Categories: Deploy360, Domain Name System Security Extensions (DNSSEC), Internet of Things (IoT), IPv6, Mutually Agreed Norms for Routing Security (MANRS), Securing Border Gateway Protocol (BGP)

RIPE 75 starts in Dubai next week

The RIPE 75 meeting is happening next week in Dubai, United Arab Emirates, and it’s going to be a busy week for the Deploy360 team who are chairing and presenting in several sessions. Both Jan Žorž and Kevin Meynell will be there, along with our colleague Andrei Robachevsky, and we’ll also be reporting on relevant developments as usual.

The RIPE meeting kicks off on Sunday this time, as that’s the start of the working week in Dubai. Proceedings commence with tutorials on IPv6 Deployment in Cellular networks, an Introduction to DDoS attacks, and one on Decoding the IoT ecosystem. These are followed by a Newcomers’ Introduction if you’re a first timer.

The opening plenary commences at 14.00 GST/UTC+4, and after the introductory pleasantries, one presentation not to miss is from Lee Howard (Retevia) on the State of IPv6-only. There’s also an interesting-looking presentation on Real-Time Wide-Area TCP Latency Monitoring from Richard Cziva (University of Glasgow/REANNZ), and you can also find out about the state of IPv6 play in France and the traffic patterns in Saudi Arabia, before the lightning talks (yet to be announced).

The MANRS initiative is planning an informal BoF on Sunday evening starting at 18.00 GST/UTC+4 (in place of the advertised BCOP Task Force). This will be chaired by Jan and Kevin, and will discuss ideas for measuring the health of the Internet routing system. The aim is to develop some empirical data to strengthen the case for collaborative routing security, including indications of good and bad security, and what metrics would accurately reflect this.

Monday is mostly a plenary session, and be sure to check out the session from 14.00-15.30 GST/UTC+4. This has talks on Recent BGP Innovations for Operational Challenges from Greg Hankins (Nokia), on Broken DNS responses from Babak Farrokhi, and of course Geoff Huston (APNIC) talks are always excellent value – this one being about the Death of Transit and Beyond.

On Monday evening from 18.00-19.00 GST/UTC+4, there’s also a workshop on IPv6 and the Enterprise that’s being led by Wilhelm Boeddinghaus (iubari) and Benedikt Stockebrand (Stepladder IT Training+Consulting). This will cover how to deploy IPv6 on an enterprise scale, covering DHCP and SLAAC issues, IPv6-supported applications, and how to handle legacy applications.

On Tuesday, there’s the newly created Internet-of-Things session from 14.00-15.30 GST/UTC+4 to facilitate discussion of IoT issues, how they affect the RIPE community, and whether network operators need to take a different approach with IoT developments. Kevin will be speaking in this session about the Internet Society’s Online Trust Alliance (OTA), and its IoT Security & Privacy Trust Framework.

On Wednesday, ISOC will be presenting on the IETF during the Cooperation Working Group from 09.00-10.30 GST/UTC+4. There’s also the DNS Working Group from 14.00-15.00 GST/UTC+4, which has presentations on CDNSKEY Implementation with Automated KSK Rollover in Knot DNS and the FRED Registry, the (re)focusing of DNS Efforts on the End-Points, and Why DNS Should be the Naming Service for the Internet of Things.

The IPv6 Working Group from 16.00-17.00 GST/UTC+4 isn’t in competition with anything else, so there are no reasons not to attend. It features another presentation from Geoff Huston (APNIC), this time on IPv6 fragmentation, one on Webhosting on IPv6-only Virtual Machines, more on IPv6 deployment in enterprise networks, plus the IPv6 Chair election.

And rounding off the day is another workshop from 18.00-19.00 GST/UTC+4, this time on Configuring CPE for Transition Mechanisms led by Lee Howard (Retevia). This will cover the provisioning of customers without native IPv4, and how to set up various transition mechanisms on home gateways.

Thursday is the last day of the meeting this time, and mostly features the regular agenda items such as the RIR and NRO reports. There will also be an update on IANA/PTI though, as well as a presentation on Greenfielding a New High-performance Network from Fredrik Korsbäck (NORDUnet).

For those of you who cannot attend in person – there is remote participation available with audio and video streaming and also a jabber chat room, so everyone is welcome to participate!

The full programme can be found at: https://ripe75.ripe.net/programme/meeting-plan/

Categories: Deploy360, IPv6

IPv6 prefix assignment BCOP published as RIPE-690

We’re pleased to announce that after a year of intensive work by IPv6 experts around the world, supported by the Deploy360 team, the RIPE community has reached consensus on the Best Current Operational Practices (BCOP) for IPv6 prefix assignment for end-users: persistent vs. non-persistent, and what size to choose. These were officially published as RIPE-690 this week.

RIPE-690 outlines best current operational practices for the assignment of IPv6 prefixes (i.e. a block of IPv6 addresses) for end-users, as making wrong choices when designing an IPv6 network will eventually have negative implications for deployment and require further effort such as renumbering when the network is already in operation. In particular, assigning IPv6 prefixes longer than /56 to residential customers is strongly discouraged, with /48 recommended for business customers. This will allow plenty of space for future expansion and sub-netting without the need for renumbering, whilst persistent prefixes (i.e. static) should be highly preferred for simplicity, stability and cost reasons.
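As an added illustration of how an operator might check an addressing plan against the recommendations summarised above (this is example code written for this post, not part of RIPE-690 or any tool it describes), the following audit uses the Python `ipaddress` module. The allocation, customer names and prefixes are constructed from the IPv6 documentation prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Assignment:
    customer: str
    kind: str          # "residential" or "business"
    prefix: str        # the IPv6 prefix given to this customer
    persistent: bool   # True if the prefix is static for the customer


# Longest prefix length the guidance above allows per customer type:
# residential customers should not get anything longer than /56, businesses should get /48.
RECOMMENDED_MAX_PREFIXLEN = {"residential": 56, "business": 48}

# Constructed operator allocation and customer assignments (documentation prefix 2001:db8::/32).
ALLOCATION = "2001:db8::/32"
SAMPLE_ASSIGNMENTS = [
    Assignment("A", "residential", "2001:db8:0:100::/56", persistent=True),
    Assignment("B", "residential", "2001:db8:0:200::/64", persistent=False),
    Assignment("C", "business", "2001:db8:1::/48", persistent=True),
    Assignment("D", "business", "2001:db8:2::/56", persistent=True),
    Assignment("E", "residential", "2001:db8:0:1ff::/64", persistent=True),
]


def audit(allocation: str, assignments: List[Assignment]) -> List[Tuple[str, str]]:
    """Return (customer, problem) pairs for assignments that break the RIPE-690 guidance
    or the operator's own addressing plan (outside the allocation, overlapping prefixes)."""
    alloc = ipaddress.ip_network(allocation)
    seen: List[Tuple[str, ipaddress.IPv6Network]] = []
    findings: List[Tuple[str, str]] = []
    for a in assignments:
        net = ipaddress.ip_network(a.prefix)
        if net.version != 6 or alloc.version != 6:
            findings.append((a.customer, f"{a.prefix} is not an IPv6 prefix"))
            continue
        # Plan sanity: the prefix must come from the operator's allocation ...
        if not net.subnet_of(alloc):
            findings.append((a.customer, f"{net} lies outside the allocation {alloc}"))
        # ... and must not collide with a prefix already handed to another customer.
        for other_customer, other in seen:
            if net.overlaps(other):
                findings.append((a.customer, f"{net} overlaps customer {other_customer} ({other})"))
        seen.append((a.customer, net))
        # RIPE-690 size guidance: anything longer than the recommended length (e.g. a /64) is flagged.
        limit = RECOMMENDED_MAX_PREFIXLEN[a.kind]
        if net.prefixlen > limit:
            findings.append((a.customer,
                             f"/{net.prefixlen} is longer than the recommended /{limit} for {a.kind} customers"))
        # RIPE-690 persistence guidance: static prefixes are preferred.
        if not a.persistent:
            findings.append((a.customer, "non-persistent assignment; RIPE-690 prefers persistent (static) prefixes"))
    return findings


def capacity(allocation: str, prefixlen: int) -> int:
    """Number of prefixes of the given length that fit in the allocation, for sizing the plan."""
    alloc = ipaddress.ip_network(allocation)
    if prefixlen < alloc.prefixlen:
        raise ValueError("requested prefix is shorter than the allocation")
    return 2 ** (prefixlen - alloc.prefixlen)


if __name__ == "__main__":
    print(f"{ALLOCATION} holds {capacity(ALLOCATION, 56)} /56s or {capacity(ALLOCATION, 48)} /48s")
    for customer, problem in audit(ALLOCATION, SAMPLE_ASSIGNMENTS):
        print(f"customer {customer}: {problem}")
```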

The target audience of RIPE-690 is technical staff working in ISPs and other network operators who currently provide or intend to provide IPv6 services to residential or business end-users. Up until now, there have been no clear recommendations on how to assign IPv6 prefixes to customers, and a variety of different and sometimes problematic solutions have been implemented.

By bringing together subject matter experts with practical deployment experience, it’s been possible to identify common practices and problems, and provide recommended solutions to some of the more commonly encountered issues.

The authors of the document were Jan Žorž, Sander Steffann, Primož Dražumerič, Mark Townsley, Andrew Alston, Gert Doering, Jordi Palet, Jen Linkova, Luis Balbinot, Kevin Meynell and Lee Howard. Other contributors were Nathalie Kunneke-Trenaman, Mikael Abrahamsson, Jason Fesler, Martin Levy, Ian Dickinson, Philip Homburg, Ivan Pepelnjak, Matthias Kluth, Ondřej Caletka, Nick Hilliard, Paul Hoffman, Tim Chown, Nurul Islam, Yannis Nikolopoulos and Marco Hogewoning.

The document was submitted to the RIPE BCOP Task Force and then to the RIPE IPv6 Working Group, as part of the Internet community feedback and consensus building process. Thanks should go to the Chairs of those groups who ensured the recommendations do conform with actual best operational practice, along with the RIPE NCC staff who facilitated the publishing process.

Now that there are agreed, stable recommendations for IPv6 prefix assignment for end-users, we’d ask all network operators to read and consider the document when deploying IPv6 to their customers.

And as always, please visit Deploy360’s Start Here page to find resources on how to get started with IPv6.

Categories: Deploy360

SINOG 4.0 sheds light on the dark side of IPv6

The 4th meeting of the Slovenian Network Operators’ Group, organised by Go6, ARNES and LTFE, was held on 23-24 May 2017 at the Brdo Technology Park in Ljubljana. This event was co-sponsored by the Internet Society and attended by 119 participants, being held over two days for the first time.

The first day was devoted to IPv6 issues and aimed to replace the Slovenian IPv6 Summit. It’s felt that IPv6 is now sufficiently mainstream that the focus should be on operational issues rather than advocacy, hence the reason for incorporating it into the SINOG meeting itself. It featured, for the first time, a panel on ‘The Dark Side of the IPv6 Moon…’ to discuss some of the challenges of deploying IPv6 and how these can be addressed.

Setting the scene, though, was the keynote provided by Ole Trøan (Cisco), who’s a Co-Chair of the IETF IPv6 Maintenance Working Group. He provided some interesting background on why IPv6 was designed, the reasons for particular architectural choices, and why particular compromises were made. For example, IPv6 was not made backward compatible with IPv4 because IPv4 did not offer any opportunity for forward compatibility, and many inefficient workarounds had needed to be implemented with IPv4 in order to make the Internet work as originally intended.

Whilst the primary aim of IPv6 was to vastly increase the available address space, it also aimed to simplify the evolution of how the Internet was supported, such as having fixed-sized headers with extension possibilities rather than IPv4 options, and putting host configuration into the network layer. At the same time though, the aim was to limit changes on the network layers whilst allowing transport protocols to remain unchanged.

However, there are many players involved in the Internet with interests directly at odds with each other, and the technical architecture needs to be flexible enough to accommodate them whilst retaining the ability to support new applications. This is why compromises ended up being made on address length, extension headers and host configuration, although with hindsight other design choices might have been made.

Nevertheless, the fact remained that IPv4 addresses were facing exhaustion and technical kludges were increasingly having to be used to eke them out further. IPv6 was a functional protocol and was increasingly becoming available as a native transport service, so whilst uptake in Slovenia was a bit low at 6.8% (according to APNIC Labs), it had substantially increased over the past year, which supported the assertion that there were no reasons not to deploy it.

Christian Teuschel (RIPE NCC) followed-up with some observations about IPv6 routing in Slovenia. The RIPEness IPv6 project rates how prepared Local Internet Registries (LIRs) in the RIPE Service Region are for IPv6 deployment, and awards up to 5 stars if they fulfil particular criteria. Of the 60 LIRs registered in Slovenia, 6 qualify for the 5-star rating by providing access or content via IPv6, with another 33% qualifying for 4-stars, 27% qualifying for 3-stars, and just 5% having no IPv6 capability.

Slovenia should therefore be well placed with its support for IPv6, although most IPv6 traffic appears to stay local, and there are fewer than half the number of unique AS paths via IPv6 compared to IPv4, of which 79% are via SIX-SI. The use of 6to4 tunnels creates some long RTTs, and there appear to be just three native IPv6 paths, all running via DE-CIX. This is obviously an area for improvement, although if you read Slovenian, you might want to read about Telekom Slovenije’s efforts to deploy IPv6 in the country – presented by Saša Žbontar (Telekom Slovenije).

Next up was ‘Why IPv6 Security Is So Hard’, which was presented by Ivan Pepelnjak (ipSpace) on behalf of Enno Rey (ERNW). We previously highlighted this in a RIPE 74 blog, but it covers the perceived failures with IETF IPv6 standards and offers some suggestions as to how operational practices can be improved.

Our colleague Jan Žorž followed up with some results from the NAT64/DNS64 testing being undertaken by the Go6lab and supported by the Internet Society. The NAT64check tool enables websites to be checked for consistency over IPv4, IPv6-only and NAT64, as well as to compare responsiveness using the different protocols. This allows network and system administrators to easily identify anything that is ‘broken’ and to pinpoint where the problems are occurring, thus allowing any non-IPv6 compatible elements on the website to be fixed.

And so to the main event, the ‘The Dark Side of the IPv6 Moon…’ panel chaired by Jan and featuring Ole Trøan (Cisco), Job Snijders (NTT), Ivan Pepelnjak (ipSpace) and Kevin Meynell (Internet Society). The focus was on the deployment and operational consequences of the IPv6 architectural and standardisation decisions, and the real world challenges of using IPv6 in production networks.

It might seem a bit strange to be highlighting problems and issues with IPv6 when at the same time advocating its use, but the case for IPv6 is now well established and the protocol is sufficiently widely deployed that it’s reasonable to air this discussion. It should also not be forgotten that there are issues with deploying IPv4 as well; it’s just better understood how to work around these, and in many cases IPv6 can improve this situation.

The Deploy360 involvement didn’t end there. Jan presented the recently published BCOP on IPv6 prefix assignment for end-users which aims to provide guidance to ISPs as to what size IPv6 prefixes should be assigned to customers, when to choose static or dynamic assignment, and whether a /48 or /56 should be assigned to a particular customer.

Kevin meanwhile presented on ‘Two Good Years of MANRS‘ which is the routing security initiative defining four concrete actions that network operators should implement to promote a culture of collaborative responsibility, and the next steps to develop a MANRS certification programme as well as partnerships with IXPs.

Although not Deploy360-related, you might also want to check out some of the other excellent presentations over the two days. Ole Trøan gave a presentation about his day job which is developing VPP – The Universal Fast Dataplane, Alexander Holzer (NextGen Firewalls) covered Large Scale Firewall management, whilst Job Snijders (NTT Communications) explained the problem of Large BGP communities, the recent RFC 8092 that aims to address this, and provided some information on how to get started.

Be sure though to check out the presentation on securing network automation from Ivan Pepelnjak who always provides excellent value, and on LibreNMS from Uroš Berglez (FERI MB).

So that’s it from Ljubljana for this year, but all the presentations and videos of the talks can be found on the SINOG website. If you’re inspired to deploy IPv6 after this, then please take a look at our Start Here page to understand how you can get started.

Categories: Deploy360, Domain Name System Security Extensions (DNSSEC)

RIPE 74 – Highlights from Day 1

The RIPE 74 meeting is happening this week in Budapest, Hungary. There are well over 600 participants at this meeting who’ve assembled at the Intercontinental Hotel on the banks of the River Danube, and Kevin Meynell and Jan Žorž are here to highlight all the relevant presentations and activities.

The main event for us was the BCOP Task Force on Monday evening, chaired by Jan. There’s currently an initiative to set up a global BCOP website to collate all the different Best Current Operational Practice documents in one neutral repository, with administrative support being provided by Deploy360 and the Go6lab. We hope to get this up and running over the next month.

The Mutually Agreed Norms for Routing Security (MANRS) Implementation Guide was recently published, but there was some interest in publishing an abridged version as a RIPE document. The aim is to demonstrate RIPE community support for the best current operational practices described in the guide.

Jordi Palet (Consulintel) then presented the recently published draft on IPv6 prefix assignment for end-users that has been out for review for the past 6 weeks. This aims to provide guidance to ISPs as to what size IPv6 prefixes should be assigned to customers, when to choose static or dynamic assignment, and whether a /48 or /56 should be assigned to a particular customer. Some feedback had been received and will be incorporated into the final revision that will be published in the next couple of weeks.

Ondřej Surý (CZ.NIC) proposed a new BCOP on DNS Operational Considerations for Standards Compliance. The DNS Violations Project had identified a number of common violations of DNS protocols such as case-sensitive DNS servers, QNAME minimisation, EDNS breakages, and DNSSEC-related problems. They therefore felt there needed to be better guidance for DNS implementations, and this should involve DNS and CDN operators as well as the RIPE DNS Working Group.

Last up was a proposal from Sascha Pollok for a BCOP on IPv6 assignment for hosting operations, for which he called for co-authors to assist. Running IPv6 on virtual and physical servers has some interesting challenges, and a particular question to resolve was whether one /48 per customer location should apply, or whether one /128 per server was recommended.

Just in case you’re the only person that still isn’t aware of the Root Zone DNSSEC Key Signing Key rollover in October, please check out the presentation from Ed Lewis (ICANN). We’ve discussed this several times before, but this presentation provides some useful information on what DNS operators need to think about, what they need to do, and some possible problems they may encounter.

Finally, not in any way Deploy360 related, but you should be aware of the Anti-Shutdown Policy proposal that Andrew Alston (Liquid Telecom) presented at the end of the plenary session. This is a pretty controversial proposal that generated a lot of heated discussion during the meeting.

In essence, the proposal calls for implementation of measures to suspend or revoke Internet resources from countries whose governments shut down or attempt to shut down the Internet within their jurisdictions. The rationale is that shutdowns cost African economies an estimated USD 2.4 billion between June 2015 and June 2016, hurt investment, and allowed actions to be undertaken without international scrutiny against local populations. It’s certainly a radical proposal that’s attracted a lot of attention, and the debate will no doubt continue.

For those of you who cannot attend the RIPE meeting in person, just a reminder that remote participation is available with audio and video streaming and also a jabber chat room.

The full programme can be found at https://ripe74.ripe.net/programme/meeting-plan/

Categories: Deploy360, IPv6

ripe-554 authors hold reunion at RIPE 74

Left-to-Right: Sander Steffann (Steffann.nl), Merike Käo (Farsight Security) & Jan Žorž (Internet Society)

The RIPE 74 meeting that’s being held this week in Budapest, Hungary provided the opportunity for the three authors of the ripe-554 document “Requirements for IPv6 in ICT Equipment” to get together again to discuss an update.

ripe-554 was originally published in June 2012 and aims to provide guidance to governments and enterprises on their requirements for IPv6 compatibility when tendering for ICT equipment and support. This is based on Best Current Practices and serves as a template for organisations that need to produce IPv6 specifications, as well as for organisations interested in bidding for contracts.

Whilst ripe-554 is widely referred to, the original authors consider that five years on might be a good opportunity to review the content and revise the document if current best practices warrant it. It should, though, be stressed that this is a community-sourced document, so other contributors are encouraged to participate in this process through the RIPE BCOP Task Force.

Categories: Deploy360, IPv6

IPv6 prefix assignment BCOP available for review

A new Best Current Operational Practice (BCOP) document on IPv6 prefix assignment for end-users has just been published for review.

This aims to provide guidance to ISPs as to what size IPv6 prefixes should be assigned to customers, and when to choose static or dynamic assignment. In particular, there’s often confusion as to whether a /48 or /56 should be assigned to a particular customer, whilst in some cases /64s have been assigned which is not recommended.

Comments are now being sought from the Internet community on this document, especially from network operators. BCOPs aim to be living documents that attempt to encapsulate best practices as agreed by experts in their fields, so it’s important to have review and acknowledgment from those actually implementing these practices.

Feedback is welcomed by contacting Jan Zorz at zorz@isoc.org.

Further Information

We encourage network operators to document how they deploy new technologies including IPv6, DNSSEC, TLS and routing resilience/security, so their experiences may assist others in doing so. We’ll be organising BCOP sessions at RIPE 74 & 75, and in Africa and Latin America this year, so stay tuned for more information.

Categories: Deploy360, Improving Technical Security, Mutually Agreed Norms for Routing Security (MANRS)

Securing Routing: MANRS, RPSL & RPKI @ APRICOT 2017

To wrap-up our reports on APRICOT 2017, we’d like to highlight the Network Security session that featured our Internet Society colleague Andrei Robachevsky, as well as highlight other routing security related topics.

Andrei presented the Mutually Agreed Norms for Routing Security (MANRS) initiative that has now been running for two years. This aims to address the issue that BGP is largely based on trust, with no inherent validation of the legitimacy of routing updates and limited ways of authenticating Internet resource data. Whilst there are tools and techniques to improve this, these only have limited deployment and there’s little incentive to do so, as implementing them on your own network has little direct benefit to yourself.

MANRS therefore aims to help network operators around the world to work together to improve the security and resilience of the global routing system through four actions that include filtering, anti-spoofing, coordination and global validation. The initiative was launched on 6 November 2014 with 9 network operators, and has since expanded to encompass 90 Autonomous Systems.

In order to help network operators facilitate the actions, a MANRS Best Current Operational Practices (BCOP) document has been produced, and a set of online training modules is under development. These will walk students through a tutorial and provide a test at the end, with a view to this being the first step towards a MANRS certification. A partnership programme is currently being developed with IXPs, and other partners are being sought who’d be interested in including it in their curricula.

If you’re interested in signing-up to MANRS, more information is available on the Routing Resilience Manifesto website.

Tom Paseka (Cloudflare) then covered some of the threats to the Internet in more detail, and how to mitigate them. Spoofing and Denial-of-Service attacks were becoming wider in scope and involving more and more bandwidth, such as the Mirai botnet that exceeded 500 Gb/s. A number of recommendations and techniques exist to mitigate these attacks, but operators and vendors in many cases simply did not implement these. There needed to be more awareness and responsibility amongst those involved in provisioning networks about the collective security of the Internet.

On the practical side of things though, there was a tutorial held during the conference on how to implement RPSL and RPKI, which are two ways of improving security. Routing Policy Specification Language (RPSL) is used by network operators to describe their routing policies, whilst Resource Public Key Infrastructure (RPKI) allows the holders of Internet resources (IP addresses and AS numbers) to be authenticated and can be used to prevent route hijacking.
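To show what the "prevent route hijacking" part looks like in practice, here is an added example (written for this post, not taken from the tutorial or any RPKI software) of Route Origin Validation as specified in RFC 6811: a received BGP route is compared against the ROAs that cover its prefix and classified as valid, invalid or notfound. The ROAs, prefixes and AS numbers are constructed from documentation and private-use ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorisation: the holder of `prefix` permits `asn` to originate
    it and any more-specific prefix no longer than `maxlen` (RFC 6482 maxLength)."""
    prefix: str
    asn: int
    maxlen: int


# Constructed ROAs (documentation prefixes, private-use AS numbers).
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 64496, 24),
    ROA("198.51.100.0/22", 64497, 24),   # holder allows /22, /23 and /24 announcements
    ROA("2001:db8::/32", 64496, 32),
]


def validate_origin(prefix: str, origin_asn: int, roas: List[ROA]) -> str:
    """Route Origin Validation per RFC 6811.

    notfound: no ROA covers the announced prefix, so RPKI says nothing about it.
    valid:    at least one covering ROA names this origin AS and permits this length.
    invalid:  ROAs cover the prefix but none matches origin and length; this is
              the case a hijacked or over-specific announcement falls into.
    """
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() only accepts same-version networks, so compare the family first.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.maxlen:
            return "valid"
    return "invalid"


def accept_routes(routes: List[Tuple[str, int]], roas: List[ROA]) -> List[Tuple[str, int]]:
    """A drop-invalid policy: keep valid and notfound routes, reject invalid ones."""
    return [(p, asn) for p, asn in routes if validate_origin(p, asn, roas) != "invalid"]


if __name__ == "__main__":
    # Constructed announcements as (prefix, origin AS) pairs.
    announcements = [
        ("203.0.113.0/24", 64496),   # legitimate origin
        ("203.0.113.0/24", 64511),   # same prefix from an unauthorised origin
        ("198.51.100.0/24", 64497),  # more-specific within maxlen
        ("198.51.100.0/25", 64497),  # more-specific beyond maxlen
        ("192.0.2.0/24", 64500),     # no ROA at all
        ("2001:db8:1::/48", 64496),  # IPv6 more-specific beyond maxlen
    ]
    for prefix, asn in announcements:
        print(f"{prefix:18} AS{asn}: {validate_origin(prefix, asn, SAMPLE_ROAS)}")
    print("accepted:", accept_routes(announcements, SAMPLE_ROAS))
```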

Securing Internet Routing: RPSL & RPKI Tutorial

Categories: Deploy360

BCOP BoF to be held at APRICOT 2017

The Deploy360 team will be organising a BoF on Best Current Operational Practices (BCOP) during APRICOT 2017 in Ho Chi Minh City, Vietnam. This is being held on Monday, 27 February 2017 (17.30 to 19.00 UTC+7) in Ballroom 1&2 of the Sheraton Saigon Hotel, and will be co-chaired by Aftab Siddiqui and Jan Žorž.

This is part of Deploy360’s BCOP initiative to encourage the development of regional BCOP initiatives to document operational knowledge and practices based on the experience of network engineers. This knowledge is often exchanged in a casual manner between groups of people in hallways or in social settings, or where it is discussed online, in a variety of forums with archives in different formats, if archived at all.

BCOPs aim to be living documents that attempt to encapsulate best practices as agreed by experts in their fields, and reviewed by the global networking community. There are active initiatives in Europe and North America in particular, as well as Africa and Latin America, so this BoF is an attempt to re-initiate efforts in the Asia-Pacific region with support from APNIC.

Deploy360 has also recently updated its BCOP page to reflect all the BCOP documents that we know about around the world. If we’ve missed something, please contact us at deploy360@isoc.org and we’ll be pleased to add it.

More Information:

We encourage network operators to document how they deploy new technologies including IPv6, DNSSEC, TLS and routing resilience/security, so their experiences may assist others in doing so. We’ll be organising other BCOP sessions at RIPE 74 & 75, and in Africa and Latin America this year, so stay tuned for more information.

Categories: Deploy360, Events, IPv6

RIPE 73 starts in Madrid next week

The RIPE 73 meeting is happening next week in Madrid, Spain, kicking off with a couple of tutorials on the Monday morning, before the opening plenary starts at 15.00 CEST/UTC+2. And there’s a lot on the programme of interest if you’re following the Deploy360 technologies, as both Jan Žorž and Kevin Meynell will be.

In the opening plenary, the results of the IPv6 Deployment Survey on residential and household services undertaken by Consulintel will be presented, followed by an analysis of Carrier-Grade NAT (CGN) from Philipp Richter (TU Berlin). Then check out the state of IPv4 transfer markets with Ioana Livadariu (Simula Research Laboratory).

Jan will then be chairing the BCOP Task Force on Monday evening starting at 19.00 UTC+2. This will discuss progress on documenting best current operational practices, with three BCOP documents up for discussion including a new MANRS BCOP. As ever, the Task Force is also looking for volunteers to help support the task of writing the documents and achieve consensus within the group.

On the Tuesday morning, there’s a focus on anycast, with four presentations covering different aspects of this. The afternoon is devoted more to network security, data protection and privacy issues, although there will also be a panel chaired by Leslie Carr on the unique financial challenges of smaller IXPs.

Wednesday and Thursday are traditionally devoted to Working Groups, and as usual we’ll be following the IPv6, DNS and Routing Working Groups and reporting on developments there. It’s also worth noting there’s an open mic session on the Internet-of-Things between 19.00 and 20.00 UTC+2, which aims to discuss what role RIPE can play in this space and whether the RIPE community’s expertise can be put to good use in safeguarding the security and stability of the Internet.

Finally on Friday, there will be an update on IPv6 performance from Geoff Huston (APNIC) which always makes for interesting listening.

There are already over 600 registered attendees, so it’s sure to be a busy and productive week. For those of you who cannot attend in person – there is remote participation available with audio and video streaming and also a jabber chat room, so everyone is welcome to participate!

The full programme can be found at https://ripe73.ripe.net/programme/meeting-plan/

Categories: Deploy360, Improving Technical Security, Internet of Things (IoT)

Olaf Kolkman presents on Collaborative Security @ TNC16


The Internet Society’s Chief Internet Technology Officer Olaf Kolkman presented on Collaborative Security at the TNC16 Conference in Prague, Czech Republic earlier this week. TNC is one of the leading conferences for research and education networking, and attracted around 700 participants from National Research and Education Networks (NRENs), universities, research institutions and industry in Europe and around the world.

Olaf talked about how we usually think of the Internet as a complex network of networks, each operated by autonomous operators whose services are only loosely coupled to a best efforts service. However, the security and resilience of the Internet not only depends on how well risks to you and your assets are managed, but also on how you manage the risks that you present to the Internet ecosystem. This is the notion of collective and shared risk management that is aligned with the “public interest” nature of the Internet.

This is becoming increasingly important with the rise of the Internet-of-Things (IoT), which will greatly increase the proliferation of low-cost devices with limited power, memory and processing resources. These will have the tendency to be unattended with built-in obsolescence, which can create significant problems if the hardware and software are built with limited security features and/or are not updated in response to security issues as they’re discovered.

It’s therefore important to design devices to minimise the impact of their misuse, including good security at the outset and the ability to deploy new security mechanisms over the lifetime of the devices. Protocols should also be designed so that a compromise of a single device does not result in compromise of others, especially since the compromise of a large number of devices can enable attacks such as a distributed denial of service. For example, sharing secret keys across an entire product family is problematic since compromise of a single device might leave all devices from that product family vulnerable.

The full presentation and archived video are available on the TNC16 website.

If you’re interested in finding out more about collaborative security, then please see our MANRS website, as well as our white paper The Internet of Things (IoT): An Overview. You can also visit our resources related to IoT on the Deploy360 website.

Categories: Deploy360, Domain Name System Security Extensions (DNSSEC)

RIPE 72 – Highlights from Day 1

The RIPE 72 meeting is happening this week in Copenhagen, Denmark, and looks to be the biggest ever with nearly 800 registered participants. Jan and Kevin from the Deploy360 team are here, and we’ll be highlighting all the relevant presentations and activities.

There were three interesting DNS presentations during the opening plenary session that are worth highlighting. The first by Paul Ebersman (Comcast) asked the question “What’s so hard about DNSSEC?” and related his deployment experiences. The main reasons to deploy DNSSEC are the ability to assert responses to DNS queries, to help protect against cache poisoning, and as a way of enabling DANE and other PKIs.

The oft-heard reasons for not deploying DNSSEC are that it requires a lot of additional work, tends to break things, and is reliant on ICANN and the root servers. The reality though, is that the DNS already relies on the root servers, customers increasingly expect improved security, and that DANE is already being used for validating non-web servers. Deployment of DNSSEC can require additional effort, but this can be substantially reduced through automation.

Whilst setting-up the signing of a zone requires some effort and key rollovers need to be handled carefully, Comcast’s experience was that their signed zones typically returned less than two dozen errors per month, whilst the need for Negative Trust Anchors (NTAs) was limited to single digits per month. The message therefore, is that using DNSSEC is not without problems, but most of these can be mitigated by careful planning and communication and has been substantially less painful than anticipated.

The second presentation was an alert from Patrik Fältström (Netnod) that Web Proxy Auto-Discovery (WPAD) queries intended to be answered by private or enterprise DNS servers have been observed reaching public DNS servers. Where an internal naming scheme collides with a name that is now resolvable on the public Internet, whoever controls the public name can answer the WPAD lookup and hand the client a proxy configuration of their choosing, giving them a man-in-the-middle position on the client’s web traffic. This issue has been known about for at least three years, but the problem has been increasing as more second-level domains have been created within new gTLDs and more platforms have been found to be affected.

Network administrators are therefore being asked to disable automatic proxy discovery/configuration in browsers and operating systems, to use fully qualified domain names (FQDNs) rather than relying on search-list expansion, to configure internal DNS servers to respond authoritatively for internal TLD queries so that they never leave the organisation, and to configure firewalls and proxies to log and block outbound requests for wpad.dat.
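The leak described above is easy to spot in resolver logs once you know which zones your own resolvers are authoritative for: any query whose leftmost label is wpad and whose name is not under one of those zones is going to be forwarded to the public DNS. The following is an added example, not code from the Netnod presentation; it assumes a simplified BIND-9 style query log, and the log lines and the internal zone list (corp.example) are constructed for illustration.

```python
"""Flag WPAD lookups that would leave the enterprise resolver.

Added example, not code from the RIPE 72 presentation. It assumes a
simplified BIND-9 style query log and a set of zones the internal
resolvers answer authoritatively; any wpad.* query whose name is not
under one of those zones would be forwarded to public DNS, which is
the leak the talk warned about.
"""
import re

# Constructed sample log lines (not real traffic). The format mirrors
# BIND's "queries" category, with and without the client pointer that
# newer versions print.
SAMPLE_LOG = """\
01-May-2016 10:00:01.123 client 10.1.2.3#51234: query: wpad.corp.example. IN A + (10.0.0.53)
01-May-2016 10:00:02.456 client 10.1.2.4#51235: query: wpad.corp.global. IN A + (10.0.0.53)
01-May-2016 10:00:03.789 client 10.1.2.5#51236: query: www.example.net. IN A + (10.0.0.53)
01-May-2016 10:00:04.000 client 10.1.2.6#51237: query: wpad. IN A + (10.0.0.53)
01-May-2016 10:00:05.000 client @0x7f3c0c0a1b20 10.1.2.7#51238 (WPAD.branch.corp.example): query: WPAD.branch.corp.example IN AAAA +E(0)K (10.0.0.53)
01-May-2016 10:00:06.000 client 10.1.2.8#51239: query: wpad.dept.example.com. IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Hypothetical zones for which the internal resolvers are authoritative.
INTERNAL_ZONES = {"corp.example."}


def normalise(name):
    """Lower-case a DNS name and give it a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_wpad_name(qname):
    """True when the leftmost label is 'wpad' (the auto-discovery convention)."""
    return qname.split(".")[0] == "wpad"


def stays_internal(qname, internal_zones):
    """True when qname is at or below a zone the internal resolvers answer for."""
    return any(qname == z or qname.endswith("." + z) for z in internal_zones)


def find_leaking_wpad_queries(log_text, internal_zones):
    """Return (client, qname, qtype) for WPAD queries that would escape."""
    zones = {normalise(z) for z in internal_zones}
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = normalise(m["qname"])
        if is_wpad_name(qname) and not stays_internal(qname, zones):
            hits.append((m["client"], qname, m["qtype"]))
    return hits


if __name__ == "__main__":
    for client, qname, qtype in find_leaking_wpad_queries(SAMPLE_LOG, INTERNAL_ZONES):
        print(f"ALERT {client} asked for {qname} ({qtype}); lookup would go to public DNS")
```

Run against the sample, the queries for wpad.corp.global., wpad. and wpad.dept.example.com. are reported, while the branch office lookup under corp.example is left alone. The client that asks for wpad.corp.global. is the textbook case: a search suffix that used to be private now sits under a delegated gTLD, so the same host that was safe a year ago is now asking a stranger for its proxy settings.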

The third presentation was an analysis by Geoff Huston (APNIC) of DNS zombies: queries that have no user awaiting the response and are instead echoes of previous queries. Over a five-month experiment and detailed analysis of around 44 billion DNS queries, it was discovered that around 20% of these queries were zombies. The question was whether this behaviour is due to DNS resolvers continually sending out queries for which responses are never accepted, or whether something more sinister was going on. As it transpires, it seems attributable to misconfigured resolvers, of which just 11 are responsible for 60% of all zombie queries. This is explained in more detail in this APNIC article.
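The way to separate zombies from live traffic is to make every query name unique, so that a later query for the same name cannot have a user behind it. The following is an added example, not APNIC’s own analysis code; it assumes a measurement design in which each label is handed to exactly one client once, treats repeats inside a short grace window as ordinary retransmissions, and uses constructed query records.

```python
"""Separate DNS 'zombie' queries from live ones in a unique-label experiment.

Added example, not APNIC's own analysis code. It assumes a measurement
design in which every query name is handed to exactly one client once,
so a later query for the same name has no user waiting for it. Repeats
inside a short grace window are treated as ordinary retries (a stub or
forwarder retransmitting); anything after that is counted as a zombie.
Records are constructed: (seconds since start, resolver address, qname).
"""
from collections import Counter

SAMPLE_QUERIES = [
    (0, "198.51.100.10", "u1.exp.example."),
    (1, "198.51.100.10", "u1.exp.example."),   # retry within the grace window
    (2, "198.51.100.11", "u2.exp.example."),
    (3, "198.51.100.12", "u3.exp.example."),
    (4, "198.51.100.13", "u4.exp.example."),
    (5, "198.51.100.14", "u5.exp.example."),
    (3600, "203.0.113.7", "u1.exp.example."),  # an hour later: nobody is waiting
    (7200, "203.0.113.7", "u1.exp.example."),
    (7300, "203.0.113.7", "u2.exp.example."),
    (7400, "203.0.113.9", "u3.exp.example."),
]


def find_zombies(queries, grace_seconds=60):
    """Queries that repeat a name more than grace_seconds after it was first seen."""
    first_seen = {}
    zombies = []
    for t, resolver, qname in sorted(queries):
        if qname not in first_seen:
            first_seen[qname] = t
        elif t - first_seen[qname] > grace_seconds:
            zombies.append((t, resolver, qname))
    return zombies


def zombie_fraction(queries, grace_seconds=60):
    """Share of all queries that are zombies."""
    return len(find_zombies(queries, grace_seconds)) / len(queries)


def resolver_concentration(zombies, top_n):
    """Share of the zombie queries produced by the top_n busiest resolvers."""
    if not zombies:
        return 0.0
    counts = Counter(resolver for _, resolver, _ in zombies)
    top = sum(c for _, c in counts.most_common(top_n))
    return top / len(zombies)


if __name__ == "__main__":
    z = find_zombies(SAMPLE_QUERIES)
    print(f"{len(z)} of {len(SAMPLE_QUERIES)} queries are zombies "
          f"({zombie_fraction(SAMPLE_QUERIES):.0%})")
    print(f"top resolver share: {resolver_concentration(z, 1):.0%}")
```

On the constructed data four of the ten queries are zombies and a single resolver produces three of them, which is the same shape as the real finding: the echoes are not spread evenly but concentrated in a handful of badly behaved resolvers, which is what points to misconfiguration rather than an attack.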

We’d also like to highlight the presentation from our Internet Society colleague Phil Roberts on Cryptech. This is an open source hardware security module (HSM) reference design that can store, manage and process the private keys used in DNSSEC, PKI, RPKI and PGP, amongst other applications. The aim is to address concerns about potentially compromised devices in critical Internet infrastructure, and to ensure IETF protocols are supported in an open and transparent manner.

The first alpha boards are now working and will be available for external testing this summer, initially supporting DNSSEC with RPKI following shortly afterwards. Cryptech was therefore looking for people with implementation and operational experience of these technologies to help with additional testing of the devices, as well as with the documentation. More information is available on the Cryptech website.

Although not directly related to Deploy360, it’s also worth checking out a couple of presentations on the State of African Peering by Andrew Owens (Teraco) and Interconnection in the Nordics by Lasse Jarlskov (TDC) which provide a good overview on where and how peering happens in two distinct regions of the world.

Following the plenary session, Jan Žorž chaired the BCOP Task Force. There were two new BCOPs up for discussion, relating to DNS Operations and to Using your last IPv4 address, as well as an update on the MANRS (Mutually Agreed Norms for Routing Security) BCOP. The meeting was also updated on BCOP developments in Africa and Latin America, some of which were discussed in our previous post on the AfBCOP Workshop.

For those of you who cannot attend the RIPE meeting in person, just a reminder that remote participation is available with audio and video streaming and also a jabber chat room.

The full programme can be found at https://ripe72.ripe.net/programme/meeting-plan/

Categories
Deploy360 Events

ION Bangladesh / bdNOG 5 in Dhaka


The Deploy360 team has just completed a couple of hectic weeks that included our ION Conference in Bangladesh and participation in SEE 5 in Albania, before Jan headed off to SEEDIG in Serbia. The ION Conference was organised jointly with bdNOG 5 on 11 April 2016 at the Lakeshore Hotel in Dhaka, and attracted a very high turnout of 152 participants. It had been preceded by three days of technical training provided by bdNOG and APNIC.

Kevin Meynell opened the event with an overview of the Deploy360 programme, followed by a welcome from Professor Shabbir Ahmed, President of the ISOC Bangladesh Dhaka Chapter.

Jahangir Hossain (ISOC Bangladesh Dhaka) then explained Secure BGP and reported on RPKI adoption in Bangladesh. There were currently 2,079 advertised IP prefixes in Bangladesh, of which 97 had Route Origin Authorisations (ROAs), accounting for 4.67% of the total. Unfortunately, 26 of these prefixes were being announced in a way that was invalid according to their ROAs (typically a mismatched origin AS, or a more-specific announcement than the ROA’s maximum length permits), which was something that needed further investigation.
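The valid/invalid/not-found split reported above is what Route Origin Validation (RFC 6811) produces when a router compares each announcement against the ROAs it has received from a validating cache. The following is an added example, not code from the talk; the ROAs and announcements are constructed from documentation prefixes and private ASNs, and it shows the three outcomes, including the AS0 case and the maxLength trap behind most accidental invalids.

```python
"""Route Origin Validation (RFC 6811) against a set of ROAs.

Added example, not code from the ION Bangladesh talk. The ROAs and
announcements are constructed with documentation prefixes and private
ASNs. The logic is the standard one: an announcement is valid when some
ROA covers the prefix, the announced length does not exceed the ROA's
maxLength and the origin AS matches; invalid when ROAs cover the prefix
but none matches; not-found when no ROA covers it at all.
"""
import ipaddress
from collections import Counter, namedtuple

Roa = namedtuple("Roa", "prefix max_length asn")
Announcement = namedtuple("Announcement", "prefix origin_asn")


def make_roa(prefix, max_length, asn):
    return Roa(ipaddress.ip_network(prefix), max_length, asn)


def make_announcement(prefix, origin_asn):
    return Announcement(ipaddress.ip_network(prefix), origin_asn)


# Constructed ROA set (what a validating cache would push to the router).
ROAS = [
    make_roa("203.0.113.0/24", 24, 64496),
    make_roa("2001:db8::/32", 48, 64497),
    make_roa("192.0.2.0/24", 24, 0),  # AS0 ROA: nobody may originate this
]

# Constructed announcements as seen in a BGP table.
ANNOUNCEMENTS = [
    make_announcement("203.0.113.0/24", 64496),
    make_announcement("203.0.113.0/25", 64496),   # more specific than maxLength
    make_announcement("203.0.113.0/24", 64500),   # wrong origin AS
    make_announcement("2001:db8:1::/48", 64497),
    make_announcement("2001:db8::/40", 64497),
    make_announcement("192.0.2.0/24", 64496),     # covered only by an AS0 ROA
    make_announcement("198.51.100.0/24", 64496),  # no ROA at all
]


def covering_roas(roas, prefix):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    return [r for r in roas
            if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]


def validate(roas, announcement):
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811."""
    covering = covering_roas(roas, announcement.prefix)
    if not covering:
        return "not-found"
    for roa in covering:
        # An AS0 ROA never matches a real origin, so it can only ever make
        # announcements of the covered space invalid.
        if (roa.asn != 0 and roa.asn == announcement.origin_asn
                and announcement.prefix.prefixlen <= roa.max_length):
            return "valid"
    return "invalid"


def summarise(roas, announcements):
    """Counts per state, the figures a report like the one above quotes."""
    counts = Counter(validate(roas, a) for a in announcements)
    return {state: counts.get(state, 0) for state in ("valid", "invalid", "not-found")}


if __name__ == "__main__":
    for a in ANNOUNCEMENTS:
        print(f"{str(a.prefix):20} AS{a.origin_asn:<6} {validate(ROAS, a)}")
    print(summarise(ROAS, ANNOUNCEMENTS))
```

Two of the three invalids in the sample are the ones operators usually create by accident: a ROA issued with maxLength equal to the prefix length while the network also announces a more specific for traffic engineering, and a ROA that names the wrong origin AS. Both make legitimate routes invalid and are the first things to check when a report like the one above shows invalid prefixes.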

Jan speaking about DANE

Next up was a panel session on MANRS with Fakrul Alam (APNIC), Rashed Amin (Link3 Technologies) and Jan Žorž. This introduced the Routing Resilience Manifesto initiative, which aims to help network operators around the world work together to improve the security and resilience of the global routing system through four actions: filtering, anti-spoofing, coordination and global validation. Although the initiative was new to most of the audience, it generated significant discussion, and several network operators expressed interest in signing up during and after the conference.

Jan then updated the audience on DANE adoption and on implementing it in the go6lab, which has previously been covered in the ION Cape Town and the Let’s Encrypt certificates for mail servers and DANE blog posts. However, the .bd domain is not currently signed with DNSSEC, which has limited the potential for deploying DANE in Bangladesh, since a TLSA record is only trustworthy when the whole chain from the root down to it validates. Hopefully the increasing usage of TLS, together with Jan relating his experiences of successfully deploying DANE, will encourage the signing of the .bd domain shortly.

The session after the tea break was devoted to the bdNOG report (provided by Rashed Amin, bdNOG President) and the keynote speech on the Potential of Indigenously Developed Telemedicine using the Internet (provided by Dr. Khondkar Siddique-e-Rabbani, University of Dhaka). There were also remarks from the Chief Guest Dr. Shahjahan Mahmoud, the Honourable Chairman of the Bangladesh Telecommunication Regulatory Commission, and from the Special Guest M.A Hakim, the President of ISPAB Bangladesh.

Kevin & Jan at ION Bangladesh/bdNOG 5

After lunch, Kevin talked about what was happening at the IETF and how to get involved. He pointed out that there had been 1,824 registered participants from 65 countries at the recent IETF meeting in Buenos Aires, but not one from Bangladesh, even though India was well represented. There was clearly a very active Internet community in Bangladesh, but for whatever reason little engagement with the IETF. He therefore encouraged the local community to check out the IETF Fellows and Regulators to the IETF programmes.

Pubudu Jayasinghe (APNIC) followed this with an update on the current situation in the Asia-Pacific region with respect to IPv4 address availability, how to request IPv6 addresses, and the rollout of RPKI to provide cryptographic attestations of which AS is authorised to originate a given prefix. The rest of the session was devoted to submitted papers, including The Future of SIP in WebRTC (Shaila Sharmin, Link3 Technologies) and a Holistic view of 802.1x integration & optimisation (Faisal, BDPEER).

The final session focused on IPv6. Abdul Awal (BDREN) set the scene with a presentation on IPv6 deployment in BDREN, the Bangladesh National Research and Education Network, as well as the wider challenges of deploying IPv6 in Bangladesh. This led into the IPv6 panel session moderated by Kevin, with Asela Galappattige (Sri Lanka Telecom), Nurul Islam Roman (APNIC), Sumon Ahmed Sabir (Fiber@Home), Matsuzaki Yoshinobu (IIJ) and of course Jan.

Lalbagh Fort in Old Dhaka

The panel session focused on the message that deploying IPv6 was not a complex or expensive process, but that eking out IPv4 addresses would be in future. IPv4 addresses were a finite resource and would increasingly only be obtainable through recovery and trading, which would impose a real cost on network providers. This was particularly an issue in countries like Bangladesh that currently had relatively limited Internet penetration, but which had large, productive and aspirational populations that would put heavy demands on address resources. IPv6 deployment was presently quite low in Bangladesh, but the experience of BDREN demonstrated that networks could be substantially enabled for IPv6 with minimal effort and limited impact on existing services.

The conference was concluded with some final remarks from Kevin, thanking the host bdNOG, as well as the sponsors Afilias, APNIC, ISPAB, ISOC Bangladesh Dhaka and the Bangladesh ICT Business Promotion Council, before the training certificates were presented. The Deploy360 team would also like to thank bdNOG and their officers for helping us bring an ION Conference to Bangladesh for the first time, as well as for their contributions towards making the event a successful and productive one.

The State Minister for ICT, Zunaid Ahmed Palak at the Cyber Security and Network Security Workshop

Our work was still not over though, as the following day Kevin was invited to open the Bangladesh Cyber Security and Network Security Workshop, which was also attended by the State Minister for ICT, Zunaid Ahmed Palak. The workshop involved around 100 participants from the Internet community, academia, government and law enforcement agencies.


Further Information

The proceedings from ION Bangladesh are available here.