Categories
IETF Improving Technical Security Technology

Routing Security on the Internet – Is it Really Worth the Effort?

A security researcher from Georgia Institute of Technology has called into question the efforts underway to secure the Internet’s routing infrastructure. Robert Lychev’s findings are striking and the paper he and his co-authors wrote earned them the third Applied Networking Research Prize for 2014.

Many widely used communication protocols on the Internet were not originally designed with security in mind: they were intended for parties that trust each other. As the Internet has evolved, many new protocols intended to address specific security vulnerabilities have been developed. Deployment of these new protocols can take a long time and therefore questions about the interactions of new secure protocol solutions with legacy insecure protocols are important.

For routing of Internet traffic, Border Gateway Protocol (or BGP) is a key technology and much work has been done to address the real security vulnerabilities of BGP through developments like the Resource Public Key Infrastructure (RPKI) and BGP Security Extensions (BGPSEC). Lychev and his collaborators were interested in understanding the security properties of BGPSEC in partial deployment. In particular, what does partially deployed BGPSEC offer over RPKI or, “Is the juice (additional security benefits) worth the squeeze (extra efforts of deployment)?”

In their paper, “BGP Security in Partial Deployment” (Proc. ACM SIGCOMM, Hong Kong, China, August 2013), Lychev and his co-authors Sharon Goldberg and Michael Schapira found that partially deployed security measures sometimes introduce new vulnerabilities and partial deployment provides only meagre benefits over RPKI if operators do not prioritise security over all other considerations in their routing policies.

Speaking about the award and his trip to the IETF meeting in Toronto, Lychev said, “Thank you very much for making this trip possible. I think that I have learned quite a bit from this meeting. I met a lot of people, and I hope to start new collaborations with some of them in the near future.”

Lychev received his award at the recent Internet Research Task Force open meeting at IETF 90 in Toronto, where he also presented his results. His slides are available and audio from the presentation is also available (starting at 00:09:00).

The nomination period for Applied Networking Research Prizes to be awarded in 2015 is now open. Please submit your nominations for the 2015 ANRP award before the closing date of October 31, 2014. Nominations can be submitted via the submission site or by email to anrp@irtf.org.

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events IETF

The DNSSEC Coordination “Breakfast” At IETF90

As has been our practice for the last several IETF meetings, a group of us involved with DNSSEC got together at about 7:30am on Friday, July 25, 2014, at IETF 90 in Toronto to talk about… well… whatever we wanted… but often involving DNSSEC! As usual it was an enjoyable time catching up and learning more about each other… and talking about new ideas and new ways we could do things.

DNSSEC breakfast

This breakfast included: Shumon Huque, Paul Ebersman, Mike Baer, Dan York (me), Russ Mundy, Frederico Neves and Wes Hardaker.

If you’d like to join into DNSSEC-related activities such as this, please feel free to join the public “dnssec-coord” mailing list where we coordinate plans like this to get together.

And if you’d like to learn more about DNSSEC, please check out our Start Here page to learn more about how to get started!

UPDATE – 25 Aug 2014:  I neglected to mention that the photo was taken by Richard Guy Briggs, who also attended the breakfast.  Thanks to Shumon for pointing out the omission … and thanks to Richard for taking the photo!

Categories
Deploy360 Events IETF

Recovering From The Wonderful Insanity of IETF 90

Today is the Monday after an IETF meeting.  For those who were following our “Deploy360@IETF” and other posts last week or are following us on social media, you know how insanely busy it was for us all. Today I think many of the 1200+ “IETFers” at IETF 90 in Toronto last week are getting back to our respective offices all around the world and “decompressing” from the wonderful craziness that makes up an IETF week.

Mostly, we’re just trying to recover from the pace.  Figure out what it is we need to do next… and start doing that.

There are so many action items I wrote down.  So many articles I want to write for here on Deploy360 and on other sites.  So many Internet Drafts I want to review.  So many drafts I want to write.

It will take a while.

Right now I find myself still caught up in all that happened.  IETF 90 was an excellent event.  Extremely productive on issues around IPv6, DNSSEC, TLS, routing security … and more. Like all IETF meetings it is a study in contrasts.  The large plenary sessions seating 1,000+ people:

ietf90-plenary-450

And the smaller, more intimate working group rooms that seat far fewer:

ietf90-wes-450

It’s the long microphone lines:

IETF microphone line

… and the passionate discussions that sometimes happen at those microphones:

IETF 90 microphone discussion

It was presenting our work in one session:

Jan zorz presenting

… and sitting in one of the most ornate conference rooms I’ve ever been in (owing apparently to the history of the Fairmont Royal York):

IETF 90 ornate ballroom

It was going to completely packed sessions at 9:00am in the morning:

ietf90-dnsop-packed-450

… and being amused to find that the Terminal Room contained an actual terminal :

ietf90-terminal-450

It was smiling when I saw this slide (in an excellent presentation about calculating where to locate authoritative DNS servers for a TLD registry operator) and realizing that my own knowledge of some types of mathematics is so rusty that my brain didn’t think of this as “simple”:

simple example

… and it was laughing when I saw that some IETFer modified the Fairmont Royal York’s warning that long dresses could get caught in an escalator to be a bit more appropriate for the audience:

warning - long beards

It was getting up for 7:30am breakfast meetings and not getting back to my hotel room until 11:30pm and then realizing on Thursday evening that I hadn’t left the hotel since Tuesday evening….  and it was going for a 6:00am run with 3 other IETFers on Friday morning:

Morning run in Toronto

It was a crazy, busy … and wonderful week.  Full of all the conversations, discussions, arguments, presentations… and random meetings… that move the open Internet standards along. Full of the amazing people that make the IETF the truly amazing organization that it is – all gathered together, and attending remotely… all trying to make the Internet work better!

