Security Implications of QUIC
- Paul Vixie
The Internet has long served as the Web's communications substrate, and historically that has meant TCP/IP. TCP is a clear text reliable stream protocol which predates the Web by about two decades and is usually implemented in the operating system's kernel. Starting in 2013, the Web community has reconsidered the use of clear text protocols and kernel resident protocols. The result is QUIC, a fully encrypted protocol intended to be implementable at the application layer. Adoption of QUIC will radically alter the security profile and performance characteristics of managed private edge networks including home and enterprise, for both Web servers and Web clients. Let's discuss.
Recent developments in the application of Information and Communication Technologies (ICTs) demand that we look at new approaches to providing solutions that respond to fast-changing requirements in the marketplace. I suggest that we focus attention on the needs of small to medium-size enterprises (SMEs) and how they can be enabled to utilize available ICT resources in a more efficient and effective way.
I believe that using the “digital enterprise ecosystems approach” will help SMEs actively participate in bringing about the appropriate digital transformation in their respective enterprise ecosystems. However, ICT service providers will have to reinvent themselves if they are to benefit from this emerging opportunity.
Sophisticated attackers, typically nation-state actors, have begun to leverage access to key DNS infrastructure to then hijack target organization domains. Target organizations now not only include government domains, but also large network operators. Most concerningly, these domain hijacks bypass traditional DNS protections, and are imperceptible to the users. In this talk, we describe our methodology for identifying domain hijacks in the wild, and our results from using this methodology to identify a range of victims demonstrating that domain hijacks have evolved into a favored intrusion tactic. Finally, we also discuss what these findings mean for organizations looking to secure their infrastructure.
A presentation that looks at our experiences in setting up a QUIC measurement platform and some results from the measurements.
This paper summarizes the current state-of-the-art in how submarine cable transmission technologies are evolving to support even more capacity over longer distances, not only as the content providers dominate the space, but also as older cables run out of capacity and need to be replaced with new systems.
A road trip: The journey of how we imagined doing anycast, built a prototype and deployed it, the lessons learned and what we think is required in terms of measurements to actually deploy a good anycast network.
In recent years there has been a lot of industry interest and hype around Segment Routing for IPv6 (SRv6). In this session, Aditya will attempt to separate the hype from reality, focus on the ground realities of implementing an SRv6-based network, and present a case study.
The session will cover the following topics:
The transition of network traffic from TCP to QUIC is happening extremely fast, with measurements across the world showing that QUIC has already reached nearly 50% of total traffic, doubling approximately every 18 months. The new protocol stack, comprising QUIC, encrypted over UDP, HTTP/3, DNS over HTTPS (DoH) and eSNI/ECH, all over TLS (Transport Layer Security) 1.3, completely obfuscates the traffic between application nodes and simultaneously drives a phenomenal change in traffic flow behaviour, with applications now fully in control of how they get delivered to end users, disintermediating the network in the process. Large Internet and cloud players and many emerging application players are rapidly adopting the new protocol stack, and traditional TCP/IP-derived technologies, combined with L4+ monitoring techniques, are proving largely insufficient in keeping up with this evolution. Application detection and visibility are significantly impaired by this stack, and the key technological paradigms on which communications service providers have built their network capabilities are now being challenged and obsoleted by these new protocols. In this session, we will show how the new protocol stack is constructed, how it behaves in terms of both visibility and congestion management, the impact it has on mobile infrastructure elements including, but not limited to, the RAN (Radio Access Network), and an analysis of how much traffic it occupies today in mobile and fixed networks. In addition, we will discuss the techniques communications service providers can use to evolve their network architecture and service capabilities to keep pace with this evolving protocol stack, enabling better traffic visibility, Quality of Experience and more efficient use of precious 5G spectrum.
This short talk is a personal perspective on Segment Routing and, in particular, SRv6.
I intend to dispel some of the myths around SRv6 as I see them and highlight some major concerns around its current state of development.
I also intend to bring the conversation back to one that is led from actual network requirements instead of one that starts with 'how can I deploy SRv6'.
What changed in the Internet's routing environment across 2022? In this presentation I look at the change in the size of the routed prefix collection in IPv4 and IPv6, and also look at the churn rate in BGP. Is BGP still able to scale efficiently as we cross the 1M routing prefix threshold?
This session will bring to notice various developments and activities happening at IETF that would be of interest to the APRICOT/APNIC community.
This presentation will introduce the KINDNS framework to a wide variety of DNS operators, to promote voluntary adherence to a clear set of security best practices and more effective DNS operations.
Merchant silicon switches benefit directly from semiconductor development. CMOS technology has now finally moved from the nanometer to the angstrom scale. This talk shares how to adapt these technologies to switching chips, and how to support 800Gbps and 1.6Tbps.
This talk examines why new technologies are failing to deliver affordable connectivity to rural and remote populations. It explores access gaps and details technological, regulatory, and investment strategies that can help close the digital divide. Explaining how last-mile connectivity can provide affordable, resilient, and reliable solutions, it shows why it is central to building an inclusive digital future for all.
