January 2014 archive

Introducing A New Deploy360 Topic: Securing BGP

BGPHow can we help network operators ensure that their usage of the Border Gateway Protocol (BGP) is as secure as possible?  How can we help enterprises who operate their own routing infrastructure make sure that they are keeping their own networks secure?  How can we help network operators at all levels make sure they are doing their part to keep the Internet’s routing infrastructure as secure and resilient as possible?

A year ago we launched the “Routing” topic on Deploy360 to explore these kind of questions.  We’ve written many articles about routing resiliency and featured panels about improving routing resiliency/security at our ION conferences, such as a recent session at ION Toronto.

However, as we went around speaking with people about the need to make the Internet’s routing infrastructure more resilient and secure,  one extremely important bit of feedback we received from people was that our topic here on Deploy360 of “Routing” was far too broad.  It wasn’t as specific as our areas on IPv6 and DNSSEC, and that provided multiple challenges both in terms of creating a logical flow of providing deployment information and also in finding resources and/or people to create new materials.

We’ve listened to all that feedback and are changing how we address the overall routing resiliency topic.  Instead of one massive topic, we’re going to be breaking the area down into several smaller topics that we will be rolling out over the course of 2014.

Today we’re pleased to announce the first new topic area, Securing BGP, where we will be focusing on the tools, services and technologies that can help make BGP routing more secure.  We’ll be talking about not only basic “good hygiene” for routing but also specific tools that can help secure BGP such as prefix filtering, ACLs, RPKI, BGPSEC and much more.  We have created a set of initial pages related to the topic which will be populating with more content over the weeks and months ahead:

Perhaps more importantly we have outlined a content roadmap for the resources related to securing BGP that we want to add to the site and are now actively looking for resources that are out there now that we can point to – or identifying authors who can write some of the resources that don’t yet exist. Naturally we’ll be adding blog posts related to securing BGP to our Deploy360 blog – and you can expect sessions related to securing BGP to appear at our future ION conferences.

How You Can Help

We need your help!  In order to provide the best possible resources to help network operators secure their use of BGP, we need to hear from you!  We need your feedback to help us know that we are helping you make your network more secure.  A few specific requests:

1. Read through our pages and content roadmap - Please take a look through our “Securing BPG” set of pages, and also please take a look at our content roadmap for BGP.  Are the current resources listed helpful?  Is the way we have structured the information helpful?  Will the resources we list on our roadmap help you make your routers more secure?

2. Send us suggestions – If you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.

3. Volunteer – If you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we’ll get you connected to what we are doing.

4. Help us spread the word – As we publish resources and blog posts relating to securing BGP, please help us spread those links through social networks so that more people can learn about the topic.

Join The “dnssec-maps” List To Receive Weekly DNSSEC Deployment Maps

2014-01-23-2014-01-23We’re pleased to announce that for those of you interested in the current status of DNSSEC deployment, you can now receive a weekly email with the latest DNSSEC deployment maps with both a global and regional perspective.

All you need to do is subscribe to the public “dnssec-maps” mailing list and each Monday you will receive a message containing:

  • Maps showing the current state of DNSSEC deployment among country-code top-level domains (ccTLDs):
    • A global view of ccTLD DNSSEC status
    • Regional views for Africa, Asia-Pacific, Europe, Latin America and North America
  • Maps showing the past state of DNSSEC deployment one year prior to the date
  • Maps showing the predicted future state of DNSSEC deployment one year ahead based on information provided from various sources.
  • Comma-separate-value (CSV) files containing the DNSSEC status of all the ccTLDs and the “generic top-level-domains (gTLDs)”, including all the “newgTLDs” (which are all required to be DNSSEC-signed when they launch).

You are free to use these images for presentations, articles, reports, etc., subject to a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. (Rough translation: you need to credit us and you can’t sell the maps.)

As noted on our “DNSSEC Deployment Maps” page, these maps are a bit different than many of the other sources of DNSSEC statistics in that they are based on both factual observed data (ex. is there a DS record in the root zone?) and also information gathered from various other sources such as industry presentations, news articles, DNSSEC-related mailing lists and other venues.  The intent is to provide the best possible view of DNSSEC deployment both now and in the future.

The database behind these maps and the software to produce them was developed and operated by Steve Crocker’s Shinkuro, Inc.  The responsibility and ownership of the maps was recently transferred to the Internet Society Deploy360 Programme as part of our ongoing working relationship with Shinkuro and Parsons Technology to accelerate DNSSEC deployment.  We are definitely grateful to Shinkuro for all the great work they put into this extremely useful project and for their assistance in the transfer of operations.

