Google leaked prefixes – and knocked Japan off the Internet

Last Friday, 25 August, a routing incident caused large-scale internet disruption. It hit Japanese users the hardest, slowing or blocking access to websites and online services for dozens of Japanese companies.

What happened is that Google accidentally leaked BGP prefixes it learned from peering relationships, essentially becoming a transit provider instead of simply exchanging traffic between two networks and their customers. This also exposed some internal traffic engineering that caused many of these prefixes to get de-aggregated and therefore raised their probability of getting accepted elsewhere.

The incident technically lasted less than ten minutes, but spread quickly around the Internet and caused some damage. Connectivity was restored, but persistently slow connection speeds affected industries like finance, transportation, and online gaming for several hours. Google apologized for the trouble, saying it was caused by an errant network setting that was corrected within eight minutes of its discovery.

This incident showed, again, how fragile the global routing system still is against configuration mistakes, to say nothing about malicious attacks.

What it also showed is a lack of defense – the incident propagated seemingly without any attempt from other networks to stop it.

The Internet Society works to address security in many ways, Continue reading

IGF-USA: Promoting a More Inclusive Internet

The IGF-USA took place in Washington D.C on July 24, 2017. During the event, the panel “Promoting a More Inclusive Internet” looked at current barriers to an inclusive Internet and explored how access could be expanded to underserved areas and to underrepresented communities. Moderated by Dr. Brandie Nonnecke, Research & Development Manager for CITRIS and the Banatao Institute at the University of California-Berkeley and Chair of the San Francisco-Bay Area Internet Society Chapter Working Group on Internet Governance, the panel brought together several experts on access provision, each with many years experience of connecting the unconnected in the USA and overseas.

Decentralized Approach

One of the main themes of the panel was that there is no ‘one size fits all’ approach to getting communities online. Rather than focus on technical deployment, the panelists argued that the focus needs to shift to what Internet access actually means to different communities and to solutions adapted to fit their specific needs. When proposing solutions, the first question that needs to be asked is, ‘What are the problems that Internet access will solve?’ Often, what works for one community won’t work for another. “No one should decide what other people’s Internet access Continue reading

VNIX-NOG 2017 held in Ho Chi Minh City

VNNIC, the National Internet Registry (NIR) of Vietnam, organized 2 major events in Ho Chi Minh City. VNNIC IP Member meeting on 24th August at VNNIC HCMC Office and second VNIX-NOG event on 25th August at Saigon Prince Hotel and was attended by our Deploy360 colleague Aftab Siddiqui. NetNam, a local ISP, provided Internet connectivity for the NOG event and did a great job by providing a dual stack IPv4 and IPv6 network.

The first event was for VNNIC IP members where reports were presented and NIR policies discussed, but the NOG event the following day was attended by around 70 people from various organizations including all the major telcos and ISPs in the country, the Internet Society, APNIC, Google and BBIX.

The opening speech was provided by Nguyen Hong Thang – Deputy Director of VNNIC, and a welcome note was added by Vu The Binh – General Secretary of Vietnam Internet Association (VIA) . Presentations from the event are available here, but the emphasis was on local participants to share their experience and local community engagement.

Nguyen Tran Hieu (VNIX) shared some network statistics of the Hanoi and Ho Chi Minh City nodes, which unfortunately showed that most members Continue reading

Evidence at the cost of trust: The trouble with the Department of Justice – DreamHost case

The social and economic benefits of the Internet cannot be realized without users’ ability to communicate and organize privately, and, where appropriate, anonymously. Data collection warrants must strike a balance to protect these benefits without impeding law enforcement’s ability to enforce the law. In recent weeks, the United States Department of Justice’s (DoJ) conflict with DreamHost, a website hosting service, has underscored the importance of this balance.

A week after the 2017 U.S. presidential inauguration, the DoJ issued a warrant to DreamHost to gather evidence for almost 200 cases related to violence that occurred during Inauguration Day protests. DreamHost had provided services to a website used to coordinate protests during the presidential inauguration.

The initial warrant was broad in scope; DreamHost stated that compliance would mean handing over records relating to 1.3 million IP addresses. This July, the DoJ went even further, issuing a new warrant asking for “Files, databases, and database records” regarding the website in question. DreamHost’s filing with the court specifies that the DoJ sought: the IP addresses of visitors to the website; which website pages were viewed by visitors; and a description of the software running on visitors’ computers.