And now… as we all return to our homes and offices… the next step is to translate all the work that happened last week into actions over the weeks and months ahead…

 

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) IETF

Deploy360@IETF90, Day 5: HOMENET, SIDR, TRANS and GROW… and then we're done!

IETF LogoYou might think the final day of IETF 90 might be a bit quieter for us… but in fact the morning session from 9:00-11:30 EDT has three sessions happening simultaneously that are related to the work we do (HOMENET, SIDR and TRANS) – and in my personal case I want to be in two separate places at the same time!  (Which I will be attempting to do via monitoring Jabber chat rooms.)   The day will actually start at 8:00am with an informal breakfast meeting of some of the folks subscribe to the DNSSEC coordination mailing list.  After that we’ll be heading into the morning session block where we’ll be choosing between the three conflicting sessions.

One of those three sessions is HOMENET, which Chris described in his Rough Guide post about IPv6:

(HOMENET) is chartered to address the challenges in the evolving networking technology within and among relatively small “residential home” networks. This work is not necessarily dependent on a specific version of IP but the thrust of all discussions within the WG is how the IPv6 protocol suite can better serve these often overlooked networks out at the consumer edge of the Internet. 

The HOMENET agenda is filled with IPv6-related drafts and discussion points… BUT… there is also a DNSSEC angle that I described in my own Rough Guide post:

the HOMENET Working Group has on its agenda two documents from Daniel Migault that that look at two different aspects of DNSSEC interaction with customer-premise equipment (CPE).  The first draft outlines an architecture in which a CPE device could manage some of its naming services and then outsource other naming services, such as DNSSEC management, to external services.  The second draft proposes new DHCP optionsthat would provide a means to update the trust anchors used in DNSSEC and also provide a way to update the time of a CPE device. These are both definitely important work as we need CPE devices to provide solid DNSSEC support if we are to get DNSSEC validation happening everywhere.

The challenge for me is that one floor down in the hotel the TRANS working group will also be talking about DNSSEC.  As I said in the Rough Guide post:

 the TRANS Working Group focused on “Certificate Transparency” (CT) will be having a discussion about whether there is a role for CT to play in logging DNSSEC information. There is not a draft associated with this idea but there was a lengthy discussion in the trans mailing list that began with a message from Nico Williams and continued on into great detail. My understanding is that the discussion will be mainly about what, if any, role CT might play with DNSSEC and DANE. Given some of the passions involved with this whole topic I expect there to be a great amount of discussion.

Meanwhile, in a room nearby to TRANS, the Secure Inter-Domain Routing (SIDR) working group that focuses on securing BGP will be meeting.  As our colleague Andrei Robachevsky wrote in his Rough Guide post about routing resiliency, there is a great amount of work happening in this group this week.  Of particular interest may be a discussion around “RPKI Revisited” led by Geoff Huston about the Resource Public Key Infrastructure (RPKI). As Andrei writes:

Perhaps a bigger change that is being discussed is related to the problem of potential operational fragility in the management of certificates in the RPKI in response to the movement of resources across registries described by the draft “RPKI Validation Reconsidered”. The problem in a nutshell is that in the current model, specified by RFC 6487, a certificate is considered invalid if a proper validation path cannot be built for all resources specified by that certificate. But in operational reality such a situation can occur, for instance, with the resource transfer, when “shrinkage” of the parent certificate will immediately invalidate the whole branch beneath, unless all subordinate certificates are also re-issued. If such a situation happens high in the hierarchy, say at the RIR level, the impact can be pretty severe. The draft also describes alternative approaches, although the focus of the discussion now is on the problem.

After those three sessions in the first meeting block, the second meeting block really has for us only the Global Routing Operations (GROW) Working Group.  The GROW agenda covers a number of routing security topics, one of which, as Andrei writes, deals with the issue of route leaks:

One of the items, which originally emerged in the SIDR WG and has now also been discussed in the GROW WG, is so-called “route-leaks”. Simply speaking, this describes a violation of a “valley-free” routing when, for example, a multi-homed customer “leaks” an announcement from one upstream provider to another one. Since usually customer announcements have the highest priority, if no precautions are taken this results in traffic from one provider to another bypassing the customer. This introduces the potential for a staged MITM attack. But this is an explanation in layman terms, and the group was working on nailing down the definition and the problem statement, see https://datatracker.ietf.org/doc/draft-ietf-grow-simple-leak-attack-bgpsec-no-help/.

After that, our team will be attending the regular meeting of the Internet Society Advisory Council and then will be starting the process of heading home!   As you can tell from our posts, it’s been a VERY busy – but successful – week!

If you’d like to join the HOMENET, SIDR or GROW sessions (or any of the others) remotely to hear the discussion you can follow the instructions on the IETF 90 Remote Participation page or use the “tools-style” agenda page that provides easy links to the audio stream, jabber chat room documents and more for each of the sessions.

