Author Archives: Kevin Meynell

Feedback Requested: Chartering the MANRS Community

While MANRS has gone from strength to strength since its beginning in 2014, gaining attention, interest, and credibility from network operators worldwide, for the initiative to be sustainable and impactful in the long run there should be a stronger sense of ownership by the community. MANRS is an industry-led initiative whose participants set and develop […]

The post Feedback Requested: Chartering the MANRS Community appeared first on Internet Society.

Over 300 ISPs Now Improving Routing Security with MANRS

Today, we’re proud to announce another milestone: the number of network operators that commit to the Mutually Agreed Norms for Routing Security (MANRS) has surpassed 300.

The current number of network operator program participants stands at 322. These Internet Service Providers (ISPs) joined the initiative by showing their conformance with the actions to improve the resilience and security of the Internet’s routing infrastructure.

Launched in 2014 with a group of nine operators, the number of MANRS participants reached 100 in 2018 and has risen rapidly in the last two years, with 156 joining in 2019 alone, and 45 so far in 2020.

This includes operators in more than 60 countries across all continents, with Brazil leading the way with nearly 70 MANRS participants, followed by the US with nearly 50.

According to BGPStream, the number of reported routing incidents was on the decrease from 2017 to 2019 (see chart below), while the number of MANRS participants grew in the period. While this does not mean one caused the other, a correlation between the two can be observed.

The MANRS community has grown rapidly through its other programs, too. In 2018, the initiative expanded to include Internet Exchange Providers (IXPs), which Continue reading

Developing good BGP neighbour relationships @ APRICOT 2019

Routing Security is featuring heavily on the APRICOT 2019 programme, which is being held on 23-28 February 2019 in Daejeon, South Korea. This helps build on the MANRS initiative being supported by the Internet Society,

On Wednesday, 27 February (09.30-13.00 UTC+9) there will be a Routing Security session that will discuss the latest problems, developments, and how routing security measures can be implemented. Speakers include Job Snijders (NTT) who’ll be discussing changes to BGP in the coming 18 months; Töma Gavrichenkov (Qrator Labs) on how BGP hijacks can be used to compromise the digital certificates used to secure online transactions; and Anurag Bhatia (Hurricane Electric) who’ll analyse the top misused ASNs.

During the second part of the session, Tashi Phuntsho (APNIC) will cover the practical issues and implications of deploying your own RPKI Certificate Authority; Tim Bruijnzeels (NLnet Labs) will discuss the use of route servers at Internet Exchange Points; whilst Ed Lewis (ICANN) will discuss the issues with using the RIR Whois databases.

Following on from this, our colleague Andrei Robachevsky will be raising awareness of the MANRS Initiative during the FIRST Technical Colloquium (16.30-18.00 UTC+9).

FIRST is the global organisation of Computer Security Continue reading

DNS Privacy & IPv6 Security @ APTLD 75

The Internet Society will be actively contributing to the APTLD 75 meeting on 20-21 February 2019 in Dubai, United Arab Emirates.

Our colleague Jan Žorž will not only be presenting on DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) during the DNS Operations, Security, and Privacy session (20 February, 11.30-12.30 UTC+4), but will then be presenting on IPv6 connectivity issues during the Security in IPv6-enabled TLDs session (20 February, 14.30-15.30 UTC+4).

He’ll be in good company in what’s shaping up to be a great programme featuring a number of DNS luminaries covering technical, policy, internationalisation and data protection issues, as well as abuse handling and registry and registrar training. Other sessions of particular interest include 5G mobile networks, the implications of Alternative DNS Root Servers, and emerging trends in the DNS.

The Asia-Pacific Top-Level Domain (APTLD) Association is a non-profit organisation of ccTLD (Country Code Top-Level Domains) registries in the Asia-Pacific region that was founded in 1998. It organises two meetings each year for its members, with APTLD 75 being held in conjunction with the 6th Middle East DNS Forum.

If you’re interested in attending then you can register at http://www.aptld75.ae/reg/end.php

DNS Flag Day

The 1st of February was DNS Flag Day, which is an initiative of several DNS vendors and operators to address the problems of DNS name server implementations that are not in compliance with long-established DNS standards. This non-compliance not only makes the DNS unnecessarily slow and inefficient, but also prevents operators from deploying new functionality including mechanisms to protect against DDoS attacks.

