December 2012 archive

Introducing a New Deploy360 Topic: Routing Resiliency / Routing Security


How reliable and secure is the Internet’s underlying routing infrastructure? How well does it hold up in the face of a major event such as the recent Hurricane Sandy that hit the US? How well can it withstand attacks and misconfiguration errors?  As we continue to move more and more of our communication into the “cloud” of the Internet, how secure and reliable is the underlying routing fabric that holds it all together?

Over the past year here at Deploy360, we have been talking a great deal about how we need to get IPv6 deployed to enable more connections to the Internet… more networks, more devices, more “Internet of Things” and more people as there are still 5 billion people yet to get online.  We’ve also been talking about how we need to get DNSSEC more widely deployed to create a more secure Internet and to enable a whole new realm of innovations such as the DANE protocol that can create a stronger security layer.

But it’s become increasingly clear to us that as we get more people connected to the Internet and even as we add security layers like DNSSEC, there is another area where we need to greatly increase the conversation.

The truth is… the Internet today IS highly reliable, even in the cases of events like Hurricane Sandy. The Internet, as we like to say, “routes around damage.”  Even in the face of malicious attacks to sections of the Internet, the overall network has continued to function.

But…

… as the Internet continues to evolve and the number of network operators expands… as we bring the next billion people online… as we interconnect even more devices and things… we need to ensure that the Internet’s underlying routing infrastructure is both reliable and secure.  There is room today for improvement.

A New Topic: Routing

And so we are launching a new area on our site that we are calling simply “Routing”, where we will focus on providing real-world deployment information to the global operator community related to “routing security” and “routing resiliency.”

The term “resiliency” is an important one, and a common definition for a network is:

the ability of the network to provide and maintain an acceptable level of service in the face of various faults and challenges to normal operation.

Ultimately that is our goal – doing what we can to work with the operator community to ensure the resilience of the Internet’s routing infrastructure.  A part of that is “routing security,” but the topic is really much larger and dives into operational practices, policies and other areas.

As we have with IPv6 and DNSSEC (and will be continuing to do as we build out our roadmaps for those topics), we’ll start with a foundation of information including:

  • Reports and studies on best current operational practices (BCOPs) for routing resiliency and security
  • Case studies of how BCOPs are deployed and effectively used – as well as case studies of recent routing incidents
  • Tools that can be used to help better understand how resilient and secure your routing infrastructure is
  • Sites with statistics and data to help you understand the overall situation

We’ll focus on finding or creating the best tutorials, whitepapers, reports, videos, statistics, sites and tools, just as we’ve done with IPv6 and DNSSEC. As in the other topics, we’ll be looking to promote resources created by many of you who are reading this message.  And where we can’t find resources others have created, we’ll go ahead and create them either ourselves or through partners. We’ll also naturally be adding in routing-related posts to our constant stream of more news-related blog posts.

Note that this “routing resiliency/security” topic will be a bit different than our other areas in that we are not focusing on a specific protocol but rather on a broader topic.

Certainly over the next few months after we’ve built the foundation we will explore some of the protocols that are being discussed now within the IETF such as Secure BGP (BGPSEC) and the Resource Public Key Infrastructure (RPKI) – but they will again be discussed within this broader context of how they are part of the puzzle – “building blocks,” really – of making the Internet more resilient and secure.  We’ll also be integrating and promoting some of the routing security work we’ve been doing for some time now, such as the routing security “operator roundtables” we’ve held.

It’s an ambitious topic … and more than one person has said to us something like “Wow! Making DNSSEC and IPv6 interesting was hard enough… now you are going to dive down into BGP and the guts of routing? Are you crazy?” And yes, we’re aware that the community of people who even know about all this stuff is tiny, let alone those who really understand it.

But that’s what we want to change!  We want more people to understand how the Internet really works down underneath, so that they, too, can understand what we need to do to ensure it continues to be the vibrant Internet we’ve come to expect.

It’s important, too, for the future of the open Internet… and for the billions of people and devices yet to connect.  As a report from ENISA so nicely puts it:

There may well not be an immediate cause for concern about the resilience of the Internet interconnection ecosystem, but there is cause for concern about the lack of good information about how it works and how well it might work if something went very badly wrong.

We aim to help change that!

