Categories
Domain Name System (DNS) Domain Name System Security Extensions (DNSSEC) IETF Improving Technical Security Privacy

Rough Guide to IETF 97: DNSSEC, DANE and DNS Privacy and Security

DNS privacy will get a good bit of focus at the IETF 97 meeting in Seoul with a special tutorial as well as a meeting of the DPRIVE working group and activity in the IETF 97 Hackathon. DNS privacy will also come up in the DNSSD group this time, too. The DNS Operations working group will meeting and a new DNS BOF will take place. In contrast to the past few meetings, the Using TLS in Applications (UTA) working group where DANE has been discussed will not meet as their work is moving along on the mailing lists. Similarly, the DANE working group felt that work was moving along and no physical meeting was needed.

DNS Privacy Tutorial – Streamed Live On YouTube

On Sunday, November 13, one of the education tutorials will focus on DNS privacy and the work emerging out of the DPRIVE Working Group related to protecting the confidentiality of your DNS queries. Sara Dickinson will be leading this session and I expect it will be quite good. The session will be from 13:45-14:45 KST (UTC+9). The good news for anyone remote is that it will be streamed live on YouTube – it will also be available at that URL as a recording for those who can’t tune in live.

IETF 97 Hackathon

Over the weekend (12-13 Nov) we’ll have a good-sized “DNS team” in the IETF 97 Hackathon working on various projects around DNSSEC, DANE, DNS Privacy, using DNS over TLS and much more. You can also get more info in the IETF 97 Hackathon wiki. Anyone is welcome to join us for part or all of that event.

DNS Operations (DNSOP)

The DNS Operations (DNSOP) Working Group meets on Tuesday afternoon from 13:30-15:30. Unfortunately at the time I am writing this post the DNSOP agenda does not have many details. There are a significant number of documents under discussion on the mailing list and I expect a busy session.

I am not sure if there will be discussion of the Internet Draft on DNSSEC cryptographic algorithm agility in the meeting, but I do intend to meet with the other authors to plan our next steps.

DNSBUNDLED Birds of a Feather (BOF) session

On Wednesday morning from 9:30-11:00 there will be a BOF about “bundled domains”. It’s an interesting issue:

Bundled Domain will work on a DNS solution for fully mapping one domain name to another domain name. With the emergence of internationalized domain names and new TLDs, it is often useful to redirect one domain name tree fully to another domain name tree. Current DNS protocols have not provided such ability to satisfy these requirements.

These documents – draft-yao-bundled-name-problem-statement and draft-yao-dnsext-identical-resolution - go into more detail. The security issue here is really to understand how solutions here might work in a world of DNSSEC.

This BOF is not looking to form a working group but rather to identify work to be done by the IETF in general.

DNS Service Discovery (DNSSD)

On Thursday, the  Extensions for Scalable DNS Service Discovery (DNSSD) Working Group meets in the morning from 9:30-11:00am. DNSSD is not one of the groups we regularly mention as its focus is around how DNS can be used to discover services available on a network (for example, a printer or file server). But this time the DNSSD agenda includes specific discussion around the privacy of DNS queries when used in this context.

DNS Privacy (DPRIVE)

The DNS Privacy (DPRIVE) Working Group drew the short straw this IETF meeting and wound up in the last session block on Friday afternoon from 11:50-13:20. Regardless of how many people will be there, discussion should be lively as the group looks at expanding its efforts in a “Step 2” block of work. 

To date, DNS privacy work right now has been focused around using DNS over TLS from the stub resolver on a computer or device to the recursive resolver. This has been defined in RFC 7858 published in May 2016 and several other related documents are in the path to publishing (including using DNS over DTLS).

But back with the DPRIVE BoF first took place there was recognition that the next step was to look at protecting the privacy of queries between the recursive resolver and the authoritative servers. It was decided to focus on the stub-to-recursive area first, but now that that work is finishing up, Stephane Bortzmeyer will lead a discussion about moving on to the recursive-to-authoritative space. He’s written a draft that explores this issue. The outcome of the discussion will guide the future work of DPRIVE.

DNSSEC Coordination informal breakfast meeting

Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.

Other Working Groups

We will be monitoring the TLS WG, particularly given the focus on TLS 1.3, the Security Area open meeting and other similar sessions. The DNSSD working group will also be meeting although it’s not clear that security topics will be covered there right now.

