Category: Securing BGP

May 31 Deadline For $40,000 Cybersecurity Grant For DNSSEC, RPKI, BPG and more

ISOC Cybersecurity GrantDo you have an idea for a project related to DNSSEC, RPKI, BGP security or other security technologies? And will that project’s activities take place in the Asia-Pacific region?  (View the list of eligible countries and economies.)

If so, the Information Society Information Fund (ISIF) Asia is seeking proposals for projects that can be funded up to a maximum of $56,000 AUD (roughly $40,000 USD). This “Cybersecurity Grant” is sponsored by the Internet Society as part of our support for the Seed Alliance.

THE DEADLINE TO SUBMIT APPLICATIONS IS TUESDAY, MAY 31!

Please read the Cybersecurity Grant page for more information and follow the instructions for applying.  Please do remember that the project activities must be conducted within one of the economies that ISIF considers to be the Asia Pacific region.  ISIF also provides some guidelines for applicants and a FAQ.

As noted on the page, the focus is around practical solutions for resiliency and security in one of these areas:

  • Naming: innovative approaches to DNSSEC that enhance user confidence in Internet-based services.
  • Routing: support for wider deployment of secure routing technologies (RPKI, BGPSEC) and best practices (MANRS).
  • Measurement: investigate the nature and extent of deployment of security solutions on the Internet.
  • Traffic management: tools to measure Internet traffic congestion and/or traffic management practices OR analysis of traffic management policies and practices.
  • Confidential communications: strategies or solutions to enhance the confidentiality of Internet traffic.
  • Data security and integrity: options for improved data security and/or data breach detection and mitigation.
  • Internet of Things (IoT): security of IoT.
  • Critical Infrastructure: security of computer-controlled systems such as energy grids, transport networks, water supply, sewage, etc.) from cyber attacks.
  • End-user device security: options for improved end-user security.
  • Building security skills in your local community.

We hope that people and organizations within the AP region will apply for this excellent grant opportunity. The application period opened up February 24 – but we thought we’d give one final notice in case people weren’t aware.

We look forward to learning in September about how the recipients will work to make the Internet more secure and resilient!

DNSSEC and DANE Activities at ICANN 55 and Africa DNS Forum in Marrakech March 5-10

ICANN 55 logoStarting this Friday, March 5, I’ll be in Marrakech, Morocco, for a great bit of DNS security discussions at two events:  the Africa DNS Forum 2016 and the 55th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN).

Some great introductions to DNSSEC and DANE – and some outstanding technical presentations on Wednesday.  Two important changes from previous ICANN meetings:

  1. The “DNSSEC For Everybody” tutorial is now on Sunday instead of the usual Monday.
  2. The “DNSSEC Workshop” will be live streamed over YouTube in addition to the usual Adobe Connect (links are included below).

You can also follow along live on most social networks using these hashtags: #AfricaDNSForum, #ICANN55, #DNSSEC.

I also note at the end of the schedule below that I’ll be briefing ICANN staff and interested board members about the MANRS initiative to secure BGP and reduce IP spoofing as part of the Technical Experts Group (TEG) meeting at ICANN 55.

In addition to all of this technical and security work happening at ICANN 55, we at the Internet Society will also be extremely focused on the IANA Stewardship Transition process.  Please read this post from my colleague Konstantinos Komaitis where he explains why this upcoming meeting will be such a critical milestone.

Here are the  main activities – remote participation is available for all of them except one. Do note that all times are Western European Time (WET) which is the same as UTC.


Africa DNS Forum: Panel on DNS Tools

On Saturday, March 5, from 14:00 – 15:30 I will be talking about DNSSEC and DANE in a panel about “DNS and Internet Security Tools: DNSSEC, IPv6 and DANE“. The live stream will be available at:
http://livestream.com/internetsociety/africadnsforum2016


Africa DNS Forum: Panel on emerging trends in DNS security

On Sunday, March 6, from 11:00 – 12:45 my colleague Michuki Mwangi will be moderating a panel on “Emerging Trends in DNS Security“. The live stream will be available at:
http://livestream.com/internetsociety/africadnsforum2016

I will be in the audience listening to what looks to be a great set of panelists.


DNSSEC For Everybody: A Beginner’s Guide

On Sunday, March 6, we’ll have the regular “DNSSEC For Everybody: A Beginner’s Guide” session from 16:45 – 18:15  where we’ll do our “skit” dramatizing DNS and DNSSEC. If you have been seeking to understand WHY this all matters, do join in to see! You can watch it remotely (or watch the archive later) at:

https://meetings.icann.org/en/marrakech55/schedule/sun-dnssec-everybody

And yes, I’ll be talking about blue smoke as I usually do – and this time I get to have a role in the skit!

NOTE: This session has historically taken place on the Monday afternoon of each ICANN meeting, but it was changed to Sunday as of this meeting as ICANN is in the process of consolidating tutorials on the Sunday of the event.


