Join a Local IETF Viewing Hub in Africa

The Internet Engineering Task Force (IETF) is the premier Internet standards body, developing open standards through processes to make the Internet work better. It gathers a large, international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. Core Internet technologies such as DNS, routing and traffic encryption use protocols standardized at IETF.

The IETF holds three meetings a year, which are livestreamed and can be followed individually or together with others sharing similar interests at a common venue. The next IETF meeting will be held from 25-29 March 2019 in Prague. The usual audience for an IETF meeting is network engineers, system engineers, developers, and university students or lecturers in information technology fields.

The Internet Society Africa Regional Bureau is running an initiative to encourage remote participation in IETF meetings that aims to promote the work of the IETF. IETF Remote Hubs aim to raise awareness about the IETF and allow those who cannot travel to a meeting to participate in the meeting remotely. The meetings are streamed in English only.

Join one of the following IETF Remote Hubs in your area, raise your awareness about the IETF and engage in the various topics of your interest!

Internet Society Gauteng Chapter
Venue: Tshimologong Precinct Wits Link center
Date: Tuesday 26 March 2019
Topics of discussion:

  • Home Networking (homenet)
  • Using TLS in Applications
  • DNS over HTTPS (doh)
  • Quantum Internet Proposed Research Group (qirg)
  • Network Time Protocol
  • Messaging Layer Security
  • Transport Layer Security (tls)
  • Thing-to-Thing

ETHNOG Ethiopia
Venue: HiLCHO
Date: Tuesday 26 March 2019
Topic of discussion: Network Time Protocol

Mozambique Research and education Network – MoRENet
Venue: Ministry of Science and Technology, Higher Education and Vocational Training
Date: Tuesday 26 March 2019
Topics of discussion:

  • DNS over HTTPS (doh)
  • Quantum Internet Proposed Research Group (qirg)

Internet Society Benin Chapter
Venue: University
Date: Tuesday 26 and Thursday 28 March 2019
Topics of discussion:

  • Using TLS in Applications (26 March morning)
  • DNS over HTTPS (doh) (26 March morning)
  • Messaging Layer Security (28 March morning)

Coded Club Ghana
Venue: University of Professional Studies, Accra
Date: Thursday 28 March 2019
Topics of discussion:

  • GitHub Integration and Tooling (morning)
  • Human Rights Protocol Considerations (afternoon)

ISOC Mali Chapter
Venue: AGETIC, ACI 2000 Hamdalaye
Date: Tuesday 26 March 2019
Topics of discussion:

  • Home Networking (homenet) (morning)
  • DNS over HTTPS (doh) (morning)
  • Thing-to-Thing (afternoon)

ISOC Botswana
Venue: University of Botswana
Date: Tuesday 26 March 2019
Topic of discussion: Thing-to-Thing (afternoon)

ISOC Ghana Chapter
Venue: Ghana-Korea Information Access Center, University of Ghana Legon
Date: Tuesday 26 March 2019
Topics of discussion:

  • Software Updates for Internet of Things (morning)
  • Crypto Forum (morning)
  • Automated Certificate Management Environment (morning)
  • Technology Deep Dive – Modern Router Architecture BOF (afternoon)

ISOC Namibia
Venue: NBII, 1-4 Gluck Street, Windhoek West
Date: 26-27 March 2019
Topics of discussion:

  • Home Networking
  • Quantum Internet Proposed Research Group
  • Decentralized Internet Infrastructure
  • Crypto Forum

Youth4Internet Côte d'Ivoire
Venue: Bingerville
Date: Monday 25 - Friday 29 March 2019
Topics of discussion:

  • Transport Layer Security (tls) (25 March morning)
  • Network Time Protocol (25 March afternoon)
  • Transport Layer Security (tls) (25 March afternoon)
  • QUIC (quic) (27 March morning)
  • Hypertext Transfer Protocol (httpbis) (28 March afternoon)
  • Global Access to the Internet for All (29 March morning)
  • IP Wireless Access in Vehicular Environment (29 March morning)

CyberStorm – Mauritius
Venue: Pointe aux Piments, Villa MU
Dates: 21-29 March 2019
Topics of discussion:

  • Hackathon
  • TLS, 6man
  • HRPC
  • DNSOP
  • UTA

This page will be updated with info on the hubs and the contact persons at each of the hubs: https://trac.ietf.org/trac/ietf/meeting/wiki/104remotehubs

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions, and mentioned some of the protocols that have been recently developed to improve user privacy.

To complement this, we are publishing our DNS Privacy Frequently Asked Questions (FAQ). This highlights and provides answers to the most important aspects of DNS privacy.

Please also check our DNS Privacy page for more information!

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map a human-friendly domain name to a set of IP addresses that can be used to deliver packets over the Internet. DNS transactions can therefore be correlated to the applications we use, the websites we visit, and sometimes even the people we communicate with.

While the domain name information itself is public, the transactions performed by the hosts are not. Unfortunately, the DNS does not inherently employ any mechanisms to provide confidentiality for these transactions, and the corresponding information can therefore easily be logged by the operators of DNS resolvers and name servers, as well as be eavesdropped by others.

So we are publishing our Introduction to DNS Privacy to raise awareness of the privacy implications of the DNS, and the mechanisms that have been recently developed to improve user privacy.

Please also check our DNS Privacy page for more information!

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a different protocol! But we think years of IPv4 operational experience should be leveraged as much as possible.

So we are publishing IPv6 Security for IPv4 Engineers as a roadmap to IPv6 security that is specifically aimed at IPv4 engineers and operators.

Rather than describing IPv6 in an isolated manner, it aims to re-use as much of the existing IPv4 knowledge and experience as possible, by highlighting the security issues that affect both protocols in the same manner, and those that are new or different for the IPv6 protocol suite. Additionally, it discusses the security implications arising from the co-existence of the IPv6 and IPv4 protocols.

Be sure to check our IPv6 Security page as well!

Making the Internet Better Together at APRICOT 2019

Asia Pacific Regional Internet Conference on Operational Technologies (APRICOT) 2019, said to be the largest technical conference in the region, drew hundreds of the world’s leading Internet engineers from over 50 countries to Daejeon, South Korea last week.

The Internet Society, a long-time partner of the event, contributed not only by sponsoring over a dozen fellows to travel there, but also by making multiple high-profile appearances in various sessions, including the opening keynote speech.

The Internet Society’s President and CEO Andrew Sullivan delivered the keynote, Up and Down the Stack Through a Nerd’s Eyes: Making the Internet Better the Internet Way, to hundreds of people, including Tae-Jeong Her, Mayor of Daejeon, and Dr Hee-yoon Choi, President of the organiser, the Korea Institute of Science and Technology Information (KISTI), a government research institute.

Now that so many people depend on the Internet, it is no surprise that businesspeople, policymakers, regulators, and politicians all want a say in the way the Internet evolves. But some of the proposals for the future of the Internet, Sullivan said, betray fundamental misunderstandings of the way the Internet works. The talk urged us all to continue to engage with the big questions that affect the future of the Internet, and to bring to that engagement the technical understanding of how the Internet depends on the community of independent network operators in order to remain healthy and strong.

The Internet Society delegation this year also included Rajnesh Singh, Regional Director of the APAC Bureau; Aftab Siddiqui, Technical Engagement Manager, APAC; Salam Yamout, Regional Director, Middle East; Andrei Robachevsky, Senior Technology Programme Manager; Sally Harvey, Director, Membership and Partnership Development; and me, Outreach Manager, APAC.

In line with the Internet Society’s 2019 Action Plan, our message at APRICOT 2019 was to give voice to the need to improve the Internet’s technical security, specifically routing security. That was why in different sessions we promoted the Mutually Agreed Norms for Routing Security (MANRS), a global initiative of the Internet Society that provides operators with steps to mitigate the most common routing threats.

We undertook a variety of roles at the conference and side events, including chairing and speaking at the AP* Meeting, speaking at the APNIC Global Reports, speaking at the APNIC Cooperation SIG, as well as several other speaking and moderation roles. We also had a number of bilateral meetings with other Internet organisations throughout the week.

I had the pleasure to moderate the ISOC@APRICOT session, in which we introduced the community to our work plans and invited them to exchange views on broad Internet issues in the region with us. We were much encouraged by the support of some Internet Society Chapter leaders and members who told us more about their local communities.

In the session, Sullivan introduced the 2019 Global Internet Report: Consolidation in the Internet Economy, which explores the growing influence of a few powerful players in the Internet economy.

The study is the beginning of a conversation about the implications of concentration in the Internet economy. Our analysis shows the questions surrounding these trends are very complex, and hasty interventions could lead to unintended consequences and harm for the Internet and its users. More work must be done to understand this important issue.

“I hope you’ll join us and help identify gaps that we haven’t done or suggest ways to improve the study,” Sullivan concluded the session by introducing our research funding opportunities.

Read the 2019 Global Internet Report: Consolidation in the Internet Economy to understand key features of consolidation, the impact of emerging trends on the Internet, and explore the questions it raises.

IPv6 Security Frequently Asked Questions (FAQ)

The Internet Society recognises that global deployment of the IPv6 protocol is paramount to accommodating the growth of the Internet. Given the scale at which IPv6 must be deployed, it is also important that the possible security implications of IPv6 are well understood and considered during the design and deployment of IPv6 networks, rather than as an afterthought.

We are therefore publishing our IPv6 Security Frequently Asked Questions (FAQ), which highlights and provides answers to the most important aspects of IPv6 security.

Be sure to check our IPv6 Security page as well!

NDSS 2019 Honors Timeless Papers

The papers and presentations are done, the awards and appreciation certificates have been handed out, and the boxes are packed and labeled for shipping. NDSS 2019 has come to a successful close. It was a record-setting event with over 550 registrations, 89 papers, 36 posters, and four workshops. It was inspiring to see such energetic and passionate security research professionals gathered together in one place discussing their work. All of the highlights can be found at the NDSS 2019 website, including the Distinguished Paper and Distinguished Poster Awards for this year and the full program. It is worthwhile, however, to highlight a new award series initiated this year.

NDSS Test of Time Awards

This year, to kick off the second 25 years of NDSS, an NDSS Test of Time annual award was created. This award is for papers that were published more than ten years ago and have had a significant impact on both academia and industry in the years since. There were three awardees in the inaugural class.

The first Test of Time award is from 1996: SKEME: A Versatile Secure Key Exchange Mechanism for Internet by Hugo Krawczyk. SKEME was an integral component of early versions of the Internet Key Exchange (IKE) protocol used with Internet Protocol Security (IPsec) and is the basis for many of the cryptographic design choices in the current IKEv2 Internet Standard. IPsec and IKE are the de facto Internet standards for protection of Internet Protocol (IP) communications, including Virtual Private Networks (VPNs), and are widely deployed in numerous commercial products.

The second award is Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks by Ari Juels and John Brainard, published at NDSS 1999. The paper introduced the use of “client puzzles” to protect against connection depletion attacks (a form of denial of service) in connection-oriented protocols, such as TCP SYN flooding. The paper led to a number of other efforts to develop different forms of client puzzles and to apply them to various other protocols and systems.

The final NDSS Test of Time award is A Virtual Machine Introspection Based Architecture for Intrusion Detection by Tal Garfinkel and Mendel Rosenblum, published in 2003. This paper introduced the use of VMI for cybersecurity and opened the floodgates on a tremendous amount of research and derivative tools that took VM technology beyond simple resource multiplexing and leveraged it for intrusion detection, intrusion prevention, forensics, isolation, and other cybersecurity protections. The paper is the most highly cited NDSS paper (1751 citations) from the period 1995-2009.

RIRs Enhance Support for Routing Security

BGP hijacking and route leaks represent significant problems in the global Internet routing systems, along with source address spoofing. BGP hijacks are where allocated or unallocated address space is announced by entities who are not holders and are not authorized to use it.

The announcement of allocated address space often makes big news, as when 53 route prefixes of Amazon were hijacked, but the announcement of unallocated address space (whether IPv4, IPv6 or AS numbers), also known as ‘bogons’, rarely generates much publicity because it does not cause immediate disruption to services or businesses. With the depletion of the IPv4 address space, though, bogon announcements are on the rise, with miscreants scraping unallocated address space from all RIRs and abusing it.

Resource Public Key Infrastructure (RPKI) was developed to help solve these problems, and APNIC (the Regional Internet Registry for the Asia-Pacific region) recently announced that it will honour the creation of AS0 ROA objects. It joins ARIN, AfriNIC and the RIPE NCC in supporting AS0 ROA objects, with only LACNIC yet to implement this.

APNIC members can create AS0 ROAs for the prefixes they manage using the MyAPNIC platform.

So, what is the significance of AS0 ROAs? A quick overview of ROAs is in order before explaining the importance of the AS0 ROA. According to RFC6483:

A “route” is a unit of information that associates a set of destinations described by an IP address prefix with a set of attributes of a path to those destinations.

The Border Gateway Protocol (BGP) relies on the assumption that the Autonomous System (AS) that originates routes for a particular prefix, is authorized to do so by the holder of that prefix. A Route Origination Authorization (ROA) is used to verifiably assert that the holder of IP address space is authorized to originate routes from a given set of prefixes.

A ROA identifies a single AS that has been authorized by the address space holder to originate routes, and provides a list of one or more IP address prefixes that will be advertised. If the address space holder needs to authorize multiple ASes to advertise the same set of address prefixes, the holder issues multiple ROAs, one per AS number.

The information in the ROAs can be used by networks running BGP to perform Route Origin Validation (ROV) on incoming BGP advertisements. ROV allows BGP speakers to decide whether to accept the routes advertised to them as genuine, based on the validation state of a received announcement, which can be Valid, NotFound, or Invalid.

  • Valid – The announcement is covered by at least one ROA that matches its origin AS and prefix length.
  • NotFound – The announcement is not covered by any ROA.
  • Invalid – The announcement contradicts the ROA information: either the origin AS is not authorised, or the announcement is more specific than the maximum length allows, even if it originates from an authorised AS number.

What must be remembered is that RPKI validation relies on the availability of RPKI data, and therefore RPKI caches should be located close to the routers that require this data (Relying Party (RP) software and the RTR protocol are outside the scope of this post).

Up until September 2012, AS0 was listed in the IANA Autonomous System Number Registry as “Reserved – May be used to identify non-routed networks”. This status was updated by RFC7607, which redefined AS0 in line with RFC6491, “Resource Public Key Infrastructure (RPKI) Objects Issued by IANA”:

AS0 ROA: A ROA containing a value of 0 in the ASID field (see RFC6483, “Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origination Authorizations (ROAs)”).

RFC6483, in turn, defines the term “Disavowal of Routing Origination”:

“A ROA is a positive attestation that a prefix holder has authorized an AS to originate a route for this prefix into the inter-domain routing system.  It is possible for a prefix holder to construct an authorization where no valid AS has been granted any such authority to originate a route for an address prefix.  This is achieved by using a ROA where the ROA’s subject AS is one that must not be used in any routing context.  Specifically, AS0 is reserved by the IANA such that it may be used to identify non-routed networks.

A ROA with a subject of AS0 (AS0 ROA) is an attestation by the holder of a prefix that the prefix described in the ROA, and any more specific prefix, should not be used in a routing context. The route validation procedure will provide a “valid” outcome if any ROA matches the address prefix and origin AS even if other valid ROAs would provide an “invalid” validation outcome if used in isolation.  Consequently, an AS0 ROA has a lower relative preference than any other ROA that has a routable AS, as its subject.  This allows a prefix holder to use an AS0 ROA to declare a default condition that any route that is equal to or more specific than the prefix to be considered “invalid”, while also allowing other concurrently issued ROAs to describe valid origination authorizations for more specific prefixes.”

This means that AS0 in a ROA marks a prefix and all its more specific prefixes as Invalid and not to be used in a routing context. By publishing a ROA that lists AS0 as the only origin, a resource holder signals that a prefix (including its more specific prefixes) should not be routed. In other words, a BGP speaker should not accept or propagate routes containing AS0.

RFC7607 codifies the BGP speaker behaviour to handle AS0.

“A BGP speaker MUST NOT originate or propagate a route with an AS number of zero in the AS_PATH, AS4_PATH, AGGREGATOR, or AS4_AGGREGATOR attributes. 

An UPDATE message that contains the AS number of zero in the AS_PATH or AGGREGATOR attribute MUST be considered as malformed and be handled by the procedures specified in RFC7606 “treat-as-withdraw”

An UPDATE message that contains the AS number of zero in the AS4_PATH or AS4_AGGREGATOR attribute MUST be considered as malformed and be handled by the procedures specified in RFC6793 “attribute discard”

If a BGP speaker receives zero as the peer AS in an OPEN message, it MUST abort the connection and send a NOTIFICATION with Error Code “OPEN Message Error” and subcode “Bad Peer AS” (see Section 6 of RFC4271).  A router MUST NOT initiate a connection claiming to be AS0.”
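The validation states listed above and the AS0 semantics quoted from RFC6483 and RFC7607, as an added Python example (not code from this post, APNIC or any RPKI validator): the ROAs, prefixes and AS numbers are constructed documentation values, and the ROA record is a simplified model of the RFC6811 VRP.

```python
"""Route Origin Validation (ROV) with AS0 ROAs.

Added example, not code from the Internet Society post or any RIR tooling.
It models ROAs as simplified RFC 6811 VRP records, applies the three
validation states (Valid / NotFound / Invalid), shows the AS0 disavowal
semantics from RFC 6483 and the RFC 7607 handling of AS0 in UPDATE
attributes.  Every prefix and ASN below is a constructed documentation value.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Dict

AS0 = 0


@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix the holder signed, e.g. "192.0.2.0/24"
    max_length: int  # longest more-specific the origin may announce
    asn: int         # authorised origin AS; AS0 means "nobody may originate"

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=True)


def covering_roas(roas: Iterable[ROA], prefix: str) -> List[ROA]:
    """ROAs whose prefix contains the announced prefix (same address family)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return [r for r in roas
            if r.network.version == net.version and net.subnet_of(r.network)]


def validate_origin(roas: Iterable[ROA], prefix: str, origin_as: int) -> str:
    """RFC 6811 route origin validation.

    Valid    - some covering ROA lists origin_as and the announced prefix is
               no longer than that ROA's max_length.
    NotFound - no ROA covers the prefix at all.
    Invalid  - covered, but nothing matches: wrong origin AS, more specific
               than max_length, or the only covering ROA is an AS0 ROA.
    An AS0 ROA never matches because no legitimate route carries origin AS0
    (RFC 7607), so for routes it covers it can only contribute Invalid, while
    a concurrently issued ROA for a more specific prefix still yields Valid.
    """
    covering = covering_roas(roas, prefix)
    if not covering:
        return "NotFound"
    plen = ipaddress.ip_network(prefix).prefixlen
    for roa in covering:
        if roa.asn != AS0 and roa.asn == origin_as and plen <= roa.max_length:
            return "Valid"
    return "Invalid"


# RFC 7607: how a BGP speaker handles AS0 inside UPDATE path attributes.
TREAT_AS_WITHDRAW = "treat-as-withdraw"   # RFC 7606 procedure
ATTRIBUTE_DISCARD = "attribute-discard"   # RFC 6793 procedure


def as0_update_action(attributes: Dict[str, List[int]]) -> Dict[str, str]:
    """Return the RFC 7607 action for each path attribute that carries AS0.

    attributes maps attribute name -> list of ASNs it carries.
    An empty result means the UPDATE is fine as far as AS0 is concerned.
    """
    actions = {}
    for name, asns in attributes.items():
        if AS0 not in asns:
            continue
        if name in ("AS_PATH", "AGGREGATOR"):
            actions[name] = TREAT_AS_WITHDRAW
        elif name in ("AS4_PATH", "AS4_AGGREGATOR"):
            actions[name] = ATTRIBUTE_DISCARD
    return actions


# Constructed sample: the holder disavows 192.0.2.0/24 with an AS0 ROA but
# concurrently authorises AS64496 for the more specific 192.0.2.0/25, and
# authorises AS64500 for 203.0.113.0/24 with no more specifics allowed.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, AS0),
    ROA("192.0.2.0/25", 25, 64496),
    ROA("203.0.113.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64496),
]


def demo() -> Dict[tuple, str]:
    checks = [
        ("192.0.2.0/25", 64496),     # Valid: specific ROA wins over the AS0 ROA
        ("192.0.2.128/25", 64496),   # Invalid: only the AS0 ROA covers it
        ("192.0.2.0/24", 64496),     # Invalid: the /25 ROA does not cover a /24
        ("203.0.113.0/25", 64500),   # Invalid: more specific than max_length
        ("198.51.100.0/24", 64497),  # NotFound: no ROA at all
        ("2001:db8:1::/48", 64496),  # Valid: IPv6, within max_length
    ]
    results = {(p, a): validate_origin(SAMPLE_ROAS, p, a) for p, a in checks}
    for (p, a), state in results.items():
        print(f"{p:>17} from AS{a}: {state}")
    return results


if __name__ == "__main__":
    demo()
    print(as0_update_action({"AS_PATH": [64500, 0], "AS4_PATH": [64500, 0]}))
```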

Returning to RFC6491, this ‘Recommends’ that IANA issue an AS0 ROA for all reserved IPv4 and IPv6 resources not intended to be routed, for all unallocated resources (namely resources that have not yet been allocated to Regional Internet Registries (RIRs) or for special purposes), and for other resources that are not intended to be globally routed.

This measure can greatly enhance the effectiveness of RPKI and routing security in general, but network operators should also take a look at the MANRS initiative, which is supported by the Internet Society. MANRS specifies additional actions, including filtering, anti-spoofing and coordination as well as support for global validation mechanisms such as RPKI, and currently encompasses over 200 Autonomous Systems around the world, including some of the largest ISPs.

If you’re a network operator or IXP, then please see how you can help contribute towards improving the security and resilience of the global routing system.

NDSS 2019 Highlights the Best in Security Research

Tomorrow, the 26th consecutive Network and Distributed System Security Symposium (NDSS) is set to kick off in San Diego, CA. NDSS is a premier academic research conference addressing a wide range of topics associated with improving network and system security. A key focus of the Internet Society has long been improving trust in the global open Internet and all of its connected devices and systems. In today’s world, we need new and innovative ideas and research on the security and privacy of our connected devices and the Internet that connects them together.

NDSS 2019 (24-27 February) will be the biggest NDSS symposium yet, featuring 89 peer-reviewed papers, 35 posters, 4 workshops, and a keynote. Record registration numbers are a key indicator that NDSS 2019 is featuring vital and timely topics. Below are some of the highlights expected in the coming week.

Workshops

This year’s program officially starts with four workshops on Sunday, 24 February. NDSS workshops are organized around a single topic and provide an opportunity for greater dialogue amongst researchers and practitioners in the area. Each of this year’s workshops have dynamic agendas.

The Workshop on Binary Analysis Research (BAR) is returning for its second year at NDSS after a very successful inaugural year in 2018. Binary analysis refers to the process where humans and automated systems examine underlying code in software to discover, exploit, and defend against vulnerabilities. With the enormous and ever-increasing amount of software in the world today, formalized and automated methods of analysis are vital to improving security. This workshop will include a keynote, a number of peer-reviewed papers, an invited speaker, and a panel discussion. It will also emphasize the importance of releasing and sharing artifacts that can be used to reproduce results in papers and can be used as a basis for further research and development.

The Workshop on Decentralized IoT Systems and Security (DISS) is in its second year, following a very successful inaugural year in 2018. The seemingly endless potential of the Internet of Things (IoT) is somewhat tempered by the concern over the ever-increasing risk that these devices pose to the Internet. The ultimate success of IoT depends on solving the underlying security and privacy challenges. Following the spirit of NDSS, the goal of this workshop is to bring together researchers and practitioners to analyze and discuss decentralized security in the IoT. DISS features a keynote, several papers, and a panel discussion.

The new workshop this year is the Workshop on Measurements, Attacks and Defenses for the Web (MADWeb). The web connects billions of devices, running numerous types of clients, and serves billions of users every day. To cope with such widespread adoption, the web constantly changes, as is evident from browsers that have a release cycle of just six weeks. These rapid changes are not always studied from a security perspective, resulting in new attack vectors that were never observed before. MADWeb is looking to connect researchers working at the intersection of browser evolution and web security. The goal is to create a new venue for discussing the rapid changes to browsers from a security perspective, the security implications of current web technologies, and how we can make browsers in the future more secure without hindering the evolution of the web.

Finally, the Workshop on Usable Security (USEC 2019) is one of the original NDSS workshops and is occurring at NDSS for the sixth consecutive year. You can see the results from the previous five years of USEC at NDSS plus three sister events held in Europe (EuroUSEC) here. This workshop has long focused on considering technical as well as human aspects of security. Enabling people to manage privacy and security necessitates giving due consideration to the users and the larger operating context within which technology is embedded. This year, and possibly for future USEC workshops, exceptional USEC papers will be invited to publish extended versions in a special issue of the Journal of Cybersecurity.

Keynote

Moving beyond the workshops, NDSS will also feature Dr. Deborah Frincke. Dr. Frincke leads the Research Directorate of the National Security Agency (NSA). She will speak on the modern challenges for cyber defense, asking the attendees how we meet the challenge of cyber defense as technological advancement creates a world where an adversary has more opportunity to break into our framework of order.

NDSS 2019 Papers

The main content of NDSS 2019 is of course the set of papers to be presented and published. This year there are 89 peer-reviewed papers organized into 19 sessions, representing around 20% of the original submissions. Topics are wide ranging and include authentication, cryptography, censorship, privacy, blockchain, IoT, and mobile and web security. Papers, slides, and videos of all the talks will eventually be available on the NDSS 2019 programme page.

The final program component of NDSS 2019 is the Monday night Poster Session and Reception. This session will feature 35 posters of recently published or newly emerging research. Attendees will have a chance to vote for their favorite posters with special prizes being awarded in different categories.

The Internet Society is proud to have been associated with NDSS for over 20 years. We are excited to see the results of this year’s event! As of this writing, we are smashing all our recent records including number of accepted papers, number of accepted posters, and total attendees. Congratulations to all the workshop speakers, NDSS authors and speakers, and poster presenters for contributing to what will surely be an exciting week of research discussion and collaboration leading to significant advancements in network and system security.

Follow along via our social media channels – Twitter, Facebook, and LinkedIn – or search/post using #NDSS19. See you in San Diego!

Image courtesy of Wes Hardaker

Developing Good BGP Neighbour Relationships @ APRICOT 2019

Routing Security is featuring heavily on the APRICOT 2019 programme, which is being held on 23-28 February 2019 in Daejeon, South Korea. This helps build on the MANRS initiative supported by the Internet Society.

On Wednesday, 27 February (09.30-13.00 UTC+9) there will be a Routing Security session that will discuss the latest problems and developments, and how routing security measures can be implemented. Speakers include Job Snijders (NTT), who’ll be discussing changes to BGP in the coming 18 months; Töma Gavrichenkov (Qrator Labs), on how BGP hijacks can be used to compromise the digital certificates used to secure online transactions; and Anurag Bhatia (Hurricane Electric), who’ll analyse the top misused ASNs.

During the second part of the session, Tashi Puntsho (APNIC) will cover the practical issues and implications of deploying your own RPKI Certificate Authority; Tim Bruijnzeels (NLnet Labs) will discuss the use of route servers at Internet Exchange Points; whilst Ed Lewis (ICANN) will discuss the issues with using the RIR Whois databases.

Following on from this, our colleague Andrei Robachevsky will be raising awareness of the MANRS Initiative during the FIRST Technical Colloquium (16.30-18.00 UTC+9).

FIRST is the global organisation of Computer Security and Incident Teams (CSIRTs) which are often in the front line when network security incidents occur, but are also involved in implementing preventative measures and capacity building. MANRS therefore considers CSIRTs to be important partners in improving the security and resilience of the global routing system, as well as providing input and feedback on the MANRS Observatory that is being developed to provide analysis of the state of the security and resilience of the routing system.

The Asia Pacific Regional Internet Conference on Operational Technologies (APRICOT) is the largest international Internet conference in the region, drawing network engineers, operators, researchers, service providers, users and policy communities from over 50 countries to teach, present, and develop relationships. Other Asia-Pacific networking organisations also use the opportunity to meet, in order to share knowledge required to operate the Internet.

If you’re interested in attending then it’s still possible to register at https://2019.apricot.net/register/register/

Alternatively, if you’re unable to make it in person, then the sessions can be followed via webcast.

Routing Security – Getting Better, But No Reason to Rest!

Editor’s note: This is an abridged version of a post that was first published on MANRS.org. Read the full version.

In January last year I looked back at 2017, trying to figure out what routing security looked like globally and on a country level. I used BGPStream.com – a great public service providing information about suspicious events in the routing system.

The metrics I used for this analysis were the number of incidents and the number of networks involved, either by causing such incidents or by being affected by them.

An ‘incident’ is a suspicious change in the state of the routing system that can be attributed to an outage or a routing attack, like a route leak or hijack (either intentional or due to a configuration mistake). BGPStream is an operational tool that tries to minimize false positives, so the number of incidents may be on the low side.

Of course, there are a few caveats with this analysis. Since any route view is incomplete and the intent behind a change is unknown, there are false positives. Some incidents went under the radar. Finally, the country attribution is based on geo-mapping, which sometimes gets it wrong.

However, even if there are inaccuracies in details, applying the same methodology for a new dataset – 2018 – gives us a pretty accurate picture of the evolution.

Here are the highlights of some changes in routing security in 2018, compared to 2017.

  • 12,600 (a 9.6% decrease) total incidents (either outages or attacks, like route leaks and hijacks).
  • Although the overall number of incidents was reduced, the ratio of outages vs routing security incidents remained unchanged – 62/38.
  • About 4.4% (a decrease of 1%) of all Autonomous Systems on the Internet were affected.
  • 2,737 (a decrease of 12%) Autonomous Systems were a victim of at least one routing incident.
  • 1,294 (a 17% decrease!) networks were responsible for 4,739 routing incidents (a 10.6% decrease).

The bottom line – we did much better last year than the year before. Is it accidental, or part of a positive trend? This is hard to say yet, although in my experience there is much more awareness, attention, and discussions of the challenges of routing security and helpful solutions recently.

Let us look in more detail at what was happening in the global routing system in 2018.

Although comparing just two years cannot say a lot about a long-term trend, overall I feel we are moving in the right direction. More awareness of and attention to the issues of routing security in the network operator community, rejuvenated interest in RPKI, and the positive trends shown here all support this.

I’d like to believe that efforts like MANRS also contributed to this positive trend. MANRS, an industry-driven initiative supported by the Internet Society, provides an opportunity to strengthen the community of security-minded operators and instigate a cultural change. MANRS defines a minimum routing security baseline that networks are required to implement to join. The more service providers join MANRS, the more weight the security baseline carries, the more unacceptable the lack of these controls becomes, the fewer incidents there will be, and the less damage they can do.

This baseline is defined through four MANRS Actions:

  • Filtering – Ensure the correctness of your own announcements and of announcements from your customers to adjacent networks with prefix and AS-path granularity
  • Anti-spoofing – Enable source address validation for at least single-homed stub customer networks, your own end-users, and infrastructure
  • Coordination – Maintain globally accessible up-to-date contact information
  • Global Validation – Publish your data, so others can validate routing information on a global scale.

Maintaining up-to-date filters for customer announcements could mitigate many route leaks. Preventing address spoofing could help ward off things like spam and malware. Keeping complete and accurate routing policy data in Internet Routing Registry (IRR) or Resource Public Key Infrastructure (RPKI) repositories is essential for the global validation that helps prevent BGP prefix hijacking. Having up-to-date contact information is vital to solving network emergencies quickly.

Last year the community also developed MANRS for IXPs. This is another baseline, one that allows an IXP to build a “safe neighborhood” with the participating networks. The most important Actions, which are therefore mandatory for joining, are:

  • Prevent propagation of incorrect routing information. This requires IXPs to implement filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI).
  • Promote MANRS to the IXP membership. IXPs joining MANRS are expected to provide encouragement or assistance for their members to implement the MANRS Actions.
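The Filtering and Global Validation Actions above, and the Route Server filtering required of IXPs, come down to the same two checks: is the announced prefix one the neighbour is entitled to announce, and does the RPKI agree with the origin AS? The following is an added example (not code from MANRS, the Internet Society or any router vendor) that implements those checks in Python over constructed data: ROAs and customer prefixes use RFC 5737/3849 documentation space and RFC 6996 private ASNs, and the cone and prefix lists stand in for what an operator would build from IRR/RPKI data. The ROV logic follows RFC 6811; the rest is the customer-facing prefix and AS-path filter MANRS Action 1 describes.

```python
"""Constructed example: MANRS-style customer route filtering with RPKI origin validation."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorisation: origin_asn may announce prefix at lengths up to max_length."""
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = neighbour that sent it, rightmost = origin


# Constructed data: documentation prefixes (RFC 5737 / RFC 3849) and private-use ASNs (RFC 6996).
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/22", 24, 64497),
    Roa("2001:db8::/32", 48, 64496),
    Roa("2001:db8:1::/48", 48, 64498),
]
CUSTOMER_ASN = 64496
CUSTOMER_CONE = {64496, 64498}                            # the customer and its own downstreams
CUSTOMER_PREFIXES = ["192.0.2.0/24", "2001:db8::/32"]   # what the customer registered (IRR/RPKI)


def rov_state(prefix: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True                      # at least one ROA covers this prefix
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def customer_filter(ann: Announcement, customer_asn: int, cone: Set[int],
                    registered: Sequence[str], roas: Iterable[Roa]) -> Tuple[bool, List[str]]:
    """Apply MANRS Action 1 (prefix and AS-path filtering) plus RPKI ROV to one customer announcement.

    Returns (accept, reasons): an empty reasons list means the route passes every check.
    """
    reasons: List[str] = []
    net = ip_network(ann.prefix, strict=False)
    # AS-path granularity: the route must come from the customer and originate inside its cone.
    if not ann.as_path or ann.as_path[0] != customer_asn:
        reasons.append("first AS in path is not the customer")
    origin = ann.as_path[-1] if ann.as_path else None
    if origin not in cone:
        reasons.append("origin AS is outside the customer cone (possible leak)")
    # Prefix granularity: only registered space, and nothing more specific than /24 or /48.
    if net.prefixlen > (24 if net.version == 4 else 48):
        reasons.append("prefix more specific than /24 (IPv4) or /48 (IPv6)")
    if not any(net.version == ip_network(p).version and net.subnet_of(ip_network(p))
               for p in registered):
        reasons.append("prefix not registered to this customer")
    # Global validation: drop routes the RPKI says are invalid; keep valid and not-found.
    if origin is not None and rov_state(ann.prefix, origin, roas) == "invalid":
        reasons.append("RPKI origin validation: invalid")
    return (not reasons, reasons)


def run_demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the filter over constructed announcements; keys name the scenario."""
    cases = {
        "own prefix":        Announcement("192.0.2.0/24", (64496,)),
        "downstream prefix": Announcement("2001:db8:1::/48", (64496, 64498)),
        "leaked route":      Announcement("203.0.113.0/24", (64496, 64499)),
        "hijack of 64497":   Announcement("198.51.100.0/24", (64496,)),
        "too specific":      Announcement("192.0.2.0/25", (64496,)),
    }
    return {name: customer_filter(a, CUSTOMER_ASN, CUSTOMER_CONE, CUSTOMER_PREFIXES, SAMPLE_ROAS)
            for name, a in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:18s} {'ACCEPT' if ok else 'REJECT'} {'; '.join(why)}")
```

Two design choices are worth noting. A "notfound" ROV result is accepted, because most of the routing table is still uncovered by ROAs and rejecting it would break reachability; only "invalid" is dropped. And the cone check reports a leak separately from the RPKI result, since a leaked route with a valid ROA still passes ROV, which is exactly why MANRS asks for prefix and AS-path filters in addition to global validation. An IXP route server would apply the same rov_state() and registered-prefix checks per member but would not have a single customer cone to enforce.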

In 2018 we saw a significant uptake in MANRS, too. In one year the number of participants more than doubled, reaching 120, and the MANRS IXP Programme grew to 28 IXPs in a year.

Let us hope all the positive trends continue in 2019. And it is not hope alone – every network can influence this future. Because once connected to the Internet – we are part of the Internet.

Categories
Domain Name System Security Extensions (DNSSEC), Improving Technical Security

Call for Participation – ICANN DNSSEC Workshop at ICANN64 in Kobe, Japan

Will you be at the ICANN 64 meeting in March 2019 in Kobe, Japan? If so (or if you can get to Kobe), would you be interested in speaking about any work you have done (or are doing) with DNSSEC, DANE or other DNS security and privacy technologies? If you are interested, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-kobe@isoc.org before 07 February 2019.


Call for Participation

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop during the ICANN64 meeting held from 09-14 March 2019 in Kobe, Japan. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.

For reference, the most recent session was held at the ICANN Annual General Meeting in Barcelona, Spain, on 24 October 2018. The presentations and transcripts are available at: https://63.schedule.icann.org/meetings/901549, https://63.schedule.icann.org/meetings/901554, and https://63.schedule.icann.org/meetings/901555.

At ICANN64 we are particularly interested in live demonstrations of uses of DNSSEC, DS automation or DANE. Examples might include:

  • DNSSEC automation and deployment using CDS, CDNSKEY, and CSYNC
  • DNSSEC/DANE validation in browsers and in applications
  • Secure email / email encryption using DNSSEC, OPENPGPKEY, or S/MIME
  • DNSSEC signing solutions and innovation (monitoring, managing, validation)
  • Tools for automating the generation of DNSSEC/DANE records
  • Extending DNSSEC/DANE with authentication, SSH, XMPP, SMTP, S/MIME or PGP/GPG and other protocols

Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.
We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE. Examples of the types of topics we are seeking include:

1. DNSSEC Panel (Regional and Global)

For this panel, we are seeking participation from those who have been involved in DNSSEC deployment in the region and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC? We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2. DS Automation

We are looking at innovative ways to automate parent-child synchronization using CDS/CDNSKEY, and methods to bootstrap new or existing domains. We are also interested in development or plans related to CSYNC, which is aimed at keeping the delegation's NS and glue records up to date.
We would like to hear from DNS operators what their current thoughts on CDS/CDNSKEY automation are.
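The parent side of CDS/CDNSKEY automation reduces to: take the child's (DNSSEC-validated) CDS set, confirm each record really corresponds to a DNSKEY the child publishes, and then copy it into the parent zone as DS. The following is an added example in Python, not code from the DNSSEC Workshop, ICANN or any registry, that does exactly that computation: key tag per RFC 4034 Appendix B, DS digest per RFC 4034 section 5.1.4, the RFC 8078 "0 0 0 00" delete signal, and a parent-side acceptance check in the spirit of RFC 7344 section 4. The zone name and key material are constructed placeholders (the 4-byte "public key" is not a real key), and DNSSEC validation of the fetched RRsets is assumed to have happened before these functions are called.

```python
"""Constructed example: derive DS from DNSKEY and check a child's CDS set (parent side)."""
import hashlib
import struct
from typing import List, Optional, Sequence, Tuple

DS = Tuple[int, int, int, str]          # (key tag, algorithm, digest type, hex digest)
DnsKey = Tuple[int, int, int, bytes]    # (flags, protocol, algorithm, public key bytes)

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
CDS_DELETE: DS = (0, 0, 0, "00")        # RFC 8078 section 4: "remove my DS" signal

# Constructed placeholders, not real keys.
EXAMPLE_ZONE = "example.com."
EXAMPLE_KSK: DnsKey = (257, 3, 13, b"\x00\x01\x00\x02")   # flags 257 = zone key + SEP
EXAMPLE_ZSK: DnsKey = (256, 3, 13, b"\x10\x20\x30\x40")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(key: DnsKey) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the public key."""
    flags, protocol, algorithm, public_key = key
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the RDATA with carry folded in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DnsKey, digest_type: int = 2) -> DS:
    """DS RDATA for a DNSKEY (RFC 4034 section 5.1.4): digest over owner name wire form + DNSKEY RDATA."""
    rdata = dnskey_rdata(key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[2], digest_type, digest)


def accept_cds(owner: str, cds_set: Sequence[DS], child_dnskeys: Sequence[DnsKey]) -> Optional[List[DS]]:
    """Parent-side CDS acceptance check.

    Assumes the caller already DNSSEC-validated the CDS and DNSKEY RRsets via the current chain of trust.
    Returns the DS records to publish, [] for the delete signal, or None when the set must be refused.
    """
    if not cds_set:
        return None                                 # nothing to act on
    if list(cds_set) == [CDS_DELETE]:
        return []                                   # child asked to become insecure
    if any(cds[1] == 0 for cds in cds_set):
        return None                                 # delete signal mixed with real records: refuse
    accepted: List[DS] = []
    for tag, alg, dtype, digest in cds_set:
        if dtype not in DIGESTS:
            return None                             # unsupported digest type
        wanted = (tag, alg, dtype, digest.upper())
        # Every CDS must correspond to a DNSKEY the child actually publishes; otherwise the
        # parent would install a DS that breaks the child's chain of trust.
        if not any(ds_from_dnskey(owner, key, dtype) == wanted for key in child_dnskeys):
            return None
        accepted.append(wanted)
    return accepted


def run_demo() -> Tuple[DS, Optional[List[DS]], Optional[List[DS]]]:
    """Compute the KSK's DS, then show one accepted and one refused CDS set."""
    ds = ds_from_dnskey(EXAMPLE_ZONE, EXAMPLE_KSK)
    good = accept_cds(EXAMPLE_ZONE, [ds], [EXAMPLE_KSK, EXAMPLE_ZSK])
    bad = accept_cds(EXAMPLE_ZONE, [ds], [EXAMPLE_ZSK])      # KSK not published any more
    return ds, good, bad


if __name__ == "__main__":
    ds, good, bad = run_demo()
    print(f"{EXAMPLE_ZONE} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    print("accepted:", good)
    print("refused:", bad)
```

The check that a CDS matches a published DNSKEY is the one operators most often skip and most often regret: a stale or mistyped CDS that the parent copies blindly produces a DS pointing at a key the child no longer serves, and the zone goes bogus for every validating resolver. Refusing a set that mixes the delete record with ordinary records is likewise deliberate; RFC 8078 gives the delete signal meaning only when it stands alone.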

3. DNSSEC/DANE Support in the browsers

We would be interested in hearing from browser developers what their plans are in terms of supporting DNSSEC/DANE validation.

4. DANE Automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There is also strong interest in DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:

  • How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?
  • What tools, systems and services are available to help automate DNSSEC key management?
  • Can you provide an analysis of current tools/services and identify gaps?
  • What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
  • What tools and services are now available that can support DANE usage?

We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-kobe@isoc.org before 07 February 2019.

We hope that you can join us.
Thank you,
Kathy Schnitt

On behalf of the DNSSEC Workshop Program Committee:
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Russ Mundy, Parsons
Ondřej Filip, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society
Mark Elkins, DNS/ZACR


Image credit:  ICANN