How You Can Help

Want to join us in this quest to improve routing resiliency and security?  While we’re starting to add resources and pages to the site, there are a couple of ways you can help us out:

1. Read the reports we’ve listed. You may want to start with the excellent report, “Inter-X: Resilience of the Internet Interconnection Ecosystem,” that summarizes the situation and offers suggestions for how to move forward.  The 31-page summary document is enough to get started … although the truly hard-core may enjoy the 239-page “full” report. From there you can move on to the other documents for a deeper understanding.

2. Send us suggestions – if you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.

3. Volunteer – if you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we’ll get you plugged in when we get the volunteer effort going in the next few months.

4. Help us spread the word – As we publish resources and blog posts relating to routing resiliency / security, please help us spread those links through social networks so that more people can learn about the topic.

With your help, we can build out this Routing area of Deploy360 to be an outstanding resource for the Internet community and to help make the Internet more resilient and secure!

 


ENISA Report: Resilience of the Internet Interconnection Ecosystem

Seeking to understand routing resiliency and routing security? In this April 2011 report, “Inter-X: Resilience of the Internet Interconnection Ecosystem”, the European Network and Information Security Agency (ENISA) provides an extremely thorough understanding of the complex ecosystem of connections between networks.

This document is highly recommended to anyone looking to understand how the Internet operates – and where there are opportunities for improvement.

As noted on the introductory web page, the study:

…looks at the resilience of the Internet interconnection ecosystem. The Internet is a network of networks, and the interconnection ecosystem is the collection of layered systems that holds it together. The interconnection ecosystem is the core of the Internet, providing the basic function of reaching anywhere from everywhere.

where “resilience” is defined as:

the ability to provide and maintain an acceptable level of service in the face of various faults and challenges to normal operation.

The comprehensive study outlines the challenges to both measuring the infrastructure of the Internet and to understanding the resilience of the network.  A key point is:

There may well not be an immediate cause for concern about the resilience of the Internet interconnection ecosystem, but there is cause for concern about the lack of good information about how it works and how well it might work if something went very badly wrong.

The report sets out to capture a good bit of that information and to lay out recommendations about how further work may be undertaken.  The document is available in two versions:

  • a 31-page “Executive Summary” report (PDF) that presents the major findings and recommendations and provides a decent tutorial into the issues and challenges.
  • a 239-page “Full” report (PDF) that goes into great detail about the “state of the art” with regard to routing and Internet interconnections, includes a section about how the report was developed and then includes a lengthy bibliography that is very useful in and of itself.

While originating in Europe, the document and its recommendations are globally applicable.

For a taste of the document, here is the table of contents of the Executive Summary report:

1 Summary

  • 1.1 Scale and Complexity
  • 1.2 The Nature of Resilience
  • 1.3 The Lack of Information
  • 1.4 Resilience and Efficiency
  • 1.5 Resilience and Equipment
  • 1.6 Service Level Agreements (SLAs) and ‘Best Efforts’
  • 1.7 Reachability, Traffic and Performance
  • 1.8 Is Transit a Viable Business?
  • 1.9 The Rise of the Content Delivery Networks
  • 1.10 The “Insecurity” of BGP
  • 1.11 Cyber Exercises on Interconnection Resilience
  • 1.12 The “Tragedy of the Commons”
  • 1.13 Regulation

2 Recommendations

  • Incident Investigation
  • Data Collection of Network Performance Measurements
  • Research into Resilience Metrics and Measurement Frameworks
  • Development and Deployment of Secure Inter‐domain Routing
  • Research into AS Incentives that Improve Resilience
  • Promotion and Sharing of Good Practice on Internet Interconnections
  • Independent Testing of Equipment and Protocols
  • Conduct Regular Cyber Exercises on the Interconnection Infrastructure
  • Transit Market Failure
  • Traffic Prioritisation
  • Greater Transparency – Towards a Resilience Certification Scheme

More information about the report can be found on the ENISA web site.

Call For Presenters – ICANN DNSSEC Deployment Workshop, April 10 in Beijing

Do you have some DNSSEC deployment experience you would like to share with the broader community? Could you present a case study of how you deployed DNSSEC resolvers within your network?  Have you created a new tool that automates or simplifies the usage of DNSSEC?

On April 10, 2013, there will be another “DNSSEC Deployment Workshop” at ICANN 46 in Beijing, China.  The recent DNSSEC workshop at ICANN 45 in Toronto was outstanding and had an excellent collection of case studies, statistics, new tools and more.

The program committee for the ICANN 46 workshop in Beijing has now issued a call for presentations and is seeking speakers on a variety of DNSSEC-related topics.  The full call for presenters is included below.

