Kevin Meynell

Author Archives: Kevin Meynell

IETF 102, Day 4: DNS, IoT & TLS

This week is IETF 102 in Montreal, Canada, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. Today we’re focusing on DNS, IoT and TLS issues.

LPWAN is the first event of the day starting at 09.30 EDT/UTC-4. There will be a discussion relating to the Working Group Last Call on the Static Context Header Compression (SCHC) framework, which provides both header compression and fragmentation functionalities; and on how to advance the LPWAN Static Context Header Compression (SCHC) for CoAP specification. Two other drafts are being presented for adoption by the Working Group relating to SCHC specifications (see https://tools.ietf.org/html/draft-petrov-lpwan-ipv6-schc-over-lorawan-02 and https://tools.ietf.org/html/draft-zuniga-lpwan-schc-over-sigfox-03).


NOTE: If you are unable to attend IETF 102 in person, there are multiple ways to participate remotely.


The first session of V6OPS commences at 13.30 EDT/UTC-4, and will continue on Friday morning. Today’s agenda items include a presentation on World IPv6 Trends from APNIC Labs, followed by discussion on a new draft NAT64/464XLAT Deployment Guidelines in Operator and Enterprise Networks which describes considerations with respect to applications or devices using literal IPv4 addresses or non-IPv6 compliant APIs, as well Continue reading

IETF 102, Day 3: DNSSEC, DPRIVE & IoT

This week is IETF 102 in Montreal, Canada, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. And today’s topics include DNS Security & Privacy, along with more IPv6 and IoT.

The first DNSOP session will start at 09.30 EDT/UTC-4, and will continue on Thursday evening. Topics of interest include a draft on Algorithm Implementation Requirements and Usage Guidance for DNSSEC, which updates current algorithm implementation requirements and usage guidance for DNSSEC (obsoleting RFC 6944). Another draft on Multi Provider DNSSEC models describes how to deploy DNSSEC in environments where multiple DNS providers are in use, whilst Delegation_Only DNSKEY flag introduces a new flag for DNSSEC keys that can address a potential attack.


NOTE: If you are unable to attend IETF 102 in person, there are multiple ways to participate remotely.


Alternatively, the relatively new working group SUIT will also be meeting at the same time. Vulnerabilities in Internet of Things (IoT) devices have raised the need for secure firmware updates that are also suitable for constrained environments, and this group aims to develop an interoperable update mechanism. There are three drafts up for discussion, including the description of the firmware Continue reading

IETF 102, Day 2: Trust in the IETF

This week is IETF 102 in Montreal, Canada, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. And today’s topics include IPv6, IoT and Trust technologies.

6MAN commences at 09.30 EDT/UTC-4, and has six new drafts up for discussion covering IPv6 Neighbor Discovery Extensions for Prefix Delegation, IPv6 VPNs, ICMPv6, OAM in Segment Routing Networks with an IPv6 Data plane, allowing low or zero valid lifetimes to be accepted in Router Advertisement Prefix Information Options where it’s known that there can only be one router on the link; as well as introducing a new IPv6 ‘unrecognised’ option for ICMPv6 that conveys whether an underlying network can transmit IPv6 packets.

There are also three working group sponsored drafts, adopted from the last meeting. Privacy Extensions for Stateless Address Autoconfiguration in IPv6 describes an extension that causes nodes to generate global scope addresses from interface identifiers that change over time; IPv6 Segment Routing Header specifies how a node can steer a packet through a controlled set of instructions (segments) by prepending an SR header to the packet; whilst IPv6 Router Advertisement IPv6-Only Flag is an update to RFC 5175 that indicates Continue reading

IETF 102, Day 1: IETF arrive à Montréal

Tomorrow sees the kickoff of the Working Group sessions at IETF 102 in Montreal, Canada, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. Monday is an important day, with meetings of the TLS, 6MAN and SIDROPS Working Groups, along with two other IoT related groups.

6MAN commences at 09.30 EDT/UTC-4, and has six new drafts up for discussion covering IPv6 Neighbor Discovery Extensions for Prefix Delegation, IPv6 VPNs, ICMPv6, OAM in Segment Routing Networks with an IPv6 Data plane, allowing low or zero valid lifetimes to be accepted in Router Advertisement Prefix Information Options where it’s known that there can only be one router on the link; as well as introducing a new IPv6 ‘unrecognised’ option for ICMPv6 that conveys whether an underlying network can transmit IPv6 packets.