It will be busy week!

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 96:

DNSOP (DNS Operations) WG
Tuesday, 15 November 2016, 1330-1530 KST (UTC+9), Grand Ballroom 1
Agenda: https://datatracker.ietf.org/meeting/97/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

DNSBUNDLED (Bundled Domains) BOF 
Wednesday, 16 November 2016, 930-1100 KST (UTC+9), Grand Ballroom 1
Problem statement: draft-yao-bundled-name-problem-statement/ 
Charter: http://tools.ietf.org/wg/dnsbundled/charters/

DNSSD (Extensions for Scalable DNS Service Discovery) WG 
Thursday, 17 November 2016, 0930-1100 KST (UTC+9), Studio 4
Agenda: https://datatracker.ietf.org/meeting/97/agenda/dnssd/ 
Documents: https://datatracker.ietf.org/wg/dnssd/ 
Charter: http://tools.ietf.org/wg/dnssd/charters/

DPRIVE (DNS Privacy) WG
Friday, 18 November 2016, 1150-1320 KST (UTC+9), Grand Ballroom 1
Agenda: https://datatracker.ietf.org/meeting/97/agenda/dprive/
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

Follow Us

There’s a lot going on in Seoul, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf97.

Categories
Building Trust Domain Name System Security Extensions (DNSSEC) Improving Technical Security IPv6 Open Internet Standards

Calling All Network Researchers – Call for Papers Opens for Applied Networking Research Workshop

We’re excited to announce the inaugural Applied Networking Research Workshop (ANRW) 2016, which will take place in Berlin on July 16. This one-day workshop will be co-sponsored by the Association for Computing Machinery (ACM), the Internet Society and the Internet Research Task Force (IRTF).

This academic workshop will provide a forum for researchers, vendors, network operators and the Internet standards community to present and discuss emerging results in applied networking research. Accepted papers will be published in the ACM Digital Library.

The ANRW ’16 particularly encourages the submission of results that could form the basis for future engineering work in the Internet Engineering Task Force (IETF), that could change operational Internet practices, that can help better specify Internet protocols, or that could influence further research and experimentation in the IRTF.

If you have some relevant work and would like to join us in Berlin for the workshop and potentially stay for the IETF 96 meeting that takes place in the following week, the submission deadline is May 16th.

The full Call for Papers includes detailed paper submission and formatting instructions.

I hope to see you in Berlin for what promises to be a very interesting workshop and a good warm-up for the IETF and IRTF meetings to follow.

[Photo Credit: istock.com]
Categories
Building Trust Domain Name System Security Extensions (DNSSEC) Events Improving Technical Security Technology

Bandwidth, Beer and Bratwurst – Speaking Security at Dyn's TechToberFest on October 1

What do bandwidth, beer and bratwurst have to do with each other?  Well… it is true that many Internet networking challenges have been worked out over beers between network operators, but in this case the link between the terms came in a tweet from Dyn promoting their TechToberFest event happening this Thursday, October 1, 2015, at their headquarters in Manchester, NH. 

I’ll be there for what looks like an excellent event focused on security, Internet performance and other Internet infrastructure concerns.  My particular role will be as a panelist in the 3:00-4:00 pm US EDT panel on “Chinese Hack, Sony Breach, Man in the Middle Attacks, how does that happen?

The panel will include:

  • Michael Farrell, Cybersecurity Editor, Christian Science Monitor (Moderator)
  • Kathleen Moriarty, IETF Security Area Director & Global Lead Security Architect, EMC
  • Professor Sean Smith, Research Director of Dartmouth College’s Institute for Security, Technology, and Society
  • Ben April, Director of Engineering, Farsight Security, Inc.
  • Dan York, Organizer, Internet Society’s DNSSEC Coordination Project

We’ve talked as a panel in a conference call and are looking forward to making it as engaging as we can.  No slides… just an open discussion about the major security trends and issues we see. You can expect I’ll probably work DNSSEC somewhere into the discussion – and I’ll no doubt mention “Collaborative Security“. 😉 I expect we’ll also talk about encryption, TLS, DDoS attacks… maybe some routing security. (Hmmm… will you hear me mention MANRS?) We’ll also be looking for questions from the audience.  We’ll see if we can get some good discussions going…  the reality is that we only have an hour!