The deadline for submitting a proposal is JANUARY 15, 2013!

As noted below, you only need to send in a brief couple of sentences about what you would like to speak about.  If accepted you will then need to send in more information, slides, etc.  You need to send your proposal to dnssec-beijing@shinkuro.com by January 15th.

In full disclosure, I’ll note that I will be joining the program committee and so I will be one of the group of people reviewing proposals.  These events have turned out to be an excellent place for a gathering of the DNSSEC community and I would strongly encourage you to consider submitting a proposal!

As far as logistics go, attendance at ICANN 46 is free… you just need to get yourself to Beijing and pay for lodging, etc.  If you have never been to an ICANN meeting, the entire week is quite a fascinating view into the governance of domain names.

And here is the full call for presenters…


The DNSSEC Deployment Initiative, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), is planning a DNSSEC Workshop at the ICANN meeting in Beijing, China on 10 April 2013.  The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.  For reference, the most recent session was held at the ICANN Toronto meeting on 17 October 2012. The presentations and transcripts are available at http://toronto45.icann.org/node/34375.

We are seeking presentations on the following topics:

1.  DNSSEC Activities in Asia Pacific

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in the Asia Pacific region as well as those who have a keen interest in the challenges and benefits of deployment.  Key questions to consider include: What would help to promote DNSSEC deployment?  What are the challenges you have faced when you deployed DNSSEC?

2. The Operational Realities of Running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What’s best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? Has DNSSEC made DNS more ‘brittle’ or is it just a run-of-the-mill operational practice? What operational statistics have we gathered about DNSSEC? Is it changing DNS patterns? How are our nameservers handling DNSSEC traffic? Is the volume as expected? Have we seen anything unusual?  Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

3.  DNSSEC and Enterprise Activities

DNSSEC has always been seen as a huge benefit to organizations looking to protect their identity and security on the Web. Large enterprises are an obvious target for DNS hackers and DNSSEC provides an ideal solution to this challenge. This session aims to look at the benefits and challenges of deploying DNSSEC for major enterprises. Topics for discussion:

  • What is the current status of DNSSEC deployment among enterprises?
  • What plans do the major enterprises have for their DNSSEC roadmaps?
  • What are the challenges to deployment for these organizations?  Do they foresee raising awareness of DNSSEC with their customers?

4. When Unexpected DNSSEC Events Occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

5.  Preparing for Root Key Rollover

For this topic we are seeking input on issues relating to root key rollover.  In particular, we are seeking comments from vendors, ISPs, and the community that will be affected by distribution of new root keys.

6.  DNSSEC: Regulative, Legislative and Persuasive Approaches to Encouraging Deployment

There are many models in discussion for encouraging the take-up of DNSSEC amongst TLDs. In some jurisdictions we have seen governmental edicts insisting that DNSSEC is deployed across a Top Level Domain. In others, we have seen reports produced for governments highlighting the lack of take up and the need for tighter control amongst operators. Recently, we have witnessed the consideration  of mandated DNSSEC signing of zones by some TLDs in order to gain access to newer premium domains.  Have any of these approaches worked in encouraging take up of DNSSEC? What role does a national government have in assisting deployment of DNSSEC? How are some of these measures perceived by registrars, DNS operators, ISPs and registrants?

7. DANE and Other DNSSEC Applications

Using DNSSEC as a means of authentication for http transactions is an exciting development of DNSSEC. What is the progress of the DNS-Based Authentication of Named Entities (DANE) initiative?  How soon could DANE become a deployable reality and what will be the impact of such a deployment, e.g. impact on traditional certification authorities (CAs)?

8.  Use of DNSSEC in the Reverse Space

This topic includes signed reverse zones, security products using reverse DNS lookup for DNSSEC validation?

9.  The Great DNSSEC Panel Quiz

Ever fancied pitting your wits against your colleagues?  Demonstrate your knowledge and expertise in DNSSEC in our Great DNSSEC Panel Quiz.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-beijing@shinkuro.com by 15 January 2013.

Live Webcast at 8:30am: WCIT Post Mortem with ISOC DC Chapter

What happened with the World Conference on International Telecommunications (WCIT) last week in Dubai? In about 25 minutes, at 8:30 US Eastern time, the Internet Society DC Chapter will be hosting a panel discussion doing a "post mortem" on the WCIT event. Details are here:
http://isoc-ny.org/p2/4609
And you can tune in to the livestream here:
http://livestream.com/internetsocietychapters

The session will be archived for those who can't attend. It should be a very interesting discussion!