In this presentation, I don't just want to talk about how the whole project came about. Rather, I would like to talk about our lessons learned. How we structured ourselves and what we think is important in case of a disaster. This is not a politically motivated presentation, but rather a presentation to get the colleagues out of their hamster wheel and maybe rethink things.
In recent years, content operators have been scooping up network engineers from ISPs. Worse, they have been moving those engineers off-continent to other countries. This has left ISPs in a precarious position, especially since more than 65% of the Internet's traffic is from the content operators; i.e., who will the content networks work with at the eyeball ISPs to peer, troubleshoot, upgrade, etc.?
RIPE Atlas is the largest Internet measurement network offered by the RIPE NCC for the benefit of the global Internet community.
The unique value of RIPE Atlas is the ability to perform active measurements from thousands of vantage points across the Internet for free. With more than 10,000 probes connected globally, you can easily view your network from outside, and spot any 'latency or routing' issues.
Volunteers from across the world help RIPE Atlas reach new places every day by hosting probes, the building blocks of our measurement network. Installing probes in as many networks as possible (top 5 ASNs per country) is what makes the measurements valuable for all. And we need your help here to install RIPE Atlas probes in the Asia-Pacific region to be able to truly serve the global Internet community.
SRv6 is becoming more widely used in mobile networks. It is not easy to implement a new architecture in a real network. I would like to share our experience and future challenges regarding SRv6.
This presentation is a report on comparing the service performance of LEO and GEO services using a number of different TCP congestion control protocols. We use RENO, CUBIC and BBR over fibre, LEO and GEO services and note the differences in stability and performance that ensue.
This talk will explore the topic of Artificial Intelligence (AI) and provide an in-depth examination of one of its most cutting-edge applications: ChatGPT. The presentation will begin with a definition of AI and its key concepts. This will be followed by an overview of ChatGPT, its capabilities, and how it is changing the landscape of AI. The focus will then shift to practical applications, including how to use ChatGPT to its fullest potential. The discussion will also delve into both the positive and negative aspects of this technology, as well as explore the rise of AI-powered 'clones.' Finally, the talk will conclude by examining the future of AI and the role ChatGPT is likely to play in shaping this rapidly-evolving field.
OpenLI is a project that was born, and funded, by the New Zealand ISP community to meet their legislative Lawful Intercept needs. Whilst the project was created specifically for New Zealand's requirements, it should be able to fulfil Lawful Intercept needs for any country where real-time lawful interception is required, especially if it involves the ETSI standards.
RPKI deployment is currently ongoing in the networks operated by each AS. On the other hand, IXs also operate networks as IX segments for peering platforms, and ROA registration is important for the IP addresses used as IX segments. I have surveyed the current status of IX segments, and in this session I would like to present the results and suggest how to register ROAs in the proper manner.
This talk covers the concept of setting up and managing an IXP route server via GitLab. This involves making use of GitLab CI/CD pipelines, Docker, Ansible and arouteserver.
Historically, IXPs have been developed by the local Internet industry to facilitate local peering, improving local connectivity for the members of the IXP.
Recent years have seen the emergence of Franchise IXPs, where commercial IXPs are now more involved in establishing franchises around the world.
The panel discussion aims to investigate the advantages and disadvantages of the Franchise IXPs when compared with the Home-grown IXPs, looking at the benefits and pitfalls of each model, and the general overall impacts on local peering and interconnectivity.
This material intends to provide an overview of the key Internet infrastructure in the Philippines. It is also formatted to complement the Peering Personals information, providing a visual reference of the distribution across the three major island groups.
The presentation will also talk about insights influencing the local Peering ecosystem and the multiple stakeholders.
Lastly, it culminates in the local perspectives that helped drive the peering landscape, and how it may move forward.
Embedded CDNs have been around for several decades. In the beginning there was Akamai and then Google. About a decade ago more showed up. In 2012, we did a panel at NANOG discussing the challenges for the ISPs who chose to embed. ISPs had to adapt to various differences for each of the solutions. The outlook was that an increased number of providers would offer an embedded solution, the variations would grow in complexity and the request or hope was alignment and standardization.
So what has happened in the last decade? This talk will focus on the most common embedded solutions and their similarities, differences and evolution over the past decade.
IX.br is moving from Data Center Interconnection based on multiple 100G ports to 400ZR using 400G ports. The goal of this presentation is to show many aspects of this change, comparing hardware costs, power consumption, DWDM optical layer and next steps. Prices will not be disclosed due to NDA with vendors, but a relative approach will be used.
SD-WAN has garnered significant traction in the business services market as a credible alternative to MPLS VPNs. However, the proprietary nature of many implementations means that straightforward answers on what SD-WAN means are difficult to find. In this webinar, we will provide a high-level overview of SD-WAN technology and the benefits it provides over traditional enterprise VPNs. We will also briefly cover SD-WAN standardisation and some of the key use cases.