Beyond that, I’m personally intrigued by the morning panel with David Benson of Akamai and Doug Madory of Dyn talking about the latest Internet trends they are seeing from the research they are doing.  Andrew Sullivan’s talk on network neutrality is a topic of interest… as is cloud security… and I’ll be intrigued to hear what Steve Case is up to these days.  It’s a great list of speakers!

A LIVE VIDEO STREAM will be available if you can’t make it in person: http://hub.dyn.com/h/i/144117157-techtoberfest-livestream

I am told all the sessions will be recorded for later viewing.  You an also follow along on Twitter (and presumably other social networks) using the hashtags #TechToberFest and #DynTTF.

Of course, attending remotely means you won’t get to experience the beer and bratwurst, which I understand will actually appear at the very end!

If you are going to be at the event in Manchester, please do say hello.  If you can’t get there I do hope you get a chance to join in remotely.

P.S. As a bonus, I’ll finally get to meet Kyle York from Dyn who I’ve met through social media a few years back… but who is no relation to me (that we know of, at least).

Categories
Domain Name System Security Extensions (DNSSEC) IETF Improving Technical Security Privacy

Rough Guide to IETF 93: DNSSEC, DANE, DPRIVE and DNS Security

Wow! There is a crazy amount of DNS activity happening at IETF 93 next week in Prague! Beyond the usual working groups we follow such as DNSOP and DANE, there are a wide range of other groups where DNS security and privacy are under discussion. It’s going to be a VERY busy week for all of us involved with DNS!  (And, there’s also the IETF 93 Hackathon starting on Saturday and Sunday where several of us will be working on code related to DNSSEC, DANE and more.)

Let’s walk through the week…

NOTE: If you are unable to attend IETF 93 in person, there are multiple ways to participate remotely and listen to these sessions. Also, all times below are Central European Summer Time (CEST) which is UTC+2.

DNS Operations (DNSOP)

Monday turns out to be a big DNS day with DNSOP starting off the back-to-back marathon in the 15:20 to 17:20 block. The major piece of DNSSEC-related work will be two different drafts from Joe Abley and Warren Kumari around publication of DNSSEC trust anchors. Both of these are work items out of the ongoing work around how we successfully perform a key rollover with critical DNSSEC keys such as the Key Signing Key at the root of DNS. After that, DNSOP will continue the ongoing discussion related to “special-use” names which, while not directly connecting to DNS security, should still be quite interesting.

Domain Boundaries (DBOUND)

Next up on Monday in the 17:40 to 18:40 session will be the DBOUND group. This group is look at the boundaries used to determine when an address being requested in DNS is “private” versus “public”. This impacts security policies.

DNS-based Authentication of Named Entities (DANE)

Finally in the 18:50 – 19:50 slot on Monday, the working group looking after the DANE protocol will be meeting to focus on three drafts:

  • TLS extension for DNSSEC
  • Client Certificates in DANE TLSA Records
  • DANE and SMIME

Given the amount of activity with using DANE in email communication these days, I expect there to be some good discussion.

Tuesday is TLS Day

Tuesday turns out to be “TLS Day” with both the core Transport Layer Security (TLS) and the Using TLS in Applications (UTA) groups meeting. Because of the connection to DANE, the TLS meeting is important to understand in terms of the evolution of the protocol with TLS 1.3 and beyond. There is packed agenda for the TLS WG and it spans two days – both Tuesday and Wednesday. If time permits, there is also a specific presentation for the group about DNSSEC and DANE validation chains. The UTA working group has a lighter agenda this time, but again is something we’ll follow because of the connection to TLS and DANE.

DNS Service Discovery (DNSSD)

Wednesday morning will begin with the 9:00-11:30 session having both the second session of the TLS Working Group and also the only session of DNSSD. The key reason to mention the group this time is that the DNSSD agenda includes a discussion of the threat model and security considerations for multicast DNS (mDNS).

Crypto Forum Research Group (CFRG)

Wednesday afternoon from 13:00-15:30 brings the meeting of the CFRG which has nothing specific to DNS security on its agenda, but there looks to be a lengthy discussion planned about the use of elliptic curve cryptography (ECC). This is something we’ve certainly been looking at within the DNSSEC space with regard to using ECDSA and other algorithms for DNSSEC signatures. It will be interesting to see what emerges out of this discussion in terms of future directions for IETF crypto algorithms.

