Categories
Deploy360 IETF

Deploy360 at IETF 100, Day 4: Woohoo for DOH!

This week is IETF 100 in Singapore, and we’re bringing you daily blog posts highlighting some of the topics that Deploy360 is interested in. Thursday is another busy day, with the second sessions of the V6OPS and DNSOPS Working Groups, along with the first meeting of the DOH Working Group and other encryption-related activities.

V6OPS continues at 09.30 SGT/UTC+8 from where it left off. On the agenda are drafts relating to 464XLAT Deployment Guidelines for Operator Networks, transition requirements for IPv6 customer edge routers, and IPv6 prefix delegation for hosts. There are other drafts on DHCPv6 Prefix Delegation and Neighbour Discovery on a cellular-connected IoT router, and on using a /64 from a customer prefix for numbering an IPv6 point-to-point link. Finally, there’s an initiative to clarify what functionality should determine whether a network is ‘IPv6-only’.

Running at the same time is TLS, which will be primarily focusing on the two big issues of TLS 1.3 and DTLS 1.3. However, it will also be discussing drafts on connection ID, exported authenticators, protecting against denial of service attacks, and application layer TLS.

NOTE: If you are unable to attend IETF 100 in person, there are multiple ways to participate remotely.

After lunch sees the debut of DOH at 13.30 SGT/UTC+8. This is working to standardise encodings for DNS queries and responses that are suitable for use in HTTPS, thereby enabling the DNS to function where existing DNS methods (UDP, TLS and DTLS) have problems. There’s just the one draft so far, although there will also be a discussion on the planned next steps.

Alternatively, you can check out 6LO. There are four drafts relating to IPv6 Neighbour Discovery on node networks with limited power, memory and processing resources, and there will also be a discussion on the 6LO applicability and use cases. Last but not least, is a draft relating to the transmission of IPv6 packets over Wireless Body Area Networks.

Following the afternoon break, ACME is meeting at 15.50 SGT/UTC+8 to finalise the ACME specification. The specification has been submitted to the IESG for publication, and the session will focus on the feedback received to date. Other drafts being discussed relate to automatic certificate management for telephony and email, along with Short-Term Automatically-Renewed (STAR) Certificates.

Running in parallel is DNSOP, which will also continue from where it left off on Monday. Much of this session is likely to focus on new business, including returning additional answers in DNS responses, a mechanism allowing an end user to determine the trusted key state of resolvers handling DNSSEC queries, an update to the TSIG specification to address a known bug, and a proposal for a .internal TLD to use the DNS for non-global names.

For more background, please read the Rough Guide to IETF 100 from Olaf, Dan, Andrei, Steve, Karen and myself.

Relevant Working Groups


Rough Guide to IETF 100: Identity, Privacy, and Encryption

Identity, privacy, and encryption continue to be active topics for the Internet Society and the IETF community impacting a broad range of applications. In this Rough Guide to IETF 100 post, I highlight a few of the many relevant activities happening next week in Singapore, but there is much more going on so be sure to check out the full agenda online.

Encryption

Encryption continues to be a priority of the IETF as well as the security community at large. Related to encryption, there is the TLS working group developing the core specifications, several working groups addressing how to apply the work of the TLS working group to various applications, and the Crypto-Forum Research Group focusing on the details of the underlying cryptographic algorithms.

The Transport Layer Security (TLS) working group is a key IETF effort developing core security protocols for the Internet. This week’s agenda includes both TLS 1.3 and Datagram Transport Layer Security. Additionally, the TLS working group will be discussing connection ID, exported authenticators, protecting against denial of service attacks, and application layer TLS. The TLS working group is very active and, as with all things that are really important, there are many diverse opinions to fill the room.

For those new to TLS, there is a TLS 1.3 tutorial planned for Sunday afternoon in the first tutorial slot. This is an excellent opportunity to get a detailed introduction to the TLS 1.3 protocol from the experts.

Two of the working groups focused on updating crypto algorithms and the use of TLS in IETF protocols are also meeting at IETF 100. The DKIM Crypto Update (dcrup) working group, which is focused on updating the cryptographic aspects of RFC 6376, will have a short session. Their first document, Cryptographic Algorithm and Key Usage Update to DKIM, has just been approved and has been moved to the RFC Editor for publication. On the agenda for this meeting will be new cryptographic signature methods for DKIM and defining elliptic curve cryptography algorithms for use with DKIM.

The Using TLS in Applications (UTA) working group has finished a number of documents already, including recommendations for the secure use of TLS and DTLS, use of TLS for XMPP, and the use of TLS server identity check procedures for email. The first part of the meeting will focus on resolving the final IESG comments on the use of TLS for email submission and access. This draft outlines current recommendations for the use of TLS to provide confidentiality of email traffic between a mail user agent and a mail access server. The meeting will also cover open issues on a draft related to Strict Transport Security (STS) for mail (SMTP) transfer agents and mail user agents. Finally, the meeting will address a draft on an option to require TLS for SMTP.

The Network Time Protocol (NTP) working group addresses protocols for the accurate synchronization of clocks on a network. This may seem like a bit of a stretch for a blog post on identity, privacy, and encryption. However, accurate and secure time synchronization turns out to be vitally important for the proper operation of security protocols. The NTP WG has been working on Network Time Security (NTS) which is a significant update for NTP server authentication. In order to make progress, the latest version of this draft reduces the scope of the solution to the client server mode of NTP only. There is a recent IETF Journal article that provides a detailed discussion of the current state of the NTS effort.

The next activity of potential interest to the encryption community is the Crypto Forum Research Group (cfrg). Always a popular session at the IETF, this week the CFRG will discuss four drafts: Re-keying Mechanisms for Symmetric Keys, The Transition from Classical to Post-Quantum Cryptography, SPAKE2 (a secure, efficient password-based key exchange protocol), and Public Key Exchange.

Certificate Infrastructure

Moving on from cryptography and encryption, the next set of IETF working groups are related to the certificate infrastructure for the Internet, acme and trans.

The Automated Certificate Management Environment (acme) working group is specifying ways to automate certificate issuance, validation, revocation and renewal. The main order of business at this week’s meeting is to discuss the core specification Automatic Certificate Management Environment. This document has been submitted to the IESG for publication, and this meeting will focus on the feedback received to date. The meeting will also discuss automatic certificate management for telephony (https://datatracker.ietf.org/doc/draft-ietf-acme-telephone/, https://datatracker.ietf.org/doc/draft-ietf-acme-service-provider/) and email (draft-ietf-acme-email-tls-01 and draft-ietf-acme-email-smime-01) along with Short-Term, Automatically-Renewed (STAR) Certificates.

The second certificate-related working group is the Public Notary Transparency (trans) working group. It has been working since 2014 to improve the confidence of users in the Web PKI. The underlying premise of this work is to create transparent logs of certificates so that improperly issued certificates can be detected. That which is transparent can be observed and monitored for unexpected behavior. The core document has been submitted to the IESG, and this meeting will discuss resolution of open issues from the AD review. The threat analysis needs some minor enhancements before restarting the WGLC. The Gossiping in CT document has been submitted to the IESG, and the working group needs to address initial AD feedback. Finally, the working group will discuss name redaction (https://datatracker.ietf.org/doc/draft-strad-trans-redaction/, https://www.ietf.org/internet-drafts/draft-ito-yet-another-name-redaction-00.txt) to improve privacy.

Authentication and Authorization

From the certificate infrastructure, we move next to authentication and authorization and the set of related working groups tackling those issues for the IETF.

Anyone with an interest in the Internet of Things (IoT) will be interested in the Authentication and Authorization for Constrained Environments (ace) working group. This working group is working to develop standardized solutions for authentication and authorization in constrained environments. They published a use cases document last year, and this week’s agenda includes discussion of existing working group documents on authentication and authorization for constrained environments, a DTLS profile for ACE, a CBOR Web Token (CWT), and an architecture for authorization in constrained environments. In addition, there will be discussion of a number of new drafts for working group consideration. You might also want to check out the Internet of Things Rough Guide post for more on IoT.

The Web Authorization Protocol (oauth) working group has been working for years on mechanisms that allow users to grant access to web resources without necessarily compromising long term credentials or even identity. It has been a very prolific working group with around 15 RFCs published to date. IETF 100 will be another busy week for those interested in this area including sessions on both Tuesday and Wednesday. Agenda items for these two sessions include a mutual TLS profile, token binding, JWT best practices, device flow, discovery, token exchange, and incremental authorization.

There are two additional working groups meeting this coming week that are related to the OAUTH work. The first is the Token Binding (TOKBIND) working group that is tasked with specifying a token binding protocol and specifying the use of that protocol with HTTPS. A number of the group’s core documents have been submitted to the IESG (https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/, https://datatracker.ietf.org/doc/draft-ietf-tokbind-negotiation/, and https://datatracker.ietf.org/doc/draft-ietf-tokbind-protocol/). Preliminary feedback from the Area Director (AD) will be discussed. This working group works in collaboration with the TLS, HTTPbis and OAUTH WGs and with the W3C webappsec WG.

Also related to OAUTH, the Security Events (SECEVENT) working group is working on an Event Token specification that includes a JWT extension for expressing security events and a syntax for communicating the event-specific data. This is a fairly new WG, formally chartered in January 2017. The meeting this week will discuss the token specification, token delivery, stream management and provisioning, and a management API.

More Activities

For the security crowd, no IETF week is complete without the Security Area Advisory Group (SAAG) meeting. This meeting features a quick run through all the working groups doing security related work in the IETF across all areas, a set of short talks, and an open session to bring issues and topics forward from the community. This week will have one invited talk on Inter-domain DDoS mitigations: potentials, challenges, and solutions. The remaining time will be spent on an experiment, called secdispatch, where proposals for new work will be discussed.

Also, don’t forget the IETF Hackathon, which is held the weekend before the IETF. This IETF Hackathon has several projects of interest including continuing work on TLS 1.3 testing and interoperability, the HTTP status code 451, generating certificate requests for short-term automatically-renewed certificates, and distributed denial of service threat signaling. All the potential projects for this edition of the IETF Hackathon are listed on the IETF 100 Hackathon wiki site.

Finally, in a continuing effort to connect security researchers and the Internet security standardization community, two topics with active working groups at IETF 100, IoT Security and DNS Privacy, are planning for workshops to be held in conjunction with NDSS 2018. Both the Decentralized IoT Security and Standards (DISS) workshop and DNS Privacy: Increasing Usability and Decreasing Traceability (DNSPRIV) workshop are currently accepting submissions and planning for productive workshops in February 2018. Perhaps something overheard in the halls of IETF 100 would make a good submission.

Join us for another full week of identity-, privacy-, and encryption-related topics here at IETF 100!

Relevant Working Groups at IETF 100

ace (Authentication and Authorization for Constrained Environments) WG
Tuesday, 14 November 2017, 09:30 – 12:00, Collyer
Agenda: https://datatracker.ietf.org/doc/agenda-100-ace/
Charter: https://datatracker.ietf.org/wg/ace/about/

acme (Automated Certificate Management Environment) WG
Thursday, 16 November 2017, 15:50 – 17:50, Sophia
Agenda: https://datatracker.ietf.org/doc/agenda-100-acme/
Charter: https://datatracker.ietf.org/wg/acme/about/

cfrg (Crypto Forum Research Group)
Wednesday, 15 November 2017, 15:20 – 16:50, VIP A
Agenda: https://datatracker.ietf.org/meeting/100/agenda/cfrg/
Charter: https://irtf.org/cfrg

dcrup (DKIM Crypto Update)
Wednesday, 15 November 2017, 09:30 – 11:00, Bras Basah
Agenda: https://datatracker.ietf.org/meeting/100/agenda/dcrup/
Charter: https://datatracker.ietf.org/wg/dcrup/about/

ntp (Network Time Protocol) WG
Monday, 13 November 2017, 13:30 – 15:30, VIP A
Agenda: https://datatracker.ietf.org/doc/agenda-100-ntp/
Charter: https://datatracker.ietf.org/wg/ntp/about/

oauth (Web Authorization Protocol) WG
Tuesday, 14 November 2017, 15:50 – 17:50, Sophia
Wednesday, 15 November 2017, 15:20 – 16:50, Orchard
Agenda: https://datatracker.ietf.org/doc/agenda-100-oauth/
Charter: https://datatracker.ietf.org/wg/oauth/about/

saag (Security Area open meeting)
Thursday, 16 November 2017, 13:30 – 15:30, Padang
Agenda: https://datatracker.ietf.org/meeting/100/materials/agenda-100-saag/

secevent (Security Events) WG
Monday, 13 November 2017, 13:30 – 15:30, Bras Basah
Agenda: https://datatracker.ietf.org/meeting/100/materials/agenda-100-secevent/
Charter: https://datatracker.ietf.org/wg/secevent/about/

tls (Transport Layer Security) WG
Thursday, 16 November 2017, 09:30 – 12:00, Canning
Agenda: https://datatracker.ietf.org/doc/agenda-100-tls-sessa/
Charter: https://datatracker.ietf.org/wg/tls/about/

tokbind (Token Binding) WG
Tuesday, 14 November 2017, 13:30 – 15:30, VIP A
Agenda: https://datatracker.ietf.org/meeting/100/materials/agenda-100-tokbind/
Charter: https://datatracker.ietf.org/wg/tokbind/about/

trans (Public Notary Transparency) WG
Monday, 13 November 2017, 15:50 – 17:20, Orchard
Agenda: https://datatracker.ietf.org/meeting/100/materials/agenda-100-trans/
Charter: https://datatracker.ietf.org/wg/trans/about/

uta (Using TLS in Applications) WG
Wednesday, 15 November 2017, 13:30 – 15:00, Bras Basah
Agenda: https://datatracker.ietf.org/meeting/100/materials/agenda-100-uta/
Charter: https://datatracker.ietf.org/wg/uta/about/

Follow Us

A lot is going on in Singapore, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Society blog, Twitter, Facebook, or see https://dev.internetsociety.org/events/ietf/ietf-100/.


Deploy360’s Hot Topics at IETF 100

Next week is IETF 100 in Singapore which will be the first time the IETF has been held in the country. The Deploy360 team will be represented by Megan Kruse and Dan York, along with ISOC’s Chief Internet Technology Officer Olaf Kolkman. We’re again highlighting the latest IPv6, DNSSEC, Securing BGP, TLS and IoT related developments.

Below are the sessions that we’ll be following. Note this post was written in advance so please check the official IETF 100 agenda for any updates, room changes, or final details.

Monday, 13 November 2017

Tuesday, 14 November 2017

Wednesday, 15 November 2017

Thursday, 16 November 2017

Friday, 17 November 2017

The Internet Society has also put together its latest Rough Guide to IETF 100. In particular, see:

If you can’t get to Singapore next week, you can attend remotely! Just visit the IETF 100 remote participation page or check out http://www.ietf.org/live/ for more options.


Rough Guide to IETF 100: Internet of Things

The Internet of Things (IoT) is a major buzzword around the Internet industry and the broader technology and innovation business arenas. We are often asked what the IETF is doing in relation to IoT and in this Rough Guide to IETF 100 post I’d like to highlight some of the relevant sessions scheduled during the upcoming IETF 100 meeting in Singapore. Check out the IETF Journal IoT Category, the Internet Society’s IoT page, or the Online Trust Alliance IoT page for more details about many of these topics.

The Thing-to-Thing Research Group (T2TRG) investigates open research issues in turning the IoT into reality. The research group will be holding a half-day joint meeting with the Open Connectivity Foundation (OCF) on the Friday before IETF, and they will also be meeting on Tuesday afternoon in Singapore to report out on their recent activities. Included on the agenda is the upcoming Workshop on Decentralized IoT Security and Standards (DISS). This workshop will be held in conjunction with the Network and Distributed System Security (NDSS) Symposium on 18 February 2018 in San Diego, CA, USA. The DISS workshop will gather researchers and the open standards community together to help address the challenges of IoT Security. The Call For Papers for DISS closes on 8 Dec 2017.

In addition, T2TRG is undertaking ongoing work resulting from the Workshop on IoT Semantic/Hypermedia Interoperability in Prague held last July in conjunction with IETF 99.

The Constrained RESTful Environments (core) WG aims to extend the Web architecture to most constrained networks and embedded devices. This is one of the most active IoT working groups and they will be meeting twice in Singapore, on Monday afternoon and Tuesday afternoon.

The IPv6 over Networks of Resource-constrained Nodes (6lo) WG defines mechanisms to adapt IPv6 to a wide range of radio technologies, including “Bluetooth Low Energy” (RFC 7668), ITU-T G.9959 (as used in Z-Wave, RFC 7428), and the Digital Enhanced Cordless Telecommunications (DECT) Ultra Low Energy (ULE) cordless phone standard, as well as the low-cost wired networking technology Master-Slave/Token-Passing (MS/TP) that is widely used over RS-485 in building automation. A very useful Internet Draft was recently released and should prove to be a good reference: IPv6 over Constrained Node Networks (6lo) Applicability & Use cases. They will be meeting on Thursday afternoon in Singapore.

The IPv6 over the TSCH mode of IEEE 802.15.4e (6tisch) WG was chartered in 2014 to enable IPv6 for the Time-Slotted Channel Hopping (TSCH) mode that was recently added to IEEE 802.15.4 networks. The 6top Protocol is defined in a recently revised Internet Draft, as a Proposed Standard. They are meeting on Monday afternoon in Singapore.

The IPv6 over Low Power Wide-Area Networks (lpwan) WG will be meeting in Singapore on Monday morning. Typical LPWANs provide low-rate connectivity to vast numbers of battery-powered devices over distances that may span tens of miles, using license-exempt bands. There is a recently-published LPWAN Overview.

The IP Wireless Access in Vehicular Environments (ipwave) WG’s primary deliverable is a specification for mechanisms to transmit IPv6 datagrams over IEEE 802.11-OCB mode. For more about this very timely topic, there is a recently released Internet Draft: IP-based Vehicular Networking: Use Cases, Survey and Problem Statement. IPWAVE will meet on Monday afternoon in Singapore.

Security for IoT is addressed in several WGs including the Authentication and Authorization for Constrained Environments (ace) WG that is concerned with, as its name suggests, authentication and authorization mechanisms in constrained environments, where network nodes are limited in CPU, memory and power. The proposed standard is the subject of a recently-released Internet Draft. ACE will meet on Tuesday morning.

Routing for IoT is tackled by the Routing Over Low power and Lossy networks (roll) WG which focuses on routing protocols for constrained-node networks. Wednesday afternoon is the time for them to meet in Singapore.

Software Updates for Internet of Things (suit) (formerly known as FUD – Firmware Updating Description) – this nascent working group will hold a BoF on Monday afternoon. This is a very interesting WG that I am very pleased to see spinning up, tackling a very challenging and important problem. There are four Internet Drafts that provide a good overview. From the draft charter:

Vulnerabilities in Internet of Things (IoT) devices have raised the need for a secure firmware update mechanism that is also suitable for constrained devices. Security experts, researchers, and regulators recommend that all IoT devices be equipped with such a mechanism. While there are many proprietary firmware update mechanisms in use today, there is a lack of a modern interoperable approach of securely updating the software in IoT devices.

Finally, in addition to the new protocols and other mechanisms developed by IETF working groups, IoT developers often benefit from additional guidance for efficient implementation techniques and other considerations. The Lightweight Implementation Guidance (lwig) WG is developing such documents and they will meet in Singapore on Wednesday morning. The recently published Internet Draft CoAP Implementation Guidance should be a good resource.

I also want to draw your attention to a very interesting (Standards Track) Internet Draft being discussed in the Operations and Management Area Working Group (opsawg), which seems to hold promise, and which appears to be gaining some serious traction: “Manufacturer Usage Description Specification” (MUD). From the abstract: This memo specifies a component-based architecture for manufacturer usage descriptions (MUD). The goal of MUD is to provide a means for Things to signal to the network what sort of access and network functionality they require to properly function. The initial focus is on access control. Later work can delve into other aspects. The opsawg meeting will be held on Tuesday afternoon.

MUD plays a significant role in the draft project description – Mitigating IoT-Based Automated Distributed Threats – being developed by the US National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE).

If you have an interest in how the IoT is developing and being standardized in the IETF, I hope to see you in person or online at some of these meetings during IETF 100. (Note that if you will be unable to travel to the meeting and would like to participate remotely, you must register as a remote participant. There is no fee to be a remote participant at an IETF meeting, but registration is required. If you do not want to register, you may opt to listen to the live audio stream of the sessions instead.)

Related Working Groups at IETF 100

Schedule and locations subject to change. Please refer to the online agenda to confirm.
** All times SGT – Singapore Time: UTC+8 **

t2trg (Thing-to-Thing) RG
Friday, 10 November, off-site
Half-day joint meeting with the Open Connectivity Foundation (OCF)

Tuesday, 14 November, 15:50-17:50, Padang
Agenda/Materials
Documents
Charter

6lo (IPv6 over Networks of Resource-constrained Nodes) WG
Thursday, 16 November, 13:30-15:30, Sophia
Agenda/Materials
Documents
Charter

6tisch (IPv6 over the TSCH mode of IEEE 802.15.4e) WG
Monday, 13 November, 15:50-17:20, Bras Basah
Agenda/Materials
Documents
Charter

lpwan (IPv6 over Low Power Wide-Area Networks) WG
Monday, 13 November, 9:30-12:00, Olivia
Agenda/Materials
Documents
Charter

core (Constrained RESTful Environments) WG
Monday, 13 November, 13:30-15:30, Sophia
Tuesday, 14 November, 13:30-15:30, Bras Basah
Agenda/Materials
Documents
Charter

ace (Authentication and Authorization for Constrained Environments) WG
Tuesday, 14 November, 9:30-12:00, Collyer
Agenda/Materials
Documents
Charter

roll (Routing Over Low power and Lossy networks) WG
Wednesday, 15 November, 13:30-15:00, VIP A
Agenda/Materials
Documents
Charter

lwig (Light-Weight Implementation Guidance) WG
Wednesday, 15 November, 9:30-12:00, Olivia
Agenda/Materials
Documents
Charter

ipwave (IP Wireless Access in Vehicular Environments) WG
Monday, 13 November, 17:40-18:40, Sophia
Agenda/Materials
Documents
Charter



Rough Guide to IETF 100: Internet Infrastructure Resilience

As we approach IETF 100 in Singapore next week, this post in the Rough Guide to IETF 100 has much progress to report in the world of Internet Infrastructure Resilience. After several years of hard work, the last major deliverable of the Secure Inter-Domain Routing (SIDR) WG is done: RFC 8205, the BGPsec Protocol Specification, was published in September 2017 as a standard. BGPsec is an extension to the Border Gateway Protocol (BGP) that provides security for the path of autonomous systems (ASes) through which a BGP update message propagates.

There are seven RFCs in the suite of BGPsec specifications:

  • RFC 8205 (was draft-ietf-sidr-bgpsec-protocol) – BGPsec Protocol Specification
  • RFC 8206 (was draft-ietf-sidr-as-migration) – BGPsec Considerations for Autonomous System (AS) Migration
  • RFC 8207 (was draft-ietf-sidr-bgpsec-ops) – BGPsec Operational Considerations
  • RFC 8208 (was draft-ietf-sidr-bgpsec-algs) – BGPsec Algorithms, Key Formats, and Signature Formats
  • RFC 8209 (was draft-ietf-sidr-bgpsec-pki-profiles) – A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests
  • RFC 8210 (was draft-ietf-sidr-rpki-rtr-rfc6810-bis) – The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1
  • RFC 8211 (was draft-ietf-sidr-adverse-actions) – Adverse Actions by a Certification Authority (CA) or Repository Manager in the Resource Public Key Infrastructure (RPKI)

You can read more about this important milestone in our recent blog post: BGPsec: A Reality Now.

If you follow the work of the SIDR and SIDR Operations (SIDROPS) working groups, you may recall that for more than three years participants have been discussing a potential operational fragility in the management of RPKI certificates when resources move across registries. The final version of the I-D is currently under IESG evaluation. The substance of the proposal is summarized in the draft: “Where the procedure specified in RFC 6487 requires that Resource Certificates are rejected entirely if they are found to over-claim any resources not contained in the issuing certificate, the validation process defined here allows an issuing Certificate Authority to choose to communicate that such Resource Certificates should be accepted for the intersection of their resources and the issuing certificate. This choice is signaled by means of a set of alternative Object Identifiers (OIDs) of RFC 3779 X.509 Extensions for IP Addresses and AS Identifiers, and certificate policy for the Resource Public Key Infrastructure (RFC 6484).”
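To make the two validation behaviours in that quotation concrete, here is an added Python example, written for this post rather than taken from the draft or from any RPKI relying-party implementation. It reduces a Resource Certificate to its RFC 3779 content (IP prefixes plus inclusive AS number ranges) and compares a child certificate's claims with its issuer's: in strict RFC 6487 mode any over-claim rejects the certificate outright, while in the alternative mode the certificate is accepted for the intersection of the two resource sets. The issuer and child resource sets are constructed sample data (documentation prefixes and private-use ASNs), and the issuer is assumed to hold aggregated prefixes rather than adjacent fragments, so a child prefix either nests inside one issuer prefix or over-claims.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Resources:
    """RFC 3779-style resource set: IP prefixes plus inclusive AS number ranges."""
    prefixes: tuple   # ipaddress.ip_network objects
    asns: tuple       # (lo, hi) tuples, inclusive


def _prefix_overlap(a, b):
    """Prefixes of one address family either nest or are disjoint; return the nested one."""
    if a.version != b.version:
        return None
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def _asn_overlap(a, b):
    """Intersection of two inclusive AS ranges, or None if they do not overlap."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def intersect(child: Resources, issuer: Resources) -> Resources:
    """The part of the child's claimed resources that the issuer actually holds."""
    prefixes = []
    for c in child.prefixes:
        for p in issuer.prefixes:
            x = _prefix_overlap(c, p)
            if x is not None and x not in prefixes:
                prefixes.append(x)
    asns = []
    for c in child.asns:
        for p in issuer.asns:
            x = _asn_overlap(c, p)
            if x is not None and x not in asns:
                asns.append(x)
    return Resources(tuple(prefixes), tuple(asns))


def over_claims(child: Resources, issuer: Resources) -> bool:
    """True if any child resource is not fully contained in the issuer's set."""
    prefix_ok = all(any(_prefix_overlap(c, p) == c for p in issuer.prefixes)
                    for c in child.prefixes)
    asn_ok = all(any(_asn_overlap(c, p) == c for p in issuer.asns)
                 for c in child.asns)
    return not (prefix_ok and asn_ok)


def validate(child: Resources, issuer: Resources, reconsidered: bool):
    """Return (status, verified resources).

    reconsidered=False: RFC 6487 behaviour, an over-claiming certificate is rejected.
    reconsidered=True:  the issuer signalled the alternative policy, so the
                        certificate is accepted for the intersection only.
    """
    if not over_claims(child, issuer):
        return "valid", child
    if not reconsidered:
        return "rejected", None
    return "valid", intersect(child, issuer)


def describe(result) -> str:
    """Flatten a validate() result into one string for display and testing."""
    status, res = result
    if res is None:
        return status
    prefixes = ",".join(str(p) for p in res.prefixes)
    asns = ",".join(f"AS{lo}-AS{hi}" for lo, hi in res.asns)
    return f"{status} prefixes=[{prefixes}] asns=[{asns}]"


# Constructed sample data: what the issuing CA's certificate holds.
ISSUER = Resources(
    prefixes=(ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")),
    asns=((64496, 64511),),
)
# Constructed child: one legitimate sub-prefix, one prefix the issuer never held,
# and an AS range that runs past the issuer's allocation.
CHILD = Resources(
    prefixes=(ipaddress.ip_network("192.0.2.0/25"), ipaddress.ip_network("198.51.100.0/24")),
    asns=((64500, 64520),),
)
# Constructed child that stays within the issuer's resources.
GOOD_CHILD = Resources(prefixes=(ipaddress.ip_network("192.0.2.0/25"),), asns=((64500, 64505),))

if __name__ == "__main__":
    print("strict (RFC 6487):", describe(validate(CHILD, ISSUER, reconsidered=False)))
    print("reconsidered:     ", describe(validate(CHILD, ISSUER, reconsidered=True)))
    print("well-formed child:", describe(validate(GOOD_CHILD, ISSUER, reconsidered=False)))
```

The operational point the draft is addressing is visible in the first two lines of output: under the strict rule a single stray prefix from a registry transfer invalidates the whole certificate (and everything issued beneath it), whereas the reconsidered rule keeps the certificate usable for the resources the issuer genuinely holds.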

In the area of Resource Public Key Infrastructure (RPKI) and BGPsec, SIDROPS has taken over the technology developed in SIDR and is focused on developing guidelines for the operation of SIDR-aware networks, and providing operational guidance on how to deploy and operate SIDR technologies in existing and new networks.

In my last guide, I mentioned some work to ease the job of an RPKI relying party software developer. An individual submission, “Requirements for Resource Public Key Infrastructure (RPKI) Relying Parties”, recently called for adoption, provides a single reference point for the requirements on Relying Party (RP) software for use in the RPKI. To see how these requirements are implemented in practice, one can look at the RPSTIR package. Hopefully efforts like this will ease adoption of the technology.

Another item in this area is a recently adopted I-D, “Origin Validation Clarifications”, that provides guidance to equipment vendors to resolve potential ambiguity in implementations. Specifically, it requires that, by default, all routes are considered for validation and marked accordingly. It also states that by default no policy should be applied to these marked routes; that is the job of the network operator.
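As an added illustration of the default behaviour that draft asks for (example code written for this post, not the draft's text or any router vendor's implementation), the following Python marks every route in a constructed routing table with the RFC 6811 origin validation state (Valid, Invalid or NotFound) against a small set of constructed ROAs, and keeps the decision about what to do with each state in a separate, operator-supplied policy function rather than dropping or preferring anything while marking.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Roa:
    """A validated ROA payload: prefix, maximum announced length, authorised origin AS."""
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Route:
    """A received BGP route reduced to what origin validation looks at."""
    prefix: str
    origin_as: int


def _covers(roa: Roa, announced) -> bool:
    """A ROA covers a route when the announced prefix lies within the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == announced.version and announced.subnet_of(roa_net)


def origin_validation_state(route: Route, roas: List[Roa]) -> str:
    """RFC 6811: NotFound if no ROA covers the prefix, Valid if a covering ROA
    matches origin AS and maxLength, otherwise Invalid."""
    announced = ipaddress.ip_network(route.prefix)
    covering = [r for r in roas if _covers(r, announced)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == route.origin_as and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def mark_all(routes: List[Route], roas: List[Roa]) -> Dict[Route, str]:
    """Default mode the draft asks for: every route gets a state, nothing is filtered."""
    return {route: origin_validation_state(route, roas) for route in routes}


def apply_policy(marked: Dict[Route, str], policy: Callable[[str], bool]) -> List[Route]:
    """Operator-defined step, deliberately separate from marking: keep routes whose
    state the supplied policy accepts."""
    return [route for route, state in marked.items() if policy(state)]


# Constructed ROAs (documentation prefixes, private-use ASNs).
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64497),
]

# Constructed sample of received routes, with the state each should receive.
ROUTES = [
    Route("192.0.2.0/24", 64496),      # covered, origin matches, length ok   -> Valid
    Route("192.0.2.0/25", 64496),      # more specific than maxLength allows  -> Invalid
    Route("192.0.2.0/24", 64511),      # covered but wrong origin AS          -> Invalid
    Route("198.51.100.0/24", 64496),   # no ROA covers it                     -> NotFound
    Route("2001:db8:1::/48", 64497),   # covered, within maxLength            -> Valid
]

if __name__ == "__main__":
    marked = mark_all(ROUTES, ROAS)
    for route, state in marked.items():
        print(f"{route.prefix:20} AS{route.origin_as}  {state}")
    # One possible operator policy: drop only Invalid routes and keep NotFound,
    # since most of the routing table still has no ROA.
    accepted = apply_policy(marked, lambda state: state != "Invalid")
    print(len(accepted), "of", len(ROUTES), "routes accepted by the example policy")
```

Separating the two steps is what makes the marking observable: an operator can log or export the states for every route before deciding, per peer or per prefix, whether Invalid routes are dropped, depreferenced or merely reported.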

There has been little progress in the work on mitigating route leaks, and I am curious whether this discussion surfaces on the Inter-Domain Routing (IDR) WG agenda. At the moment, there are still two proposals addressing the route leak problem. Both are IDR WG documents: “Methods for Detection and Mitigation of BGP Route Leaks”, and “Route Leak Prevention using Roles in Update and Open messages”.

DDoS attacks are a persistent and growing threat on the Internet, and as they evolve rapidly in both volume and sophistication, more efficient cooperation is required between victims and the parties that can help mitigate such attacks. The ability to respond quickly and precisely to an attack as it begins, communicating exact information to the mitigation service providers, is crucial.

Addressing this challenge is what keeps the DDoS Open Threat Signaling (DOTS) WG busy. The goal of the group is to develop a communications protocol intended to facilitate the programmatic, coordinated mitigation of such attacks via a standards-based mechanism. This protocol should support requests for DDoS mitigation services and status updates across inter-organizational administrative boundaries. Specifications outlining the requirements, architecture, and the use cases for DOTS are maturing and will be discussed at the meeting.

To summarize – there is important work underway at the IETF that will hopefully lead to a more resilient and secure Internet infrastructure.

Related Working Groups at IETF 100

SIDROPS (SIDR Operations) WG
Wednesday, 15 November, 13:30-15:00, Sophia
Agenda: https://datatracker.ietf.org/meeting/100/session/sidrops/
Charter: https://datatracker.ietf.org/wg/sidrops/charter/

IDR (Inter-Domain Routing Working Group) WG
Monday, 13 November, 13:30-15:30, Canning
Agenda: https://datatracker.ietf.org/meeting/100/session/idr/
Charter: https://datatracker.ietf.org/wg/idr/charter/

DOTS (DDoS Open Threat Signaling) WG
Tuesday, 14 November, 13:30-15:30, Olivia
Agenda: https://datatracker.ietf.org/meeting/100/session/dots/
Charter: https://datatracker.ietf.org/wg/dots/charter/

Follow Us

A lot is going on in Singapore, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Society blog, Twitter, Facebook, or see https://dev.internetsociety.org/events/ietf/ietf-100/.


November 2017 IETF Journal Now Available Online

The November 2017 issue of the IETF Journal is now online at https://www.ietfjournal.org/journal-issues/november-2017/. With IETF 100 in Singapore starting this coming weekend, this is the perfect time to get caught up on what’s been happening in the world of Internet standards lately. (Starting next week, you can also learn more about the Internet Society’s work at IETF 100 via our series of Rough Guide blog posts.)

In this issue, you’ll learn about implementation work taking place in the Human Rights Protocol Considerations Research Group, the latest security updates to Network Time Protocol, new email-related Working Groups JMAP and EXTRA, as well as the important coding work that took place as part of the IETF Hackathon.

Our regular columns from the IETF, IAB, and IRTF chairs and coverage of the Birds-of-a-Feather meetings and presentations from the Applied Networking Research Prize winners wrap up the issue.

There will be print copies available at IETF in Singapore, the email version will hit subscribers’ inboxes in the coming days, and print subscribers will receive their issues shortly thereafter.

This issue marks the final hardcopy version of the IETF Journal. As we explain in “We’re Going Digital!”, starting in 2018 we’ll be shifting our focus to ietfjournal.org. Be sure to follow us on Twitter (@ietfjournal) and Facebook (facebook.com/IETFJournal) to stay current with our future IETF Journal activities.

If you are interested in writing for the next issue, or know someone who may be, please let us know via email to ietfjournal@isoc.org.

Happy reading!


Rough Guide to IETF 100 – Slinging Standards in Singapore

It’s time for the third and final IETF meeting of 2017. Starting on Sunday, 12 November, the Internet Engineering Task Force will be in Singapore for IETF 100, where about 1000 engineers will discuss the latest issues in open internet standards and protocols. All this week, we’re providing our usual Internet Society Rough Guide to the IETF via a series of blog posts on topics of mutual interest:

  • Internet of Things (IoT)
  • Routing Infrastructure Security Resilience
  • IPv6
  • DNSSEC, DANE and DNS Security
  • Identity, Privacy, and Encryption

All these posts can be found on our blog and will be archived through our Rough Guide to IETF 100 overview page.

Here are some of the activities that the Internet Society is involved in and some of my personal highlights.

IETF Journal

Catch up on highlights from IETF 99 in Prague by reading the IETF Journal. You can read all the articles online at https://www.ietfjournal.org, or pick up a hardcopy in Singapore.

This issue marks the final hardcopy version; starting in 2018, we’ll be shifting our focus to longer-form articles online and via our Twitter and Facebook channels. In the meantime, this issue has articles on the Human Rights Protocol Considerations Research Group, the latest security updates to Network Time Protocol, new email-related Working Groups JMAP and EXTRA, as well as the important coding work that took place as part of the IETF Hackathon. Our regular columns from the IETF, IAB, and IRTF chairs, coverage of the Birds-of-a-Feather meetings, and presentations from the Applied Networking Research Prize winners wrap up the issue.

Want to write for the Journal? Email us at ietfjournal@isoc.org.

IRTF and ANRP

Through the Applied Networking Research Prize (ANRP), supported by the Internet Society, the Internet Research Task Force (IRTF) recognizes the best new ideas in networking, and brings them to the IETF, especially in cases where the ideas are relevant for transitioning into shipping Internet products and related standardization efforts. Six submissions were awarded prizes in 2017. Two winners will present their work at the IRTF Open Meeting on Thursday, 16 November at 9:30AM.

  • Paul Emmerich, a research associate at the Technical University of Munich. Emmerich will present his work to develop the high-speed packet generator, MoonGen.
  • Roland van Rijswijk-Deij, a researcher at the Centre for Telematics and Information Technology (CTIT) at the University of Twente. Van Rijswijk-Deij will present his analysis of the impact of elliptic curve cryptography on DNSSEC validation performance.

Other Research Activities

Another effort to connect the research and standardization communities involves both the IETF and the Network and Distributed System Security (NDSS) Symposium. Two areas with active working groups at IETF 100, IoT Security and DNS Privacy, are planning for workshops to be held in conjunction with NDSS 2018. Both the Decentralized IoT Security and Standards (DISS) workshop and the DNS Privacy: Increasing Usability and Decreasing Traceability (DNSPRIV) workshop are currently accepting paper submissions and planning for productive workshops in February 2018.

Hackathon

Right before IETF 99, the IETF is holding another Hackathon to encourage developers to discuss, collaborate, and develop utilities, ideas, sample code, and solutions that show practical implementations of IETF standards. The Hackathon is free to attend but has limited seats available.

Technologies from past Hackathons include DNS, HTTP 2.0, NETVC, OpenDaylight, ONOS, VPP/FD.io, RiOT, SFC, TLS 1.3, WebRTC, YANG/NETCONF/RESTCONF. Details on all planned technologies will be listed on the IETF 100 Meeting Wiki.

Technical Plenary

One of the week’s highlights is always the technical plenary. We don’t have the specific topic yet, but we know it will take place on Wednesday, 15 November, from 17:10-19:40 and you should be there to hear the talk.

Jonathan Postel Award

The Postel Award was established by the Internet Society to honor individuals or organizations that, like Jonathan Postel, have made outstanding contributions in service to the data communications community. The award is focused on sustained and substantial technical contributions, service to the community, and leadership. The Award Ceremony will take place on Wednesday, 15 November during the IETF Plenary.

Birds of a Feather (BoF) Sessions

Another major highlight of every IETF is the new work that gets started in birds-of-a-feather (BoF) sessions. Getting new work started in the IETF usually requires a BoF to discuss goals for the work, the suitability of the IETF as a venue for pursuing the work, and the level of interest in and support for the work. There are four BoFs happening in Singapore:

  • Software Updates for Internet of Things (suit)
    Monday, 13 November, 15:50-17:20
    Aims to standardize a secure firmware update mechanism that is suitable for constrained devices.
  • IASA 2.0 (iasa20)
    Tuesday, 14 November, 13:30-15:00
    Reviews and possibly reworks administrative arrangements at the IETF.
  • Trusted Execution Environment Provisioning (teep)
    Wednesday, 15 November, 13:30-15:00
    Aims to develop an application layer protocol providing Trusted Execution Environments (TEEs) with lifecycle management of trusted applications, and security domain management.
  • Data Center Routing (dcrouting)
    Wednesday, 15 November, 09:30-12:00
    Discusses issues, requirements, and solutions for routing in the data center.



IETF 100 Hackathon: Bringing Innovation and Running Code to the IETF

Interested in contributing running code to the Internet Engineering Task Force (IETF)? Do you see a problem with DNS, DNSSEC, IPv6, TLS, or something else that you want to help fix?

The IETF is holding its next meeting in Singapore in November. Just before IETF 100, on 11-12 November, is a Hackathon to encourage developers to discuss, collaborate and develop utilities, ideas, sample code and solutions that show practical implementations of IETF standards.

Check out the Hackathon Wiki to learn more about how to register, get involved in a project, add your own topic of interest, or even participate remotely if you can’t make it to Singapore next month. You can also read more about a past Hackathon in this IETF Journal article.

As an added bonus, there are some prizes on the line! A panel of judges announces winners in several categories at the end of the event, with winners choosing from sponsor-donated prizes.

Remember, the IETF needs operational expertise to make sure its protocols and standards actually work in real life networks.


Applied Networking Research Prize: Winners Announced, Nominations for 2018 Now Open

As we rapidly approach the last Internet Engineering Task Force meeting for the year, we’re pleased to report that the final winners of the Applied Networking Research Prize (ANRP) for 2017 have been announced.

The ANRP awards for IETF 100 go to:

Paul Emmerich for developing the high-speed packet generator MoonGen.
Paul Emmerich, Sebastian Gallenmüller, Daniel Raumer, Florian Wohlfart, and Georg Carle, “MoonGen: A Scriptable High-Speed Packet Generator,” in Internet Measurement Conference (IMC) 2015, Tokyo, Japan, Oct. 2015.

Roland van Rijswijk-Deij for analysing the impact of elliptic curve cryptography on DNSSEC validation performance.
Roland van Rijswijk-Deij, Kaspar Hageman, Anna Sperotto and Aiko Pras, “The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation,” in IEEE/ACM Transactions on Networking, Volume 25, Issue 2, April 2017.

For the 2017 award period of the ANRP, 39 eligible nominations were received. Each submission was reviewed by several members of the selection committee according to a diverse set of criteria, including scientific excellence and substance, timeliness, relevance, and potential impact on the Internet. Based on this review, six submissions were awarded an Applied Networking Research Prize in 2017.

Paul and Roland will present their work at the IRTF Open Meeting during IETF 100 in Singapore. Remote participation details will be available in due course.

The ANRP is awarded for recent results in applied networking research that are relevant for transitioning into shipping Internet products and related standardization efforts. Researchers with relevant, recent results are encouraged to apply for this prize, which will offer them the opportunity to present and discuss their work with the engineers, network operators, policy makers and scientists that participate in the Internet Engineering Task Force (IETF) and its research arm, the Internet Research Task Force (IRTF). The goal of the Applied Networking Research Prize is to recognize the best new ideas in networking, and bring them to the IETF and IRTF especially in cases where they would not otherwise see much exposure or discussion.

The nomination window for ANRP 2018 is now open and you can submit nominations until November 5, 2017. More information about the ANRP is available including full details of the nomination process.

Please nominate (or self-nominate) and help to support great networking research in getting the recognition it deserves at the IETF in 2018!