RE: BGP certificate insanity was: (DHS insanity - offtopic)

2007-04-24 Thread michael.dillon

 You might try taking a look at the various presentations at
 NANOG/RIPE/ARIN/APNIC/APRICOT about the whole idea.  Central point: the
 entity that gives you a suballocation of its own address space signs
 something that says you now hold it.

If the whois directories actually operated under some set of guidelines
defining their purpose and scope which was enforced by the directory
publishers, then there would be no need for this certificate nonsense.

Why force the routers to do crypto and check certificates when it is
easier, less fragile, and more reliable to have some kind of operational
support system checking the RIR whois directory? If the RIRs actually
took whois directories seriously and RIGOROUSLY cleaned the information
in those directories, then there would be no need for putting crypto in
the BGP protocol or on the routers.

This whole BGP-security-based-on-certificates idea is using a
sledgehammer to fix an administrative problem with the whois
directories.

Note that RIPE is already moving to a more rigorous whois directory
because of European Data Protection laws. It is no longer acceptable to
just do whois like it was done 20 years ago just because that is the net
tradition. Now we must have policies which define the purpose of whois
directories and rigorously check the data to ensure that it meets those
policies. 

This is an area where every ISP can get involved with a small amount of
effort, much smaller than dealing with crypto on the routers and
certificate systems.

 No governments involved.

Fixing whois is even better. No security experts involved. There are
just far too few real security experts to go around. This push for
signing routes and signing DNS is just madness because it means that net
operations people will not be able to determine whether a data source is
trustable or not without becoming a security expert themselves. This is
a wholly inappropriate application of certificates and crypto.

--Michael Dillon



RE: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread michael.dillon

 (email string deleted...)

 I'm deeply saddened that the very folks who work so hard to run the
 Internet are publicly speculating that DHS wants to take over the 'net.

Please provide some evidence of your assertion. I have seen no evidence
that the very folks who work so hard to run the Internet are making any
speculations at all about the DHS.

 Can somebody point to DHS quotes that lend support to this idea?  Or are
 the ideas coming from a bunch of pseudo-news hacked together by
 non-technical reporters that have absolutely no idea what they are
 talking about?

Maybe you need to take your own advice here...

The fact is that *ANY* public agency attracts criticism. This is a good
thing. It is a good thing that people are criticising the DHS for what
it is doing and for what they imagine that it might be doing. This kind
of criticism, whether warranted or not, is what keeps public agencies on
their toes. Public agencies are complex beasts and one person cannot
fully understand all the activities and motives of the DHS. In fact, the
DHS itself changes as its personnel change, so what may be true of
today's DHS will not be true of tomorrow's.

Also note, that people can cooperate with and support certain DHS work,
while at the same time being vocal critics of the DHS. It's not a
zero-sum game.

--Michael Dillon


Re: BGP certificate insanity was: (DHS insanity - offtopic)

2007-04-24 Thread Joe Abley



On 24-Apr-2007, at 10:15, [EMAIL PROTECTED] wrote:

 You might try taking a look at the various presentations at
 NANOG/RIPE/ARIN/APNIC/APRICOT about the whole idea.  Central point: the
 entity that gives you a suballocation of its own address space signs
 something that says you now hold it.

 If the whois directories actually operated under some set of guidelines
 defining their purpose and scope which was enforced by the directory
 publishers, then there would be no need for this certificate nonsense.


How can anybody be sure that the random peering tech they are talking  
to really works for the organisation listed in the whois record? By  
visual inspection of the e-mail address? A faxed LOA on company  
letterhead?


Given a polished toolset, I'd take a signed ROA over any of those.


Joe



Re: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Sean Donelan


On Mon, 23 Apr 2007, Chris L. Morrow wrote:

I think the strawman proposals so far were something like:

1) iana has 'root' ca-cert
2) iana signs down certs for RIR's
3) RIR's sign down certs for LIR's
4) LIR's sign down certs for 'users' (where 'users' is probably
address-space users, like corporations or end-sites)

This seemed not-too-insane, and would give ISP/operator type folks that
ability to easily and quickly verify that:

157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1

with some level of authority... It's nothing really more than that.


You can do online or offline verification of a trust chain.  RSA, certs, 
etc are just the math.  But the math doesn't change the trust.  If the
LIR/RIR directories are poorly maintained, their signatures aren't going 
to be any better.


The problem in your trust chain above is the LIRs don't actually verify
much about the 'users'; and it's very easy to spoof the LIRs (i.e. I
forgot my password) to change their directory information.  And the same
thing will probably be true when you ask LIRs to sign things.  I lost my
RSA cert, please sign a new one for me.

An online chain of RWHOIS delegations or an offline chain of RSA
certificates (for which you will still need an online CRL check) doesn't
change the problems in the LIRs (or even RIRs or IANA).  A lot of math
won't make the answer more authoritative.



Re: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Jeroen Massar
Sean Donelan wrote:
 
 On Mon, 23 Apr 2007, Chris L. Morrow wrote:
 I think the strawman proposals so far were something like:

 1) iana has 'root' ca-cert
 2) iana signs down certs for RIR's
 3) RIR's sign down certs for LIR's
 4) LIR's sign down certs for 'users' (where 'users' is probably
 address-space users, like corporations or end-sites)

 This seemed not-too-insane, and would give ISP/operator type folks that
 ability to easily and quickly verify that:

 157.242.0.0/16 is in point of fact permitted to originate by the
 org-id: LMU-1

 with some level of authority... It's nothing really more than that.
 
 You can do online or offline verification of a trust chain.  RSA, certs,
 etc are just the math.  But the math doesn't change the trust.  If the
 LIR/RIR directories are poorly maintained, their signatures aren't going
 to be any better.

IMHO ISPs that are not maintaining their entries correctly should not
have a place on the Internet. In IPv6 one can see it quite well
actually: when one has route6 entries the prefix has more of a chance of
piercing through filters than when it has none. Adding a signature to
this chain of checks and enforcing BGP announcements to be signed would
definitely weed out a lot of bad ISPs who couldn't care less as they
suddenly start losing connectivity.

Do also note that, like DNS roots, anybody can set up their private
signing authority and provide certs to their buddy ISPs in a similar
manner.

 The problem in your trust chain above is the LIR's don't actually verify
 much about the 'users'; and its very easy to spoof the LIRs (i.e. I
 forgot my password) to change their directory information.  And the same
 thing will probably be true when you ask LIRs to sign things.  I lost my
 RSA cert, please sign a new one for me.

This is also more about who is responsible for the address. Not who
actually uses the address space. With hacked computers and botnets and
the likes that is an unknown anyway. But when the responsible
organization crosses the line a couple of times, it is easy to see where
the bad ones really are.

 An online chain of RWHOIS delegations or a offline chain of RSA
 certificates (which you will still need an online CRL check), doesn't
 change the problems in the LIRs (or even RIRs or IANA).  A lot of math
 won't make the answer more authoritative.

What is the problem here then? You simply mark the LIR as untrustworthy
when they peep up a number of times and as more and more ISP's do that
they silently disappear from the Internet, at least the one where the
'trusted' ISP's are in. This is the same as de-peering ones who are not
being nice to you, but now you at least know it is them being bad and
not somebody just hijacking them. It's just a little step up from what
already gets done.

With every verification mechanism that involves trust and signing there
usually is also a need for a white and a blacklist, you can manage these
yourself or you can let some 3rd party do it, like what is done with
many of the spam cases.

Greets,
 Jeroen




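The strawman chain Chris Morrow sketches and Sean Donelan quotes above (IANA root, RIR, LIR, address-space user), Sean's caveat that the math does not fix a sloppy LIR, and Jeroen's suggestion of a locally managed list of LIRs you no longer trust can be put together in a few dozen lines. The Go program below is an added example written for this page; it is not code from any of the posters and not an RPKI implementation. It uses Ed25519 from the Go standard library as a stand-in for the RSA certificates discussed, a constructed certificate layout rather than the real RPKI profile, constructed names (IANA, RIR-EXAMPLE, LIR-EXAMPLE, OTHER-1; LMU-1 and 157.242.0.0/16 come from the thread) and freshly generated keys. It verifies a ROA for 157.242.0.0/16 back to the trust anchor, rejects one signed by a key no certificate in the chain vouches for, rejects the same valid chain once the operator has marked the LIR as untrusted, and shows that a ROA the LIR re-signs over to a different org-id validates just fine, which is exactly Sean's point.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/netip"
)

// Cert: toy resource certificate (constructed layout, not the RPKI profile):
// Issuer vouches that Subject holds PubKey and the address block Resources.
type Cert struct{ Subject, Resources, Issuer string; PubKey ed25519.PublicKey; Sig []byte }

// ROA: toy route origin attestation, Issuer says OrgID may originate Prefix.
type ROA struct{ Prefix, OrgID, Issuer string; Sig []byte }

// Bytes each signature covers; '|' is a safe separator since the key is hex.
func certTBS(c Cert) []byte {
	return []byte(c.Subject + "|" + hex.EncodeToString(c.PubKey) + "|" + c.Resources + "|" + c.Issuer)
}
func roaTBS(r ROA) []byte { return []byte(r.Prefix + "|" + r.OrgID + "|" + r.Issuer) }

func issueCert(issuer string, key ed25519.PrivateKey, subject string, pub ed25519.PublicKey, res string) Cert {
	c := Cert{Subject: subject, Resources: res, Issuer: issuer, PubKey: pub}
	c.Sig = ed25519.Sign(key, certTBS(c))
	return c
}

func issueROA(issuer string, key ed25519.PrivateKey, prefix, org string) ROA {
	r := ROA{Prefix: prefix, OrgID: org, Issuer: issuer}
	r.Sig = ed25519.Sign(key, roaTBS(r))
	return r
}

// contains reports whether the child block lies entirely inside the parent.
func contains(parent, child string) bool {
	p, err1 := netip.ParsePrefix(parent)
	c, err2 := netip.ParsePrefix(child)
	return err1 == nil && err2 == nil && p.Bits() <= c.Bits() && p.Contains(c.Addr())
}

// Verifier: the operator's trust anchor plus its own list of issuers it refuses to trust.
type Verifier struct {
	AnchorName string
	AnchorKey  ed25519.PublicKey
	Distrusted map[string]bool
}

// VerifyROA walks chain (RIR cert, then LIR cert) from the anchor to the ROA, checking
// signature, issuer, resource containment and the distrust list. No directory is consulted.
func (v *Verifier) VerifyROA(chain []Cert, roa ROA) error {
	key, issuer, held := v.AnchorKey, v.AnchorName, "0.0.0.0/0"
	for _, c := range chain {
		if c.Issuer != issuer || !ed25519.Verify(key, certTBS(c), c.Sig) {
			return fmt.Errorf("cert for %s does not chain to %s", c.Subject, issuer)
		}
		if !contains(held, c.Resources) {
			return fmt.Errorf("%s delegated %s, outside its own %s", issuer, c.Resources, held)
		}
		if v.Distrusted[c.Subject] {
			return fmt.Errorf("%s is on the local distrust list", c.Subject)
		}
		key, issuer, held = c.PubKey, c.Subject, c.Resources
	}
	if roa.Issuer != issuer || !contains(held, roa.Prefix) || !ed25519.Verify(key, roaTBS(roa), roa.Sig) {
		return fmt.Errorf("ROA %s -> %s does not check out under %s", roa.Prefix, roa.OrgID, issuer)
	}
	return nil
}

type Verdict struct{ Valid, ForeignKey, Reissued, DistrustedLIR error }

// Demo builds the IANA -> RIR -> LIR -> ROA chain (constructed names, fresh keys)
// and asks the verifier about four ROAs for 157.242.0.0/16.
func Demo() Verdict {
	ianaPub, ianaPriv, _ := ed25519.GenerateKey(rand.Reader)
	rirPub, rirPriv, _ := ed25519.GenerateKey(rand.Reader)
	lirPub, lirPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader) // vouched for by nobody
	chain := []Cert{
		issueCert("IANA", ianaPriv, "RIR-EXAMPLE", rirPub, "157.0.0.0/8"),
		issueCert("RIR-EXAMPLE", rirPriv, "LIR-EXAMPLE", lirPub, "157.242.0.0/15"),
	}
	good := issueROA("LIR-EXAMPLE", lirPriv, "157.242.0.0/16", "LMU-1")
	foreign := issueROA("LIR-EXAMPLE", strangerPriv, "157.242.0.0/16", "LMU-1")
	// The LIR signs the same prefix over to someone else ("I lost my cert, please
	// sign a new one"): to the verifier this is indistinguishable from good.
	reissued := issueROA("LIR-EXAMPLE", lirPriv, "157.242.0.0/16", "OTHER-1")
	v := &Verifier{AnchorName: "IANA", AnchorKey: ianaPub, Distrusted: map[string]bool{}}
	out := Verdict{Valid: v.VerifyROA(chain, good), ForeignKey: v.VerifyROA(chain, foreign),
		Reissued: v.VerifyROA(chain, reissued)}
	v.Distrusted["LIR-EXAMPLE"] = true // the operator's own call after repeated misbehaviour
	out.DistrustedLIR = v.VerifyROA(chain, good)
	return out
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Run it with `go run`; Valid and Reissued come back nil, ForeignKey and DistrustedLIR come back as errors. The Distrusted map is purely local policy applied while walking the chain, so it works the same way whether the distrust came from your own experience with that LIR or from a third-party list, as Jeroen describes. The verifier never looks at a whois directory or CRL: everything the last key in the chain signs is accepted, which is why a careless LIR produces perfectly valid signatures for the wrong party.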


RE: BGP certificate insanity was: (DHS insanity - offtopic)

2007-04-24 Thread michael.dillon

 How can anybody be sure that the random peering tech they are talking
 to really works for the organisation listed in the whois record? By
 visual inspection of the e-mail address?

Do people really talk to random peering techs? I thought that peering
contacts were all set up via face-to-face meetings. In any case, if it
is email authentication that you are after, putting certificates in your
router will not help you.

Also, normal business practices can be very useful to establish the
identity of people. For instance, call the company where said peering
tech works, and ask for their extension. If you can't reach them by
phone, then tell them that you need to discuss the matter with their
boss. Everybody has a boss and should be willing to identify the boss by
name. Then phone the company and ask for the boss by name. If there is
still no luck, then you know that your leg is being pulled.

 A faxed LOA on company letterhead?

A lot of people do require LOAs on company letterhead to begin peering
but I'm not sure faxed documents are good enough. In addition, a lot of
companies define the contact points in the peering agreements so you
know who is who at the other side and how to reach them (direct dial
phone numbers). There is also INOC-DBA where somebody else has done some
level of authentication of people at your peers.

In other words, there are lots of reasonable ways to solve this problem
without having to put the complexity and load of crypto on your routers.

The advantage of applying reasonable processes to the problem is that
any reasonably intelligent person in your business can verify that the
process works. Once you go to crypto, it all becomes a mysterious
blackbox that nobody in your company can verify. You just have to trust
it all because somebody, somewhere, says that it should be trusted.
There just isn't enough security expertise to go around for every
company to examine the whole thing to be sure that it really is as
secure as it claims to be. There is a long history of crypto technology
being applied to problems and then being discovered to be faulty in some
way. Trust was misplaced. People trusted untrustworthy systems just
because they had the magic air of crypto about them.

Quite frankly, the Internet is too important to trust critical
infrastructure to magic crypto systems. There are other, better ways to
solve these problems, that do not introduce single points of failure
into the system. 

--Michael Dillon

P.S. when I said system above, I was using the term in the sense that
C.W. Churchman did when he wrote his book, The Systems Approach. 



Re: UK ISP threatens security researcher

2007-04-24 Thread Leigh Porter


Dragos Ruiu wrote:

On Thursday 19 April 2007 18:25, Simon Lyall wrote:

If you are a random person who comes across a security hole in a website
or commercial product then the best thing to do is tell nobody, refrain
from any further investigation and if possible remove all evidence you
ever did anything.

There is almost zero potential upside of reporting these holes vs the very
real potential downside that the company might decide to go after you with
their legal team or the police.



Bullshit.

And when we start propagating messages like this, it will be bad news.

Just report the bug. Unless they are ignorant idiots they should thank
you in some way.

cheers,
--dr

  
Yeah but in this case the company the bug was being reported to
deliberately set up this back door password and had previously ignored
people bringing it to their attention. There is a point where, as you
say, their being ignorant idiots takes over.


So what do you do then? Yer damned if you do and everybody's pwned if 
you don't!



--
Leigh





RE: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Marcus H. Sachs

 Please provide some evidence of your assertion. I have seen no evidence
 that the very folks who work so hard to run the Internet are making any
 speculations at all about the DHS.

Scroll backwards through the emails to the first one in this modified thread
(RE: IP Block 99/8 (DHS insanity - offtopic)) and read the first few
comments that came in.

Marc



RE: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread michael.dillon

 Please provide some evidence of your assertion. I have seen no evidence
 that the very folks who work so hard to run the Internet are making any
 speculations at all about the DHS.

 Scroll backwards through the emails to the first one in this modified
 thread (RE: IP Block 99/8 (DHS insanity - offtopic)) and read the first
 few comments that came in.

Did that. The first three are from J. Oquendo, Valdis Kletnieks and
Kradorex Xeron. Of these three, Valdis has some sort of netops
responsibility at Virginia Tech, and the other two are aliases for
unknown individuals. J. Oquendo seems to be joking in Spanish and the
other seems to be a garbled version of dark stranger. 

Are you seriously asserting that these are THE FOLKS who work so hard
to run the Internet?

I know of thousands of people who would strongly disagree with you on
that account.

--Michael Dillon

P.S.
NANOG is just a mailing list and the people who are on it are just
people having a chat.


RE: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Marcus H. Sachs

 
 NANOG is just a mailing list and the people who are on it are just
 people having a chat.

Whew.  That's refreshing good news.  And here I thought that this was a
place to discuss operational issues.

OK, back to the real world and thanks for the chat.

Marc



Re: BGP certificate insanity was: (DHS insanity - offtopic)

2007-04-24 Thread Joe Abley



On 24-Apr-2007, at 11:51, [EMAIL PROTECTED] wrote:

 How can anybody be sure that the random peering tech they are talking
 to really works for the organisation listed in the whois record? By
 visual inspection of the e-mail address?

 Do people really talk to random peering techs? I thought that peering
 contacts were all set up via face-to-face meetings.

Your view of the world is far from universal.

 In any case, if it is email authentication that you are after, putting
 certificates in your router will not help you.


I never suggested putting certificates in a router.


 Also, normal business practices can be very useful to establish the
 identity of people.

For sure, but I don't need to care about the identity of people if I
am given a signed ROA which checks out back to a trust anchor I am
prepared to trust.


No crypto on routers involved.


Joe


Re: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread J. Oquendo

Marcus H. Sachs wrote:
 Please provide some evidence of your assertion. I have seen no evidence
 that the very folks who work so hard to run the Internet are making any
 speculations at all about the DHS.

 Scroll backwards through the emails to the first one in this modified
 thread (RE: IP Block 99/8 (DHS insanity - offtopic)) and read the first
 few comments that came in.

 Marc



Getting back to the original articles, here is where my notions and the
notions of many others come from:



// QUOTE //
The US Department of Homeland Security (DHS), which was created after
the attacks on September 11, 2001 as a kind of overriding department,
wants to have the key to sign the DNS root zone solidly in the hands
of the US government. This ultimate master key would then allow
authorities to track DNS Security Extensions (DNSSec) all the way
back to the servers that represent the name system's root zone on
the Internet.

...

At the ICANN meeting, Turcotte said that the managers of country
registries were concerned about this proposal. When contacted by
heise online, Turcotte said that the national registries had informed
their governmental representatives about the DHS's plans.

http://www.heise.de/english/newsticker/news/87655
// END QUOTE //

This is not something I chopped together for spite, this is what I've
read and am reading. So when experts from ICANN, the security world
(Schneier) and others take a quick step back and question this, I read
more into it. ...

// QUOTE //

The issue of who holds signing keys has until recently been pretty much an
academic one.

...

But that might be changing, with the U.S. government leading the way, as
DNSSEC becomes a requirement under the Federal Information Security
Management Act.

http://www.gcn.com/online/vol1_no1/43443-1.html
// END QUOTE //

So now I ask, on the DHS' Cyber Security Research paper, how should I infer
the following comment:

// COPIED //
Actively pursue strategies for facilitating technology transfer and
diffusion of Federally-funded R&D into commercial products and services,
and private sector use

http://www.infragard.net/library/congress_05/cyber_security/cyber_security_research.ppt#266,17,Portfolio
Mission and Strategic Objectives (concluded)

// END COPY //

Let me play devil's advocate a bit further... What if Canada, Italy or
some other country was asking that I abide by something I don't agree
with especially when they're trying to get ahold of something they
have no control over... Should I roll over and play dead. That in
itself would direct some form of control to any said country. I
don't know about you but its fundamentally fraud.

Now logically in accordance to the way this country has become,
even less so would I give the authority to any government to direct
the flow of information lest I be in a drunken stupor for 28
days(daze).

[EMAIL PROTECTED] wrote:


 Did that. The first three are from J. Oquendo, Valdis Kletnieks and
 Kradorex Xeron. Of these three, ... J. Oquendo seems to be joking
 in Spanish

You mean after all this time I never controlled my Internet :(

On a serious note now...

 NANOG is just a mailing list and the people who are on it are just
 people having a chat.

I've always enjoyed seeing other perspectives on NANOG but I now await
the gracious Mr. Bellovin's response (if he would be kind enough to
provide one)... Using Bloom Filters for Authenticated Yes/No Answers in the DNS


// More off topic //

Who is responsible for the sorry state of Internet security?
http://isc.sans.org/poll.html?pollid=75&results=Y
21.2 % =Users
18.2 % =Vendors
12.9 % =I am responsible!
10.4 % =Programmers
8.8 % =Software Architects
5.4 % =Nobody
3.4 % =Schools/Universities (for not teaching better programming and such)
3 % =Government
16.6 % =Other (please comment)
Total Answers: 2265


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

Wise men talk because they have something to say;
fools, because they have to say something. -- Plato








New AS Number Block allocated to the RIPE NCC

2007-04-24 Thread Alex Le Heux


Dear Colleagues,

The RIPE NCC received the AS Number Block 43008 - 44031 from
the IANA in April 2007.

You may want to update your records accordingly.

Best regards,

Alex Le Heux
RIPE NCC




RE: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Marcus H. Sachs

J. Oquendo wrote:

 http://www.heise.de/english/newsticker/news/87655

That is the article that started a very unfortunate chain of events.  The
reporter got all of the facts wrong, then people who I thought had some clue
jumped into the mess and only made it worse.  

 http://www.gcn.com/online/vol1_no1/43443-1.html

DHS does not want the keys to the Internet anymore than they want the keys
to your car.  The DNSSEC initiative gets funding from DHS' Science and
Technology directorate as directed by the National Strategy to Secure
Cyberspace, published by the White House in 2003 (disclaimer - I was part of
the team at the WH that wrote that document, so feel free to toss barbs at
me about it, keeping in mind that it was published over four years ago and A
LOT has changed since then...)  

The DNSSEC initiative is supported by many countries, not just the United
States.  The root key (actually, the root zone's Key Signing Key or KSK)
will be held by the Root Key Operator (RKO), which is some yet-to-be
designated organization or group.  Details about all of this are at
http://www.dnssec-deployment.org if you want to get into the weeds of the
initiative.

It would be nice if reporters had bothered to contact DHS to request an
interview before making statements like, The Homeland Security Department
has stirred up online controversy with its suggestion that the government
should hold a master key for digitally signing the root zone of the Domain
Name System under the DNS Security scheme.  

For a more accurate perspective, see this:
http://www.upi.com/Security_Terrorism/Analysis/2007/04/12/analysis_owning_the_keys_to_the_internet.


Marc



Re: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread J. Oquendo

Alrighty... Since you pointed out this article I already read.


// QUOTE //
This is the U.S. government stepping forward and showing leadership, 
Douglas Maughan, an official with the Department of Homeland Security's 
Science and Technology Directorate, told United Press International.

// END //

Strong leadership? What are they implying they will lead? They can't
even lead their own security issues and I've yet to see anything
on GCN, FCW implying that mil or gov servers had their DNS servers
hijacked. So what is proposed that they will lead?

// MORE // 
The DNS Security Extensions Protocol, or DNSSec, is designed to end such 
abuse by allowing the instantaneous authentication of DNS information -- 
effectively creating a series of digital keys for the system.


One lingering question -- largely academic until now -- has been who 
should hold the key for the so-called DNS Root Zone, the part of the 
system that sits above the so-called Top Level Domains, like .com and .org.


...

The draft lays out a series of options for who could be the holder, or 
operator, of the Root Zone Key, essentially boiling down to a 
governmental agency or a contractor.

// END //


You mean like Verisign? Why should the US handpick a company or
one of their contractors to manage this? You're implying that a
PRIVATE CORPORATION would never follow the will of the one feeding
it... I could as could anyone else point out the systemic abuse
that would follow. One would have to be ignorant to ignore the
potential for abuse not solely from a government whispering sweet
nothings in the ear for sake of perhaps censorship, but what
about the private abuse... No form of oversight other than the
US and our Department of Terrorism and Paranoia Security are
mentioned.


// QUOTED //
Nowhere in the document do we make any proposal about the identity of 
the Root Key Operator, said Maughan, the cyber-security research and 
development manager for Homeland Security.

// END QUOTE//


Uh... In the same article it states The draft lays out a series
of options for who could be the holder, or operator, of the
Root Zone Key, essentially boiling down to a governmental agency
or a contractor. Yet here is Maughan stating Oh no... DHS and
the US government won't pick who holds keys...


// QUOTE //
The Root Key Operator is going to be in a highly trusted position. It's 
going to be a highly trusted entity. The idea that anyone in that 
position would abuse it to spoof addresses is just silly.

// END //


The idea that it has a huge potential for abuse is not silly. I
can see where some would be either too good hearted to take heed
to common logic, but the potential for abuse is right smack dab
in anyone's face. You pointed out the article Mr. Sachs, so
please explain to me how you can now come back and state But the
DHS has no intention on controlling the key... Sure they intend
on handpicking who does, but that doesn't mean said company will
not follow what it is mandated to do by US government, nor will
said company abuse it on their own.

I can point out hundreds of contractors with the government who
so blatantly con the government and circumvent laws. But that
would be geared towards a political mailing list, not this one.
So if we're to stick to the facts, getting the gist out of the
article you chose... You just re-confirmed the US government's
underlying desire to somehow control the root keys...


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





RE: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Marcus H. Sachs

Mr. Oquendo (I presume Mr. but if it's Ms. please accept my
apologies...), it appears that there is little common ground between you and
me.  So, rather than stringing this out for the next several days and boring
everybody else to tears, I will say thanks for the chat and I look forward
to continuing this in person over a beer or other libation at some future
gathering.

Marc 

-Original Message-
From: J. Oquendo [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 24, 2007 9:58 AM
To: Marcus H. Sachs
Cc: nanog@merit.edu
Subject: Re: IP Block 99/8 (DHS insanity - offtopic)





Re: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Leigh Porter



Don't forget to post to the list where you will do this so I can come 
and watch ;-)


Marcus H. Sachs wrote:

Mr. Oquendo (I presume Mr. but if it's Ms. please accept my
apologies...), it appears that there is little common ground between you and
me.  So, rather than stringing this out for the next several days and boring
everybody else to tears, I will say thanks for the chat and I look forward
to continuing this in person over a beer or other libation at some future
gathering.

Marc 


-Original Message-
From: J. Oquendo [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 24, 2007 9:58 AM

To: Marcus H. Sachs
Cc: nanog@merit.edu
Subject: Re: IP Block 99/8 (DHS insanity - offtopic)

Alrighty... Since you pointed out this article I already read.


// QUOTE //
This is the U.S. government stepping forward and showing leadership, 
Douglas Maughan, an official with the Department of Homeland Security's

Science and Technology Directorate, told United Press International.
// END //

Strong leadership? What are they implying they will lead. They can't even
lead their own security issues and I've yet to see anything on GCN, FCW
implying that mil or gov servers had their DNS servers hijacked. So what is
proposed that they will lead?

// MORE //
The DNS Security Extensions Protocol, or DNSSec, is designed to end such
abuse by allowing the instantaneous authentication of DNS information --
effectively creating a series of digital keys for the system.
 
One lingering question -- largely academic until now -- has been who should

hold the key for the so-called DNS Root Zone, the part of the system that
sits above the so-called Top Level Domains, like .com and .org.

...
 
The draft lays out a series of options for who could be the holder, or

operator, of the Root Zone Key, essentially boiling down to a governmental
agency or a contractor.
// END //


You mean like Verisign? Why should the US handpick a company or one of their
contractors to manage this? You're implying that a PRIVATE CORPORATION would
never follow the will of the one feeding it... I could as could anyone else
point out the systemic abuse that would follow. One would have to be
ignorant to ignore the potential for abuse not solely from a government
whispering sweet nothings in the ear for sake of perhaps censorship, but
what about the private abuse... No form of oversight other than the US and
our Department of Terrorism and Paranoia Security are mentioned.


// QUOTED //
"Nowhere in the document do we make any proposal about the identity of the
Root Key Operator," said Maughan, the cyber-security research and
development manager for Homeland Security.
// END QUOTE//


Uh... In the same article it states "The draft lays out a series of options
for who could be the holder, or operator, of the Root Zone Key,
essentially boiling down to a governmental agency or a contractor." Yet here
is Maughan stating "Oh no... DHS and the US government won't pick who holds
keys..."


// QUOTE //
The Root Key Operator is going to be in a highly trusted position. It's
going to be a highly trusted entity. The idea that anyone in that position
would abuse it to spoof addresses is just silly.
// END //


The idea that it has a huge potential for abuse is not silly. I can see
where some would be either too good hearted to take heed to common logic,
but the potential for abuse is right smack dab in anyone's face. You pointed
out the article Mr. Sachs, so please explain to me how you can now come back
and state But the DHS has no intention on controlling the key... Sure they
intend on handpicking who does, but that doesn't mean said company will not
follow what it is mandated to do by US government, nor will said company
abuse it on their own.

I can point out hundreds of contractors with the government who so blatantly
con the government and circumvent laws. But that would be geared towards a
political mailing list, not this one.
So if we're to stick to the facts, getting the gist out of the article you
chose... You just re-confirmed the US government's underlying desire to
somehow control the root keys...
 


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

Wise men talk because they have something to say; fools, because they have
to say something. -- Plato



RE: BGP certificate insanity was: (DHS insanity - offtopic)

2007-04-24 Thread Chris L. Morrow

I think a backup and level-set is in order... The original comment that
started this discussion was talking about ONLY signing allocations down
from IANA-RIR-LIR-EndSite, only in the whois system and NOT for use in
routing devices.

The papers/preso's that Sandy pointed to all talk only about using
cert-material to help figure out who really is the owner of the space and
use that knowledge to update prefix-list/policy in the field. Randy's
preso at:

http://www.nanog.org/mtg-0602/pdf/bush.pdf

has a very clear walk through of this (and nice font too... but that's
beside the point).

So, all FUD about 'certs on routes in bgp' aside (which is the mission of
sBGP/soBGP and NOT the mission of the discussion so far) is there a real
issue with giving operators a way to see, in a programmatic and simple
fashion, if there's little overhead/cost on the system (whois system) as
a whole?

...a little more below...

On Tue, 24 Apr 2007 [EMAIL PROTECTED] wrote:


  How can anybody be sure that the random peering tech they are
  talking
  to really works for the organisation listed in the whois record? By
  visual inspection of the e-mail address?

 Do people really talk to random peering techs? I thought that peering
 contacts were all set up via face-to-face meetings. In any case, if it
 is email authentication that you are after, putting certificates in your
 router will not help you.


The scenario I worry about isn't the 'peering tech' (mostly because I
don't know any aside from Sri...) it's the 'random customer' who calls in
or emails in and 'needs this prefix change quickly, something got screwy
and we need you to accept this post-haste!' (insert 'millions of
dollars/sec lost!' conversation and escalation to
senior-exec-management... yes, this is a real-life example)

Those cases are painful and we have no method of knowing easily who the
'customer' is and who the 'ip owner' (user/end-site) is and if there is
proper LOA in place :( Making a simple shell script to do 5 whois lookups
and 3 openssl cert checks seems like a 'big win', eh?

 Also, normal business practices can be very useful to establish the
 identity of people. For instance, call the company where said peering
 tech works, and ask for their extension. If you can't reach them by
 phone, then tell them that you need to discuss the matter with their
 boss. Everybody has a boss and should be willing to identify the boss by
 name. Then phone the company and ask for the boss by name. If there is
 still no luck, then you know that your leg is being pulled.


call my office I'll get our president on the phone with you.. pardon his
voice though, he's got a little bit of a cold :( Is this really something
you'd trust in the real world? If so, could you route: 209.173.48.0/20 for
me?

  A faxed LOA on company
  letterhead?

 A lot of people do require LOAs on company letterhead to begin peering
 but I'm not sure faxed documents are good enough. In addition, a lot of

they are not good enough :( you wouldn't imagine the word-template-crap we
get as LOA from obvious scammer/spammer/bad-peeps :( it's sad really.

 companies define the contact points in the peering agreeements so you
 know who is who at the other side and how to reach them (direct dial
 phone numbers). There is also INOC-DBA where somebody else has done some
 level of authentication of people at your peers.

peering is a whole-nuther-land ... customer prefix attestation/adjudication
is where the real rubber hits the road (for me at least).


 In other words, there are lots of reasonable ways to solve this problem
 without having to put the complexity and load of crypto on your routers.


correct, here we agree... We may be a minority, but :)

-Chris


Re: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Chris L. Morrow


On Tue, 24 Apr 2007, Sean Donelan wrote:

 On Mon, 23 Apr 2007, Chris L. Morrow wrote:
  I think the strawman proposals so far were something like:
 
  1) iana has 'root' ca-cert
  2) iana signs down certs for RIR's
  3) RIR's sign down certs for LIR's
  4) LIR's sign down certs for 'users' (where 'users' is probably
  address-space users, like corporations or end-sites)
 
  This seemed not-too-insane, and would give ISP/operator type folks that
  ability to easily and quickly verify that:
 
  157.242.0.0/16 is in point of fact permitted to originate by the org-id: 
  LMU-1
 
  with some level of authority... It's nothing really more than that.

 You can do online or offline verification of a trust chain.  RSA, certs,
 etc are just the math.  But the math doesn't change the trust.  If the
 LIR/RIR directories are poorly maintained, their signatures aren't going
 to be any better.

yes, but:
1) there is no discussion of certs+bgp
2) they need to clean up/tighten up anyway, adding some helpful (to
operators) bits is a nice thing, yes?

 The problem in your trust chain above is the LIR's don't actually verify
 much about the 'users'; and it's very easy to spoof the LIRs (i.e. I
 forgot my password) to change their directory information.  And the same
 thing will probably be true when you ask LIRs to sign things.  I lost my
 RSA cert, please sign a new one for me.

Is it really that easy? I recall a few people having LOTS of trouble
getting their address block information changed so it was once again
usable... I know we had some headaches getting our information switched
around to reflect corporate changes.

 An online chain of RWHOIS delegations or a offline chain of RSA
 certificates (which you will still need an online CRL check), doesn't
 change the problems in the LIRs (or even RIRs or IANA).  A lot of math
 won't make the answer more authoritative.

yes, but the math makes, hopefully, the checking simpler... and it's a
better system than exists today at many places where 'if you put yer
object in the IRR we'll accept it!' (see ConEd incident of 2 years back
for one example). Without any programmatic checking of this data the only
thing accomplished with use of an IRR is to increase the speed with which
you can change prefix-list data :( there is no check for accuracy nor
authority.

-Chris
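The two Chris Morrow posts above describe the same procedure from two angles: a strawman chain in which IANA signs down to the RIRs, the RIRs to the LIRs and the LIRs to address-space users, and "a simple shell script" that an operator could run to check, programmatically, that 157.242.0.0/16 really is permitted to originate from org-id LMU-1. The following is an added example, written for this page and not code from the thread or from any RIR, of what that offline check looks like and of what the signatures do and do not buy you. It uses Ed25519 as a stand-in for the RSA certificates the thread mentions, a constructed holder/prefix/key record rather than the X.509 form the RIRs later adopted, and freshly generated keys; the names RIR-EXAMPLE and LIR-EXAMPLE, the intermediate /8 and /15 allocations, and the 198.51.100.0/24 documentation block are all assumptions. Each link must verify under its issuer's key, must lie inside its issuer's prefix (the check that catches an LIR signing for space it never held), and must not be in a revocation set, which stands in for the online CRL check Sean Donelan raised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net"
)

// Cert is a toy allocation certificate: the issuer attests that Holder
// controls Prefix and signs its own children with PubKey. Constructed
// format for this example, not the RPKI/X.509 form used in practice.
type Cert struct {
	Holder string            // org-id, e.g. "LMU-1"
	Prefix string            // CIDR the holder is attested to control
	PubKey ed25519.PublicKey // key the holder uses for its own children
	Sig    []byte            // issuer's signature over tbs()
}

// tbs is the to-be-signed byte string: holder, prefix and key, delimited.
func (c Cert) tbs() []byte {
	return append([]byte(c.Holder+"|"+c.Prefix+"|"), c.PubKey...)
}

// issue has an issuer sign a child certificate with its private key.
func issue(issuer ed25519.PrivateKey, holder, prefix string, pub ed25519.PublicKey) Cert {
	c := Cert{Holder: holder, Prefix: prefix, PubKey: pub}
	c.Sig = ed25519.Sign(issuer, c.tbs())
	return c
}

// covers reports whether child lies inside parent (same address family,
// equal or more specific). A valid signature on space the issuer never
// held is still bogus, so this check is applied at every link.
func covers(parent, child string) bool {
	_, pn, errP := net.ParseCIDR(parent)
	_, cn, errC := net.ParseCIDR(child)
	if errP != nil || errC != nil {
		return false
	}
	pOnes, pBits := pn.Mask.Size()
	cOnes, cBits := cn.Mask.Size()
	return pBits == cBits && pOnes <= cOnes && pn.Contains(cn.IP)
}

// VerifyChain walks root -> RIR -> LIR -> end-site. Each link must be signed
// by the previous link's key, sit inside the previous link's prefix, and be
// absent from the revocation set. Returns nil only if every link passes.
func VerifyChain(root ed25519.PublicKey, rootPrefix string, chain []Cert, revoked map[string]bool) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	key, prefix := root, rootPrefix
	for i, c := range chain {
		if !ed25519.Verify(key, c.tbs(), c.Sig) {
			return fmt.Errorf("link %d (%s): signature does not verify under issuer key", i, c.Holder)
		}
		if !covers(prefix, c.Prefix) {
			return fmt.Errorf("link %d (%s): %s is not inside issuer's %s", i, c.Holder, c.Prefix, prefix)
		}
		if revoked[c.Holder] {
			return fmt.Errorf("link %d (%s): certificate revoked", i, c.Holder)
		}
		key, prefix = c.PubKey, c.Prefix
	}
	return nil
}

// Demo builds a good chain ending in the thread's own example (157.242.0.0/16
// for org-id LMU-1) and a forged one where the LIR signs for space outside its
// own allocation. Keys are generated fresh; RIR/LIR names, the /8 and /15
// allocations and the 198.51.100.0/24 documentation block are constructed.
func Demo() (root ed25519.PublicKey, good, forged []Cert) {
	gen := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		return pub, priv
	}
	ianaPub, ianaPriv := gen()
	rirPub, rirPriv := gen()
	lirPub, lirPriv := gen()
	sitePub, _ := gen()

	rir := issue(ianaPriv, "RIR-EXAMPLE", "157.0.0.0/8", rirPub)
	lir := issue(rirPriv, "LIR-EXAMPLE", "157.242.0.0/15", lirPub)
	site := issue(lirPriv, "LMU-1", "157.242.0.0/16", sitePub)
	rogue := issue(lirPriv, "LMU-1", "198.51.100.0/24", sitePub) // outside the LIR's /15
	return ianaPub, []Cert{rir, lir, site}, []Cert{rir, lir, rogue}
}

func main() {
	root, good, forged := Demo()
	fmt.Println("good chain:  ", VerifyChain(root, "0.0.0.0/0", good, nil))
	fmt.Println("forged chain:", VerifyChain(root, "0.0.0.0/0", forged, nil))
	fmt.Println("revoked LIR: ", VerifyChain(root, "0.0.0.0/0", good, map[string]bool{"LIR-EXAMPLE": true}))
}
```

Note what the chain does and does not settle: the signature and containment checks let a script answer "is this attestation consistent with what the parent allocated", which is exactly the programmatic check the thread wants in place of eyeballing whois. They say nothing about whether the LIR verified its customer before signing, which is the point Sean makes; a sloppy LIR produces perfectly valid signatures on bad data.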


Re: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Valdis Kletnieks
On Tue, 24 Apr 2007 12:34:25 BST, [EMAIL PROTECTED] said:

 Did that. The first three are from J. Oquendo, Valdis Kletnieks and

Hey - I stayed out of the signed-BGP and signed-DNS lunacy. The only thing *I*
commented on was the reported leakage of 10 to 20 terabytes of data.  And I
think we can all agree that filters and firewalls that leak terabytes of data
qualify as operational (the topic, not the filters).

(I'm going to ignore the alternate interpretation, that Chinese downloaded that
much *open* data from NIPRNet, along with multiple (unreported) terabytes of
open data from Akamai, CNN, Apple's iTunes, and hundreds of other similar data
sources.  After all, conflating secure and open data like that in order to
create an issue would be just wrong.. :)





from the academic side of the house

2007-04-24 Thread bmanning


For the first set of IPv6 records, a team from the University of Tokyo, WIDE
Project, NTT Communications, JGN2, SURFnet, CANARIE, Pacific Northwest
Gigapop and other institutions collaborated to create a network path over
30,000 kilometers in distance, crossing 6 international networks - over 3/4
the circumference of the Earth. In doing so, the team successfully
transferred data in the single and multi-stream categories at a rate of 7.67
Gbps which is equal to 230,100 terabit-meters per second (Tb-m/s).  This
record setting attempt leveraged standard TCP to achieve the new mark.

The next day, the team used a modified version of TCP to achieve an even
greater record. Using the same 30,000 km path, the network was able to
achieve a throughput of 9.08 Gbps which is equal to 272,400 Tb-m/s for both
the IPv6 multi and single stream categories. In doing so, the team surpassed
the current IPv4 records, proving that IPv6 networks are able to provide the
same, if not better, performance as IPv4.

--bill


Re: from the academic side of the house

2007-04-24 Thread Adrian Chadd

On Tue, Apr 24, 2007, [EMAIL PROTECTED] wrote:

 The next day, the team used a modified version of TCP to achieve an even
 greater record. Using the same 30,000 km path, the network was able to
 achieve a throughput of 9.08 Gbps which is equal to 272,400 Tb-m/s for both
 the IPv6 multi and single stream categories. In doing so, the team surpassed
 the current IPv4 records, proving that IPv6 networks are able to provide the
 same, if not better, performance as IPv4.

As one of the poor bastards still involved in rolling out VoIP over satellite
delivered IP at the moment, I can safely say I'm (currently) happy no one's trying
to push H.323 over IPv6 over these small-sized satellite links. Lord knows
we have enough trouble getting concurrent calls through 20 + 20 + 
byte overheads when the voice payload's -20- bytes.

(That said, I'd be so much happier if the current trend 'ere wasn't to -avoid-
delivering serial ports for the satellite service so we can run VoFR or PPP
w/header compression - instead being presented IP connectivity only at
either end, but you can't have everything..)



Adrian



Re: from the academic side of the house

2007-04-24 Thread Leigh Porter


Adrian Chadd wrote:

On Tue, Apr 24, 2007, [EMAIL PROTECTED] wrote:


The next day, the team used a modified version of TCP to achieve an even
greater record. Using the same 30,000 km path, the network was able to
achieve a throughput of 9.08 Gbps which is equal to 272,400 Tb-m/s for both
the IPv6 multi and single stream categories. In doing so, the team surpassed
the current IPv4 records, proving that IPv6 networks are able to provide the
same, if not better, performance as IPv4.



As one of the poor bastards still involved in rolling out VoIP over satellite
delivered IP at the moment, I can safely say I'm (currently) happy no one's trying
to push H.323 over IPv6 over these small-sized satellite links. Lord knows
we have enough trouble getting concurrent calls through 20 + 20 + 
byte overheads when the voice payload's -20- bytes.


(That said, I'd be so much happier if the current trend 'ere wasn't to -avoid-
delivering serial ports for the satellite service so we can run VoFR or PPP
w/header compression - instead being presented IP connectivity only at
either end, but you can't have everything..)



Adrian

Does anybody have any v6 header suppression/compression working yet?

When I was doing VoIP over VSAT people kept trying to give me modems 
with Ethernet on them, not good for doing any header compression.


--
Leigh


Re: from the academic side of the house

2007-04-24 Thread Jim Shankland

[EMAIL PROTECTED] writes:

 The next day, the team used a modified version of TCP to achieve an
 even greater record. Using the same 30,000 km path, the network was
 able to achieve a throughput of 9.08 Gbps which is equal to 272,400
 Tb-m/s for both the IPv6 multi and single stream categories. In doing
 so, the team surpassed the current IPv4 records, proving that IPv6
 networks are able to provide the same, if not better, performance as
 IPv4.

Good job.  Two questions, though:

(1) Do the throughput figures count only the data payload (i.e.,
anything above the TCP layer), or all the bits from the protocol
stack?  If the latter, it seems a little unreasonable to credit
IPv6 with its own extra overhead -- though I'll concede that with
jumbo datagrams, that's not all that much.

(2) Getting this kind of throughput seems to depend on a fast
physical layer, plus some link-layer help (jumbo packets), plus
careful TCP tuning to deal with the large bandwidth-delay product.
The IP layer sits between the second and third of those three items.
Is there something about IPv6 vs. IPv4 that specifically improves
performance on this kind of test?  If so, what is it?

Jim Shankland


Re: from the academic side of the house

2007-04-24 Thread Leigh Porter


Jim Shankland wrote:

[EMAIL PROTECTED] writes:


The next day, the team used a modified version of TCP to achieve an
even greater record. Using the same 30,000 km path, the network was
able to achieve a throughput of 9.08 Gbps which is equal to 272,400
Tb-m/s for both the IPv6 multi and single stream categories. In doing
so, the team surpassed the current IPv4 records, proving that IPv6
networks are able to provide the same, if not better, performance as
IPv4.



Good job.  Two questions, though:

(1) Do the throughput figures count only the data payload (i.e.,
anything above the TCP layer), or all the bits from the protocol
stack?  If the latter, it seems a little unreasonable to credit
IPv6 with its own extra overhead -- though I'll concede that with
jumbo datagrams, that's not all that much.

(2) Getting this kind of throughput seems to depend on a fast
physical layer, plus some link-layer help (jumbo packets), plus
careful TCP tuning to deal with the large bandwidth-delay product.
The IP layer sits between the second and third of those three items.
Is there something about IPv6 vs. IPv4 that specifically improves
performance on this kind of test?  If so, what is it?

Jim Shankland


Also, it's a modified TCP not just tuned. I wonder how modified it is? 
Will it talk to an un-modified TCP stack (whatever that really is) ?


--
Leigh Porter


Re: IP Block 99/8 (DHS insanity - offtopic)

2007-04-24 Thread Scott Weeks



--- Marcus H. Sachs wrote:
 Mr. Oquendo (I presume Mr. but if it's Ms. please accept my
 apologies...), it appears that there is little common ground between you and
 me.  So, rather than stringing this out for the next several days and boring
 everybody else to tears, I will say thanks for the chat and I look forward
 to continuing this in person over a beer or other libation at some future
 gathering.
--

--- [EMAIL PROTECTED] wrote:

: Don't forget to post to the list where you will do this so 
: I can come  and watch ;-)


Same here.  Original challenge; challenge accepted; challenger backs out 
quickly.  I want to see the answers.  Not sure about the AUP, but this'd seem 
to affect all network operators, so if others here agree how about we continue 
the show here?  ;-)

scott


BGP cost community

2007-04-24 Thread Yi Wang


Hello,

I know Cisco routers have the BGP cost community feature.  Could anyone tell me
whether Juniper and other router vendors offer the same/similar feature?

Thanks,
Yi