We hope you find the public availability of these maps to be useful and encourage you to join the mailing list.  Please do send along any and all feedback, particularly if you see any errors in the current maps.  We also welcome your ideas and interest in enhancements we could potentially make.  For instance, we’re thinking about how we might be able to visualize the DNSSEC status of all the generic TLDs that are not tied to a country and cannot therefore be placed on a map.  Ideas and suggestions are always welcome, either as comments to this blog post or as email or messages to us.  Thanks for your interest in DNSSEC!


TDYR #083 – How To Keep Track Of All The New gTLDs Appearing Weekly

Want to register a domain in .PLUMBING? .SEXY? .CLUB? .PHOTO? .PINK? With more new generic top-level domains (newgTLDs) appearing each week, how do you keep track of what is going to be out in DNS soon? In this episode I talk a bit about the newgTLDs and about an article I wrote on CircleID where I talked about how to keep track of all the newgTLDs: http://www.circleid.com/posts/20140120_how_to_keep_track_of_new_generic_top_level_domains_newgtlds/

TDYR #082 – A Monday Morning Reality Check On What Are Really “Problems”

I started my Monday morning in a way that made me realize that any "problems" I may have right now really pale in comparison to what others are facing out there... (and yes, I said it was TDYR #81 when it was in fact #82.)

FIR #740 – 1/27/14 – For Immediate Release

What's new on the FIR Podcast Network; Quick News: Pinterest is changing how people blog, UK university accepts Bitcoin for tuition, agencies don't know if blogging is working, Churck of England diocese issues social media guidelines; Ragan promo and farewell to Jenny Fukumoto; News That Fits: social media returns companies to traditional communication, Michael Netzley's Asia Report, Google's Matt Cutts advises against guest posts as an SEO strategy, Media Monitoring Minute from CustomScoop, listener comments, Wikipedia adds audio intros, Dan York's Tech Report, astroturfing proposal leads one company to defect from an industry coalition; music from The Taters; and more.

TDYR #081 – Skating On A Pond On A Sunny Sunday Afternoon

TDYR #081 - Skating On A Pond On A Sunny Sunday Afternoon by Dan York

Video/Slides – Geoff Huston On Measuring DNSSEC Usage at RIPE67

How many people are actually performing DNSSEC validation on DNS queries? What is the true penetration of DNSSEC usage?  While there are many sites offering DNSSEC statistics about the number of signed domains or TLDs, what kind of measurements can be done on the validation side of DNSSEC?  And what is the performance impact of doing DNSSEC validation?

At the RIPE67 meeting Geoff Huston of APNIC gave an entertaining presentation around these exact questions based on measurements through a system of Flash-based web advertisements he has been using.  His slides are available online and the video presentation runs about 28 minutes:

Geoff Huston speaking

The information is certainly useful and we look forward to future presentations based on these measurements!


TDYR #080 – Survived Organizing My First Curling Bonspiel

TDYR #080 - Survived Organizing My First Curling Bonspiel by Dan York

Weekend Project: Add IPvFoo or IPvFox To Your Web Browser To See What Is IPv6

IPvFoxHere’s a quick project for you that will quickly enable you to see what sites work over IPv6 – and what sites don’t! If you use either Google Chrome or Mozilla Firefox as your web browser you can add an “extension” or “add-on” that helpfully adds an icon to the location bar in your browser, as shown in the image with this post. You can get them at these links:

As we wrote about in the past, the cool part about these add-ons is that they enable you to see what parts of your website are NOT working with IPv6.  For instance, in preparing this post I noticed that our Deploy360 site is no longer showing only a “6″ like it used to do a few weeks ago.   By clicking on that icon in the location bar, I saw this:

Detail of the IPvFox plugin

This clues me in to the fact that when I recently installed the JetPack plugin for WordPress I wound up using two services that are only available over IPv4. :-(  Given that we want this site to be available to people on IPv6-only networks, now it’s time for me to go off and file bug reports with those sites to indicate that they are not reachable over IPv6.  (Either that or turn off the features that use IPv4, but bug reports are a critical way for people to get more attention to the need to be accessible over IPv6!)

Anyway, I’ve installed these extensions and add-ons into all my instances of Chrome or Firefox and it’s great now to see the places where I can get IPv6 connectivity!

Give it a try!

P.S. This assumes, of course, that you have IPv6 connectivity… if you do not have IPv6 these add-ons won’t be of much help. But hey, if you don’t have IPv6, maybe now is a good time to try setting up an IPv6 tunnel so that you can try these add-ons out!  

TDYR #079 – Excited About A Little Rocks Curling Bonspiel Tomorrow

Tomorrow my 11-yr-old daughter will be playing in a "Little Rocks Bonspiel" at the Petersham Curling Club - http://www.petershamcurling.org/ - competing against teams from Cape Cod, Nashua (NH), Broomstones (Wayland, MA) and Bridgeport (CT). In this episode I talk about some of the excitement about that upcoming event...