September 2014 archive

Video: Geoff Huston – what if everyone did DNSSEC? (APNIC 38)

What if everyone enabled DNSSEC?  What would happen to your network? Should you be scared?

The good folks at APNIC are out with a video from Geoff Huston answering these questions:

If you want to get started with DNSSEC so that your domain name can be secure from being impersonated, please visit our Start Here page to find resources targeted for your type of organization.

Help us make the Internet more secure – deploy DNSSEC validation and start signing your domains NOW!

P.S. For a good example of HOW DNSSEC can help protect you, please read our recent article about email hijacking attacks that are going on now – but could be prevented by the use of DNSSEC.

BGPmon: Using BGP Data To Fight Spam

BGPmon logoCan we use BGP data to find email spammers? And could securing BGP provide a mechanism to help reduce spam?

In a fascinating article on BGPmon’s site, Andree Toonk explores how they found that “IP squatting” is used by spammers.  Essentially the attack seems to work like this:

  1. The spammers identify a block of IP addresses (IPv4) that are not currently being used on the actual Internet.
  2. The spammers send out BGP announcements routing that block of IP addresses to their servers.
  3. The spammers send out their spam email messages.
  4. When done (or when the IP address block is blocked by anti-spam tools), the spammers stop announcing the BGP routes for those IP address blocks.

They then can move on to announcing other IP address blocks to send more spam.

The article provides a very compelling and very readable description of two case studies where they found this to happen. In one case the spammers also used an Internet Route Registry (IRR) to attempt to give their BGP route announcement more legitimacy.

The BGPmon article doesn’t get into solutions… but preventing these kind of attacks is precisely why we set up the Securing BGP topic area of this site.

A general area of “source address validation” is critical here – the idea being to have some way to know that the router announcing the BGP routes has the actual authority to do so. New tools such as RPKI are emerging that let us securely validate the origin of route announcements to prevent spammers from performing the attacks like this.  With such tools a router would reject BGP announcements that came from the spammers’ systems because the spammers would not be able to securely assert that they had the right to announce those IP address blocks.  The challenge, of course, is to get more routers start signing route announcements – and more routers start validating route announcements.  (Read about how Jan set up RPKI for his lab.)  There are other tools and methods being explored, too.  The point is to not allow “spoofed” IP address blocks to get into the global routing tables.

This idea of securing BGP route announcements is also part of the “Routing Resilience Manifesto” that continues to be developed as (voluntary) guidelines for network operators.

If we are collectively able to implement some of these mechanisms for securing BGP we can potentially make a significant reduction in the ability of spammers to send their email – and make the Internet more secure and working better in the process.  Please do check out our Securing BPG section and consider what you can do in your network today!

FIR #773 – 9/15/14 – For Immediate Release

FIR's Andrea Vascellari joins Edelman; Quick News: Measurement Week in the UK, PR agency bribes journalist, CIPR's nine recommendations for flexible working in PR, what it's like for a reporter to read and reply to every PR email for a week; Ragan promo; News That Fits: blogging declines among Fortune 500, Dan York's Tech Report, why every content marketer needs an editor, Media Monitoring Minute from CustomScoop, listener comments, the past week on the FIR Podcast Network, how to run a successful webinar, Igloo Software promo, a look at the Indie Web; music from Louie Prima Jr. and the Witnesses; and more.

Email Hijacking – New Research Shows Why We Need DNSSEC Now!

Want a great example of why we need DNSSEC now?  Consider this new research from the CERT/CC team at Carnegie Mellon University that finds that someone is hijacking email messages to relay them through another email server.  The messages are being delivered, but it’s unknown whether they are being modified before delivery or simply logged and monitored.  As they say:

The disconcerting aspect of this work is not how many domains we see being poisoned, as there are relatively few, but which domains they are. We observe changes in A records so that a domain resolves to a different IP address. But the domains being targeted are often listed as name servers or mail exchanges for other domains. The biggest free webmail providers have been repeatedly victimized on some unknown (but likely smaller) subsection of the Internet sometime during the last year.

Someone… or multiple entities… appear to be poisoning DNS caches so that they can interject their own mail server into the delivery path of the email messages.  The CERT/CC team goes on to explain the attack and provides a very useful diagram:

Figure 2 diagrams how this usual process can be thwarted if the DNS answer for the IP address of the destination MX is changed. The mail message makes an unintended pit stop at the poisonous IP address. That server can then forward the message to its intended destination. Since mail is transmitted asynchronously, the sender and recipient are not likely to notice anything out of the ordinary. The sending IP address in the message header would likely reflect the diversion, but since mail handling often has a few exchanges before the final destination, it is not immediately obvious to anyone along the path that the diversion was out of the ordinary. 

