Categories
Deploy360 IETF

ION Cape Town: IETF to Africa?

ion-capetown-ai-pngThis week we’re highlighting some of the topics that were covered during ION Cape Town a couple of months back. This was our third ION conference of 2015, and was held in conjunction with South Africa iWeek 2015 which has been South Africa’s leading annual Internet industry conference since 2001.

Our final post for the week is to mention what’s happening in Africa with respect to Internet Standards Development. Whilst the IETF started in 1986 and recently held its 95th meeting in Japan, an IETF meeting has still yet to be held anywhere in Africa and there is believed to be just one RFC (7479) with a sole African authorship.

The reasons for this are many and varied, but IETF participants pay their own way and there have historically not been many participants from Africa in IETF Working Groups. However, the Internet is growing in Africa and there are an increasing number of Internet experts who could be actively involved with the IETF.

The Internet Society is supporting this through its Fellowship to the IETF programme, whilst other IETF awareness activities have been held at the Africa Internet Summit. A 2010 survey by the IAOC also showed that nearly 40% of respondents were in favour of holding an IETF in Africa, so the aim is to mobilise the African Internet community around bringing a meeting to the continent by 2018.

Please help support this initiative by raising awareness of the IETF and identifying individuals who could actively contribute towards making the IETF a truly global standards effort.

ION Cape Town – IETF, Operational Experience, and Africa from Deploy360 Programme (Internet Society)

 

Please also check out the other presentations and videos from the conference, as there’s some interesting deployment case studies and trials of the Deploy360 technologies.

Categories
Deploy360 Mutually Agreed Norms for Routing Security (MANRS)

ION Cape Town: Mind Your MANRS

ion-capetown-ai-pngThis week we’re highlighting some of the topics that were covered during ION Cape Town a couple of months back. This was our third ION conference of 2015, and was held in conjunction with South Africa iWeek 2015 which has been South Africa’s leading annual Internet industry conference since 2001.

Today we turn our attention to the global routing system and the collective responsibility for its resilience and security as discussed by Andrei Robachevsky, one of the ISOC Technology Program Managers. The issue is that BGP is based on global trust and there’s no validation of the legitimacy of routing updates. Whilst RPKI is currently being rolled out by the Regional Internet Registries, this will have limited effectiveness until BGPSEC is fully implemented and more widely deployed.

The consequences are that network prefixes can be hijacked, resulting in denial-of-service, impersonating of a network or service, or traffic interception. Route leaks can also occur, as well as IP spoofing which is the root cause of DDoS attacks.

Whilst tools such as network address prefix and AS-PATH filtering, RPKI and IRR are available to help mitigate these problems, the reality is that the security of your traffic is often reliant on others. Implementing security measures at network interfaces does not solve the wider issues.

The Mutually Agreed Norms for Routing Security (MANRS) programme therefore aims to promote a culture of collaborative responsibility by defining four concrete actions that network operators should implement. These four ‘Good MANRS’ include:

  • Filtering to prevent propagation of incorrect routing information by ensuring that customers hold the AS numbers and address space they’re announcing.
  • Anti-spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving a network.
  • Facilitate operational communication and coordination between network operators by maintaining globally accessible and up-to-date information.
  • Validation of routing information on a global scale by publicly documenting routing resources that are intended to be advertised to external parties.

MANRS is a commitment by network operators to support the principles of the programme and implement at least one of the four actions for the majority of its infrastructure. There is a growing list of participants, but routing security is the sum of all contributions and a critical mass will raise the baseline and persuade others they should participate.

If you’re interested in finding out more about MANRS, please head to the Routing Resilience Manifesto. You can also find out more from the START HERE! page of the Deploy360 website.

ION Cape Town – Collective Responsibility for Routing Security and MANRS from Deploy360 Programme (Internet Society)

 

Please also check out the other presentations and videos from the conference, as there’s some interesting deployment case studies and trials of the Deploy360 technologies.

Categories
Deploy360 Events IPv6

ION Cape Town: Good COP, BCOP

ion-capetown-ai-pngThis week we’re highlighting some of the topics that were covered during ION Cape Town a couple of months back. This was our third ION conference of 2015, and was held in conjunction with South Africa iWeek 2015 which has been South Africa’s leading annual Internet industry conference since 2001.

Today we’re looking at the presentation from Jan Zorz, the Internet Society’s Operational Engagement Manager, on Best Current Operational Practices or BCOP. These are living documents covering, as the name suggests, best current operational practices as agreed by subject matter experts and periodically reviewed by the global networking engineering community.