DNSSEC Implementers Gathering

On Monday, many of us who have been involved with deploying DNSSEC or DANE will travel to a nearby restaurant for the “DNSSEC Implementers Gathering” for food, drink and conversation from 19:00-20:00 IST.

Many thanks to Afilias for sponsoring the event.  This is the one event where there is no remote participation possible.


DNSSEC Workshop

As usual, the main event will be the DNSSEC Workshop on Wednesday, March 9, from 9:00 to 15:15 WET.

Remote participation information, slides, the agenda and more info can be found at:

https://meetings.icann.org/en/marrakech55/schedule/wed-dnssec

At the event the workshop will also be streamed live via YouTube at:

The sessions will be recorded on both YouTube and Adobe Connect if you would like to listen to them later. Slides will be posted to the workshop page before the event begins.

The current agenda includes:

0900-0915 – DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts

  • Dan York, Internet Society
0915-0930 – Presentation: Update on the ‘Sunset’ of the DNSSEC Look-aside Validation Registry (DLV)

  • Victoria Risk, Internet Systems Consortium (ISC)
0930-1045 – Panel Discussion: DNSSEC Activities in the African Region

  • Moderator: Mark Elkins, DNS/ZACR
  • Panelists:
    • Alain Aina, AfriNIC
    • Landi Ahmed, KeNIC
    • Alex Corenthin and Khoudia Gueye Sy, .SN
    • Eberhard Lisse, .NA
1045-1100 – Break
1100-1130 –Presentation: DNSSEC SIGNER Switchover

  • Alain Aina, AfriNIC
1130-1200 – Presentation: DNSSEC At Scale

  • Dani Grant, Cloudflare
1200-1230 – Great DNS/DNSSEC Quiz

  • Dan York, Internet Society, presenting questions developed by Roy Ahrens, ICANN
1230-1315 – Lunch Break
1315-1415 – Panel Discussion: DNSSEC and Elliptic Curve Cryptography

  • Moderator and panelist: Dan York, Internet Society
  • Panelists:
    • Geoff Huston, APNIC
    • Jim Galvin, Afilias
    • Ólafur Guðmundsson, CloudFlare
    • Ondřej Surý, CZNIC
1415-1500 – Panel Discussion:  DNSSEC Root Key Signing Key (KSK) Rollover

  • Moderator: Russ Mundy, Parsons
  • Panelists
    • ICANN Root KSK Rollover Design Team members
    • Warren Kumari, Google
1500-1515 – Presentation: DNSSEC – How Can I Help?

  • Russ Mundy, Parsons and Dan York, Internet Society

ICANN Board with Technical Experts Group

After the 6+ hours of the DNSSEC Workshop are over, I’ll then head over to the meeting of the Technical Experts Group (TEG) from 15:30 – 17:00 where will I will be participating in the discussions meant to advise the ICANN staff and interested ICANN Board members about emerging trends in technology.  Toward the end of the session I will be presenting for about 15 minutes on the MANRS initiative to secure BGP and reduce IP spoofing in order to make the Internet’s routing infrastructure more resilient and secure.

Remote participation is available through the links found on the session page:

https://meetings.icann.org/en/marrakech55/schedule/wed-board-technical


If you will be there at either the Africa DNS Forum 2016 or  ICANN 55 please do say hello – you can find me in these sessions… or drop me a note at york@isoc.org and we can arrange a time to connect.

And … if you want to get started with DNSSEC and DANE, please visit our Start Here page to find resources that can help!

Deploy360@IETF92, Day 3: IPv6 Operations, Sunset4, ACME and Global Internet Routing (GROW)

Jen Linkova at IETF 92Today’s third day of IETF 92 turns out to be a quieter one for the topics we cover here on Deploy360.  The big activity will be in the first of two IPv6 Operations (v6OPS) working group sessions.  There will also be a reboot of the SUNSET4 working group and what should be an interesting discussion about “route leaks” in the GROW working group.  Here’s what our day looks like…

NOTE: If you are unable to attend IETF 92 in person, there are multiple ways to participate remotely.

In the 0900-1130 CDT block this morning, we’re not actively tracking any of the listed working groups as they don’t tie directly into our Deploy360 topics. However the BESS session about BGP-enabled services could be interesting, as could the SPUD BOF looking at what are barriers to implementing new transport protocols on the Internet (more info in the SPUD overview presentation).

After lunch from 1300-1500 CDT in the International Room will be the first of two IPv6 Operations (v6OPS) sessions (the second being tomorrow) with a packed agenda looking at design choices for IPv6 networks, IPv6 deployment case studies / lessons learned and more.  As IPv6 deployment continues to grow month over month, incorporating feedback from that deployment process back into the standards process is an essential part of ensuring continued growth.