Extensible Provisioning Protocol Extensions (EPPEXT)

In the last session slot on Wednesday from 17:40-19:40 the EPPEXT group will be meeting to discuss extensions to the EPP protocol used between DNS registrars, registries and similar entities.  An agenda has not yet been published but several of the past documents have related to exchanging DNSSEC-related information.

Thursday is for TRANS

The only working group we’re tracking on Thursday related to DNS or TLS is the Public Notary Transparency (TRANS) group meeting in the 17:40-19:10 block at the end of the day. No agenda yet, so it’s not clear what will be discussed.  Certificate Transparency is one of the number of technologies that are working to make TLS more secure and so this remains of interest.

DNS PRIVate Exchange (DPRIVE)

In the unenviable slot of Friday morning from 9:00-11:30 will be the third meeting of the DPRIVE Working Group that is chartered to develop: “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.” A great bit of work has been going on and the DPRIVE agenda shows discussion being planned for several possible solutions to provide this level of privacy and confidentiality.

It will be a busy week – but the outcomes of all these sessions should go far to make the DNS – and the overall Internet – more secure!

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 93:

DNSOP (DNS Operations) WG
Monday, 20 July 2015, 1520-1720 CEST, Congress Hall II
Agenda: https://datatracker.ietf.org/meeting/93/agenda/dnsop/ 
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

DBOUND (Domain Boundaries) WG
Monday, 20 July 2015, 1740-1840 CEST, Athens/Barcelona
Agenda: https://datatracker.ietf.org/meeting/93/agenda/dbound/ 
Documents: https://datatracker.ietf.org/wg/dbound/
Charter: http://tools.ietf.org/wg/dbound/charters/

DANE (DNS-based Authentication of Named Entities) WG 
Monday, 20 July 2015, 1850-1950 CDT, Venetian
Agenda: https://datatracker.ietf.org/meeting/93/agenda/dane/
Documents: https://datatracker.ietf.org/wg/dane/
Charter: http://datatracker.ietf.org/wg/dane/charter/

EPPEXT (Extensible Provisioning Protocol Extensions) WG 
Wednesday, 22 July 2015, 1740-1940 CEST, Karlin III
Agenda: https://datatracker.ietf.org/meeting/93/agenda/eppext/ 
Documents: https://datatracker.ietf.org/wg/eppext/ 
Charter: https://datatracker.ietf.org/wg/eppext/charter/

DPRIVE (DNS PRIVate Exchange) WG
Friday, 24 July 2015, 0900-1130 CEST, Karlin I/II
Agenda: https://datatracker.ietf.org/meeting/93/agenda/dprive/ 
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

Follow Us

There’s a lot going on in Prague, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf93.

Categories
Domain Name System Security Extensions (DNSSEC) Improving Technical Security Internet Governance

ISOC At ICANN52, Monday: A Great Amount Of IANA Transition Discussion With A Bit of Cybersecurity and DNSSEC, Too

Greetings from Singapore! As the 52nd meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) gets formally underway this morning on Monday, February 9, 2015, we thought we’d give you an idea of what we’ll be focusing on today from an Internet Society point of view as well as provide links so that you can join in and follow along remotely.

To understand our public policy interests here at ICANN 52, you need to read what Konstantinos Komaitis wrote in a post last week. As he noted, a great amount of discussion here will be focused on the twin inter-related issues of the IANA transition and ICANN accountability. Already over the weekend these topics have received significant focus at lengthy meetings of the IANA Coordination Group (ICG), the Government Advisory Council (GAC) and the Generic Names Supporting Organization (GNSO).

Today those two topics will continue to receive much discussion. While there are a great number of meetings today on the full ICANN 52 schedule, here are the ones that we’ll be focused on from a public policy perspective. If you follow each of these links you can find out how to listen in remotely to audio streams or to join the live stream of the “Virtual Meeting Room”:

All times are Singapore Time which is UTC+8. The meetings will all be recorded for later viewing if you are unable to watch them live.

