January 29, 2014 archive

TDYR #084 – On The Launch Of “Securing BGP” On The Deploy360 Site

Today in my work at the Internet Society we launched a new topic area around "Securing BGP". In this episode I talk about what that is all about and why it matters to the health of the Internet... See more at: http://www.internetsociety.org/deploy360/blog/2014/01/introducing-a-new-deploy360-topic-securing-bgp/

Introducing A New Deploy360 Topic: Securing BGP

BGPHow can we help network operators ensure that their usage of the Border Gateway Protocol (BGP) is as secure as possible?  How can we help enterprises who operate their own routing infrastructure make sure that they are keeping their own networks secure?  How can we help network operators at all levels make sure they are doing their part to keep the Internet’s routing infrastructure as secure and resilient as possible?

A year ago we launched the “Routing” topic on Deploy360 to explore these kind of questions.  We’ve written many articles about routing resiliency and featured panels about improving routing resiliency/security at our ION conferences, such as a recent session at ION Toronto.

However, as we went around speaking with people about the need to make the Internet’s routing infrastructure more resilient and secure,  one extremely important bit of feedback we received from people was that our topic here on Deploy360 of “Routing” was far too broad.  It wasn’t as specific as our areas on IPv6 and DNSSEC, and that provided multiple challenges both in terms of creating a logical flow of providing deployment information and also in finding resources and/or people to create new materials.

We’ve listened to all that feedback and are changing how we address the overall routing resiliency topic.  Instead of one massive topic, we’re going to be breaking the area down into several smaller topics that we will be rolling out over the course of 2014.

Today we’re pleased to announce the first new topic area, Securing BGP, where we will be focusing on the tools, services and technologies that can help make BGP routing more secure.  We’ll be talking about not only basic “good hygiene” for routing but also specific tools that can help secure BGP such as prefix filtering, ACLs, RPKI, BGPSEC and much more.  We have created a set of initial pages related to the topic which will be populating with more content over the weeks and months ahead:

Perhaps more importantly we have outlined a content roadmap for the resources related to securing BGP that we want to add to the site and are now actively looking for resources that are out there now that we can point to – or identifying authors who can write some of the resources that don’t yet exist. Naturally we’ll be adding blog posts related to securing BGP to our Deploy360 blog – and you can expect sessions related to securing BGP to appear at our future ION conferences.

How You Can Help

We need your help!  In order to provide the best possible resources to help network operators secure their use of BGP, we need to hear from you!  We need your feedback to help us know that we are helping you make your network more secure.  A few specific requests:

1. Read through our pages and content roadmap – Please take a look through our “Securing BPG” set of pages, and also please take a look at our content roadmap for BGP.  Are the current resources listed helpful?  Is the way we have structured the information helpful?  Will the resources we list on our roadmap help you make your routers more secure?

2. Send us suggestions – If you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.

3. Volunteer – If you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we’ll get you connected to what we are doing.

4. Help us spread the word – As we publish resources and blog posts relating to securing BGP, please help us spread those links through social networks so that more people can learn about the topic.

The post Introducing A New Deploy360 Topic: Securing BGP appeared first on Internet Society.

Introducing A New Deploy360 Topic: Securing BGP

BGPHow can we help network operators ensure that their usage of the Border Gateway Protocol (BGP) is as secure as possible?  How can we help enterprises who operate their own routing infrastructure make sure that they are keeping their own networks secure?  How can we help network operators at all levels make sure they are doing their part to keep the Internet’s routing infrastructure as secure and resilient as possible?

A year ago we launched the “Routing” topic on Deploy360 to explore these kind of questions.  We’ve written many articles about routing resiliency and featured panels about improving routing resiliency/security at our ION conferences, such as a recent session at ION Toronto.

However, as we went around speaking with people about the need to make the Internet’s routing infrastructure more resilient and secure,  one extremely important bit of feedback we received from people was that our topic here on Deploy360 of “Routing” was far too broad.  It wasn’t as specific as our areas on IPv6 and DNSSEC, and that provided multiple challenges both in terms of creating a logical flow of providing deployment information and also in finding resources and/or people to create new materials.

