Categories
Internet Way of Networking Strengthening the Internet

Discussion Paper Now Available about the New-IP Proposal

In the run-up to the ITU World Telecommunication Standardization Assembly (WTSA-20) later this year there has been some discussion about a proposal called the “New IP.” It is positioned as a top-down architecture to solve a number of use cases that are currently being developed in the ITU-T’s Future Network 2030 Focus Group.

The Internet Society is carefully following the developments in the run-up to WTSA-20. We are trying to understand if and how the New IP works with the Internet as we know it, if it actually solves problems that cannot be solved in the Internet, and, if the ITU-T is developing standards, where other standards development organizations (SDOs) have change control.

In order to get a sense of the environment we commissioned a discussion paper, “An analysis of the ‘New IP’ proposal to the ITU-T.” The paper helps inform us and the broader community whilst the public debate around these proposals shapes up. It also aims to inform and shape the discussion from the Internet Society’s perspective. Eventually the debate around it will inform our position and the potential further evolution of the discussion paper itself.

We would like to thank Chip Sharp for authoring the paper, with input from a set of experts from and close to the Internet Society.

We welcome any feedback on “An analysis of the ‘New IP’ proposal to the ITU-T”. Contact the authors directly using newIP-discussion-paper@isoc.org or join the discussion papers list, which is public and archived.


Update: Richard Li has posted a response to this paper.

Categories
Building Trust Security

‘Major Initiatives in Cybersecurity’ Shows Everyone Can Contribute to Trust

How do we work toward a more secure Internet?

In the Cyber Security discussions that take place in the various policy fora around the world, there is often little appreciation that the security of the Internet is a distributed responsibility, where many stakeholders take action.

By design, the Internet is a distributed system with no central core or point of control. Instead, Internet security is achieved by collaboration where multiple companies, organizations, governments, and individuals take action to improve the security and trustworthiness of the Internet – so that it is open, secure, and available to all.

Today we’ve published Major Initiatives in Cybersecurity: Public & Private Contributions Towards Increasing Internet Security to illustrate, via a handful of examples regarding Internet infrastructure, that there are a great number of initiatives working, sometimes together and sometimes independently, on improving the Internet’s security. It is an approach we call collaborative security.

Major Initiatives in Cybersecurity describes Internet security as the part of cybersecurity that, broadly speaking, relates to the security of Internet infrastructure, the devices connected to it, and the technical building blocks from which applications and platforms are built.

We make no claim to completeness, but we do hope that the paper illustrates the complexity, breadth, and depth of the various initiatives out there. And, by extension, that there are no one-size-fits-all solutions. In the spirit of collaboration, we appreciate any feedback you might have for future versions of this document.

Read Major Initiatives in Cybersecurity: Public & Private Contributions Towards Increasing Internet Security

Categories
About Internet Society Building Trust Securing Border Gateway Protocol (BGP) Security Technology

Claudio Jeker Honored by Internet Security Research Group with Radiant Award

This week another Radiant Award has been awarded by the Internet Security Research Group, the folks behind Let’s Encrypt. The award puts the limelight on the heroes who make the Internet more secure and trustworthy each day.

The newest Radiant Award winner is Claudio Jeker, who receives the prize for his work on a BGP4 implementation on OpenBSD. This makes me horrendously enthusiastic. Why?

OpenBSD is an open-software-based operating system that is focused on being secure and feature complete. It comes with a set of tools that make it ideally suited to be deployed, for instance, as a secure route server in an Internet Exchange Point (IXP). A route server is a service that an IXP can host in order to make the participating network service providers’ lives a little easier. They do not have to get the routing information from each other, but can simply talk to this piece of centralized infrastructure. OpenBSD allows this type of infrastructure to be built from commodity components in a scalable and secure way.

With a route server in place, an IXP can take additional measures to secure the Internet, namely by taking the MANRS actions.

Ultimately this would not be possible if OpenBSD did not have a rock-solid implementation of the Internet routing protocol (BGP4) – and that is exactly what Claudio developed. And to put a cherry on top, his software fully supports authenticated filtering of routes using a protocol called RPKI. RPKI is yet another critical piece of infrastructure needed to secure the Internet routing system and a way to implement one of the MANRS actions.

Claudio’s work will prove to be an important piece towards better Internet security.

