A long long time ago when the Internet was still young and most people were still using clunky Apples, PCs and mainframes; two documents were published by the Advanced Research Projects Agency (ARPA), part of the US Government's Department of Defense. They were called "RFC 821 - Simple Mail Transfer Protocol" and "RFC 822 - Standard for the format of ARPA Internet text messages" respectively. Written by the John Postel and Dave Crocker respectively, often referred to as some of the founding fathers of the Internet, they defined a simple text-based email system for the use of the fledging network then called the "ARPA Internet"... more
Ever since I published an essay exploring the relationship between climate change and the Internet, I have endeavored to bring this subject to the fore as often as possible (and in relevant fora and discussions) since the responsibility of creating a more sustainable world falls on all communities and stakeholder groups. It is particularly pressing now -- at a time when international interest in curbing climate change is strengthening, while it is juxtaposed with the receding commitments of the United States government... more
Network Solutions is having problems with "all" its name servers, according to their tech support and a recent post on North American Network Operators' Group (NANOG) mailing list indicates that it has been under very large-scale UDP/53 DDoS attack for the last 48 hour period. As a result, domain names hosted with Network Solutions' Worldnic have been affected. Network Solutions is one of the leading domain registrars and DNS hosting providers in the world, managing more than 7.6 million domain names. more
In general, a network firewall is just a traffic filter... Filtering rules can be anything from "allow my web server to hear and answer web requests but not other kinds of requests" to "let my users Ping the outside world but do not let outsiders Ping anything on my network." The Internet industry has used firewalls since the mid-1980's and there are now many kinds, from packet layer firewalls to web firewalls to e-mail firewalls. Recently the DNS industry has explored the firewall idea and the results have been quite compelling. In this article I'm going to demonstrate a DNS firewall built using RPZ (Response Policy Zones) and show its potential impact on e-mail "spam". more
Here's a good way to frighten yourself: Learn about something, and then read what the press writes about it. It's astonishing how often flatly untrue things get reported as facts. I first observed this back in 1997 when I was a Democratic lawyer in the U.S. House of Representatives working on the (rather ridiculous) campaign finance investigation. (The investigating committee's conspiracy-minded chairman was famous for shotgunning pumpkins in his backyard in order to figure out exactly how Hillary snuffed Vince Foster)...More recently, I've seen the same discouraging phenomenon in reporting on technology and, in particular, the Internet. more
One of the most prominent denial of service attacks in recent months was one that occurred in March 2013 between Cloudflare and Spamhaus... How did the attackers generate such massive volumes of attack traffic? The answer lies in the Domain Name System (DNS). The attackers asked about domain names, and the DNS system answered. Something we all do all of the time of the Internet. So how can a conventional activity of translating a domain name into an IP address be turned into a massive attack? more
DNS rebinding attacks are real and can be carried out in the real world. They can penetrate through browsers, Java, Flash, Adobe and can have serious implications for Web 2.0-type applications that pack more code and action onto the client. Such an attack can convert browsers into open network proxies and get around firewalls to access internal documents and services. It requires less than $100 to temporarily hijack 100,000 IP addresses for sending spam and defrauding pay-per-click advertisers. Everyone is at risk and relying on network firewalls is simply not enough. In a paper released by Stanford Security Lab, "Protecting Browsers from DNS Rebinding Attacks," authors Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh provide ample detail about the nature of this attack as well as strong defenses that can be put in place in order to help protect modern browsers. more
Anyone who still is using the "I'll-just-wait-on-IPv6-because-it-will-never-happen" approach is clearly NOT watching the measurements. First, there was the news last week that Google's IPv6 measurement had crossed over 3% less than five months after crossing the 2% mark. Then today comes word from the World IPv6 Launch measurements program that the February 2014 measurements are up... more
What does the crystal ball say for the Internet in 2014? Here are three scenarios for what could happen with the global Internet Governance Eco-System in the coming 12 months... In the worst case scenario the Internet gets more and more fragmented and re-nationalized. A growing number of governments start to define a "national Internet segment" and develop policies to surveil, censor and control access to and use of the Internet. National firewalls will separate the "domestic Internet" from the global Internet and an exit and entrance regime into networks is introduced where users need passwords, handed out by governmental authorities on an annual basis, to go from one domain to another... more
It seems that there is an increasing level of interest in the topic of IPv4 address exhaustion, so I thought I'll share a set of answers to the most common questions I've been asked on this topic in recent times. ... If there is a common factor in many of these challenges, it is scaling the network to meet an ever expanding agenda of more users, more devices, more traffic, more services and more policies. more
Almost every conversation I have with folks just learning about IPv6 goes about the same way; once I'm finally able to convince them that IPv6 is not going away and is needed in their network, the questions start. One of the most practical and essential early questions that needs to be asked (but often isn't) is "how do I lay out my IPv6 subnets?" The reason this is such an important question is that it's very easy to get IPv6 subnetting wrong by doing it like you do in IPv4. more
When preparing a network for IPv6, I often hear network administrators say that their switches are agnostic and that there is no need to worry about them. Not so fast. Yes, LAN switches function mainly at layer 2 by forwarding Ethernet frames regardless of whether the packet inside is IPv4 or IPv6 (or even something else!) However, there are some functions on a switch that operate at layer 3 or higher. more
Much has been said about how Google uses the services they provide, including their mail service, their office productivity tools, file storage and similar services, as a means of gathering an accurate profile of each individual user of their services. The company has made a very successful business out of measuring users, and selling those metrics to advertisers. But can we measure Google as they undertake this activity? How many users avail themselves of their services? Perhaps that's a little ambitious at this stage, so maybe a slightly smaller scale may be better. Let's just look at one Google service. more
Mid-January 2012 marked a major inflection point for digital copyright policy in the United States... Yet no one involved with Congressional interaction on either side of the issue believes it has been sidetracked for long, and "Hollywood" and "Silicon Valley" are both plotting their next moves in this high-stakes game to further define the responsibilities and potential liabilities... The resolution of this dispute will determine the ability of Internet services to move to "the cloud"... more
After hearing over 350 presentations on IPv6 from IPv6-related events in the US (seven of them), China, Spain, Japan, and Australia, and having had over 3,000 discussions about IPv6 with over a thousand well-informed people in the IPv6 community, I have come to the conclusion that all parties, particularly the press, have done a terrible job of informing people about the bigger picture of IPv6, over the last decade, and that we need to achieve a new consensus that doesn't include so much common wisdom that is simply mythical. There are many others in a position to do this exercise better than I can, and I invite them to make a better list than mine, which follows. more