On the technology side, last week I wrote about the many DNSSEC-related activities happening here and two of those events will take place today: the DNSSEC for Everybody tutorial workshop and the DNSSEC Implementers Gathering. There will also be a number of DNSSEC and security-related topics in the Tech Day (see agenda). The Public Safety Workshop will also bring together law enforcement attendees and others to discuss issues related to cybersecurity and the overall security and stability of the DNS.

You can follow along with the technology sessions at these links:

UPDATE: The Public Safety Workshop was changed to start at 1530.

These events will also be recorded for later viewing. As I noted in my earlier post, the DNSSEC Implementers Gathering is an informal meeting at a local restaurant to which there is no remote participation.

With that the first formal day of ICANN 52 will draw to a close. If you are interested in meeting with any Internet Society staff, you will be able to find us in these sessions above. You are also welcome to contact ISOC staff by email or send me an email at york@isoc.org and I can connect you to the right person.

Photo: The Government Advisory Council (GAC) meeting on Sunday, February 8, 2015.

Categories
Domain Name System Security Extensions (DNSSEC)

Rough Guide To ICANN 51: DNSSEC And The Root KSK Rollover

How do we increase the security of the Domain Name System (DNS)? How can we expand the usage of DNS Security Extensions (DNSSEC) and use it to create a higher level of trust on the Internet? How do we make the Internet more secure?

Most of us probably don’t think all that much about DNS but yet we use it for almost every interaction we have on the Internet. Whether we are reading the latest news, buying something online, sending email to a friend or joining into whatever the latest social network is, domain names are the tool we use to connect to sites without having to remember long numerical IP addresses. We just expect it to work and take it for granted.

There is, however, a whole community of people out there who are deeply concerned about ensuring that DNS “just works” for everyone and provides the correct answers. Coming from network operators, vendors, enterprises, governments, universities and other organizations, many of those people will be present at the ICANN 51 meeting next week in Los Angeles for a series of deeply technical meetings focused around the operations, security, stability and reliability of DNS. Many of these meetings will take place under the auspices of ICANN’s Security and Stability Advisory Committee (SSAC) although they will occur in other groups as well.

From an Internet Society technology point of view, our primary focus will be on continued efforts to accelerate the deployment of DNSSEC. This is one of the primary topics of our Deploy360 Programme and has been an area in which I have personally focused. I wrote a detailed description of the DNSSEC activities at ICANN 51 for those interested, but here are the key points:

DNSSEC For Everybody: A Beginner’s Guide On Monday, October 13, we will have an introductory session from 17:00-18:30 PDT where we will introduce the basics of DNS and DNSSEC in a light-hearted and fun way. It’s a good place to learn the basics and it will be streamed live for those who are remote.

DNSSEC Workshop – On Wednesday, October 15, will be the largest session about DNSSEC. In this 6+ hour session from 8:30-14:45 PDT we have a great range of technical speakers covering these topics:

  • DNSSEC Activities in North America
  • Impact of Root Key Rollover
  • DNSSEC Deployment in Operating Systems
  • DNS/DNSSEC Monitoring
  • DANE and Email Services

It should be an excellent session with great technical conversations. It will be available remotely and all the relevant links and slides can be found at http://la51.icann.org/en/schedule/wed-dnssec

DNSSEC Root KSK Rollover Workshop – On Thursday, October 16, ICANN will be holding a public workshop about the potential impact of changing the Root Key Signing Key (KSK) that is at the heart of the DNSSEC “global chain of trust”. I published links to background information that provide some context for this discussion. It’s quite an important one and, like the others, will be available for people who are remote.

It will be a very busy week on the technology front as there is also a meeting of the DNS-OARC organization over the weekend and a very busy Tech Day on Monday. Again, more details can be found in my Deploy360 article on this topic.

If you will be out at ICANN 51 and interested in speaking with me more about these topics, please do find me in one of the DNSSEC sessions or contact me via email to arrange a time to meet. See you in L.A.!

Categories
Domain Name System Security Extensions (DNSSEC) Open Internet Standards Technology

A Natural Path Forward

I will be joining the Internet Society as Chief Internet Technology Officer.

During the last one and a half decades, I have tried to push the needle to a more secure, resilient, and dependable Internet. For the last eight and a half years, I did this at NLnet Labs by leading a team that writes high quality code, participates in the Internet standards process, and works with operators on implementations. The Lab has pushed the needle on DNSSEC deployment by building products that I proudly believe make a difference for the Open Internet.