BCOP aims to address the issue of knowledge being passed in an informal and unstructured way, quite often through word-of-mouth rather than through a documentation and review process. This leads to information being difficult to find and potentially restricted to certain communities or even lost, so BCOP draws on a variety of efforts to produce community derived best practices. There are currently BCOP groups under NANOG (North America), LACNOG (Latin America), RIPE (Europe & Middle East),  JANOG (Japan), NZNOG (New Zealand) and most recently AfNOG (Africa), producing BCOPs on Deploy360 topics such as IPv6 question and answers, IPv6 troubleshooting, IPv6 address (de)aggregation, IP peering, anti-DDOS measures, and DNSSEC operational practice.

ION Cape Town – Best Current Operational Practices Update from Deploy360 Programme (Internet Society)

The Deploy360 team is heavily involved with the BCOP communities, and as well as fostering new BCOP initiatives, is seeking input as to what new BCOPs should be developed. Suggestions include testing visibility from the global Internet, use of the Internet Routing Registry (IRR), IPv6 enterprise renumbering scenarios, and ICMP filtering, but please get in touch if you have other suggestions.

The full list of current BCOPs can be found on the Deploy360 website.

Please also check out the other presentations and videos from the conference, as there’s some interesting deployment case studies and trials of the Deploy360 technologies.

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events

ION Cape Town: Great DANE

ion-capetown-ai-pngThis week we’re highlighting some of the topics that were covered during ION Cape Town a couple of months back. This was our third ION conference of 2015, and was held in conjunction with South Africa iWeek 2015 which has been South Africa’s leading annual Internet industry conference since 2001.

Today we’re looking at DANE (DNS-based Authentication of Named Entities) which allows X.509 certificates which are commonly used for TLS, to be bound to DNS names using DNSSEC. The rationale for this is covered quite nicely in the presentation by Michuki Mwanga, ISOC’s Regional Development Manager for Africa, which is that TLS typically relies on X.509 certificates for its encryption keys. These are either issued by one of the many CAs trusted by the major operating system and browser vendors, by a CA where trust has been established through other means, or are self-signed. The fundamental problems are that CAs can in principle issue a certificate for any domain, there are differing standards of domain verification amongst CAs, and there are many CAs issuing certificates which increases the chances of a incorrect or fraudulent certificate being issued.

DANE builds on the DNS concept of domain name holders controlling their name resources, and on DNSSEC that enables them to assert these resources through the use of digital signatures.

Jan Zorz, the Internet Society’s Operational Engagement Manager, has also undertaken some testing of DANE with SMTP in the Go6lab. This sent an e-mail to the top one million Alexa domains, which showed 99% of those had mail servers and nearly 70% of all the attempted SMTP sessions were encrypted with TLS. Of those, 41% used certificate from a trusted CA, 17% used an untrusted certificate, 11% was opportunistic and unsigned, whilst just 0.13% were verified with TLSA by DANE. However, the testing did serve to demonstrate that 70% of e-mail can be encrypted in some manner, even though there needs to be greater deployment of DNSSEC before the benefits of DANE can be realised.

ION Cape Town – DANE: The Future of Transport Layer Security (TLS) from Deploy360 Programme (Internet Society)

DANE/DNSSEC/TLS Testing in the go6Lab – ION Cape Town from Deploy360 Programme (Internet Society)

Please do check out the other presentations and videos from the conference, as there’s some interesting deployment case studies and trials of the Deploy360 technologies.

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events

ION Cape Town: Implementing DNSSEC

ion-capetown-ai-pngThis week we’re highlighting some of the topics that were covered during ION Cape Town a couple of months back. This was our third ION conference of 2015, and was held in conjunction with South Africa iWeek 2015 which has been South Africa’s leading annual Internet industry conference since 2001.

To kick-off we’re looking at DNSSEC which is increasingly being implemented by ccTLD registries around the world. Simon Balthazar of tzNIC (Tanzania) presented a concise but clear case for deploying DNSSEC, pointing out the wide reaching implications of the DNSChanger trojan since 2007. DNS validation will greatly reduce the impact of these sorts of hijackings, and with significant effort and money being expended to improve other areas of Internet security, it’s important to ensure that you’re actually connecting to an authenticated host.

Mark Elkins of Posix Systems also provides a deployment case study for this small South African ISP. They’ve been implementing DNSSEC since 2008, and have signed all their gTLD domains as well as 90 co.za and other domains using tools available from posixafrica.com. However, the .za root and second-level domains have still to be signed which limits the effectiveness of this initiative, although there are signs this may happen in the coming months.