Segment Routing is an interesting paradigm shift in routing that allows source nodes to steer a packet along an explicit route using information attached to the packet and without the need for per-path state information to be held at transit nodes.
Such a capability is of particular importance when considering SDN approaches which decouple the control plane and data plane, allowing centralised computation of optimal paths which can then be pushed down to source nodes to achieve desired traffic flow steering.
In this technology tutorial, we cover the following:
In this tutorial we will go through a quick review of the RPKI and will focus mainly on installing Relying Party Software and doing the origin validation. Participants will be able to play with the full routing table.
For over a year, a community of major ASNs has been persistently pushing back on the DDoS miscreants operating booters, stressers, and other tools used in DDoS reflection attacks. DBIT was based on community consultation, where we rethought the problem with the desire to shift the economic consequence of DDoS onto the criminals who are perpetrating the DDoS.
One year of DBIT's persistent tempo of action has shifted the types of DDoS toward 'bot/proxy' rather than reflection. We have a community collectively taking action, along with new tools, techniques, and BCPs to protect our mutual business interests.
This TLP: RED session will be the first conference at which DBIT's work is shared with a broader community. We will focus on:
This tutorial is in-person only. No remote (TLP: AMBER). Participants who wish to receive DBIT briefings can request 1:1 sessions with the individual or the organization.
This tutorial covers DNS and DNSSEC, specifically:
The days of cleartext communication are over. We live in an age where everything needs to be encrypted. A popular solution is to 'rent' integers from well-known for-profit certification authorities, one year at a time. And then forget to renew your certificates every year.
Anything that is done 'annually' ends up being done 'manually'. Learn how to use short-lived Let's Encrypt certificates to secure your infrastructure ... and add some useful automation because you have to.
This lively tutorial goes into a bit of background about certification authorities but most of the time is spent showing a real-world demo of automated issuing of Let's Encrypt certificates with DNS verification.
P4 (programming protocol-independent packet processors) is a special language to define how the network packet forwarding process is built, independent of the underlying hardware target, in terms of both the protocol headers and the processing logic. So, it is possible to dynamically reconfigure the forwarding process on different target hardware, such as an ASIC, FPGA, or NIC. P4 acts as a compiler, providing information and instructions via 'match-action' tables to the target device. P4 can also be implemented on SDN networks to check forwarding behavior on SDN switches and add information either in the form of actions or as additional information in network packets. Through the P4Runtime protocol, the SDN controller is able to dynamically manage P4 programs in the pipeline of the switch. With P4, users can write complete programs that include the appropriate packet forwarding process and how to test it before it is deployed to the entire production network. Many other features of P4 are important for cloud providers, data center managers and service providers, including in-band telemetry/measurement, traffic load balancing, anti-DDoS, packet brokers, and protocol offload. This tutorial also includes a live/recorded demo of how to program P4 for different functionalities.
The tutorial is a snapshot of some of the labs that are delivered in the 3- or 5-day network security workshops run by APNIC. The focus of the tutorial is to introduce packet analysis concepts by explaining various protocols, tools and strategies to analyse packets to enhance security and help with troubleshooting. This tutorial aims at providing attendees a practical approach to:
The circumstances have changed, and gradually some Network Operators Groups (NOGs) have been able to hold their events on-site. Attendees are reminded of the value and importance of NOGs and such gatherings.
The purpose of this BoF is for NOG organizers to bring in each other's knowledge and experience to contribute to better NOG activities within the region.
Come to this open TLP: AMBER Security BoF, where we will foster a roundtable consultation on 'Shields Up' priorities. Carriers are now targets. DDoS continues. ISPs are resource-strapped to prioritize security. We're in a 2023 recession, meaning we will not get a new security budget. In other words, we must work within our means and leverage the public benefit security community.
This session will focus on public benefit tools, open source, and community activities. These don't need big capital budgets and have proven effective for many other organizations. MANRS, Shadowserver, NSRC, and many other public services will be highlighted from the POV of 'how can I use this in my network right now?'
This session will be facilitated by ISOC/MANRS, M3AAWG Anti-DDoS SIG, the FIRST Multi-Stakeholder Ransomware SIG, and others active in efforts to push back on the cybersecurity threats to our networks.
This session discusses abuses within the Domain Name System (DNS), covering the causes that lead to disruption of the infrastructure and cause it to operate in an abnormal and unintended manner. ICANN has DNS Abuse as one of the tracks within its strategic goals, to further foster greater engagement with different stakeholders through mitigating security threats. The Asia-Pacific Regional At-Large Organization (APRALO) of ALAC in ICANN has led the way in involving end users in the discussions on creating policies related to the topic at hand, in coordination with the local At-Large Structure (ALS). The Internet Society Philippines Chapter (ISOC-PH) is the ALS representing the Philippines, with the primary advocacy of elevating awareness of Internet governance, policy crafting and discussions, issues on infrastructure and security, and the like. The session will also be supported by Southville International School and Colleges through the College of Information Technology and Engineering.