The Internet Society (Aftab Siddiqui) and APNIC (Tashi Phuntsho) jointly conducted a Network Security Workshop in Port Moresby, Papua New Guinea (PNG) on 3-5 October 2017. This was arranged for current and potential members of the first neutral Internet Exchange Point (IX) in the country called PNG-IX, at the request of NICTA – the National Information and Communications Technology Authority – a government agency responsible for the regulation and licensing of Information Communication Technology (ICT) in Papua New Guinea. NICTA is also a key partner in establishing the Internet Exchange in PNG.
The first half of Day 1 (3 October) was dedicated to PNG-IX awareness, such as the role of an IX, how it works, why an IX has been established in PNG and why everyone should peer in order to achieve both short- and long-term benefits to the local Internet ecosystem. NICTA CEO Charles Punaha, NICTA Director Kila Gulo Vui, and APNIC Development Director Che-Hoo Cheng shared their views.
There were more than 40 participants in the Network Security workshop, with diverse backgrounds ranging from enterprise environments, state universities, financial institutions, telcos and ISPs. The training alumni completed lab work and learned about important security topics such as cryptography, SSH, PGP, TLS/SSL, IDS/Snort and infrastructure security topics such as RPKI, ROA and BGPsec. The presentation material is available on the APNIC Wiki.
The workshop participants, who had different levels of industry experience, unsurprisingly asked many curious questions, and discussion extended beyond the agenda topics and into more general Internet security issues. The participants found the workshop not only informative but also inspirational with the knowledge that was presented.
This event was made possible with the support of NICTA, and the Internet Society is grateful for their help and assistance throughout the week.
The Apple Worldwide Developers’ Conference (WWDC16) is being held all this week at the Bill Graham Civic Auditorium in San Francisco, USA.
It’s worth mentioning that Stuart Cheshire from Apple will be talking about how to support IPv6 during the Networking for the Modern Internet session this coming Thursday, 16 June 2016 between 1500 and 1540 PDT/UTC-7.
Want to learn about DNSSEC and how it helps add a layer of trust to DNS? Puzzled by how this all works? If so, please join us today from 16:45 to 18:15 UTC for “DNSSEC for Everybody: A Beginner’s Guide” streaming live out of Marrakech, Morocco, in both audio and video on links found off of this page:
(The video and slides are provided via the “Virtual Meeting Room Stream Live” link.)
UPDATE: It turns out that unfortunately there will NOT BE VIDEO in the room that ICANN assigned for us. You can still listen by audio and watch the slides – but you will unfortunately not see any video.
The session consists of an introduction and then a skit where a group of us act out DNS operations – and then add DNSSEC into the picture.
Yes… you heard that right… a bunch of engineers acting out a skit about DNS! 🙂
Hey… you might as well have a bit of fun with it, eh? And our history has told us that this skit has helped people tremendously in understanding DNS and DNSSEC. We also have some other technical information and usually spend about half the session answering questions from participants.
DNSSEC continues to be deployed around the world at an ever accelerating pace. From the Root, to both Generic Top Level Domains (gTLDs) and Country Code Top Level Domains (ccTLDs), the push is on to deploy DNSSEC to every corner of the internet. Businesses and ISPs are building their deployment plans too and interesting opportunities are opening up for all as the rollout continues.
Worried that you’re getting left behind? Don’t really understand DNSSEC? Then why not come along to the second ‘DNSSEC for Beginners’ session where we hope to demystify DNSSEC and show how you can easily and quickly deploy DNSSEC into your business. Come and find out how it all works, what tools you can use to help and meet the community that can help you plan and implement DNSSEC.
The session is aimed at everyone, so no technical knowledge is required. Come and find out what it’s all about…!
The target audiences for this tutorial are recent university graduates, network administrators, network engineers, and other parties with a working knowledge of IPv4 who are looking for a basic course on IPv6. The course consists of the following modules:
Introduction to IPv6
Understanding IPv6 Addresses
Protocol, Neighbor Discovery, and SLAAC
As IPv4 exhaustion becomes more and more imminent, network operators across the globe are taking a closer look at transitioning to IPv6. Given that the Internet is now a critical global infrastructure for socio-economic growth and is growing faster in developing countries, there are a number of key drivers for IPv6 migration to be accelerated in these nations. A number of these drivers are highlighted below:
Many developing countries have made considerable strides in ICT but still trail developed nations as it pertains to Internet access. This ‘digital divide’ can be reduced by extending wireless networking and mobility through the provisioning of a larger address space via IPv6.
By expediting the migration of IPv6, governments can deliver enhanced support for public safety networks, as well as reduce the complexity associated with the management of such. These broadband networks better allow emergency services, such as police, fire and emergency medical services, to respond to a wide array of natural, man-made and emerging threats.
IPv6 is the ideal platform on which m-Health capabilities can be built. M-Health applications include the application of mobile devices in gathering clinical data, conveyance of health-related data to medical practitioners, researchers, and patients, real-time patient monitoring systems, and remote home care by means of mobile telemedicine.
The underlying protocol for smart grid technology is preferably IPv6. Smart grid computing provides monitoring, analysis, control, increased cyber-security and communication capabilities to electrical delivery systems in order to maximize the throughput of the system while reducing the energy consumption.
Mobile banking and mobile payments can substantially improve access to banking products such as savings, deposits and insurance for lower income demographics. These services provide ways and means for the unbanked and underbanked persons to invest in productive assets, expand their businesses and protect their livelihoods. IPv6 is emerging as the preferred platform and is a core component of the wireless Internet architecture (2G, 3G, 4G and beyond).
In short: It’s doable and your government should support it!
Over 4 years ago, the Go6 Institute started a discussion with the Slovenian government about the idea for a Slovenian IPv6 roadshow project. This would include a web portal with basic technical and deployment information about the IPv6 protocol, as well as one-day basic IPv6 workshops that would be free for everybody to attend, but more importantly, outside of the capital city (Ljubljana).
The motivation behind this initiative was the fact that the majority of IPv6 related conferences, meetings and workshops were usually held in Ljubljana as the density of Internet experts in that area is higher than elsewhere. But is using this as a reason to organize IPv6 events there fair? We thought not, and this resonated with Internet experts living outside the Ljubljana region.
“If the mountain won’t come to Muhammad, then Muhammad must go to the mountain…”
People from busy IT departments, enterprises, operators and other parts of industry are involved with their work and don’t have the time and resources to travel for several hours to join a workshop about something they are not entirely sure they need to know about. Of course, usually after joining a meeting or workshop they realize how important the knowledge is and change their mind, but before this happens, they have hesitations about whether it is a good use of their time.
The aim was to change this mentality by bringing an IPv6 workshop to their city that is free to attend, and to encourage them to see IPv6 as part of their future professional expertise and required knowledge.
The Slovenian government always stressed the importance of providing education and learning opportunities to everyone in the country, so we saw the perfect opportunity to partner this vision with increasing knowledge and awareness of IPv6. We therefore need to thank the Ministry of Education, Science and Sport and Arnes, the Slovenian NREN, for supporting this pilot project.
This project was announced in September 2015, and needed to be completed before the funding expired at the end of 2015. We decided to divide the project into two parts – developing a web portal with IPv6 information in Slovenian, as well as organising two IPv6 workshops in Nova Gorica and Maribor – two cities at diametrically opposite ends of the country.
The web portal now proudly lives at https://ipv6.si/ and is still under development, but the content is nearly complete and should be available next week. The aim is to gather together IPv6 information in Slovenian to become a reference point for any citizen needing to understand and deploy IPv6 in their networks and services. Our wish is to continue to develop the portal – adding new protocols, tutorials and workshop materials over time.
The two IPv6 workshops took place this week on 15 December 2015 in Nova Gorica, and 17 December 2015 in Maribor. The first had over 80 participants, whilst the second had around 40 participants, so both can be considered a great success. Arnes also recorded the proceedings of the Maribor workshop which will appear on https://ipv6.si/ shortly.
Participants were highly interested in learning about IPv6 and Matjaž Straus Istenič and Luka Manojlovič introduced them to the IPv6 protocol, how to start, and the importance of gaining a lot of experience in order to be able to run trouble-free networks and services.
The workshops also covered why we need to implement IPv6, addressing and making address plans, accompanying protocols, ICMPv6 services, and the usage of different auto configuration mechanisms such as SLAAC and DHCPv6. More advanced topics included DNS and IPv6, privacy and traceability in IPv6, a look at IPv6 security issues, and transitional mechanisms like A+P (MAP), 6to4, NAT64 and others.
One of the participants said after the workshop: “If you guys had not organised this workshop, I would not have learnt about IPv6 to the extent that the whole thing would catch my attention and interest to start testing and experimenting with it. Quite simply, I have too much other work and would not have been able to reprioritize my other assignments to start learning about IPv6 from the Internet. I live and work nearby and in a single day I learned the basics of IPv6, lost the fear of an unknown new protocol, and actually obtained enough knowledge to encourage me to start playing with it at home. When I get comfortable with it, I’ll start thinking about implementing it at work…”
From the feedback received, it’s clear this initiative was welcomed as a good way to encourage people to deploy IPv6. We therefore plan to talk to our government and NREN about continuing this activity next year, as the web site is nearly ready, workshop material has been prepared, and a team is well trained in its use.
We’d like to thank everyone who made this pilot project happen, including the Ministry of Education, Science and Sport; Arnes; IZUM Maribor; Šolski center Nova Gorica; Go6 Institute; the Internet Society; and everyone else that helped make the workshops a bit better.
We’re also interested in hearing if there are similar initiatives in other countries, and would encourage other governments to support the deployment of IPv6 in this way.
In about 35 minutes, at 17:00 Argentina time (UTC-3), we will be streaming live out of ICANN 53 in Buenos Aires, Argentina, with the “DNSSEC For Everybody: A Beginner’s Guide” session. You can watch and listen live at this link:
The session goes for 90 minutes today, roughly half of which is the actual program and the remainder is what usually turns into a live Q&A session. We’ll have some introductory remarks that I’ll do, then we’ll have a skit that dramatizes DNS and DNSSEC interactions, then Russ Mundy will dive into a bit deeper detail about DNSSEC… and then we’ll go to Q&A.
Note that remote participants can ask questions through the Adobe Connect interface.
If you’d like a quick way to understand more about DNS and DNSSEC… join us!
It will be archived for later viewing, too, if you can’t watch it live.
Some time ago Matthijs Mekking, one of the authors, maintainers and coders for the OpenDNSSEC project, asked me why the go6.si domain was not signed. My answer was that I need a short, precise and deployment/operations-oriented document with clearly described steps on how to set up the signing platform, how to add a zone and sign it.
Matthijs accepted the challenge and soon we got the first draft of the document to Go6lab. There were some errors in the procedure, so together we fixed them. Matthijs added some more information that he saw as needed for better understanding and re-tested the procedure again – and this time it worked. After some cycling through the Linux distributions we found that using Fedora and installing OpenDNSSEC from their repository usually brings you the latest version of the code – and the issue that we found in the first round of testing was fixed in the new version (the issue was that if you had the OpenDNSSEC signer as “bump in a wire” between the silent primary and the secondaries that served the signed zone, the signer did not understand the “NOTIFY” message from the primary and did not transfer the new zone for signing).
We decided to install the OpenDNSSEC signer as “bump in a wire”, fetching the unsigned zones from the “silent” primary server, where we edit and change the zones (with notify to signer), sign the zones on the signer server and push them over AXFR to two secondary servers that act like primary and secondary DNS for that zone. Seems easy – and it is, in a way 🙂
The “silent” primary server runs on PowerDNS with a mysql database backend. The two secondary servers that are serving the signed zones are both running bind9.
At first glance all worked fine. Following the deployment guide, we added the go6.si, go6lab.si and zorz.si zones for signing (zorz.si was a test “mule” to see if the process works). The signer got the zones, signed them and pushed them to both name servers nsec1.go6lab.si and nsec2.go6lab.si. Our .si TLD dnsmaster Benjamin Zwittnig inserted DS records for us in the .si zone and the whole thing started to work. We are now pressing our registrar to implement the tool to insert DS records into the .si zone without bothering Benjamin. Hopefully this happens soon.
So, with DS records in the parent zone we were able to test the whole thing and all was fine… until I stopped changing the zones and the primary server did not send any NOTIFY to the signer server that there is a change in the zone for some time. And that “some time” was exactly the time that was set for a zone to expire. What happened was that the signer server realized that the zone expired and instead of asking its primary name server for a retransmit (AXFR) – the server expired the zone and stopped serving it.
So, zorz.si was off-the-Internet for 20 minutes! When my monitoring system alerted me that there is something wrong with DNS responses for that domain, I immediately figured out that signer expired the domain without refreshing it at the primary server.
As I needed to solve this issue quickly I created a cronjob that forces a NOTIFY for all signed domains on the hidden primary server every day at midnight – and so domains never expire on the signer server. I also reported this bug to Matthijs and I think that the fix will be done in the next release of the software.
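The workaround above re-sends NOTIFY on a fixed schedule; the following added example (not code from the original post or from the OpenDNSSEC or PowerDNS projects) generalizes it into a watchdog that compares each zone's SOA expire timer with the age of the last transfer and lists the zones that need a forced NOTIFY before the secondary drops them. The zone names come from the post; the SOA timers, name server names, timestamps and the 25% safety margin are constructed assumptions, and the `pdns_control notify` commands are only built, not executed.

```python
"""Added example: flag zones that are close to expiring on a signer/secondary."""
from dataclasses import dataclass


@dataclass
class Soa:
    zone: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(line: str) -> Soa:
    """Parse one SOA record in presentation format:
    owner [ttl] [class] SOA mname rname serial refresh retry expire minimum"""
    fields = line.split()
    upper = [f.upper() for f in fields]
    if "SOA" not in upper:
        raise ValueError(f"not an SOA record: {line!r}")
    i = upper.index("SOA")
    numbers = fields[i + 3:i + 8]          # skip mname and rname
    if len(numbers) != 5:
        raise ValueError(f"truncated SOA record: {line!r}")
    serial, refresh, retry, expire, minimum = (int(n) for n in numbers)
    return Soa(fields[0].rstrip(".").lower(), serial, refresh, retry, expire, minimum)


def zones_needing_notify(soa_lines, last_transfer, now, margin=0.25):
    """Return [(zone, seconds_left)] for zones whose remaining lifetime on the
    secondary is below margin * expire, most urgent first.
    A zone with no recorded transfer is treated as already expired."""
    urgent = []
    for line in soa_lines:
        soa = parse_soa(line)
        last = last_transfer.get(soa.zone)
        left = -1 if last is None else soa.expire - (now - last)
        if left < margin * soa.expire:
            urgent.append((soa.zone, left))
    return sorted(urgent, key=lambda item: item[1])


def notify_commands(urgent):
    """Build (not run) the PowerDNS command that re-sends NOTIFY for each zone."""
    return [["pdns_control", "notify", zone] for zone, _ in urgent]


# Constructed sample data: timers, server names and timestamps are illustrative.
NOW = 1_450_000_000
SAMPLE_SOA = [
    "go6.si. 3600 IN SOA ns.example. hostmaster.example. 2015121501 10800 3600 604800 3600",
    "go6lab.si. 3600 IN SOA ns.example. hostmaster.example. 2015121502 3600 600 86400 3600",
    "zorz.si. 3600 IN SOA ns.example. hostmaster.example. 2015121503 300 60 3600 300",
]
LAST_TRANSFER = {          # epoch seconds of the last successful AXFR per zone
    "go6.si": NOW - 3600,
    "go6lab.si": NOW - 90000,   # older than its expire timer: already expired
    "zorz.si": NOW - 3000,      # 600 s left of a 3600 s expire timer
}

if __name__ == "__main__":
    for zone, left in zones_needing_notify(SAMPLE_SOA, LAST_TRANSFER, NOW):
        state = "EXPIRED" if left <= 0 else f"{left}s left"
        print(f"{zone}: {state} -> pdns_control notify {zone}")
```

Alerting on the same list, in addition to re-notifying, gives warning before resolvers see the zone disappear rather than after.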
It’s good to have a real environment where we can test and stress-out these new tools that are making the Internet a safer place – and also make these tools better with finding bugs before they hit somebody else in a big production environment.
You can now download the latest draft of Matthijs’ opendnssec-start-guide document that I used to set up the whole thing. Please note – it’s a draft, so all comments, suggestions and ideas are more than welcome.
How did we test if our DNSSEC signing was correct and valid? We used three tools:
The team over at CloudFlare published an excellent introduction to DNSSEC today that is well worth a read. CloudFlare has developed a reputation for writing blog posts that provide a solid level of technical depth and this one certainly does. Nick Sullivan starts by walking through the basics of DNS and including some packet captures and nice illustrations. Then he gets into man-in-the-middle (MITM) attacks and provides a great graphic that very succinctly shows a MITM attack against DNS:
Even better, Sullivan nicely explains the “Kaminsky Attack” and the situation that makes the attack possible. He then plunges into DNSSEC, explains RRsets and RRSIGs, ZSKs and KSKs, and touches on the value of NSEC/NSEC3 to prove that records don’t exist.
All in all it is an excellent introduction and we’re very pleased to see CloudFlare publishing this piece. Thanks to Nick Sullivan and his team for getting this out there!
As we’ve written about before, CloudFlare has been saying since the ICANN 50 DNSSEC Workshop back in July that they would have DNSSEC available for their customers by the end of 2014. Their post today says “in the next six months”… but we’ll hope it comes in on the sooner side of that. 🙂 It was also great to see the official announcement that CloudFlare has hired Olafur Gudmundsson, one of the developers of the first DNSSEC implementation many, many years ago and currently one of the co-chairs of the DANE Working Group within the IETF. We’ve been working with Olafur over the past few years through our partnership with Shinkuro, Inc., where he worked before, and we’re delighted that he’s now working on DNSSEC at CloudFlare.
All great to see – and this will only help get DNSSEC much more widely deployed!
If you want to get started with DNSSEC today, please visit our Start Here page to find resources targeted at your role or type of organization. Help us make the Internet more secure today!
So much IPv6 talk is centered around operators and their configurations. With this post we’re going to focus on end user IPv6 configuration. We recently completed three resource pages dedicated to helping end users configure their desktop operating systems for IPv6.
The resources aim to help users of Apple’s Mac OS X, Microsoft Windows and Linux operating systems get up and running fast on IPv6. End users don’t have to be power end users to configure IPv6 in their client operating systems. With both DHCPv6 and SLAAC, IPv6 was designed with ease of use in mind. Usually all that is required is turning it on. However, if you are the power user type, you’ll find links in each resource page for you.
If you’re stuck in an environment that doesn’t yet offer IPv6 but want to get on board, this page on IPv6 transition technologies is for you. If you want IPv6 connectivity, but are currently stuck at an operator that only supports IPv4, the specific video on 6in4 is for you.
IPv6 adoption is accelerating and it’s easier than ever to get onboard as an IPv6 end user. Join the conversation and get up and running with IPv6 today.
If you would like to get started with IPv6, please visit our IPv6 resources or begin with our “Start Here” page to help find resources most appropriate for your type of organization. If you have an IPv6 case study you think we should consider for inclusion on our site, please contact us – we are always looking for more!
Are you looking for a quick way to learn more about IPv6 and how to get started? Would you like to quickly set up a computer to test out IPv6 and learn how to use it?
If so, check out the Consumer Guide: All About IPv6. Published by the Internet Society Hong Kong Chapter, this ebook gives a basic introduction to IPv6, then provides tutorials for configuring IPv6 on consumer devices. It explains what IPv6 is all about by explaining IPv4 exhaustion and other benefits of IPv6 adoption. It also includes tutorials detailing how to enable and configure IPv6 and 6in4 tunneling on typical consumer software including Windows 7, Apple’s OS X, VPN clients, and home routers.
The book is a well-done basic introduction to IPv6 that is easy to read and understand. It is available both as a PDF that can be printed or read in an ebook reader or on a tablet or smartphone – or as a website for desktop viewing, complete with a clickable table of contents and other controls.
Thanks to the ISOC Hong Kong Chapter for creating such a useful guide!
If you are looking for more resources to get started with IPv6, please visit our “Start Here” pages that can guide you to resources appropriate to your type of organization or activity.
Meanwhile, in Northern France, the International Cybersecurity Forum (FIC2014) got under way, with some 2,500 attendees gathering in Lille to hear, among others, the French Minister of the Interior outline his policies for countering the cyber threat while safeguarding citizens’ basic freedoms.
And before FIC2014 had even finished, the 2014 conference on Computers, Privacy and Data Protection (CPDP) had already started in Brussels.
All these events raised issues which directly concern us – digital citizens – and the digital footprints we create as we go about our daily business.
Crucially, we need to look at whether it is possible to control (or at least manage… or even see…) the trail of personal information we leave on the Internet.
Consider the following:
Obama proposes new governance measures for the collection of US citizens’ telephone metadata, but skirts the question of privacy as a universal right, and says nothing about the economic damage to companies’ trust in Internet technology. By and large, nothing the President said suggested any great change with regard to the average citizen’s data: mass interception and pervasive monitoring will continue, as will the long-term storage of vast amounts of tracking data. If there is to be substantive change, all the indications are that it will have to come from citizens themselves.
At FIC2014, the debate on the question of whether online anonymity is possible shows increasing maturity and sophistication. The key point is made that achieving ‘anonymity’ today does not mean what it meant 10 years ago, nor what it meant 1000 years ago. What implications does that have for 10 years hence? That’s an important question, because the data we classify as ‘anonymous’ today will still be around in 10 years’ time: will we still think they are anonymous, and will we wish, in 2024, that we had thought more carefully in 2014?
And at CPDP, a troubling theme is the suggestion – by some stakeholders – that we should stop worrying about controlling the collection of personal data, and instead focus our efforts on achieving better control over its use. I couldn’t agree less. Imagine how we’d feel if the nuclear industry adopted the same philosophy. For all that personal data is an increasingly vital economic asset, its retention also represents a growing liability – and by far the best way to manage that liability is not to collect the data in the first place. The principle of data minimisation, as an important element of privacy by design, is not a new one, but our interpretation of it needs to keep pace with innovation.
Despite the imbalance in the power relationship between us and service providers, data minimisation is not just something we should insist they should do on our behalf; the privacy outcomes are something for which we must take more responsibility ourselves.
The implications for individual consumers and citizens are clear. We all need to be doing more to understand our digital footprints, to understand the asymmetric power relationship they represent, and to take responsibility to the extent that we can. To that end, and to coincide with Data Privacy Day 2014, Internet Society is launching a set of materials to help us all understand our digital footprints:
We will follow this up with a short animated video in a few weeks. You can use that as a “nudge point”, to see if you have started thinking differently about your online privacy and your digital footprints. I hope you will.
It’s the second day of 2014. Are you at work looking to get started with deploying IPv6 in your network? Or are you at home on holiday break and looking for something educational to watch online? Was deploying IPv6 one of your New Year’s Resolutions?
If so, you might be interested in watching this Google+ Hangout recorded by the folks at Cisco Systems in December 2013 where Cisco’s Harpreet Singh provided an outline of what changes with IPv6, what you need to think about in your network, what kind of planning you need to do for the migration and similar topics. While the video is of course from a vendor of networking equipment, the session and slides do provide a good general overview of IPv6 transition issues. Great to see Cisco making these kinds of sessions available!