The information about the relevant working groups today is:

HOMENET (Home Networking) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/homenet/
Documents: https://datatracker.ietf.org/wg/homenet/
Charter: https://datatracker.ietf.org/wg/homenet/charter/
(Friday, July 25, 2014, 0900-1130 EDT, Canadian)

TRANS (Public Notary Transparency) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/trans/
Documents: https://datatracker.ietf.org/wg/trans/
Charter: https://datatracker.ietf.org/wg/trans/charter/
(Friday, July 25, 2014, 0900-1130 EDT, Manitoba)

SIDR (Secure Inter-Domain Routing) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/sidr/
Charter: https://datatracker.ietf.org/wg/sidr/charter/
(Friday, 25 July, 0900-1130 EDT, Territories Room)

GROW (Global Routing Operations) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/grow/
Charter: https://datatracker.ietf.org/wg/grow/charter/
(Friday, 25 July, 1150-1320 EDT, Ontario Room)

For more background on what is happening at IETF 90, please see our “Rough Guide to IETF 90” posts on the ITM blog:

If you are here at IETF 90 in Toronto, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Categories
Deploy360 IETF

IETF 90: Operators and IETF Initial Survey Results & Discussion

Jan Zorz presenting at IETF90 OpsAWG
Jan Zorz presenting at IETF90 OpsAWG

Yesterday, July 23rd, at IETF 90, I presented a partial analysis of the data we gathered from our Operators and the IETF survey. The survey was open from January to July 2014. Since the survey closed just three weeks ago, we’ve really just started to analyze the data, and with this IETF presentation looming, we focused largely on the portion of the people who claimed they don’t participate in the IETF at all.

In the slides embedded below, you can see the initial results, including our key findings:

  • The majority of survey participants were Operators/Engineers/Architects; more than 90% hold primarily technical roles.
  • 50% of respondents claim to have a managerial role.
  • ~50% do not participate in the IETF in any form; ~30% participate just on mailing lists.
  • Many have heard of the IETF and know what it does, but do not know how to participate.
  • +50% believe operator input is welcome; 64% say they do NOT rely on vendors to represent them
  • A strong majority claim they are interested in IETF mailing lists, find the content relevant, believe it’s important to their jobs, but don’t have enough time to participate in mailing lists.
  • 82% say that they don’t have a travel budget for IETF meetings.

[slideshare id=37283632&doc=operators-ietf-survey-results-140723093958-phpapp02]

We have promised to continue analyzing the data and to write an I-D for the next IETF meeting in Hawaii. This will contain much more data and also suggestions on how to lower the bar for other operators to participate.

The presentation of these initial results was accepted quite well at IETF 90, and most importantly triggered a long queue at the microphone in the room. There were some great suggestions from the community that we will integrate into the I-D. This discussion has been ongoing without any real data to understand the issues, concerns, and obstacles, that prevented operators from participating in the standards making process.

We look forward to the rest of the data analysis and will report back when we have more to share.

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) IETF IPv6

Deploy360@IETF90, Day 4: 6LO, DNSSD, SUNSET4 and Learning About 5G Wireless Technology…

IETF LogoToday at IETF 90 we on the Deploy360 team will be starting the day focusing on the “Internet of Things (IoT)” as we listen to what is being discussed in the 6LO working group.  Formally titled “IPv6 over Networks of Resource Constrained Nodes” this group focuses on using IPv6 in low power and constrained environments such as sensor networks, “smart grids” and other embedded environments. The 6lo agenda is full of drafts exploring different types of such networks.  There is great work happening in this group and we’re looking forward to listening to the discussions.

At the end of the scheduled working group sessions we’ll also be in IPv6-land as we join in the SUNSET4 Working Group looking at what needs to be done to ensure that networks can operate in the absence of IPv4, i.e. in an IPv6-only situation. Today’s SUNSET4 agenda looks at how to shut off IPv4 on a network and several drafts about how to work in an IPv4-only space.

At the same time as the SUNSET 4 WG there will also be the TLS Working Group that will be looking at several new encryption mechanisms for TLS.

In between those IPv6 and TLS sessions I’ll be sitting in the DNSSD working group. As I mentioned in the Rough Guide post relating to DNSSEC, the work in this group doesn’t directly apply to DNSSEC, but there are discussions relating to DNS security in general that are important for us to monitor.

Some of the other sessions that some of our team members may monitor include:

If you’d like to join the 6LO or SUNSET4 sessions (or any of the others) remotely to hear the discussion you can follow the instructions on the IETF 90 Remote Participation page or use the “tools-style” agenda page that provides easy links to the audio stream, jabber chat room documents and more for each of the sessions.

Lunch Briefing About 5G Wireless Technology

In the middle of the sessions during the lunch break from 11:30-13:00 EDT I’m planning to be in Ballroom to listen to a presentation from Erik Dahlman of Ericsson about what “5G” technology is all about. The abstract is:

Discussions on fifth generation (5g) wireless access has rapidly intensified during the latest two years. 5G wireless access is seen as the long-term enabler of the overall networked society, not only providing enhanced mobile broadband access but being a tool to provide wireless connectivity for any kind of application.

This speech will provide an overview of the state of 5G efforts around the world. We will discuss the specific requirements and challenges being identified for 5G wireless access and the different technology
components and alternatives being considered. We will also outline possible time schedule for 5G in ITU and 3GPP.

The lunchtime session will have a live video stream and will also be recorded for later viewing.

Bits-N-Bites

We’ll be ending the day at the Bits-N-Bites session that has a new format and what look like very cool demonstrations related to the “Internet of Things”.  Should be fun to see!