Why does it make a difference?

Because, the Internet’s technology matters.

Bottom up innovation and deployment of technology, even if there is very little short-term economic incentive to take action, is at the very heart of the success of the Internet. The availability of Open Source software turns out to be an important driver for the successful deployment of new protocols. That is where NLnet Labs and a myriad of other open (and closed) source developers, in groups or as individuals, make a difference.

As a corollary, when there is such little short-term economic incentive, there needs to be buy-in for the vision of ‘what good looks like’. With such vision all the independent players can work towards a common objective and we collectively take a bet on a future network value. That is where ISOC makes the difference. With its promotion of the open development, evolution, and use of the Internet (for the benefit of all people throughout the world), ISOC can share a vision and encourage technologies that help to increase trust, provide security, and make the net more stable, to gain a foothold.

For me, the transition from an organization that builds technology for the Open Internet to an organization that promotes the Open Internet is a natural path. I had “Evangineer” as job title on my business card: A pun combining the realism of technical engineering with evangelizing the good of the Open Internet. At ISOC I plan to continue the practice of “evangineering”, ‘by working with good people and fostering broad collaboration to address the [Internet’s] issues, since we all know that the Internet’s Technology Matters’ (A quote from my predecessor Leslie Daigle). The knowledge of Internet technology and understanding of technical realities and nuances differentiates ISOC from the wide variety of other entities in the Internet ecosystem. The work on Internet technology, in trinity with the regional and broad policy work, informs and drives the ISOC mission.

In order to be successful, the Internet Technology group needs to have its feet in the (technical) reality; that grounding will provide the ‘street cred’ that is needed for ISOC to remain a recognized, relevant, and driving player. There is a foundation to build on. Observed from technological, policy and different regional perspectives, the Internet evolves rapidly towards a future where the openness that I take for granted, needs care, nurturing, and promotion.

At the Internet Society, we can shape that future, and I am proud to be part of it.

Categories
Building Trust Domain Name System Security Extensions (DNSSEC) Improving Technical Security Open Internet Standards Technology

Fixing Heartbleed – It's The Culture, Not Just The Technology

In the aftermath of discovering the Heartbleed bug, now it is useful to look at the bigger picture of security building blocks that the Internet – and all of us – relies on.

A Bit About Heartbleed

Heartbleed allows someone making a connection using TLS to read a random piece of server memory, which may contain important bits – private keys, fragments of cached files, etc. Make another connection, get another 64KB of data. Do this enough times and a bad actor may get enough useful information to do some damage – for instance a private key the server uses to authenticate itself and encrypt communication.

With the private key, an adversary can impersonate a server. If they can intercept traffic, they can also decrypt it. If the server is using crypto-suites that don’t support perfect forward secrecy (PFS), the adversary can also get at data collected in the past. And because it leaves no trace, we cannot be sure if the vulnerability has been exploited and to what extent.

This is pretty bad stuff.

Most prominent sites and services have been fixed (see Mashable’s summary of affected sites). Things are getting back to normal for most web services, although we will probably hear more about the impact of this bug as time goes on.

Building Blocks of Internet Security

So how resilient is the Internet to such vulnerabilities? Let’s begin with the fact that there is no absolute security or absolutely flawless software in real life. And what differentiates a resilient system from a fragile one is not necessarily the absence of flaws. It is the absence of a single (or double, or triple, depending on the requirements) point of failure. In information security jargon it is called “defense in depth” – securing one layer alone (say, an application) is not enough.

So what are other security technologies that can provide additional layers of protection?

DNSSEC. It is much more difficult to impersonate a server if its name is protected by DNSSEC and the client can validate it. I’ve heard people question the value of DNSSEC if a site already uses an X.509 certificate issued by a respected CA. Well, apart from some other flaws of the web PKI system, Heartbleed is a prominent example of why we need more DNSSEC deployment. Even if someone gets access to the secret key (essentially stealing the X.509 certificate) and sets up a fake site, DNSSEC, if used by the name owner and validated by the client, will reveal the deception.

DANE. DANE provides an easier way to replace compromised keys without relying on CRLs and OSCP (Online Certificate Status Protocol), which are not always enabled and working. A site owner creates a new certificate and publishes it in the DNS, protected by DNSSEC. It actually takes longer to get it done in the traditional way through the issuing CA.