In the 1520-1620 CDT block over in the Gold Room, the IPv6 discussion will continue in the SUNSET4 working group that is chartered to document and explore how well things will work in an IPv6-only environment when IPv4 is no longer available (i.e. IPv4 has “sunsetted”).  As noted in the SUNSET4 agenda, the working group has had a loss of momentum and will be looking today at how to restart efforts to move work items along.

Simultaneously over in the Parisian Room the Global Routing Operations (GROW) working group will be looking at how to improve the operations of the Internet’s global routing infrastructure.  As my colleague Andrei Robachevsky wrote in his Rough Guide to IETF 92 post:

In general, the focus of the GROW WG is on operational problems associated with the global routing system, such as routing table growth, the effects of interactions between interior and exterior routing protocols, and the effect of operational policies and practices on the global routing system, its security and resilience.

One of these items, which originally emerged in the SIDR WG and is now being discussed in the GROW WG, is so-called “route-leaks.” Simply speaking, this describes a violation of “valley-free” routing when, for example, a multi-homed customer “leaks” an announcement from one upstream provider to another one. Since usually customer announcements have the highest priority, if no precautions are taken this results in traffic from one provider to another bypassing the customer – potential for a staged MITM attack. But this is an explanation in layman terms, and the group was working on nailing down the definition and the problem statement, see https://datatracker.ietf.org/doc/draft-ietf-grow-route-leak-problem-definition/.

This issue of “route leaks” is one that comes up repeatedly and is causing problems on the global Internet. For instance, yesterday DynResearch tweeted about a route hijack of Google’s site by Belarus Telecom – now I don’t know if that was an actual “route leak”, but it’s the kind of routing issue we do see often on the Internet… which is why this class of issues needs to be identified and solutions proposed.

And just because we really want to be in three places at once… over in the Venetian Room during this same 1520-1620 time block will be the “Automated Certificate Management Environment (ACME)” BOF looking at ways to automate management of TLS certificates. As the agenda indicates, the session is primarily about discussing draft-barnes-acme and the efforts being undertaken as part of the Let’s Encrypt initiative.  The ideas are intriguing and proposals that help automate the security of the Internet can certainly help reduce the friction for regular users.

After all of that is over we’ll be joining in for the Operations and Administrative Plenary from 1640-1910 CDT.  You can view a live video stream of the plenary at http://www.ietf.org/live/    And then… we’ll be getting ready for Day 4…

For some more background, please read these Rough Guide posts from Andrei, Phil and I:


Relevant Working Groups:


For more background on what is happening at IETF 92, please see our “Rough Guide to IETF 92″ posts on the ITM blog:

If you are at IETF 92 in Dallas, please do feel free to say hello to our Chris Grundemann. And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Image: a photo by Olaf Kolkman of Jen Linkova at IETF 92. Part of a larger set of IETF 92 photos Olaf has published.

At IETF92 Next Week, Much Happening With IPv6, DNSSEC, DANE, TLS and more…

Dallas skylineNext week is IETF 92 in Dallas, Texas, and there will be a great amount of activity happening with the topics we cover here on Deploy360: IPv6, DNSSEC (and DANE), TLS, anti-spoofing and securing BGP.  As part of the Rough Guide to IETF 92, several of us have written posts outlining what’s happening in the various topic areas:

In each of those posts you’ll find a summary of what’s happening and a list of the relevant working groups and the associated links about how to learn more.  More information about IETF 92 in general can be found on the main Rough Guide to IETF 92 page at:

https://www.internetsociety.org/rough-guide-ietf92

Beyond all of that, Chris Grundemann will also be talking about our “Operators and the IETF” work and discussing Best Current Operational Practices (BCOP) with people as well.

If you can’t get to Dallas next week, you can attend remotely!  Just visit the IETF 92 remote participation page or check out http://www.ietf.org/live/ for more options.

To that end, as a bit of a change both Megan Kruse and I (Dan York) will be participating in this IETF 92 remotely.  It’s very strange to not be attending an IETF meeting in person, but different circumstances have made it not possible for both of us.  Jan Žorž will also be remote having just returned from v6 World Congress in Paris and about to head off to another event.   Chris Grundemann will be there on site in Dallas, though, and so if you have any questions about Deploy360 activities or want to get more involved, please contact Chris!

We’re looking forward to the usual crazy busy blur of a week that is an IETF meeting… and we’re looking forward to learning what else we can do to help accelerate the deployment of these key Internet technologies to make the Internet work better, faster and be more secure!

