www.internetsociety.org Collaborative Security Reflections about Security and the Open Internet 27th Annual First Conference June 18, 2015

20140618 - First keynote · 2015-06-22 · Collaborative Security Reflections about Security and the Open Internet 27th Annual First Conference June 18, 2015


Page 1:

www.internetsociety.org

Collaborative Security: Reflections about Security and the Open Internet

27th Annual First Conference June 18, 2015

Page 2:

Collaborative Security | 18 June 2015

http://www.internetsociety.org/get-involved/individuals


Independent source of leadership for Internet policy, technology standards, and future development

Mission: To promote the open development, evolution, and use of the Internet for the benefit of all people throughout the world.

Founded in 1992 by Internet Pioneers

Global and Inclusive

Independent and Not-for-Profit

Organizational home for the IETF

Page 3:

The Open Internet: What was that about again?

Page 4:

Page 5:

Page 6:

Internet invariants (http://www.internetsociety.org/internet-invariants-what-really-matters):

Global Reach & Integrity

General Purpose

Permissionless Innovation

Accessible

Interoperability & mutual agreement

Collaboration

Interoperable Building Blocks

No Permanent Favorites

Page 7:

Security, stupid

Page 8:

Open Platform: open for attack and intrusion

Permissionless innovation: malware development & deployment

Global Reach: attacks and crime are cross-border

Voluntary collaboration: hard to mandate

Page 9:

Page 10:

Page 11:

Fostering Confidence and Protecting Opportunities

Collective Responsibility

Fundamental Properties and Values

Evolution and Consensus

Think Globally, Act Locally

Page 12:

Where the rubber meets the road.

Page 13:

Communities where collaboration happens: OARC, Ops-t, NSP Security, Researchers, Development, OPS, Devops, SDOs, Orgs

Page 14:

Examples of Standardization

STIX / TAXII

DOTS

MILE: IODEFv2, RID, ROLIE

SACM

XMPP-Grid

Telemetry: IPFIX

CARIS Workshop: One goal of the workshop is to improve mutual awareness of the participating organizations, to understand their roles, and improve communication between them. A key outcome of the workshop is to provide greater awareness of existing efforts to mitigate specific types of attacks and greater understanding of the options others have to collaborate and engage with these efforts. Another goal is to improve end user experience through stronger coordination between the security, operations, and research communities.

Page 15:


RDAP: RESTful queries (RFC 7480-7485)

Query and response are standardized: structured and parseable JSON responses.

"Registry Operator shall implement a new standard supporting access to domain name registration data (SAC 051) no later than one hundred thirty-five (135) days after it is requested by ICANN if: 1) the IETF produces a standard (i.e., it is published, at least, as a Proposed Standard RFC as specified in RFC 2026); and 2) its implementation is commercially reasonable in the context of the overall operation of the registry."

Page 16:

Sample RDAP response for an IPv6 network object (as shown on the slide; the e-mail addresses are redacted there):

{
  "handle" : "2001:0DC0:2000::/35",
  "startAddress" : "2001:dc0:2000::",
  "endAddress" : "2001:dc0:3fff:ffff:ffff:ffff:ffff:ffff",
  "ipVersion" : "v6",
  "name" : "APNIC-AP-V6-BNE",
  "type" : "ASSIGNED PORTABLE",
  "country" : "AU",
  "parentHandle" : "2001:0DC0::/32",
  "objectClassName" : "ip network",
  "entities" : [
    {
      "handle" : "DNS3-AP",
      "vcardArray" : [ "vcard", [
        [ "version", { }, "text", "4.0" ],
        [ "fn", { }, "text", "DNS Administration" ],
        [ "kind", { }, "text", "group" ],
        [ "adr", { "label" : "6 Cordelia Street\\nSouth Brisbane\\nQLD 4101" }, "text", [ "", "", "", "", "", "", "" ] ],
        [ "tel", { "type" : "voice" }, "text", "+61 7 3367 0490" ],
        [ "tel", { "type" : "fax" }, "text", "+61 7 3367 0482" ],
        [ "email", { }, "text", "[email protected]" ]
      ] ],
      "roles" : [ "administrative" ],
      "objectClassName" : "entity",
      "remarks" : [ { "title" : "remarks", "description" : [ "DNS in-addr.arpa zone files maintainer" ] } ],
      "links" : [ { "value" : "http://rdap.apnic.net/ip/2001:dc0:2000::/35", "rel" : "self", "href" : "http://rdap.apnic.net/entity/DNS3-AP", "type" : "application/rdap+json" } ]
    },
    {
      "handle" : "IRT-APNIC-AP",
      "vcardArray" : [ "vcard", [
        [ "version", { }, "text", "4.0" ],
        [ "fn", { }, "text", "IRT-APNIC-AP" ],
        [ "kind", { }, "text", "group" ],
        [ "email", { "pref" : "1" }, "text", "[email protected]" ],
        [ "adr", { "label" : "Brisbane, Australia" }, "text", [ "", "", "", "", "", "", "" ] ],
        [ "email", { }, "text", "[email protected]" ]
      ] ],
      "roles" : [ "abuse" ],
      "objectClassName" : "entity",
      "remarks" : [ { "title" : "remarks", "description" : [ "APNIC is a Regional Internet Registry.", "We do not operate the referring network and", "is unable to investigate complaints of network abuse.", "For more information, see www.apnic.net/irt" ] } ],
      "links" : [ { "value" : "http://rdap.apnic.net/ip/2001:dc0:2000::/35", "rel" : "self", "href" : "http://rdap.apnic.net/entity/IRT-APNIC-AP", "type" : "application/rdap+json" } ]
    }
  ]
}

RDAP: How to find these services?

Top-Level Domains (TLDs), Autonomous System (AS) numbers, and network blocks are delegated by IANA to Internet registries such as TLD registries and Regional Internet Registries (RIRs) that then issue further delegations and maintain information about them. Thus, the bootstrap information needed by RDAP clients is best generated from data and processes already maintained by IANA; the relevant registries already exist at [ipv4reg], [ipv6reg], [asreg], and [domainreg].
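The two RDAP slides above describe what a client has to do: pick the right server from IANA's bootstrap registry, then pull structured fields out of the JSON answer. The Python below is an added example, not code from the slides or from ISOC, APNIC or IANA. It runs against constructed data: a bootstrap excerpt in the RFC 7484 layout with sample entries (not a copy of the live IANA file) and a trimmed copy of the slide's "ip network" record in which the redacted e-mail addresses are replaced by labelled placeholders. It does the longest-prefix match an RDAP client needs for bootstrapping and then extracts the entity carrying the "abuse" role together with its remarks, which in the sample record warn that the registry does not operate the network in question.

```python
import ipaddress

# Constructed excerpt in the layout of IANA's IPv6 RDAP bootstrap file (RFC 7484):
# each service entry is [ [prefixes...], [base URLs...] ].  These entries are samples
# for the example, not a copy of the live file at https://data.iana.org/rdap/ipv6.json.
BOOTSTRAP_IPV6 = {
    "version": "1.0",
    "services": [
        [["2000::/3"], ["https://rdap.catch-all.invalid/"]],   # constructed catch-all
        [["2001:c00::/23"], ["https://rdap.apnic.net/"]],      # sample entry for the example
    ],
}

# Trimmed copy of the RDAP "ip network" record shown on the slide.  The slide redacts
# the e-mail addresses, so placeholders are used here.
SAMPLE_RESPONSE = {
    "handle": "2001:0DC0:2000::/35",
    "objectClassName": "ip network",
    "entities": [
        {
            "handle": "DNS3-AP",
            "roles": ["administrative"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "DNS Administration"],
                ["email", {}, "text", "dns-placeholder@example.invalid"],
            ]],
        },
        {
            "handle": "IRT-APNIC-AP",
            "roles": ["abuse"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "IRT-APNIC-AP"],
                ["email", {"pref": "1"}, "text", "abuse-placeholder@example.invalid"],
                ["email", {}, "text", "abuse-secondary-placeholder@example.invalid"],
            ]],
            "remarks": [{"title": "remarks", "description": [
                "APNIC is a Regional Internet Registry.",
                "We do not operate the referring network and",
                "is unable to investigate complaints of network abuse.",
            ]}],
        },
    ],
}


def find_rdap_server(bootstrap, address):
    """Longest-prefix match of `address` over the bootstrap services; None if uncovered."""
    addr = ipaddress.ip_address(address)
    best_net, best_urls = None, None
    for prefixes, urls in bootstrap["services"]:
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr.version == net.version and addr in net:
                if best_net is None or net.prefixlen > best_net.prefixlen:
                    best_net, best_urls = net, urls
    return best_urls[0] if best_urls else None


def vcard_value(vcard_array, prop_name):
    """First value of a jCard property (RFC 7095 layout: [name, params, type, value])."""
    for prop in vcard_array[1]:
        if prop[0] == prop_name:
            return prop[3]
    return None


def abuse_contacts(response):
    """Entities carrying the 'abuse' role, with their first e-mail and any registry remarks."""
    found = []
    for entity in response.get("entities", []):
        if "abuse" not in entity.get("roles", []):
            continue
        remarks = [line
                   for remark in entity.get("remarks", [])
                   for line in remark.get("description", [])]
        found.append({
            "handle": entity["handle"],
            "email": vcard_value(entity.get("vcardArray", ["vcard", []]), "email"),
            "remarks": remarks,
        })
    return found


if __name__ == "__main__":
    server = find_rdap_server(BOOTSTRAP_IPV6, "2001:dc0:2000::1")
    print("query:", server + "ip/2001:dc0:2000::1")   # RFC 7482 path for an IP lookup
    for contact in abuse_contacts(SAMPLE_RESPONSE):
        print(contact["handle"], contact["email"])
        for line in contact["remarks"]:
            print("  note:", line)
```

The remarks matter for incident handling: in the slide's record the "abuse" contact is the RIR's IRT, which states that it does not operate the network, so an operator should read the remarks before treating that address as the network's abuse desk.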

Page 17:

Governance of the Internet

Governance in an Internet-connected world

Page 18:

Page 19:

This is not a representation of the proposal, just a mental model.

http://www.internetsociety.org/who-makes-internet-work-internet-ecosystem

Page 20:

RIPE CRISP Team Members, 12 May 2015

Overview of the process

[Figure: process timeline Dec 2014, Jan 2015, June 2015; participants AFRINIC, APNIC, ARIN, LACNIC, RIPE CRISP, IETF, ICG, NTIA, CWG (names); CRISP team report (numbers centric), RIPE 70; IANACG.ORG]

Page 21:

Mutually Agreed Norms for Routing Security (MANRS)

Stimulate visible improvements in the security and resilience of Internet routing by moving towards a culture of collective responsibility.

Page 22:

Common problems to be addressed

Incorrect routing information

Traffic with spoofed source IP addresses

Coordination and collaboration between network operators

Principles

1. The organization (ISP/network operator) recognizes the interdependent nature of the global routing system and its own role in contributing to a secure and resilient Internet.

2. The organization integrates best current practices related to routing security and resilience in its network management processes in line with the Actions.

3. The organization is committed to preventing, detecting and mitigating routing incidents through collaboration and coordination with peers and other ISPs in line with the Actions.

4. The organization encourages its customers and peers to adopt these Principles and Actions.

Page 23:

Actions

Action 1: Prevent propagation of incorrect routing information.

Action 2: Prevent traffic with spoofed source IP addresses.

Action 3: Facilitate global operational communication and coordination between network operators.

Action 4 (Advanced): Facilitate validation of routing information on a global scale.
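Actions 1 and 4 above call for validating routing information and not propagating incorrect routes, without naming a mechanism. The Python below is an added example, not code from the slides or from MANRS: it assumes RPKI route origin validation as one concrete way to do that and implements the RFC 6811 state machine (valid, invalid, not-found) over a constructed ROA table, then applies the usual policy of dropping routes whose state is invalid. The prefixes and AS numbers are documentation ranges, so nothing here describes a real network.

```python
import ipaddress

# Constructed ROA table: (ROA prefix, maxLength, authorized origin ASN).  ASNs 64496-64511
# and the prefixes used here are reserved for documentation.
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("203.0.113.0/24", 28, 64497),
    ("2001:db8::/32", 48, 64496),
]


def rov_state(announced_prefix, origin_asn, roas):
    """RFC 6811 route origin validation.

    - no ROA covers the announced prefix            -> 'not-found'
    - a covering ROA matches origin and maxLength   -> 'valid'
    - covering ROAs exist but none matches          -> 'invalid'
    """
    route = ipaddress.ip_network(announced_prefix)
    covered = False
    for roa_prefix, max_length, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa_asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def filter_announcements(announcements, roas, drop_invalid=True):
    """Split (prefix, origin ASN) announcements into accepted and rejected lists.

    The common deployment policy keeps 'valid' and 'not-found' routes (most of the
    table has no ROA yet) and drops only 'invalid' ones.
    """
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = rov_state(prefix, asn, roas)
        bucket = rejected if (state == "invalid" and drop_invalid) else accepted
        bucket.append((prefix, asn, state))
    return accepted, rejected


# Constructed announcements a router might receive from a peer.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),        # exactly what the ROA authorizes
    ("192.0.2.0/25", 64496),        # right origin, but more specific than maxLength allows
    ("192.0.2.0/24", 64497),        # wrong origin AS for a covered prefix
    ("203.0.113.128/26", 64497),    # more specific, but within maxLength 28
    ("198.51.100.0/24", 64496),     # no ROA at all
    ("2001:db8:1::/48", 64496),     # IPv6, within maxLength 48
]

if __name__ == "__main__":
    ok, dropped = filter_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    for prefix, asn, state in ok:
        print(f"accept {prefix} from AS{asn}: {state}")
    for prefix, asn, state in dropped:
        print(f"reject {prefix} from AS{asn}: {state}")
```

The second and third announcements are the two shapes a leaked or hijacked route usually takes, a more-specific prefix and a wrong origin AS; both are rejected, while the prefix with no ROA passes through as not-found rather than being dropped, which is why ROV coverage only improves as more operators publish ROAs.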

Page 25:

www.internetsociety.org

Olaf M. Kolkman, Chief Internet Technology Officer

[email protected], twitter: @kolkman