There are also three working group sponsored drafts, adopted from the last meeting. Privacy Extensions for Stateless Address Autoconfiguration in IPv6 describes an extension that causes nodes to generate global scope addresses from interface identifiers that change over time; IPv6 Segment Routing Header specifies how a node can steer a packet through a controlled set of instructions (segments) by prepending an SR header Continue reading

ISOC’s Hot Topics at IETF 102

The 102nd meeting of the IETF starts tomorrow in Montreal, Canada. This will be the third time that an IETF has been held in the city, and tenth time in Canada – the first being way back in 1990.

The ISOC Internet Technology Team is as always highlighting the latest IPv6, DNSSEC, Securing BGP, TLS and IoT related developments, and we discuss these in detail in our Rough Guide to IETF 102. But we’ll also be bringing you daily previews of what’s happening each day as the week progresses.

Below are the sessions that we’ll be covering in the coming week. Note this post was written in advance so please check the official IETF 102 agenda for any updates, room changes, or final details.

Monday, 16 July 2018

Tuesday, 17 July 2018

  • Distributed Mobility Management (dmm) – Van Horne @ 09.30-12.00 UTC-4
  • Continue reading

Rough Guide to IETF 102: IPv6

In this post for the Internet Society Rough Guide to IETF 102 I’ll review what’ll be happening at the IETF meeting in Montreal next week on the topic of all things IPv6.

IPv6 global adoption rates have shown slow growth since IETF 101 and are currently approaching 25% overall. With the almost total depletion of the remaining pools of new IPv4 addresses, more-and-more networks have been increasing their IPv6 deployments, with the top 15 network operators supporting nearly half-a-billion IPv6 users. In addition, 28 percent of the Alexa Top 1000 websites are IPv6-enabled, including many of the large content providers who are now delivering native IPv6 traffic to mobile devices in particular. The US recently reached 40% deployment with nearly 80% of smartphones using IPv6, whilst along with Belgium, India, Germany, Brazil and Japan who still lead the way, we’re starting to see significant growth in countries such as Switzerland, Portugal, Estonia, Uruguay, Ecuador, Peru and New Zealand.

IPv6 is always an important focus for the IETF, particularly with respect to the standardisation work related to the Internet-of-Things.

The IPv6 Maintenance (6man) Working Group is a key group and it will be meeting on Monday morning. It hasn’t published any RFCs since Continue reading

ISOC advocates good MANRS within European R&E community

The Internet Society will be participating in the GÉANT Services and Technology Forum this week, as it continues to develop its relationship with research and education networking in support of improved routing security. GÉANT is the pan-European networking activity that connects and supports 41 National Research and Education Networks (NRENs), and which recently joined the MANRS initiative.

R&E networks are especially important partners for improving the security and resilience of the global routing system, as they are generally not in competition with each other and are able to take a collective lead in addressing global networking problems. As historically early adopters of initiatives, they are also able to set the example for security proficiency and offer a unique selling point to their customers.

The MANRS initiative is also keen to utilise the expertise of the R&E community in capacity building, and providing input and feedback on the MANRS Observatory that is being developed to provide analysis of the state of the security and resilience of the routing system.

There are currently eleven (N)RENs participating in MANRS including GÉANT (Europe), NORDUnet (Nordic countries), CSC/FUNET (Finland), RUNNET (Russian), SUNET (Sweden), SURFnet (Netherlands) and BelWue (Baden-Württemberg/Germany) in Europe. Other participants elsewhere in the world Continue reading

IoT Security is the Heart of the Matter

The Internet Society is raising awareness around the issues and challenges with Internet of Things (IoT) devices, and the OTA IoT Trust Framework is promoting best practices in protection of user security and privacy. The importance of this was brought home with the keynote talk at the recent TNC18 Conference, which was given by Marie Moe (SINTEF) who related her experiences with her network-connected heart pacemaker.

Marie is a security researcher (who also formerly worked for NorCERT, the Norwegian National Cybersecurity Centre) who has an implanted pacemaker to monitor and control her heart, and has used the opportunity to investigate the firmware and security issues that have had detrimental and potentially fatal consequences. Quite aside from uncovering misconfigurations that required tweaking (e.g. the maximum heartbeat setting turned out to be set too low for a younger person), and an adverse event that required a firmware upgrade, she was even more concerned to discover that little consideration had gone into the authentication and access aspects that might allow an attacker to take control of the device.

