Deploy360 3 May 2016

SEE 5 in Tirana

By Kevin MeynellFormer Senior Manager, Technical and Operational Engagement

IMG_0413The Deploy360 team was in Tirana, Albania last week to attend the SEE 5 meeting. This the annual RIPE Regional Meeting for South-East Europe which aims to encourage the cooperation of network operators in the region, as well as present the latest Internet developments to interested parties who are not always able to attend the main RIPE meetings. The meeting was hosted by RASH, the Albanian National Research and Education Network, and sponsored by the Internet Society and ABCom.

With the Chair of the Programme Committee being Deploy360’s own Jan Žorž, it was a good opportunity to focus on some of the key Deploy360 technologies, ably supported by Maarit Palovirta from ISOC’s European Regional Bureau who covered IXP developments.

One of the highlights was the presentation from Gunter Van der Velde (Nokia) on IPv6 Community Wi-Fi which advocates the use of unique IPv6 prefixes for hosts. A community Wi-Fi service allows hosts to connect to a shared network providing Internet and/or other services, and in a typical network they’d acquire unique IPv6 addresses from a common IPv6 prefix through mechanisms such as SLAAC or DHCPv6. However, this can introduce some performance issues related to router and neighbour discovery, as well as security issues with numerous untrusted devices belonging to lots of different customers.

The Internet draft draft-ietf-v6ops-unique-ipv6-prefix-per-host-00 is therefore proposing to allow hosts to be assigned a unique IPv6 prefix (typically a /64) to better support IPv6. This would provide each subscriber with more flexibility to utilise IPv6, whilst ensuring traffic can be directed to a default wireless LAN gateway. In addition, whilst is aimed at a solution for wireless networks, it could also have applicability to any other network where multiple subscribers access a shared media.

Sergey Myasoedov (NetArt Group) provided some interesting statistics on DNSSEC deployment. More than 110 ccTLDs were currently DNSSEC signed, including Bulgaria (.bg), Croatia (.hr), Greece (.gr), Montenegro (.me) and Slovenia (.si) in the South-East Europe region. This leaves Albania (.al), Macedonia (.mk), Romania (.ro) and Serbia (.rs)  still to implement DNSSEC.

SEE 5 Closing Session

Of the gTLDs, there were around 600k DNSSEC enabled domains in .com, representing about 0.6% of the total. This percentage was similar for .net and slightly less for .org at 0.5%, although for some of new gTLDs the situation was significantly better. However, a higher penetration rate was observed in the smaller gTLDs with nearly 47% of domains being DNSSEC enabled under .ovh (a French telecoms business), 25% under .amsterdam, and 11% under .webcam.

A potential driver for DNSSEC is of course DANE and the ability to publish digital certificates in the DNS. Jan therefore reprised his experiences of implementing DANE it in the go6lab, which has previously been covered in the Deploy360 blog, but hopefully reaching a new audience and encouraging them to deploy it.
It’s also worth checking out the presentation from Paul Neumann (Tirana Metropolitan University) on Low-Intensity DoS attack on BGP Infrastructure. These are a new trend in cyberattacks as they’re difficult to distinguish from regular traffic and therefore can avoid triggering traditional countermeasures. Nevertheless, they use protocols such as HTTP, SMTP and DNS to periodically flood a host with useless packets, often close to the time-out of an open session in order to keep it alive. This can prevent the anomalous traffic from being detected, but gradually overloads server and router buffers as well as exploiting vulnerabilities in TCP stacks.

The analysis that was undertaken suggests that a number of participating or comprised hosts are required, and that attacks generally require misconfiguration of network devices to succeed, although the default configuration of some routers proved to be susceptible in some cases. It does though demonstrate the importance of developing and adopting best practices for configuring routers and servers.

Jan on stage

If you’re interested in how to set-up and run an Internet Exchange Point (IXP), then it’s worth checking out the presentation from Goran Slavić (SOX) on the Serbian Open eXchange. Aleaxander Isavnin (The Open Net) also offered some interesting statistics on country connectivity in South-East Europe, with Christian Teuschel (RIPE NCC) supporting this with measurement data on Internet resource usage, routing and DNS queries in the region.

The final presentation worth highlighting was the nice overview of the IETF provided by Matthijs Mekking (Dyn), who also related his personal experiences of involvement.

The number of participants was an impressive 136 from 19 countries including 88 from Albania, demonstrating the importance of having these sorts of regional forums for discussing new technologies and deployment issues.

 

 

 

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...