MX cache poisoning

They go on to outline the potential outcome of the attack:

Unless the whole message is cryptographically protected, the intermediate server can read and modify the message, or append malicious content. This attack would defeat opportunistic TLS encryption between MXs that is meant to ensure the confidentiality of messages in transit. And there are some small changes the intermediary could make to the mail that would make the attack worthwhile, such as changing a bank account number for a home purchase deposit.

Essentially, the attacker could do anything they want with the email message as it is now in their possession, including:

  • Modify the message to either add, change or remove content
  • Log the message (and all of its content) in some large database
  • Simply drop the message (i.e. don’t deliver it) so that the recipient never gets the message

The researchers don’t yet know who is behind this redirection.  It could be:

  • Criminals
  • Nation states (ex. intelligence agencies)
  • Other security researchers

All they know is someone is hijacking delivery of email messages for some reason – and they are seeking help from the larger Internet community!  (Please see the bottom of their post.)

How To Protect Your Email Delivery

As the researchers note, DNSSEC is designed to prevent this type of hijacking of DNS information.  This type of hijacking would be prevented if:

1. The recipient’s domain name was signed with DNSSEC which means that the MX records (and all other DNS records) would have a cryptographic signature added.

2. The sender’s local DNS resolver was performing DNSSEC validation in which it checked the DNSSEC signatures.

Had this been in place, then the sending mail server would not have received the false MX record and would not have delivered the email to the attacker’s server.  You can read more in our document about the two sides of DNSSEC.

This hijacking of email messages is going on right now on an ongoing basis according to the researchers, and so you can take two steps to ensure that your email messages are not being hijacked:

1. Sign Your Domain With DNSSEC

The first step is to sign your domain with DNSSEC so that your MX records are protected.  If you do not operate your own DNS servers, this may involve you contacting your DNS hosting provider or DNS registrar to ask them to perform DNSSEC-signing on your domain.  We have some information about how to do this here:

and ICANN has a list of some of the registrars that provide some degree of DNSSEC support.

If you do operate your own authoritative name servers for your domain, then you can determine what you need to do to sign the domain with DNSSEC.  Many of the common authoritative name servers such as BIND, NSD, Knot and Microsoft Windows Server 2012 all include support now for DNSSEC signing.  There are also additional tools such as OpenDNSSEC that can help make this work smoothly.  Some of the resources that may help:

Once you have signed your domain, you will then need to communicate your “DS record” to your parent zone (often the top-level domain) by way of your registrar.  See our page about working with registrars for more information.

2. Turn On DNSSEC Validation On Your Network

With signing, inbound email messages to you will not be hijacked (assuming the sender is performing DNSSEC validation), but the possibility will still exist for outbound messages you send to be hijacked if your mail server doesn’t learn the correct address for the recipient’s mail server.

To enable this layer of protection, all you need to do is turn on DNSSEC validation on your local DNS server – or whatever DNS resolver your email server uses.   That is the important part because in this instance we are trying to protect email delivery.  You want your email server to be getting the correct DNS information.

We wrote about how to do this and recommend an excellent whitepaper from SURFnet that explains how to easily do this with three of the common DNS resolvers: BIND, Unbound and Microsoft Windows Server.

Now… if you don’t control the local DNS server – for instance, if you use the DNS resolver at your local Internet service provider (ISP) – then you need to contact that organization to find out if they can enable DNSSEC validation.

If your ISP is unwilling/unable to turn on DNSSEC validation, you could set your mail server to use external DNS servers that perform DNSSEC validation such as Google’s Public DNS, but we don’t recommend this unless it is your last resort because using such a distant DNS server provides a lot of room for an attacker to still inject fake packets.  As we wrote about in our “plan for DNSSEC validation“, the ideal is to have the DNSSEC validation happening as close as possible to the mail server (in this case).    It would be much safer, and perhaps quite easy, to install a local DNSSEC-validating resolver on or near your mail server itself.

 

With those two steps, you will protect the delivery of email to your domains – and protect your mailserver from delivering email to whomever is out there right now hijacking all these messages.

Let’s do that today, okay?  If we all do it now we can make the Internet that much safer and more secure!

If you’d like more information about DNSSEC, please see our “Start Here” page to find resources tailored to your type of organization and role – and please let us know if you need even more information!

How Do We Define ‘SIP’ for Telecom In 2014? (Featured Blog)

"What is a minimum set of specifications that a vendor must implement to be able to say that it is SIP-compliant?" A friend asked me that question and my response was: "It depends." and even more unfortunately: "I don't know." It turns out to be a challenging question to answer... and it led me to ask: "How do we define what "SIP" is for telecommunications in 2014? How do we help vendors move their products/services to be based on SIP? As we talk about "turning off the PSTN" and "moving all telecom to IP", how can we make it easier for companies to switch to using SIP? More...