Want to know more about Let’s Encrypt? Read a comprehensive overview of the initiative – from inspiration to implementation, organization, and execution.

Categories
About Internet Society Building Trust Encryption Security Technology

Rachel Player Honored by Internet Security Research Group with Radiant Award

Internet security is accomplished by many unsung heroes. People who put their talent and passion into improving the Internet, making it secure and trustworthy. This is a feature of the Internet: security isn’t achieved through a central mandate but through the hard work and tenacity of individuals working across the globe.

Rachel Player, a cryptographic researcher, is one of those unsung heroes. She’s just been awarded the Radiant Award from the Internet Security Research Group, the folks behind Let’s Encrypt, for her work in post-quantum cryptography and homomorphic encryption. Homomorphic encryption allows people to do computations on encrypted data, so that information can remain private and still be worked with. This is a highly relevant field in any area that deals with sensitive and personal data, such as medicine and finance. Player is also interested in lowering the barriers for young people – young women, especially – to work professionally on topics like cryptography.

To learn more, read the announcement by the Internet Security Research Group and Rachel Player’s blog post about her work and her interest in making the profession more accessible.

Want to know more about Let’s Encrypt? Read a comprehensive overview of the initiative – from inspiration to implementation, organization, and execution.

Categories
Building Trust Shaping the Internet's Future

Peace and Cyber Hygiene

It doesn’t immediately make sense, does it: the terms peace and cyber hygiene in the same breath. Still, there is a reason why these two come together at the Paris Peace Forum this week. That reason is simple though. Cyber hygiene – taking basic and common measures to secure software, devices, and networks – reduces the attack vectors that can be used by criminals and state actors alike. Cyber hygiene will reduce the odds that your network is seen as a belligerent actor just because it has been hacked by others. Cyber hygiene helps to create a more trustworthy and secure environment where people can go about their daily business in confidence that nothing dreadful will happen to them. It is one of the tools in the toolbox of confidence-building measures that enable peace.

Supporters of the Paris Peace Call, which was launched at the Peace Forum last year, are committed to working together to, among other things, “improve the security of digital products and services as well as everybody’s ‘cyber hygiene.’” The Internet Society has joined with a significant number of states, companies, and organizations to sign the Paris Call.

The topic of cyber hygiene is not new to the Internet Society, but at the Paris Peace Forum three activities stand out.

Cyber Hygiene and Global Normative Behavior

The Global Commission on the Stability of Cyberspace explicitly talks about Cyber Hygiene. It proposes two norms that are related: the Norm to Reduce and Mitigate Significant Vulnerabilities and the Norm on Basic Cyber Hygiene as Foundational Defense. These two norms read, respectively:

  • Developers and producers of products and services on which the stability of cyberspace depends should prioritize security and stability, take reasonable steps to ensure that their products or services are free from significant vulnerabilities, take measures to timely mitigate vulnerabilities that are later discovered, and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity.
  • States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene.

The first norm calls upon the many actors that are involved in the day-to-day operation. The second calls upon states’ role to provide the policy and legal environment to foster cyber hygiene.

The final report of the GCSC, in addition to proposed norms, provides a set of principles to approach cyber peace and stability and a number of recommendations.

The Internet Society has long promoted the idea that improving the security of the Internet is a responsibility of those that operate, design, and use the network. There are many endeavors that help improve the security of the Internet and of cyberspace in general, which is the context for the next two activities.

Using Technology to Strengthen Cyber Hygiene

We joined CyberGreen, the Cybersecurity Tech Accord, the Global Cyber Alliance, and Microsoft in an initiative to promote existing good practices that could help address the growing set of attacks that leverage vulnerabilities that have existed for a significant time. The initiative brings together those that help drive the adoption of essential measures to defend against avoidable dangers in cyberspace. Measures include adoption of the Mutually Agreed Norms for Routing Security (MANRS) and the deployment of Domain-based Message Authentication, Reporting and Conformance (DMARC).

We hope that over the coming months and weeks others will join in the effort of promoting the Paris Call’s cyber hygiene principle and add to the list of good practices that aim to increase the security and safety of our global online environment.

Please see the Tech Accord for more information about this call.