The information about the relevant working groups today is:

6LO (IPv6 over Networks of Resource Constrained Nodes) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/6lo/
Documents: https://datatracker.ietf.org/wg/6lo/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6lo/ 
(Thursday, July 22, 2014, 0900-1130 EDT, Tudor 7/8)

DNSSD (Extensions for Scalable DNS Service Discovery) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: https://datatracker.ietf.org/wg/dnssd/charter/
(Thursday, July 24, 2014, 1520-1720 EDT, Canadian)

SUNSET4 (Sunsetting IPv4) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/sunset4/
Documents: https://datatracker.ietf.org/wg/sunset4/
Charter: http://tools.ietf.org/wg/sunset4/charters
(Thursday, July 22, 2014, 1730-1830 EDT, Tudor 7/8)

TLS (Transport Layer Security) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/tls/
Documents: https://datatracker.ietf.org/wg/tls/
Charter: http://tools.ietf.org/wg/tls/charters
(Thursday, July 22, 2014, 1730-1830 EDT, Ontario)

For more background on what is happening at IETF 90, please see our “Rough Guide to IETF 90” posts on the ITM blog:

If you are here at IETF 90 in Toronto, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Categories
Deploy360 IETF

Deploy360@IETF90, Day3: Operators and the IETF, DHC, DANE in TRAM, CrypTech and more

IETF LogoWednesday at IETF90 is a bit quieter day for our Deploy360 topics, which is nice after the crazy schedule of yesterday and of Monday .  It’s still quite busy and starts off with our team member Jan Žorž presenting in the OPS Area Working Group about our “Operators and the IETF” project, as well as IPv6 activity happening in the DHC Working Group. We learned of a new DANE draft happening in the TRAM Working Group. The CrypTech project has a lunch briefing and the Routing Area Working Group meets this afternoon.  More info below…

If you’d like to join the OPSAWG or TRAM sessions (or any of the others) remotely to hear the discussion you can follow the instructions on the IETF 90 Remote Participation page or use the “tools-style” agenda page that provides easy links to the audio stream, jabber chat room documents and more for each of the sessions.

OPS Area Working Group  – and IPv6 in DHC

In the Operations Area Working Group from 9:00-11:30 EDT, Jan is going to be speaking about our “Operators and the IETF” project and presenting some preliminary results from the survey we undertook to understand what were some of the reasons network operators had for not participating in the IETF standards process.  The goal here is to relay the feedback we’ve collected thus far and have a conversation about how we might be able to get more network operators involved with the IETF so that we can improve the amount of operational feedback provided into the standards process.

At the same time in another room the DHC Working Group will be covering a great many topics related to IPv6 and DHCP, specifically clarifying various points about how DHCP works with IPv6 and how to use DHCP more securely.

Lunch Briefing About The CrypTech Project

During the lunch break from 11:30-13:00 EDT in the Quebec Room there will be a briefing about the CrypTech Project, a fascinating project to develop an open hardware cryptographic engine.  Our colleague Lucy Lynch recently wrote about this in a blog post, “The Black Box Paradox – How to Trust a Secret on Today’s Internet“.  It looks quite interesting.

A DANE Draft in TRAM

In a side conversation with Marc Petit-Huguenin here at IETF 90 on Monday I learned that he has a DANE-related draft in the TRAM Working Group. The TRAM WG is focused on improving the TURN and STUN servers that facilitate real-time communications between people who are behind NAT boxes such as home / enterprise firewalls. This is particularly of interest to people working on WebRTC/RTCWEB.  Marc’s draft, draft-petithuguenin-tram-stun-dane-00, defines how DANE can be used by STUN clients to secure the TLS connection with servers.  His slides are available.

After that we’ll probably be in the Routing Area Working Group and then listening to the Operations and Administration Plenary tonight.  And then we’ll be getting ready for another VERY busy day tomorrow!

The information about the relevant working groups today is:

DHC (Dynamic Host Configuration) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/dhc/
Documents: https://datatracker.ietf.org/wg/dhc/
Charter: https://datatracker.ietf.org/wg/dhc/charter/
(Wednesday, July 23, 2014, 0900-1130 EDT, Salon B)

OPSAWG (OPS Area Working Group) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/opsawg/
Documents: https://datatracker.ietf.org/wg/opsawg/
Charter: https://datatracker.ietf.org/wg/opsawg/charter/
(Wednesday, July 23, 2014, 0900-1130 EDT, Ontario)

TRAM (TURN Revised and Modernized) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/tram/
Documents: https://datatracker.ietf.org/wg/tram/
Charter: https://datatracker.ietf.org/wg/tram/charter/
(Wednesday, July 23, 2014, 1300-1130 EDT, Manitoba)

RTGWG (Routing Area Working Group) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/rtgwg/
Documents: https://datatracker.ietf.org/wg/rtgwg/
Charter: https://datatracker.ietf.org/wg/rtgwg/charter/
(Wednesday, July 23, 2014, 0900-1130 EDT, Ballroom)

For more background on what is happening at IETF 90, please see our “Rough Guide to IETF 90” posts on the ITM blog:

If you are here at IETF 90 in Toronto, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Categories
Building Trust IETF Improving Technical Security Open Internet Standards Privacy Technology

Video Archive: ISOC Panel at IETF 90 on Security and Privacy

Yesterday, we held our ISOC Briefing Panel, called “Internet Security and Privacy: Ten Years Later,” during IETF 90 in Toronto. In case you missed it, the video archive of the session is now available.

