Just a guy in Vermont trying to connect all the dots...
Dan York
Author's posts
Jan 17
New IETF “openv6″ Mailing List For IPv6 Application Developers
Do we need an “open interface and a programmable platform to support various IPv6 applications? That is the question posed for a new “openv6″ IETF discussion mailing list announced yesterday. The openv6 list, which is open to anyone to subscribe to, has this description:
This list is to discuss a open interface and a programmable platform to support various IPv6 applications, which may include IPv6 transition technologies, SAVI (Source Address Validation and Traceback), security, data center and etc. This discussion will focus on the problem space, use case and possible protocol extensions. The following questions are listed to be solved via this discussion:
(1) What are the problems and use cases existing in various IPv6 applications, e.g., multiple IPv6 transition technologies co-exist?
(2) How to enable the applications to program the equipment to tunnel IPv6 traffic across an IPv4 data plane?
(3) How this work can be done through a general interface, e.g., to incorporate the transition policies, simplifying the different stages through the transition and guaranteeing that current decisions do not imply a complicated legacy in
the future?(4) How to make the end-to-end configuration of devices: concentrator/CGN, CPE and the provisioning system?
(5) How to extend the existing IETF protocols, e.g., netconf, to support this open interface?
The list is not for forming a new IETF working group (WG). It is at this point purely for discussing this topic. The mailing list archive seems to be empty at the moment (or the link is not correct), but given that the list was just announced yesterday the list owners may be waiting for people to join the list before kicking off discussion. In searching IETF archives I found this recent draft from October 2013, “Problem Statement for Openv6 Scheme,” that may be part of the discussion. I expect we should see more information soon as the discussion begins.
Anyway, if you are an application developer looking to look at how you help your applications work over IPv6 this may be an interesting mailing list to join, if for no other reason than to monitor it and see what work is happening.
I’m looking forward to seeing the discussion begin!
Jan 16
TDYR #071 – A Very Cool Trick To Type Special Characters On A Mac Keyboard
I learned a very cool trick to type special characters while on a Mac... where before to type a "ü" I would press "Alt+u" to get an umlaut and then the "u" key, now I just use what I describe in this episode... VERY cool! (And presumably only for Macs - I don't know if there is a similar trick for Windows.)
Jan 16
W3C/IAB “Strengthening the Internet” Workshop: Deadline Monday to Submit Position Papers (Featured Blog)
How can the open standards organizations of the IETF and W3C "strengthen the Internet" against large-scale pervasive monitoring? That is the topic up for discussion at the "Strengthening the Internet Against Pervasive Monitoring (STRINT)" workshop planned for February 28 and March 1, 2014, and jointly sponsored by the Internet Architecture Board (IAB) and the W3C. The workshop is by invitation-only and has a deadline of Monday, January 20, 2014 (by 11:59 UTC) for submission of either position papers or Internet drafts. More...
Jan 16
Deutsche Telekom IPv6 Traffic Passes 15%, Verizon Wireless IPv6 Traffic Passes 40%!
The latest World IPv6 Launch measurements are up, and as noted in a blog post by Mat Ford, Deutsche Telekom has shown impressive growth over the past few months with this month’s metrics showing that 15.50%
Also rather significantly you can see in the list that now over 40% of the traffic coming from Verizon Wireless’ network is all going over IPv6! This is all through the fact that Verizon Wireless’ LTE network support IPv6.
The cool part of these World IPv6 Launch measurements is that they are a combination of data collected by Google, Facebook, Yahoo and Akamai. All of those sites are available over both IPv6 and IPv4 and so the sites are measuring the connections that come in to their sites over each protocol.
This shows that as access networks roll out IPv6 availability the content providers are very definitely seeing the connections coming in to their sites over IPv6!
The networks around the world are changing over to IPv6! If you are a website operator or provide other content online, have you thought about how you can make your content available over IPv6?
Jan 16
CircleID: DNS Security Should Be One Of Your Priorities (including DNSSEC)
We were very pleased to see this recent post over at the CircleID site, “Domain Name System (DNS) Security Should Be One of Your Priorities“, by Rick Rumbarger. He makes a number of great points, particularly about the fact that so many people take DNS for granted and don’t give it the attention they should.
Naturally, given our focus on getting DNSSEC deployed, we were delighted to see his paragraph:
Activate DNSSEC On Your Domain Names – DNSSEC counters cache poisoning attacks by verifying the authenticity of responses received from name servers. It effectively prevents responses from being tampered with, because in practice, signatures are almost impossible to forge without access to the private keys. If your DNS provider is not DNSSEC capable… make a switch.
He’s right! DNSSEC is critical for protecting the integrity of the information you get out of DNS queries. In his paragraph, he talks about the signing of domain names with DNSSEC, but it is important to remember that this is only half the equation with DNSSEC. The other piece you need to do is to enable validation of DNSSEC on your local DNS resolver.
The local validation of DNSSEC information protects the inquiries your computer makes for DNS info, and the signing protects the integrity of your own domain name.
