Dan York

Just a guy in Vermont trying to connect all the dots...

Author's posts

Great To See Full (And Faster) IPv6 At ICANN 50 In London

Here at ICANN 50 in London (where I am focused on DNSSEC sessions) it was great to connect to the WiFi network and find that I had full IPv6 connectivity.  Here’s a shot of the IPvFoo plugin for Chrome when I went to the main ICANN 50 website:

ICANN 50 IPv6

Even more fascinating was how much faster the IPv6 connectivity is here versus IPv4, undoubtedly because most of the 3,300+ attendees are using primarily IPv4.  Using Comcast’s Speedtest we wrote about back in February, I was amazed to see the dramatically different speeds:

ICANN 50 IPv6 Speed Test

I was so surprised that I had to run Comcast’s speed test several more times and test against multiple different servers. (Yes, I’m a network geek who is fascinated by this kind of thing!)  All of them gave similar results… one even offering an even higher IPv6 upload speed:

icann50-ipv6-comcast-speedtest2

Sadly, I don’t have any large videos I need to upload to YouTube or anything like that, because clearly this ICANN 50 network would be the place to do so! (Assuming the sites were all over IPv6, as YouTube is.)

To double-check, I also went to ipv6-test.com’s speed test, where IPv4/IPv6 is also differentiated, and again saw a difference (it seems to only test download speed):

IPv6 test from ipv6-test.com

All in all it is great to see that not only is ICANN offering IPv6 connectivity to all attendees… but it is faster than that over IPv4.

Way to go, ICANN!


UPDATE: Article updated with the information that there are now over 3,300 registrants at this ICANN meeting!

FIR #761 – 6/23/14 – For Immediate Release

Book review still coming; Quick News: FDA's proposed healthcare social media rules, annoying LinkedIn notifications, new paid-editing Wikipedia rules, debate on ethics of wearables; Ragan promo; News That Fits: How Edelman enforces Wikipedia best practices, podcasters reading paid sponsor spots, Media Monitoring Minute from CustomScoop, Dan York's Tech Report, listener comments, caveats on paid Facebook promotions, Igloo Software promo, the past week on the FIR Podcast Network, the rise of proximity-aware communication; how to comment; music from Eli Uno; and more.

3 DNSSEC Sessions Happening At ICANN 50 Next Week in London (Featured Blog)

As I mentioned in a post to the Deploy360 blog today, there are three excellent sessions relating to DNSSEC happening at ICANN 50 in London next week: DNSSEC For Everybody: A Beginner's Guide; DNSSEC Implementers Gathering; DNSSEC Workshop. Find out more.


3 DNSSEC Sessions At ICANN 50 In London Next Week

Next week (June 23-26, 2014), we’ll be at ICANN 50 in London for the usual excellent DNSSEC sessions, two of which will be streamed live for remote participants.

The three activities are…

DNSSEC For Everybody: A Beginner’s Guide

First up on Monday, June 23, 2014, in the late afternoon from 17:00 – 18:30 BST (London time) will be the DNSSEC For Everybody: A Beginner’s Guide session where we start at the very basic level of why should anyone care about DNSSEC and get into what kind of problem we are trying to solve.  This session includes a skit (seriously!) where we act out DNS and DNSSEC transactions and talk about blue smoke (seriously!).  It’s a good bit of fun and people tell us that it definitely helps them understand DNS and DNSSEC – or maybe they just like watching a bunch of DNS geeks act out in a skit. :-)

You can listen remotely via an audio stream or listen and view the slides via a virtual meeting room.  Details are on the program page.

DNSSEC Implementers Gathering

Next, on Monday evening from 19:30-21:30 (or later) some of us will join in an “informal gathering of DNSSEC implementers” at a nearby restaurant/bar. This is a time to share experiences, exchange information and just generally interact with other people involved with deploying DNSSEC.  As ICANN’s Julie Hedlund wrote in a note to various email lists:

DNSSEC Implementers are invited to attend an informal gathering to discuss and exchange information on their DNSSEC implementation experiences during the ICANN meeting in London, sponsored by Nominet UK. This is a unique opportunity to meet with and talk to key implementers, such as Nominet UK, CNNIC, JPRS, NZNIC, CIRA, CZNIC, SIDN, and others. We do ask that in order to participate you should come prepared to say a few words about your experiences. This is a peer-to-peer event for implementers.

It’s been a fun time at past events and generated both good conversations and connections for future work activities after the meetings are over.

It should perhaps be obvious but this event will NOT be available for remote participation.  If you will be in London, though, and are interested in interacting with others who are deploying DNSSEC, you are welcome to join us.  As Julie requests, RSVP by close of business on this Thursday, June 19, 2014.

DNSSEC Workshop

The BIG event of the week is the DNSSEC Workshop on Wednesday, June 25, where we meet from 8:30 – 14:45 London time for this detailed session diving into many different aspects of DNSSEC.  I’m on the Program Committee for the workshop and I can tell you that there will be some excellent presentations at this session.  The slides and full agenda will be available soon, but the major areas of discussion will include:

  • Introduction and DNSSEC Deployment Around the World
  • DNSSEC Activities in the European region
  • The Operational Realities of Running DNSSEC
  • DANE and DNSSEC Applications
  • DNSSEC Automation
  • Panel Discussion/Demonstrations on Hardware Security Modules (HSMs)

The workshop continues to attract some of the best technical people involved with DNSSEC and the conversations and discussions that happen there provide outstanding value to those interested in these topics.  If you’re interested in DNSSEC and how it can make the Internet more secure, I highly recommend tuning in!

You can listen remotely via an audio stream or listen and view the slides via a virtual meeting room.  Details are on the program page.

Rough Guide To ICANN 50

These DNSSEC events are just a part of all the many activities happening at ICANN 50 that we at the Internet Society are interested in.  To understand all of what is happening at ICANN 50 that lines up with our organization’s priorities, please see the Internet Society Rough Guide to ICANN 50.

Say Hello!

I (Dan York) will be there in London.  Please do say hello – you can find me at any of these events and also around other areas of ICANN. You can also email me at deploy360@isoc.org if you’d like to meet with me.  You can also contact us via Twitter, Facebook or Google+.

TDYR #159 – Can You Come Up With A Better Topic Name Than Anti-Spoofing?


Cloud Provider Digital Ocean Announces IPv6 Support In Singapore

We were very pleased to see the news that cloud platform provider Digital Ocean announced IPv6 support in their Singapore data center.  The announcement says in part:

Since our launch, IPv6 has been one of the most requested features in our community. Today we are excited to announce that public IPv6 addresses are now available for all Droplets in our Singapore region. IPv6 can be enabled during Droplet creation, or added to existing Droplets without the need for a reboot. This will be the standard for all new datacenter locations going forward – several of which will be launching within the next few months.

The article goes on to point to a number of articles that help users get started on IPv6.  There’s an ongoing discussion thread on the article where it seems that in this initial deployment Digital Ocean is not allocating a full /64 to each virtual private server (VPS) but rather allocating a smaller /124 instead. To their credit, the folks from Digital Ocean are engaged in the conversation and seeking feedback and information from people there.  (My only comment would be to point to the links off of our IPv6 address planning page and to RFC 6177/BCP 157, all of which generally recommend at least /64 for end networks. Still, there is no “one-size-fits-all” approach and it will be interesting to see what evolves in the cloud marketplace.)

More importantly, Digital Ocean moderators reconfirm in the comments that they will be implementing IPv6 across all their data centers and that all new data centers will support IPv6 from the start.

As we’ve written here over the past week, cloud providers need to get with the IPv6 program … and Microsoft ran out of “U.S.” IPv4 addresses for their Azure cloud … so it’s great to see a cloud provider starting down the path to having IPv6 everywhere!

If you want to join with Digital Ocean in making the transition to IPv6, please visit our “Start Here” page to find IPv6-related resources focused on your type of organization – and please do let us know if you can’t find what you are looking for!

P.S. There are of course discussion threads on this topic on both Hacker News and Reddit.

UPDATE: Moments after I hit “Publish” on this post, Digital Ocean tweeted out a chart showing the nice big spike in their IPv6 usage as people went in and enabled IPv6 on their VPS’. Very nice to see spikes like this!


Critical Need To Update Tweetdeck (If You Haven’t Already)

If you are a user of Tweetdeck, as I am, and you somehow missed the security warnings from last week, you need to update Tweetdeck!

There is a critical security vulnerability that allows an attacker to remotely execute code on your system. Granted, "all" it can do is send out tweets from your account, follow users or do other tasks that your Twitter account can do, i.e. it can't access your local hard drive or system. Still, though, having tweets go out from your account(s) via Tweetdeck could be harmful in any number of ways.

More information is available in these articles:

It seems to be the stereotypical case where a programmer didn't check to see if the text that is about to be displayed contains only allowed HTML code. This is the kind of error that has been found in any number of web applications over the years.

The net is that you need to update Tweetdeck to the latest version through whatever means you use to update your computer.

If you are a regular user of Tweetdeck you should have seen an update notice come up last week - and hopefully you did so! If you only occasionally use Tweetdeck, you may want to go in now and make sure you update to the latest version.




What Shall We Call Our New Topic Area On “Anti-Spoofing” Of IP Addresses?

We need your help.  We are struggling with what to name the new topic area we are planning to launch related to preventing the “spoofing” of IP addresses.

In routing security circles this topic is generally referred to as “anti-spoofing” and we’ve talked about it ourselves that way such as in our report on an anti-spoofing panel at RIPE66 and the associated videos and whitepapers.  But that name has a couple of problems I’ll talk about below.

First, for some context, back in January 2014 we announced that we were changing how we covered the general topic of “routing resiliency and security”.  Rather than one broad – and vague – topic on “Routing”, our plan was to launch smaller focused topic areas – and with that announcement we launched our “Securing BGP” topic.

The second focused topic area we want to launch is about steps that network operators and others can do to prevent the spoofing of IP addresses on their networks – and how this can help with prevention of distributed denial-of-service (DDoS) attacks.  Essentially we want to promote the validation of source IP addresses through using tools such as network ingress filtering.  Those who are aware of IETF RFCs/BCPs will know this as BCP 38 and BCP 84.  (And yes, there are the cynics out there who say that getting people to implement BCP 38 is right up there with seeing unicorns and with getting people to deploy IPv6, but hey, we are collectively making some progress with IPv6!  Unicorns are still not walking around, though.)

The simple answer (and where we might end up) would be to call this new topic area: “anti-spoofing”.  But if you look at our other topic areas, they are all technologies that can be deployed:

Okay… so “Securing BGP” is a bit squishy and not as specific as the others, but still, it is about a technology.  All of the topic area names are also short and easy to add to menus.  They all yield nice easy URLs of the form “/deploy360/<topic>/”.

The problems we have with “anti-spoofing” include:

  • “anti-spoofing” … of WHAT?   A web search will show that outside of the routing community the same term is used for efforts against the spoofing of Caller ID, email messages, face recognition, GPS signals, and more.  Many of the results seem to be about spoofing of IP addresses, but not all.
  • It does not reference a technology.

What we are really talking about is preventing the spoofing of source IP addresses inside of a network and the prevention of those spoofed addresses from leaving a network.  We are seeking validation of the original IP address.  However, calling it “IP Spoofing” speaks to the thing we want to prevent, rather than the technology or standards that we want to see deployed.  We want the topic name to reflect what we want people to deploy.
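Source address validation at a customer edge, as an added example (not code from this post or from Deploy360): a packet is forwarded only when its source address falls inside a prefix assigned to the interface it arrived on, which is the ingress-filtering idea behind BCP 38. The interface names, prefix assignments and sample packets are hypothetical and use documentation address ranges.

```python
import ipaddress
from collections import Counter

# Hypothetical edge-router view: the prefixes assigned to each customer-facing
# interface. Addresses are from the documentation ranges (constructed data).
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

def build_filters(assigned):
    """Parse prefix strings once so each packet check is a cheap membership test."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}

def source_is_valid(filters, ifname, src):
    """True only if src lies inside a prefix assigned to the arrival interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                      # unparseable source: fail closed
    return any(addr.version == net.version and addr in net
               for net in filters.get(ifname, ()))  # unknown interface: no prefixes

def filter_packets(filters, packets):
    """Split packets into those forwarded and a per-interface count of drops."""
    forwarded, dropped = [], Counter()
    for ifname, src, dst in packets:
        if source_is_valid(filters, ifname, src):
            forwarded.append((ifname, src, dst))
        else:
            dropped[ifname] += 1
    return forwarded, dropped

# Constructed sample traffic: (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),            # inside cust-a's /25
    ("cust-a", "192.0.2.200", "203.0.113.5"),           # same /24, outside the /25
    ("cust-a", "2001:db8:a:1::5", "2001:db8:ffff::1"),  # inside cust-a's /48
    ("cust-b", "192.0.2.10", "203.0.113.5"),            # cust-a's address seen on cust-b
    ("cust-b", "198.51.100.77", "203.0.113.5"),         # inside cust-b's /24
    ("cust-c", "198.51.100.1", "203.0.113.5"),          # interface with no assignment
]

if __name__ == "__main__":
    fwd, drops = filter_packets(build_filters(ASSIGNED), SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)} packets; drops per interface: {dict(drops)}")
```

The per-interface drop count is the part worth logging in practice, since a steady stream of drops on one interface points at a misconfigured or compromised host behind it.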

We tried a number of different names:

  • Anti-spoofing
  • Source Address Validation
  • IP Address Source Validation
  • IP Anti-spoofing
  • Ingress Filtering
  • Preventing IP Spoofing
  • Preventing IP Address Spoofing
  • Preventing IP Address Fraud
  • IP Address Validation
  • Stop Spoofing
  • Stop IP Address Spoofing
  • Illegitimate Traffic
  • BCP 38  (or BCP 84)
  • DDoS Prevention

We didn’t find any of those particularly appealing.  Keep in mind that the topic name needs to appear in a number of places on the Deploy360 website including the home page graphic slide, the navigation menus, sidebars, categories, etc.  It also needs to fit in with the other topic areas mentioned earlier.

We thought about “Ingress Filtering”, because that is the technology we ultimately want deployed – but that name is probably even less familiar to people than “anti-spoofing” and just seemed too long.

We toyed with “DDoS Prevention”, as that is really the end goal, and quite frankly would have some SEO/publicity value given the increased reports of DDoS attacks in the news.  But as our summer intern so aptly put it, that “sounds like we are on a crusade” and is also too broad.  We realized that if we open up a topic area on “DDoS Prevention” it is much more than source address validation – we could wind up getting into global load balancers, CDNs and so many other approaches.  And maybe that’s a good thing – but our goal right now is to get out deployment information related to why network operators should deploy source address validation to help the overall resiliency of the Internet.

And so here we are… we want to start promoting some of the tools and methods network operators can use to prevent IP address spoofing.  We want to do this because it is a way to make the Internet more secure and more resilient – and also in part to support some of the other Internet Society efforts underway such as the Routing Resiliency Survey.  We want to be able to talk here on the Deploy360 blog about why it is important to do this.

But we’re struggling with the name because “anti-spoofing” doesn’t seem to fit well with our other names. We’re looking for something specific, short and ideally focused on the technology we want to see deployed.

What do you think?  What should we call this new topic area?  Should we just go with “anti-spoofing”?  Or “ingress filtering”? Or “DDoS Prevention”?  Or one of the other names here? Do any of you have some idea for another name that we’ve missed here?

Any suggestions, ideas and feedback would be greatly appreciated as we’re kind of sitting here spinning our wheels while we try to sort out what name would work best.

Please leave a comment here on the blog or on Twitter, Facebook, Google+ or any of the other social networks where we post this.  Or just send us an email at deploy360@isoc.org if you would rather share your thoughts privately with us.  We’d greatly appreciate any comments BY THIS FRIDAY, JUNE 20, 2014, as we’re trying to move ahead with this topic area soon.

Many thanks!


UPDATE: We’ve had a couple of suggestions coming in already:

Please do keep them coming!

FIR #760 – 6/16/14 – For Immediate Release

Upcoming speaking engagements; Mobile Mind Shift book review forthcoming; Quick News: Kit Kat gives rail passengers in Japan a break, Global PR agencies endorse Wikipedia policies, Jaguar XF owner's novel protest, Robert Peston vs. PR; Ragan promo; News That Fits: New York Times debuts the Snowfall of native ads, advice for adaptive storytelling from the Washington Post, Media Monitoring Minute from CustomScoop, listener comments, Dan York's Tech Report, FleishmanHillard releases 2014 Authenticity Report, Igloo Software promo, the past week on the FIR Podcast Network, Salesforce and others bet the business world is ready for wearables; music from Tab Spencer; and more.