Andrei Robachevsky moderated the panel, as four distinguished experts discussed the nature of Internet security and its evolution. The speakers were:

  • Lucy Lynch
  • Danny McPherson
  • Dave Oran
  • Wendy Seltzer

Panelists discussed how Internet security and privacy landscapes have changed over the years, challenges we still need to address, and whether we’ll still be using the same security building blocks ten years from now. They also brought up the societal and legislative changes that have affected the Internet, including user interfaces and risk assessment, privacy and identity implications of ‘free’ online services, and how we as a technical community can work together to implement more of the existing security standards like DNSSEC, DANE, and TLS.

The full webcast is available to watch at https://www.youtube.com/watch?v=zqAgLkkRuBk, and is embedded below.

Did you join us in person, or did you watch remotely? What did you think of the session?

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events IETF To archive

Deploy360@IETF90, Day 2: DNSOP, DANE, UTA, V6OPS, IDR, OPSEC and ISOC@IETF

IETF LogoToday seems to be “DNS Day” here at IETF 90 in Toronto with the two major DNS-related working groups we follow here at Deploy360, DNSOP and DANE, both meeting on the same day.  We’ve also got V6OPS meeting again (as they did yesterday), have several IPv6-security drafts in OPSEC and have routing discussions happening in IDR.  Oh, and we’ll be splitting ourselves 3 ways in the first time slot (and wishing we had clones!). Plus, we’ll have the “ISOC@IETF” briefing panel at lunch time looking at security and privacy issues. It’s going to be a busy day!

If you’d like to join the DNSOP or DANE sessions (or any of the others) remotely to hear the discussion you can follow the instructions on the IETF 90 Remote Participation page or use the “tools-style” agenda page that provides easy links to the audio stream, jabber chat room documents and more for each of the sessions.

DNSOP, DANE and UTA

As I mentioned in my Rough Guide post about DNSSEC/DANE at IETF 90, there is a great amount happening in both DNSOP and DANE.  Here is the relevant excerpt from that post:

DNS Operations (DNSOP)

Tuesday morning from 9:00-11:30 EDT the DNSOP Working Group kicks off with a full agenda that includes a great amount of DNSSEC activity. Matthijs Mekking will bepresenting a draft about DNSSEC key and signing policies. Daniel Migault will betackling the topic of what the requirements are for DNSSEC validation so that DNS resolvers can always have validation enabled.

Of particular interest to folks looking to get DNSSEC deployed (as I am) will be the “DNSSEC Roadblock Avoidance” draft that explores what are the problems with DNSSEC validation in many common network environments – and how do we mitigate those problems.

As the agenda indicates, there will be a range of other topics covered in DNSOP, too. The biggest and most controversial discussion may be around how we optimize the distribution of root zone data, with Warren Kumari and Paul Hoffman offering one view of distributing the root zone and Paul Vixie and Xiaodong Lee offering another view of how to scale the root of DNS. Given that DNSSEC plays an important role in both scenarios we’ll be paying close attention to what I expect will be quite a passionate discussion!

Beyond those topics you can probably expect to see some of the many other documents under DNSOP (scroll down the page to see the full list) raised for consideration – unless, of course, the root optimization discussion consumes most of the time, as could easily happen.

DNS-based Authentication of Named Entities (DANE)

Later on Tuesday afternoon, the working group looking after the DANE protocol will be actively discussing how various other protocols can use DANE / DNSSEC to provide a higher level of security for TLS (SSL) certificates. We should see discussion aroundthe “DANE and OpenPGP” draft as well as the “DANE and SMIME” draft. One of the DANE WG co-chairs, Olafur Gudmundsson, told me that the “SMTP security via opportunistic DANE TLS” draft and the “Using DANE with SRV Records” draft will both be going to Working Group Last Call and so that may or may not trigger some comments.

What may generate more discussion, though, is interest in changing the “DANE Operational Guidance” draft into a “DANEbis” document, i.e. looking at it as a replacement/update for RFC6698 that defines DANE. This should be an interesting discussion!

On a similar track, Paul Wouters will be speaking about standardizing how “Raw Public Keys” for TLS can be authenticated using DANE. As I understand it, Paul wants to extend the TLSA record used in DANE to support more than just PKIX-formatted certificates, allowing DANE to be used for applications that do not require PKIX certs.

I am also intrigued to learn more about ideas from Haixin Duan to use DANE to better secure the usage of HTTPS connections in content distribution networks (CDNs). Haixin Duan and some colleagues have written a paper that goes into more detail (search for “DANE” to jump to the relevant section).

If there is time Olafur tells me that the chairs also intend to kick off a discussion of “reverse DANE”, i.e. DANE records for clients, that might lead to some interesting applications and areas of work.

Unfortunately at the same time as DNSOP from 09:00-11:30,  the Using TLS in Applications (UTA) working group will be meeting. While the UTA agenda  doesn’t directly mention DNSSEC, we definitely pay attention to UTA given that the drafts all focus on securing TLS and that DANE could potentially play a role here. We also have an interest for our “TLS For Applications” section of Deploy360.

IPv6

Beyond DNS, today the IPv6 Operations (V6OPS) working group is back with an agenda once again looking at the operational aspects of running IPv6.  The first document on running multiple IPv6 prefixes was actually addressed in yesterday’s session so there may be more time available for other discussions.  I’m personally intrigued by the discussion about power consumption due to IPv6 multicast on WiFi devices.  I’ve not been directly following that draft so I’m intrigued to learn more.