 

In 5 Days, ION Sri Lanka Will Cover IPv6, DNSSEC, DANE, BGP, TLS, BCOP and more

ION Sri Lanka logoComing up in just over 5 days, our ION Sri Lanka event will take place in Kandy, Sri Lanka, on Sunday, January 18, 2015, beginning at 10:00 am India Standard Time (IST, UTC+5:30).  As our agenda shows, we have an ambitious list of sessions covering pretty much all of the topics we cover here at Deploy360. Sessions include:

  •  Welcome from the Internet Society Sri Lanka Chapter, Prof. Gihan Dias (Internet Society Sri Lanka Chapter)
  • Two Years After World IPv6 Launch: Are We There Yet?, Vivek Nigam (APNIC)
  • Why Implement DNSSEC?, Jitender Kumar (Afilias)
  • Deploying DNSSEC: A .LK Case Study, Sashika Suren (LK Domain Registry)
  • DANE: The Future of Transport Layer Security (TLS), Dan York (Internet Society)
  • Lock it Up: TLS for Network Operators, Chris Grundemann (Internet Society)
  • What’s Happening at the IETF? Internet Standards and How to Get Involved, Dan York (Internet Society) and Thilini Rajakaruna (former IETF Fellow)
  • Operators & the IETF, Chris Grundemann (Internet Society)
  • Best Current Operational Practices – An Update, Jan Žorž (Internet Society)
  • IPv6 Success Stories– Network Operators Tell All!, Asela Galappattige (Sri Lanka Telecom); Senevi Herath (LEARN); Matsuzaki Yoshinobu (IIJ)

We have an excellent set of speakers and are very much looking forward to this event!

REGISTRATION IS FREE! If you can get to the Amaya Hills Hotel in Kandy, Sri Lanka, there is no additional cost to attend ION Sri Lanka.  You do need to register by filling out the SANOG registration form.

If you will not be able to get to the ION Sri Lanka location, we’ll be offering a live video stream / webcast of the event via YouTube Live events. Do note that all events happen on Sunday, January 18, starting at 10:00 am India Standard Time (IST).  Given that this is UTC+5:30, the start of ION Sri Lanka may actually be in the late hours of Saturday, January 17, for people in the United States.  Here are some examples:

  • 10:00 am, Sunday, Jan 18 – IST, Kandy, Sri Lanka
  • 5:30 am, Sunday, Jan 18 – CET, central Europe
  • 4:30 am, Sunday, Jan 18 – UTC
  • 11:30 pm, Saturday, Jan 17EST, east coast, USA
  • 8:30 pm, Saturday, Jan 17PST, west coast, USA

You may find it helpful to use one of the time/date conversion tools to ensure your timing is correct. All the sessions will be recorded for later viewing and the slides will be available online as well.

To stay up-to-date about ION Sri Lanka you can also join:

If you are on Twitter, you can follow @Deploy360 and use hashtag #IONConf for all things ION!

We’re looking forward to seeing many people at the ION Sri Lanka event and joining in the other SANOG 25 activities happening there.  If you are in Sri Lanka (or can get there), please do join us for ION Sri Lanka!

P.S. And if you want to get started today with IPv6, DNSSEC or other topics, please visit our Start Here page to begin – why wait for ION Sri Lanka?  Why not start now?

Deploy360@IETF91, Day 5: IDR (Securing BGP), IPv6 and heading on to ION Tokyo

Minions at IETF91As the final day of IETF 91 opens there are only a few sessions left on the long IETF 91 agenda.  For us at Deploy360, our focus will mainly be on the Inter-Domain Routing (IDR) and IPv6 Maintenance (6MAN) meetings happening this morning.  Read on for more information…


NOTE: If you are not in Honolulu but would like to follow along, please view the remote participation page for ways you can listen in and participate.  In particular, at this IETF meeting all the sessions will have Meetecho coverage so you can listen, watch and chat through that web interface.  All agenda times are in HST, which is UTC-10 (and five hours earlier than US Eastern time for those in the US). I suggest using the “tools-style” agenda as it has easy links to the chat room, Meetecho and other documents for each session.


In the 9:00-11:30 HST block today the Inter-Domain Routing (IDR) is meeting in Coral 2 and it will be, as I understand it, a joint meeting with the SIDR working group that will focus on the proposed BGPSEC protocol.  The agenda is:

  • BGPSEC background/goals/context, Sandy Murphy
  • BGPSEC protocol walk-through, Matt Lepinski
  • BGPSEC protocol time, space analysis, K. Sriram
  • BGPSEC issues for implementors, John Scudder

It should be an interesting session that ties in well with our Securing BGP topic area.

Simultaneously over in the large Coral 3 room, the IPv6 Maintenance Working Group (6MAN) has a very full agenda of proposals to improve how IPv6 works.  For IPv6 fans such as me, this looks to be a great set of discussions!

The final block of sessions from 11:50-13:20 HST does not have any meetings directly tied to the topics we cover here, but I’m intrigued by a document in the Internet Area Open Meeting about tunnels in the Internet’s architecture that will probably be a good session to listen to.

