Categories: Encryption, Strengthening the Internet

Chapter Leaders Worldwide Make the Case for Strong Encryption

What makes a great leader? Earlier this year, 473 Chapter Members participated in the 2020 Chapters Training Program. The Internet Society kicked off the program with a lot of hope and excitement. This was an opportunity to harness the power of us – our global community – to incubate innovative ideas and tomorrow’s Internet leaders.

The program aimed to develop new community leaders to work with their Chapters, create local awareness of the Internet Society’s mission-driven work, and become involved in Action Plan projects, including Encryption.

Each time we share information on the Internet, we assume that only our selected recipients – and no one else – will receive and read it. But how can we be sure? Ursula Wyss of the Switzerland Chapter says, this is “where end-to-end encryption comes in, since it ensures that only you and those people who are intentionally included in the conversation can read the messages that are being exchanged. This is done by scrambling the message in a way that it can only be read by those who have the right encryption key to unscramble it. For everyone else, the messages remain scrambled.”

The Encryption Chapters Training Program was developed to equip Chapter Leaders with knowledge and tools to engage their members locally in an impactful and informed way. It included 139 trainees from 66 Chapters. They watched 10 videos and attended a two-hour training session with Internet Society staff and experts from the community, including Chapter Leaders from Germany, the U.S., Canada, India, Ghana, and Bolivia as well as partners such as Derechos Digitales.

Why Does Encryption Matter?

“With an escalation in hackings over the past decade, breaches in our private data are of ubiquitous meaning now more than ever and, for this, encryption is key,” writes Loide Uuzigo of the Namibia Chapter in “The Time For Encryption Is Now.”

Encryption safeguards the personal security of billions of people and the national security of countries around the world. These are just a few examples of how:

Internet privacy concerns are real: Encryption helps protect your online privacy by turning personal information into “for your eyes only” messages, seen only by the parties it’s shared with.

Hacking is big money: Cybercrime is a global business, often run by multinational outfits. Many of the headline-making large-scale data breaches demonstrate that cybercriminals are often out to steal personal information for financial gain. End-to-end encryption, the most secure form of encryption, ensures that sensitive, confidential information transmitted by billions of people online every day remains confidential and out of the hands of criminals.

Online health and learning solutions rely on it: With people worldwide increasingly relying on telehealth and remote learning during a pandemic, encryption is a must. For instance, in the U.S. the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to implement security features that help protect patients’ sensitive health information online.

Once armed with information, the Encryption Chapters Training Program trainees developed local initiatives to amplify awareness of the critical role encryption plays in our everyday lives. Here are a few of the submissions that stood out:

“Encryption helps protect private information, sensitive data, and can enhance the security of communication between two parties,” says Theorose Elikplim Dzineku, an Internet Society Ghana Chapter Member. “Whereas the Internet proposes a host of ways to communicate with friends, co-workers, and complete strangers, it also allows third parties to intrude on those communications, as well as track online conversations and activities. Using encryption tools helps individuals keep communications secret and protect swapping activities of personal tales with a friend or transacting important business with a client.”

Says Rahabu Sakilali of Tanzania, “with the COVID-19 pandemic, virtual conferencing and social media became the go-to place to hold lessons, business meetings and sensitive discussions. Encryption makes the virtual platforms safe! End-to-end encryption protects ourselves and our data. It also helps us be sure who we are communicating with, sign digital documents and ensure the recipient is authentic.”

“Effective encryption is a foundation for us to build trust on the Internet,” states Josephine Nampala of the Uganda Internet Society Chapter. In fact, during the COVID-19 pandemic, end-to-end encryption’s got us covered. “With the social distancing that is required to control the pandemic, many enterprises are opting to operate remotely. As well, many people are trying so much to keep close to their loved ones through different online platforms.” In these situations, we need to be sensitive about our privacy online, and strong encryption is key for us to trust the Internet.

Many trainees shared Spanish-language resources, too. Highlights include this video from Oscar Danilo González Navarrete of the Nicaragua Chapter, a blog post from Fernando Manuel Morales Rodas of the Guatemala Chapter, which includes videos that explain Encryption in a simple way, and a blog post from Osvaldo Juan Encinas Moreno of the Venezuela Chapter, who highlights the importance of digital education for those in vulnerable groups.

These are only a few examples of how we all depend on encryption every day of our lives. Effective encryption is key to secure online communications, from financial transactions to healthcare. It is the foundation upon which a trustworthy Internet is built.

Got an interesting story about how encryption is a critical part of keeping our day-to-day experiences safe online? We want to hear it! Write to us at encryption@isoc.org.

Categories: Encryption, Strengthening the Internet

Don’t Forget Cybersecurity on Your Back-to-School List

This opinion piece was originally published in Dark Reading.

School systems don’t seem like attractive targets, but they house lots of sensitive data, such as contact information, grades, health records, and more.

Schools are starting to reopen around the country – some physically, some virtually, and some a hybrid of the two. As a result, the remote learning requirement that was thrust upon schools when the pandemic forced closures earlier this year has reemerged. Presumably, lessons learned during the chaotic transition in the spring can be applied to make fall run more smoothly. But one item is critical to consider during this back-to-school season: cybersecurity.

Before examining cybersecurity needs in school systems, it’s important to understand what’s at stake. On the surface, school systems don’t appear to be an attractive target, but they contain a significant amount of highly sensitive information, such as contact information, grades, health records, counselor interactions, and possibly parents’ financial records. In light of COVID-19 and increased remote connections, there is now even more data – including health status, contact tracing, and recordings of student participation online – housed in systems and therefore more privacy concerns than ever.

In recent years, schools have also seen an increase in debilitating ransomware attacks, even prompting an FBI alert this summer highlighting increased abuse of the Remote Desktop Protocol (RDP) to plant ransomware on school systems.

The security challenges are amplified by the move to more online learning and administration, specifically:

  • Systems that were designed to be accessed on internal networks now need remote access.
  • A wide variety of devices that were never connected to the school’s network now need regular access to services.
  • The type of access needed has expanded well beyond posting of class assignments online. It now includes everything from live classrooms to access to administrative tools and health services.

These additional requirements significantly expand the attack surface, compounding the risks. They also bring into play a large set of users with little cybersecurity education, placing additional stress on school IT staff who are already typically stretched thin.

So, who is responsible to ensure that these systems and their users are safe? In this case, all layers of the ecosystem – vendors, school districts, and students/parents – have a role to play.

Vendors need to recognize the shift to remote use and provide appropriate built-in security.

School district staff need to choose tools that have appropriate security controls and establish strong cybersecurity practices for staff and students.

Students (and their parents) need to protect themselves and the school’s systems by practicing strong cyber hygiene.

Here are some practical guidelines for each group.

Vendors Need to Raise the Security Bar
To cover the full range of needs, school district staff have many applications and websites to consider. Most of these apps, websites, and software products are developed primarily to deliver certain capabilities and levels of functionality, and may not incorporate strong security practices such as limiting access by type of account, encrypting communication and data at rest, offering multi-factor authentication (MFA) to limit illicit access, and securing data on hosted cloud platforms.

As usage continues to increase, vendors need to bolster the security of their products to prevent breaches and disruption of their services.

School Staff: The Critical Role
School district staff have the most critical role to play in ensuring proper levels of cybersecurity, as they’re responsible for making the choices regarding what tools to offer students and parents, as well as setting up the networks for teachers, students/parents, and administrators.

As with any enterprise, school district staff need to follow strong cybersecurity practices. In March, the Consortium for School Networking (CoSN) issued Cybersecurity Considerations in a COVID-19 World to provide guidance to staff on how to best protect their networks and users. The recommended best practices include guidelines related to classroom supervision, layered permissions, Web content filtering, encrypting data, and protecting devices.

In addition to adhering to CoSN’s guidelines, staff should carefully select which online learning tools to use, make cybersecurity part of the decision-making criteria when selecting digital tools, and not hesitate to demand stronger security capabilities from existing vendors.

Students and Parents: Empowering End Users
It’s critical that students and parents take concrete steps to empower themselves to be safer when engaging in remote learning online, as failure to properly secure their access can have negative side effects on both the school systems and systems used in their household, which likely include corporate systems in our new work-at-home world.

Though students and parents are at the mercy of the choice of tools made by the school, they can still practice good cyber hygiene by using strong passwords, enabling multi-factor authentication, changing default passwords on devices in the home to prevent illicit access, exercising care in sites they visit, and choosing strongly encrypted services for their personal use.

Given the massive increase in video conferencing use since the start of the pandemic, it’s also important for students and parents to make smart choices regarding those services. Mozilla released a guide to videoconferencing services, assessing them against minimum security guidelines, as part of their “*privacy not included” series. This is a valuable resource for students and parents.

Back to school 2020 will certainly be unique, as schools scramble to figure out how to provide education in the context of an ever-shifting coronavirus backdrop. With a continued shift to online learning, maintaining a strong focus on cybersecurity is more important than ever.


Image by Element5 Digital via Unsplash

Categories: Mutually Agreed Norms for Routing Security (MANRS), Strengthening the Internet

The State of Routing Security at DNS Registries

The Domain Name System (DNS) is an important component of the Internet, but it was not designed with security in mind. In the last 20 years or so, much attention has been directed at improving its inherently insecure aspects.

This includes the deployment of DNS Security Extensions (DNSSEC) that enables cryptographic validation of DNS records, and more recently DNS-over-TLS and DNS-over-HTTPS, which encrypts DNS transactions between hosts and resolvers.

The DNS, though, is also dependent on the global routing system for sending DNS queries from resolvers to servers, and then returning the responses. The integrity of the routing system is, therefore, extremely important for ensuring DNS transactions are delivered efficiently to the correct destination. Yet, at present, few DNS registries are implementing Resource Public Key Infrastructure (RPKI), a public key infrastructure framework designed to secure the Internet’s routing infrastructure, specifically the Border Gateway Protocol (BGP).

A survey of 4,138 zones – that included 1,201 generic top-level domains (gTLDs), 308 country code top-level domains (ccTLDs), 271 reverse map zones, and 1,780 sub-ccTLD zones – showed a total of 6,910 route origins for the name servers that are serving these zones.

Yet, just 22% of these had valid Route Origin Authorisations (ROAs), a digitally signed object that verifies an IP address block holder has authorized an AS (Autonomous System) to originate routes to one or more prefixes within the address block.

Whilst the figures for the reverse map zones (53%) and ccTLD zones (34%) give evidence of deployment, they are significantly lower for the gTLD zones (11%). In fact, around 40% of TLDs have no ROA deployment at all, with 20% only having partial deployment.

These findings are discussed in more depth in “A Look at Route Origin Authorizations Deployment at DNS Registries” on the MANRS website. It is important to highlight an aspect of DNS security that has been somewhat overlooked.

If you’re interested in finding out more about why routing security is so important, please also read our five-part Introduction to Routing Security.

Categories: Internet Way of Networking, Strengthening the Internet

Mapping Intermediary Liability in Latin America

Thanks to our Chapters in Latin America, we now have a clearer map of the intermediary liability regulatory landscape across the region.

Intermediary liability answers the question, “Should Internet intermediaries (ISPs, web hosting and cloud services, social media platforms, etc.) be liable for content posted or for actions performed by others, such as, for example, their users?”

The success of the Internet depends on intermediary liability regimes that protect Internet providers – by ensuring responsibility for user behavior is on the users themselves, not on the intermediaries upon which they rely (both at the infrastructure and content layers).

The way legal frameworks deal with intermediary liability around the world can impact the Internet way of networking in different ways.

In some countries, intermediary liability legislation is well known: the 1996 US Communications Decency Act (Section 230) and the Brazilian Internet Bill of Rights, for example. But in much of the world it is covered by other more general-purpose regulations, such as tort law, consumer protection law, and child protection law.

We asked our local community to help us map and monitor the current regimes that apply to Internet intermediaries in their countries, so that our work can ensure that policies and regulations related to the matter keep supporting a healthy foundation for the Internet.

The questionnaire we developed in partnership with Chapter leaders was responded to by people from 18 Latin American countries.[1] The responses generated country profiles with detailed descriptions of rules and regulations that can affect intermediary liability in Bolivia, Brazil, Colombia, Chile, the Dominican Republic, Ecuador, Mexico, and Venezuela.

The country profiles provide an up-to-date snapshot of the complex regulatory landscape. The majority of countries still rely on general administrative, civil, and criminal norms that apply more or less uniformly to Internet intermediaries.

Copyright regimes and editorial liability are commonly applied, even if they predate the Internet age. General telecommunications regulations can also comprise rules that apply to Internet intermediaries. Chile is a highlight due to its longstanding network neutrality rules, which impose penalties for intermediaries who interfere with the free flow of data at the infrastructure level.

Brazil is the only country among those listed above that has a specialized intermediary liability regime designed for Internet access providers and Internet application providers. The “Marco Civil” establishes exemptions to providers’ liability in relation to third-party content. Access providers are always exempt from liability for user content and behavior.

Our mapping exercise is still underway. More country profiles produced by LAC Chapter members are expected for the upcoming months.

The process went beyond gathering up-to-date information. It has also helped us identify people who can promote and defend the importance of strong intermediary liability regimes for the Internet Way of Networking project in support of future community engagement and advocacy.

Based on what we have accomplished so far, we had some ideas on how the Internet Society can keep growing its knowledge base on intermediary liability – with the help of its global community. This could include:

  • Country or Chapter-level working groups to review and expand individual country profiles
  • Additional training and work to inspire and collaborate with other Chapters in the region
  • Additional activities and resources around the topic of intermediary liability
  • Replication of the process in other regions
  • Leveraging our community to serve as a valuable source of input to other mapping exercises, such as the World Intermediary Liability Map

Learn more about the Internet Way of Networking!


We would like to thank the following people for having committed their time and knowledge to help us with this collaborative effort: Roberto Zambrana Flores; Félix Fabian Espinoza Valencia; Flávio R. Wagner; Giovanna Michelato; Lorena Donoso Abarca; German M Fajardo Muriel; César Moliné; Alejandro Pisanty; Viviana Da Silva. Additionally, Nancy Quiros and Christian O’Flaherty contributed to this article.

We would also like to thank these people for their contributions: Graciela Mariani; Hector Ariel Manoff; José Ignacio Alvarez-Hamelin; R Danton Nunes; Eric Alexander – Venturas; Jorge Augusto Ottoni Nobre de Oliveira; Leonardo Lins; Miguel Medina; Willy Maurer; Mauricio Alarcón Salvador; Kelvin Atiencia; Ethel Monge de Kuri; Yesenia Granillo; Fernando Manuel Morales Rodas; Jose Anibal Silva de los Angeles; Ernesto Pineda; Sandy Karyna Palma Rodríguez; Ana Laura Leon; Francisco Javier Huerta Gijón; Simon Perez C.; Haydee Almiron; Dra. Dámaris Mercado Martínez; Alicia Castillo; Eduardo Tomé and Jan Alvarado.


[1] Argentina, Bolívia, Brasil, Chile, Colombia, Costa Rica, Ecuador, El Salvador, Guatemala, Honduras, Mexico, Panama, Paraguay, Peru, Puerto Rico, República Dominicana, Uruguay, Venezuela.


Image by delfi de la Rua via Unsplash

Categories: Strengthening the Internet, Time Security

Working Collaboratively to Improve Emerging Network Time Security Implementations

Accurate and secure time is essential for the security and trustworthiness of the Internet. Many systems that we regularly interact with rely on accurate time to function properly. Accurate time also provides an essential foundation for online security, and many security mechanisms, such as digital certificates used for Transport Layer Security (TLS), depend on accurate timekeeping. The Network Time Protocol (NTP) provides time synchronization for clocks on computer networks.

NTP’s security mechanisms were designed back in an era when most Internet traffic was trusted and attacks were considered unlikely. With the continued exponential expansion of the Internet, these mechanisms became outdated and needed to be redesigned. The Internet Engineering Task Force (IETF) has been working on a specification for Network Time Security (NTS) for several years now. This specification was approved by the Internet Engineering Steering Group (IESG) in March of this year and is currently in the RFC editing process for final publication. Over the course of the last couple of years, there have been a series of NTS projects held as part of the IETF Hackathons. These projects have worked to identify mistakes and ambiguities in the specification and to test and improve interoperability between implementations.

Time Community Collaboration

Recently, as part of the IETF 108 virtual hackathon, there was another successful event in this series. Representatives from several organizations including chrony, Cloudflare, Netnod, Orolia, Ostfalia University of Applied Sciences, Physikalisch-Technische Bundesanstalt (PTB), and the Internet Society took part in the project on Network Time Security (NTS) in July 2020. By the end of the week, there were 13 installations of six different NTS server implementations. These server implementations were tested against five different client implementations showing improvements in the maturity and interoperability of both the client and server implementations of NTS.

Additionally, a key highlight from the effort was the contribution of the first NTS test tool. This tool was contributed by Miroslav Lichvar and checks an implementation’s adherence to the specification as well as performing some basic performance tests. A short presentation on the outcomes of the NTS project at the IETF 108 virtual Hackathon is available here.

NTS Support

At this point, there are now two mainstream open source NTP implementations that have added NTS support: chrony and NTPsec. Additionally, there are open source NTS implementations from Netnod, Ostfalia, and Cloudflare. The Internet Society’s Time Security project is building a distributed testbed with some of these implementations to provide additional test and implementation opportunities for the wide community.

Find out more:


Image by Josh Redd via Unsplash

Categories: Mutually Agreed Norms for Routing Security (MANRS), Strengthening the Internet

Knowledge Sharing and Meaningful Conversation at InterCommunity 2020: Securing Global Routing

Recently, five routing security experts shared how they’ve been working to protect the Internet from the most common routing threats – by implementing and promoting the actions called for in Mutually Agreed Norms for Routing Security, or MANRS. They were all participants in InterCommunity, which gives the Internet Society community a way to connect for meaningful conversations about the issues that matter most to the Internet.

Want to join the InterCommunity conversation? Become an Internet Society member today!

This session of InterCommunity, “Securing Global Routing,” set out to increase awareness of MANRS, share good routing practices, and encourage more network operators to take the MANRS actions to make the Internet more secure for us all.

The speakers shared their network operations and capacity building knowledge while more than 200 participants participated live in the informative conversation.

Special thanks to Melchior Aelmans of Juniper Networks who moderated the discussion skillfully!

Here’s what the panelists had to say:

Abdul Awal, Bangladesh National DataCentre
Awal spoke about his goals in building technical capacity around Resource Public Key Infrastructure (RPKI) and raising awareness of MANRS principles in South Asia. He also discussed how we can help networks validate their routing information by implementing Route Origin Authorizations (ROAs).

ROAs let address holders cryptographically state which Autonomous System is authorized to originate a prefix in Border Gateway Protocol (BGP) announcements to other networks on the Internet. Using RPKI, other networks can cryptographically verify ROAs and drop conflicting routing information (announcements whose origin AS or prefix length does not match a valid ROA) that they may receive from other networks.

This significantly improves Internet security by preventing distribution of invalid route advertisements that may lead to parts of the Internet being unreachable or being hijacked by malicious networks.
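The two passages above (the ROA definition in “The State of Routing Security at DNS Registries” and Awal’s description of validating routing information with ROAs) both describe Route Origin Validation. The following added example, written for this page and not code from MANRS, FORT or any validator named on it, implements the RFC 6811 validation outcome (valid, invalid, not found) for a BGP announcement against a set of ROAs, and applies the common “drop invalid, accept valid and not-found” policy. The ROAs, prefixes and AS numbers are constructed from documentation address space and private-use ASNs; the AS 0 handling follows RFC 7607.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the address holder signed, e.g. "192.0.2.0/24"
    max_length: int   # longest more-specific prefix the origin AS may announce
    origin_as: int    # authorised origin AS; 0 means "nobody may originate this space"

# Constructed sample ROAs (RFC 5737 / RFC 3849 documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
    ROA("203.0.113.0/24", 24, 0),   # AS0 ROA: any announcement of this space is invalid
]

def _covers(roa: ROA, announced: ipaddress._BaseNetwork) -> bool:
    """A ROA is a candidate when its prefix contains the announced prefix (same IP version)."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == announced.version and announced.subnet_of(roa_net)

def rov_state(prefix: str, origin_as: int, roas: Iterable[ROA] = SAMPLE_ROAS) -> str:
    """Route Origin Validation state per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    if origin_as == 0:
        return "invalid"              # RFC 7607: AS 0 may never appear as an origin
    announced = ipaddress.ip_network(prefix, strict=True)
    candidates = [r for r in roas if _covers(r, announced)]
    if not candidates:
        return "not-found"            # no ROA covers this prefix at all
    for roa in candidates:
        # A match needs the authorised origin AS and a prefix no longer than max_length.
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                  # covered by ROAs, but none authorises this announcement

def apply_rov_policy(announcements: Iterable[Tuple[str, int]],
                     roas: Iterable[ROA] = SAMPLE_ROAS) -> Tuple[List[tuple], List[tuple]]:
    """MANRS-style filtering: drop 'invalid' routes, accept 'valid' and 'not-found' ones."""
    roas = list(roas)
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = rov_state(prefix, asn, roas)
        (dropped if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, dropped

if __name__ == "__main__":
    # Constructed announcements: a legitimate origin, a wrong origin, a too-specific
    # prefix, an uncovered prefix, and an announcement of AS0-protected space.
    feed = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511), ("192.0.2.0/25", 64496),
            ("198.51.100.0/24", 64496), ("203.0.113.0/24", 64496)]
    ok, bad = apply_rov_policy(feed)
    print("accepted:", ok)
    print("dropped: ", bad)
```

The “not-found” state is deliberately accepted by the policy: the DNS registry survey above shows that most zones still lack ROAs, so dropping uncovered prefixes would disconnect much of the Internet. Coverage is what makes “invalid” meaningful, which is why the ROA deployment percentages in the article matter.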

Awal has worked with networks in the Asia-Pacific region to increase the percentage of valid routing information, thus improving the region’s secure routing.

Mark Tinka, SEACOM
Mark has been in the routing and network engineering industry for several years, active in both the Asia-Pacific and African regions as a network operator and trainer.

Working with RPKI since 2014, Mark explained how routing hardware from Cisco and Juniper has helped improve RPKI support over the years. He also described the process of deploying RPKI in Africa and some of the challenges he faced.

Kevin Blumberg, TORIX
Kevin spoke about implementing MANRS principles from the viewpoint of an Internet Exchange Point (IXP).

TORIX is an IXP in Toronto, Canada that has grown from 1 Gigabit per second in 2000 to 1.1 Terabits per second in 2020. He said it was easy for TORIX to become a MANRS participant as it had been running Internet Routing Registry (IRR) based filtering for more than a decade.

He also said IXP operators are generally less restrictive, and so IXPs can easily become a source of a BGP hijack where different networks trust the routing information they receive. Therefore, TORIX feels it has a social obligation to ensure the peering data at its IXP is valid. Without this, it would be easy to propagate route hijacks via IXPs, and TORIX wants to prevent that.

Jorge Cano, NIC.mx
Jorge spoke about FORT, a free and open source RPKI validator that NIC.mx (the Mexican registry) is developing with the help of LACNIC. An RPKI validator helps routers quickly validate routing information received over BGP without burdening them with more processing load. FORT works on both Linux and BSD, and the validator is free to use and open to everyone.

Jorge ran a poll to see which validator was most commonly used by the audience. We learned that most participants were currently using the RIPE Validator, with a few already using FORT.

Tashi Phuntsho, APNIC
Tashi gave a presentation on why it is important to secure global routing, highlighting the issues with differences in validated ROA outputs observed with different validators, and the ROA outreach work by the APNIC Training team in the region. Tashi also noted the beta testing the APNIC Training team has done with ROSv7.

If you run an ISP, IXP, CDN, or cloud network let’s protect the Internet ecosystem together. Join MANRS!

Categories: Open Internet Standards, Open Standards Everywhere, Strengthening the Internet

Speed Matters: How Businesses Can Improve User Experience Using Open Standards

A recent report – Milliseconds make Millions – commissioned by Google and published by Deloitte, has shown that mobile website speed has a direct impact on user experience. Reducing latency and decreasing load times by just 0.1 second can positively affect conversion rates potentially leading to an increase in net earnings.

Over a four-week period, Deloitte’s research team analyzed mobile web data from 37 retail, travel, luxury, and lead generation brands throughout Europe and the U.S. Results showed that by decreasing load time by 0.1s, the average conversion rate grew by 8% for retail sites and by 10% for travel sites. The team also observed an increase in engagement, page views, and the amount of money spent by website visitors when sites loaded faster.

Multiple studies have consistently shown that faster page load speeds will result in better conversion rates. Akamai’s 2017 Online Retail Performance Report, for example, showed that a 100-millisecond delay in website load time can reduce conversion rates by 7% and that over half (53%) of mobile site visitors will leave a page that takes longer than three seconds to load.

HTTP/2 and IPv6: Faster and More Available

There’s good news: making some relatively simple changes to your webserver configuration could help to improve your website’s user experience as well as making it more available.

Implementing HTTP/2, for example, can speed up webserver performance by enabling browsers to download multiple files simultaneously over the same connection. This means that all of the files needed to display a webpage effectively are downloaded faster, enabling users to access content sooner.

And, as more and more people come online it’s likely that they will be connecting via IPv6 rather than over IPv4: over 90% of Reliance Jio’s 387.5 million 4G subscribers connect to the Internet via IPv6. So, by ensuring that your website is available over IPv6, the number of users that could potentially visit your site is greatly increased. IPv6 also optimizes the route that Internet traffic takes, which can also lead to improved website performance.

Improve Your Website

The Internet Society’s Open Standards Everywhere (OSE) project promotes the use of open Internet standards that can help to improve website speed, security, and availability. We’re working to equip everyone with the knowledge to make simple changes to some of the most widely used webservers (including NGINX and Apache) by providing simple how-to guides to enabling HTTP/2 and IPv6 as well as other standards, including TLS 1.3 and DNSSEC.
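As an added illustration of the “relatively simple changes” the post refers to, here is an NGINX server block before and after enabling HTTP/2, IPv6 and TLS 1.3. This is example configuration written for this page, not taken from the OSE how-to guides; the hostname, certificate paths and document root are placeholders, and it assumes an NGINX build with the `http_v2` module and an OpenSSL that supports TLS 1.3. Browsers only negotiate HTTP/2 over TLS, so the change also means serving the site over HTTPS.

```nginx
# Before: reachable over IPv4 only, served over plain HTTP/1.1.
server {
    listen 80;
    server_name www.example.com;            # placeholder hostname
    root /var/www/html;                     # placeholder document root
}

# After: TLS with HTTP/2, listening on both IPv6 and IPv4.
server {
    listen 443 ssl http2;                   # IPv4, HTTP/2 negotiated via TLS ALPN
    listen [::]:443 ssl http2;              # IPv6 listener; the [::] address is the IPv6 wildcard
    server_name www.example.com;            # placeholder hostname

    ssl_certificate     /etc/ssl/certs/www.example.com.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/www.example.com.key; # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;          # drops TLS 1.0/1.1, enables TLS 1.3

    root /var/www/html;                     # placeholder document root
}

# Keep port 80 open on both address families only to send visitors to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

After `nginx -t` and a reload, `curl -sI --http2 https://www.example.com` should report `HTTP/2 200`, and `curl -6 -sI https://www.example.com` confirms the site answers over IPv6 (the host running curl needs IPv6 connectivity for that second check). The IPv6 listener is the part most often forgotten: adding an AAAA record in DNS without a `[::]` listener makes the site unreachable for IPv6-only visitors rather than faster for them.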

First, test your website to see how well it supports open Internet standards. If you’re at 100%, congratulations: your website users are already getting a more enhanced experience! If you don’t quite get a perfect score, we might be able to help.

If you have access to the administrative interface of your webserver:
Take a look at our crowdsourced step-by-step documentation to see how you can make improvements. Once you’ve implemented the latest open standards, test your website again and see whether your score has improved. You can also consider contributing your experience to our documentation to help others make changes.

If you use a Content Delivery Network (CDN):
Businesses, large and small, often use CDN services to optimize their websites. Most CDNs enable HTTP/2 and IPv6 by default even if these protocols are not enabled on the original webserver, so your website could already be offering an improved user experience. Check with your CDN if you are unsure and ask them to enable these protocols if they have not done so already.

If you are using a hosting company and cannot access your webserver to make changes:
There is unfortunately not much that you can do to make changes to your webserver. You could switch to a provider that does offer its customers the option to enable HTTP/2 and IPv6 and other open Internet standards. Or you could contact your provider and ask them if they are planning on implementing these standards for their customers in the near future.

We’re in the process of developing short tutorials and training courses to further support people who want to make improvements. We’ll launch these over the coming months.

Making the Case

The conclusions are clear: as the number of consumers connecting to the Internet increases, those businesses that can deliver a faster online user experience for visitors will benefit from a higher conversion rate than those that can’t.

But it’s not just online retailers and e-commerce that should be paying attention: any call to action on your website can be considered a conversion. Requesting signatures for an online petition, asking people to support community networks, or recruiting new members for an Internet Society Chapter could all potentially be positively impacted by increased website speeds.

So what are you waiting for? Find out how to take action now.


Image by Sabri Tuzcu via Unsplash

Categories
Strengthening the Internet Time Security

Everything You Need to Know about Network Time Security

This article was first published on Netnod’s Blog. It is reposted here with permission of Netnod.

A lot of the Internet’s most important security tools are dependent on accurate time. But until recently there was no way to ensure that the time you were getting came from a trusted source. The new Network Time Security (NTS) standard has been designed to fix that. In this post, we will summarise the most important NTS developments and link to a range of recent Netnod articles providing more information on the background, the NTS standard and the latest implementations.

What is NTS and why is it important?

NTS is an essential development of the Network Time Protocol (NTP). It has been developed within the Internet Engineering Task Force (IETF) and adds a much-needed layer of security to a protocol that is more than 30 years old and is vulnerable to certain types of attack. Netnod has played an important role in the development of NTS, from the standardization effort in the IETF to the development of several implementations and the launch of one of the first NTS-enabled NTP services in the world.

NTS consists of two protocols: a key exchange, which runs over TLS and hands the client keys and cookies, and an extended NTP, in which those keys authenticate the time packets themselves. This ensures that clients can validate that the time they receive was sent by the correct server and was not altered in transit. More detailed information about how NTS works and why it is important is available here and in a guest post recently published on RIPE Labs here.
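To make the two-protocol split concrete, here is an added toy model of the second half, the NTS-protected NTP exchange; it is not Netnod's code nor any of the clients listed below. It assumes the key-exchange phase has already run, so both sides hold a client-to-server (C2S) and a server-to-client (S2C) key and the client holds a server cookie. The extension-field framing (RFC 7822) and the field type numbers (Unique Identifier, NTS Cookie, NTS Authenticator) follow RFC 8915, but the real AEAD, AES-SIV, is replaced by an HMAC-SHA256 stand-in so the model runs on the standard library alone, and cookies, TLS and real clock sources are omitted. What it shows is the check the post describes: the client only accepts a timestamp if the reply authenticates under the S2C key and echoes the Unique Identifier the client put in its request.

```python
"""Toy model of the NTS-protected NTP exchange (RFC 8915 shape, stand-in AEAD).

Added example, not Netnod's or any listed client's code. Assumes NTS-KE has
already produced the C2S/S2C keys and a cookie. HMAC-SHA256 replaces the
AES-SIV AEAD of the real protocol (assumption, so no third-party crypto
library is needed); no extension fields are encrypted, only authenticated.
"""
import hashlib
import hmac
import os
import struct
import time

# Extension field types from RFC 8915, section 5.
EF_UNIQUE_ID = 0x0104
EF_COOKIE = 0x0204
EF_AUTHENTICATOR = 0x0404


def ntp_now():
    """Current time as a 64-bit NTP timestamp (seconds since 1900, 32.32 fixed point)."""
    return int((time.time() + 2208988800) * 2**32)


def ntp_header(mode, transmit_ts):
    """48-byte NTPv4 header: LI=0, VN=4, the given mode; only the transmit timestamp is set."""
    return struct.pack("!4B3I4Q", (4 << 3) | mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


def transmit_timestamp(packet):
    """Read the transmit timestamp from an NTP packet (last 8 bytes of the header)."""
    return struct.unpack("!Q", packet[40:48])[0]


def extension_field(ftype, value):
    """RFC 7822 framing: 2-byte type, 2-byte total length, value padded to 4 octets."""
    padded = value + b"\x00" * (-len(value) % 4)
    return struct.pack("!HH", ftype, 4 + len(padded)) + padded


def parse_extension_fields(packet):
    """Return [(type, value), ...] for the extension fields after the 48-byte header."""
    pos, fields = 48, []
    while pos + 4 <= len(packet):
        ftype, length = struct.unpack("!HH", packet[pos:pos + 4])
        if length < 4 or length % 4 or pos + length > len(packet):
            raise ValueError("malformed extension field")
        fields.append((ftype, packet[pos + 4:pos + length]))
        pos += length
    return fields


def seal(key, packet_so_far):
    """Append the NTS Authenticator field: a nonce plus a tag over everything before it.

    Real NTS computes an AES-SIV ciphertext here; the stand-in tag is HMAC-SHA256
    over (header || preceding extension fields || nonce) and the 'ciphertext'
    part of the field is just that 32-byte tag.
    """
    nonce = os.urandom(16)
    tag = hmac.new(key, packet_so_far + nonce, hashlib.sha256).digest()
    body = struct.pack("!HH", len(nonce), len(tag)) + nonce + tag
    return packet_so_far + extension_field(EF_AUTHENTICATOR, body)


def open_(key, packet):
    """Verify the trailing authenticator; return the fields it covers, or None on failure."""
    fields = parse_extension_fields(packet)
    if not fields or fields[-1][0] != EF_AUTHENTICATOR:
        return None
    body = fields[-1][1]
    nonce_len, tag_len = struct.unpack("!HH", body[:4])
    nonce = body[4:4 + nonce_len]
    tag = body[4 + nonce_len:4 + nonce_len + tag_len]
    associated = packet[:-(4 + len(body))]  # everything before the authenticator field
    expected = hmac.new(key, associated + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return fields[:-1]


def client_request(c2s_key, cookie):
    """Build a protected request; also return the Unique Identifier to match the reply."""
    uid = os.urandom(32)
    pkt = ntp_header(3, ntp_now()) + extension_field(EF_UNIQUE_ID, uid) + extension_field(EF_COOKIE, cookie)
    return seal(c2s_key, pkt), uid


def server_respond(c2s_key, s2c_key, request, valid_cookie):
    """Verify the request, then echo its Unique Identifier in a reply sealed with S2C."""
    fields = open_(c2s_key, request)
    if fields is None:
        return None
    f = dict(fields)
    # A real server decrypts the cookie to recover the keys; here cookies are
    # opaque 32-byte values (a multiple of 4 so framing adds no padding).
    if f.get(EF_COOKIE) != valid_cookie or EF_UNIQUE_ID not in f:
        return None
    pkt = ntp_header(4, ntp_now()) + extension_field(EF_UNIQUE_ID, f[EF_UNIQUE_ID])
    return seal(s2c_key, pkt)


def client_accept(s2c_key, uid, response):
    """Return the server's transmit timestamp only if the reply authenticates and echoes uid."""
    fields = open_(s2c_key, response)
    if fields is None or dict(fields).get(EF_UNIQUE_ID) != uid:
        return None
    return transmit_timestamp(response)


if __name__ == "__main__":
    # Constructed keys and cookie standing in for NTS-KE output.
    c2s, s2c, cookie = os.urandom(32), os.urandom(32), os.urandom(32)
    req, uid = client_request(c2s, cookie)
    resp = server_respond(c2s, s2c, req, cookie)
    print("accepted timestamp:", client_accept(s2c, uid, resp))
    tampered = resp[:40] + bytes(8) + resp[48:]  # on-path change to the time field
    print("tampered reply accepted?", client_accept(s2c, uid, tampered) is not None)
```

The Unique Identifier is what stops an attacker from replaying an old, genuinely signed reply: it is fresh per request and covered by the tag, so a recorded response cannot be matched to a later query. The tag covering the whole header is what stops on-path modification of the timestamps, which plain NTP has no defence against.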

The NTS standard in the IETF

In March 2020, the Internet Draft ‘Network Time Security for the Network Time Protocol’ was approved as a Proposed Standard, which describes NTS as: “a mechanism for using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD) to provide cryptographic security for the client-server mode of the Network Time Protocol (NTP).” It’s currently in the RFC editor queue awaiting publication as an RFC proper.

NTS implementations

Netnod launched one of the first NTS-enabled NTP services in the world on 28 October 2019. It’s available to the public at:

  1. nts.ntp.se (for users anywhere in the world)
  2. nts.sth1.ntp.se & nts.sth2.ntp.se (for users close to Stockholm)

More information on this service is available here. Netnod has also published a HOWTO explaining how to set up an NTS client and to connect to Netnod’s NTS servers here. Some current NTP clients supporting NTS (two of which were written by Netnod staff) include:

  1. ntpsec (written by Eric Raymond)
  2. A Python implementation (written by Christer Weinigel, Netnod)
  3. A Go implementation (written by Michael Cardell Widerkrantz (Netnod), Daniel Lublin and Martin Samuelsson)

Joachim Strömbergson and Peter Magnusson from Assured have been asked by Netnod to work on a Verilog implementation of the extended NTP. More information about this will be available later in the year.

Why take time from Netnod?

On behalf of the Swedish Post and Telecom Authority (PTS), Netnod keeps a Verilog implementation of NTP with attached atomic clocks running in locations across Sweden. This means you speak NTP directly to the FPGA chip! As there is no software involved, you get the most accurate time possible. The service is available to the general public worldwide for free on ntp.se, which resolves to anycast IPv4 and IPv6 addresses.

In a recent blogpost, Netnod looked at some of the fundamentals in providing accurate time. These include looking at what makes a clock, how to ensure accuracy down to the level of nanoseconds and what Netnod is doing to ensure accurate time throughout Sweden.

The Internet Society believes that the security of the Internet’s time synchronization infrastructure has a direct impact on the overall trustworthiness of the global Internet. We’re working to promote global deployment of time security protocols and to encourage operational best practices. Take a look at our Time Security project homepage to find out more about our work.

Categories
Open Standards Everywhere

IPv6 Buzz Podcast Dives into Open Standards Everywhere

What are the challenges with applications supporting IPv6? What do people, particularly those working in enterprises, need to know about how servers and applications work with IPv6? What is the Internet Society’s Open Standards Everywhere project doing to help? How can people get more involved?

To answer all these questions and more, I recently joined Scott Hogg and Tom Coffeen on their IPv6 Buzz Podcast episode 53. You can listen here:

It was a very enjoyable conversation! Thanks to Scott and Tom for having me on their show. I also want to thank Ed Horley, who first contacted me about joining the show but with schedule conflicts was not able to join the recording. I would also encourage you to listen to other IPv6 Buzz episodes to learn more about IPv6.

If you would like to help in the work to get open standards deployed everywhere, please:

Categories
Mutually Agreed Norms for Routing Security (MANRS) Strengthening the Internet

A (Fairly) Non-Technical Guide to Routing Security Basics

On the MANRS website, we write about routing security. We dig into the details of technical problems, research the origins of route leaks and hijacks, analyze trends and statistics related to networks around the globe via the MANRS Observatory, and generally get pretty nerdy about how to improve the routing system that underpins the Internet. Last week, we took a step back and published a series of posts regarding Routing Security Basics.

This 5-part series covers the following topics:

While it’s difficult to explain routing security without assuming some baseline knowledge, our intent is for these posts to be as non-technical as possible to help non-experts understand this sometimes-complicated topic.

It all started with a Twitter thread on a Friday afternoon, comparing routing security to online dating. We then expanded this silly analogy into a series of blog posts. Follow along as Juan, Maria, and Bad Guy Chad help us explain the types of routing incidents that happen and how the simple, concrete MANRS actions can help.

We hope you’ll read the Routing Security Basics posts, and if you’re running a network at an ISP, IXP, or CDN/Cloud provider, we hope you’ll consider implementing the MANRS actions and joining the MANRS community.


Image by Alexander Sinn via Unsplash

Categories
Mutually Agreed Norms for Routing Security (MANRS) Strengthening the Internet

Meet the MANRS Ambassadors

We’ve appointed four MANRS ambassadors in the areas of training, research, and policy. We’re excited to welcome Anirban Datta, Flavio Luciani, Boris Mimeur, and Sanjeev Gupta to the program, and can’t wait to benefit from their input and expertise.

Ambassadors are representatives from current MANRS participant organizations who provide mentorship, guidance, and feedback to others in the routing security community. With their wealth of experience and knowledge – and their passion and commitment – they help make the global routing infrastructure more robust and secure.

The MANRS Ambassadors Selection Committee, consisting of six representatives from the MANRS Advisory Group, assessed the applications and appointed four exceptional individuals.

They’ll receive a monthly stipend of US$1,500 for up to six months and together they’ll train people on good routing practices, analyze routing incidents, research ways to secure routing, and survey the global policy landscape. Ambassadors will also provide mentorship to the MANRS Fellows in their respective categories to help the Fellows to fulfill their obligations.

Four Amazing Ambassadors

Anirban Datta, training ambassador

Anirban works for Fiber@Home Global Ltd in Dhaka, Bangladesh. His role is to establish international links and points of presence in different parts of the world. He’s also involved with many Internet network operators’ groups (NOGs) and community-driven organizations like bdNOG, SANOG, and INNOG. As an instructor, he helps to improve the technical knowledge of the local community.

Flavio Luciani, training ambassador

Flavio Luciani has a master’s degree in computer engineering from Roma 3 University. He’s worked with Namex since 2008. He supervised the technical and infrastructural development of the Internet exchange point, firstly as a member of the technical staff and then, from March 2020, as Chief Technology Officer.

Boris Mimeur, research ambassador

Boris is the Vice-President of Engineering Operations at CENGN in Canada. He leads teams developing a secure hybrid cloud platform that enables test and validation for new products and technologies. In the last two years, Boris has supported the promotion of security in BGP routing through partnerships with multiple Canadian Telecom Service Providers. He’s also contributed to the development of the IXP/CXP for the Ottawa Gatineau region (OGIX).

Sanjeev Gupta, policy ambassador

Sanjeev is based in Singapore. He first heard about routing in the late 80s. He believed that every single router contacted every other router every 30 seconds and the idea of security never entered his mind. Since then, he’s learnt the hard way what happens when people announce routes to Google. Trying to figure out why traffic for your network is going to a small Vietnam Internet service provider via a European Tier 1, when you have no relationship with either, is frustrating at best.

The Internet Society supports this program as part of its work to reduce common routing threats and establish norms for network operations. Find out more and join MANRS today.

Categories
Open Standards Everywhere Strengthening the Internet

In Africa, An Open Internet Standards Course for Universities

Seventy university students from the Democratic Republic of Congo (DRC), Ethiopia, Kenya, and Ghana gained insights into open Internet standards

Many of the Internet standards that make the Internet work today are developed using open processes. Early exposure to these processes could significantly help future engineers play a role in the evolution of the Internet.

Next Generation of Open Internet Standards Experts in Africa

To expose the next generation of African experts to open Internet standards, the Internet Society put together a short pilot course on Internet Protocol Security (IPSec). IPSec is a technology used to improve communication security between devices on the Internet.

To promote the teaching of open Internet standards in African universities, the one-month course brought together 70 students from 4 African universities in the DRC, Ethiopia, Kenya, and Ghana. The pilot course was designed to provide university lecturers with additional training material to support existing courses at universities.

Facilitators

Technology experts Dr. Daniel Migault, Professor Nabil Benamar, and Loganaden Velvindron facilitated the learning experience. Between March and April 2020, they delivered online lectures for three weeks before opening up a week for student assignments.

The Internet Society’s Regional Vice President for Africa Dawit Bekele said the course was designed to be used as additional teaching content that could easily be integrated by teachers and lecturers – without having to alter their current teaching curricula. This would allow the universities to teach current Internet technology within their existing educational programs.

Rooting Open Standards in African Universities

“Lecturers were required to enroll their students and support them during the pilot course, while facilitators helped by providing content and assessing the assignments,” he added.

For Bekele, the innovative approach is meant to help root the teaching of open Internet standards in universities across Africa without adding too much burden on lecturers.

On June 26th, a virtual ceremony recognized the best students and lecturers for their work. During the event, Bekele, on the behalf of the Internet Society, thanked the participants, facilitators, and staff who supported the development of the course. He also urged participant universities to find ways of rolling out similar courses to expose students to current technologies.

Learn about Open Standards Everywhere and join us in deploying open standards to help build a bigger, stronger Internet!