Outside of V6OPS, IPv6 will also feature prominently on today’s OPSEC agenda with two drafts from Fernando Gont being presented that talk about how firewalls interact with IPv6. First he’ll be discussing how many firewalls drop IPv6 extension headers (EH) and his thoughts about that.  Second, he’s got a draft on “Requirements for IPv6 Enterprise Firewalls” that looks quite interesting.

(As an aside, having lived in Canada from 2000-2005, I’m very pleased that there is at least one draft (Fernando’s) being presented here in Toronto that includes “eh” in it, given that this is a very common Canadian verbal expression, as in “It’s going to be a great day, eh?” 🙂 )

Routing and Securing BGP

Today is also the day one of the major routing working groups we track will be meeting, unfortunately in that same 9:00-11:30 am block as DNSOP and UTA.  The Inter-Domain Routing (IDR) working group has an extremely packed agenda full of all sorts of drafts related to securing BGP and improving the security of our routing infrastructure.  As our colleague Andrei Robachevsky wrote in his Rough Guide post, IDR “continues to work on better handling of malformed BGP attributes that may cause serious outages, and even cascading effects for other networks.  Because of the timing conflict, I won’t personally be in IDR, but you can expect to find Andrei there.

ISOC@IETF90 Briefing: Internet Security and Privacy: Ten Years Later

In the midst of all the working groups today we’ll spend our lunch time from 11:45-12:45 at the traditional “ISOC@IETF Briefing Panel” that happens every Tuesday of an IETF meeting.  The theme this time is “Internet Security and Privacy: Ten years later” and the abstract begins:

Many fundamental Internet protocols and architectural elements were designed for relatively closed and controlled networks and later used in a fairly trusted environment. Then came explosive Internet growth that changed its very nature – the Internet became a global, open communication medium to which anyone could connect and contribute.

At the same time, the Internet model was also changing. Concentration and centralization of certain functions at various Internet architecture layers created new types of vulnerabilities and, consequently, facilitated new threats such as pervasive monitoring. These vulnerabilities manifest themselves in different ways – for instance, in lack of diversity in implementations of critical security protocols, like TLS.

The number and nature of connected devices is also changing dramatically – sensors, controllers, appliances, etc., all communicating without human intervention.

The Internet continues to change and this evolution will continue. How will security and privacy challenges be addressed ten years from now? What are the missing building blocks that need to be developed? Will current approaches allow us to catch up or is a change of paradigm required?

There are a great set of panelists and this should be a great discussion.  It will be live streamed over YouTube and anyone is welcome to watch.  (Unless they are trying to view the stream from Germany, where apparently they can’t.)

And after all that is done we’ll probably be going to the IETF Social event tonight to talk to more people about how we might be able to help them… before eventually getting to bed to get ready for Day 3…

The information about the relevant working groups today is:

DNSOP (DNS Operations) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/
(Tuesday, July 22, 2014, 0900-1130 EDT, Ballroom)

UTA (Using TLS in Applications) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/uta/
Documents: https://datatracker.ietf.org/wg/uta/
Charter: http://tools.ietf.org/wg/uta/charters/
(Tuesday, July 22, 2014, 0900-1130 EDT, Ontario)

IDR (Inter-Domain Routing Working Group) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/idr/
Charter: https://datatracker.ietf.org/wg/idr/charter/
(Tuesday, 22 July, 0900-1130 EDT, Tudor 7/8 Room)

OPSEC (Operational Security) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/opsec/
Charter: https://datatracker.ietf.org/wg/opsec/charter/
(Tuesday, 22 July, 1300-1400 EDT, Territories Room)

V6OPS (IPv6 Operations) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/
(Tuesday, July 22, 2014, 1420-1620 EDT, Ontario)

DANE (DNS-based Authentication of Named Entities) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/dane/
Documents: https://datatracker.ietf.org/wg/dane/
Charter: http://datatracker.ietf.org/wg/dane/charter/
(Tuesday, July 22, 2014, 1640-1840 EDT, Canadian)

For more background on what is happening at IETF 90, please see our “Rough Guide to IETF 90” posts on the ITM blog:

If you are here at IETF 90 in Toronto, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Categories
Building Trust IETF Improving Technical Security Open Internet Standards Technology

TODAY – ISOC Briefing Panel on Internet Security and Privacy – Webcast and Extra Seats

Today, at 11:45 AM EDT, we’ll hold and livestream the “Internet Security and Privacy: Ten Years Later” ISOC briefing panel during IETF 90 in Toronto. Two bits of good news: (a) we have a bigger room than usual, so we have some extra seats, and (b) the webcast will be available to everyone!

How have Internet security and privacy landscapes changed since the Internet’s inception? What challenges do we still need to address, and will we still be using the same building blocks (TLS, DNSSEC, etc.) ten years from now? If not, what’s next? These are the types of questions we’ll be asking our panelists today.

Andrei Robachevsky will moderate the panel, as four distinguished experts discuss the nature of Internet security and its evolution. The speakers are:

    • Lucy Lynch
    • Danny McPherson
    • Dave Oran
    • Wendy Seltzer

Participation

If you pre-registered to participate onsite, great! We will see you in the Ontario Room at the Fairmont Royal York just before 11:45 AM EDT, and you’ll get a boxed lunch as usual. If you didn’t pre-register but you’re here, we will be able to accept some walk-ins. (Unfortunately, you will NOT get lunch, though.) And if you aren’t in Toronto, you can still join remotely to participate in the discussion.