ION Cape Town – Why Implement DNSSEC? from Deploy360 Programme (Internet Society)

Deploying DNSSEC: A .ZA Case Study – ION Cape Town from Deploy360 Programme (Internet Society)

Please do check out the other presentations and videos from the conference, as there’s some interesting deployment case studies and trials of the Deploy360 technologies.

Categories
Deploy360 Events

iWeek and ION meeting in Cape Town is starting…

ion-capetown-ai-pngToday the iWeek meeting in Cape Town starts and I was asked to talk about some new features in the IPv6 Toolkit at today’s “Operator tool BOF” and show live how to test the firewalls for IPv6 as we described in one of the previous Deploy360 blog posts. This time I’ll connect remotely to go6lab and issue the attacks from the virtual server outside the firewall (attacker) towards the victim virtual server behind the PaloAltoNetworks firewall and show the difference between protected and non-protected environments.

Tomorrow the ION meeting starts as a track in the iWeek agenda and I’m really looking forward to a good discussion, great speakers, and packed agenda that we managed to pull together.

If you are around – stop by and we can chat about many things Internet! I’ll be around for the whole week, don’t be shy 😉

Categories
Deploy360 Events

Under a Month Until IPv6, DNSSEC, & Security Info at ION Cape Town

ion-capetown-ai-pngLess than one month until we get to ION Cape Town to talk about IPv6, DNSSEC, DANE, MANRS and Routing Security, the IETF, and more! We’re co-locating this ION with South Africa iWeek 2015; iWeek runs from 7-11 September, with the ION happening all day on Tuesday, 8 September.

Here’s an overview of the agenda and confirmed speakers:

  • Welcome from the Internet Society South Africa Chapter
    Alan Levin
  • Welcome from the Internet Society South Africa-Gauteng Chapter
    Gabriel Ramokotjo
  • Collaborative Security: Routing Resilience Manifesto and MANRS
    Andrei Robachevsky, Internet Society
  • Why Implement DNSSEC?
    Simon Balthazar, TZNIC
  • Deploying DNSSEC: A Case Study
    Mark Elkins, Posix Systems – (South) Africa
  • DANE: The Future of Transport Layer Security (TLS)
    Michuki Mwangi, Internet Society
  • DANE/DNSSEC/TLS Testing in the Go6lab
    Jan Žorž, Internet Society
  • What’s Happening at the IETF? Internet Standards and How to Get Involved
    Andrei Robachevsky, Internet Society
  • IETF, Operational Experience, and Africa
    Michuki Mwangi, Internet Society
  • Best Current Operational Practices – An Update
    Jan Žorž, Internet Society
  • Three Years After World IPv6 Launch: Are We There Yet?
    Mukom Akong Tamon, AfriNIC
  • IPv6 Success Stories– Network Operators Tell All!
    Moderator: Nishal Gorbudhan, Packet Clearing House.
    Panelists:
    Andrew Alston, Liquid Telecom; Graham Beneke; Ben Maddison, Workonline Communications (Pty) Ltd.; Mark Tinka, SeaCom

Best of all, ION Cape Town is FREE to attend! Pre-register at http://www.iweek.org.za/ today for the ION Conference and all the other great events happening that week. (You can check out the full programme at http://www.iweek.org.za/programme-2015/.)

Afilias logoWe remain excited to have Afilias as our ION Conference Series Sponsor. Afilias has proven to be a great partner for the past several IONs and we’re proud to have them on board.

Webcast

If you can’t be there in person, we’re planning to webcast the event so check these pages for more information as we work out the details. After the event, check the ION Cape Town page to find presentations, video archives, and highlights.

Social Media

If you’ll be there, please let us know by joining the Facebook event or Google+ event, talking to us on FacebookTwitter, or Google+ (using the hashtag #IONConf), or emailing us.

We hope to see you there or online during ION Cape Town!

Categories
Deploy360 Events

DNSSEC, IPv6, MANRS, and More at ION Cape Town

ion-capetown-ai-pngWe are busy organizing another ION Conference, this time ION Cape Town on 8 September. We’re co-locating with the South Africa iWeek, and today we’re happy to share our draft agenda, initial speaker lineup, and some logistical details.