How Do We Define ‘SIP’ For Telecom In 2014? (Featured Blog)

More...

Facebook Launches IPv6-Only Data Cluster

If you are a Facebook user and are also interested in using IPv6 wherever possible, Facebook’s Paul Saab just announced yesterday that there is now a special link where you can connect to Facebook’s IPv6-ONLY data cluster. In the IPv6 group on Facebook (of course!) he posted:

Back in March I announced we were working towards having IPv6-only clusters. I’m happy to announce that we’ve successfully launched our latest cluster as IPv6-only. If you want to make sure that you’re using the IPv6-only cluster, we’ve redirected traffic for http://www.v6.facebook.com/ so that it uses it

Just to be 100% clear, you have been able to access Facebook over IPv6 ever since World IPv6 Launch back in 2012 just by going to the regular http://www.facebook.com/ URL.  Users of the IPvFoo/IPvFox browser add-ons have been able to see that we’ve been connecting to Facebook over IPv6.  It’s all worked great.

However, while the connection to the main Facebook page has been over IPv6, that page has also still required some connections over the legacy IPv4 network.

With yesterday’s news from Paul Saab, those of us who want to truly do everything over IPv6 can now do so by connecting to http://www.v6.facebook.com/. Admittedly, this may only be of interest to those of us who are advocates of IPv6, but still, it’s pretty cool to have full access to a major site like Facebook entirely over IPv6!

You may recall that back in March, Paul Saab gave an excellent presentation about how Facebook is moving to entirely using IPv6 within their internal networks.

fb-internal-ipv6

 

His slides are available and you’ll note that on his second to last slide he wrote:

  • Plans for first IPv6 only cluster (no RFC1918) by end of 2014

This news yesterday is the completion of those plans (and well before the end of 2014, too!).

Kudos to Paul and his team at Facebook – it’s great to see this work happening and to have a way we can work with Facebook in pure IPv6-only network. Thanks!

What are you waiting for?  Visit our “Start Here” page to find resources available to help you make the move to IPv6 – and let us know if there is anything more we can do to help you!

US DoD’s DREN Will Only Buy Products With An IPv6 Website

Want a good reason for making sure your website works over IPv6?  How about that some companies and organizations may only consider your products if they can get to your website over IPv6?

In a June 10, 2014, presentation, Ron Broersma explained why the US Department of Defense (DoD) Defense Research and Engineering Network (DREN) adopted a policy for acquiring products/services for the DREN III network where they would only consider products where the company website was available over IPv6 (click/tap image for a larger view):

DREN IPv6 product evaluation

The text of the slide says:

  • Our #1 rule:
    • if we can’t get to the company or product website via IPv6, we won’t consider such products.
  • Why this hard line?
    • we learned the hard way that without strong corporate commitment to IPv6 support, it will take forever to get IPv6 bugs fixed or features added.
    • we learned that the corporate website being IPv6Y-enabled was a good indicator of corporate commitment to IPv6.
    • this has been tested many times, and it works.
    • in the process, we encourage industry to IPv6-enable their public facing services.

It sounds like pretty good logic to me! Having a website available over IPv6 certainly is one way of showing a corporate commitment to the production Internet.

Ron’s full slides are available online which explain more about the DREN III build-out that occurred during 2013 and the acquisition process they used for products and services. As Ron notes on his slide 4, vendors will often say that their products support IPv6 but very often the vendors really don’t have an understanding about IPv6.

There are some other good points in the slides, too, such as where Ron notes on slide 9 their pleasant surprise that the “mainstream” customer premise equipment all seemed to work fine with IPv6.  He also notes that all of their network management takes place over IPv6, with none happening over legacy IPv4. It’s also good to see his “vision”:

DREN is identified as an IPv6 network with IPv4 legacy support.

It is an IPv6 network first, with IPv4 support only to get to legacy systems.  The slides are all well worth a read.

What do you think?  Can you adopt this as a requirement in your product acquisition process?

And is your website available over IPv6?   If not, please consider our steps for content providers / website owners and start making your site available over IPv6 today!

P.S. Hat tip to Phil Benchoff for posting about Ron’s slide in the ‘IPv6 Promotion’ community on Google+ (which is, of course, available over IPv6!)

How Do We Define ‘SIP’ For Telecom In 2014?

Sip question"What is a minimum set of specifications that a vendor must implement to be able to say that it is SIP-compliant?"

A friend asked me that question and my response was:

It depends.

and even more unfortunately:

I don't know.

It turns out to be a challenging question to answer... and it led me to ask:

  • How do we define what "SIP" is for telecommunications in 2014?
  • How do we help vendors move their products/services to be based on SIP?
  • As we talk about "turning off the PSTN" and "moving all telecom to IP", how can we make it easier for companies to switch to using SIP?