The DoJ itself appears to Continue reading

Evidence at the cost of trust: The trouble with the Department of Justice – DreamHost case

RFC 8215: Local-Use IPv4/IPv6 Translation Prefix published

RFC 8215 “Local-Use IPv4/IPv6 Translation Prefix” was recently published, reserving the IPv6 prefix 64:ff9b:1::/48 for local use within domains enabling IPv4/IPv6 translation mechanisms.

This allows the coexistence of multiple IPv4/IPv6 translation mechanisms in the same network, without requiring the use of a Network-Specific Prefix assigned from an allocated global unicast address space.

The well-known prefix 64:ff9b::/96 was originally reserved by RFC6052 for IPv4/IPv6 translation, but several new translation mechanisms such as those in RFCs 6146 and 7915 have subsequently been defined that target different use cases. It’s therefore possible that a network operator may wish to make use of several of these simultaneously, hence why a larger address space has been defined to accommodate this.

The shortest translation prefix being deployed in a live network was observed as being a /64, hence /48 was chosen as being on a 16-bit boundary whilst being able to accommodate multiple instances of /64.

If you’re interested in finding out more about IPv4/IPv6 translation mechanisms, there’s a few Deploy360 blogs on NAT64 and 464XLAT amongst others.

The post RFC 8215: Local-Use IPv4/IPv6 Translation Prefix published appeared first on Internet Society.

Abidjan Holds a Successful AfPIF 2017

Abidjan became the third West African city to hold the annual Africa Peering and Interconnection Forum (AfPIF), attracting top African and global players in the Internet ecosystem.

This year’s forum attracted 227 participants working in IXPs, ISPs, governments, content carriers, network providers, hardware providers, and software service providers among others. The meeting tool, which allows participants to discuss ways to exchange content, had 276 registered users who scheduled 170 meetings. Twenty networks introduced themselves during “Peering Introductions” session, held every day. This year there were 23 sponsors: Seacom, Liquid Telecom, Angonix, Angola Cables, De Cix, Linx, Adva, Afrinic, Akamai, Dolphin, Facebook, Flexoptix, France IX, Google, icolo.io, Main One, Netflix, Netnod, Yahoo, Medalion, MTN, Teraco, and ARTCI.

Getting more statistics

Research conducted by PCH reinforced the fact that most peering agreements have no formal agreement. The study done in 2016 found that 99 per cent of peering agreements in 148 countries were through a handshake. The study asked questions such as: are there formal agreements, is the peering arrangement symmetrical, is the content is IPv6 or IPv4, and what are the laws governing the agreement. Out of the 1,935,822 agreements, 49 percent comprised of matching peers, meaning it was easy Continue reading

Abidjan Holds a Successful AfPIF 2017

AfPIF Day Two: Identifying Challenges and Opportunities

Take a Brief Survey to Support Community Networks

The Internet Society has worked with NetCommons to promote community networks. They are a conducting a survey to examine users’ concerns about Internet use and explore the potential of alternative Internet provision.

The netCommons project funded by EU (EU Horizon 2020 project netCommons: Network Infrastructure as Commons) aspires to study, support, and further promote community-based networking and communication services that can offer a complement, or even an alternative, to the global Internet’s current dominant model. It involves a collaboration of six organizations, namely the University of Trento in Italy, The Polytechnic University of Catalonia (UPC) in Spain, the National Center for Scientific Research (CNRS) in France, the University of Westminster (UK), the Athens University of Economics and Business in Greece, and the non-profit organization Nethood in Switzerland. 

Community networks provide citizens with access to a neutral, bottom- up network infrastructure, which increases the transparency of data flow, but they also represent an archetype of networked collective cooperation and action, mixing common or communal ownership and management of an infrastructure with a balanced set of services supported by the local stakeholders. In this way, they are a departure from the standard Internet, which is dominated by commercial Internet providers, global corporate Continue reading

AfPIF Day Two: Identifying Challenges and Opportunities

AfPIF Day Two Summary 

The second day at the Africa Peering and Interconnection Forum (AfPIF) is dedicated to plenary presentations and discussions between the technical community, private sector, and government representatives.