Here’s an overview of the agenda and confirmed speakers:

  • Welcome from the Internet Society South Africa Chapter (Alan Levin)
  • Welcome from the Internet Society South Africa-Gauteng Chapter (Gabriel Ramokotjo)
  • Collaborative Security: Routing Resilience Manifesto and MANRS (Michuki Mwangi, Internet Society)
  • Why Implement DNSSEC? (Mark Elkins, Posix Systems – (South) Africa)
  • Deploying DNSSEC: A Case Study
  • Lock it Up: TLS for Network Operators
  • DANE: The Future of Transport Layer Security (TLS)
  • What’s Happening at the IETF? Internet Standards and How to Get Involved (Michuki Mwangi, Internet Society)
  • Best Current Operational Practices – An Update (Jan Zorz, Internet Society)
  • Three Years After World IPv6 Launch: Are We There Yet?
  • IPv6 Success Stories– Network Operators Tell All! (Moderator: Nishal Gorbudhan, Packet Clearing House. Panelists: Ben Maddison, Workonline Communications (Pty) Ltd.; Mark Tinka, SeaCom)

Call for Interested Speakers

You’ll notice we have not filled all the agenda’s speaker slots yet. We’re close to announcing several more, but if you have an expertise and a strong interest in presenting, please let us know by contacting us at deploy360@isoc.org.

About ION Conferences

We continue to build on the success of our past events, where we’ve had industry experts from across the globe answer your specific deployment questions and provided a mix of high-level strategic discussions, real-world deployment experiences, and hands-on technical training. ION Conferences also help us get your direct feedback on what else you need to get started so that we know what new resources to add to the Deploy360 site next.

Logistics & Registration

ION Cape Town and iWeek are FREE to attend. Pre-registration is open on the iWeek site at http://www.iweek.org.za.

If you’ll be there, please let us know by joining the Facebook event or Google+ event, talking to us on FacebookTwitter, or Google+ (using the hashtag #IONConf), or emailing us.

If you can’t be there in person, we’re planning to webcast the event and will provide more information later. After the event, please check the ION Cape Town page to find the featured presentations and other highlights. We can’t wait for ION Cape Town and we look forward to sharing insights from industry experts.

Register today!

Categories
Deploy360 Events

Announcing ION Cape Town with South Africa iWeek in September

Flag_of_South_AfricaAfter two great ION Conferences so far this year in Kandy, Sri Lanka, and Port of Spain, Trinidad, we are very pleased to announce that we’re hard at work on ION Cape Town, which will take place on Tuesday, 8 September, alongside the South Africa iWeek.

We’re lucky to once again have a *full day* program so we can cover all our favorite topics including IPv6, DNSSEC, Securing BGP, and TLS for Applications. As usual, this ION has generous support from our ION Conference Series Sponsor Afilias and both the ISOC South Africa Chapter and the ISOC Gauteng Chapter.

Our draft agenda is online already and we’re working on filling the speaker slots, so if you’ll be attending iWeek and you think you might make a good candidate, please speak up in the comments below or via our
social media channels. A quick preview of some of our draft session titles:

  • Why Implement DNSSEC?
  • Deploying DNSSEC: A Case Study
  • Lock it Up: TLS for Network Operators
  • Three Years After World IPv6 Launch: Are We There Yet?
  • DANE: The Future of Transport Layer Security (TLS)
  • What’s Happening at the IETF? Internet Standards and How to Get Involved
  • Operators & the IETF
  • Collaborative Security: Routing Resilience Manifesto and MANRS
  • Best Current Operational Practices – An Update
  • IPv6 Success Stories – Network Operators Tell All!

iWeek is South Africa’s leading annual Internet industry conference, and has been held each year since 2001. iWeek brings together all of South Africa’s major Internet organizations for a series of presentations, workshops, training programs, and social events. The event partners are:

  • The Internet Service Providers’ Association (ISPA)
  • The ZA Central Registry (ZACR)
  • The ZA Domain Name Authority (ZADNA)
  • The South African Internet Exchange (INX-ZA)

We’re still working out the logistics and registration details, so stay tuned to the ION Cape Town website or
this blog for more information. We’re also planning to live stream the ION, so even if you can’t be there in person you’ll be able to follow along online.

We’re also still working on one more ION Conference for 2015, as well as our 2016 and beyond locations. Are you part of something that might lend itself to co-locating with an ION? Let us know! We hold three or four events each year in locations all over the world, and we are open to all sorts of opportunities. Contact us to discuss co-location possibilities, or how your company could sponsor an existing ION Conference.

We hope to see you in Cape Town, or at a future event!