Collaborative Efforts towards Cyber Hygiene

Getting to a secure and trustworthy Internet is complex and multifaceted. It calls for tailored approaches that, depending on the context and the nature of the subject, involve different stakeholders. In any case collaboration seems to be the vital ingredient for success. During the Peace Forum we pitch examples of two endeavors that address different issues but lead to a more secure cyberspace: the collaborative approach to face the growing set of challenges in IoT Security, and the Mutually Agreed Norms for Routing Security (MANRS) that pertain to the very fabric of the Internet itself.

We have written extensively about MANRS, but if you want to know more see manrs.org. Let me focus here on the IoT developments.

The collaborative work on IoT takes place on many fronts. The Canadian Multistakeholder process on Enhancing IoT security has produced an extensive report around:

  1. A shared set of definitions and benchmarks around the security of Internet-connected devices.
  2. Shared guidelines to ensure the security of Internet-connected devices over their lifespan, including the development, manufacturing, communications, and management processes.
  3. Recommendations to inform national policy related to IoT security in Canada.

It has set in motion work by the government and the community to tackle the challenges with insecure IoT deployments.

In addition to the Canadian Multistakeholder process on Enhancing IoT security, the Internet Society’s French Chapter has worked with AFNIC, ANSSI, ARCEP, CINOV-IT, Conseil National du Numérique (CNNum), La Quadrature du Net, Nokia, and Pôle Systematic Paris-Région to explore strategies to strengthen the security and protection of personal data in IoT. Their report will be launched soon. The developments in Canada and France do not happen in isolation. Similar activities have been launched in Senegal and Uruguay.

In order to bring together the experiences from these initiatives we have helped to establish an innovative platform. The IoT Security Policy Platform is made up of national government agencies and non-governmental organizations (NGOs) working in this space, that draw on the strength and expertise of all stakeholders to develop solutions to protect both people and innovation online. By the cross pollination of ideas, practices, and experiences, the platform can aid harmonization of various approaches and speed up the development and deployment of the measures. As far as I know, this is a unique approach.

The Internet Way

The Paris Peace Forum brings together leaders from across the world with an interest in peace and stability – in the context of a digitized society. It starts with the realization that the Internet is not a thing but rather a result. A result that reflects the values of sharing and collaboration for the greater good. Making the Internet, and all that is connected, more secure must be done in the same spirit. The Paris Call on Cyber Hygiene expresses not just a common goal, but a vision. Much like the Internet itself, a large and distributed set of collaborative efforts will get us there.

Categories
Building Trust Encryption

WhatsApp: How a Bug Relates to the G7

On 13 May, more than a billion users saw the messaging application WhatsApp being updated. At the same time reports appeared that a vulnerability had been used in attacks that targeted an unknown but select number of users and was orchestrated by an advanced cyber actor.

Facebook, the owner of WhatsApp, reported it fixed a vulnerability – a buffer overflow, a fairly well known type of vulnerability – that was, according to media (see references below), used in the spyware product Pegasus from the NSO Group, an Israeli company that sells spyware to governments and intelligence agencies all around the world.

Two observations:

  • Despite best efforts, bugs in software exist – if critical bugs in global communication systems are found they can have a global impact. There are two additional observations that come with that:
    • WhatsApp is a valuable target; if bugs exist they will be found and exploited.
    • A process that allows for bugs to be reported, promptly fixed, and the fixes automatically rolled out is crucial to maintain (or restore) trust in this sort of software. There are sectors of the industry (anybody listening in IoT land?) that can learn from how this is handled by Facebook.
  • The use of spyware like this cannot be contained; a Financial Times article suggests that clearly: the NSO software has been used against lawyers engaged in a lawsuit against the NSO Group and against various civil rights groups.

Using software bugs to get access to the encrypted devices and communication of users is also one of the approaches that arises in the context of lawful access by law enforcement. However, hoarding vulnerabilities puts us all at risk. When bugs like this are found they can either be reported to fix the software, used to create an exploit, or sold. Knowledge of an exploitable bug can be sold to multiple parties. Whilst arguably speculative, one cannot be certain that the NSO Group was the only entity with knowledge of the vulnerability.

This example clearly makes the case that exploits of unintentional bugs are undermining the security of over a billion WhatsApp users, and that they pose a risk to national security and personal safety. One can only imagine what the effect of the introduction of intentional vulnerabilities could be, which is what recent lawful access methodologies proposed so far are doing.

