"Innovation requires serendipity." - Eli Pariser in "The Filter Bubble"
November 2014 archive
Nov 06
New MANRS Initiative Aims to Improve Security of Internet Routing (Featured Blog)
How can we work together to improve the security and resilience of the global routing system? That is the question posed by the "Routing Resilience Manifesto" site with the suggested answer launched today of the "Mutually Agreed Norms for Routing Security (MANRS) document, to which a number of network operators have already signed on as participants, including: Comcast, Level 3, NTT, RUNNet, ClaraNet, SURFnet, SpaceNet, KPN and CERNET. More...
Nov 06
TDYR 180 – Minding Your Network Routing MANRS
How can we work together to improve the security and resilience of the global routing system? A new "MANRS" initiative was launched today to answer that question! See http://www.manrs.org/ to read the MANRS document and sign up!
Nov 06
Arabic Translations Of IPv6 And DNSSEC Fact Sheets Now Available For Download
Rounding out the translations of our IPv6 Fact Sheet and our DNSSEC Fact Sheet into the six official U.N. languages, we are pleased to announce that the Arabic versions are now available:
From the IPv6 Fact Sheet and the DNSSEC Fact Sheet pages you can now get these fact sheets in English, Arabic, Chinese, French, Russian and Spanish.
As we noted in our earlier posts about the IPv6 Fact Sheet and about the DNSSEC Fact Sheet, these simple documents are available for you to use in whatever way you wish. Please feel free to download them and share them widely.
Please do let us know any feedback you have on these documents. Our goal is to help you get IPv6 and DNSSEC deployed within your organizations and networks. Please let us know how we can help.
And if you want to get started with IPv6 or DNSSEC, please visit our Start Here page to find resources to help you get started!
Nov 06
Show Your Commitment To Routing Security – Join the MANRS Initiative!
Do you want to make the Internet’s routing infrastructure more secure? Have you implemented anti-spoofing techniques to help protect against attacks such as DDoS attacks? Have you secured your use of BGP on your network?
If so, why not consider publicly showing your support by signing up as a participant in the MANRS initiative?
This new routing security initiative, launched today, aims to promote better collaboration between network operators to make the Internet more secure and resilient. As the home page says:
How can we work together to improve the security and resilience of the global routing system?
Originally called the “Routing Resilience Manifesto”, the initiative published today the “Mutually Agreed Norms for Routing Security” (MANRS) at:
With the announcement came news of an initial set of participants that includes some of the largest global network operators such as Comcast, Level 3 and NTT. More companies will be added and signups are already coming in!
To participate, a network operator needs to agree to at least 2 (and ideally all 4) of these actions:
- Filtering – Prevent propagation of incorrect routing information.
- Anti-spoofing – Prevent traffic with spoofed source IP addresses.
- Coordination – Facilitate global operational communication and coordination between network operators.
- Global Validation – Facilitate validation of routing information on a global scale.
Basically you could think of this as a “code of conduct” for network routing… an agreement that companies publicly say they are going to follow to help the overall Internet’s routing infrastructure be more resilient and secure.
Our colleague Andrei Robachevsky has been heading this project and working with a team of people from network operators around the world (some of whom have already signed on as formal participants, others who hope to do so soon). It’s great to see this out there and we look forward to seeing the list of participants grow.
Please do read the MANRS document and sign up if your network can undertake those actions. If every network operator can mind their MANRS, we’ll all have a much safer, more secure and more resilient Internet!
P.S. If you are looking for information about how to get started with anti-spoofing or securing BGP, please see our Network Operators Start Here page to get started.
Nov 06
News Release Announcing MANRS – And Asking Network Operators To Sign Up!
We are pleased to announce that the MANRS document was officially launched this morning, November 6, 2014.
Or read the text below… and better yet, check out the list of participants and then sign up!
NETWORK OPERATORS AROUND THE WORLD DEMONSTRATE THEIR COMMITMENT TO A SECURE AND RESILIENT INTERNET
Mutually Agreed Norms for Routing Security (MANRS) recommendations provide a coordinated approach to improve global routing system
[Washington, D.C., USA and Geneva, Switzerland] – 6 November 2014 – Leading network operators around the world today announced that they have implemented a package of recommended measures that help improve the security and resilience of the global Internet.
Working together, network operators have developed a tightly defined set of concrete actions to improve the global Internet routing system. The recommendations, called Mutually Agreed Norms for Routing Security (MANRS) recognize the interdependent nature of the global routing system and integrate best current practices related to routing security and resilience. More network operators from across the globe are encouraged to sign onto the movement and participate by visiting the website and completing the form.
Organized by the Internet Society, and building on the demonstrated success of coordinated industry activities such as World IPv6 Day and World IPv6 Launch, MANRS represents a significant step forward towards building a more resilient and secure Internet infrastructure.
“The security of the Internet as a network of networks often relies on specific collaborative action. This initiative increases the security of the Internet by improving resiliency and stability of the underlying routing infrastructure,” commented Olaf Kolkman, the Internet Society’s Chief Internet Technology Officer. “Participating network operators committed to the MANRS initiative are taking actions that address problems with incorrect routing information and spoofed traffic, demonstrating their collective responsibility to a healthy and secure Internet ecosystem. We encourage and look forward to other network operators around the world publicly taking these steps.”
Participating network operators have taken one or several of the expected actions defined by the MANRS framework. These include preventing propagation of incorrect routing information, preventing traffic with spoofed IP addresses, and facilitating global operational communication and coordination between network operators. Committed network operators are:
● CERNET
● Claranet
● Comcast
● KPN
● Level 3
● NTT
● RUNNet
● SpaceNet
● SURFnet
Several of the participating network operators commented on their actions and today’s announcement:
“Adherence to MANRS is an important commitment that operators make back to the Internet community. Together we aim to remove the havens from which miscreants maintain the freedom and anonymity to attack our network and our customers.”