And with that… our time here at IETF 91 in Honolulu will draw to a close.  We’ll have the Internet Society Advisory Council meeting this afternoon… and then we are all heading to Tokyo to present about IPv6, DNSSEC, BGP, BCOP and more at our ION Tokyo event on Monday!  (And you can watch ION Tokyo live via a webcast.)

Thanks for following us this week and to all those who greeted us at IETF 91!  See you next time in Dallas!

P.S. Today’s photo is from Jared Mauch and used with his permission.  NBC Universal, who sponsored the IETF 91 Welcome Reception, gave a stuffed “minion” out to anyone who wanted to have one.  Give some engineers something fun like this and… well… photos are bound to happen!  Jared had a good bit of fun coming up with some photos – you can see his “Minions” photo stream – and the minons were present in many other photos, such as this one I took.

See also:

Relevant Working Groups

We would suggest you use the “tools-style” agenda to find links to easily participate remotely in each of these sessions.

IDR (Inter-Domain Routing Working Group) WG
Friday, 14 November 2014, 0900-1130 HST, Coral 2
Agenda: https://datatracker.ietf.org/meeting/91/agenda/idr/
Charter: https://datatracker.ietf.org/wg/idr/charter/

6MAN (IPv6 Maintenance) WG
Friday, 14 November 9am-1130am, Coral 3
Agenda: https://datatracker.ietf.org/meeting/91/agenda/6man/
Documents: https://datatracker.ietf.org/wg/6man/documents/
Charter: https://datatracker.ietf.org/wg/6man/charter/


For more background on what is happening at IETF 91, please see our “Rough Guide to IETF 91″ posts on the ITM blog:

If you are here at IETF 91 in Honolulu, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Deploy360@IETF91, Day 4: TLS, 6TISCH, DNSSD, IDR, SAAG, DHC and DBOUND

Chris Grundemann at IETF 91On the fourth day of IETF 91 we on the Deploy360 return to a focus on the routing / securing BGP side of our work as well as TLS and a number of DNS-related sessions that are not strictly DNSSEC-related, along with a small bit of IPv6 for “Internet of Things” (IoT) mixed in. There are many other working groups meeting at IETF 91 today but the ones I’ll mention below line up with the topics we cover here on the Deploy360 site.

Read on for more information…


NOTE: If you are not in Honolulu but would like to follow along, please view the remote participation page for ways you can listen in and participate.  In particular, at this IETF meeting all the sessions will have Meetecho coverage so you can listen, watch and chat through that web interface.  All agenda times are in HST, which is UTC-10 (and five hours earlier than US Eastern time for those in the US). I suggest using the “tools-style” agenda as it has easy links to the chat room, Meetecho and other documents for each session.


In the morning 9:00-11:30 block two working groups are of interest.  The TLS Working Group continues the evolution of the TLS protocol and we’ll be monitoring that session in Coral 5 to understand where TLS is going.  Meanwhile over in the Hibiscus room, the 6TISCH Working Group will be continuing their work on ensuring that IPv6 works well in low-power networks on devices using IEEE 802.15.4 low-power radios.  We haven’t really covered this work much here on Deploy360, but as the 6TISCH charter indicates, the work is aimed at “low-power and lossy networks” (LLNs) among devices that we often commonly talk of these days as the “Internet of Things” (IoT). As we increasingly connect everything to the Internet, this work should prove very useful.

During the lunch period, there looks to be a fascinating speaker on the topic of “Open Standards, Open Source, Open Loop“,  but the timing is such that several of us will be at an informal (and open) meeting about the Mutually Assured Norms for Routing Security (MANRS) document, part of the ongoing Routing Resilience Manifesto project headed by our colleague Andrei Robachevsky (and he discussed MANRS in his Rough Guide post).

In the 13:00-15:00 HST block there are two groups we’ll be watching: DNSSD and IDR.  As I described in my Rough Guide post about DNSSEC, the DNSSD group is looking at how to extend DNS service discovery beyond a local network – and we’re of course curious about how this will be secured.  DNSSEC is not directly on the agenda, but security issues will be discussed.  Simultaneously the Inter-Domain Routing (IDR) is meeting about improving the Internet’s routing infrastructure, although the security focus will primarily be in tomorrow’s (Friday) IDR meeting. Because of that, our attention may be more focused on the Security Area Open Meeting where there are a couple of drafts about routing security including one that surveyed the different kinds of censorship seen around the world.

Finally, in the 16:40-19:10 HST block the Dynamic Host Configuration (DHC) WG will meet to continue their work on optimizing DHCP for IPv6. Today’s agenda includes some discussions around privacy that should fit in well with the ongoing themes of privacy and security at this IETF meeting.