As the Digital Ministers of the G7 countries prepare to meet tomorrow, this serves as a real-world example of one of the reasons why the Internet Society calls for strong and secure communication, and takes exception to lawful access methodologies that weaken security, not only of the encryption technology itself but also of the devices and applications that offer it.

It is a critical time to stand for strong and secure communications. If you are on social media, use the #G7 hashtag and join us by asking world leaders to support strong and secure encryption for all.

References

There are two Financial Times articles that did early reporting on this: https://www.ft.com/content/7f2f39b2-733e-11e9-bf5c-6eeb837566c5 and https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab (paywalled) and various other outlets picked up the news too.

Encryption is under threat around the world. It’s up to each of us to take action.

Categories
Technology

What Is the Internet Model of Networking?

Fundamentally, the Internet model is that independent networks connect to one another and, all together, provide the global Internet.

The independent networks may be enterprises with business services and employees connected to them, they may be cloud service providers or residential Internet service providers. They are independent in the way that they choose their business models, build and manage their networks, and compete with their neighbors; they offer, however, global connectivity by adhering (voluntarily) to a set of open Internet standards that enable interoperability. To connect on the Internet is inherently to do so voluntarily via open protocols. A different architecture might use different choices, but these are the ones the Internet uses.

All these independent networks interoperate and form an Internet by participating in a global routing system, subject only to technical standards and agreements with neighbors (the technical terms here are peering and transit). The magic of the Internet is that in order to communicate between a mobile phone connected to a broadband provider in the Netherlands and a server in a data center in Kenya, the two networks at either end of the connection do not need a relationship with each other. The magic of the Internet is that you only need to connect to one other network that is already connected to the Internet to become part of the global Internet. This way, the Internet rapidly grows and becomes more valuable to all participating networks.

There is no center to the Internet, nor is there a central authority forcing the independent networks to behave in certain ways. The Internet works because the independent networks choose to internetwork by adhering to interoperable specifications and shared convention, and they choose to do that because the value of the sum is much greater than the sum of the parts.

I realize that this description is somewhat distant from what most people experience as the Internet. Most people relate to the Internet through how it has impacted their lives, both positively and, there is no denying, negatively too. Our role is to engage in the discussions about the impacts of the use of the Internet on society and make sure that when society is grappling with those issues that the properties that make the Internet are understood and maintained. We need to find Internet-compatible ways to address the issues that emerge.

Over time we intend to refine clearer expressions of the Internet model to help build that necessary understanding. We also intend to bring data to bolster the analysis and support arguments about the value of the Internet model.

Image: Community Networks Champions at the Digital Empowerment Foundation training center in Delhi, India ©Atul Loke/Panos Picture for the Internet Society

Categories
Building Trust Improving Technical Security Internet Governance

Global Cybersecurity and the Internet Conundrum

Today marks the 100th anniversary of the armistice that ended the First World War. The 1918 ceasefire re-introduced a fragile peace that had collapsed when the world failed to defend common rules and international cooperation. International security and stability are as important now as they were a century ago.

That’s why French President Emmanuel Macron and leaders from around the world are about to gather in Paris for the first Paris Peace Forum. The forum will attempt to pave a way forward for a world that is shifting and changing faster than most of us can keep up with. That change and shift, and the speed of it, are enabled by the Internet.

That is why the Internet Society is participating in the Forum.

I will be in Paris to speak on a panel about creating peace in cyberspace. Cybersecurity concerns across the world are real and justified and need to be addressed. We believe that the collaborative approach that helped to drive the growth of the Internet and allows it to thrive is essential for establishing cybersecurity.

The essence of a collaborative approach is that it allows stakeholders to create a shared vision for security.

The Shared Vision

At the Paris Peace Forum there will be many places where we will talk and try to converge on a shared vision.

For example, we support the work of the Global Commission on the Stability of Cyberspace (GCSC) – for which I am allowed to serve as commissioner. The GCSC has developed the “Call to Protect the Public Core”. In fact, in the lead up to the Paris Forum, the GCSC introduced six more norms towards cyber stability.

But while a shared vision is necessary for successful collaboration, it is not sufficient. We need to get to action.