DNSSEC and other extended features of the DNS require EDNS0 (Extension Mechanisms for DNS – RFC 6891), and properly implemented name servers should either reply with an EDNS0 compliant response, or provide a regular DNS response if they don’t understand.

However, a lot of name server software is not implemented properly which has meant resolvers have had to incorporate workarounds when name servers don’t respond correctly. These cause unnecessary retries, delays, and prevent the newer features of the DNS being used.

As a result, the vendors of the most commonly used DNS software (BIND, Unbound, PowerDNS and Knot) will no longer be supporting these workarounds in new versions of their software, whilst a number of public DNS resolver operators (CleanBrowsing, Cloudflare, Google and Quad9) will no longer resolve hostnames served by broken name server implementations.

This may mean Continue reading

NAT64Check Version 2 is launched!

With the New Year comes the launch of NAT64Check version 2 from the Internet Society. The first version of NAT64Check was introduced a couple of years ago and has proved very popular and successful, so for the past year we’ve been working on a number of enhancements in response to feedback and requests. And we’re very happy to be able to make the new version available as we welcome in 2019.

NAT64Check is a tool developed by the Internet Society in collaboration with Stichting IPv6 Nederland, Go6, SJM Steffann, Internetbureau Max and Simply Understand. This allows you to enter the URL of a particular website, and then run tests over IPv4, IPv6 and NAT64 in order to check whether the website is actually reachable in each case, whether identical web pages are returned, and whether all the resources such as images, stylesheets and scripts load correctly. It also compares responsiveness using the different protocols, therefore allowing network and system administrators to easily identify anything that is ‘broken’, and to pinpoint where any non-IPv6 compatible elements need to be fixed.

The original version of NAT64Check though, ran on two separate servers at Go6 and the IPv6 Lab which each had a limited view of the Internet Continue reading

DNS Security & Privacy discussed at e-AGE18

The Internet Society continued its engagement with the Middle East networking community by participating in the e-AGE18 Conference, where we took the opportunity to promote the importance of DNS Security and Privacy. The conference was held on 2-3 December 2018 at the Marriott Hotel in Amman, Jordan and was organised by the Arab States Research and Education Network (ASREN) and co-sponsored by the Internet Society.

Kevin Meynell from the Internet Society’s Middle East Bureau, highlighted the importance of implementing DNSSEC which allows DNS resolvers to authenticate the origin of data in the DNS through a verifiable chain-of-trust. This reduces the possibility of spoofing where incorrect or corrupt data is introduced into a resolver, or a man-in-the-middle attack whereby DNS queries are re-directed to a name server returning forged responses.

Unfortunately, only the Saudi Arabia ccTLD (.sa) has operationally deployed DNSSEC in the Middle East region at the present time, although Iran (.ir) and Iraq (.iq) have deployed it on an experimental basis. On the positive side, around 18% of DNS queries originated from Middle East countries are being validated compared to 12% globally, with Yemen (45.1%), Saudi Arabia (32.1%), Iraq (30.6%), Bahrain (23.2%) and Continue reading

Stakeholder Workshop Held to Discuss Tajikistan IXP

The Internet Society in conjunction with the Open Society Institute Assistance Foundation – Tajikistan and the CAREN3 project organised an IXP workshop on 25 October 2018 at the Center of Written Heritage of the Tajik Academy of Sciences, in Dushanbe, Tajikistan. This followed on from a previous workshop held in 2017, and brought together nearly 30 stakeholders from local ISPs, civil society, and academia to discuss progress on the establishment of an Internet Exchange Point in Tajikistan.

I opened the workshop by summarising the IXP Environment Assessment report for Tajikistan that was commissioned by the Internet Society in 2017. This highlighted that Internet usage was below average for the region, and partly contributed to the low levels of economic growth in the country. The number of Internet users is estimated at between 15-40% of the population, Internet services are costly, and areas outside of the main cities do not have good access to broadband.