We hope to see you there (in person or online)!

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) IETF To archive

Deploy360@IETF90, Day1: v6OPS, DNSSEC in SIPCORE, 6TISCH and the Technical Plenary

IETF LogoToday here in Toronto at IETF 90 the main activity for the Deploy360 team will be the “IPv6 Operations” (V6OPS) session happening at 9:00am EDT this morning.  The V6OPS agenda  shows that today there will be three larger discussions of interest to us:

  • A discussion of how the interaction between SLAAC and DHCPv6 for can be improved for the configuration of IPv6 clients. There is an Internet Draft that explains the problem statement and will be the basis for the discussion.
  • An analysis of problems encountered in a mobile environment when IPv6-enabled devices roam between mobile networks. Again, an Internet Draft provides the analysis. Coming out of the work of a number of mobile service providers this should be an interesting session.
  • A discussion about what is the appropriate usage of Unique Local Addresses (ULAs).  A draft will be presented but there will also be a much larger discussion happening around what the role of ULAs will be.

There are also a few other topics on the V6OPS agenda and overall it should be a busy session.

If you’d like to join the V6OPS session (or any of the others) remotely to hear the discussion you can follow the instructions on the IETF 90 Remote Participation page or use the “tools-style” agenda page that provides easy links to the audio stream, jabber chat room documents and more for each of the sessions.

After that I’ll be over in the SIPCORE session in the afternoon for Olle Johansson’s draft about how DANE can be used to improve the security of VOIP sessions using TLS and SIP. As I said in my Rough Guide post about DNSSEC/DANE at IETF 90, Olle’s draft presents an interesting usage of DANE in the world of SIP-based voice-over-IP (VoIP).

Next I’ll be over listening in the 6TISCH working group.  This is not one I’ve been actively monitoring but it is of interest to me because it is looking at how IPv6 gets used in automated environments and in Low-power and Lossy Networks (LLNs) that many of us may broadly group into the “Internet of Things”.  From the 6TISCH charter:

The IEEE802.15.4e Timeslotted Channel Hopping (TSCH) is a recent amendment to the Medium Access Control (MAC) portion of the IEEE802.15.4  standard. TSCH is the emerging standard for industrial automation and  process control LLNs, with a direct inheritance from WirelessHART and ISA100.11a. Defining IPv6 over TSCH, 6TiSCH is a key to enable the further adoption of IPv6 in industrial standards and the convergence of Operational Technology (OT) with Information Technology (IT).

Finally, our formal schedule will end today with what should be a very interesting Technical Plenary looking at the link between “network topology” and geography.  The Technical Plenary will be streamed live at http://www.ietf.org/live/ starting at 5:10pm EDT and is available for all to watch. Here is the description of the main technical focus:

Since network gear, links, and the nodes they connect must be in some specific physical place, there is always a relationship between geography and network topology. The flow of data through that topology has generally, however, been relatively independent of the geography.

Recently, some public policy proposals have tried to tie the flow of data on the network to national or regional boundaries. This panel will discuss the relationship between geography and network topology from three points of view.

Each panelist will make a brief presentation, and then we will discuss the implications of their findings. A Question & Answer session will follow the presentations.

I’m personally fascinated by this topic so I’ll be looking forward to this plenary session! Again it is at http://www.ietf.org/live/ – please feel free to share that link widely.

The information about the relevant working groups today is:

V6OPS (IPv6 Operations) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/
(Monday, July 21, 2014, 0900-1130 EDT, Canadian room)

SIPCORE (Session Initiation Protocol Core) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/sipcore/
Documents: https://datatracker.ietf.org/wg/sipcore/
Charter: http://tools.ietf.org/wg/uta/charters/
(Monday, July 21, 2014, 1300-1500 EDT, Territories room)

6TISCH (IPv6 over TSCH mode of 802.16e4)
Agenda: https://datatracker.ietf.org/meeting/90/agenda/6tisch/
Documents: https://datatracker.ietf.org/wg/6tisch/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6tisch/ 
(Monday, July 21, 2014, 1520-1650 EDT, Territories room)

For more background on what is happening at IETF 90, please see our “Rough Guide to IETF 90” posts on the ITM blog:

If you are here at IETF 90 in Toronto, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Categories
Technology

The Internet Society announces its 25th Cohort of Technology Fellows to the Internet Engineering Task Force Meetings

 “The Internet is Magic”

The Internet Engineering Task Force (IETF) is an open community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet’s architecture and smooth operation. Organized in 1986, the IETF produces open standards that are the cornerstone of a vibrant Internet that many of us have the luxury of taking for granted.

As the next billions of Internet users come online, they will come from countries like Argentina, Brazil, China, India, and Kenya. The Internet Society Fellowship to the IETF provides technologists from these countries and more the opportunity to have a voice in the development of open standards, and to connect with Internet pioneers and peers. Since its inception in 2006, the Fellowship programme has provided nearly 225 awards to individuals from more than 50 countries from developing and emerging economies.

As one former Fellow from Venezuela noted, “The Internet is magic. It makes it possible for me to stay in touch with my family while I am in a different country. There is so much I can do and, because of this Fellowship, I now understand more of what goes into making it work.”

The IETF technical community this week in Toronto will be actively engaged in the ‘nuts and bolts’ of what makes the Internet work. It is that critical work that makes the magic happen — and we are grateful for all that it enables, including the connections across boundaries, unbounded innovation, and better opportunities and access for everything from education to health care. To that end, we congratulate this meeting’s Fellows.

