March 2012 archive

3 Months To World IPv6 Launch… Are You Getting Ready?

World IPv6 Launch is only 3 months away on June 6, 2012 -

What are you doing today to be ready?

If you don’t already have plans underway, can you think of a simple project to get started?  Perhaps look at how to get your home network running IPv6?  Or get your website running IPv6?

Here at the Deploy360 Programme, we’ve got some resources that can help – and we’ll be adding more and more to those resources over the next few months:

Beyond our constant stream of new Deploy360 blog posts related to IPv6, you can also now follow World IPv6 Launch activities directly in social media and interact with others who are launching IPv6:

Please follow, like or add the World IPv6 Launch accounts to a circle… and help spread the word that IPv6 launches permanently on June 6, 2012!

And please let us know how we can help you get started with IPv6!

Gandi.net Adds Support For DNSSEC DS Records

On Friday we learned that Gandi.net is joining the ranks of domain name registrars supporting DNSSEC. In a blog post on their “Gandi Bar” site, “Thomas” outlines the level of support Gandi.net is providing and points over to a wiki post explaining in more detail how to set up DNSSEC for your domains.

It’s important to note that Gandi.net is not providing DNSSEC-signing services – and in fact you cannot use Gandi.net’s own DNS servers for hosting your DNS as their hosting servers do not provide DNSSEC support yet. However, if you host your DNS records on a service that does support DNSSEC, Gandi.net can handle all the relevant Delegation Signer (DS) records for you. We previously provided a step-by-step example of configuring DNSSEC in this manner using GKG.net. It seems that Gandi.net works in a similar manner although it appears you provide them with your full public key and they then generate the relevant DS records.

What is nice to see is that Gandi.net supports a wide range of top-level domains (TLDs), including:

  • .be
  • .biz
  • .com
  • .de
  • .eu
  • .fr (+ .re, .yt, .pm, .wf, .tf)
  • .net
  • .se
  • .us

Further, in their blog post they commit to providing support for even more TLDs in the future.  Given that ICANN’s list of DNSSEC-enabled registrars only lists a few registrars supporting multiple TLDs, this news out of Gandi.net is great to see.

We’ve queued them up to add to our list of tutorials for signing your domain with DNSSEC using domain name registrars and look forward to seeing more DNSSEC-signed domains coming out of Gandi.net customers.

P.S. Have you signed your domain today?

Congrats to Skype On Hitting 35 Million Online Users!

Congrats to the folks at Skype as they cross over the milestone of having 35 million users online at the same time, just a week after crossing over the 34 million mark! That's certainly a great accomplishment and the recent growth is quite interesting.

It's not entirely clear to me the source of the growth, but perhaps it is most attributable to the Windows Phone beta version of Skype they released last week. Any Skype users with Windows Phones (and given that they are part of Microsoft now there are probably a good number just within Microsoft) are now going to have a way to stay online more. Perhaps it's also the new Skype-enabled TVs. Regardless, it's great to learn of the growth.

Of course, on the Mac 5.5 version of Skype I can't see the growth myself as there still seems to be no way to see the number of online users in the Mac client.

As I wrote about way back in November 2010, the Skype 2.8 client used to show the number of online users in the lower right corner of the client:


Now that number is nowhere to be seen. As I noted in that article, with the early 5.0 version for the Mac there was a "/mac users" command you could type in a chat window to get the number, but that command no longer works in the 5.5 client.

So I haven't a clue how we in the Mac world can know for ourselves the number of people online.

UPDATE: It turns out that simply "/users" in any Skype chat on the Mac will give you the number of online users. Here's an example:

[3/6/12 8:24:01 AM] System: There are 32,145,771 Skype users online

Thanks to Jim Courtney for confirming this after a tip from a Skype contact.

Not that it really matters... I mean... I'd far rather see a Skype developer work on giving us the ability to see multiple chat windows simultaneously (like Skype for Windows users can) than to work on a way to display a number that is perhaps only of interest to techies like me. Still, it would be fun to have some way to see it. (And the lack of such a display is probably why I haven't written about milestones like this since back in January 2011 when Skype crossed over 27 million.)

I left a comment asking about this on Skype's blog post, but it hasn't yet been approved. We'll see if it gets posted and if there is an answer.

Regardless of all of that, I'll again say CONGRATULATIONS to the folks at Skype... and I'm looking forward to seeing Skype's continued growth in the months and years ahead.




NSA Develops Secure Android Phones For Top Secret Calls

An interesting piece in the Australian edition of SC Magazine covers a recent presentation at RSA 2012 by Margaret Salter, head of the US National Security Agency (NSA) Information Assurance Directorate. She spoke about the NSA's "Mobility Program" that aims to provide secure communication for government agencies using commercial "off the shelf" equipment.

The SC article focuses on the "Fishbowl" phones designed by the NSA and includes a number of interesting comments on the state of security implementations provided by vendors. It mentions that the NSA was looking to use SSL VPNs but due to a lack of interoperability wound up using IPSEC instead. Similarly they were looking to use DTLS-SRTP, but didn't find the implementations and so instead used "descriptions". The article has this excellent statement by Salter (my emphasis added):

Salter said the security specifications, such as those sought for the voice application, would be useful to everyone.