WAIT! Don’t Delete Your Instagram Account Just Yet…

WAIT! Don't just delete your Instagram account!

Across a wide range of social networks today, I'm seeing people deleting their Instagram accounts after Facebook changed the Instagram terms of service in a way which allows Facebook/Instagram to potentially use your photos in advertising. At issue in particular are two clauses under "Rights" in the new terms of service (my emphasis added):

2. Some or all of the Service may be supported by advertising revenue. To help us deliver interesting paid or sponsored content or promotions, you agree that a business or other entity may pay us to display your username, likeness, photos (along with any associated metadata), and/or actions you take, in connection with paid or sponsored content or promotions, without any compensation to you. If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to this provision (and the use of your name, likeness, username, and/or photos (along with any associated metadata)) on your behalf.

3. You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such.

The first of which is the serious issue, while the second is more just annoying.

UPDATE 19 Dec 2012 - Instagram has responded with a post about the new terms of service. I think it's an open question whether that will help or whether people will continue to take a wait-and-see approach as Neville Hobson is doing (as am I).

I completely understand why people are deleting their Instagram accounts, particularly when directions about how to leave Instagram are published on Wired and being widely circulated - and also when other services like Flickr roll out new mobile apps that rock!

But think about what you are losing:

  • ALL THE LINKS WILL STOP WORKING that are to your Instagram photos. All those links floating around out there in Twitter, Facebook and other sites will no longer work. Presumably they'll all now be 404s.

  • YOU WILL LOSE YOUR ACCOUNT NAME - and someone else may be able to get that name. Maybe your name is unique enough that someone else won't come along and want your account name... but I know mine is NOT unique, and so if I were to give it up, some other Dan York could come along and take it.

  • INSTAGRAM MAY CHANGE ITS TERMS as it deals with all the backlash. You may find yourself wanting to get back in... and someone else may have claimed your username.

  • INSTAGRAM IS PART OF FACEBOOK... and love it or hate it, Facebook is a big player in this space. We don't know how they will (or will not) evolve Instagram. It may be worthwhile to have an account there at some later time.

Now it may be that there is a very simple way to keep your Instagram account yet not fall under the new Terms of Service:

Do not USE Instagram starting on January 16th!

I am NOT a lawyer, but I've seen multiple notes that this Terms of Service only applies to photos you post as of January 16, 2013. I don't know if that is true... but if it is, this may be a simple way to keep your account and links intact. Keep the account, but just stop using it and switch to some other service instead.

Of course, if it is NOT true, then I might be joining you all in deleting accounts... ;-)

Seriously, though, please think carefully about whether or not you want to lose all those links and your account at Instagram before you just go and delete the account.

Links are how the web is constructed... and by deleting your account you'll be tearing a hole in your own personal web of content!




FIR #682 – 12/17/12 – For Immediate Release

Thoughts on Newtown tragedy; new interviews coming; FIR length discussion; Quick News: best practices for social media in the workplace, input for Creative Agency of the Future book, On the Media makes timely use of its podcast, Twitter will let you retrieve all your tweets; Ragan promo; News That Fits: Google Plus Communities and brands, Dan York's report, Media Monitoring Minute, the Human API, listener comments, TemboSocial promo, PR's role in the era of pageview journalism, malware links in QR codes; music from Lily Sparks; and more.

Join The DNSSEC and IPv6 Communities On Google+

Are you a Google+ user interested in DNSSEC or IPv6? Google+ recently introduced the capability to have “communities” of interest and so I went ahead and set up a “DNSSEC Community”. Separately, TJ Evans created an IPv6 community.

I’ll be honest and say I’m not entirely sure how these communities will be used yet. Perhaps they will be an active discussion area… perhaps it will be another place to post links related to DNSSEC or IPv6 that then get seen by others on Google+.

In any case, if you want to join the experiment, feel free to join the community on DNSSEC or the IPv6 community.

ION Conference At USENIX LISA This Week Features IPv6 and DNSSEC Sessions – Will Be Livestreamed (Featured Blog)

If any of you are attending the USENIX Large Installation System Administration (LISA) conference in San Diego this week, the Internet Society's "Internet ON" (ION) Conference is co-located with LISA12 and will take place tomorrow, December 11, 2012, from 1:30 - 5:00 pm US Pacific time.
