Deploy360 2 August 2016

ION Hangzhou: IoT & Collaborative Security

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

Our second ION Conference of the year was held on 14 July 2016 in Hangzhou, China. As well as being the first time an ION has been held in the country, it also saw our highest ever attendance of around 200 participants. The event was hosted by CNNIC and sponsored by Afilias, and was co-located with the IP Alliance Conference which was held the following day.

The conference was chaired by Megan Kruse from the Deploy360 team, who kicked off proceedings with a short overview of the Deploy360 programme. It was then straight into the excellent keynote on the Internet-of-Things provided by Ram Mohan, Afilias.

The Internet-of-Things is oft discussed but seldom well defined, but can perhaps be identified as extending network connectivity to objects, devices and sensors that are not ordinarily considered to be computers. This represents a paradigm shift with respect to an exponential increase in the number of devices, but also brings significant security and privacy challenges. Many devices will require minimal human interaction, yet will interact with remote data collection, data analysis and management services.

It stands to reason that IPv6 is essential in order to ensure sufficient addresses for the sheer number of connected devices, but it’s also necessary to consider that many of these devices will be low cost, utilise proprietary technologies, and as a result have built-in obsolescence. This means it could be difficult to update these devices in future, which substantially increases the risk of them being compromised. This is not just an issue for the users of these devices, but one for the industry as a whole as vast numbers of compromised devices could seriously impact the rest of the Internet.

A recent survey by TRUSTe also suggests that 42% of consumers are more worried about their online privacy than a year ago, so vendors will need to implement technologies such as DNSSEC to provide reassurances about systems being connected, as well as TLS to ensure transmitted data remains confidential. Internet technologies develop more quickly than government policy makers can regulate them, so it’s important that the industry itself promotes standardised protocols, adopts a shared commitment to security and privacy, and allows users to take control of their own data.

This discussion was continued during the panel session on establishing trust in the Internet-of-Things. The panel was moderated by ISOC’s Chief Internet Technology Officer Olaf Kolkman, and involved Ram, Xing Tao from the Zuxi Research Institute, Zhang Xuguang from the Zhejiang Insigma Technology Co. Ltd, and Honbo Zhou from UbiLink, who discussed the role of trust in creating globally interoperable IoT services.

Later in the conference, Olaf expanded on the theme of collaborative security in the context of the wider Internet. We usually think of the Internet as a complex network of networks, each operated by autonomous operators whose services are only loosely coupled to a best efforts service. However, the security and resilience of the Internet not only depends on how well risks to your own assets are managed, but also on the management of risk you present to the Internet ecosystem. This is the notion of collective and shared risk management that is aligned with the “public interest” nature of the Internet.

Kevin Meynell of the Deploy360 team followed this up with a presentation on the MANRS initiative and Routing Resilience Manifesto, with Suogong Li relating the experiences of CERNET, the Chinese Research and Education Network, which had already signed up to this. MANRS aims to help network operators around the world to improve the security and resilience of the global routing system through four actions that include filtering, anti-spoofing, coordination and address prefix validation. Following the conference, several other local network operators expressed interest in signing up.

Another aspect of collaborative security is the use of Resource Public Key Infrastructure (RPKI), which was presented by Zhiwei Yan from CNNIC. The Border Gateway Protocol (BGP) is critical to Internet routing, but is currently susceptible to hijacking attacks, which is why RPKI is needed to provide cryptographic attestations about route advertisements. This establishes a hierarchy of trust using an X.509-based Public Key Infrastructure that allows a network operator to establish whether another is authorised to use the IP address prefixes being advertised in its routing updates. The five Regional Internet Registries have rolled out RPKI, which is beginning to be adopted around the world. CNNIC has also published two white papers making the case for RPKI and BGPSEC, and has recently started an RPKI pilot within China.
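
The origin check that RPKI makes possible, shown here as an added example (not material from the talk or from CNNIC): route origin validation in the style of RFC 6811, run against a constructed set of ROA payloads. The prefixes and AS numbers are documentation values, and verification of the X.509 certificate chain is assumed to have been done already by a relying-party validator.

```python
import ipaddress
from typing import NamedTuple


class Roa(NamedTuple):
    prefix: str      # address block the holder has authorised
    max_length: int  # longest more-specific prefix that may be announced
    asn: int         # AS authorised to originate the prefix


# Constructed sample data (documentation prefixes and ASNs) standing in for
# validated ROA payloads obtained after the certificate chain has been checked.
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64497),
]


def validate_origin(prefix, origin_asn, roas=SAMPLE_ROAS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA is relevant only if it covers the announced prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match requires the authorised origin AND a prefix no longer
        # than the ROA's maximum length.
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but unmatched means wrong origin or too specific a prefix;
    # no covering ROA at all means RPKI has nothing to say about the route.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                     ("2001:db8:1:2::/64", 64497), ("203.0.113.0/24", 64496)]:
        print(f"{pfx:20} AS{asn}: {validate_origin(pfx, asn)}")
```

The "not-found" state is why partial RPKI deployment limits protection: an operator can only reject announcements for address space whose holder has published a ROA.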

One of the major themes of any ION conference is IPv6, and Guangliang Pan from APNIC provided an in-depth overview of IPv6 adoption in the Asia-Pacific region. This was lagging in the Asia-Pacific both in terms of Local Internet Registries (LIRs) that had obtained IPv6 addresses (48% in the Asia-Pacific compared with 85% in Latin America and 76% in Europe) and in terms of actual usage according to various indicators. In fact, just 0.51% of Internet traffic in China was IPv6 and this was a concern given Internet growth in the region and the lack of availability of IPv4 addresses (APNIC has just 51% left of its final /8). China actually had more IPv4 addresses per LIR on average, and indeed significantly more IPv6 addresses compared to IPv4 ones, but the issue was limited deployment of these. Guangliang’s message was therefore to start planning for the transition to IPv6 by applying for addresses from CNNIC, sending technical staff to IPv6 training, and looking into how to provide IPv6 services to customers.

This theme continued during the panel session on IPv6 success stories that was moderated by Kevin, with participation from Professor Xing Li from CERNET, Lu Huang from China Mobile Research Institute, Amante Alvaran from Brocade and Tomohiro Fujisaki from NTT Laboratories. Professor Li talked about the experiences at CERNET, which was the first network operator to deploy IPv6 in China, Amante discussed the experiences of deploying an IPv6-only Internet Exchange in the Philippines, whilst Tomohiro focussed on how IPv6 was being rolled out in the home. However, Lu made the important point that China was currently needing to use multiple layers of Network Address Translation in order to accommodate demand with IPv4. This was not only causing severe performance and management issues, but the increase in mobile networks meant there were insufficient IPv4 addresses even using NAT.

The other important technology promoted at ION conferences is the security of the DNS, and the case for implementing DNSSEC was made by Champika Wijayatunga from ICANN. He outlined the risks and threats inherent with the existing DNS such as cache poisoning and query interception, and how DNSSEC utilises cryptographic principles to establish the legitimacy and trustworthiness of data retrieved from the DNS. DNSSEC is the biggest security upgrade to the Internet in 20 years, and represents a key differentiator in improving cybersecurity. However, whilst over 85% of Top-Level Domains (including .cn) are now DNSSEC signed, this drops to around 5% for Second-Level Domains.

Part of the reason for this is a lack of support from DNS registrars who see no demand for it, but equally customers are unable to implement it without support from their registrar. Whilst implementing DNSSEC takes some technical knowledge, this should be well within the capabilities of most enterprise IT departments, and many of the former reasons for not deploying DNSSEC have long since been resolved.

Qi Zhao from CNNIC then provided a case study of how DNSSEC was deployed in the .cn domain, sharing information on technical set-up and configurations for those interested in using it in their enterprises.

Olaf and Ning Kong from CNNIC also provided an overview of what was happening at the IETF and how to get involved. There were 1,002 participants from 55 countries onsite at the last IETF in Buenos Aires, and China was well represented. Nevertheless, the local community was encouraged to check out the opportunities offered by the Internet Society’s IETF Fellows and Regulators to the IETF programmes.

The conference was rounded off with a presentation by Zihua Yang on Alibaba’s next generation network. Alibaba was founded in Hangzhou and is one of the largest e-commerce enterprises in the world.

The Internet Society and Deploy360 team would like to thank CNNIC and their staff for helping us organise an extremely successful and productive conference. We would also like to thank our sponsor Afilias for supporting the ION series of conferences.

Further Information

The proceedings from ION Hangzhou are available here.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