The reality is that being "SIP-compliant" does turn out to depend upon where in the larger SIP interconnection ecosystem the vendor is located.

Is the vendor:

  1. a SIP client, in terms of a "hard" phone, a softphone, or other application that is seeking to connect to a SIP server?
  2. a SIP server seeking to connect to a SIP "service provider" to have connectivity out to the PSTN and other SIP networks?
  3. a SIP service provider seeking to interconnect with other SIP service providers and to the PSTN?
  4. a middlebox such as a firewall or session border controller (SBC) seeking to be in the middle of a SIP communication stream?
  5. an application that interacts with SIP systems in some way? (ex. call recording, IVR, networking monitoring)

To be "SIP-compliant" really means you need to figure out what amount of "SIP" you need to implement to play your part in the larger picture. Particularly when the SIP "architecture" we describe isn't the pretty little picture we use:

Sip architecture

but rather a much more complex reality:

Sip architecture reality

Unfortunately, the "Session Initiation Protocol" (SIP) is no longer just good old RFC 3261 and a few friends. RFC 3261 provided a radical new way to do telecommunications... it was "HTTP for voice"... it was simple, easy and pretty amazing. If you have a moment, go back and read RFC 3261. It's a remarkable document and set of ideas.

However, there were two factors that started to complicate "SIP":

  • the "Internet" community kept thinking of new and innovative ways that they could do more with SIP-based telecommunications; and
  • the traditional telecom companies/vendors kept wanting to bring across more and more legacy PSTN functionality into the world of SIP, typically without changing that PSTN functionality so that they wouldn't have to change their business models or processes.

This combination set SIP up to slowly become more and more of an accretion of various hacks and kludges designed to either enable SIP to unleash new possibilities and/or to take over key functionality from the PSTN.

But in doing so it became so much harder to define what "SIP" was.

Back around 2008/2009, Jonathan Rosenberg tried with his "Hitchiker's Guide to SIP" that was published as RFC 5411 in February 2009:

http://tools.ietf.org/html/rfc5411

Now consider that this contained about 26 pages worth of documents to be referenced... and this was back in 2009! In the 5 years since, the "Realtime Applications and Infrastructure (RAI)" area of the IETF has been extremely busy and a similar document today would be be MUCH longer.

But does such a long list really help?

Going back to to my list of different roles within the SIP ecosystem, do we need more narrower lists for each role? A SIP client connecting to an IP-PBX may not need to implement all of the same specifications as a SIP service provider connecting to the PSTN.

What is the minimum set of SIP specifications for each role?

SIPconnect sipforumThe good news is that for the second role I mention, the SIP server to SIP service provider, the SIP Forum has done some outstanding work with their SIPconnect initiative. You can find more info at:

http://www.sipforum.org/sipconnect

You can download the SIPconnect 1.1 technical specification and see the great amount of work they have done. The idea is that ultimately any "SIPconnect-compliant" IP-PBX or other SIP server can connect to any "SIPconnect-compliant" SIP service provider. It should "just work" with a minimum amount of testing. The goal is to allow the more rapid deployment of SIP-based IP-PBXs and making this part of the interconnection puzzle work that much better.

So if you are a vendor of a SIP server, whether you call it an IP-PBX, a call server, or whatever... or you are a SIP service provider seeking to connect to SIP servers at your customers - in either case you have SIPconnect that you can use to be "SIP-compliant".

But what about the other roles?

What if a vendor has multiple products?

What if a service provider or enterprise is just trying to get "SIP" products to work together? What should they specify beyond the vague statement that a product should support "SIP"?

Now, there are other organizations that have attempted to answer this question. The 3GPP has a list of SIP specifications and the GSMA seems to have similar documents. The ITU-T has many recommendations but since they rename everything it's hard to understand what really links back to SIP - and many of the ITU recommendations are only available to members and so you can't easily view them.

Which brings me back to these questions:

  • Do we need a new IETF document that aims to update RFC 5411 with a newer list and perhaps "profiles" of what would be needed for different roles?
  • Is this something the SIP Forum or some other organization should take on?
  • Has someone else already created a concise list/document/specification and I just haven't yet found it?

And perhaps the even larger question:

  • Do you believe this is an issue that we collectively should be working on as an industry to help make the deployment of SIP easier?

What do you think? How do we define SIP in 2014? What should we do? I'd love to hear your comments either in response to this post here on this blog or out on social media where this is posted. (Thanks!)


An audio commentary on this post is also available:


If you found this post interesting or useful, please consider either:


TDYR #174 – How Do We Define ‘SIP’ For Telecom In 2014

How do we define what it is to be "SIP-compliant" in 2014? Can we even do so? How can we make it easier for companies and vendors to make their systems work with SIP?