The discussions aim to foster understanding of the landscape the various players operate in, the challenges faced, opportunities and ways to create synergies that guarantee increased connectivity, and exchange of content within the region.

The first session of the day was the formal opening ceremony, with Yves Miezan Ezo, representative of the Conseiller Technique du Ministre de la Communicatiln, de l’Economie Numerique et de la Poste de la république de Cote d’Ivoire, Caliste Claude M’Bayia, representative of l’ARTCI, and Moctar Yadaly, head of Infrastructure and Energy at the African Union Commission (AUC).

In his speech, Dawit Bekele, Head of the Internet Society Africa Bureau, welcomed participants to the 8^th AfPIF session, noting that great strides have been made in Africa’s technology landscape, and it will get better.

The first AfPIF session was held in 2010 by the Internet Society out of the realization that too much African Internet traffic was exchanged outside the continent, and the region could save costs by exchanging the content locally.

Bekele noted Continue reading

Take a Brief Survey to Support Community Networks

DPRIVE experimental service debuts @ IETF 99

The IETF is not only a place to discuss the development of Internet protocols, but also offers a place for developers and operators to ‘eat their own dog food’ on the meeting network. And given that the IETF DPRIVE Working Group has published some RFC specifications over the past year, the most recent IETF 99 in Prague provided a timely opportunity to run an experimental DNS-over-TLS service.

DNS queries and responses are currently transmitted over the Internet entirely in the clear, and whilst DNSSEC is able to authenticate a response from a DNS server, it does not actually encrypt the transmitted information. The aim of DPRIVE is therefore to add mechanisms to provide confidentiality to DNS transactions and address concerns about pervasive monitoring using TLS or DTLS to encrypt queries and responses between DNS clients and servers.

Some information about how the experimental DNS-over-TLS service was set-up on the IETF network can be found on the IETF99 Experiments page, but the DNS Privacy Project offers a list of experimental servers supporting both IPv4 and IPv6 if you want to try this out yourself. You also can check out their up status.

The post DPRIVE experimental service debuts @ IETF 99 appeared first on Internet Society.

AfPIF 2017 Kicks Off In Abidjan

The annual Africa Peering and Interconnection Forum (AfPIF) kicked off at the Azalai Hotel in Abidjan, Ivory Coast. The first day is known as “Peering Coordinators Day” where peering managers from various networks, operators, and policy makers meet and deliberate on the various ways to exchange content locally, lower the cost of connectivity, and increase the number of internet users in the region. In the course of the three days, participants get a chance to discuss, exchange ideas, and agree to exchange content, known as peering. Most peering agreements are through the handshake and AfPIF encourages participants to take advantage of the various social events and share contacts. There is a session at the beginning and end of every day, where participant share their AS numbers, peering policy, and contacts, allowing those willing to interconnect to reach out. The first session explored the general data and interconnection landscape; Telegeography presented the latest statistics, which is derived from its annual survey. Statistics show that the growth of submarine cables has led to growth in Internet bandwidth and local content. Five years ago, International transit was growing at 40 per cent, but this year, the growth is at 30 per cent, owing Continue reading

IGF-USA: Promoting a More Inclusive Internet

AfPIF 2017 Kicks Off In Abidjan

NAT64check proves popular

We’ve already mentioned this a few times this year, but we’ve just published an more in-depth article about NAT64check over on the RIPE Labs and APNIC websites.

NAT64check is a tool developed by the Internet Society, Go6, SJM Steffann and Simply Understand that allows you to enter the URL of a particular website, and then run tests over IPv4, IPv6 and NAT64 in order to check whether the website is actually reachable in each case, whether identical web pages are returned, and whether all the resources such as images, stylesheets and scripts load correctly. The rationale behind NAT64check is also explained, how it works, and how you can use it.

If you just want to take a look at the tool, then please go to either https://nat64check.go6lab.si/ or https://nat64check.ipv6-lab.net/, type the URL you wish to check into the box at the top of the page, and the result should be returned within a few seconds. It’s simple and easy, and will help you identify what needs to be done to make your website accessible with IPv6.

Deploy360 also want to help you deploy IPv6, so please take a look at our Start Here page to learn more.

The post Continue reading

Announcing our updated Privacy Policy

Thirteen Fellows to Attend AfPIF 2017

Brazil needs to involve all stakeholders in Internet governance