PFS. PFS comes with some cost to the server operators, but it pays off in situations like Heartbleed. By using crypto-suites that support PFS, even in the case of a compromised private key, past communication cannot be decrypted.

Diversity. Flawless software is rare and the more complex the code is the greater probability of bugs creeping in. Bugs hurt, but are devastating when the same bug is pervasive, which happens when there is not enough diversity in protocol or technology implementation and deployment. Open standards documenting the design of protocols and technologies enable such diversity, but it also requires a conscious choice when these components are deployed.

Users. Internet users contribute to the overall resilience of the system, too, by keeping software up-to-date and using strong passwords that vary across sites. Changing passwords periodically has always been good practice, but now it is vital in response to the Heartbleed (check if the system is still vulnerable before doing this, though, at https://www.ssllabs.com/ssltest/index.html).

Collective Responsibility

Looking at this specific, albeit unique, case we can see multiple paths toward improvement. Everyone has a role to play and an opportunity to contribute positively to the overall security and resilience of the Internet.

Security and resilience is ultimately not a technology. It is a culture.

Categories
Domain Name System Security Extensions (DNSSEC) Improving Technical Security Open Internet Standards Technology

Creating a Secure and Resilient Internet: Community Collaboration Required

“The Internet is open, interconnected and interdependent. It’s an ecosystem based on collaboration and shared responsibility.”

These are the opening remarks of our new infographic called “Collaboration for a resilient and secure Internet.” In it, we’ve tried to convey the idea that when it comes to Internet security and resilience, the traditional approach of just protecting our own assets is not good enough – the Internet demands a sense of collective stewardship and shared responsibility to be truly secure and truly resilient to attack.

When performing a risk assessment, do you also look at risks your network presents to the Internet ecosystem – so-called “outward” risks? How much do you care if your network passes traffic with spoofed IP addresses? How many of your DNS resolvers, NTP and SNMP servers are ready to answer queries from anyone in the world? Do you scrutinize routing announcements you are getting from your customers and peers?

There are several technologies and best practices available to mitigate these risks. Implementing them has costs, but through collective action we are creating a safer global network – a benefit that is hard to overestimate.

Please check out the infographic below and let us know what you think. What else can we do to encourage *every* network operator to deploy these technologies and best practices and help keep the Internet secure?

Categories
Building Trust Domain Name System Security Extensions (DNSSEC) Improving Technical Security IPv6 Open Internet Standards Privacy Technology

Follow Along With Us at IETF 89 This Week!

It’s here! The whole Internet Society technology team is in London this week, along with about a thousand other Internet engineers, to discuss the latest issues in Internet protocol engineering at IETF 89. There’s a lot going on this week, and we’d love to talk with you about the work we’re doing and how we can help you. In the last ten days or so, we’ve published six “Rough Guide to IETF 89” posts including an overview and five posts related to our major topics:

Coming up this week, we’ll be participating in *tons* of working groups and BoFs related to our topics of interest. We’re also interested in the Technical Plenary tonight, focusing on payment systems and Bitcoin. It will be live-streamed at http://www.ietf.org/live starting at 5:50PM UTC if you’re not here in London with us.

Tomorrow (Tuesday, 4 March), we’re holding our traditional ISOC@IETF briefing panel to discuss the work of the IETF in the context of the Internet and the world at large. This time, during “Evolution of end-to-end: why the Internet is not like any other network” we’ll be doing a retrospective about the end-to-end principle of the Internet, and considering some predictions for its future relevance. The panel will be live-streamed at https://plus.google.com/events/c1gfue9n0i7f5hanjfu6csgeo3g beginning at 11:45AM UTC. 

For a recap of IETF 88 in Vancouver, check out the latest edition of the IETF Journal. Note you can also subscribe to either the print or online version to receive future issues. We’re always interested in articles for upcoming issues, so if you’re following work at the London meeting and would be willing to provide an update, drop a line to ietfj-editor@isoc.org.

We’re onsite in London capturing as much of the action as possible. Be sure to follow us on follow us on Twitter in particular as there will be lots of updates, photos, and thoughts there. We’ll also post on this Internet Technology Matters blogFacebookGoogle+, and you can follow the blog’s RSS feed. 

We’d love to hear from you! What interests you the most at IETF 89?