These devices allow their recipients to lead normal lives, and of course being network-connectable has many practical advantages in terms of monitoring and Continue reading

SEE 7: Connectivity, Routing Security & IoT

The 7th RIPE South-East Europe (SEE 7) meeting is being held on 18-19 June 2018 in Timisoara, Romania, and is focusing on several of the subjects of interest to the Internet Society. It’s also being chaired by our colleague Jan Žorž, whilst I’ll be talking about IoT Security and the OTA IoT Trust Framework.

On Monday, there are talks on BGP monitoring from Paolo Lucente (pmacct), and from Krzysztof Grzegorz Szarkowicz (Juniper Networks) on improvements to routing protocols to suit the centralised data centre-based architectures that are becoming more prevalent on the Internet, and which are the subject of an Internet Draft. Zoran Perovic (SOX) will also talk about paradigm shifts in the implementation of Internet Exchange Points.

On Tuesday, there will be a discussion led by Goran Slavic (SOX) on implementing MANRS in an IXP, which is very relevant to the current MANRS initiative which is increasingly being adopted by IXPs. Our colleague Jan will then be presenting about RIPE-690 which provides recommendations for IPv6 address prefix assignments for end-users. Preceding this will be an update on IPv6 adoption in the SEE region from Massimiliano Stucchi (RIPE NCC).

Some other highlights are the talk on Quad9DNS by Nishal Goburdhan (PCH) that’s supporting Continue reading

MANRS BCOP published as RIPE document

The MANRS initiative’s set of Best Current Operational Practices has received recognition from the RIPE community by being published as RIPE-706.

Mutually Agreed Norms for Routing Security (MANRS) – which is supported by the Internet Society – aims to help network operators around the world to improve the security and resilience of the global routing system through four actions that include filtering, anti-spoofing, coordination and support for global validation. It currently involves over 85 organisations encompassing nearly 200 Autonomous Systems around the world, including some of the largest ISPs.

The MANRS BCOP offers guidance on how to practically implement each of the MANRS actions, based on the operational experiences of numerous network operators around the world. It’s a must read for those working with the global routing system, as routing security is a shared responsibility and needs commitment to good practices from all its participants.

The RIPE documents are developed and approved by the RIPE community, having been published since 1989. They include technical and operational recommendations, as well as policy, procedural and organisational documents. The publication of RIPE-706 represents community recognition of the MANRS principles and the importance of a commitment to routing security.

The MANRS initiative would like to thank David Freedman, Brian Continue reading

ISOC has goals at TNC18

This week is TNC18, the largest European research and education networking conference, which is being held at the Lerkendal Stadium in Trondheim, Norway – the home of current Norwegian Football Champions Rosenborg BK. Of course we’re actually in a conference centre underneath one of the grandstands and not on the pitch, but this is still a premier event that brings together managers, network engineers, and researchers from R&E networks in Europe and the rest of the world.

The Internet Society is not only one of the conference sponsors, but has a significant role in the programme as well. Our colleague Karen O’Donoghue on Monday spoke about NRENs and IoT Security in the ‘What’s Coming Next In Privacy Innovation’ session, where she’s discussing the security and privacy challenges of burgeoning numbers of IoT devices and how these will impact R&E communities. ISOC is encouraging the development of best practices through the Online Trust Alliance’s IoT Security & Privacy Trust Framework, and this is a good opportunity to discuss how the NREN community can take the lead in adopting good operational practice.

Karen will also be talking about Time and Security during the ‘Security’ session on Tuesday. Continue reading

SINOG 5: IPv6, DNS Privacy and IoT Security

There will be significant Internet Society involvement at SINOG 5 next week, which is being co-organised by our colleague Jan Žorž, supported by ISOC, and will feature talks on NAT64Check and the Online Trust Alliance. SINOG is the Slovenian Network Operators Group, and the meeting is held on 7-8 June 2018 at the Biotehniška Fakulteta in Ljubljana, Slovenia.

It’s well worth coming for the keynote alone, which will be given by Ron Broersma (DREN) – one of the earliest Internet pioneers who operated Node #3 of ARPANET. He’ll be talking about IPv6, the Cloud, and a bit of Internet history, and as he was involved in the NCP-to-TCP/IP migration back in 1983, there are perhaps some lessons to be learned in migrating from IPv4-to-IPv6.

