Short Take: BGP Peering Updates

Worth Reading: Measuring the KSK Roll

When viewed as a network infrastructure, looks can be very deceiving when looking at the DNS. It appears to be a simple collection of resolvers and servers. Clients pass their DNS name resolution queries to resolvers, who then identify and ask an appropriate authoritative name server to resolve the DNS name, and the result is passed back to the client. —Goeff Huston @potaroo

Worth Reading: The KSK Rollover

In a little over two weeks, precisely in 17 days (on 11 October 2018 at 16:00 UTC), ICANN will roll the Domain Name System Security Extensions (DNSSEC) root Key Signing Key (KSK). —Adiel A. Akplogan @CircleID

IPv6 Security Considerations

When rolling out a new protocol such as IPv6, it is useful to consider the changes to security posture, particularly the network’s attack surface. While protocol security discussions are widely available, there is often not “one place” where you can go to get information about potential attacks, references to research about those attacks, potential counters, and operational challenges. In the case of IPv6, however, there is “one place” you can find all this information: draft-ietf-opsec-v6. This document is designed to provide information to operators about IPv6 security based on solid operational experience—and it is a must read if you have either deployed IPv6 or are thinking about deploying IPv6.

The draft is broken up into four broad sections; the first is the longest, addressing generic security considerations. The first consideration is whether operators should use Provider Independent (PI) or Provider Assigned (PA) address space. One of the dangers with a large address space is the sheer size of the potential routing table in the Default Free Zone (DFZ). If every network operator opted for an IPv6 /32, the potential size of the DFZ routing table is 2.4 billion routing entries. If you thought converging on about 800,000 routes is Continue reading

Worth Reading: The Ecology of Web Browsing Engines

Early in my career when I worked at agencies and later at Microsoft on Edge, I heard the same lament over and over: “Argh, why doesn’t Edge just run on Blink? Then I would have access to ALL THE APIs I want to use and would only have to test in one browser!” Let me be clear: an Internet that runs only on Chrome’s engine, Blink, and its offspring, is not the paradise we like to imagine it to be. —Rachel Nabors @css-tricks

Bird

Weekend Reads 092818

Windows and Linux users need to beware, as an all-in-one, destructive malware strain has been discovered in the wild that features multiple malware capabilities including ransomware, cryptocurrency miner, botnet, and self-propagating worm targeting Linux and Windows systems. —Swati Khandelwal @The Hacker News

According to IDC Research’s recent US DDoS Prevention Survey, more than 50% of IT security decision makers said that their organization had been the victim of a distributed denial-of-service (DDoS) attack as many as 10 times in the past year. For those who experienced an attack, more than 40% lasted longer than 10 hours. This statistic correlates with our ATLAS findings, which show there were 7.5 million DDoS attacks in 2017 — a rate, says Cisco, that is increasing at roughly the same rate as Internet traffic. —Carlos Morales @Dark Reading

As the topic of hacking back continues to resurface among elected officials, those of us in the cybersecurity community are scratching our heads over why this concept refuses to die. After digging deeper, one can see that there are many misperceptions regarding what the terms “hacking back” and “active cyber defense” (ACD) actually mean. General frustration and misinformation are driving the interest, but the mixing of Continue reading

Worth Reading: Why you shouldn’t join a startup

According to a statistic published in a Harvard Business School study by Shikhar Ghosh, 75% of venture-backed (yes, venture-backed) startups fail. In a study by Statistic Brain, Startup Business Failure Rate by Industry, 50 percent of all U.S. companies fail after 5 years, and over 70 percent fail after 10 years. This is if you are lucky enough to get some venture funding. —Sean Choi @Free Code Camp

Worth Reading: Persistent DNS connections

For decades, the Domain Name System (DNS) has been based on a connectionless semantic: a client sends its query as a single User Datagram Protocol (UDP), and it receives a single UDP datagram with the response. This very simple communication model, along with efficient caching and clear administrative boundaries, is what allowed the DNS to scale and successfully adapt to an ever-increasing demand. —Baptiste Jonglez @APNIC

Worth Reading: Are carriers still missing the IoT point?