At the same time as DHC, there will also be a side meeting of the DBOUND (Domain Boundaries) effort that took place at an earlier IETF meeting.  It starts at 16:40 (not 14:40 as went out in email) in the South Pacific II room.  As described in the problem statement, this effort is looking at how “domain boundaries” can be defined for efforts such as the Public Suffix List. From the abstract:

Various Internet protocols and applications require some mechanism for determining whether two Domain Name System (DNS) names are related. In this document we formalize the types of domain name relationships, identify protocols and applications requiring such relationships, review current solutions, and describe the problems that need to be addressed.

While not directly related to the work we do here on Deploy360, it’s interesting from a broader “DNS security perspective”.

And with all of that…  day 4 of IETF 91 will draw to a close for us.  If you are around at IETF 91 in Honolulu, please do find us and say hello!

P.S. Today’s photo is of our own Chris Grundemann making at point at the microphone in the Administrative plenary…

See also:

Relevant Working Groups

We would suggest you use the “tools-style” agenda to find links to easily participate remotely in each of these sessions.

6TISCH (IPv6 over the TSCH mode of IEEE 802.15.4e) WG
Thursday, 13 November 2014, 0900-1130 HST, Hibiscus
Agenda: https://tools.ietf.org/wg/6tisch/agenda
Documents: https://tools.ietf.org/wg/6tisch/
Charter: https://tools.ietf.org/wg/6tisch/charter

TLS (Transport Layer Security) WG
Thursday, 13 November 2014, 0900-1130 HST, Coral 5
Agenda: https://tools.ietf.org/wg/tls/agenda
Documents: https://tools.ietf.org/wg/tls/
Charter: https://tools.ietf.org/wg/tls/charter

DNSSD (Extensions for Scalable DNS Service Discovery) WG
Thursday, 13 November 2014, 1300-1500 HST, Coral 4
Agenda: https://datatracker.ietf.org/meeting/91/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: https://datatracker.ietf.org/wg/dnssd/charter/

SAAG (Security Area Open Meeting) WG
Thursday, 13 November 2014, 1300-1500 HST, Coral 3
Agenda: https://tools.ietf.org/wg/saag/agenda
Documents: https://tools.ietf.org/wg/saag/
Charter: https://tools.ietf.org/wg/saag/charter

IDR (Inter-Domain Routing Working Group) WG
Thursday, 13 November 2014, 1300-1500 HST, Kahili
Agenda: https://datatracker.ietf.org/meeting/91/agenda/idr/
Charter: https://datatracker.ietf.org/wg/idr/charter/

DHC (Dynamic Host Configuration) WG
Thursday, 13 November 2014, 1640-1910 HST, Kahili
Agenda: https://tools.ietf.org/wg/dhc/agenda
Documents: https://tools.ietf.org/wg/dhc/
Charter: https://tools.ietf.org/wg/dhc/charter


For more background on what is happening at IETF 91, please see our “Rough Guide to IETF 91″ posts on the ITM blog:

If you are here at IETF 91 in Honolulu, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Deploy360@IETF91, Day 2: UTA, DPRIVE, BGP in ARNP, 6LO and IOT, DNSOP

IETF 91 mic lineFor us at Deploy360, Day 2 of IETF 91 brings a heavy focus on DNSSEC and DNS security in general with both DNSOP and DPRIVE meeting. Today also brings one of the key working groups (UTA) related to our “TLS in Applications” topic area.  There is a key WG meeting related to using  IPv6 in “resource-constrained” environments such as the “Internet of Things” (IoT) … and a presentation in the Internet Research Task Force (IRTF) about BGP security and the RPKI.

These are, of course, only a very small fraction of the many different working groups meeting at IETF 91 today – but these are the ones that line up with the topics we write about here at Deploy360.

Read on for more information…


NOTE: If you are not in Honolulu but would like to follow along, please view the remote participation page for ways you can listen in and participate.  In particular, at this IETF meeting all the sessions will have Meetecho coverage so you can listen, watch and chat through that web interface.  All agenda times are in HST, which is UTC-10 (and five hours earlier than US Eastern time for those in the US). I suggest using the “tools-style” agenda as it has easy links to the chat room, Meetecho and other documents for each session.


In the morning 9:00-11:30 block we once again will be splitting ourselves across multiple working groups.  In Coral 2 will be the “Using TLS in Applications” (UTA) working group looking at how to increase the usage of TLS across applications.  The UTA WG is a key part of the overall work of the IETF in strengthening the Internet against pervasive monitoring and should be quite a well-attended session.  The UTA agenda includes multiple drafts related to TLS and email, a discussion of a proposal around “token binding” and what should be an involved discussion about the TLS “fallback dance”, i.e. what should happen when a TLS connection cannot be made at the requested level of security?

On the topic of UTA, I’ll note that one of the groups main documents, draft-ietf-uta-tls-bcp, a best practice document on “Recommendations for Secure Use of TLS and DTLS“, has a new version out that incorporates all of the feedback received to date.  This document should soon be at the point where it will enter the publication queue.