Internet uptake and use has been constrained by a variety of different factors, some of which are related to the geographic conditions (such as the landlocked mountainous nature of the country), and these have led to high prices for international capacity, high cost of services for the Continue reading

U.S. R&E Community Embraces Routing Security

The Internet Society participated in a Routing Security Workshop that was held during the Internet2 Technology Exchange 2018 on 15 October 2018 in Orlando, United States. The research and education networking community has been one of the key targets of the MANRS initiative that is promoting adoption of best practices to reduce threats to the global routing system, and this community workshop followed on from a previous engagement we had with Internet2 and a number of other R&E networks in the US earlier in the year.

Internet2 interconnects R&E institutes across the United States in conjunction with regional and state networks, so we see them as a key partner in raising awareness of the routing security issues, as well as encouraging the adoption of the four MANRS principles. Indeed, one of the aims of MANRS is for network operator communities to take ownership of this process by generating awareness and disseminating best practices, along with making recommendations for improvement. So this workshop was a fantastic step in this direction.

Another positive step was Internet2 formally becoming a MANRS participant shortly before the workshop, following in the footsteps of ESnet, CAAREN, KanREN, George Washington University, Indiana University, and DePaul University. WiscNet Continue reading

IETF 103, Day 4: Trusted Systems, IoT & IPv6

This week is IETF 103 in Bangkok, Thailand, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. Thursday actually represents the last day of the meeting this time, although there’s still several sessions to draw attention to.

SUIT is meeting first thing at 09.00 UTC+9. This is considering how the firmware of IoT devices can be securely updated, and the architecture and information models for this will be discussed. There are three other drafts relating to manifest formats that are the meta-data describing the firmware images.


NOTE: If you are unable to attend IETF 103 in person, there are multiple ways to participate remotely.


DMM is the first of the afternoon sessions at 13.50 UTC+7, and there are several IPv6-related drafts under consideration. Proxy Mobile IPv6 extensions for Distributed Mobility Management proposes a solution whereby mobility sessions are anchored at the last IP hop router, whilst Segment Routing IPv6 for Mobile User Plane defines segment routing behaviour and applicability to the mobile user plane behaviour and defines the functions for that. There’s also three updated drafts on 5G implementations which may interest some.

To round off the week, there’s a choice Continue reading

IETF 103, Day 3: DNS Privacy, TLS & IoT

This week is IETF 103 in Bangkok, Thailand, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. Wednesday is a relatively light day in this respect, although there’s some pretty important matters being discussed today.

DPRIVE kicks off the day at 09.00 UTC+9, and will mostly be discussing user perspectives with respect to the recently introduced implementations of DNS-over-TLS and DNS-over-HTTPS, as well as the issues of DNS privacy between resolvers and authoritative servers. There’s also a new draft up for discussion on DNS-over-TLS for insecure delegations that describes an alternative authentication mechanism without need for DNSSEC support.



TLS holds its second session of the week immediately after lunch at 12.20 UTC+7. This will carry on where it left off on Monday, although it will be discussing a DANE Record and DNSSEC Authentication Chain Extension for TLS. The intention is to allow TLS clients to perform DANE authentication of a TLS server without needing to perform additional DNS record lookups.

Then at 13.50 UTC+7, Homenet will be focusing on Homenet Naming Continue reading

IETF 103, Day 2: IPv6, NTP, Routing Security & IoT

This week is IETF 103 in Bangkok, Thailand, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. And following on from the previous day, Tuesday also features a packed agenda.

LPWAN will be discussing whether to move to a Working Group Last Call on the Static Context Header Compression (SCHC) framework for IPv6 and UDP, which provides both header compression and fragmentation functionalities. Three other drafts describe similar schemes for SigFox, LoRaWAN and IEEE 802.15.4 type networks.



Then at 11.20 UTC+7, IPWAVE will be focusing on updates to the specification for transmitting IPv6 Packets over IEEE 802.11 Networks in Vehicular communications, and the use cases for IP-based vehicular networks. There have also been a couple of updates to DNS Name Autoconfiguration for Internet of Things Devices and IPv6 Neighbor Discovery for Prefix and Service Discovery in Vehicular Networks, so these may also be discussed.

6MAN will be meeting at 13.50 UTC+7 and has nine drafts up for discussion. The couple of working group Continue reading

IETF 103, Day 1: IPv6, TLS, DNS Privacy & Other Crypto

The Working Group sessions start tomorrow at IETF 103 in Bangkok, Thailand, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. Only four days have been scheduled for the working groups this time around, which means there’s a lot to pack into each day, with Monday being no exception.