We’ve listened to all that feedback and are changing how we address the overall routing resiliency topic.  Instead of one massive topic, we’re going to be breaking the area down into several smaller topics that we will be rolling out over the course of 2014.

Today we’re pleased to announce the first new topic area, Securing BGP, where we will be focusing on the tools, services and technologies that can help make BGP routing more secure.  We’ll be talking about not only basic “good hygiene” for routing but also specific tools that can help secure BGP such as prefix filtering, ACLs, RPKI, BGPSEC and much more.  We have created a set of initial pages related to the topic which will be populating with more content over the weeks and months ahead:

Perhaps more importantly we have outlined a content roadmap for the resources related to securing BGP that we want to add to the site and are now actively looking for resources that are out there now that we can point to – or identifying authors who can write some of the resources that don’t yet exist. Naturally we’ll be adding blog posts related to securing BGP to our Deploy360 blog – and you can expect sessions related to securing BGP to appear at our future ION conferences.

How You Can Help

We need your help!  In order to provide the best possible resources to help network operators secure their use of BGP, we need to hear from you!  We need your feedback to help us know that we are helping you make your network more secure.  A few specific requests:

1. Read through our pages and content roadmap - Please take a look through our “Securing BPG” set of pages, and also please take a look at our content roadmap for BGP.  Are the current resources listed helpful?  Is the way we have structured the information helpful?  Will the resources we list on our roadmap help you make your routers more secure?

2. Send us suggestions – If you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.

3. Volunteer – If you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we’ll get you connected to what we are doing.

4. Help us spread the word – As we publish resources and blog posts relating to securing BGP, please help us spread those links through social networks so that more people can learn about the topic.

Join The “dnssec-maps” List To Receive Weekly DNSSEC Deployment Maps

2014-01-23-2014-01-23We’re pleased to announce that for those of you interested in the current status of DNSSEC deployment, you can now receive a weekly email with the latest DNSSEC deployment maps with both a global and regional perspective.

All you need to do is subscribe to the public “dnssec-maps” mailing list and each Monday you will receive a message containing:

  • Maps showing the current state of DNSSEC deployment among country-code top-level domains (ccTLDs):
    • A global view of ccTLD DNSSEC status
    • Regional views for Africa, Asia-Pacific, Europe, Latin America and North America
  • Maps showing the past state of DNSSEC deployment one year prior to the date
  • Maps showing the predicted future state of DNSSEC deployment one year ahead based on information provided from various sources.
  • Comma-separate-value (CSV) files containing the DNSSEC status of all the ccTLDs and the “generic top-level-domains (gTLDs)”, including all the “newgTLDs” (which are all required to be DNSSEC-signed when they launch).

You are free to use these images for presentations, articles, reports, etc., subject to a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. (Rough translation: you need to credit us and you can’t sell the maps.)

As noted on our “DNSSEC Deployment Maps” page, these maps are a bit different than many of the other sources of DNSSEC statistics in that they are based on both factual observed data (ex. is there a DS record in the root zone?) and also information gathered from various other sources such as industry presentations, news articles, DNSSEC-related mailing lists and other venues.  The intent is to provide the best possible view of DNSSEC deployment both now and in the future.

The database behind these maps and the software to produce them was developed and operated by Steve Crocker’s Shinkuro, Inc.  The responsibility and ownership of the maps was recently transferred to the Internet Society Deploy360 Programme as part of our ongoing working relationship with Shinkuro and Parsons Technology to accelerate DNSSEC deployment.  We are definitely grateful to Shinkuro for all the great work they put into this extremely useful project and for their assistance in the transfer of operations.

We hope you find the public availability of these maps to be useful and encourage you to join the mailing list.  Please do send along any and all feedback, particularly if you see any errors in the current maps.  We also welcome your ideas and interest in enhancements we could potentially make.  For instance, we’re thinking about how we might be able to visualize the DNSSEC status of all the generic TLDs that are not tied to a country and cannot therefore be placed on a map.  Ideas and suggestions are always welcome, either as comments to this blog post or as email or messages to us.  Thanks for your interest in DNSSEC!