Dan York

Just a guy in Vermont trying to connect all the dots...

Author's posts

TDYR #113 – The Challenge Of Packing All The Gear For Audio And Video Content Creation

8 Sessions About DNSSEC / DANE / DNS At IETF 89 Next Week

Wow! IETF 89 next week in London is going to be an extremely busy week for those of us interested in DNSSEC, DANE and DNS security in general. As I explained in a post today, “Rough Guide to IETF 89: DNSSEC, DANE and DNS Security”, there are 5 new working groups and BOFs related to DNS and DNSSEC in addition to the three already existing working groups.

I go into quite a bit of detail in the Rough Guide blog post, but here are the quick summaries of what is happening this week:

  • The DANE Working Group is focused on how to use the DANE protocol to add more security to TLS/SSL connections. The DANE WG agenda at IETF 89 is about using DANE with email and IM, operational guidance and much more.
  • The DNS Operations (DNSOP) Working Group has a very full agenda, with the biggest DNSSEC-related piece being the drafts around how to deal with the critical issue of the uploading of DS records from DNS operators to registries. There is some other great DNSSEC work being discussed there, too.
  • The brand new Using TLS in Applications (UTA) Working Group has as a primary goal delivering a set of documents that are “go to” security guides aimed at helping developers add TLS support into their applications. We’re interested in the potential DNSSEC/DANE connection there.
  • The new Public Notary Transparency (trans) Working Group on Wednesday is looking at how to update the experimental RFC 6962, “Certificate Transparency”, to reflect recent implementation and deployment experience. Our particular interest is that part of the charter is to ensure that this mechanism can work in the presence of DANE records in addition to the regular web certificate-based system.
  • The new EPP Extensions (eppext) Working Group is looking at draft-ietf-eppext-keyrelay, which defines a mechanism that can be used to securely transfer a DNSSEC-signed domain from one operator to another.
  • The “Encryption of DNS requests for confidentiality” (DNSE) BOF is exploring how to protect the confidentiality of DNS requests from sniffing.   The DNSE BOF will use draft-bortzmeyer-dnsop-dns-privacy and draft-koch-perpass-dns-confidentiality as starting points for discussion.
  • The Domain Boundaries (dbound) BOF is looking at how domain names are used in setting security policies.  Our interest is in understanding how this may fit into the other DNS security components of the work we are doing such as DNSSEC and DANE.
  • The Extensions for Scalable DNS Service Discovery (dnssd) Working Group is continuing their discussions about how DNS-SD (RFC6763) and mDNS (RFC6762) can be used beyond the local network. Our interest is in how this all gets done securely.

We will finish out the week with a breakfast meeting Friday morning with people involved in the DNSSEC Coordination effort (and anyone can join the mailing list) where we’ll have some conversation and food before heading off to the DNSOP and/or UTA working groups.

It’s going to be a crazy-busy week… but I’m looking forward to seeing all that we can get done!

Relevant Working Groups and BoFs

dnssd (Extensions for Scalable DNS Service Discovery) WG
Monday, March 3, 2014, 1300-1500 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: https://datatracker.ietf.org/wg/dnssd/charter/

dnse (Encryption of DNS request for confidentiality) BOF
Tuesday, March 4, 2014, 1420-1550 UTC, Viscount Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnse/
List of BOFs: http://trac.tools.ietf.org/bof/trac/

trans (Public Notary Transparency) WG
Wednesday, March 5, 2014, 1520-1620 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/trans/
Documents: https://datatracker.ietf.org/wg/trans/
Charter: https://datatracker.ietf.org/wg/trans/charter/

dane (DNS-based Authentication of Named Entities) WG
Thursday, March 6, 2014, 0900-1130 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dane/
Documents: https://datatracker.ietf.org/wg/dane/
Charter: http://datatracker.ietf.org/wg/dane/charter/

dbound (Domain Boundaries) BOF
Thursday, March 6, 2014, 1520-1650 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dbound/
List of BOFs: http://trac.tools.ietf.org/bof/trac/

eppext (Extensible Provisioning Protocol Extensions) WG
Thursday, March 6, 2014, 1700-1830 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/eppext/
Documents: https://datatracker.ietf.org/wg/eppext/
Charter: http://tools.ietf.org/wg/eppext/charter/

dnsop (DNS Operations) WG
Friday, March 7, 2014, 0900-1130 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charter/

uta (Using TLS in Applications) WG
Friday, March 7, 2014, 0900-1130 UTC, Richmond/Chelsea/Tower Rooms
Agenda: https://datatracker.ietf.org/meeting/89/agenda/uta/
Documents: https://datatracker.ietf.org/wg/uta/
Charter: http://tools.ietf.org/wg/uta/charter/


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

Rough Guide To IETF 89: DNSSEC, DANE and DNS Security

At IETF 89 next week in London there is a huge amount of activity related to DNSSEC, DANE and DNS security in general, largely due to three brand new working groups and two new birds-of-a-feather (BOF) sessions.

Dan York

Papers Now Available Publicly for W3C/IAB “Strengthening the Internet” Workshop (Featured Blog)

Want to read a wide range of views on how to strengthen the security and privacy of the Internet? Interested to hear how some of the leaders of the open standards world think we can make the Internet more secure? As I wrote about previously here on CircleID, the W3C and the Internet Architecture Board (IAB) are jointly sponsoring a workshop on "Strengthening The Internet" (STRINT) on February 28 and March 1 in London just prior to the IETF 89 meeting happening all next week.

TDYR #112 – Getting Ready For IETF 89 Next Week In London

Next week is IETF 89 in London and in this episode I talk about the craziness of getting everything ready for the trip where I leave on Friday morning...