V6OPS is a key group and will be meeting on Monday morning starting at 09.00 UTC+7. It’s published four RFCs since its last meeting, including Happy Eyeballs v2, and this time will kick off with a presentation on the CERNET2 network which is an IPv6-only research and education network in China.

There’s also four drafts to be discussed, including three new ones. IPv6-Ready DNS/DNSSEC Infrastructure recommends how DNS64 should be deployed as it modifies DNS records which in some circumstances can break DNSSEC. IPv6 Address Assignment to End-Sites obsoletes RFC 6177 with best current operational practice from RIPE-690 that makes recommendations on IPv6 prefix assignments, and reiterates that assignment policy and guidelines belong to the RIR community. Pros and Cons of IPv6 Transition Technologies for IPv4aaS discusses different use case scenarios for the five most prominent IPv4-as-a-service (IPv4aaS) transitional technologies, Continue reading

The Internet Society’s Hot Topics at IETF 103

The 103rd meeting of the IETF starts tomorrow in Bangkok which is the first time that an IETF meeting has been held in the city.

The Internet Society’s Internet Technology Team is as always highlighting the latest IPv6, DNSSEC, Securing BGP, TLS, and IoT related developments, and we’ll also be covering DNS Privacy and NTP Security from now on. This is discussed in detail in our Rough Guide to IETF 103, but we’ll also be bringing you daily previews of what’s happening each day as the week progresses.

Below are the sessions that we’ll be covering in the coming week. Note this post was written in advance so please check the official IETF 103 agenda for any updates, room changes, or final details.

Monday, 5 November 2018

Tuesday, 6 November 2018

Rough Guide to IETF 103: IPv6

In this post for the Internet Society Rough Guide to IETF 103, I’m reviewing what’ll be happening at the IETF in Bangkok next week.

IPv6 deployment hit another milestone recently, reaching 25% adoption globally. The almost total depletion of the pool of unallocated IPv4 addresses has seen the cost of an IPv4 address on the transfer market rise from USD 15 to 18 in just a few months, which has encouraged network operators to further step-up their deployment efforts.

There was some good news from the UK with the largest mobile operator EE and the incumbent provider of broadband Internet BT, increasing to nearly 30% and 46% respectively. Other mobile operators deploying IPv6 also saw a boost this month with the release of Apple’s iOS 12 update that adds IPv6 support for cellular data.

Belgium still leads the way, but Germany is rapidly catching up, followed by Greece, the US and India. France, Malaysia, Finland and Australia also seem to have seen a surge in deployment recently.

IPv6 is always an important focus for the IETF, and this meeting will see a lot of work with respect to deployment-related improvements and the Internet-of-Things.

The IPv6 Operations (v6ops) Working Group is Continue reading

GLIF 2018 Held at the Home of Hamlet

The 18th Annual Global LambdaGrid Workshop (GLIF 2018) was held on 18-21 September 2018 at the Kulturværftet in Helsingør (Elsinore), Denmark. Kronborg Castle, located next to the venue, was immortalised as Elsinore in the William Shakespeare play Hamlet, but there proved to be nothing rotten with the state of high-bandwidth networking as 50 participants from 19 countries came to hear how these networks are facilitating exascale computing in support of biological, medical, physics, energy production and environmental research, and to discuss the latest infrastructure developments.

This event was organised by myself with support from NORDUnet who hosted the event in conjunction with the 30th NORDUnet Conference (NDN18), and where I also took the opportunity to raise awareness of the MANRS initiative.

The keynote was provided by Steven Newhouse (EBI) who presented the ELIXIR Compute Platform which was being used for analysing life science data. In common with high-energy physics, genomics research produces a lot of data, but this is more complex and variable, requires sequencing and imaging on shorter timescales, and of course has privacy issues. The European Molecular Biology Laboratory is based across six countries and employs over 1,600 people, but also collaborates with thousands of other scientists Continue reading

Training the next generation of network engineers in Kyrgyzstan

The Internet Society in conjunction with Packet Clearing House (PCH), our Kyrgyzstan Chapter (ISOC-KG) and the CAREN Project organised a BGP and Peering capacity building workshop on 3-7 September 2018 in Bishkek, Kyrgyzstan. This five-day workshop was aimed at training engineers for the existing KG-IX Internet Exchange in the capital Bishkek, but also for the prospective Ferghana Valley Internet Exchange being established in the southern city of Osh.