– David Freedman, Claranet Group
”Comcast is committed to helping drive improvements to the reliability of the Internet ecosystem. We are thrilled to be engaged with other infrastructure participants across the spectrum and around the globe in pursuit of these goals.”
– Jason Livingood, Vice President, Internet Services, Comcast
“Good network routing practice is the fundamental requirement for trust between providers, and ultimately creates a safer and stronger Internet for customers. KPN is committed to providing secure and trustworthy communications, and by joining partners in MANRS, we continue to improve security and resiliency for all.”
– Jaya Baloo, Chief Information Security Officer, KPN
“As one of the most connected Internet providers in the world, security of the Internet is top-of-mind at Level 3 Communications. We are dedicated to supporting and protecting the Internet ecosystem and work each day to safeguard customers’ critical communications. The Internet is a shared responsibility, and only through these important collaborative efforts can we continue to ensure the protection of this collective infrastructure.”
– Dale Drew, Senior Vice President, Chief Security Officer at Level 3 Communications
“SURFnet is a big supporter of these initiatives to make the Internet more secure. Committing to the actions as outlined in the MANRS document will make routing on the Internet safer. This impacts every day usage of the Internet and helps with a free, open, and more secure Internet for all users.”
– Erik Huizer, CTO, SURFnet
For more information about MANRS and the Routing Resilience Manifesto visit:
About the Internet Society
The Internet Society (www.internetsociety.org) is the trusted independent source for Internet information and thought leadership around the world. It is also the organizational home for the Internet Engineering Task Force (IETF). With its principled vision, substantial technological foundation and its global presence, the Internet Society promotes open dialogue on Internet policy, technology, and future development among users, companies, governments, and other organizations. Working with its members and Chapters around the world, the Internet Society enables the continued evolution and growth of the Internet for everyone.
Media Contact
Greg Wood
wood@isoc.org
+1-703-439-2145
Nov 06
Meet The Deploy360 Team at IETF 91
If you will be at IETF 91 next week in Honolulu, please do say hello to members of the Deployment & Operationalization (DO) team within the Internet Society. We are the team behind this Deploy360 website and three of us will be there at IETF 91:
- Chris Grundemann, Director, Deployment & Operationalization
- Megan Kruse, Technology Outreach Manager
- Dan York, Senior Content Strategist
You can expect to find us in the sessions related to IPv6, DNSSEC, routing security and network operations, as well as others related to the topics we cover here on Deploy360. If you’d like to meet with us, please send an email to deploy360@isoc.org and if you don’t know what we look like, this photo may help:
DO Team – left-to-right: Chris Grundemann, Dan York, Megan Kruse, Jan Žorž
See you in Hawaii!
Nov 05
Rough Guide to IETF 91: DNSSEC, DANE and DNS Security
IETF 91 will once again be busy for those of us interested in DNSSEC, DANE and DNS security in general. Two of the major DNS-related working groups, DNSOP and DANE, are both meeting with busy agenda and a new working group called DPRIVE will be meeting to talk about DNS privacy concerns. There are naturally other items related to DNSSEC and "DNS security" in general scattered throughout the week - here is what the week looks like...
NOTE: If you are unable to attend IETF 91 in person, there are multiple ways to participate remotely and listen to these sessions.
Dan York
Nov 05
12 Days Until ION Tokyo!
ION Tokyo is coming up soon on Monday, November 17, 2014! We’ll be live in the same venue as the Japan IPv6 Summit with an agenda packed full of technical sessions. To learn more visit our ION Tokyo page at:
http://www.internetsociety.org/deploy360/ion/tokyo2014/
The sessions will include:
- An IPv6 Case Study from NTT
- The Business Case for Implementing DNSSEC
- Best Current Operational Practices Update
- Panel Discussion – IPv6 in Asia
The event has excellent speakers and we’re looking forward to meeting with network operators, enterprises and many others.
If you are going to be in Tokyo for the Japan IPv6 Summit or for Internet Week Japan, please do join us Monday morning for ION Tokyo!
Nov 05
A Great Amount of DNSSEC / DANE / DNS Activity At IETF 91 Next Week
What is happening next week at IETF 91 in Honolulu with regard to DNSSEC, DANE and other “DNS security” topics?
A great amount of activity, it turns out!
So much that my “Rough Guide to IETF 91: DNSSEC, DANE and DNS Security” turned into quite a lengthy article. Please read that article for the full description, but a quick summary can be:
- DNSOP will have discussions around “Negative Trust Anchors”, “DNS Cookies” and more.
- DANE will discuss using DANE for email, and specifically S/MIME, as well as SRV records and a discussion led by me about what we can learn from current deployments of DANE.
- A brand new DPRIVE working group will be exploring challenges around privacy and confidentiality of DNS queries.
- TRANS will look at applying Certificate Transparency (CT) mechanism to DNSSEC keys.
- EPPEXT will discuss how to move a draft forward about secure transfer of DNSSEC-signed domains between registrars.
- HOMENET and DNSSD will both be looking at different aspects of using DNS with small networks or “Internet of Things” (IoT) environments – and the question of course is how this usage gets secured.
… and again you’ll want to read the full article to understand more. The key point is that it will be busy for those of us interested in DNS-related issues! If you are going to be out at IETF 91, please do contact us or find me there. Odds are pretty good you’ll find me in either the DNS or IPv6 sessions!
And if you want to get started today with DNSSEC, please visit our Start Here page to learn how!
