January 2014 archive
Jan 16
W3C/IAB “Strengthening the Internet” Workshop: Deadline Monday to Submit Position Papers (Featured Blog)
Jan 16
Deutsche Telekom IPv6 Traffic Passes 15%, Verizon Wireless IPv6 Traffic Passes 40%!
The latest World IPv6 Launch measurements are up, and as noted in a blog post by Mat Ford, Deutsche Telekom has shown impressive growth over the past few months with this month’s metrics showing that 15.50%
Also rather significantly you can see in the list that now over 40% of the traffic coming from Verizon Wireless’ network is all going over IPv6! This is all through the fact that Verizon Wireless’ LTE network support IPv6.
The cool part of these World IPv6 Launch measurements is that they are a combination of data collected by Google, Facebook, Yahoo and Akamai. All of those sites are available over both IPv6 and IPv4 and so the sites are measuring the connections that come in to their sites over each protocol.
This shows that as access networks roll out IPv6 availability the content providers are very definitely seeing the connections coming in to their sites over IPv6!
The networks around the world are changing over to IPv6! If you are a website operator or provide other content online, have you thought about how you can make your content available over IPv6?
Jan 16
CircleID: DNS Security Should Be One Of Your Priorities (including DNSSEC)
We were very pleased to see this recent post over at the CircleID site, “Domain Name System (DNS) Security Should Be One of Your Priorities“, by Rick Rumbarger. He makes a number of great points, particularly about the fact that so many people take DNS for granted and don’t give it the attention they should.
Naturally, given our focus on getting DNSSEC deployed, we were delighted to see his paragraph:
Activate DNSSEC On Your Domain Names – DNSSEC counters cache poisoning attacks by verifying the authenticity of responses received from name servers. It effectively prevents responses from being tampered with, because in practice, signatures are almost impossible to forge without access to the private keys. If your DNS provider is not DNSSEC capable… make a switch.
He’s right! DNSSEC is critical for protecting the integrity of the information you get out of DNS queries. In his paragraph, he talks about the signing of domain names with DNSSEC, but it is important to remember that this is only half the equation with DNSSEC. The other piece you need to do is to enable validation of DNSSEC on your local DNS resolver.
The local validation of DNSSEC information protects the inquiries your computer makes for DNS info, and the signing protects the integrity of your own domain name.
The one point I do take issue with in Rick Rumbarger’s article is his suggestion to outsource ALL your DNS services on both the authoritative side (distributing your domain records) and the recursive resolver side (making inquiries to DNS). On the authoritative side, I agree that outsourcing DNS services can make a whole lot more sense than running your own DNS servers. Most of the DNS hosting companies out there have put a great amount of effort into performance, security, DDoS protection and more – and since they are focused on that can provide better protection and performance than many of us can do ourselves (unless, of course, we operate our own data centers).
However, on the recursive resolver side, I am much more of a fan of having the DNS resolution occur as close to the end user as possible. This is particularly true when you enable DNSSEC validation. Your DNS query is going from the stub resolver on your local computer to the whatever recursive resolvers you have configured in your computer. These are the ”DNS servers” in most operating system network control panels and are often supplied via DHCP to computers on a local network.
The connection between your stub resolver and the recursive resolver you use is typically unencrypted and represents an area where an attacker could inject bogus DNS information. Ideally the connection occurs over a “trusted” network, such as your local area network. If the recursive resolver is on the edge of your local network and is performing DNSSEC validation from that point on, then the attacker would have to somehow get on your local network in order to attack your DNS queries.
If you can’t have a recursive resolver at the edge of your local network, the next best option to me is to use the recursive resolvers at your ISP . You are then only widening the attack surface to be between your local network and that of your ISPs network.
If you can’t do DNSSEC validation at either your local network edge or your ISP, you then do need to go out and use an external recursive resolver that does DNSSEC validation such as Google’s Public DNS. However… the attack surface against your DNS queries has now been expanded to include the entire part of the public Internet that is between your computer and Google’s Public DNS servers (to use the example of Google). An attacker now has a better chance of getting in the middle and injecting false DNS information that goes back to your stub resolver running on your machine.
So for those reasons, I prefer to run the recursive DNS resolver as close to the end user as possible. In the ideal world, the DNSSEC validation might even be performed on the local machine (which can be done today using something like DNSSEC-Trigger) or in the application the user is using.
Outside of that point, I agree with the points Rick Rumbarger raises – and it’s great to see attention being given to this issue of DNS security!
P.S. And to perfectly illustrate one of Rumbarger’s other points about having strong access control for your DNS records there is this post today about how easy it was to get a DNS hosting provider to change DNS records with a simple email message. This is something that DNSSEC will NOT protect against because the DNS hosting provider is changing the actual zone file that would then be encrypted with DNSSEC. It shows again how “DNS security” is really composed of many different layers!
Jan 15
TDYR #070 – Have You Planned Your Own Funeral Yet?