The workshop was led by Nishal Goburdhan who’s an Internet Analyst at PCH, a non-profit organisation that builds and supports IXPs around the world. He was assisted by myself (Kevin Meynell), with the workshop being hosted by the National Academy of Sciences of the Republic of Kyrgyzstan.

The workshop comprised a mix of lectures and hands-on lab work to teach the skills required for interconnecting networks on the Internet, and participating in an Internet Exchange. It commenced with Internet address planning using both IPv4 and IPv6, followed by setting up OSPF on different internal networks, then interconnecting those using BGP and applying routing policy and filtering. The workshop concluded with how to set up an IXP and a discussion of current best practices for peering.

Twelve participants attended the workshop, drawn from the incumbent Continue reading

Deploying TLS 1.3

Last week saw the formal publication of the TLS 1.3 specification as RFC 8446. It’s been a long time coming – in fact it’s exactly 10 years since TLS 1.2 was published back in 2008 – but represents a substantial step forward in making the Internet a more secure and trusted place.

What is TLS and why is it needed?

Transport Layer Security (TLS) is widely used to encrypt data transmitted between Internet hosts, with the most popular use being for secure web browser connections (adding the ‘S’ to HTTP). It is also commonly (although less visibly) used to encrypt data sent to and from mail servers (using STARTTLS with SMTP and IMAP/POP etc.), but can be used in conjunction with many other Internet protocols (e.g. DNS-over-TLS, FTPS) where secure connections are required. For more information about how TLS works and why you should use it, please see our TLS Basics guide.

TLS is often used interchangeably with SSL (Secure Socket Layers) which was developed by Netscape and predates it as an IETF Standard, but many Certification Authorities (CAs) still market the X.509 certificates used by TLS as ‘SSL certificates’ due to their familiarity with Continue reading

ISOC advocating IoT Trust at APAN 46

APAN 46 is being held on 5-9 August 2018 in Auckland, New Zealand, with the Internet Society being one of the sponsors. I’ll also be talking about IoT Security and the OTA IoT Trust Framework, as well as using the opportunity to continue to raise awareness of the MANRS Routing Security Initiative amongst network operators in the Asia-Pacific region.

The Asia Pacific Advanced Network (APAN) supports the research and education networks in the region to help them to connect to each other and to other R&E networks around the world, provides opportunities to exchange knowledge, and coordinates common activities, services and applications for its membership. It was established back in 1997, and this is the second of its two annual meetings for 2018.

I’ll be speaking during the Internet-of-Things session next Wednesday (8 August 2018 @ 09.00-10.30 UTC+12), and will discuss how IoT is responsible for huge growth in the number of unmanaged or minimally-managed devices connected to the Internet, but do we really know who or what is communicating with them, and the information they are collecting and sending? I’ll also present ISOC’s Online Trust Alliance’s initiative to develop the IoT Trust Framework which is backed Continue reading

IETF 102, Day 5: Au revoir Montréal

There’s just the couple of sessions to highlight on the last day of IETF 102 before we wrap up for the week.

V6OPS continues at 09.30 EDT/UTC-4 where it left off on Thursday afternoon. On the agenda are drafts relating to Multi-Addressing Considerations for IPv6 Prefix Delegation which considers prefix delegation considerations for both classic routing and various multi-addressing use cases; whilst IP over Ethernet (IPoE) Session Health Checking describes a mechanism for IP over Ethernet clients to achieve connectivity validation using PPP-style keepalives such as BFD Echo, or ARP and Neighbor Discovery functions.

The remaining draft proposes a method for Discovering Provisioning Domain Names and Data, which describes a way for hosts accessing the Internet via multiple interfaces and with possible multiple IPv6 prefixes, to identify themselves using Fully Qualified Domains as Provisioning Domain identifiers.


NOTE: If you are unable to attend IETF 102 in person, there are multiple ways to participate remotely.


The final session starting 11.50 EDT/UTC-4 includes IDR. This has been working on (amongst other things) the issue of route leaks, and is trying to pull together different conflicting approaches towards mitigation of these in favour of a more complementary approach. This work includes two drafts Continue reading