The one point I do take issue with in Rick Rumbarger’s article is his suggestion to outsource ALL your DNS services on both the authoritative side (distributing your domain records) and the recursive resolver side (making inquiries to DNS). On the authoritative side, I agree that outsourcing DNS services can make a whole lot more sense than running your own DNS servers. Most of the DNS hosting companies out there have put a great amount of effort into performance, security, DDoS protection and more – and since they are focused on that can provide better protection and performance than many of us can do ourselves (unless, of course, we operate our own data centers).
However, on the recursive resolver side, I am much more of a fan of having the DNS resolution occur as close to the end user as possible. This is particularly true when you enable DNSSEC validation. Your DNS query is going from the stub resolver on your local computer to the whatever recursive resolvers you have configured in your computer. These are the ”DNS servers” in most operating system network control panels and are often supplied via DHCP to computers on a local network.
The connection between your stub resolver and the recursive resolver you use is typically unencrypted and represents an area where an attacker could inject bogus DNS information. Ideally the connection occurs over a “trusted” network, such as your local area network. If the recursive resolver is on the edge of your local network and is performing DNSSEC validation from that point on, then the attacker would have to somehow get on your local network in order to attack your DNS queries.
If you can’t have a recursive resolver at the edge of your local network, the next best option to me is to use the recursive resolvers at your ISP . You are then only widening the attack surface to be between your local network and that of your ISPs network.
If you can’t do DNSSEC validation at either your local network edge or your ISP, you then do need to go out and use an external recursive resolver that does DNSSEC validation such as Google’s Public DNS. However… the attack surface against your DNS queries has now been expanded to include the entire part of the public Internet that is between your computer and Google’s Public DNS servers (to use the example of Google). An attacker now has a better chance of getting in the middle and injecting false DNS information that goes back to your stub resolver running on your machine.
So for those reasons, I prefer to run the recursive DNS resolver as close to the end user as possible. In the ideal world, the DNSSEC validation might even be performed on the local machine (which can be done today using something like DNSSEC-Trigger) or in the application the user is using.
Outside of that point, I agree with the points Rick Rumbarger raises – and it’s great to see attention being given to this issue of DNS security!
P.S. And to perfectly illustrate one of Rumbarger’s other points about having strong access control for your DNS records there is this post today about how easy it was to get a DNS hosting provider to change DNS records with a simple email message. This is something that DNSSEC will NOT protect against because the DNS hosting provider is changing the actual zone file that would then be encrypted with DNSSEC. It shows again how “DNS security” is really composed of many different layers!
Jan 15
TDYR #070 – Have You Planned Your Own Funeral Yet?
Have you planned your own funeral/memorial service yet? Does anyone know how you would like your death handled? Do you want to be buried? cremated? In this episode I reflect on how a recent experience made me realize how important thinking about these questions can be - as well as sharing that information with others.
Jan 15
RFC 6555 – Happy Eyeballs
If an application gets back both an IPv4 and IPv6 address from DNS, which one should the application use to connect? This dilemma for a “dual-stack” host is one that Dan Wing and Andrew Yourtchenko addressed in RFC 6555, “Happy Eyeballs: Success with Dual-Stack Hosts“ that can be found at:
At a high level, the premise is quite simple: open up a connection over BOTH IPv4 and IPv6 and use whichever one is fastest.
The idea being that the user will experience the best possible speed and will therefore have “happy eyeballs” if they are using something like a web browser where visual content is being viewed. RFC 6555 offers a number of suggestions and offers ideas for application developers to consider.
A variation of “happy eyeballs” is now implemented in most major web browsers, but the idea is not just for web browsers. Basically any application operating on a dual stack computer can use this idea to make the user experience as fast as possible.
Jan 14
Slides: Security In An IPv6 World – Myth & Reality
What are the myths about IPv6 security? What is the reality? How secure is IPv6 really? What new security advantages does it offer? What should IT system administrators be thinking about with regard to security as they move into an IPv6 world?
In a talk to the South Asian Network Operators Group (SANOG) today, our Chris Grundemann discussed these questions and many more in a talk titled “Security In An IPv6 World – Myth & Reality“. His slides are now online for viewing:
If a recording of the presentation becomes available we’ll update this post with more information.
Jan 14
TDYR #069 – On The Awesomeness Of Jetpack’s Connection Into Google+
The Jetpack plugin for WordPress now lets you publicize posts to your blog out to Google+ in addition to Twitter, Facebook and other services. In this episode I talk about the power of that and all the other features of the Jetpack plugin. More info:
http://jetpack.me/
http://www.disruptiveconversations.com/2013/12/awesomeness-jetpack-27-lets-wordpress-users-auto-post-content-to-google.html
Jan 13
TDYR #068 – Are You Enabling “Rapid Content Creation” Within Your Organization?
Are you thinking of your organization as a "media company"? Are you fully embracing the opportunity the Internet provides to tell your own story in your own words? Are you enabling people within your company to rapidly create content online?
See: http://www.disruptiveconversations.com/2014/01/are-you-in-the-business-of-rapid-content-creation.html