Securing Cyber

Implementing the cybersecurity vision doesn’t come from a single technical fix or upgrade, nor will it come from a treaty or declaration. Improving security is done in a highly distributed way with the responsibility in the hands of many. This means participation not only by policymakers and a few companies from Silicon Valley, but millions of security practitioners, developers, implementers, protocol developers, network operators, civil society groups, and researchers.

And as we work to secure the broader cybersecurity environment, we have to make sure that we do not break the Internet along the way.

Can You Actually Break the Internet?

In short: specific regulatory or even technical interventions may break the Internet.

And now for a longer explanation of what that means.

For the Internet Society, the Internet (capital I) is the open network of networks voluntarily interconnecting to deliver connectivity globally. This network of networks enables those that connect to develop and deploy applications.

A metaphorical description of the Internet Architecture is an hourglass.

The sand in the bottom half is the physical infrastructure that makes the Internet work. It is the network of networks each making their own competitive and technical choices to compete in the market of offering connectivity.

The sand in the top half of the hourglass is made of Internet applications like social media, blockchain, email, messaging, and all the apps we use in our daily lives.

While the top and bottom parts of this hourglass need each other for the hourglass to work, they are very loosely coupled and their interaction is limited. Basically, they are the two most co-dependent strangers you will ever come across.

The thin funnel at the center of the hourglass contains the protocols and technologies that provide the ability for the applications in the top half of the hourglass to benefit from a single global Internet. The Internet Protocol (IP), the global Domain Name System (DNS), various transport protocols such as the Hypertext Transfer Protocol (HTTP), and global authentication and encryption infrastructure provide the ability to interoperate and establish a baseline of trust that allows all of these applications to flourish.

The beauty of the Internet is that the technology is agnostic. The bottom half and funnel of the hourglass have no idea what is running above it – whether it’s an email to your mom, a cat picture to Instagram, or a million rupee transaction.

It is the loose coupling between the top and bottom of the hourglass that offers the ability to invent new applications without having to negotiate with the network; the networks do not need to have detailed knowledge about the working of the applications, and the applications do not have to understand the workings of the networks. Without this property of permissionless innovation, inventions like the World Wide Web, messaging apps, or Blockchain would likely not have been possible.

Losing out on either global connectivity or permissionless innovation will impact the ability that the Internet brings for social and economic prosperity.

A growing number of countries are putting these opportunities at risk by proposing policies or laws to regulate technology in the bottom half of the Internet hourglass in reaction to security challenges appearing on the top half of the hourglass. An example of this would be a law that restricts Internet connectivity in reaction to concerns about social media content. It is these kinds of policy approaches that worry us – while individual measures may not immediately break the Internet, they will lead us down a path where we find that we have lost the properties that make the Internet what it is. It will no longer be a global network of networks, but a tightly controlled tool where someone else is in charge of what we see and do.

We may think that pulling a hair or two is OK, but at some point, we’ll be bald.

Back to the Paris Peace Forum.

In Paris, we join a vision for a secure society in which the Internet plays a major role.

That vision calls for action.

  • Action that is deliberate, distributed, and takes a global perspective.
  • Action that is already ongoing all across the Internet technical community.
  • Action in which regulation, tax, and other government tools have a role but are not the only tools in the box.
  • Action that attempts to address issues at the appropriate layer – the half of the hourglass where the problems arise. And, most important:
  • Actions that do not break the Internet itself while also addressing the legitimate needs of society.

The Internet Society CEO, Andrew Sullivan, recently summarized this as, “We must not save the Internet by breaking it, denying humanity this tool that can benefit us all.”

Tweet your support for an Internet that’s for everyone! #DontBreakTheInternet

Categories
Improving Technical Security Technology Transport Layer Security (TLS)

TLS 1.3 – Internet Security Gets a Boost

Today marks the formal publication of an overhaul of the Transport Layer Security (TLS) protocol. TLS is an Internet standard used to prevent eavesdropping, tampering, and message forgery for various Internet applications. It is probably the most widely deployed network security standard in the world. Often indicated by the small green padlock in a web browser’s address bar [1], TLS is used in financial transactions, by medical institutions, and to ensure secure connections in a wide variety of other applications.

We believe the new version of this protocol, TLS 1.3, published as RFC 8446, is a significant step forward towards an Internet that is safer and more trusted.