6 Sessions About IPv6 At IETF 89 Next Week In London

As you might expect, IETF 89 next week in London will be filled with activity related to IPv6. My colleague Phil Roberts writes today in “Rough Guide to IETF 89: All About IPv6”:

While the standard for IPv6 has long-since been finished, there are ongoing discussions in the IETF of maintenance issues in the protocols, IPv6 operational issues and management, and possible uses in home networks and very large-scale networks (of small scale devices). Many of these discussions will happen next week in London.

Phil goes on to write in a bit more detail about what is happening within the 6man and v6ops working groups at IETF 89 next week.

Given our focus on IPv6 here at Deploy360, it should come as no surprise that you’ll be able to find our team at pretty much all of the working groups focused around IPv6. We’ll be in homenet looking at IPv6 in home networks, v6ops discussing operational issues, 6man to look at maintenance of the IPv6 specification, sunset4 to talk about how we phase out IPv4, and 6lo and 6tisch to look at IPv6 in low power or resource-constrained networks. Beyond these groups, of course, there will be many others that discuss IPv6, but these are the main groups we’ll be focusing on.

Relevant Working Groups

homenet (Home Networking) WG
Tuesday, March 4, 2014, 0900-1130 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/homenet/ (not yet posted)
Documents: https://datatracker.ietf.org/wg/homenet/
Charter: https://datatracker.ietf.org/doc/charter-ietf-homenet/ 

6man (IPv6 Maintenance) WG
Tuesday, March 4, 2014, 1610-1840 UTC, Viscount Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/6man/
Documents: https://datatracker.ietf.org/wg/6man/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6man/ 

v6ops (IPv6 Operations) WG
Wednesday, March 5, 2014, 0900-1130 UTC, Sovereign Room
Thursday, March 6, 2014, 1300-1500 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/

6lo (IPv6 over Networks of Resource Constrained Nodes) WG
Wednesday, March 5, 2014, 1520-1730 UTC, Balmoral Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/6lo/
Documents: https://datatracker.ietf.org/wg/6lo/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6lo/ 

sunset4 (Sunsetting IPv4) WG
Thursday, March 6, 2014, 0900-1130 UTC, Palace C
Agenda: https://datatracker.ietf.org/meeting/89/agenda/sunset4/ (combined with the Multiple Interface (mif) WG meeting)
Documents: https://datatracker.ietf.org/wg/sunset4/
Charter: http://tools.ietf.org/wg/sunset4/charters

6tisch (IPv6 over TSCH mode of 802.15.4e)
Thursday, March 6, 2014, 1300-1500 UTC, Buckingham Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/6tisch/
Documents: https://datatracker.ietf.org/wg/6tisch/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6tisch/ 


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

TDYR #111 – New Report Out About Protecting Against DDoS Attacks On DNS

How can we best protect the Domain Name System (DNS) against distributed denial of service (DDoS) attacks? There's a new report from ICANN's SSAC on this issue: http://www.internetsociety.org/deploy360/blog/2014/02/ssac-issues-new-report-on-ddos-attacks-against-dns/

What Devices And Software Support The Opus Audio Codec? Here Is A List

What devices support the Opus audio codec? What softphones? hardphones? call servers? Obviously given that Opus is the "mandatory to implement" audio codec for WebRTC, it will be in many web browsers... but what other I was asked this question by a colleague recently and when I couldn't easily find a list on the Opus codec web site, I turned to the VUC community inside of Google+ and posted there. The great folks there naturally were a huge help, and quickly came up with this list:

UPDATE: No sooner had I hit "Publish" than I discovered that Wikipedia has a list of devices and software supporting the Opus codec. As that list is much longer than this one below, I'd encourage you to look at that list.

What other devices or software support the Opus codec? (Or what other lists are out there listing devices supporting the Opus codec?) Please do let me know either by comments here or on social media.

Thanks!

P.S. If you don't understand WHY the Opus codec matters so much, please read my earlier post on this topic.




SSAC Issues New Report On DDoS Attacks Against DNS

What can be done to prevent Distributed Denial of Service (DDoS) attacks against the DNS infrastructure? What can individuals or organizations who operate DNS servers do to their own systems to help reduce the threat of DDoS attacks? ICANN’s Security and Stability Advisory Committee (SSAC) took on this issue recently and released a new report this week: “SAC065: SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure”. It is available as a free PDF download in English.

While the report is not about DNSSEC, per se, it is about the overall issue of “DNS security” and outlines steps that can be taken to reduce the potential of DNS-based DDoS attacks. This is critical if we are to get DNSSEC more widely deployed, because some DNS server operators have pushed back on DNSSEC, citing concerns that the larger size of DNSSEC packets could help amplify DDoS attacks.

The recommendations for the industry include the following (with the report providing more detail on each):

Recommendation 2: All types of network operators should take immediate steps to prevent network address spoofing.

Recommendation 3: Recursive DNS server operators should take immediate steps to secure open recursive DNS servers.

Recommendation 4: Authoritative DNS server operators should investigate deploying authoritative response rate limiting.

Recommendation 5: DNS operators should put in place operational processes to ensure that their DNS software is regularly updated and communicate with their software vendors to keep abreast of latest developments.

Recommendation 6: Manufacturers and/or configurators of customer premise networking equipment, including home networking equipment, should take immediate steps to secure these devices and ensure that they are field upgradable when new software is available to fix security vulnerabilities, and aggressively replacing the installed base of non-upgradeable devices with upgradeable devices.

We agree with those recommendations and definitely encourage people to read the SSAC report and implement as many recommendations as possible.

Working together we can make the Internet more secure!