
Rough Guide to IETF 98: Internet Infrastructure Resilience

Let’s look at what’s happening in the area of Internet infrastructure resilience in the IETF and at the upcoming IETF 98 meeting. My focus here is primarily on the routing and forwarding planes, specifically routing security and the unwanted traffic generated by Distributed Denial of Service (DDoS) attacks. There is interesting and important work underway at the IETF that can help address problems in both areas.

DDoS attacks are a persistent and growing threat on the Internet. As they evolve rapidly in both volume and sophistication, more efficient cooperation between the victims and the parties that can help mitigate such attacks is required. The ability to respond quickly and precisely to an attack as it begins, communicating exact information to the mitigation service providers, is crucial.

Addressing this challenge is what keeps the DDoS Open Threat Signaling (DOTS, http://datatracker.ietf.org/wg/dots/) WG busy. The goal of the group is to develop a communications protocol intended to facilitate the programmatic, coordinated mitigation of such attacks via a standards-based mechanism. This protocol should support requests for DDoS mitigation services and status updates across inter-organizational administrative boundaries. Specifications outlining the requirements, architecture and the use cases for DOTS are maturing and will be discussed at the meeting.

The draft “Inter-organization cooperative DDoS protection mechanism” (https://datatracker.ietf.org/doc/draft-nishizuka-dots-inter-domain-mechanism) goes further than communication between a victim and a single mitigation service provider. It attempts to describe mechanisms that implement cooperative inter-organization DDoS protection using the DOTS protocol, increasing the available mitigation capacity by sharing resources among several organizations.

The recently chartered SIDR Operations Working Group (SIDROPS) has taken over the technology developed in the SIDR WG and is focused on developing guidelines for the operation of SIDR-aware networks, providing operational guidance on how to deploy and operate SIDR technologies in existing and new networks. The working group meets for the first time at IETF 98 and will, among other things, discuss mitigation mechanisms for route leaks.

There are still two proposals addressing the route leak problem. One is an IDR WG document, “Methods for Detection and Mitigation of BGP Route Leaks” (http://datatracker.ietf.org/doc/draft-ietf-idr-route-leak-detection-mitigation), in which the authors suggest an enhancement to BGP that would extend the route-leak detection and mitigation capability of BGPSEC. The other is an independent submission, “Route Leak Detection and Filtering using Roles in Update and Open messages” (https://tools.ietf.org/html/draft-ymbk-idr-bgp-open-policy). This proposal enhances the BGP Open message so that two neighboring BGP speakers establish an agreement on their relationship (peer, customer, provider or internal), in order to enforce the appropriate configuration on both sides. Propagated routes are then marked with a flag according to the agreed relationship, allowing detection and mitigation of route leaks. An updated version of the specification allows signaling a potential leak more than one hop away.
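To make the role mechanism concrete, here is an added Python model of the check it describes (example code written for this post, not code from the draft or from any BGP implementation): neighbours agree a relationship when the session opens, a route learned from a provider or peer is marked, and a marked route is never re-announced towards a provider or peer. The boolean marker stands in for the draft’s own attribute, and the ASNs and prefixes are constructed for the scenario.

```python
"""Role-based route-leak detection, modelled on the mechanism described
above: neighbours agree a relationship at OPEN time, routes learned from a
provider or peer are marked, and a marked route must never be re-announced
towards a provider or peer. The marker travels with the route, so a leak
can be caught more than one hop from where it happened.
Added illustration: a boolean marker stands in for the attribute the draft
defines, and all ASNs and prefixes below are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    """Our role on a given session, as stated in the OPEN message."""
    PROVIDER = "provider"   # the neighbour is our customer
    CUSTOMER = "customer"   # the neighbour is our provider
    PEER = "peer"           # settlement-free peering
    INTERNAL = "internal"   # iBGP, no leak rule applies


# Pairs (local role, remote role) that describe one consistent relationship.
COMPATIBLE_ROLES = {
    (Role.PROVIDER, Role.CUSTOMER),
    (Role.CUSTOMER, Role.PROVIDER),
    (Role.PEER, Role.PEER),
    (Role.INTERNAL, Role.INTERNAL),
}


def session_roles_agree(local_role: Role, remote_role: Role) -> bool:
    """OPEN-time check: both sides must state complementary roles."""
    return (local_role, remote_role) in COMPATIBLE_ROLES


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple                # nearest AS first, origin last
    leak_marker: bool = False     # set once the route crossed a provider/peer edge


def on_receive(route: Route, local_role: Role) -> Route:
    """Ingress: mark the route if it came from a provider or a peer.
    A marker already present is preserved so it survives further hops."""
    marked = route.leak_marker or local_role in (Role.CUSTOMER, Role.PEER)
    return Route(route.prefix, route.as_path, marked)


def ingress_is_leak(route: Route, local_role: Role) -> bool:
    """A marked route arriving from a customer or a peer has been propagated
    against the agreed relationship somewhere upstream: a route leak."""
    return route.leak_marker and local_role in (Role.PROVIDER, Role.PEER)


def announce(route: Route, local_asn: int, local_role: Role) -> Optional[Route]:
    """Egress: prepend our ASN, or return None when the role rule forbids
    sending this (marked) route towards a provider or peer."""
    if route.leak_marker and local_role in (Role.CUSTOMER, Role.PEER):
        return None
    return Route(route.prefix, (local_asn,) + route.as_path, route.leak_marker)


def simulate_leak() -> dict:
    """Constructed scenario: AS64496 is a provider of AS64497; AS64497 also
    buys transit from AS64498, which peers with AS64500."""
    origin = Route("192.0.2.0/24", (64496,))           # originated by AS64496
    at_64497 = on_receive(origin, Role.CUSTOMER)       # from our provider: marked
    # Compliant router: the announcement towards provider AS64498 is refused.
    blocked = announce(at_64497, 64497, Role.CUSTOMER) is None
    # The route may still go down to AS64497's own customers.
    to_customer = announce(at_64497, 64497, Role.PROVIDER)
    # Legacy router that ignores the rule: build the UPDATE it would have sent.
    leaked = Route(at_64497.prefix, (64497,) + at_64497.as_path, at_64497.leak_marker)
    at_64498 = on_receive(leaked, Role.PROVIDER)       # AS64498 is the provider here
    one_hop = ingress_is_leak(at_64498, Role.PROVIDER)
    # AS64498 (also not enforcing) forwards to peer AS64500: still caught.
    forwarded = Route(at_64498.prefix, (64498,) + at_64498.as_path, at_64498.leak_marker)
    at_64500 = on_receive(forwarded, Role.PEER)
    two_hops = ingress_is_leak(at_64500, Role.PEER)
    return {
        "blocked_at_egress": blocked,
        "customer_path": to_customer.as_path,
        "detected_one_hop": one_hop,
        "detected_two_hops": two_hops,
        "leak_path_seen_at_64500": at_64500.as_path,
    }


if __name__ == "__main__":
    print(simulate_leak())
```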

Both proposals will be discussed at the SIDROPS as well as at the IDR WG sessions.

Another item that can certainly contribute to better resilience of an IXP infrastructure and is on the agenda of the IDR WG session is a proposal, “Making Route Servers Aware of Data Link Failures at IXPs” (https://datatracker.ietf.org/doc/draft-ietf-idr-rs-bfd/). When route servers are used, the data plane is not congruent with the control plane. Therefore, the peers on the Internet exchange can lose data connectivity without the control plane being aware of it, and packets are dropped on the floor. This document proposes a means for the peers to verify connectivity amongst themselves, and a means of communicating the knowledge of the failure back to the route server.

To summarize – there is important work underway at the IETF that will hopefully lead to a more resilient and secure Internet infrastructure.

Related Working Groups at IETF 98

SIDROPS (SIDR Operations) WG
Tuesday, 28 March, 14:50-16:20, Zurich C
Agenda: https://datatracker.ietf.org/meeting/98/agenda/sidrops/
Charter: https://datatracker.ietf.org/wg/sidrops/charter/

GROW (Global Routing Operations) WG
Monday, 27 March, 17:10-18:10, Zurich G
Agenda: https://datatracker.ietf.org/meeting/98/agenda/grow/
Charter: https://datatracker.ietf.org/wg/grow/charter/

IDR (Inter-Domain Routing Working Group) WG
Friday, 31 March, 09:00-11:30, Zurich G
Agenda: https://datatracker.ietf.org/meeting/98/agenda/idr/
Charter: https://datatracker.ietf.org/wg/idr/charter/

DOTS (DDoS Open Threat Signaling) WG
Tuesday, 28 March, 16:40-18:40, Zurich G
Agenda: https://datatracker.ietf.org/meeting/98/agenda/dots/
Charter: https://datatracker.ietf.org/wg/dots/charter/

Follow Us

There’s a lot going on in Chicago, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf98.


IETF Journal Volume 12, Issue 3 Now Online

The latest issue of the IETF Journal (Volume 12, Issue 3) is now available online: https://www.ietfjournal.org/journal-issues/march-2017/

Our cover article is a manifesto of why Internet-enabled businesses should care about the open standards and open source communities. We present the first two of a series of interviews with IETF leadership, in this case outgoing IETF chair Jari Arkko and his successor Alissa Cooper.

Also in this issue, you’ll learn about CodeStand, a new initiative that matches developers with coding projects related to IETF activity. We have several Working Group (ccamp, lwig, dhc) and BoF updates, a summary of the pre-IETF Hackathon, and an article about the Internet Society briefing panel on the topic: The I in IoT: Implications for a Global Open Internet. Our regular columns from the IETF, IAB, and IRTF chairs and coverage of the IAB technical plenary wrap up the issue.

You can read this issue online or download the full issue as a PDF. You can also keep up to date with the latest issue by subscribing to the IETF Journal as an email edition or have it delivered to your postal address in hardcopy.

IETF Journal is on Facebook (www.facebook.com/ietfjournal/) and Twitter (@ietfjournal).

Hard copies will be available as usual at the upcoming IETF 98 meeting from 26-31 March in Chicago, Illinois.

Many thanks to all our contributors. Please send any comments or suggestions for future issues to ietfjournal@isoc.org.


Rough Guide to IETF 98: Internet of Things

The Internet of Things (IoT) is a buzzword around the Internet industry and the broader technology and innovation business. We are often asked what the IETF is doing in relation to IoT and in this short post I’d like to highlight some of the relevant sessions scheduled during the upcoming IETF 98 meeting in Chicago next week. Check out the IETF Journal IoT Category for more details about many of these topics.

Before getting into the IETF 98 proceedings, I’ll note that the IAB recently provided comments to the United States National Telecommunications and Information Administration (NTIA) on the Green Paper: Fostering the Advancement of the Internet of Things, which was released on January 12, 2017.

The core WG aims to extend the Web architecture to the most constrained networks and embedded devices. This is one of the most active IoT working groups and they will be meeting twice in Chicago, on Tuesday afternoon and Friday afternoon.

The Thing-to-Thing Research Group investigates open research issues in turning the IoT into reality. They will be meeting on Monday afternoon in Chicago to report out on various recent activities. There will also be some t2trg-related items on the agenda of the Information Centric Networking research group meeting taking place on Sunday March 26.

The 6lo WG defines mechanisms to adapt IPv6 to a wide range of radio technologies, including “Bluetooth Low Energy” (RFC 7668), ITU-T G.9959 (as used in Z-Wave, RFC 7428) and the Digital Enhanced Cordless Telecommunications (DECT) Ultra Low Energy (ULE) cordless phone standard, as well as the low-cost wired networking technology Master-Slave/Token-Passing (MS/TP) that is widely used over RS-485 in building automation. They will be meeting on Wednesday morning in Chicago.

The 6tisch WG was chartered in 2014 to enable IPv6 for the Time-Slotted Channel Hopping (TSCH) mode that was recently added to IEEE 802.15.4 networks. They are meeting on Tuesday morning in Chicago.

The IPv6 over Low Power Wide-Area Networks (lpwan) WG will be meeting in Chicago on Wednesday afternoon. Typical LPWANs provide low-rate connectivity to vast numbers of battery-powered devices over distances that may span tens of miles, using license-exempt bands.

The IP Wireless Access in Vehicular Environments (ipwave) WG’s primary deliverable is a specification for mechanisms to transmit IPv6 datagrams over IEEE 802.11-OCB mode. ipwave will meet on Friday morning in Chicago.

Security for IoT is addressed in several WGs including the ace WG that is concerned with authenticated authorization mechanisms for accessing resources hosted on servers in constrained environments. The ace WG will meet on Monday morning.

Routing for IoT is tackled by the roll WG which focuses on routing protocols for constrained-node networks. Thursday afternoon is the time for them to meet in Chicago.

Finally, in addition to the new protocols and other mechanisms developed by IETF working groups, IoT developers often benefit from additional guidance for efficient implementation techniques and other considerations. The Lightweight Implementation Guidance (lwig) WG is developing such documents and they will meet in Chicago on Monday afternoon.

If you have an interest in how the IoT is developing and being standardised in the IETF I hope to see you in person or online at some of these meetings during IETF 98.

t2trg (Thing-to-Thing) RG
Monday, 27 March 2017, 1300-1500, Vevey 1/2
Agenda: https://datatracker.ietf.org/meeting/98/agenda/t2trg/
Charter: https://irtf.org/t2trg

6lo (IPv6 over Networks of Resource-constrained Nodes) WG
Wednesday, 29 March 2017, 0900-1130, Zurich A
Agenda: https://datatracker.ietf.org/meeting/98/agenda/6lo/
Documents: https://datatracker.ietf.org/wg/6lo/
Charter: http://datatracker.ietf.org/wg/6lo/charter/

6tisch (IPv6 over the TSCH mode of IEEE 802.15.4e) WG
Tuesday, 28 March 2017, 0900-1130, Zurich C
Agenda: https://datatracker.ietf.org/meeting/98/agenda/6tisch/
Documents: https://datatracker.ietf.org/wg/6tisch/
Charter: http://datatracker.ietf.org/wg/6tisch/charter/

lpwan (IPv6 over Low Power Wide-Area Networks) WG
Wednesday, 29 March 2017, 1300-1500, Zurich C
Agenda: https://datatracker.ietf.org/meeting/98/agenda/lpwan/
Documents: https://datatracker.ietf.org/group/lpwan/
Charter: https://datatracker.ietf.org/group/lpwan/charter/

core (Constrained RESTful Environments) WG
Tuesday, 28 March 2017, 1300-1430, Zurich C
Friday, 31 March 2017, 1150-1320, Zurich C
Agenda: https://datatracker.ietf.org/meeting/98/agenda/core/
Documents: https://datatracker.ietf.org/wg/core/
Charter: http://datatracker.ietf.org/wg/core/charter/

ace (Authentication and Authorization for Constrained Environments) WG
Monday, 27 March 2017, 0900-1130, Zurich C
Agenda: https://datatracker.ietf.org/meeting/98/agenda/ace/
Documents: https://datatracker.ietf.org/wg/ace/
Charter: http://datatracker.ietf.org/wg/ace/charter/

roll (Routing Over Low power and Lossy networks) WG
Thursday, 30 March 2017, 1740-1840, Zurich B
Agenda: https://datatracker.ietf.org/meeting/98/agenda/roll/
Documents: https://datatracker.ietf.org/wg/roll/
Charter: http://datatracker.ietf.org/wg/roll/charter/

lwig (Light-Weight Implementation Guidance) WG
Monday, 27 March 2017, 1710-1810, Zurich D
Agenda: https://datatracker.ietf.org/meeting/98/agenda/lwig/
Documents: https://datatracker.ietf.org/wg/lwig/
Charter: http://datatracker.ietf.org/wg/lwig/charter/

ipwave (IP Wireless Access in Vehicular Environments) WG
Friday, 31 March 2017, 0900-1130, Zurich E/F
Agenda: https://datatracker.ietf.org/meeting/98/agenda/ipwave/
Documents: https://datatracker.ietf.org/wg/ipwave/
Charter: http://datatracker.ietf.org/wg/ipwave/charter/



Rough Guide to IETF 98 — In The Loop: IETF Heads to Chicago

It’s almost here! Pack your bags (or start your remote participation browser) and get ready for IETF 98! Starting on Sunday, 26 March, the Internet Engineering Task Force will be in Chicago, Illinois, where about 1000 engineers will spend a week discussing the latest issues in open standards and protocols. As usual, the agenda is packed, and the Internet Society is providing a ‘Rough Guide’ to the IETF via a series of blog posts on topics of mutual interest:

  • Internet of Things
  • Internet Infrastructure Resilience
  • Scalability & Performance
  • DNSSEC, DANE, and DNS Security
  • IPv6
  • Trust, Identity, and Privacy
  • Encryption

All these posts can be found, and will be archived, through our Rough Guide to IETF 98 overview page at https://dev.internetsociety.org/tag/ietf98/.

Here are some of the activities that the Internet Society is involved in and some of my personal highlights.

IETF Journal

Before we get to IETF 98, catch up on some of the highlights from IETF 97 in Seoul, South Korea, by reading Volume 12, Issue 3 of the IETF Journal. You can read all the articles online at https://www.ietfjournal.org, or pick up a hard copy in Chicago. Our cover article is a manifesto of why Internet-enabled businesses should care about the open standards and open source communities. We present the first two of a series of interviews with IETF leadership, in this case outgoing IETF chair Jari Arkko and his successor Alissa Cooper. Also in this issue, you’ll learn about CodeStand, a new initiative that matches developers with coding projects related to IETF activity. We have several Working Group and BoF updates, a summary of the pre-IETF Hackathon, and an article about the Internet Society briefing panel on the topic: The I in IoT: Implications for a Global Open Internet. Our regular columns from the IETF, IAB, and IRTF chairs, and coverage of the IAB technical plenary wrap up the issue.

If you’d like to write something for the next issue, please contact us at ietfjournal@isoc.org. You can subscribe to hard copy or email editions at https://dev.internetsociety.org/form/ietfj.

IRTF and ANRP

Through the Applied Networking Research Prize (ANRP, supported by the Internet Society) the Internet Research Task Force (IRTF) recognizes the best new ideas in networking, and brings them to the IETF, especially in cases where the ideas are relevant for transitioning into shipping Internet products and related standardization efforts. In Chicago, two talented researchers will present during the IRTF Open Meeting on Monday, 27 March, at 15:20 CDT:

Hackathon

Right before IETF 98, on 25-26 March, the IETF is holding another Hackathon to encourage developers to discuss, collaborate, and develop utilities, ideas, sample code, and solutions that show practical implementations of IETF standards. The Hackathon is free to attend, but pre-registration is required. Read our article about the last Hackathon in the IETF Journal.

Birds of a Feather (BoF) Sessions

A major highlight of every IETF is the new work that gets started in birds-of-a-feather (BoF) sessions. Getting new work started in the IETF usually requires a BoF to discuss goals for the work, the suitability of the IETF as a venue for pursuing the work, and the level of interest in and support for the work.

There are four BoFs happening in Chicago:

  • wugh – “WGs Using GitHub” will review the IETF WGs actively using GitHub today, the use of third-party services by IETF activities, and the issues related to using GitHub for IETF work in particular.
  • iasa20 – “IASA 2.0” will review and possibly rework administrative arrangements at the IETF.
  • casm – “Coordinated Address Space Management” proposes to standardize interfaces for coordinated management of IP addresses, including SDN/NFV networks and other forms of virtualization.
  • teep – “A Protocol for Dynamic Trusted Execution Environment Enablement” proposes to standardize a protocol for dynamic trusted execution environment enablement. A proposal for such a protocol has been published.

Other Noteworthy Things

Newly Nomcom-appointed members of IETF leadership will take their seats during IETF 98 and on this occasion that will include the seating of a new IETF Chair. Jari Arkko has chaired the IETF since 2013 and he will be succeeded by Alissa Cooper, the first woman to hold the position.



Applied Networking Research Workshop – Paper Submission Deadline: 3 April

We’re excited to share news of the second Applied Networking Research Workshop (ANRW2017), which will take place in Prague, Czech Republic, on July 15. This one-day workshop will be co-sponsored by the Association for Computing Machinery (ACM), the Internet Society and the Internet Research Task Force (IRTF). The Call for Papers is open now, with a deadline of 3 April.

This academic workshop will provide a forum for researchers, vendors, network operators and the Internet standards community to present and discuss emerging results in applied networking research. Accepted papers will be published in the ACM Digital Library.

ANRW2017 particularly encourages the submission of results that could form the basis for future engineering work in the Internet Engineering Task Force (IETF), that could change operational Internet practices, that can help better specify Internet protocols, or that could influence further research and experimentation in the IRTF.

If you have some relevant work and would like to join us in Prague for the workshop and potentially stay for the IETF 99 meeting that takes place in the following week, please see the full Call for Papers, which includes detailed paper submission and formatting instructions.

I hope to see you in Prague for what promises to be a very interesting workshop and a good warm-up for the IETF and IRTF meetings to follow.


How the IETF community is shaping technology to build a better society

Continued advances in technology are bringing Internet access to more people around the world, and the IETF (Internet Engineering Task Force) remains at the forefront of integrating technology with humanity. In fact, the IETF makes significant use of a social dimension to articulate its areas of work and research. This is beautifully reflected in Section 4.1 of RFC 3935, which states: “We want the Internet to be useful for communities that share our commitment to openness and fairness. We embrace technical concepts such as decentralized control, edge-user empowerment and sharing of resources, because those concepts resonate with the core values of the IETF community”. This focus on inclusion remains at the forefront of the IETF’s engagement with the human dimension of technology. The standards created in the IETF are testimony to technical development and enable innovation by providing a platform for innovation and interoperability.

The Indian IETF Capacity Building (IICB) Program Phase II has received Beyond the Net support from the Internet Society and focuses on developing technical capacity for increased participation in, and contribution to, Internet technical standards from India. The program aligns itself with United Nations Sustainable Development Goals such as economic growth, employment and decent work for all.

The IICB program was conceived as a traditional, hierarchical program: it has fixed KPIs that roll up to objectives, which in turn roll up to a mission and vision. In practice, however, the program has shifted towards creating communities that decide their own course of action. This was a marked shift, as it required adjustments in the delivery of the program and a larger emphasis on adoption. Because individuals are central to the IETF process, it required the program implementers to develop a greater understanding of the individual who is going to contribute to the IETF process: the collective beliefs they hold, their world views on standards and standardization, their priorities in making a contribution, and the loyalties involved, since time has to be taken out of different parts of the day, and out of personal and professional space, to find a way into this community.

Hence, the awareness sessions carried out in the program focused on the human concerns in the IETF’s technical standards development process. The workshops focused on the societal benefits of the collaborative work happening in the IETF, and remote participation was not merely hearing the speakers over the Internet but a presence across the seas, learning directly from the activities there.

A significant milestone for the IICB program came in late 2016, when a community of technical researchers and academics based at a place called Mallabhum, about 150 km from the city of Kolkata, where we had run our awareness sessions and workshops, proposed their own execution plans; the task at hand was now simply to enable them. Since then they have been running IETF awareness sessions, logging on remotely to IETF sessions, creating smaller sub-groups to focus on specific areas of technology and following the debates on IETF mailing lists. Emboldened, one of the key movers is working to get a visa for his first in-person participation in the IETF, in Chicago.

Stay tuned for the upcoming blog and follow our stories on Twitter.


We are interested in your project

We are looking for new ideas from people all over the world on how to make your community better using the Internet. The Internet Society “Beyond the Net Funding Programme” funds projects up to $ 30.000 USD.

Applications are open until 23rd March. Find out more about the programme.


The Internet of Insecurity: Can Industry Solve It or Is Regulation Required?

That was the question Bruce Schneier and I were asked by Craig Spiezle of the Online Trust Alliance (OTA) during a panel he moderated recently at the RSA conference.

My answer to that question was “an unequivocal yes!” Below is the longer answer. The key lies in accountability.

Old wine in new bags

No matter how you think about the Internet of Things, it is clear that it captures a vision of mind-boggling opportunities. Suddenly everything around us is being connected. Security cameras, thermostats, fridges, and cars turn into connected computers. The speed with which the Internet of Things is changing our lives is unprecedented. Speed and impact amplify the challenges that we face on the Internet today: challenges with security and privacy. Companies that used to build appliances or toys are now suddenly, and often without realizing it, IT companies. They often make the same mistakes that earlier generations made. The Mirai botnet – which exploits network-attached cameras and DVRs – relies on the same vulnerabilities that the Morris worm in the 1990s exploited. Suddenly we are faced with questions that we didn’t have before: Am I OK with my television listening to my conversations and sending them to the cloud? Or, is my daughter’s toy doll a spying device?

What happens if our conversation data is uploaded to the cloud and then is stolen during a data breach? Or, will that data then be used to influence our behavior in ways that we may, as a society, not find acceptable?

Collective Responsibility and Accountability

Let’s focus primarily on the security questions.

To face the security challenges, we need an approach that takes into account the nature of the Internet. The Internet does not have a central control. Internet security is distributed and is enforced at the edges – in your home or in your company. The Internet is not built from one gigantic blueprint. Rather, it developed organically out of interoperable and interconnected building blocks.

In an environment where everything is interconnected, the approach that works is Collaborative Security. Different players collectively assume responsibility over those aspects of the Internet which they can influence. They take into account whether their action or inaction poses a threat on the Internet as a whole. It’s like living in a giant apartment building: we expect everybody to lock the front door to the building. If you forget, your neighbor may be in trouble. And the best way to get solutions is bottom-up. To continue the analogy, the tenants of the apartment building are probably more effective in developing building access policies than the state legislature. Sometimes they address the problem by hiring a doorman, sometimes the social agreement is sufficient. They understand their local environment. But their decision about security has broad implications for the whole neighborhood and, eventually, the entire village or city.

To get a better sense of collaborative security you could read what we wrote here, here, and here, or watch a keynote speech on the topic here.

One aspect of collaborative security we haven’t talked about often is accountability. Collective responsibility works better if the participants are in some way accountable for action or lack of action. Let’s take the example of devices that are shipped with simple-to-guess default passwords, something that has been frowned upon since the early 90s. But now we have new players in the IT marketplace who have to learn these lessons anew. Several factors contribute. First, lack of experience: if you are in the business of making dolls, your expertise is in children’s toys, not network security. And even if you are IT savvy, the reality is that security-by-design is difficult, costly, and time-consuming. In a highly competitive marketplace, like that for consumer goods, manufacturers feel intense pressure to rush products to market at minimum cost. The incentives are misaligned, as Schneier has often argued. How do we realistically hold doll manufacturers accountable for bringing “smart” dolls to market with insufficient security?

Market and Legal

There are roughly two factors that can reinforce accountability: market and legal mechanisms.

One possibility is to create sufficient consumer demand for security and privacy. If we successfully get consumers focused on security (and privacy), this might be enough to create a market where secure products have a competitive advantage. Perhaps consumer organizations (like Consumer Reports in the United States) could assess not just the physical security of products but also the cybersecurity of products in order to help consumers make effective choices. Consumer campaigns could raise awareness and help consumers to see the value of security. Governments may also impact the market for security by procuring products that implement the best current security practices. One could imagine a scenario whereby security incidents and data breaches that impact a large customer base have a serious impact on a company’s stock values.

The accountability mechanism at play here is a company’s bottom line. Organic food was not really a thing a few decades ago; now consumers are willing to pay more for products that carry that label. What can we learn from the dynamics at play there?

Legal liability mechanisms may also force compliance or assign liability. (I am keeping criminal law out of this equation for now). We are familiar with the mechanisms. Without minimum safety standards you may not put a vehicle on the road. And when you don’t comply you can be held liable when causing accidents.

IoT and the policy toolbag

Legal and regulatory action has its place in securing the Internet of Things. But we should not overestimate its effect or underestimate its complexity. There will be jurisdictional complexity, enforcement challenges, and unintended consequences.

The complexity of the IoT ecosystem comes from the diversity of societal applications and of technical and policy domains. There are many ways to approach this. First, take a stab at the requirements and applications in the various sectors. Look at industrial automation, the power system, healthcare, automotive, and home automation. Second, consider the different contexts in which IoT vulnerabilities pose a threat: IoT as a botnet, IoT as a privacy intruder, or IoT as a physical security threat. Third, cut through the components that make up an IoT environment. Look at devices, cloud infrastructure, data brokers and app developers.

One way to deal with the policy complexity of IoT is to think about generic requirements, irrespective of the sector. For instance, think of IoT as a potential privacy threat and set the general boundary conditions based on well-understood public interest requirements. Define the rights of data subjects and liabilities of data controllers across a broad set of sectors. This approach may be better than defining those rights and liabilities for specific sectors because it means that one does not have to go back to the drawing board every time new issues arise. For example, in the US, there are privacy regulations that apply to the rentals of video tapes. Those do not apply to online services like Netflix. It seems logical that the expectations of movie buffs about their privacy are the same regardless of the delivery mechanism.

That all said, sometimes it makes more sense to set specific requirements. The privacy and safety concerns of medical devices are different from consumer toys.

Another axis of complexity comes from the speed of change in IoT technology. Care needs to be taken that rules and regulations do not cope with the problems of today at the expense of innovation tomorrow. They need to be future-proof. For example, much of the focus right now seems to be on regulating devices. But we have passed the point where the Internet of Things is just devices connected to the Internet. They form a complex interconnected system that includes components such as middleware, application clouds, external apps, etc. Thus, an approach that focuses only on devices will miss the broader security threat to the network at large.

Additionally, one has to take into account the unintended consequences of policy and regulatory measures.

The Internet is a complex, dynamic, global environment where measures may have unintended side effects. The spill-over effects of some measures may not be well understood or may be hard to predict.

For example, software often comes with a waiver of liability. Introducing liability may have a negative effect on open-source software development. Not the result you want, given that open-source software is a major driver of security innovation.

Urgency

The problems that we are facing are urgent. The security problems with consumer IoT devices are rapidly becoming human safety issues.

So when I am asked: Internet of Insecurity: Can Industry Solve It or Is Regulation Required?

Then my ‘unequivocal yes’ answer translates to: both are needed. But my answer comes with a warning that regulatory hammers such as “banning unsecure devices” are not going to be very successful. Regulatory tools are likely to be more effective in creating the right environment. An environment in which solutions can develop. In other words, regulations themselves are not likely to be the solution. We have to understand possible side effects before introducing rules and regulations. That is as important as monitoring effects and side effects after they have been introduced.

Responsibility is not in the hands of any single institution.

Industry must take a leadership role in making security their business differentiator. They must create best practices. They must be kept accountable by consumers, shareholders, and, as final resort, governments.

Government should translate societal expectations into boundary conditions that must be met by consumers and industry alike. Furthermore, policies that assign liability are going to be a factor to create accountability. So does imposing serious fines when the boundary conditions are not met.

This is what we mean by collaborative security – no one actor holds the keys to “a solution” to the security challenge. And actions taken will have reactions across the ecosystem. So, Technologists, Civil Society, and Policymakers must find each other to understand the issues that face us and address them head on.

The Internet of Things as an Attack Tool

Akamai has published its Q4 2016 State of the Internet/Security report. As always, it is an interesting read and an opportunity to look at trends in attacks.

Not all trends are up and to the right. As the report states, Q4 2016 was “the third consecutive quarter where we noticed a decrease in the number of attack triggers”. Still, “the overall 2016 attack count was up 4% as compared to 2015”. Also, the volume and number of “mega-attacks” is on the rise.

And of course, there was the Mirai malware recruiting poorly secured devices connected to the Internet. The Mirai-based botnet produced the largest-ever DDoS attacks, with volume peaking at 623 Gbps. That drew a lot of media attention to the dark side of the Internet of Things (IoT), calling for action before it is too late.

Let us look at a few trends playing out in this area.

First, the IoT. Lacking an agreed definition, there is a tendency to call anything connected to the Internet, except conventional computers, an IoT device. Without trying to craft yet another definition, an important question is what makes these new types of connected devices different from the ones that were connected in the past? In the context of DDoS attacks I can only think of three things:

Increased number. Twenty years ago, a household would have a home router and one or two computers connected. Then the smartphone revolution came and significantly more devices were added: gaming consoles, smartphones and tablets. Now, with the ability to easily connect anything, there is a potential that the number of connected things per household, but also in other areas such as industrial systems and “smart” environments, will increase by orders of magnitude. And since any device is potentially vulnerable, that increases opportunities for an attacker.

Limited user interaction. Smart objects are designed to operate autonomously, in the background, without requiring user intervention and offering a limited user interface (if there is one at all). That means that the user won’t administer the device – install updates, monitor its performance, scan for malware and clean it up. But quite frankly, this does not happen much with computers and smartphones either. The difference is that in the latter area the industry has matured and consolidated, realizing the need and offering proven security solutions without relying on a user.

Constrained. On one hand, that means that implementing security functions is more difficult, but on the other, malware has to deal with the same constraints. As recent attacks showed in the context of DDoS, we should be more afraid of unconstrained devices such as home routers and set-top boxes. Such devices have presented a threat since 2003, when a software flaw in Netgear cable modems caused a DDoS attack on the University of Wisconsin, USA. Also, many of these unconstrained devices are always on – another useful feature for a bot.

Increasing complexity, expanding code base, larger attack surfaces as new users and devices are connected to the Internet, less reliance on the user as the Internet has become a commodity – these are general trends related to growth and development, not just an IoT revolution.

The report seems to confirm this: “While there were plenty of IoT-fuelled DDoS attacks in the fourth quarter, none of the fourth quarter’s attacks over 300 Gbps were IoT-based. The Attack Spotlight looks at the botnet that generated the top 3 largest DDoS attacks and delves more deeply into the largest attack this quarter, a 517 Gbps attack with signatures from the Spike DDoS toolkit.”

Another interesting trend highlighted in the report is related to competition for resources: “Our examination of the use of ntp reflection as an attack amplifier last quarter suggests that new attack types peak shortly after they appear. But as these attacks gain in popularity, competition for the resources needed to make them begins. While the number of attacks goes up, the size of individual attacks is pushed down, as there are fewer resources available for each of the botnets.”

What does this mean?

I think that if we talk about DDoS attacks and botnets we must build on more than two decades of experience dealing with this phenomenon. So far three strategies have been applied with relative success:

1. Making the edge more secure

The frightening trend here is that many device manufacturers put features and price on top, and security at the bottom of their priority list. That also includes absence of a software or firmware update mechanism. This creates a long-lasting vulnerability at the edges.

A positive trend here is that the standards development and open source communities are putting a lot of effort into designing building blocks and ready-to-use solutions in this area. Last year the IAB organised a workshop, “Internet of Things (IoT) Software Update (IoTSU)”, where participants discussed software/firmware update mechanisms. A BoF to further work in this area is scheduled for the IETF 98 meeting in Chicago from March 26-31: “A Protocol for Dynamic Trusted Execution Environment Enablement (TEEP) BoF”. Significant efforts are being put into building IoT frameworks, some of which are open source, like AllJoyn by the Open Connectivity Foundation (OCF), and some of which are closed, such as HomeKit by Apple.

2. Detection and disinfection

A good example here is the “Anti-Bot Code of Conduct for Internet Service Providers”, outlining five areas where ISPs can take action and help reduce end-user bots. These are: Education, Detection, Notification, Remediation, and Collaboration.

Users can also take responsibility and keep their home networks clean. This is more and more in their own interest – from performance degradation to privacy and even physical threats as the IoT penetrates our material life. Developments like SENSE from F-Secure can provide households with necessary tools.

3. Mitigation

Botnets usually rely on so-called Command & Control (C&C) servers to get instructions for their operation. Disabling the C&C server effectively means disabling the botnet. For example, this approach was successfully applied in mitigating the Conficker botnet.

Interestingly, there is no (at least not that I have found) mention of this approach when addressing the Mirai botnets. Given that the source code has been released, tracing and taking down C&C servers should be easier.

Does the IoT change this?

The emergence of the IoT makes addressing the issue more challenging, but so does the growth of the Internet in terms of bandwidth and number of connected users. That makes it more important to reinforce and foster the approaches that have worked.

It is true that the IoT brings new challenges and threats, and at a different scale. Imagine cars colliding without reason, or smart cities getting the time of day wrong, or power plants misreading parameters of the reactor. What could make these nightmares materialize are vulnerabilities of the components: not only devices, but also communication links and protocols, software, apps, etc. And the question is – how do we secure these systems? A common approach is based on holistic risk assessment. But this is a topic for another post.

So, does the IoT bring a radical change to the DDoS attack landscape? If it does, which of the current approaches in addressing botnet issues and DDoS mitigation work and which do not? What new approaches are required? We welcome your thoughts, opinions and ideas here in the comments.

NDSS 2017 is Coming into Focus

The Network and Distributed System Security Symposium (NDSS 2017) is just around the corner (26 February – 1 March), and details of the program are quickly coming into focus. The full slate of activities includes two keynotes, two workshops, and a full program of excellent peer-reviewed academic research papers.

The Monday keynote speaker, J. Alex Halderman, is a Professor of Computer Science and Engineering at the University of Michigan and Director of Michigan’s Center for Computer Security and Society. In his keynote, “Recount 2016: A Security Audit of the Presidential Election”, he will be talking about electronic voting and his recent experience with recounts from the 2016 presidential election. He will explain how the recounts took place, what was learned, and what needs to change in the future. He will highlight the risks and opportunities associated with computerized voting.

The Wednesday keynote will feature Trent Adams, the Director of Information Security for PayPal, leading the Ecosystem Security team. In his keynote, “Securing the Ecosystem – Collaborating Inside and Out”, he will be talking about all the various approaches that PayPal takes to ensure the security of their systems and the information that those systems contain. He will highlight external collaborations with various organizations to help define standards and best operating procedures for security. This keynote will highlight PayPal’s Ecosystem Security approach including some success stories and next steps.

The main program of NDSS 2017 contains 68 high quality peer-reviewed research papers organized into 15 sessions spread over three days. A poster session will feature roughly 20 posters highlighting new and emerging work in its early stages.

Finally, NDSS 2017 will feature two workshops on the Sunday before the main symposium begins. The first workshop, Usable Security (USEC), is another in a series of Usable Security workshops held in conjunction with NDSS. This year’s USEC Mini-Conference will feature two keynotes, 11 peer-reviewed papers, and a panel discussion.

The second workshop, DNS Privacy, will bring together a mixture of research from a number of sources for a focused working session on the topic. The final programme is still under development, but this workshop promises to be an interactive working session involving a number of key researchers, developers, and implementers in this space.

All in all, I am excited by the development of the program, and I hope to see many of you in San Diego in a few weeks! You can also follow along via our social media channels – Twitter, Facebook, and LinkedIn, or search/post using #NDSS17.

Rough Guide to IETF 97: Internet of Things

The Internet of Things (IoT) is a buzzword around the Internet industry and the broader technology and innovation business. We are often asked what the IETF is doing in relation to IoT and in this short post for the IETF Rough Guide to IETF 97, I’d like to highlight some of the relevant sessions scheduled during the upcoming IETF 97 meeting in Seoul. First, though, I’d like to add a small advertisement for you to tune into the ISOC@IETF Briefing Panel on Tuesday, 15 November, during lunch on “The I in IoT: Implications for a Global Open Internet.” Registration to attend onsite is full, but you can watch the webcast live via this page.

Before talking about specific activities taking place in Seoul, I’d like to highlight a couple of recent IETF Journal articles that provide some background on IETF activity related to IoT. In “The Internet of Things Unchecked,” Dave Plonka provides a very timely call to take the threat posed by unmanaged IoT devices more seriously. Dave also includes some fascinating measurement results. “Low-Power Wide-Area Networks at the IETF” provides an excellent overview of the new breed of wireless technologies that are emerging to support a huge variety of IoT applications and introduces the new ipwave WG (more below). And finally, Samita Chakrabarti provides an update on the activity of the IPv6 over Networks of Resource-Constrained Nodes (6lo) Working Group that is developing specifications for running IPv6 over a range of wireless technologies suitable for IoT applications. More details of their meeting are provided below.

It’s also worth noting that the IAB is concerned about the risks posed by unmanaged IoT devices and recently held a workshop to discuss the challenges of providing software update mechanisms for constrained embedded devices. A draft report of the workshop proceedings is now available. The technical plenary in Seoul is also relevant and will include a moderated discussion of the recent Denial-of-Service attacks involving the use of compromised or misconfigured nodes and the architectural issues associated with the network being vulnerable to these attacks. There is some more detail here.

The Thing-to-Thing Research Group investigates open research issues in turning the IoT into reality. They will be meeting on Wednesday afternoon in Seoul to report out on various recent activities. The group will also be meeting jointly with the Information Centric Networking RG on Sunday November 13 in the morning (0900-1200), and there is a ‘Managing Networks of Things’ workshop taking place, also on Sunday, in the afternoon (1300-1700) at the Kensington Hotel Yoido.

The 6lo WG defines mechanisms to adapt IPv6 to a wide range of radio technologies, including “Bluetooth Low Energy” (RFC 7668), ITU-T G.9959 (as used in Z-Wave, RFC 7428), and the Digital Enhanced Cordless Telecommunications (DECT) Ultra Low Energy (ULE) cordless phone standard and the low-cost wired networking technology Master-Slave/Token-Passing (MS/TP) that is widely used over RS-485 in building automation. They will be meeting on Tuesday afternoon in Seoul.

The 6tisch WG was chartered in 2014 to enable IPv6 for the Time-Slotted Channel Hopping (TSCH) mode that was recently added to IEEE 802.15.4 networks. They are meeting on Thursday morning in Seoul.

Following on from a successful BoF meeting during IETF 96 in Berlin, the IPv6 over Low Power Wide-Area Networks (lpwan) WG has been chartered and will be meeting in Seoul for the first time. Typical LPWANs provide low-rate connectivity to vast numbers of battery-powered devices over distances that may span tens of miles, using license-exempt bands. This new WG will meet on Monday afternoon in Seoul.

Another relatively new WG is the IP Wireless Access in Vehicular Environments (ipwave) WG. This group’s primary deliverable is a specification for mechanisms to transmit IPv6 datagrams over IEEE 802.11-OCB mode. ipwave will meet on Wednesday afternoon in Seoul.

The core WG aims to extend the Web architecture to most constrained networks and embedded devices. This is one of the most active IoT working groups and they will be meeting twice in Seoul, on Wednesday afternoon and Friday morning.

Security for IoT is addressed in several WGs including the ace WG that is concerned with authenticated authorization mechanisms for accessing resources hosted on servers in constrained environments. ace will meet on Thursday afternoon.

Routing for IoT is tackled by the roll WG which focuses on routing protocols for constrained-node networks. Wednesday morning is the time for them to meet in Seoul.

Finally, in addition to the new protocols and other mechanisms developed by IETF working groups, IoT developers often benefit from additional guidance for efficient implementation techniques and other considerations. The Lightweight Implementation Guidance (lwig) WG is developing such documents and they will meet in Seoul on Thursday morning.

If you have an interest in how the IoT is developing and being standardised in the IETF, I hope to see you in person or online at some of these meetings during IETF 97.

Relevant Working Groups, BoFs, and Events at IETF 97

Technical Plenary
Wednesday, 16 November 2016, 1640-1910, Grand Ballrooms
Agenda: https://datatracker.ietf.org/meeting/97/agenda/ietf/

t2trg (Thing-to-Thing) RG
Wednesday, 16 November 2016, 1520-1620, Park Ballroom 1
Agenda: https://datatracker.ietf.org/meeting/97/agenda/t2trg/
Charter: https://irtf.org/t2trg

6lo (IPv6 over Networks of Resource-constrained Nodes) WG
Tuesday, 15 November 2016, 1550-1820, Grand Ballroom 2
Agenda: https://datatracker.ietf.org/meeting/97/agenda/6lo/
Documents: https://datatracker.ietf.org/wg/6lo/
Charter: http://datatracker.ietf.org/wg/6lo/charter/

6tisch (IPv6 over the TSCH mode of IEEE 802.15.4e) WG
Thursday, 17 November 2016, 0930-1100, Park Ballroom 1
Agenda: https://datatracker.ietf.org/meeting/97/agenda/6tisch/
Documents: https://datatracker.ietf.org/wg/6tisch/
Charter: http://datatracker.ietf.org/wg/6tisch/charter/

lpwan (IPv6 over Low Power Wide-Area Networks) WG
Monday, 14 November 2016, 1550-1750, Grand Ballroom 2
Agenda: https://datatracker.ietf.org/meeting/97/agenda/lpwan/
Documents: https://datatracker.ietf.org/group/lpwan/
Charter: https://datatracker.ietf.org/group/lpwan/charter/

core (Constrained RESTful Environments) WG
Wednesday, 16 November 2016, 1330-1500, Studio 2
Friday, 18 November 2016, 0930-1130, Studio 2
Agenda: https://datatracker.ietf.org/meeting/97/agenda/core/
Documents: https://datatracker.ietf.org/wg/core/
Charter: http://datatracker.ietf.org/wg/core/charter/

ace (Authentication and Authorization for Constrained Environments) WG
Thursday, 17 November 2016, 1520-1750, Studio 4
Agenda: https://datatracker.ietf.org/meeting/97/agenda/ace/
Documents: https://datatracker.ietf.org/wg/ace/
Charter: http://datatracker.ietf.org/wg/ace/charter/

roll (Routing Over Low power and Lossy networks) WG
Wednesday, 16 November 2016, 1110-1210, Park Ballroom 2
Agenda: https://datatracker.ietf.org/meeting/97/agenda/roll/
Documents: https://datatracker.ietf.org/wg/roll/
Charter: http://datatracker.ietf.org/wg/roll/charter/

lwig (Light-Weight Implementation Guidance) WG
Thursday, 17 November 2016, 1110-1210, Grand Ballroom 3
Agenda: https://datatracker.ietf.org/meeting/97/agenda/lwig/
Documents: https://datatracker.ietf.org/wg/lwig/
Charter: http://datatracker.ietf.org/wg/lwig/charter/

ipwave (IP Wireless Access in Vehicular Environments) WG
Wednesday, 16 November 2016, 1330-1500, Grand Ballroom 3
Agenda: https://datatracker.ietf.org/meeting/97/agenda/ipwave/
Documents: https://datatracker.ietf.org/wg/ipwave/
Charter: http://datatracker.ietf.org/wg/ipwave/charter/

Follow Us

There’s a lot going on in Seoul, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf97.

Rough Guide to IETF 97: Internet Infrastructure Resilience

Let’s look at what’s happening in the IETF and the upcoming IETF 97 meeting in the area of Internet infrastructure resilience. My focus in this Rough Guide to IETF 97 post is primarily on the routing and forwarding planes and specifically routing security and unwanted traffic of DDoS attacks. There is interesting and important work underway at the IETF that can help address problems in both areas.

The Secure Inter-Domain Routing (SIDR, http://datatracker.ietf.org/wg/sidr/) WG has made a significant contribution to the area of routing security by developing the RPKI system and security extensions to BGP – BGPSEC. Its work is almost done, with the core specifications being either approved as IETF standards, or waiting in the IESG queue for approval.

Now the real focus is on the deployment of these technologies and, related to this, on maintenance of the corresponding standards. This deployment must be properly handled to avoid the division of the Internet into separate networks.

A newly chartered SIDR Operations Working Group (sidrops) is aimed at developing guidelines for the operation of SIDR-aware networks, and providing operational guidance on how to deploy and operate SIDR technologies in existing and new networks.

From the charter (https://datatracker.ietf.org/wg/sidrops/charter/): “In the space of sidrops, the term operators will encompass a range of operational experience: CA Operators, Regional/National and Local Internet Registries, Relying Party software developers as well as the research/measurement community all have relevant operational experience or insight that this working group will consider in its work. The sidrops working group is focused on deployment and operational issues and experiences with SIDR technologies that are part of the global routing system, as well as the repositories and CA systems that form part of the SIDR architecture.”

The expectation is that the working group, if formed, will meet first at IETF 98. The proposed charter includes work items which are already underway.

In the area of route leaks there are still two proposals. One is an IDR WG document, “Methods for Detection and Mitigation of BGP Route Leaks”, where the authors suggest an enhancement to BGP that would extend the route-leak detection and mitigation capability of BGPSEC. The other is an independent submission, “Route Leak Detection and Filtering using Roles in Update and Open messages”. This proposal extends the BGP Open message so that two neighbouring BGP speakers agree on their relationship (peer, customer, provider, internal), which lets both sides enforce the appropriate configuration. Propagated routes are then marked with a flag according to the agreed relationship, allowing route leaks to be detected and mitigated.

There was no discussion of either approach on the mailing list, but a new version of “Route Leak Detection and Filtering using Roles in Update and Open messages” is on the agenda of the IDR WG meeting in Seoul.
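To make the role-based mechanism concrete, here is an added example in Python; it is not code from the post or from either draft. It models the idea in simplified form: each BGP session carries a neighbour role that both sides agreed on in the Open exchange, routes learned from a provider or peer are marked with a flag, a marked route is never sent on to a provider or peer, and a marked route arriving from a customer is reported as a leak. The flag name only_to_customer, the compatibility table, and the topology built from documentation ASNs and prefixes are assumptions constructed for this illustration.

```python
"""Simplified model of role-based BGP route-leak detection (added example).
Assumed names: only_to_customer is the leak marker; roles and the
compatibility table are a constructed approximation of the draft's idea."""
from __future__ import annotations
from dataclasses import dataclass, replace

# Relationship of a neighbour as seen from the local AS; "internal" is iBGP.
NEIGHBOR_ROLES = {"provider", "customer", "peer", "internal"}

# Role pairs (local claim, neighbour claim) that an Open-message negotiation
# would accept: the two sides must describe the same relationship.
COMPATIBLE = {("customer", "provider"), ("provider", "customer"),
              ("peer", "peer"), ("internal", "internal")}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple
    only_to_customer: bool = False   # constructed name for the leak marker


def roles_compatible(local: str, remote: str) -> bool:
    """Check the roles exchanged in Open; a mismatch means misconfiguration."""
    if local not in NEIGHBOR_ROLES or remote not in NEIGHBOR_ROLES:
        raise ValueError(f"unknown role: {local!r}/{remote!r}")
    return (local, remote) in COMPATIBLE


def ingress(route: Route, learned_from: str) -> tuple[Route, bool]:
    """Ingress policy. Returns (route as stored, leak_detected).

    Routes from a provider or peer are marked: they may only be passed on
    to customers. A marked route arriving from a customer means the customer
    re-exported something it learned upstream, which is a route leak."""
    if learned_from in ("provider", "peer"):
        return replace(route, only_to_customer=True), False
    if learned_from == "customer" and route.only_to_customer:
        return route, True
    return route, False


def egress_allowed(route: Route, send_to: str) -> bool:
    """Egress policy: a marked route goes only to customers and iBGP."""
    if send_to in ("customer", "internal"):
        return True
    return not route.only_to_customer


def simulate_leak_path() -> dict:
    """Constructed topology: AS 64496 (provider P1) -> AS 64500 (customer C)
    -> AS 64501 (P2, C's second provider). C re-exports P1's route to P2,
    the classic route leak. Returns what each policy point observed."""
    r = Route("203.0.113.0/24", (64496,))          # documentation prefix/ASN
    at_c, _ = ingress(r, "provider")               # C learns it from P1
    blocked = not egress_allowed(at_c, "provider")  # C's egress toward P2
    # If C's policy is misconfigured and it sends anyway, P2 detects the leak
    leaked = replace(at_c, as_path=(64500,) + at_c.as_path)
    _, leak_at_p2 = ingress(leaked, "customer")
    # Legitimate direction: C advertising its own prefix to P2 is not flagged
    own = Route("198.51.100.0/24", (64500,))
    _, false_alarm = ingress(own, "customer")
    return {"marked_at_customer": at_c.only_to_customer,
            "blocked_by_customer_egress": blocked,
            "detected_by_provider": leak_at_p2,
            "own_prefix_flagged": false_alarm}


if __name__ == "__main__":
    print(simulate_leak_path())
```

The point of the two-sided check is that detection does not depend on the leaking AS being well behaved: even when the customer's egress filter is missing, the provider sees the marker on a route it should never receive from a customer and can drop it.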

Related to the forwarding plane and DDoS specifically, a few meetings ago the draft “BLACKHOLE BGP Community for Blackholing” was introduced, initially to document a well-known community used for triggering blackholing at IXPs, similar to what DE-CIX is doing (https://www.de-cix.net/products-services/de-cix-frankfurt/blackholing). Several concerns were raised about the risk of abusing IXPs as a “filtering sink of the internet,” for example by law enforcement, which led to a more general document describing the use of this community by networks in general. The document was adopted by the GROW WG and was recently published as an informational RFC (https://datatracker.ietf.org/doc/rfc7999).
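As an added illustration of how a network can honour the BLACKHOLE community without becoming the “filtering sink” the discussion worried about, here is Python code that is not part of the post or of RFC 7999. It accepts a blackhole-tagged announcement only when the announcing neighbour is authorised for a prefix that covers it, only for host routes so that the blast radius stays small, and attaches NO_EXPORT to the accepted route so the blackhole does not propagate beyond the local AS. The community values are the well-known ones (BLACKHOLE is 65535:666, NO_EXPORT is 65535:65281); the neighbour names, the authorised-prefix table, and the sample updates are constructed for the example.

```python
"""Validation of incoming BLACKHOLE-tagged announcements (added example).
Assumed inputs: a per-neighbour table of authorised prefixes, such as one
generated from IRR or RPKI data; names and values here are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE = (65535, 666)      # well-known BLACKHOLE community (RFC 7999)
NO_EXPORT = (65535, 65281)    # well-known NO_EXPORT community


@dataclass
class Update:
    prefix: str
    from_neighbor: str
    communities: set = field(default_factory=set)


# Constructed sample: which prefixes each neighbour may announce at all
AUTHORIZED = {
    "cust-a": ["203.0.113.0/24", "2001:db8:1::/48"],
    "cust-b": ["198.51.100.0/24"],
}


def evaluate_blackhole(upd: Update, authorized=AUTHORIZED) -> tuple[str, set]:
    """Return (decision, communities to carry on the accepted route).

    Decisions: "normal" (no blackhole requested), "blackhole" (accepted),
    or a string starting with "reject: " explaining the refusal."""
    net = ipaddress.ip_network(upd.prefix, strict=True)
    if BLACKHOLE not in upd.communities:
        return "normal", set(upd.communities)

    # 1. The neighbour must be authorised for a covering prefix of the
    #    same address family; otherwise anyone could null-route anything.
    covering = [ipaddress.ip_network(a) for a in authorized.get(upd.from_neighbor, [])]
    if not any(net.version == c.version and net.subnet_of(c) for c in covering):
        return "reject: prefix not authorized for neighbor", set()

    # 2. Only host routes (/32 or /128) are blackholed, so a request can
    #    never take down more than a single address.
    if net.prefixlen != net.max_prefixlen:
        return "reject: blackhole requires a host route", set()

    # 3. Accept, but keep the blackhole inside our own AS.
    return "blackhole", set(upd.communities) | {NO_EXPORT}


if __name__ == "__main__":
    samples = [
        Update("203.0.113.7/32", "cust-a", {BLACKHOLE}),   # valid request
        Update("198.51.100.5/32", "cust-a", {BLACKHOLE}),  # not cust-a's space
        Update("203.0.113.0/24", "cust-a", {BLACKHOLE}),   # whole /24, too broad
        Update("203.0.113.0/24", "cust-a", set()),          # ordinary route
    ]
    for s in samples:
        print(s.prefix, s.from_neighbor, "->", evaluate_blackhole(s))
```

The same three checks map directly onto a router's import policy: a prefix-list per neighbour, a prefix-length condition, and a community rewrite on match; keeping them explicit in one function makes it easy to test that a neighbour cannot blackhole addresses it does not own.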

Also in the same problem area, the DDoS Open Threat Signaling (DOTS, http://datatracker.ietf.org/wg/dots/) WG is making good progress. The goal of the group is to develop a communications protocol intended to facilitate the programmatic, coordinated mitigation of DDoS attacks via a standards-based mechanism. This protocol should support requests for DDoS mitigation services and status updates across inter-organizational administrative boundaries.

The agenda of the WG meeting at IETF 97 includes discussion of the use cases, the requirements draft, the architecture of the system, and the data and information model, including the telemetry specification.

I hope this work will lead to an effective solution for this huge problem of the Internet and facilitate necessary cooperation across network administrative domains.

Related Working Groups at IETF 97

SIDR (Secure Inter-Domain Routing) WG
Thursday, 17 November, 15:20-17:50, Studio 2
Agenda: https://datatracker.ietf.org/meeting/97/agenda/sidr/
Charter: https://datatracker.ietf.org/wg/sidr/charter/

GROW (Global Routing Operations) WG
Wednesday, 16 November, 11:10-12:10, Grand Ballroom 2
Agenda: https://datatracker.ietf.org/meeting/97/agenda/grow/
Charter: https://datatracker.ietf.org/wg/grow/charter/

IDR (Inter-Domain Routing Working Group) WG
Tuesday, 15 November, 15:50-18:20, Grand Ballroom 3
Agenda: https://datatracker.ietf.org/meeting/97/agenda/idr/
Charter: https://datatracker.ietf.org/wg/idr/charter/

DOTS (DDoS Open Threat Signaling) WG
Friday, 18 November, 09:30-11:30, Park Ballroom 1
Agenda: https://datatracker.ietf.org/meeting/97/agenda/dots/
Charter: https://datatracker.ietf.org/wg/dots/charter/

Follow Us

There’s a lot going on in Seoul, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see https://dev.internetsociety.org/tag/ietf97/.

Rough Guide to IETF 97: All About IPv6

In this post for the Internet Society Rough Guide to IETF 97, I’ll take a look at some recent IPv6 activity and what’s happening at IETF 97 in Seoul next week.

It’s been a good year for IPv6 with several sources indicating that global IPv6 adoption rates have increased by nearly 50% during 2016, with a number of large ISPs, mobile operators and content providers actively deploying the protocol. Whilst IPv6 has been supported by major operating systems for some time, native IPv6 is also increasingly being supported by applications and networks, thus reducing reliance on transition mechanisms and tunnelling. This in turn is improving the performance and reliability of IPv6, therefore increasing the chances of establishing an IPv6 connection in preference to one using IPv4.

IANA has recently been able to allocate an additional /18 from the recovered pool of IPv4 to each of the Regional Internet Registries, and has further allocations planned every six months until March 2019. However, if no more blocks are returned, then this will be the last allocation of IPv4 addresses. Furthermore, network operators have increasingly been running into limitations with the available size of private IPv4 space, especially for mobile markets and upon acquisition of other operators using overlapping addresses. The complexity this introduces is another reason why more operators are increasingly realising the need to deploy IPv6.

IPv6 therefore continues to be an important aspect of the standardisation work within the IETF, with both the IPv6 Operations (v6ops) and IPv6 Maintenance (6man) Working Groups meeting at IETF 97 in Seoul. We should highlight though, that the Sunsetting IPv4 Working Group will also be meeting on Thursday morning to discuss another new draft proposing that the IETF stops working on IPv4 except to address security issues or facilitate the transition to IPv6. A previous draft by the same author that proposed to move IPv4 to historic status and thereby no longer recommended for use on the Internet did not reach RFC status, although it generated some interesting discussion and thought as to whether the IETF should continue to work on IPv4 technologies.

The IPv6 Operations (v6ops) Working Group is fairly early in the week this time, meeting on Monday afternoon. There are four drafts up for discussion, including two new ones. The draft related to enterprise multihoming aims to define a solution to the problem of connecting an enterprise site to multiple ISPs using provider-assigned addresses without the use of Network Address Translation. The other new draft suggests reserving the IPv6 prefix 64::/16 for use with IPv4/IPv6 translation mechanisms.

An updated existing draft provides advice on routing-related design choices when designing IPv6 networks, and compares IPv4 and IPv6 best practices. Last but not least, there’s an update on the draft relating to unique IPv6 prefixes per host that aims to address certain issues related to IPv6 deployment in community wi-fi scenarios.

The IPv6 Maintenance (6man) Working Group meets on Tuesday morning to once again discuss a number of updates to the IPv6 specification as currently defined in RFC 2460, RFC 4291, and RFC 1981. Another draft outlines an optional mechanism for IPv6 Neighbour Discovery whereby hosts are instructed by routers to use router solicitations rather than multicast advertisements where it’s not desirable for all hosts to be continually woken up (e.g. when in powered-down mode).

Three other individually sponsored drafts define a new control bit in IPv6 RA PIO flags to indicate that the receiving node is the exclusive receiver of traffic destined to any address within a prefix; specify requirements for IPv6 nodes; and specify a packet format for transporting IPv6 payloads to multiple IPv6 destinations using Bit Index Explicit Replication, which is a method of multicasting.

The Homenet (homenet) Working Group develops protocols for residential networks based on IPv6, and will meet on Wednesday afternoon. Although normally one of the more active groups, it has a relatively quiet agenda this time after publishing RFCs 7787 and 7788 earlier in the year.

There are a couple of new drafts though, one of which proposes an update to the Home Networking Control Protocol (HNCP) specification to eliminate the recommendation for a default top-level name for local name resolution (https://tools.ietf.org/html/draft-ietf-homenet-redact-00). The other one defines .homenet as a special-use top-level domain to replace .home, as there is evidence that .home queries frequently leak out of their local environments and reach the root name servers (https://tools.ietf.org/html/draft-pfister-homenet-dot-00). There’s also an updated draft being discussed (https://tools.ietf.org/html/draft-lemon-homenet-naming-architecture-01) on the Homenet Naming and Service Discovery Architecture that covers how services advertise and register themselves both on the homenet and on the public Internet.

The IPv6 over Networks of Resource-Constrained Nodes (6lo) Working Group is meeting on Tuesday afternoon, and has a very full agenda with two new drafts and five updated drafts up for discussion. The two drafts of wider interest are probably those on 6lo Applicability and Use Cases which describe practical deployment scenarios, and on 6lo privacy threats.

The IPv6 over the TSCH mode of IEEE 802.15.4e (6tisch) Working Group is meeting on Thursday morning, and will consider drafts related to scheduling and security issues. There are particularly interesting drafts on the minimal security framework for 6TiSCH, which describes the mechanism required to support secure initial configuration of a device being added to a 6TiSCH network, as well as one on the Secure Join protocol, which defines a standard way of introducing new nodes into a 6TiSCH network that does not involve any direct manipulation of the nodes themselves.

We don’t often cover the Distributed Mobility Management (dmm) Working Group, which focuses on providing solutions for traffic management when mobile hosts or mobile networks change their point of attachment to the Internet. In particular, it has responsibility for maintaining the Mobile IPv6 protocol family, but DMM solutions are not required to support IPv4. This working group will be meeting first thing on Monday morning, and will be discussing five drafts including the mobility needs for 5G wireless (https://tools.ietf.org/html/draft-ietf-dmm-distributed-mobility-anchoring-02), and extensions to the DHCPv6 protocol to enable mobile hosts to indicate the required mobility service type (https://tools.ietf.org/html/draft-moses-dmm-dhcp-ondemand-mobility-04).

Finally, there are a couple of IPv6-related drafts in the Dynamic Host Configuration (dhc) Working Group on Friday morning. There is a proposed update to DHCPv6 as currently defined in RFC 3315, which adds prefix delegation and stateless DHCPv6. Meanwhile there’s another updated draft on DHCPv4 over DHCPv6 that provides a mechanism for dynamically configuring IPv4 over an IPv6-only network.

At the Internet Society, we continue to promote IPv6 deployment. You can check out the World IPv6 Launch measurements for our latest measurements of IPv6 around the globe: http://www.worldipv6launch.org/measurements

You can also check out the Deploy360 online resources for getting started with IPv6 deployment:

And you can read more about other topics of interest to the technology programs of the Internet Society in the rest of our Rough Guide to IETF 97 posts.

IPv6-related Working Groups at IETF 97:

v6ops (IPv6 Operations) WG
Monday, 14 November 1330-1530 UTC+9, Grand Ballroom 2
Agenda: https://datatracker.ietf.org/meeting/97/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/documents/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/

6man (IPv6 Maintenance) WG
Tuesday, 15 November 0930-1200 UTC+9, Grand Ballroom 2
Agenda: https://datatracker.ietf.org/meeting/97/agenda/6man/
Documents: https://datatracker.ietf.org/wg/6man/documents/
Charter: https://datatracker.ietf.org/wg/6man/charter/

Homenet (Home Networking) WG
Wednesday, 16 November 1330-1500 UTC+9, Grand Ballroom 1
Agenda: https://datatracker.ietf.org/meeting/97/agenda/homenet/
Documents: https://datatracker.ietf.org/wg/homenet/documents/
Charter: https://datatracker.ietf.org/wg/homenet/charter/

6lo (IPv6 over Networks of Resource Constrained Nodes) WG
Tuesday, 15 November 1550-1820 UTC+9, Grand Ballroom 2
Agenda: https://datatracker.ietf.org/meeting/97/agenda/6lo/
Documents: https://datatracker.ietf.org/wg/6lo/documents/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6lo/

6tisch (IPv6 over the TSCH mode of IEEE 802.15.4e) WG
Thursday, 17 November 0930-1100 UTC+9, Park Ballroom 1
Agenda: https://datatracker.ietf.org/meeting/97/agenda/6tisch/
Documents: https://datatracker.ietf.org/wg/6tisch/documents/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6tisch/

dmm (Distributed Mobility Management) WG
Monday, 14 November 0930-1200 UTC+9, Studio 4
Agenda: https://datatracker.ietf.org/meeting/97/agenda/dmm/
Documents: https://datatracker.ietf.org/wg/dmm/documents/
Charter: https://datatracker.ietf.org/wg/dmm/charter/

dhc (Dynamic Host Configuration) WG
Friday, 18 November 1150-1320 UTC+9, Park Ballroom 2
Agenda: https://datatracker.ietf.org/meeting/97/agenda/dhc/
Documents: https://datatracker.ietf.org/wg/dhc/documents/
Charter: https://datatracker.ietf.org/wg/dhc/charter/

sunset4 (Sunsetting IPv4) WG
Thursday, 17 November 1110-1210 UTC+9, Studio 2
Agenda: https://datatracker.ietf.org/meeting/97/agenda/sunset4/
Documents: https://datatracker.ietf.org/wg/sunset4/documents/
Charter: https://datatracker.ietf.org/doc/charter-ietf-sunset4/

Follow Us

There’s a lot going on in Seoul, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see https://dev.internetsociety.org/tag/ietf97/.