Under development for the past four years and approved by the Internet Engineering Task Force (IETF) in March 2018, TLS 1.3 addresses known issues with the previous versions and improves security and performance; in particular, it is able to establish a session more quickly than its predecessors. Because it is more efficient, TLS 1.3 promises better performance for the billions of users and organizations that use TLS every day. As with every IETF standard, TLS 1.3 was developed through open processes and participation, and included contributions from scores of individuals.

Many companies have indicated that they plan to implement and deploy TLS 1.3 in the near future and several have already done so. Part of their readiness can be traced back to the fact that the standard’s development was informed along the way by “running code” – test implementations that helped identify issues in and provide additional clarity to the specification, ensuring TLS 1.3 would not only look good on paper but that it would work well in the real world too. TLS 1.3 was also reviewed extensively by academic security and cryptography experts to help identify and address possible weaknesses before it was widely deployed.

A popular saying in the IETF community is that “there are no protocol police.” This reflects the reality that adoption of IETF protocols is voluntary and each network, enterprise, and Internet user is free to decide whether or not to use them. Given how widely TLS is deployed, it is inevitable that some challenges will be encountered as TLS 1.3 adoption gathers pace. Additional work may be required to address these challenges. However, on balance, TLS 1.3 represents a significant security win for the Internet and its users. We look forward to using it and tracking its adoption on the Internet.



1 – Editor’s Note: The TLS protocol is often mistakenly called “SSL” or “Secure Socket Layer”. SSL was the name of the original protocol developed by Netscape back in the mid-1990s. It was replaced by TLS 1.0 in 1999. (Yes, almost 20 years ago!) TLS 1.0 was in turn replaced by 1.1, 1.2, and now 1.3.

Categories
Building Trust Events IETF Open Internet Standards Technology

Rough Guide to IETF 102

Starting next weekend, the Internet Engineering Task Force will be in Montreal for IETF 102, where over 1,000 engineers will discuss open Internet standards and protocols. The week begins on Saturday, 14 July, with a Hackathon and Code Sprint. The IETF meeting itself begins on Sunday and goes through Friday. We’ll be providing our rough guides on topics of mutual interest to both the IETF and the Internet Society as follows:


Immediately prior to the IETF meeting, ICANN are hosting a DNS Symposium on the theme “Attention, Domain Name System: Your 30-year scheduled maintenance is overdue.” The ICANN DNS Symposium will take place in the same venue as the IETF 102 meeting on Friday 13th July.

Here are some of the activities that the Internet Society is involved in during the week.

Applied Networking Research Workshop (ANRW 2018)

The ACM, IRTF and ISOC Applied Networking Research Workshop will take place on the Monday of IETF week, as part of the Internet Research Task Force (IRTF) mission to foster greater collaboration between researchers and the IETF community. Registration is free for IETF attendees. The ANRW program is full of great presentations including invited talks and features sessions on TLS, routing, Internet infrastructure, congestion control, traffic engineering, and anonymous communications. The workshop will also feature an extensive poster session.

The workshop will be livestreamed for those not able to attend in person:

9:30-12:00 Monday July 16 Morning session I
http://www.meetecho.com/ietf102/anrw/

13:30-17:50 Monday July 16 Afternoon sessions I and II
http://www.meetecho.com/ietf102/anrw_II/

Applied Networking Research Prize (ANRP)

Through the Applied Networking Research Prize (ANRP), supported by the Internet Society, the Internet Research Task Force (IRTF) recognizes the best new ideas in networking and brings them to the IETF, especially in cases where the ideas are relevant for transitioning into shipping Internet products and related standardization efforts. Out of 55 submissions in 2018, six submissions will be awarded prizes. Two winners will present their work at the IRTF Open Meeting on Tuesday, 17 July at 9:30AM.

GCSC Panel

On Tuesday, 17 July, during IETF 102 in Montreal, the Global Commission on the Stability of Cyberspace (GCSC) will host a lunch panel on “Cyber Diplomacy Meets InfoSec and Technology.” During this session, the Commission wants to inform and engage with the IETF community on its work so far and the work that is in the pipeline.