She urged colleagues to demand vendors improve unified communications interoperability.

“We need to send a message [about] standards, interoperability and plug and play,” she said.

This need for interoperability and standards support was certainly one of the themes I tried to bring out in the book. It is indeed critical for the long term success of securing unified communications systems.

I also found it interesting that the NSA encrypts the voice twice:

Voice calls are encrypted twice in accordance with NSA policy, using IPSEC and SRTP, meaning a failure requires “two independent bad things to happen,” Salter said.

While there certainly is value in having multiple layers of security, I do wonder what this means in terms of computational overhead and/or latency. As our mobile phones have become more powerful, perhaps this is no longer a major concern.

Separate from the article, I was intrigued to read over on the NSA Mobility Program page that the first document they are releasing is the "Enterprise Mobility Architecture for Secure Voice over Internet Protocol (SVoIP)". From the page:

The first Mobility Capability document to be released is the initial draft release of the Enterprise Mobility Architecture for Secure Voice over Internet Protocol (SVoIP). It is intended to be a living reference that will be updated to keep pace with technology and policies as they change over time, as additional security products and services are developed, and as lessons learned from early adopters of this architecture are applied. As a first step, this version contains guidance on the required procedures necessary to build and implement a SVoIP capability using commercial grade cellular mobile devices. Future releases will build on this architecture and will include mobile device management and data applications; and ultimately integrate the WIFI service with an expanded list of end devices.

The 100+ page PDF file looks to be a fairly comprehensive view into what is involved with rolling out a secure mobile communications solution. It's great to see this from the NSA and it is a great contribution to the ongoing efforts to secure VoIP communications.


NIST To Require US Government Agencies to Validate DNSSEC

Our friends over at the DNSSEC Deployment Initiative have noted today that the US National Institute of Standards and Technology (NIST) has announced proposed changes to the Federal Information Security Management Act (FISMA) controls that include among the many changes two relating to DNSSEC. The critical change is “SC-21” as explained by the DNSSEC Deployment Initiative folks:

SC-21 is changed to require “[t]he information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.”  This means that all Federal systems must either request and validate DNSSEC responses, or have a trusted link to a validator that can provide that service for the system. Control SC-21 is also changed to be required for all security levels (Low, Moderate and High).

Essentially this means that when this is fully implemented all US government systems should be consumers/users of DNSSEC, meaning that they will validate domains if they are signed with DNSSEC.

The article also notes that this new requirement will become official 12 months from the final publication of the NIST document, expected to be July 2012.  The document released last week by NIST is a draft of “Special Publication 800-53 Revision 4” that is open for public comment through April 6, 2012.

It’s great to see this requirement being added to FISMA controls and as it rolls out it will definitely increase the usage and visibility of DNSSEC.

A new “Introduction to Deploy360” promotional video – comments?

Last week we had the whole team working on the Deploy360 Programme in our Reston, VA, office and so we took a moment to shoot some video segments describing the program.  I spent some time with iMovie and the result is this “promotional video” about our program. Our intent with this is to have it available to explain to people in a little under 3 minutes what it is we are doing with the Deploy360 Programme.

Comments and feedback are welcome – what do you think of this as a way to promote what we are doing?

P.S. And yes, the audio/podcast guy in me wishes the audio were a bit crisper, but unfortunately I didn’t have my audio recording gear with me and so what you are hearing is the audio recorded by my Nikon D90 DSLR. Another time I’ll have my audio kit with me… :-)

Friday Video: Close Encounters with IPv6

Continuing our trend of providing something humorous about IPv6 or DNSSEC on Friday afternoons, here’s a view on why the Close Encounters aliens might have left our planet before really saying hello:

I’m guessing the folks at BlueCat Networks had a wee bit of fun with that one… :-)

P.S. Seen any funny videos out there related to IPv6 or DNSSEC that we haven’t yet featured? If so, please do let us know! Still looking for that video about IPv6 and kittens… ;-)

Knot DNS – New DNS server supporting DNSSEC

The folks over at CZ.NIC Labs just released a brand new DNS server called “Knot,” available for download at:

http://www.knot-dns.cz/

(Click on “en” at the top left of the page to read it in English.)

As they say on the page:

Knot DNS is a high-performance authoritative-only DNS server which supports all key features of the domain name system including zone transfers, dynamic updates and DNSSEC.

I’ve not yet had a chance to work with it myself, but Jan-Piet Mens wrote about his experience with Knot over on his site.   To try it yourself, you can download Knot DNS from the site as a tarball or clone the git repository.

It’s great to see new tools and servers emerging that include DNSSEC support and it will be interesting to watch how Knot DNS evolves.

BT Launches IPv6 Resource Centre

In preparation for World IPv6 Launch on June 6, BT is launching an IPv6 Resource Center. As BT’s Tim Rooney states:

I’d recommend estimating that date for you (if you ever believe it will happen) and working backwards to devise a plan to support an IPv6 Internet presence. With a plan in place, you can estimate the plan execution time (make sure you add some fudge time due to inevitable unforeseen issues) and be ready to invoke it with enough lead time to complete it by your IPv6 Density or “D-Day.”

BT’s IPv6 Resource Centre includes links to webinars, videos, whitepapers and more.
