Mutually Agreed Norms for Routing Security.
For CAAREN customers, we provide training and consultation on routing security, policy, and operation. We have also worked with our peer R&E networks to help the community maintain BGP skills amid workforce transitions and as new professionals enter the field.
How have Insight Console and the BGP Route Report helped CAAREN monitor, validate, and strengthen routing security across its network and the institutions it connects?
Andrew Gallo: The CAAREN team has been an enthusiastic user of the Route Report from the early days, when Internet2 first introduced it as a downloadable resource. It has evolved a lot since then, including its integration into Insight Console. What hasn’t changed is the value of the visibility it provides.
Having a consistent and regular view of our network and customer cone — or the BGP routes advertised by our members — helps ensure our routing intent is translated and understood correctly by the community. Using the report, we’ve been able to detect suboptimal situations such as missing prefixes.
Even though we’re a small network, things change, and having an outside view provides a useful cross-check. Also, the report is helpful when customers have questions or concerns about routing anomalies.
Can you share an example of how Insight Console and the BGP Route Report have helped the CAAREN team with operational troubleshooting and long-term improvements in routing security?
Andrew Gallo: We have a small customer base, each having a fairly stable set of prefixes. However, there was a change in how one of our customers was advertising its IPv6 networks, which caused it to fail the inbound prefix list. I noticed this while reviewing the Route Report.
For years, BGP advertisements from many R&E networks didn’t change much. As customers have embraced the cloud and outsourced services traditionally hosted on-prem, routing has gotten more complicated. We see this especially with Distributed Denial of Service (DDoS) protection, which may require customers to partially deaggregate their address space, either permanently or temporarily.
The Looking Glass feature of Insight Console gives us a real-time view into what is happening. In one case, a customer opened a ticket with the CAAREN network operations center asking about asymmetric routing with cloud-based DDoS protection. Using Insight Console, we were able to demonstrate that traffic was flowing on the intended path, resulting in the much-desired “mean time to innocence.”
How have you used insights from the console’s BGP Route Report to engage with your member institutions around optimizing configurations and aligning with routing security best practices?
Andrew Gallo: The BGP Route Report is an easily explainable, consumable, and shareable way to show what is happening not only on our part of the network but across the entire country. This is especially useful when explaining routing to a technical manager or director — the report is more digestible than command-line output.
Also, getting an overview of what other networks are doing is useful to ensure that we’re aligned with community norms and best practices.
What lessons learned would you share with peers in the R&E community as they work to enhance the resiliency of their networks and protect against common routing security threats? How might Insight Console support their efforts?
Andrew Gallo: For many organizations, BGP routing was a “set-it-and-forget-it” type of configuration. That is no longer the case. The size and complexity of what we’re asking our R&E networks to do continue to grow — as evidence, the IPv4 routing table passed 1 million entries earlier this year. It’s no longer enough to “just keep the lights on” with respect to BGP. We need to pay attention and, at a minimum, maintain a defensive posture with our connections to the global internet. Configuration errors and active attacks pose serious risks to our infrastructure. Routing security can help ensure your critical infrastructure remains available for service.
Taking a moment to review your routing intention — and then using these tools to ensure it is reflected in the network — is important. Are your Internet Routing Registry (IRR) entries correct? Do you have ROAs created for your networks? The BGP Route Report not only can tell you this but also directly links to tools to dig deeper.
I’ll also add that Insight Console has an API — and it’s easy to use! In preparing for a router replacement, CAAREN has been using the API to compare pre- and post-cutover routes received by the Internet2 backbone. This will help us identify any problems during the maintenance event and address them quickly.
Explore What’s Possible
Internet2 Insight Console continues to evolve with the needs of the R&E networking community. It’s designed for the engineers and architects who use it every day to improve visibility, strengthen security, and streamline operations.
Go to Insight Console and explore what’s possible today.
If your organization has a story to share about how you’re using Internet2 Insight Console, contact arasche@internet2.edu.
About the Author(s)
Amber Rasche supports strategic communications and media relations in service of Internet2’s mission to advance the research and education community. She has 14+ years of experience in higher education IT and in research, education, and government high-performance networking environments. From technical writing to storytelling, she enjoys shining a light on collaboration and innovation—and the people who make it all possible.