The Global Commission on the Stability of Cyberspace sets out to develop proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace. During this lunch panel GCSC want to engage with the IETF community to discuss the norms they have proposed so far:

In addition, the Commission want to talk about the work that they are currently undertaking on vulnerabilities, their exploitation and disclosure.

The panelists are:

  • Irina Rizmal, Research Fellow at the DiploFoundation specialized in policy analysis in matters pertaining to national security and defense.
  • Bill Woodcock, Commissioner and Executive Director at Packet Clearing House, the non-profit agency that supports critical Internet infrastructure.
  • Jeff Moss, Commissioner, founder of Black Hat and Defcon, member of the DHS security council, and former ICANN CSO.

The panel will be moderated by Olaf Kolkman, GCSC Commissioner and Chief Internet Technology Officer of the Internet Society.

IETF Journal

The IETF Journal provides an easily understandable overview of what’s happening in the world of Internet standards, with a particular focus on the activities of the IETF Working Groups. Articles highlight some of the hot issues being discussed in IETF meetings and on the IETF mailing lists. You can follow IETF Journal via our Twitter and Facebook channels. If you would like to write for the Journal about your work at IETF 102, please email us at ietfjournal@isoc.org.

Other highlights of the IETF 102 meeting include:

Hackathon

Right before IETF 102, the IETF is holding another Hackathon to encourage developers to discuss, collaborate, and develop utilities, ideas, sample code, and solutions that show practical implementations of IETF standards. The Hackathon is free to attend but has limited seats available. Technologies from past Hackathons include DNS, HTTP 2.0, NETVC, OpenDaylight, ONOS, VPP/FD.io, RiOT, SFC, TLS 1.3, WebRTC, YANG/NETCONF/RESTCONF. Details on all planned technologies will be listed on the IETF 102 Meeting Wiki.

Technical Plenary

One of the week’s highlights is the plenary meeting. It will take place on Wednesday, 18 July, from 17:10-19:40. The event is live streamed.

Birds of a Feather (BoF) Sessions

Another major highlight of every IETF is the new work that gets started in birds-of-a-feather (BoF) sessions. Getting new work started in the IETF usually requires a BoF to discuss goals for the work, the suitability of the IETF as a venue for pursuing the work, and the level of interest in and support for the work. There are three BoFs happening in Montreal:

  • DNS Resolver Identification and Use (driu) Thursday, 19 July, 15:50-17:50 The IETF has added additional methods for DNS stub resolvers to get to recursive resolvers (notably DNS-over-TLS, RFC 7858), and is about to add another (DNS-over-HTTPS, from the DOH Working Group). As these have been developed, questions have been raised about how to identify these resolvers from protocols such as DHCP and DHCPv6, what security properties these transports have in various configurations (such as between strict security and opportunistic security), and what it means for a user who has multiple resolvers configured when the elements of the configured set have different transports and security properties. This BoF is not intended to form a Working Group. Instead, it is meant to bring together authors of various WG and individual drafts to prevent overlap and to garner interest in particular topics.
  • Internationalization Review Procedures (i18nrp) Monday, 16 July, 13:30 – 15:30 This BoF is to examine procedural and structural options for moving forward with work on internationalization topics in the IETF, or deciding not to work on that topic.
  • The Label “RFC” (rfcplusplus) Wednesday, 18 July, 18:10 – 19:40 This BoF is intended to discuss a proposed experiment to tackle the “regrettably well-spread misconception” that all RFCs are standards.

Follow Us

It will be a busy week in Montreal, and whether you plan to be there or join remotely, there’s much to monitor. Follow us on the Internet Society blog, Twitter, or Facebook using #IETF102 to keep up with the latest news.


Rough Guide to IETF 99: Back to Prague

Time to get ready for IETF 99! Starting a week from today, on Sunday, 16 July, the Internet Engineering Task Force will be in Prague, Czech Republic, where about 1000 engineers will spend a week discussing the latest issues in open standards and protocols. As usual, the agenda is packed, and the Internet Society is providing a ‘Rough Guide’ to the IETF via a series of blog posts all this week on topics of mutual interest:

  • Overview (this post!)
  • Internet Infrastructure Resilience
  • Internet of Things
  • IPv6
  • Scalability & Performance
  • DNSSEC, DANE, and DNS Security
  • Trust, Identity, and Privacy
  • Encryption

All these posts will be found on the Internet Technology Matters Blog, and archived via the Rough Guide to IETF 99 overview page.