Following-on from this will be how IPv6 was implemented at IBM from Andy Mindnich (IBM), a discussion on the issues of CGN and IPv6 from a law enforcement perspective from Sara Marcolla (Europol), some of which we touched upon in a previous blog, and then an update on version 2 of the NAT64Check portal from Sander Steffann. NAT64Check is a tool allowing you to enter the URL of a particular website and run tests over IPv4, IPv6 and NAT64, and Continue reading

RIPE 76 Sees Strong Focus on Routing Security

The RIPE 76 meeting is happening this week in Marseille, France, held at the fantastic location of the Palais du Pharo overlooking Marseille’s Old Port. And it’s also another record attendance with over 850 people registered.

The first couple of days have primarily been devoted to plenary sessions, and there’s been a big focus on routing security. Erik Bais (A2B Internet) kicked off the discussion with a presentation on ‘Why are we still seeing DDoS traffic?’, which highlighted that DDoS attacks are still originating from the same networks. Looking at the list of the worst offenders, there’s even one amongst the regular RIPE attendees, and he called for networks to clean up their acts. This was also a good opportunity to highlight the MANRS initiative, which of course includes measures to mitigate amplification attacks, and encourages networks to make good routing practices the norm.

Alexander Azimov (Qrator Labs) reinforced this message by outlining the current problems with BGP, including the ongoing route leaks and hijacks affecting the Internet. There are currently only moral obligations to not use other providers’ address space or to support anti-spoofing policies, yet major providers (including Tier 1 providers) continue to both originate Continue reading

RIPE 76 dans le Midi

The RIPE 76 meeting starts next week in Marseille, which surprisingly is only the second RIPE meeting to have ever been held in France. RIPEs are always a key event for the Internet Society, with one of our colleagues, Jan Žorž, being a member of the RIPE Programme Committee, and another, Salam Yamout, being a member of the RIPE NCC Board. Andrei Robachevsky will be presenting during the Connect Working Group, and I’ll be there reporting on the highlights of the meeting, as well as staffing the MANRS stand on Thursday, so please come and say hello!

The Internet Society is also sponsoring the new RIPE on-site childcare service, whilst on Thursday we’ll be raising awareness of the MANRS initiative by organising a lunch for MANRS advocates, as well as having a stand in the exhibition area with goodies such as MANRS t-shirts and stickers.

The RIPE meeting is back to its usual Monday morning start after Dubai, and there are three tutorials to choose from on Event-driven Network Automation and Orchestration using Salt (Mircea Ulinic), SRv6 Network Programming (Pablo Camarillo Garvia, Cisco), or IPv6 Security (Alvaro Vives, RIPE NCC).

The opening plenary commences at 14.00 CEST/UTC+2, and after the Continue reading

ISOC Engages with R&E Networking in the Asia-Pacific Region

The APAN 45 meeting was held on 25-29 March 2018 in Singapore, where Kevin Meynell presented the MANRS routing security initiative during the Network Engineering Workshop.

We’ve previously discussed the underlying trust-based issues of BGP that MANRS attempts to address in a number of blogs, but we’re particularly interested in partnering with R&E networking communities for the reasons that National Research and Education Networks (NRENs) are often early adopters of new technologies and initiatives, they’re interested in distinguishing themselves from commercial operators, and the R&E community is a collaborative one.

This engagement resulted in significant interest from a number of NRENs in becoming MANRS participants, with AARNet (Australian Academic and Research Network) signing-up shortly afterwards (AS 7575). The presentation is available on the APAN 45 website, and may be freely used by those interested in promoting MANRS to raise awareness of routing security issues and promote the initiative.

APAN (Asia Pacific Advanced Network) supports the R&E networks in the region to help them to connect to each other and to other R&E networks around the world, allows knowledge to be exchanged, and coordinates the activities, services and applications of its members for their common good. APAN and the preceding APNG Continue reading

Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more

There was an important development this month with the launch of Cloudflare’s new 1.1.1.1 DNS resolver service. This is a significant development for several reasons, but in particular it supports the new DNS-over-TLS and DNS-over-HTTPS protocols that allow for confidential DNS querying and response.

Why 1.1.1.1?