Jan 15
RFC 6555 – Happy Eyeballs
If an application gets back both an IPv4 and IPv6 address from DNS, which one should the application use to connect? This dilemma for a “dual-stack” host is one that Dan Wing and Andrew Yourtchenko addressed in RFC 6555, “Happy Eyeballs: Success with Dual-Stack Hosts“ that can be found at:
At a high level, the premise is quite simple: open up a connection over BOTH IPv4 and IPv6 and use whichever one is fastest.
The idea being that the user will experience the best possible speed and will therefore have “happy eyeballs” if they are using something like a web browser where visual content is being viewed. RFC 6555 offers a number of suggestions and offers ideas for application developers to consider.
A variation of “happy eyeballs” is now implemented in most major web browsers, but the idea is not just for web browsers. Basically any application operating on a dual stack computer can use this idea to make the user experience as fast as possible.
Jan 14
Slides: Security In An IPv6 World – Myth & Reality
What are the myths about IPv6 security? What is the reality? How secure is IPv6 really? What new security advantages does it offer? What should IT system administrators be thinking about with regard to security as they move into an IPv6 world?
In a talk to the South Asian Network Operators Group (SANOG) today, our Chris Grundemann discussed these questions and many more in a talk titled “Security In An IPv6 World – Myth & Reality“. His slides are now online for viewing:
If a recording of the presentation becomes available we’ll update this post with more information.
Jan 14
TDYR #069 – On The Awesomeness Of Jetpack’s Connection Into Google+
Jan 13
TDYR #068 – Are You Enabling “Rapid Content Creation” Within Your Organization?
Jan 13
Are You In The Business Of Rapid Content Creation?
It's 2014. If you are in PR, marketing or communications - or have that as part of your role, even if you are not formally in that "department" - is part of your business the rapid creation of online content?
The Internet provides all of us with a fundamental opportunity on a scale great than we've ever had before:
We can tell our OWN story, in our OWN words, through our OWN channels.
The gatekeepers of the past to whom you had to beg permission for them to publish news about your organization are now... gone. Disrupted by the Internet.
As Tom Foremski famously wrote, "every company is a media company." (Also see these posts.)
But have YOU embraced that?
Are you thinking like a "media company"? Are you thinking about how you can best tell your story online? Are you thinking about how you enable many people within your organization to tell your story?
I'm not just talking about social media and encouraging employees to share or retweet corporate tweets or posts on Facebook or Google+.
Are you enabling people within your organization to rapidly create online content related to their roles?
Can they easily post blog posts? Can they post videos to YouTube? Can they create an audio podcast episode? Can they post photos to Instagram or Pinterest or Flickr?
Or does everything have to go through YOU in the PR or Marketing department? Are YOU the only one who can post information about the company online?
And if so, can you/your department scale to truly represent your company online when thinking like a media company?
Unless you've got a large staff and budget, I think the answer for most people is that to truly embrace the "media company" thinking, you have to look at how you enable more people within your organization to rapidly post content about their aspects of the company. Your role can then evolve to be in helping with the overall strategy and with enabling the individual groups within the company to rapidly create online content - and also to post
If you are embracing the "every company is a media company" opportunity that is out there (and guess what, if you aren't your competitors either already are or will be soon), then you need to start asking yourself some questions:
Authority
Do people within your organization have the authority to create online content related to their part of the organization? Can they do so rapidly? Or does everything have to go through 15 layers of approvals before it can go out?
Do you trust certain people within your organization to communicate online on behalf of your organization?
Tools
On a purely practical level, CAN they rapidly create content? Does your website or blog system allow them to rapidly create content? Do they have the tools - and training on the tools - to be able to create content?
Have you reduced the "latency" in your processes? Is the user experience as fast as it can be?
If someone wants to post something online, particularly someone who might only be doing this as a small part of their larger work, can they get into your system, enter in their content fast, and publish it quickly?
Or is your system slow, with many different screens and fields that just don't make sense?
If you have a non-tech-savvy person who just wants to post an article with maybe a photo, can they do that fast?
Skills
To that point, do the people in your organization have the skills to rapidly create content? Do you have people who can write well who are tasked with communicating for their group? Do you have people knowledgable in how to create videos or well-done photographs? Do you have people who understand the nuances of using different types of social media services?
Think about this - have you ever considered "embedding reporters" into the different groups and teams within your organization? Hiring people with communications skills who don't work directly for, say, the PR department, but instead are working within the actual product teams or other divisions within your company?
Could you do something like that with those embedded communications people having some connection to your central team? (And some companies are doing exactly this by hiring some of the journalists who have been laid off from the true "media companies" (ex. newspapers) who have been disrupted.)
Can you help people within your organization to gain the skills to help tell their part of your larger story?
The Internet has fundamentally disrupted the traditional view of PR, marketing and communications. The opportunity is there for people who can embrace the new world to truly rise above the others out there and tell their story in their own words.
Are you embracing that change?
Are you enabling the people in your organization to rapidly create their own content?
Are you thinking like a "media company"?
If you found this post interesting or useful, please consider either:
- following me on Twitter;
- adding me to a circle on Google+;
- following me on App.net;
- subscribing to my email newsletter; or
- subscribing to the RSS feed.
Jan 13