Sprint is yet another operator to announce an IoT platform, but we still don’t have a real handle on what a really useful IoT platform would look like. So far, perhaps not surprisingly, what’s coming out focuses on what the operator does in the RAN to support IoT sensors. Is that all there is, or even the best overall place to focus? I don’t think so. —Tom Nolle @CIMI

Worth Reading: How to get things done

Have you ever come into work, sat down at your computer to begin a project, opened your editor, and then just stared at the screen? This happens to me all the time, so I understand your struggle. —Kate Matsudaira @ACM Queue

Worth Reading: The Microserver, Redux

If there is one rule of computing, is that it gets increasingly more expensive and more difficult to scale up performance within a single device or a single server node. And if there is another rule, it is that companies would rather throw hardware at a problem than rewrite their software. —Timothy Prickett Morgan @The Next Platform

Network Collective: Do You Really Need Good Engineers?

Worth Reading: Internet Performance Myths that Sabotage SaaS

Software as a Service has become the de facto delivery model for core business applications today. The most business-critical network between the end user and the application is now the public internet. —Pej Roshan @The New Stack

Worth Reading: eVPN Behind the Curtain

Is EVPN magic? Well, like Arthur C Clarke said, any considerable leap in technology is indistinguishable from magic. On that premise, moving from a traditional layer 2 environment to VXLAN driven by EVPN has much of that same hocus pocus feeling. —Rama Darbha and Eric Pulvino @Cumulus

BGP Security: A Gentle Reminder that Networking is Business

At NANOG on the Road (NotR) in September of 2018, I participated in a panel on BGP security—specifically the deployment of Route Origin Authentication (ROA), with some hints and overtones of path validation by carrying signatures in BGP updates (BGPsec). This is an area I have been working in for… 20 years? … at this point, so I have seen the argument develop across these years many times, and in many ways. What always strikes me about this discussion, whenever and wherever it is aired, is the clash between business realities and the desire for “someone to do something about routing security in the DFZ, already!” What also strikes me about these conversations it the number of times very fundamental concepts end up being explained to folks who are “new to the problem.”

Part of the problem here is Continue reading

Worth Reading: Internet Reliability Report

Internet connectivity at the inter-domain level is based on connectivity between Autonomous Systems (ASes). As the number of alternate routes between ASes increases, so does fault-resistance and the stability of the Internet in a given economy increase. However, some paths prove to be more important than others. —Alexander Azimov @APNIC

Weekend Reads 092118

Five of the largest U.S. technology companies pledged support this year for a dangerous law that makes our emails, chat logs, online videos and photos vulnerable to warrantless collection by foreign governments. Now, one of those companies has voiced a meaningful pivot, instead pledging support for its users and their privacy. EFF appreciates this commitment, and urges other companies to do the same. —David Ruiz @EFF

Quantum computing is a new way of computing — one that could allow humankind to perform computations that are simply impossible using today’s computing technologies. It allows for very fast searching, something that would break some of the encryption algorithms we use today. And it allows us to easily factor large numbers, something that would break the RSA cryptosystem for any key length. @Schneier on Security

If you manage Internet number resources in the APNIC Whois Database, you are requested to provide contact information so that people can contact you for network abuse or troubleshooting. You and your colleagues might have created person objects for this purpose. However, from time to time a person performing a role may change. If you have a lot of resource contacts to manage, updating person contacts can Continue reading

Grill

Worth Reading: IPv6 in a WISP

This guide is meant to give you an overview of an example IPv6 addressing plan for an entire WISP as well as the config needed in MikroTik to deploy IPv6 from a core router all the way to a subscriber device. —Kevin Myers @Stubarea51