IETF Journal

Before we get to IETF 99, catch up on some of the highlights from IETF 98 in Chicago, Illinois, USA, by reading Volume 13, Issue 1 of the IETF Journal. You can read all the articles online at https://www.ietfjournal.org, or pick up a hard copy in Chicago.

Our cover article is a deep dive into Segment Routing, a new traffic-engineering technology being developed by the SPRING Working Group. Also in this issue, you’ll learn about the many activities of the new Education and Mentoring Directorate, which aims to enhance the productivity, diversity, and inclusiveness of the IETF. We also present an update from the Security Automation and Continuous Monitoring WG, BoF updates, a readout from the pre-IETF Hackathon, a list of the tech demonstrations at the Bits-N-Bites event, and an article about the Internet Society Policy Guests to the IETF. Our regular columns from the chairs and coverage of the IETF plenary wrap up the issue.

If you’d like to write something for the next issue, please contact us at ietfjournal@isoc.org. You can subscribe to hard copy or email editions at https://dev.internetsociety.org/form/ietfj.

IRTF and ANRP

Through the Applied Networking Research Prize (ANRP, supported by the Internet Society) the Internet Research Task Force (IRTF) recognizes the best new ideas in networking, and brings them to the IETF, especially in cases where the ideas are relevant for transitioning into shipping Internet products and related standardization efforts. In Prague, two talented researchers will present during the IRTF Open Meeting on Thursday, 20 July, at 15:50 CEST:

  • Stephen Checkoway, University of Illinois Chicago, US, for “A Systematic Analysis of the Juniper Dual EC Incident”
  • Philipp Richter, Technische Universität Berlin, DE, for “A Multi-perspective Analysis of Carrier-Grade NAT Deployment”

Hackathon

Right before IETF 99, on 15-16 July, the IETF is holding another Hackathon to encourage developers to discuss, collaborate, and develop utilities, ideas, sample code, and solutions that show practical implementations of IETF standards. The Hackathon is free to attend, but pre-registration is required.

Birds of a Feather (BoF) Sessions

A major highlight of every IETF is the new work that gets started in birds-of-a-feather (BoF) sessions. Getting new work started in the IETF usually requires a BoF to discuss goals for the work, the suitability of the IETF as a venue for pursuing the work, and the level of interest in and support for the work.

There are four BoFs happening in Prague:

  • BANdwidth Aggregation for Network Access (BANANA) – would work on bandwidth aggregation and failover solutions for multi-access networks where the end-nodes are not multi-access-aware.
  • Network Slicing (NETSLICING) – would develop a set of protocols and/or protocol extensions that enable the following operations on slices: efficient creation, activation / deactivation, composition, elasticity, coordination / orchestration, management, isolation, guaranteed SLA, OAM/Feedback mechanisms and safe and secure operations within a network environment that assumes an IP and/or MPLS-based underlay.
  • IDentity Enabled Networks (IDEAS) – would standardize a framework that provides identity-based services that can be used by any identifier-location separation protocol.
  • IASA 2.0 (iasa20) – “IASA 2.0” will review and possibly rework administrative arrangements at the IETF.

Follow Us

There’s a lot going on in Prague, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see https://dev.internetsociety.org/tag/ietf99/.


Call on Your Government To Support Encryption

Eighty-three organizations and individuals from Australia, Canada, New Zealand, the United Kingdom, and the United States are insisting governments support strong encryption.

The letter, which was sent to government representatives in each of the above countries, called for public participation in any future discussions. It comes on the heels of the “Five Eyes” ministerial meeting in Ottawa, Canada earlier this week.

The Internet Society supports the substance of the letter.  

Strong encryption is an essential piece to the future of the world’s economy, and the Internet Society believes that encryption should be the norm for Internet traffic and data storage. It allows us to do our banking, conduct local and global business, run our power grids, operate communications networks, and more.

Encryption is a technical building block for securing infrastructure, communications, and information. It should be made stronger and universal, not weaker.

We urge people around the world to tell their governments to support opportunities in business, education, economy and almost everything else. 

Make encryption stronger. Not Weaker.

Note: The Internet Society is a signatory to the letter.