Before we get to that though, Cloudflare joins Google’s Public DNS that uses 8.8.8.8 and Quad9 DNS that uses 9.9.9.9, by implementing 1.1.1.1 as a memorable IP address for accessing its new DNS service. IP addresses are generally not as memorable as domain names, but you need access to a DNS server before you can resolve domain names to IP addresses, so configuring numbers is a necessity. And whilst a memorable IP address might be cool, it’s also proved important recently when DNS resolvers have been blocked or taken down, requiring devices to be pointed elsewhere.

The 1.1.1.1 address is part of the 1.1.1.0 – 1.1.1.255 public IP address range actually allocated to APNIC, one of the five Regional Internet Registries, but it has been randomly used as an address for Continue reading

IETF 101, Day 5: All Clear, Right?

This week IETF 101 is taking place in London. The ISOC Internet Technology Team brings you daily blog posts highlighting the topics of interest.

NOTE: If you are unable to attend IETF 101 in person, there are many ways to participate remotely.


Homenet starts at 09.30 GMT/UTC. Homenet currently has the Babel routing protocol profile. Other drafts included are: Simple Homenet Naming and Service Discovery Architecture, Outsourcing Home Network Authoritative Naming Service, and DHCPv6 Options for Homenet Naming Architecture.

To find out more, click here


IETF 101, Day 5: All Sorted, Innit?

This week is IETF 101 in London, and we’ve been bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. Friday is only a half-day, but there’s still a couple of interesting sessions to wrap-up the week.


NOTE: If you are unable to attend IETF 101 in person, there are multiple ways to participate remotely.


Homenet starts at 09.30 GMT/UTC, and has the Homenet profile of the Babel routing protocol currently in IETF Last Call. Other drafts being discussed include the Simple Homenet Naming and Service Discovery Architecture, Outsourcing Home Network Authoritative Naming Service, and DHCPv6 Options for Homenet Naming Architecture.

The remainder of the agenda will be a discussion about Homenet security in relation to the home perimeter, HNCP and Babel, as well as appropriate trust models and how to establish trust.

ROLL continues from where it left off on Thursday morning, also starting at 09.30 GMT/UTC. There are several drafts being discussed dealing with the issues of routing over resource constrained networks where limited updates are possible.

So that brings the IETF in London to a close, and hopefully we’ve also given you a bit of an Continue reading

IETF 101, Day 4: The Brass Tacks about DNS and Routing

This week is IETF 101 in London, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. And Thursday is probably the busiest day for us, covering the whole range of our interests.

ROLL has its first of two sessions starting at 09.30 GMT/UTC; continuing on Friday morning. There are several drafts being discussed dealing with the issues of routing over resource constrained networks where limited updates are possible.


NOTE: If you are unable to attend IETF 101 in person, there are multiple ways to participate remotely.


There’s a choice between a couple of working groups after lunch, starting at 13.30 GMT/UTC.

DOH was chartered to create a single RFC, so clearly the draft DNS queries over HTTPS is going to be the primary focus of discussion. However, there will also be updates on the practical implementation work, and a discussion about possible future work if there is a decision to re-charter the group.

6LO runs in parallel and has a fairly busy agenda with Registration Extensions for 6LoWPAN Neighbor Discovery, and Address Protected Neighbor Discovery for Low-power and Lossy Networks having received feedback from the IESG. Continue reading

IETF 101, Day 3: TLS & DPRIVE is no Diet Coke

This week is IETF 101 in London, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. There’s plenty of variety on Wednesday, following the themes of Trust and Identity, IPv6 and the Internet-of-Things.

TLS has its second session of the week starting at 09.30 GMT/UTC, and will be focused on the big development of the TLS 1.3 specification being approved by the IESG. Some further work is required, but there are a number of TLS 1.3 related drafts up for discussion.

These include Datagram Transport Layer Security, DTLS Connection Identifier, Exported authenticators in TLS, DANE Record and DNSSEC Authentication Chain Extension for TLS, TLS Certificate compression, SNI Encryption in Tunnelling via TLS, and Semi-static DH Key Establishment in TLS 1.3.


NOTE: If you are unable to attend IETF 101 in person, there are multiple ways to participate remotely.


Running in parallel is LPWAN which is working on enabling IPv6 connectivity with very low wireless transmission rates between battery-powered devices spread across multiple kilometres. There’s a draft providing an overview of the set of LPWAN technologies under consideration by the IETF Continue reading