20140618 - First keynote · 2015-06-22 · Collaborative Security Reflections about Security and...
www.internetsociety.org
Collaborative Security: Reflections about Security and the Open Internet
27th Annual FIRST Conference, June 18, 2015
Collaborative Security | 18 June 2015
http://www.internetsociety.org/get-involved/individuals
Independent source of leadership for Internet policy, technology standards, and future development
Mission: To promote the open development, evolution, and use of the Internet for the benefit of all people throughout the world.
Founded in 1992 by Internet Pioneers
Global and Inclusive
Independent and Not-for-Profit
Organizational home for the IETF
The Open Internet: What was that about again?
Global Reach & Integrity
http://www.internetsociety.org/internet-invariants-what-really-matters
General Purpose
Permissionless Innovation
Accessible
Interoperability & mutual agreement
Collaboration
Interoperable Building Blocks
No Permanent Favorites
Security, stupid
Open Platform: Open for attack and intrusion
Permissionless innovation: Malware development & deployment
Global Reach: Attacks and crime are cross-border
Voluntary collaboration: Hard to mandate
Fostering Confidence and Protecting Opportunities
Collective Responsibility
Evolution and Consensus
Fundamental Properties and Values
Think Globally Act Locally
Where the rubber meets the road.
OARC
Ops-t
Researchers
Development
OPS
Devops
SDOs
Orgs
NSP Security
STIX
TAXII
Examples of Standardization
One goal of the workshop is to improve mutual awareness of the participating organizations, to understand their roles, and improve communication between them. A key outcome of the workshop is to provide greater awareness of existing efforts to mitigate specific types of attacks and greater understanding of the options others have to collaborate and engage with these efforts. Another goal is to improve end user experience through stronger coordination between the security, operations, and research communities.
CARIS Workshop
DOTS
MILE (IODEF v2)
RID, ROLIE
SACM
XMPP-Grid
Telemetry: IPFIX
RDAP
RESTful queries, RFC 7480-7485
Query and response are standardized, structured and parseable: JSON responses
"Registry Operator shall implement a new standard supporting access to domain name registration data (SAC 051) no later than one hundred thirty-five (135) days after it is requested by ICANN if: 1) the IETF produces a standard (i.e., it is published, at least, as a Proposed Standard RFC as specified in RFC 2026); and 2) its implementation is commercially reasonable in the context of the overall operation of the registry."
{ "handle" : "2001:0DC0:2000::/35", "startAddress" : "2001:dc0:2000::", "endAddress" : "2001:dc0:3fff:ffff:ffff:ffff:ffff:ffff", "ipVersion" : "v6", "name" : "APNIC-AP-V6-BNE", "type" : "ASSIGNED PORTABLE", "country" : "AU", "parentHandle" : "2001:0DC0::/32", "objectClassName" : "ip network", "entities" : [ { "handle" : "DNS3-AP", "vcardArray" : [ "vcard", [ [ "version", { }, "text", "4.0" ], [ "fn", { }, "text", "DNS Administration" ], [ "kind", { }, "text", "group" ], [ "adr", { "label" : "6 Cordelia Street\\nSouth Brisbane\\nQLD 4101" }, "text", [ "", "", "", "", "", "", "" ] ], [ "tel", { "type" : "voice" }, "text", "+61 7 3367 0490" ], [ "tel", { "type" : "fax" }, "text", "+61 7 3367 0482" ], [ "email", { }, "text", "[email protected]" ] ] ], "roles" : [ "administrative" ], "objectClassName" : "entity", "remarks" : [ { "title" : "remarks", "description" : [ "DNS in-addr.arpa zone files maintainer" ] } ], "links" : [ { "value" : "http://rdap.apnic.net/ip/2001:dc0:2000::/35", "rel" : "self", "href" : "http://rdap.apnic.net/entity/DNS3-AP", "type" : "application/rdap+json" } ] }, { "handle" : "IRT-APNIC-AP", "vcardArray" : [ "vcard", [ [ "version", { }, "text", "4.0" ], [ "fn", { }, "text", "IRT-APNIC-AP" ], [ "kind", { }, "text", "group" ], [ "email", { "pref" : "1" }, "text", "[email protected]" ], [ "adr", { "label" : "Brisbane, Australia" }, "text", [ "", "", "", "", "", "", "" ] ], [ "email", { }, "text", "[email protected]" ] ] ], "roles" : [ "abuse" ], "objectClassName" : "entity", "remarks" : [ { "title" : "remarks", "description" : [ "APNIC is a Regional Internet Registry.", "We do not operate the referring network and", "is unable to investigate complaints of network abuse.", "For more information, see www.apnic.net/irt" ] } ], "links" : [ { "value" : "http://rdap.apnic.net/ip/2001:dc0:2000::/35", "rel" : "self", "href" : "http://rdap.apnic.net/entity/IRT-APNIC-AP", "type" : "application/rdap+json" } ]
RDAP
Top-Level Domains (TLDs), Autonomous System (AS) numbers, and network blocks are delegated by IANA to Internet registries such as TLD registries and Regional Internet Registries (RIRs) that then issue further delegations and maintain information about them. Thus, the bootstrap information needed by RDAP clients is best generated from data and processes already maintained by IANA; the relevant registries already exist at [ipv4reg], [ipv6reg], [asreg], and [domainreg].
How to find these services?
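How an RDAP client answers that question in practice, as an added example that is not code from the keynote or from any RIR: a longest-prefix lookup over a constructed bootstrap document in the RFC 7484 layout, the RESTful /ip/ query URL that results, and extraction of the abuse-role contact from a response shaped like the APNIC object above. Everything except the APNIC base URL is an assumption: the other bootstrap entries, the e-mail addresses, and the IANA file location.

```python
import ipaddress
# Constructed bootstrap data in the RFC 7484 layout, a stand-in for the IANA file
# (assumed at https://data.iana.org/rdap/ipv6.json); only the APNIC URL is from the slides.
BOOTSTRAP_V6 = {
    "version": "1.0", "publication": "2015-06-18T00:00:00Z",
    "services": [
        [["2001:dc0::/32"], ["http://rdap.apnic.net/"]],
        [["2001:c00::/23"], ["https://rdap.example-rir.net/"]],
        [["2a00::/12"], ["https://rdap.example-ripe.net/"]],
    ],
}

# Constructed RDAP response modelled on the APNIC 'ip network' object (placeholder e-mails).
SAMPLE_RESPONSE = {
    "handle": "2001:0DC0:2000::/35", "objectClassName": "ip network",
    "entities": [
        {"handle": "DNS3-AP", "roles": ["administrative"],
         "vcardArray": ["vcard", [["email", {}, "text", "dns-admin@example.net"]]]},
        {"handle": "IRT-APNIC-AP", "roles": ["abuse"],
         "vcardArray": ["vcard", [["email", {"pref": "1"}, "text", "abuse@example.net"],
                                  ["email", {}, "text", "irt@example.net"]]]},
    ],
}

def find_rdap_server(query, bootstrap):
    """Longest-prefix match against the 'services' array; returns a base URL or None."""
    net = ipaddress.ip_network(query, strict=False)
    best = None
    for prefixes, urls in bootstrap["services"]:
        for p in prefixes:
            cand = ipaddress.ip_network(p)
            # same address family, query inside candidate, and more specific than the best so far
            if (cand.version == net.version and net.subnet_of(cand)
                    and (best is None or cand.prefixlen > best[0].prefixlen)):
                best = (cand, urls[0])  # first listed URL is the preferred one
    return best[1] if best else None

def query_url(query, bootstrap):
    """RESTful lookup URL using the /ip/<address-or-prefix> path (RFC 7482), or None."""
    base = find_rdap_server(query, bootstrap)
    return None if base is None else base.rstrip("/") + "/ip/" + query

def abuse_contacts(rdap_obj):
    """E-mails of entities with the 'abuse' role; jCard (RFC 7095) props are [name, params, type, value]."""
    out = []
    for ent in rdap_obj.get("entities", []):
        if "abuse" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "email":
                    out.append(prop[3])
    return out
```

For the network in the slide, query_url("2001:dc0:2000::/35", BOOTSTRAP_V6) reproduces the self link shown in the response, http://rdap.apnic.net/ip/2001:dc0:2000::/35.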
Governance of the Internet
Governance in an Internet connected world
This is not a representation of the proposal, just a mental model
http://www.internetsociety.org/who-makes-internet-work-internet-ecosystem
RIPE CRISP Team Members, 12 May 2015
Overview of the process
AFRINIC
LACNIC
ICG
NTIA
CWG
IETF
ARIN
RIPE CRISP
APNIC
Dec 2014 / Jan 2015 / June 2015
[NAMES]
RIPE 70
CRISP team report (numbers centric)
IANACG.ORG
Mutually Agreed Norms for Routing Security (MANRS)
Stimulate visible improvements in security and resilience of Internet Routing by changing towards a culture of collective responsibility
Common problems to be addressed:
incorrect routing information
traffic with spoofed source IP addresses
coordination and collaboration between network operators
Principles
1. The organization (ISP/network operator) recognizes the interdependent nature of the global routing system and its own role in contributing to a secure and resilient Internet.
2. The organization integrates best current practices related to routing security and resilience in its network management processes in line with the Actions.
3. The organization is committed to preventing, detecting and mitigating routing incidents through collaboration and coordination with peers and other ISPs in line with the Actions.
4. The organization encourages its customers and peers to adopt these Principles and Actions.
Actions
Action 1: Prevent propagation of incorrect routing information.
Action 2: Prevent traffic with spoofed source IP addresses.
Action 3: Facilitate global operational communication and coordination between network operators.
Action 4 (Advanced): Facilitate validation of routing information on a global scale.
http://www.routingmanifesto.org/ or http://manrs.org/
Please have this conversation with your stakeholders
Contact [email protected]
www.internetsociety.org
Olaf M. Kolkman, Chief Internet Technology Officer
[email protected], twitter: @kolkman