Over the years, participation has become increasingly competitive. An important factor in considering an applicant’s selection is a demonstration of how they will apply their learnings to their regions and local communities — and bring that magic home.

Here is more about the experiences and interests of the 11 new and returning Fellows selected for the IETF 90 meeting in Toronto and ISOC’s 25th cohort of Fellows to IETF:

Shabbir Ahmed (Bangladesh) is a Professor at the University of Dhaka. He also works as a Consultant to DrikICT (an ISP in Bangladesh), and is a Chapter Leader in the ISOC Bangladesh Dhaka chapter. Shabbir holds a BSc. in Applied Physics and Electronics, MSc. in Computer Science, and a Ph.D. in Computer Science and Engineering. His research interest includes routing challenges in DTN, data mining techniques, and IPv6 deployment and operations. He is a long-time follower of the IETF MANET working group at the IETF. Shabbir was previously a Fellow to IETF 84.

Abhijan Bhattacharyya (India) currently works as a scientist in the Innovation Lab of Tata Consultancy Services, where he is involved in R&D and works on protocols for resource constrained domains to help Tata create reusable solutions for Internet of Things (IoT) use cases. Abhijan is passionate about learning new technologies and applying the knowledge towards creating innovative solutions. He is currently subscribed to the CoRE, ACE, and DTLS-IoT working groups in the IETF.

Jeferson Campos Nobre (Brazil) is a Ph.D. student at Federal University of Rio Grande do Sul, Brazil. He is a member of Computer Networks Group, working on network management, and is a Lecturer at the University of Vale do Rio do Sinos. His core interest is in distributed and autonomic network management, and he is involved in NMRG and network monitoring related working groups (LMAP, IPFIX, IPPM). His Ph.D research is in the areas of autonomic distributed control of active measurement mechanisms based on the IETF standards One-Way Active Measurement Protocol (OWAMP) and Two-Way Active Measurement Protoco (TWAMP).

Nicolas Fiumarelli (Uruguay) currently works at LACNIC and specializes in Software and Network Engineering. He is presently involved in the development of RPKI policies and algorithms and how they apply to protocols such as SIDR and IDR. He maintains that the technical community has a strong role to play in the IANA transition, and is following those developments closely. He is also currently performing research on elliptic curves and artificial intelligence at the Universidad de la República in Uruguay.

Giuseppe Gangi (Venezuela) is a Software Developer and Free Open Source Software consultant and advocate. He is very excited about participating in the IETF 90 Meeting and is looking forward to becoming more involved in standards development as the basis for establishing himself as a leader and contributor to society.

Fahima Ahmed Khan (Pakistan) currently works in Security & Compliance and Information Assurance at Grameenphone Ltd of Telenor Group. Her role is to assess and validate the security of network and application systems, monitor and identify security incidents and ensure compliance with Sarbanes-Oxley (SOX), ISO27001 and other information systems control frameworks. Fahima holds a BSc. in Computer Engineering and a MBA. She is also qualified as a Certified Information Systems Auditor (CISA), and as such has strong interest in security-related IETF working groups such as NEA, OAUTH, SACM, and TLS.

Frank Maginga (Tanzania) is a Network Planning Engineer with specific focus on Next Generation Networks (NGN) and IP/MPLS Networks at TTCL, a telecom operator in Tanzania. His main responsibilities are to design, plan, and develop efficient networks and infrastructure for TTCL to meet business and service goals. He is interested in QoS techniques and end-to-end performance measurement on the Internet, and is subscribed to the LMAP working group.

Hugo Morillo (Venezuela) is currently employed as an IT Advisor at Pricewaterhouse Coopers Venezuela. He possesses a BSc. in Systems Engineering. Hugo is passionate about new technologies, software development, online gaming and production of short-films. His particular interests in regards to the IETF are IPv6 operations and web security.

Tirumaleswar Reddy (India) is a Technical Lead at Cisco Systems, where he works on firewall and cloud-based Security as a Service (SaaS) features. He has 12 patents pending approval at the U.S. Patent Offices, and is conducting research in the areas of Security, WebRTC, Privacy and AEON (Application Enabled Open Networking). He is also an active contributor to the PCP, TRAM and RTCWEB working groups at the IETF.

Tauqeer Safdar (Pakistan) is a Ph.D. student at University Technology PETRONAS Malaysia. He is a member of the Computer Networks Group, working on network routing, IPv6, MANET and security. He is also a Lecturer in the Department of IT Networking, Higher College of Technology, Muscat, Oman. He is passionate about routing and network management, especially issues related to routing security in IPv6. He is active in ISOC chapters in both Malaysia and Pakistan, specifically working on IPv6-related issues. He is involved in the MANET, IPv6 and Routing working groups in the IETF, and has also co-authored a number of RFCs. Tauqueer is a previous Fellow to IETF 86.

Nestor Michael Tiglao (Philippines) is an Associate Professor of Electrical and Electronics Engineering at the University of the Philippines in Quezon City, Philippines. He holds a BSc. in Electrical Engineering, MSc. in Electrical Engineering, and a Ph.D. in Electrical and Computer Engineering. He is currently working on a wireless sensor network project for smart grid applications. Nestor is passionate about education and using technology such as the Internet for improving the overall quality of life and for building a better society. Nestor has previously been a Fellow at IETF 81 and IETF 85.