Meanwhile, over in the Kahili room the 6LO WG will be talking about using IPv6 in “resource-constrained” and low power environments. The work here is important for sensor/device networks and other similar “Internet of Things” (IoT) implementations.   Among the 6LO agenda items are a discussion of using IPv6 in near field communications (NFC) and what should be quite an interesting discussion around the challenges of using different types of privacy-related IPv6 addresses in a constrained environment.

Simultaneously over in Coral 4 will be the open meeting of the Internet Research Task Force (IRTF) and of particular interest will be the presentation by one of the winners of the Applied Networking Research Prize (ANRP) that is focused on BGP security and the Resource Public Key Infrastructure (RPKI).  As the IRTF open meeting agenda lists the abstract:

The RPKI (RFC 6480) is a new security infrastructure that relies on trusted authorities to prevent attacks on interdomain routing. The standard threat model for the RPKI supposes that authorities are trusted and routing is under attack. This talk discusses risks that arise when this threat model is flipped: when RPKI authorities are faulty, misconfigured, compromised, or compelled (e.g. by governments) to take certain actions. We also survey mechanisms that can increase transparency when RPKI authorities misbehave.

The slides for the presentation are online and look quite intriguing!

After that we’ll be spending our lunch time at the “ISOC@IETF” briefing panel that is focused this time on the topic of “Is Identity an Internet Building Block?”  While not directly related to our work here at Deploy360 we’re quite interested in the topic.  I will also be directly involved as I’ll be producing the live video stream / webcast of the event.  You can join in and watch directly starting at 11:45 am HST (UTC-10). It should be an excellent panel discussion!

As I described in my Rough Guide post about DNSSEC, the 13:00-15:00 block brings the first meeting of the new DPRIVE working group that is chartered to develop “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.”  The DPRIVE agenda shows the various documents under discussion – there are some very passionate views on very different perspectives… expect this session to have some vigorous discussion!

In the last 15:20-17:20 meeting block of the day we’ll focus on the DNS Operations (DNSOP) Working Group where the major DNSSEC-related document under discussion will be Jason Livingood’s draft-livingood-dnsop-negative-trust-anchors that has generated a substantial bit of discussion on the dnsop mailing list.  The DNSOP agenda contains a number of other topics of interest, including a couple added since the time I wrote about DNS for the Rough Guide.  The discussion about root servers running on loopback addresses should be interesting… and Brian Dickson (now employed by Twitter instead of Verisign) is bringing some intriguing new ideas about a DNS gateway using JSON and HTTP.

After all of that, they’ll let us out of the large windowless rooms (granted, in the dark of evening) for the week’s Social event that will apparently be a Hawaiian Luau.  After all the time inside it will be a pleasure to end the day in casual conversations outside. Please do look to find us and say hello… and if you are not here in Honolulu, please do join in remotely and help us make the Internet work better!

See also:

Relevant Working Groups

We would suggest you use the “tools-style” agenda to find links to easily participate remotely in each of these sessions.

UTA (Using TLS in Applications) WG
Tuesday, 11 Nov 2014, 900-1130, Coral 2
Agenda: https://tools.ietf.org/wg/uta/agenda
Documents: https://tools.ietf.org/wg/uta
Charter: https://tools.ietf.org/wg/uta/charter

6LO (IPv6 over Networks of Resource-constrained Nodes) WG
Tuesday, 11 Nov 2014, 900-1130, Kahili
Agenda: https://tools.ietf.org/wg/6lo/agenda
Documents: https://tools.ietf.org/wg/6lo
Charter: https://tools.ietf.org/wg/6lo/charter

IRTF (Internet Research Task Force) Open Meeting
Tuesday, 11 Nov 2014, 900-1130, Coral 4
Agenda: http://tools.ietf.org/agenda/91/agenda-91-irtfopen.html
Charter: https://irtf.org/

DPRIVE (DNS PRIVate Exchange) WG
Tuesday, 11 November 2014, 1300-1500 HST, Coral 5
Agenda: https://datatracker.ietf.org/meeting/91/agenda/dprive/
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

DNSOP (DNS Operations) WG
Tuesday, 11 November 2014, 1520-1720 HST, Coral 4
Agenda: https://datatracker.ietf.org/meeting/91/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/


For more background on what is happening at IETF 91, please see our “Rough Guide to IETF 91″ posts on the ITM blog:

If you are here at IETF 91 in Honolulu, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Deploy360@IETF91, Day 1: v6OPS, SIDR, EPPEXT, TRANS

Sunset at IETF 91On the first full day here at IETF 91, we have to leave behind the palm trees of the beautiful welcoming reception (pictured at right) to head indoors for a packed agenda of working group sessions.

For us on the Deploy360 team, this first day hits on three of our major topics:  IPv6, DNSSEC and securing BGP.

