RE: BGP certificate insanity was: (DHS insanity - offtopic)
> You might try taking a look at the various presentations at NANOG/RIPE/ARIN/APNIC/APRICOT about the whole idea. Central point: the entity that gives you a suballocation of its own address space signs something that says you now hold it.

If the whois directories actually operated under some set of guidelines defining their purpose and scope which was enforced by the directory publishers, then there would be no need for this certificate nonsense. Why force the routers to do crypto and check certificates when it is easier, less fragile, and more reliable to have some kind of operational support system checking the RIR whois directory? If the RIRs actually took whois directories seriously and RIGOROUSLY cleaned the information in those directories, then there would be no need for putting crypto in the BGP protocol or on the routers. This whole BGP-security-based-on-certificates idea is using a sledgehammer to fix an administrative problem with the whois directories.

Note that RIPE is already moving to a more rigorous whois directory because of European Data Protection laws. It is no longer acceptable to just do whois like it was done 20 years ago just because that is the net tradition. Now we must have policies which define the purpose of whois directories and rigorously check the data to ensure that it meets those policies.

This is an area where every ISP can get involved with a small amount of effort, much smaller than dealing with crypto on the routers and certificate systems. No governments involved. Fixing whois is even better. No security experts involved. There are just far too few real security experts to go around. This push for signing routes and signing DNS is just madness because it means that net operations people will not be able to determine whether a data source is trustable or not without becoming a security expert themselves. This is a wholly inappropriate application of certificates and crypto.

--Michael Dillon
RE: IP Block 99/8 (DHS insanity - offtopic)
> (email string deleted...) I'm deeply saddened that the very folks who work so hard to run the Internet are publicly speculating that DHS wants to take over the 'net.

Please provide some evidence of your assertion. I have seen no evidence that the very folks who work so hard to run the Internet are making any speculations at all about the DHS.

> Can somebody point to DHS quotes that lend support to this idea? Or are the ideas coming from a bunch of pseudo-news hacked together by non-technical reporters that have absolutely no idea what they are talking about?

Maybe you need to take your own advice here... The fact is that *ANY* public agency attracts criticism. This is a good thing. It is a good thing that people are criticising the DHS for what it is doing and for what they imagine that it might be doing. This kind of criticism, whether warranted or not, is what keeps public agencies on their toes. Public agencies are complex beasts and one person cannot fully understand all the activities and motives of the DHS. In fact, the DHS itself changes as its personnel change, so what may be true of today's DHS will not be true of tomorrow's. Also note that people can cooperate with and support certain DHS work, while at the same time being vocal critics of the DHS. It's not a zero-sum game.

--Michael Dillon
Re: BGP certificate insanity was: (DHS insanity - offtopic)
On 24-Apr-2007, at 10:15, [EMAIL PROTECTED] wrote:

> > You might try taking a look at the various presentations at NANOG/RIPE/ARIN/APNIC/APRICOT about the whole idea. Central point: the entity that gives you a suballocation of its own address space signs something that says you now hold it.
>
> If the whois directories actually operated under some set of guidelines defining their purpose and scope which was enforced by the directory publishers, then there would be no need for this certificate nonsense.

How can anybody be sure that the random peering tech they are talking to really works for the organisation listed in the whois record? By visual inspection of the e-mail address? A faxed LOA on company letterhead?

Given a polished toolset, I'd take a signed ROA over any of those.

Joe
Re: IP Block 99/8 (DHS insanity - offtopic)
On Mon, 23 Apr 2007, Chris L. Morrow wrote:

> I think the strawman proposals so far were something like:
>
> 1) iana has 'root' ca-cert
> 2) iana signs down certs for RIR's
> 3) RIR's sign down certs for LIR's
> 4) LIR's sign down certs for 'users' (where 'users' is probably address-space users, like corporations or end-sites)
>
> This seemed not-too-insane, and would give ISP/operator type folks the ability to easily and quickly verify that: 157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1 with some level of authority... It's nothing really more than that.

You can do online or offline verification of a trust chain. RSA, certs, etc. are just the math. But the math doesn't change the trust. If the LIR/RIR directories are poorly maintained, their signatures aren't going to be any better.

The problem in your trust chain above is the LIRs don't actually verify much about the 'users'; and it's very easy to spoof the LIRs (i.e. "I forgot my password") to change their directory information. And the same thing will probably be true when you ask LIRs to sign things. "I lost my RSA cert, please sign a new one for me."

An online chain of RWHOIS delegations or an offline chain of RSA certificates (for which you will still need an online CRL check) doesn't change the problems in the LIRs (or even RIRs or IANA). A lot of math won't make the answer more authoritative.
Re: IP Block 99/8 (DHS insanity - offtopic)
Sean Donelan wrote:

> On Mon, 23 Apr 2007, Chris L. Morrow wrote:
>
> > I think the strawman proposals so far were something like:
> >
> > 1) iana has 'root' ca-cert
> > 2) iana signs down certs for RIR's
> > 3) RIR's sign down certs for LIR's
> > 4) LIR's sign down certs for 'users' (where 'users' is probably address-space users, like corporations or end-sites)
> >
> > This seemed not-too-insane, and would give ISP/operator type folks the ability to easily and quickly verify that: 157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1 with some level of authority... It's nothing really more than that.
>
> You can do online or offline verification of a trust chain. RSA, certs, etc. are just the math. But the math doesn't change the trust. If the LIR/RIR directories are poorly maintained, their signatures aren't going to be any better.

IMHO ISP's that are not maintaining their entries correctly should not have a place on the Internet. In IPv6 one can see it quite well actually: when one has route6 entries the prefix has more of a chance of piercing through filters than when it has none. Adding a signature to this chain of checks and enforcing BGP announcements to be signed would definitely weed out a lot of bad ISP's who can't care less as they suddenly start losing connectivity.

Do also note that, like DNS roots, anybody can set up their private signing authority and provide certs to their buddy ISP's in a similar manner.

> The problem in your trust chain above is the LIRs don't actually verify much about the 'users'; and it's very easy to spoof the LIRs (i.e. "I forgot my password") to change their directory information. And the same thing will probably be true when you ask LIRs to sign things. "I lost my RSA cert, please sign a new one for me."

This is also more about who is responsible for the address, not who actually uses the address space. With hacked computers and botnets and the likes that is an unknown anyway. But when the responsible organization crosses the line a couple of times, it is easy to see where the bad ones really are.

> An online chain of RWHOIS delegations or an offline chain of RSA certificates (for which you will still need an online CRL check) doesn't change the problems in the LIRs (or even RIRs or IANA). A lot of math won't make the answer more authoritative.

What is the problem here then? You simply mark the LIR as untrustworthy when they peep up a number of times, and as more and more ISP's do that they silently disappear from the Internet, at least the one where the 'trusted' ISP's are in. This is the same as de-peering ones who are not being nice to you, but now you at least know it is them being bad and not somebody just hijacking them. It's just a little step up from what already gets done.

With every verification mechanism that involves trust and signing there usually is also a need for a white and a blacklist; you can manage these yourself or you can let some 3rd party do it, like what is done with many of the spam cases.

Greets,
Jeroen
RE: BGP certificate insanity was: (DHS insanity - offtopic)
> How can anybody be sure that the random peering tech they are talking to really works for the organisation listed in the whois record? By visual inspection of the e-mail address?

Do people really talk to random peering techs? I thought that peering contacts were all set up via face-to-face meetings. In any case, if it is email authentication that you are after, putting certificates in your router will not help you.

Also, normal business practices can be very useful to establish the identity of people. For instance, call the company where said peering tech works, and ask for their extension. If you can't reach them by phone, then tell them that you need to discuss the matter with their boss. Everybody has a boss and should be willing to identify the boss by name. Then phone the company and ask for the boss by name. If there is still no luck, then you know that your leg is being pulled.

> A faxed LOA on company letterhead?

A lot of people do require LOAs on company letterhead to begin peering but I'm not sure faxed documents are good enough. In addition, a lot of companies define the contact points in the peering agreements so you know who is who at the other side and how to reach them (direct dial phone numbers). There is also INOC-DBA where somebody else has done some level of authentication of people at your peers.

In other words, there are lots of reasonable ways to solve this problem without having to put the complexity and load of crypto on your routers. The advantage of applying reasonable processes to the problem is that any reasonably intelligent person in your business can verify that the process works. Once you go to crypto, it all becomes a mysterious black box that nobody in your company can verify. You just have to trust it all because somebody, somewhere, says that it should be trusted. There just isn't enough security expertise to go around for every company to examine the whole thing to be sure that it really is as secure as it claims to be.

There is a long history of crypto technology being applied to problems and then being discovered to be faulty in some way. Trust was misplaced. People trusted untrustworthy systems just because they had the magic air of crypto about them. Quite frankly, the Internet is too important to trust critical infrastructure to magic crypto systems. There are other, better ways to solve these problems, that do not introduce single points of failure into the system.

--Michael Dillon

P.S. When I said "system" above, I was using the term in the sense that C.W. Churchman did when he wrote his book, The Systems Approach.
Re: UK ISP threatens security researcher
Dragos Ruiu wrote:

> On Thursday 19 April 2007 18:25, Simon Lyall wrote:
>
> > If you are a random person who comes across a security hole in a website or commercial product then the best thing to do is tell nobody, refrain from any further investigation and if possible remove all evidence you ever did anything. There is almost zero potential upside of reporting these holes vs the very real potential downside that the company might decide to go after you with their legal team or the police.
>
> Bullshit. And when we start propagating messages like this, it will be bad news. Just report the bug. Unless they are ignorant idiots they should thank you in some way.
>
> cheers,
> --dr

Yeah, but in this case the company the bug was being reported to deliberately set up this back door password and had previously ignored people bringing it to their attention. There is a point where, as you say, their being ignorant idiots takes over. So what do you do then? Yer damned if you do and everybody's pwned if you don't!

-- 
Leigh
RE: IP Block 99/8 (DHS insanity - offtopic)
> Please provide some evidence of your assertion. I have seen no evidence that the very folks who work so hard to run the Internet are making any speculations at all about the DHS.

Scroll backwards through the emails to the first one in this modified thread (RE: IP Block 99/8 (DHS insanity - offtopic)) and read the first few comments that came in.

Marc
RE: IP Block 99/8 (DHS insanity - offtopic)
> > Please provide some evidence of your assertion. I have seen no evidence that the very folks who work so hard to run the Internet are making any speculations at all about the DHS.
>
> Scroll backwards through the emails to the first one in this modified thread (RE: IP Block 99/8 (DHS insanity - offtopic)) and read the first few comments that came in.

Did that. The first three are from J. Oquendo, Valdis Kletnieks and Kradorex Xeron. Of these three, Valdis has some sort of netops responsibility at Virginia Tech, and the other two are aliases for unknown individuals. J. Oquendo seems to be joking in Spanish and the other seems to be a garbled version of "dark stranger". Are you seriously asserting that these are THE FOLKS who work so hard to run the Internet? I know of thousands of people who would strongly disagree with you on that account.

--Michael Dillon

P.S. NANOG is just a mailing list and the people who are on it are just people having a chat.
RE: IP Block 99/8 (DHS insanity - offtopic)
> NANOG is just a mailing list and the people who are on it are just people having a chat.

Whew. That's refreshing good news. And here I thought that this was a place to discuss operational issues. OK, back to the real world and thanks for the chat.

Marc
Re: BGP certificate insanity was: (DHS insanity - offtopic)
On 24-Apr-2007, at 11:51, [EMAIL PROTECTED] wrote:

> > How can anybody be sure that the random peering tech they are talking to really works for the organisation listed in the whois record? By visual inspection of the e-mail address?
>
> Do people really talk to random peering techs? I thought that peering contacts were all set up via face-to-face meetings.

Your view of the world is far from universal.

> In any case, if it is email authentication that you are after, putting certificates in your router will not help you.

I never suggested putting certificates in a router.

> Also, normal business practices can be very useful to establish the identity of people.

For sure, but I don't need to care about the identity of people if I am given a signed ROA which checks out back to a trust anchor I am prepared to trust. No crypto on routers involved.

Joe
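The four-step IANA -> RIR -> LIR -> end-site chain from Sean's strawman, and the "signed ROA which checks out back to a trust anchor" Joe describes, as an added example that is not part of the original thread: a toy resource-certificate chain in Go, using ed25519 in place of RSA, with RFC 3779-style containment checks on each link and RFC 6811-style origin validation of an announcement. The RIR and LIR blocks, AS64496 (documentation range) and the cert/ROA encodings are constructed stand-ins, not the real RPKI formats; only 157.242.0.0/16 and org-id LMU-1 come from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net/netip"
)

// Cert is a toy resource certificate: holder key, the one prefix the issuer says the holder
// now holds, and the issuer's signature over both (real RPKI certs are X.509 with RFC 3779).
type Cert struct {
	Name   string
	Pub    ed25519.PublicKey
	Prefix netip.Prefix
	Sig    []byte // issuer's signature over tbs(); empty for the trust anchor
}

// ROA is a toy Route Origin Authorization (cf. RFC 6482) signed by the address holder.
type ROA struct {
	Prefix    netip.Prefix
	MaxLength int
	OriginAS  uint32
	Sig       []byte
}

func (c *Cert) tbs() []byte { return []byte(fmt.Sprintf("%x %s", c.Pub, c.Prefix)) }
func (r *ROA) tbs() []byte { return []byte(fmt.Sprintf("%s maxlen=%d AS%d", r.Prefix, r.MaxLength, r.OriginAS)) }

func covered(h, p netip.Prefix) bool { return h.Bits() <= p.Bits() && h.Contains(p.Masked().Addr()) } // p inside h

// ValidateChain walks anchor -> RIR -> LIR -> end-site: each link must verify under its issuer's
// key and hold only space its issuer holds. That proves the issuer signed; not that it was right to.
func ValidateChain(anchor *Cert, rest ...*Cert) (*Cert, error) {
	issuer := anchor
	for _, subj := range rest {
		if !ed25519.Verify(issuer.Pub, subj.tbs(), subj.Sig) {
			return nil, fmt.Errorf("%s: signature by %s does not verify", subj.Name, issuer.Name)
		}
		if !covered(issuer.Prefix, subj.Prefix) {
			return nil, fmt.Errorf("%s: %s not held by issuer %s", subj.Name, subj.Prefix, issuer.Name)
		}
		issuer = subj
	}
	return issuer, nil
}

// ValidateROA accepts a ROA only if the end-site signed it and actually holds the prefix.
func ValidateROA(site *Cert, r *ROA) error {
	if !ed25519.Verify(site.Pub, r.tbs(), r.Sig) || !covered(site.Prefix, r.Prefix) || r.MaxLength < r.Prefix.Bits() {
		return fmt.Errorf("ROA %s: not signed by %s or outside its resources", r.Prefix, site.Name)
	}
	return nil
}

// Origin classifies an announcement against validated ROAs (RFC 6811): "valid" if a covering ROA
// matches the origin AS within maxLength, "invalid" if covered but unmatched, "notfound" otherwise.
func Origin(roas []*ROA, prefix netip.Prefix, as uint32) string {
	state := "notfound"
	for _, r := range roas {
		if !covered(r.Prefix, prefix) {
			continue
		}
		if r.OriginAS == as && prefix.Bits() <= r.MaxLength {
			return "valid"
		}
		state = "invalid"
	}
	return state
}

// issue mints a cert for name holding prefix, signed by issuerKey (nil issuer = trust anchor).
func issue(issuer *Cert, issuerKey ed25519.PrivateKey, name, prefix string) (*Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo: key generation error ignored
	c := &Cert{Name: name, Pub: pub, Prefix: netip.MustParsePrefix(prefix)}
	if issuer != nil {
		c.Sig = ed25519.Sign(issuerKey, c.tbs())
	}
	return c, priv
}

// BuildDemo builds the four-step chain from the thread. 157.242.0.0/16 and org-id LMU-1 come
// from the thread; the RIR and LIR blocks and AS64496 (RFC 5398 range) are constructed.
func BuildDemo() ([]*Cert, []*ROA) {
	iana, ianaKey := issue(nil, nil, "IANA", "0.0.0.0/0")
	rir, rirKey := issue(iana, ianaKey, "RIR", "157.0.0.0/8")
	lir, lirKey := issue(rir, rirKey, "LIR", "157.240.0.0/13")
	site, siteKey := issue(lir, lirKey, "LMU-1", "157.242.0.0/16")
	roa := &ROA{Prefix: netip.MustParsePrefix("157.242.0.0/16"), MaxLength: 20, OriginAS: 64496}
	roa.Sig = ed25519.Sign(siteKey, roa.tbs())
	return []*Cert{iana, rir, lir, site}, []*ROA{roa}
}

func main() {
	chain, roas := BuildDemo()
	_, err := ValidateChain(chain[0], chain[1:]...)
	fmt.Println("chain error:", err, "| 157.242.0.0/24 from AS64496:", Origin(roas, netip.MustParsePrefix("157.242.0.0/24"), 64496))
}
```

The /24 announcement comes back "invalid" even from the right AS because it is more specific than the ROA's maxLength; a signature an issuer grants for space it does not hold verifies fine and is rejected only by the containment check, which is the "math versus trust" gap Sean points at.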
Re: IP Block 99/8 (DHS insanity - offtopic)
Marcus H. Sachs wrote:

> > Please provide some evidence of your assertion. I have seen no evidence that the very folks who work so hard to run the Internet are making any speculations at all about the DHS.
>
> Scroll backwards through the emails to the first one in this modified thread (RE: IP Block 99/8 (DHS insanity - offtopic)) and read the first few comments that came in.
>
> Marc

Getting back to the original articles, here is where my notions and the notions of many others come from:

// QUOTE //
The US Department of Homeland Security (DHS), which was created after the attacks on September 11, 2001 as a kind of overriding department, wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet.
...
At the ICANN meeting, Turcotte said that the managers of country registries were concerned about this proposal. When contacted by heise online, Turcotte said that the national registries had informed their governmental representatives about the DHS's plans.
http://www.heise.de/english/newsticker/news/87655
// END QUOTE //

This is not something I chopped together for spite, this is what I've read and am reading. So when experts from ICANN, the security world (Schneier) and others take a quick step back and question this, I read more into it.

// QUOTE //
The issue of who holds signing keys has until recently been pretty much an academic one. ... But that might be changing, with the U.S. government leading the way, as DNSSEC becomes a requirement under the Federal Information Security Management Act.
http://www.gcn.com/online/vol1_no1/43443-1.html
// END QUOTE //

So now I ask, on the DHS' Cyber Security Research paper, how should I infer the following comment:

// COPIED //
Actively pursue strategies for facilitating technology transfer and diffusion of Federally-funded R&D into commercial products and services, and private sector use
http://www.infragard.net/library/congress_05/cyber_security/cyber_security_research.ppt#266,17,Portfolio Mission and Strategic Objectives (concluded)
// END COPY //

Let me play devil's advocate a bit further... What if Canada, Italy or some other country was asking that I abide by something I don't agree with, especially when they're trying to get ahold of something they have no control over... Should I roll over and play dead? That in itself would direct some form of control to any said country. I don't know about you but it's fundamentally fraud. Now logically in accordance to the way this country has become, even less so would I give the authority to any government to direct the flow of information lest I be in a drunken stupor for 28 days (daze).

[EMAIL PROTECTED] wrote:

> Did that. The first three are from J. Oquendo, Valdis Kletnieks and Kradorex Xeron. Of these three, ... J. Oquendo seems to be joking in Spanish

You mean after all this time I never controlled my Internet :(

On a serious note now...

> NANOG is just a mailing list and the people who are on it are just people having a chat.

I've always enjoyed seeing other perspectives on NANOG but I now await the gracious Mr. Bellovin's response (if he would be kind enough to provide one)...

Using Bloom Filters for Authenticated Yes/No Answers in the DNS

// More off topic //
Who is responsible for the sorry state of Internet security?
http://isc.sans.org/poll.html?pollid=75&results=Y

21.2 % = Users
18.2 % = Vendors
12.9 % = I am responsible!
10.4 % = Programmers
8.8 % = Software Architects
5.4 % = Nobody
3.4 % = Schools/Universities (for not teaching better programming and such)
3 % = Government
16.6 % = Other (please comment)
Total Answers: 2265

-- 
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

Wise men talk because they have something to say; fools, because they have to say something. -- Plato
New AS Number Block allocated to the RIPE NCC
Dear Colleagues,

The RIPE NCC received the AS Number Block 43008 - 44031 from the IANA in April 2007. You may want to update your records accordingly.

Best regards,

Alex Le Heux
RIPE NCC
RE: IP Block 99/8 (DHS insanity - offtopic)
J. Oquendo wrote:

> http://www.heise.de/english/newsticker/news/87655

That is the article that started a very unfortunate chain of events. The reporter got all of the facts wrong, then people who I thought had some clue jumped into the mess and only made it worse.

> http://www.gcn.com/online/vol1_no1/43443-1.html

DHS does not want the keys to the Internet any more than they want the keys to your car. The DNSSEC initiative gets funding from DHS' Science and Technology directorate as directed by the National Strategy to Secure Cyberspace, published by the White House in 2003 (disclaimer - I was part of the team at the WH that wrote that document, so feel free to toss barbs at me about it, keeping in mind that it was published over four years ago and A LOT has changed since then...). The DNSSEC initiative is supported by many countries, not just the United States. The root key (actually, the root zone's Key Signing Key or KSK) will be held by the Root Key Operator (RKO), which is some yet-to-be designated organization or group. Details about all of this are at http://www.dnssec-deployment.org if you want to get into the weeds of the initiative.

It would be nice if reporters had bothered to contact DHS to request an interview before making statements like, "The Homeland Security Department has stirred up online controversy with its suggestion that the government should hold a master key for digitally signing the root zone of the Domain Name System under the DNS Security scheme."

For a more accurate perspective, see this: http://www.upi.com/Security_Terrorism/Analysis/2007/04/12/analysis_owning_the_keys_to_the_internet

Marc
Re: IP Block 99/8 (DHS insanity - offtopic)
Alrighty... Since you pointed out this article I already read.

// QUOTE //
"This is the U.S. government stepping forward and showing leadership," Douglas Maughan, an official with the Department of Homeland Security's Science and Technology Directorate, told United Press International.
// END //

Strong leadership? What are they implying they will lead? They can't even lead their own security issues and I've yet to see anything on GCN or FCW implying that mil or gov servers had their DNS servers hijacked. So what is proposed that they will lead?

// MORE //
The DNS Security Extensions Protocol, or DNSSec, is designed to end such abuse by allowing the instantaneous authentication of DNS information -- effectively creating a series of digital keys for the system. One lingering question -- largely academic until now -- has been who should hold the key for the so-called DNS Root Zone, the part of the system that sits above the so-called Top Level Domains, like .com and .org. ... The draft lays out a series of options for who could be the holder, or operator, of the Root Zone Key, essentially boiling down to a governmental agency or a contractor.
// END //

You mean like Verisign? Why should the US handpick a company or one of their contractors to manage this? You're implying that a PRIVATE CORPORATION would never follow the will of the one feeding it... I could, as could anyone else, point out the systemic abuse that would follow. One would have to be ignorant to ignore the potential for abuse, not solely from a government whispering sweet nothings in the ear for the sake of perhaps censorship, but what about the private abuse... No form of oversight other than the US and our Department of Terrorism and Paranoia Security is mentioned.

// QUOTED //
"Nowhere in the document do we make any proposal about the identity of the Root Key Operator," said Maughan, the cyber-security research and development manager for Homeland Security.
// END QUOTE //

Uh... In the same article it states "The draft lays out a series of options for who could be the holder, or operator, of the Root Zone Key, essentially boiling down to a governmental agency or a contractor." Yet here is Maughan stating "Oh no... DHS and the US government won't pick who holds keys..."

// QUOTE //
"The Root Key Operator is going to be in a highly trusted position. It's going to be a highly trusted entity. The idea that anyone in that position would abuse it to spoof addresses is just silly."
// END //

The idea that it has a huge potential for abuse is not silly. I can see where some would be either too good-hearted to take heed of common logic, but the potential for abuse is right smack dab in anyone's face. You pointed out the article Mr. Sachs, so please explain to me how you can now come back and state "But the DHS has no intention of controlling the key..." Sure they intend on handpicking who does, but that doesn't mean said company will not follow what it is mandated to do by the US government, nor will said company abuse it on their own. I can point out hundreds of contractors with the government who so blatantly con the government and circumvent laws. But that would be geared towards a political mailing list, not this one. So if we're to stick to the facts, getting the gist out of the article you chose... You just re-confirmed the US government's underlying desire to somehow control the root keys...

-- 
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

Wise men talk because they have something to say; fools, because they have to say something. -- Plato
RE: IP Block 99/8 (DHS insanity - offtopic)
Mr. Oquendo (I presume Mr. but if it's Ms. please accept my apologies...), it appears that there is little common ground between you and me. So, rather than stringing this out for the next several days and boring everybody else to tears, I will say thanks for the chat and I look forward to continuing this in person over a beer or other libation at some future gathering.

Marc

-----Original Message-----
From: J. Oquendo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 24, 2007 9:58 AM
To: Marcus H. Sachs
Cc: nanog@merit.edu
Subject: Re: IP Block 99/8 (DHS insanity - offtopic)

[...]
Re: IP Block 99/8 (DHS insanity - offtopic)
Don't forget to post to the list where you will do this so I can come and watch ;-)

Marcus H. Sachs wrote:

> Mr. Oquendo (I presume Mr. but if it's Ms. please accept my apologies...), it appears that there is little common ground between you and me. So, rather than stringing this out for the next several days and boring everybody else to tears, I will say thanks for the chat and I look forward to continuing this in person over a beer or other libation at some future gathering.
>
> Marc
>
> [...]
RE: BGP certificate insanity was: (DHS insanity - offtopic)
I think a backup and level-set is in order... The original comment that started this discussion was talking about ONLY signing allocations down from IANA-RIR-LIR-EndSite, only in the whois system and NOT for use in routing devices. The papers/preso's that Sandy pointed to all talk only about using cert-material to help figure out who really is the owner of the space and use that knowledge to update prefix-list/policy in the field. Randy's preso at: http://www.nanog.org/mtg-0602/pdf/bush.pdf has a very clear walk through of this (and nice font too... but that's beside the point).

So, all FUD about 'certs on routes in bgp' aside (which is the mission of sBGP/soBGP and NOT the mission of the discussion so far) is there a real issue with giving operators a way to see, in a programmatic and simple fashion, if there's little overhead/cost on the system (whois system) as a whole?

...a little more below...

On Tue, 24 Apr 2007 [EMAIL PROTECTED] wrote:

>> How can anybody be sure that the random peering tech they are talking to really works for the organisation listed in the whois record? By visual inspection of the e-mail address?
>
> Do people really talk to random peering techs? I thought that peering contacts were all set up via face-to-face meetings. In any case, if it is email authentication that you are after, putting certificates in your router will not help you.

The scenario I worry about isn't the 'peering tech' (mostly because I don't know any aside from Sri...) it's the 'random customer' who calls in or emails in and 'needs this prefix change quickly, something got screwy and we need you to accept this post-haste!' (insert 'millions of dollars/sec lost!' conversation and escalation to senior-exec-management... yes, this is a real-life example) Those cases are painful and we have no method of knowing easily who the 'customer' is and who the 'ip owner' (user/end-site) is and if there is proper LOA in place :( Making a simple shell script to do 5 whois lookups and 3 openssl cert checks seems like a 'big win', eh?

> Also, normal business practices can be very useful to establish the identity of people. For instance, call the company where said peering tech works, and ask for their extension. If you can't reach them by phone, then tell them that you need to discuss the matter with their boss. Everybody has a boss and should be willing to identify the boss by name. Then phone the company and ask for the boss by name. If there is still no luck, then you know that your leg is being pulled.

call my office I'll get our president on the phone with you.. pardon his voice though, he's got a little bit of a cold :( Is this really something you'd trust in the real world? If so, could you route: 209.173.48.0/20 for me?

>> A faxed LOA on company letterhead?
>
> A lot of people do require LOAs on company letterhead to begin peering but I'm not sure faxed documents are good enough. In addition, a lot of

they are not good enough :( you wouldn't imagine the word-template-crap we get as LOA from obvious scammer/spammer/bad-peeps :( it's sad really.

> companies define the contact points in the peering agreements so you know who is who at the other side and how to reach them (direct dial phone numbers). There is also INOC-DBA where somebody else has done some level of authentication of people at your peers.

peering is a whole-nuther-land ... customer prefix attestation/adjudication is where the real rubber hits the road (for me at least).

> In other words, there are lots of reasonable ways to solve this problem without having to put the complexity and load of crypto on your routers.

correct, here we agree... We may be a minority, but :)

-Chris
Re: IP Block 99/8 (DHS insanity - offtopic)
On Tue, 24 Apr 2007, Sean Donelan wrote:

> On Mon, 23 Apr 2007, Chris L. Morrow wrote:
>
>> I think the strawman proposals so far were something like:
>> 1) iana has 'root' ca-cert
>> 2) iana signs down certs for RIR's
>> 3) RIR's sign down certs for LIR's
>> 4) LIR's sign down certs for 'users' (where 'users' is probably address-space users, like corporations or end-sites)
>>
>> This seemed not-too-insane, and would give ISP/operator type folks the ability to easily and quickly verify that: 157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1 with some level of authority... It's nothing really more than that.
>
> You can do online or offline verification of a trust chain. RSA, certs, etc are just the math. But the math doesn't change the trust. If the LIR/RIR directories are poorly maintained, their signatures aren't going to be any better.

yes, but:
1) there is no discussion of certs+bgp
2) they need to cleanup/tightenup anyway, adding some helpful (to operators) bits is a nice thing, yes?

> The problem in your trust chain above is the LIR's don't actually verify much about the 'users'; and it's very easy to spoof the LIRs (i.e. I forgot my password) to change their directory information. And the same thing will probably be true when you ask LIRs to sign things. I lost my RSA cert, please sign a new one for me.

Is it really that easy? I recall a few people having LOTS of trouble getting their address block information changed so it was once again usable... I know we had some headaches getting our information switched around to reflect corporate changes.

> An online chain of RWHOIS delegations or an offline chain of RSA certificates (which you will still need an online CRL check), doesn't change the problems in the LIRs (or even RIRs or IANA). A lot of math won't make the answer more authoritative.

yes, but the math makes, hopefully, the checking simpler... and it's a better system than exists today at many places where 'if you put yer object in the IRR we'll accept it!' (see ConEd incident of 2 years back for one example). Without any programmatic checking of this data the only thing accomplished with use of an IRR is to increase the speed with which you can change prefix-list data :( there is no check for accuracy nor authority.

-Chris
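The four-step strawman in Chris's post above (IANA signs down to RIRs, RIRs to LIRs, LIRs to end-sites) and the "programmatic way to see who really holds the space" asked for in the earlier BGP-certificate post both come down to the same check: walk a chain of signed allocation statements from a trusted root and make sure each sub-allocation is signed by the holder of a covering block. The code below is an added illustration written for this archive page; it is not code from any poster on the thread nor from the sBGP/soBGP or RIR presentations. It stands in Ed25519 for the X.509/RSA material those presentations describe, the org-ids RIR-EXAMPLE and LIR-EXAMPLE and the /8 and /14 allocations are constructed, and 157.242.0.0/16, LMU-1 and 209.173.48.0/20 are the values quoted in the thread. Revocation (the CRL check Sean mentions) is deliberately not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
)

// Attestation is one link of the IANA -> RIR -> LIR -> end-site chain: the
// signer (holder of a covering block) states that Holder now holds Prefix and
// will sign its own sub-allocations with HolderKey. Simplified stand-in for
// the X.509 material in the presentations (example construct, not a standard).
type Attestation struct {
	Prefix    string            // CIDR text, e.g. "157.242.0.0/16"
	Holder    string            // org-id of the new holder, e.g. "LMU-1"
	HolderKey ed25519.PublicKey // key the holder uses for further sign-downs
	Signature []byte            // parent's Ed25519 signature over message()
}

// message is the byte string that gets signed. Each field is length-prefixed
// so different (prefix, holder, key) triples can never serialise identically.
func message(prefix, holder string, key ed25519.PublicKey) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte(prefix), []byte(holder), []byte(key)} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		out = append(out, l[:]...)
		out = append(out, f...)
	}
	return out
}

// Sign lets the parent (signer) issue an attestation for a sub-allocation.
func Sign(signer ed25519.PrivateKey, prefix, holder string, holderKey ed25519.PublicKey) Attestation {
	return Attestation{prefix, holder, holderKey, ed25519.Sign(signer, message(prefix, holder, holderKey))}
}

// covers reports whether child lies entirely inside parent.
func covers(parent, child *net.IPNet) bool {
	pOnes, pBits := parent.Mask.Size()
	cOnes, cBits := child.Mask.Size()
	return pBits == cBits && cOnes >= pOnes && parent.Contains(child.IP)
}

// VerifyChain walks the chain from the trusted root key and returns the org-id
// the chain says holds want (exactly or as a covering block). Every link must
// carry a valid signature from the previous link's key and be contained in the
// previous link's prefix; the root is taken to cover all of IPv4.
func VerifyChain(root ed25519.PublicKey, chain []Attestation, want string) (string, error) {
	_, wantNet, err := net.ParseCIDR(want)
	if err != nil {
		return "", err
	}
	signer, holder := root, ""
	_, cur, _ := net.ParseCIDR("0.0.0.0/0")
	for i, a := range chain {
		if !ed25519.Verify(signer, message(a.Prefix, a.Holder, a.HolderKey), a.Signature) {
			return "", fmt.Errorf("link %d (%s): signature does not verify", i, a.Prefix)
		}
		_, next, err := net.ParseCIDR(a.Prefix)
		if err != nil {
			return "", fmt.Errorf("link %d: %v", i, err)
		}
		if !covers(cur, next) {
			return "", fmt.Errorf("link %d: %s is not inside parent block %s", i, a.Prefix, cur)
		}
		signer, cur, holder = a.HolderKey, next, a.Holder
	}
	if !covers(cur, wantNet) {
		return "", fmt.Errorf("chain ends at %s, which does not cover %s", cur, want)
	}
	return holder, nil
}

// BuildSampleChain creates fresh keys and a constructed three-link chain and
// also hands back the LIR's private key so a caller can try a bogus sign-down.
// RIR-EXAMPLE, LIR-EXAMPLE, the /8 and the /14 are made up for this example.
func BuildSampleChain() (ed25519.PublicKey, []Attestation, ed25519.PrivateKey) {
	gen := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		return pub, priv
	}
	ianaPub, ianaPriv := gen()
	rirPub, rirPriv := gen()
	lirPub, lirPriv := gen()
	sitePub, _ := gen()
	chain := []Attestation{
		Sign(ianaPriv, "157.0.0.0/8", "RIR-EXAMPLE", rirPub),
		Sign(rirPriv, "157.240.0.0/14", "LIR-EXAMPLE", lirPub),
		Sign(lirPriv, "157.242.0.0/16", "LMU-1", sitePub),
	}
	return ianaPub, chain, lirPriv
}

func main() {
	root, chain, lirPriv := BuildSampleChain()
	fmt.Println(VerifyChain(root, chain, "157.242.0.0/16")) // LMU-1 <nil>
	// The LIR attests space it was never allocated: the containment check fails.
	bogus := append(chain[:2:2], Sign(lirPriv, "209.173.48.0/20", "LMU-1", chain[2].HolderKey))
	fmt.Println(VerifyChain(root, bogus, "209.173.48.0/20"))
}
```

The point of the containment check is the one Sean raises about trust: a signature only proves that some key signed something, so the verifier must also insist that the signer held a block covering what it signed, all the way back to the root it trusts. A compromised or careless LIR can still issue bogus statements inside its own allocation, which is why the directory data behind the keys still has to be clean.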
Re: IP Block 99/8 (DHS insanity - offtopic)
On Tue, 24 Apr 2007 12:34:25 BST, [EMAIL PROTECTED] said:

> Did that. The first three are from J. Oquendo, Valdis Kletnieks and

Hey - I stayed out of the signed-BGP and signed-DNS lunacy. The only thing *I* commented on was the reported leakage of 10 to 20 terabytes of data. And I think we can all agree that filters and firewalls that leak terabytes of data qualify as operational (the topic, not the filters).

(I'm going to ignore the alternate interpretation, that Chinese downloaded that much *open* data from NIPRNet, along with multiple (unreported) terabytes of open data from Akamai, CNN, Apple's iTunes, and hundreds of other similar data sources. After all, conflating secure and open data like that in order to create an issue would be just wrong.. :)
from the academic side of the house
For the first set of IPv6 records, a team from the University of Tokyo, WIDE Project, NTT Communications, JGN2, SURFnet, CANARIE, Pacific Northwest Gigapop and other institutions collaborated to create a network path over 30,000 kilometers in distance, crossing 6 international networks - over 3/4 the circumference of the Earth. In doing so, the team successfully transferred data in the single and multi-stream categories at a rate of 7.67 Gbps which is equal to 230,100 terabit-meters per second (Tb-m/s). This record setting attempt leveraged standard TCP to achieve the new mark.

The next day, the team used a modified version of TCP to achieve an even greater record. Using the same 30,000 km path, the network was able to achieve a throughput of 9.08 Gbps which is equal to 272,400 Tb-m/s for both the IPv6 multi and single stream categories. In doing so, the team surpassed the current IPv4 records, proving that IPv6 networks are able to provide the same, if not better, performance as IPv4.

--bill
Re: from the academic side of the house
On Tue, Apr 24, 2007, [EMAIL PROTECTED] wrote:

> The next day, the team used a modified version of TCP to achieve an even greater record. Using the same 30,000 km path, the network was able to achieve a throughput of 9.08 Gbps which is equal to 272,400 Tb-m/s for both the IPv6 multi and single stream categories. In doing so, the team surpassed the current IPv4 records, proving that IPv6 networks are able to provide the same, if not better, performance as IPv4.

As one of the poor bastards still involved in rolling out VoIP over satellite delivered IP at the moment, I can safely say I'm (currently) happy no one's trying to push H.323 over IPv6 over these small-sized satellite links. Lord knows we have enough trouble getting concurrent calls through 20 + 20 + byte overheads when the voice payload's -20- bytes.

(That said, I'd be so much happier if the current trend 'ere wasn't to -avoid- delivering serial ports for the satellite service so we can run VoFR or PPP w/header compression - instead being presented IP connectivity only at either end, but you can't have everything..)

Adrian
Re: from the academic side of the house
Adrian Chadd wrote:

> On Tue, Apr 24, 2007, [EMAIL PROTECTED] wrote:
>
>> The next day, the team used a modified version of TCP to achieve an even greater record. Using the same 30,000 km path, the network was able to achieve a throughput of 9.08 Gbps which is equal to 272,400 Tb-m/s for both the IPv6 multi and single stream categories. In doing so, the team surpassed the current IPv4 records, proving that IPv6 networks are able to provide the same, if not better, performance as IPv4.
>
> As one of the poor bastards still involved in rolling out VoIP over satellite delivered IP at the moment, I can safely say I'm (currently) happy no one's trying to push H.323 over IPv6 over these small-sized satellite links. Lord knows we have enough trouble getting concurrent calls through 20 + 20 + byte overheads when the voice payload's -20- bytes.
>
> (That said, I'd be so much happier if the current trend 'ere wasn't to -avoid- delivering serial ports for the satellite service so we can run VoFR or PPP w/header compression - instead being presented IP connectivity only at either end, but you can't have everything..)
>
> Adrian

Does anybody have any working v6 header suppression/compression working yet? When I was doing VoIP over VSAT people kept trying to give me modems with Ethernet on them, not good for doing any header compression.

--
Leigh
Re: from the academic side of the house
[EMAIL PROTECTED] writes:

> The next day, the team used a modified version of TCP to achieve an even greater record. Using the same 30,000 km path, the network was able to achieve a throughput of 9.08 Gbps which is equal to 272,400 Tb-m/s for both the IPv6 multi and single stream categories. In doing so, the team surpassed the current IPv4 records, proving that IPv6 networks are able to provide the same, if not better, performance as IPv4.

Good job. Two questions, though:

(1) Do the throughput figures count only the data payload (i.e., anything above the TCP layer), or all the bits from the protocol stack? If the latter, it seems a little unreasonable to credit IPv6 with its own extra overhead -- though I'll concede that with jumbo datagrams, that's not all that much.

(2) Getting this kind of throughput seems to depend on a fast physical layer, plus some link-layer help (jumbo packets), plus careful TCP tuning to deal with the large bandwidth-delay product. The IP layer sits between the second and third of those three items. Is there something about IPv6 vs. IPv4 that specifically improves performance on this kind of test? If so, what is it?

Jim Shankland
Re: from the academic side of the house
Jim Shankland wrote:

> [EMAIL PROTECTED] writes:
>
>> The next day, the team used a modified version of TCP to achieve an even greater record. Using the same 30,000 km path, the network was able to achieve a throughput of 9.08 Gbps which is equal to 272,400 Tb-m/s for both the IPv6 multi and single stream categories. In doing so, the team surpassed the current IPv4 records, proving that IPv6 networks are able to provide the same, if not better, performance as IPv4.
>
> Good job. Two questions, though:
>
> (1) Do the throughput figures count only the data payload (i.e., anything above the TCP layer), or all the bits from the protocol stack? If the latter, it seems a little unreasonable to credit IPv6 with its own extra overhead -- though I'll concede that with jumbo datagrams, that's not all that much.
>
> (2) Getting this kind of throughput seems to depend on a fast physical layer, plus some link-layer help (jumbo packets), plus careful TCP tuning to deal with the large bandwidth-delay product. The IP layer sits between the second and third of those three items. Is there something about IPv6 vs. IPv4 that specifically improves performance on this kind of test? If so, what is it?
>
> Jim Shankland

Also, it's a modified TCP not just tuned. I wonder how modified it is? Will it talk to an un-modified TCP stack (whatever that really is) ?

--
Leigh Porter
Re: IP Block 99/8 (DHS insanity - offtopic)
-Marcus H. Sachs wrote:
Mr. Oquendo (I presume Mr. but if it's Ms. please accept my apologies...), it appears that there is little common ground between you and me. So, rather than stringing this out for the next several days and boring everybody else to tears, I will say thanks for the chat and I look forward to continuing this in person over a beer or other libation at some future gathering.
-- ---

[EMAIL PROTECTED] wrote:
: Don't forget to post to the list where you will do this so
: I can come and watch ;-)

Same here. Original challenge; challenge accepted; challenger backs out quickly. I want to see the answers. Not sure about the AUP, but this'd seem to affect all network operators, so if others here agree how about we continue the show here? ;-)

scott
BGP cost community
Hello,

I know Cisco routers have the BGP cost community feature. Could anyone tell me whether Juniper and other router vendors offer the same/similar feature?

Thanks,
Yi