Jan 25
New Internet-Draft: Balanced IPv6 Security for Residential CPE
What should the appropriate IPv6 security policy be for residential customers? How can they get the benefits of IPv6 while still ensuring that their home networks are secure? These are the questions pursued in a new Internet-Draft available today:
http://tools.ietf.org/html/draft-v6ops-vyncke-balanced-ipv6-security
The abstract and introduction explain quite well how this applies to “customer premise equipment (CPE)”:
Internet access in residential IPv4 deployments generally consists of a single IPv4 address provided by the service provider for each home. Residential CPE then translates the single address into multiple private IPv4 addresses allowing more than one device in the home, but at the cost of losing end-to-end reachability. IPv6 allows all devices to have a unique, global, IP address, restoring end-to-end reachability directly between any device. Such reachability is very powerful for ubiquitous global connectivity, and is often heralded as one of the significant advantages to IPv6 over IPv4. Despite this, concern about exposure to inbound packets from the IPv6 Internet (which would otherwise be dropped by the address translation function if they had been sent from the IPv4 Internet) remains. This document describes firewall functionality for an IPv6 CPE which departs from the “simple security” model described in [RFC6092]. The intention is to provide an example of a security model which allows most traffic, including incoming unsolicited packets and connections, to traverse the CPE unless the CPE identifies the traffic as potentially harmful based on a set of rules. This model has been deployed successfully in Switzerland by Swisscom without any known security incident.
This document is applicable to off-the-shelf CPE as well as to managed Service Provider CPE.
The authors welcome comments to the draft and their email addresses can be found at the end of the document. It’s definitely a worthwhile contribution to the IPv6 security discussion and could provide useful guidance to operators seeking to understand how they should configure customer equipment to allow IPv6 yet still remain secure.
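To make the contrast concrete, here is an added illustrative example (not from the draft or from Swisscom's deployment) of the two policies in nftables syntax: an RFC 6092 style default-deny forward chain beside a balanced-security chain that forwards everything except what a short blocked-port rule set flags. The interface names lan0/wan0 and the blocked port lists are assumptions chosen for illustration; only one of the two tables would be loaded on a real CPE.

```nft
# Added illustrative example: RFC 6092 "simple security" beside the
# "balanced security" model the draft describes. Interface names (lan0, wan0)
# and the blocked port lists are assumptions, not values from the draft.
# Load only one of the two tables; both hook the same forward path.

# --- Model 1: RFC 6092 simple security (default deny inbound) ---
table ip6 simple_security {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # LAN-originated traffic may leave
        iifname "lan0" oifname "wan0" accept

        # From the WAN, only replies to LAN-initiated sessions come back
        iifname "wan0" oifname "lan0" ct state established,related accept

        # Essential ICMPv6 so path MTU discovery and error reporting still work
        iifname "wan0" oifname "lan0" icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Everything else, including unsolicited inbound connections, is dropped
    }
}

# --- Model 2: balanced security (default allow, drop only what rules flag) ---
table ip6 balanced_security {
    # Assumed examples of LAN-only services a CPE should not expose inbound
    set blocked_tcp {
        type inet_service
        flags interval
        elements = { 135, 137-139, 445 }
    }
    set blocked_udp {
        type inet_service
        flags interval
        elements = { 135, 137-139, 445, 1900 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        ct state established,related accept
        ct state invalid drop

        # Unsolicited inbound is dropped only when a rule identifies it as harmful
        iifname "wan0" tcp dport @blocked_tcp drop
        iifname "wan0" udp dport @blocked_udp drop

        # All other traffic, in both directions, is forwarded end to end
    }
}
```

On a deployed CPE the blocked lists would come from the draft's own rule set rather than the assumed ports above.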
Jan 25
Last Day To Submit Speaking Proposals for SIPNOC2013
The SIP Network Operators Conference (SIPNOC) is an outstanding event happening in Herndon, Virginia, USA, from April 22-25. It brings together network operators working with SIP / VoIP networks for several days of talks, networking (of the human kind) and education. I've gone the past two years, speaking about IPv6, and they are truly excellent conferences. Not too big, not too small... and with an extremely high quality of people both attending and speaking.
If you think you'd like to present, TODAY, January 25, 2013, is the end of the call for presentations for SIPNOC 2013. They are seeking presentations on topics such as (see the CFP for more detail):
- Peering
- SIP Trunking
- Congestion Control
- Applications/content Development
- Interoperability
- Call Routing
- Security
- Monitoring/Troubleshooting and Operational Issues
- Testing Considerations and Tools
- Availability/Disaster-Recovery
- WebRTC and SIP
- SIP-Network Operations Center Best Practices
- Standardization Issues and Progress
- FoIP/T.38 Deployment
- User-Agent Configuration
- IPv6 Deployment Challenges
- Emergency Services
- Scaling and Capacity Issues
- HD-Voice Deployment Challenges
- Video Interop Issues
They are seeking individual talks, panel sessions, research sessions and BOFs.
Even if you just have an idea for a session, I'd encourage you to submit a proposal so that the SIPNOC 2013 Program Committee will know of your interest and can reach out to you for more details. More info about the process can be found on the CFP page.
If you aren't interested in speaking, but are now intrigued by SIPNOC and would like to be learning from all the excellent sessions, you can go to the SIPNOC 2013 main page and find out information about how to register and attend.
If you work at or for a telecom/network operator who is involved with SIP and VoIP, I highly recommend SIPNOC as a conference you should attend - you'll learn a huge amount and make great connections.
P.S. I have no affiliation with SIPNOC other than being a speaker there in the past. SIPNOC is a production of the SIP Forum, a great group of people focused on advancing the deployment and interoperability of communications products and services based on SIP.
Jan 24
One Image To Show The Incredible Importance Of Sharing Web Pages Versus PDFs
Do you...
- Start distributing the link to the PDF and ask people to share it?
- Wrap the PDF in a basic web page, share THAT link and ask people to share it?
If you answered #1, read on for why you should think of #2.
This morning the World Economic Forum (happening this week in Davos, Switzerland) published an excellent infographic about the Internet as "The Innovation Engine" outlining a series of recommendations for leaders with regard to key Internet issues.
The only problem was that they only published the document as a PDF file on their site. The link that was being sent around was just for the PDF.
Links to PDF files do not "share" very well in social media!
Thankfully, someone on our (Internet Society, my employer) Communications team was able to put up a simple web page that provided a nicer link for sharing.
Notice the difference in the image of my Facebook NewsFeed this morning:
The first link, from LACNIC, was for the PDF-only link. It has a URL you can't understand and just the domain name listed. No preview image. No title. No text. Sure, I can know from the status update text what the link is about... but the "link preview" doesn't grab me in and make me want to click it.
The second link, from the Internet Society Comms Team, is to the web page wrapping the PDF. Note here it has a preview image. It has a title. It has some descriptive text. This "link preview" provides enough information that I may want to click on it right away without even reading the Facebook status update.
Ultimately, both links bring you to the same PDF file. The difference is that the second link is to a web page that provides enough "meta" information that the social network can use that information to build a "link preview". While my example here shows Facebook, it works similarly on Google+ and probably works the same way on other social networks.
Note, too, that the web page wrapping the PDF is nothing special. It's a very basic page with a preview image of the PDF, a couple paragraphs of text, a title and the link to the PDF.
That's it.
But that's all that's needed to provide a much better sharing experience when that link is passed around in social networks.
Something to think about the next time you are looking to share out a PDF of an image, infographic, report or other document. Wrap it in a simple web page and your sharing will be much more effective!
Jan 24
RFC 6841 Outlines How To Write DNSSEC Policies and Practice Statements
Back in July 2012, we wrote about “How To Write a DNSSEC Practice Statement (DPS)” and referenced an Internet-Draft that explained the process. We’re very pleased to see that that I-D was published this month as a formal RFC:
RFC 6841 – A Framework for DNSSEC Policies and DNSSEC Practice Statements
As the abstract says:
This document presents a framework to assist writers of DNS Security Extensions (DNSSEC) Policies and DNSSEC Practice Statements, such as domain managers and zone operators on both the top level and secondary level, who are managing and operating a DNS zone with Security Extensions implemented.
In particular, the framework provides a comprehensive list of topics that should be considered for inclusion into a DNSSEC Policy definition and Practice Statement.
It’s well worth a read not only if you are an operator of a Top-Level Domain (TLD) or one of the new gTLDs (all of whom are mandated to support DNSSEC), but also if you are with an enterprise/company that is considering hosting all the DNSSEC signing for your domains yourself.
If you want examples of what these DPS documents look like, we maintain a list of DNSSEC Practice Statements that includes documents from many of the major TLDs. (And we’re always open to adding more if you have a published DPS online. Just let us know.)
Jan 24
New “Internet Of Things Consortium” Launched
Earlier this month at the Consumer Electronics Show (CES) in Las Vegas, a new “Internet of Things Consortium” was announced bringing together 10 companies with the stated goal of fostering and supporting the growth of Internet-connected devices for consumers. The consortium has a website now visible at iofthings.org.
The term “Internet of Things” has been around for some time (Wikipedia dates the first use to 1999) and is generally used to refer to the networks of devices and objects that we are connecting to the Internet and that are using the Internet for communication. Sensor networks are an example. Another is connected homes where lights, appliances and even power outlets might all be connected. A number of the companies involved with this consortium make game consoles, televisions and other entertainment devices that would be connected to a home network and on out to the public Internet.
All of these devices are ultimately connected to the Internet – and communicating often amongst themselves in so-called “machine-to-machine” or “m2m” connections.
Now, this new Internet Of Things Consortium is not the first or only such consortium out there. There are other alliances and groups that are working on promoting open standards for connected homes and devices. But it’s great to see another group of companies working in this space. The CEO of Ube, one of the participants, was quoted in a TechCrunch article as saying in part this:
“The successful adoption of [machine-to-machine] and connected home technologies is dependent on open standards for the provisioning and control of millions of headless devices.”
Exactly!
Here at Deploy360 we’ve been interested in the “Internet of Things” for a long time because to bring all the billions of devices (and power outlets!) onto the Internet, we’re going to need more IP addresses than what we can get with IPv4. I queried the new consortium about their IPv6 support and the consortium chairman Jason Johnson came back with this response:
We should absolutely support IPv6 – or there won’t be billions of devices with IP addresses.
That’s exactly right… and I look forward to seeing what they do in this regard and helping them if they need it.
Some out there regard the “Internet Of Things” as marketing hype… but the reality is that we are connecting more and more devices to the Internet. It is happening today – and we’re going to need IPv6 to make it all work!
Jan 23
ENISA Report On Secure Routing And Network Resiliency
What is the state of our routing infrastructure and what can be done to make it more secure and resilient?
In July 2010, the European Network and Information Security Agency (ENISA) published a report on this topic called:
It begins with a paragraph that I think will resonate with most of us:
Reliable communications networks and services are now critical for public welfare and economic stability. Intentional attacks on the Internet, disruptions due to physical phenomena, software and hardware failures, and human mistakes all affect the proper functioning of public communications networks. Such disruptions reveal the increased dependence of our society on these networks and their services. A vital part of reliable communication networks is the routing infrastructure.
The report goes on at great length to report on the result of a survey of network operators within the European Union about the use of – or plans to use – secure routing technologies within their networks. The report is quite useful in the background that it first provides around routing security concerns and some of the proposed solutions. It then goes into a detailed analysis of the survey results.
While the data is now close to three years old (the interviews were in March/April 2010), many of the points are quite similar to more recent analyses. A key point I noticed was this:
Overall, the lack of available knowledge and skills in routing security is recognised as a major barrier hindering further improvements in routing security, as became clear both from the online survey and the interviews.
Addressing this point by helping promote more awareness and education around routing security / resiliency is a primary aspect of our new Routing section here on Deploy360!
Overall the report makes for good reading if you are looking to understand more about the topic of routing resiliency and security. There has been a good bit of progress made within some of the working groups mentioned since the time of the report, but the report still provides a solid foundation and background.
Jan 22
Slides: Early DNSSEC Deployment Observations from Ed Lewis
What have we seen in terms of DNSSEC deployment around the world? Are there general trends or themes we can understand? Can we dive a bit deeper into some of the algorithms used in DNSSEC signatures?
In an October 2012 presentation to NANOG 56, Ed Lewis of Neustar dug into all these questions and more. The slides make for interesting reading, particularly some of the details about which crypto algorithms were used and what key lengths were used. He also looked at the frequency of key changes, key rollover processes and included a whole section on NSEC/NSEC3 records.
All in all an interesting set of data and some good recommendations around guidance that is needed for the industry. Well worth your time to scan through the slide deck if you are interested in statistics around DNSSEC deployment.
Jan 21
10 Updated Internet-Drafts Related to IPv6 Security
Fernando Gont of SI6 Networks has been a VERY busy man lately! He and his colleagues and co-authors have recently updated a whole host of Internet-Drafts related to IPv6 security. In a post to the full-disclosure mailing list, Fernando provided his list that includes:
- Network Reconnaissance in IPv6 Networks
- Security Implications of IPv6 on IPv4 Networks
- Virtual Private Network (VPN) traffic leakages in dual-stack hosts/networks
- Security Assessment of Neighbor Discovery (ND) for IPv6
- DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
- Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery
- Security Implications of IPv6 options of Type 10xxxxxx
- Security Implications of Predictable Fragment
- Processing of IPv6 “atomic” fragments
- Recommendations on filtering of IPv4 packets containing IPv4 options
Some of these are broader documents while some dive deep into specific issues or solutions. Altogether they do represent a great amount of work on IPv6 security issues, which is excellent and definitely needed as we continue to move to using more and more IPv6 in our networks.
Thanks to Fernando and the others involved in the work for getting these updated drafts out. If you have any comments on these drafts, I know that Fernando is always looking for feedback – his email address and contact info in Argentina can be found at the end of any of the drafts.
Jan 21
PowerDNS Releases Version 3.2 With Increased DNSSEC Support
Congratulations to Bert Hubert and the rest of the team at PowerDNS for their release 3.2 last Thursday which, if you scroll down through the release announcement and changelog, is mostly about improvements to their already strong DNSSEC support! The list of changes and improvements is rather impressive.
In speaking with Bert last week, he said the team there views DNSSEC as basically “done” now for the authoritative server end and is now moving to focus on what they can do to make DNSSEC easier for deployment in DNS resolvers. We’re looking forward to seeing what the team does there.
Meanwhile, if you are a PowerDNS user, the new release will give you even more DNSSEC power… time to upgrade!