A big focus  for our group will be the 4.5 hours of IPv6 Operations (v6OPS) Working Group meetings happening in two blocks today: 9:00-11:30 and then 15:20-17:20 Hawaii Standard Time (HST). As our colleague Phil Roberts noted, IPv6 is everywhere within IETF activity, but the v6OPS sessions are particularly important as IPv6 continues to move into mainstream production and experience real operational deployment.


NOTE: If you are not in Honolulu but would like to follow along, please view the remote participation page for ways you can listen in and participate.  In particular, at this IETF meeting all the sessions will have Meetecho coverage so you can listen, watch and chat through that web interface.  All agenda times are in HST, which is UTC-10 (and five hours earlier than US Eastern time for those in the US).


At the same 9:00-11:30 block as v6OPS in the morning will be the Secure Inter-Domain Routing (SIDR) Working Group that is really the lead working group we’re monitoring for efforts to increase the security of the BGP routing protocol. As Andrei Robachevsky wrote in his Rough Guide post, there is a great amount of work happening with regard to routing security and resiliency and the discussions within SIDR today will contribute to that.

Amazingly, the 13:00-15:00 time block is a quiet one for us (pretty much the only one all week!), although I may wander into the CDN Interconnections (CDNI) working group to check in purely out of my own interest in CDNs.

The 15:20-17:20 block has v6OPS back for its second session, but also has two of the working groups meeting with DNSSEC-related topics going on.  As I described in my Rough Guide post about DNSSEC, the EPPEXT working group will be discussing how to progress a draft about the secure transfer of signed domain names between registrars – and simultaneously the TRANS working group will be looking at the possibility of applying Certificate Transparency (CT) methods to DNSSEC.

In the final 17:30-18:30 meeting block, the TRANS working group will continue their discussions and the GROW working group will also be meeting to discuss route leaks and de-aggregation issues, two major areas that Andrei indicated are of concern to the routing community.

We’ll finish up the day from 18:50-19:50 with the Technical Plenary that will focus on the IAB’s Privacy and Security Program and should be interesting.

All in all it’s going to be a very busy day!  Do note, of course, that all that I’ve mentioned here is just a small part of the overall activity happening at IETF 91 today – these are just the sessions that WE are interested in for the topics we cover here at Deploy360. Please do look to find us and say hello… and if you are not here in Honolulu, please do join in remotely and help us make the Internet work better!

Relevant Working Groups:

v6OPS (IPv6 Operations) WG
Monday, 10 November 900am-1130am, Coral 4
Monday, 10 November 320pm-520pm, Coral 3
Agenda: https://datatracker.ietf.org/meeting/91/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/documents/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/

SIDR (Secure Inter-Domain Routing) WG
Monday, 10 November 2014, 0900-1130 HST, Coral 1
Agenda: https://datatracker.ietf.org/meeting/91/agenda/sidr/
Charter: https://datatracker.ietf.org/wg/sidr/charter/

TRANS (Public Notary Transparency) WG
Monday, 10 November 2014, 1300-1500 HST, Hibiscus
Agenda: https://datatracker.ietf.org/meeting/91/agenda/trans/
Documents: https://datatracker.ietf.org/wg/trans/
Charter: https://datatracker.ietf.org/wg/trans/charter/

EPPEXT (Extensible Provisioning Protocol Extensions) WG
Monday, November 10, 2014, 1520-1720 HST, Lehua Suite
Agenda: https://datatracker.ietf.org/meeting/91/agenda/eppext/
Documents: https://datatracker.ietf.org/wg/eppext/
Charter: https://datatracker.ietf.org/wg/eppext/charter/

GROW (Global Routing Operations) WG
Monday, 10 November 2014, 1730-1830 HST, Coral 4
Agenda: https://datatracker.ietf.org/meeting/91/agenda/grow/
Charter: https://datatracker.ietf.org/wg/grow/charter/


For more background on what is happening at IETF 91, please see our “Rough Guide to IETF 91″ posts on the ITM blog:

If you are here at IETF 91 in Honolulu, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

IETF 91 Rough Guide On Routing Resilience And Security – De-aggregation, Route Leaks and more

IETF LogoWhat will be happening next week at IETF 91 with regard to improving the security and resilience of the Internet’s routing infrastructure?

Our colleague Andrei Robachevsky tackles this question in his post this week: “Rough Guide to IETF 91: Routing Resilience & Security“.

Andrei explains that one of the major issues in routing right now is the growth in the size of the global routing tables and the growth of “de-aggregation”… and the challenges that lie therein.  He also writes about “route leaks” and what is being done to address this issue and he writes about the ongoing work related to RPKI in the SIDR working group.

He finishes up talking about the MANRS initiative announced yesterday  and how that can help with overall routing security and resiliency.

Please do read Andrei’s Rough Guide post … and then do check out our topic areas on Securing BGP and Anti-spoofing to learn more about how you can secure your routing infrastructure.  We will look forward to seeing some of you next week at IETF 91!