Monthly Archives: September 2013

China


Last week I toured China, talking to the local IETF contributors. And there are so many! I talked to people from equipment vendors, operators, research institutions, and local standards organisations. We have said that we want to increase the participation of all parts of the world in IETF work. China’s rise is definitely a success story for others to follow: many new RFCs today have authors from China (soon 2nd after the US), Chinese contributors have roles in the IETF as working group chairs or IAB members, we’ve held a meeting in Beijing (hosted by Tsinghua), and our next meeting has a host from China (Huawei). And of course, the growth trend is not accidental, but has come about due to the large importance of networking for the industry everywhere, the move of telecommunications on top of IP, and various other industry trends.

Some of the things that came up relate to detailed issues in getting a particular proposal moving forward, others were at a higher level, pointing to the need to further develop some aspect of the Internet. The most common topics on last week’s trip were:

  • IPv6 – this continues to be a high priority topic. In many cases the work needed is practical deployment effort rather than further development of standards, of course. But address space expansion is particularly important for China’s large population, and I think we can expect large efforts on this. Just as an example, China Telecom plans to enroll 3 million subscribers to its IPv6-based broadband network by the end of the year. Exciting times ahead, and that is just a tiny fraction of the population!
  • Internet of Things draws a lot of attention from developers, and it is clear that further standards work is needed there in areas such as security, energy consumption, and group communication.
  • Managing the time-to-market delay for standardized solutions. BOF-to-RFC time has been one of the problems that I have identified, but the overall time-to-market for new technology is a critical issue for many participants. One of the approaches that I think will help this is also our recent trend of producing frameworks that are programmable for specific applications, rather than protocols that have all features built in. For instance, the Web of Things and WebRTC will help developers come up with applications quickly, as soon as the fundamental framework is in place.
  • By the way, the WebRTC project is a joint effort between the IETF and W3C. We often see this with new technologies: co-operation between different organisations is necessary. Such co-operation was a topic on my visit to China as well; for instance, the China Communications Security Association depends on many IETF technologies, and information sharing to understand what different parties are doing is important.
  • Software Defined Networking. This is a hot topic in several standards organisations. At the IETF, we have one working group and one research group – I’m sure there will be more work in this space in the future, as the industry learns how we can use this technology.
  • The role of Future Internet research vs. the IETF. I think research on this topic has been very interesting. My favourite result from this work is Information Centric Networking (ICN). We have a research group at the IRTF where this technology can be discussed. When and if there are results that we can take for production use, I at least would be happy to host working groups at the IETF. I do believe, however, that deployment of new technology is a challenge and as a result, incremental deployment models for ICN may be the most useful ones.

But, of course, there is plenty of work left. My trip to China was just a part of an overall effort to try to understand what various people need from the IETF. I would be very happy to receive feedback on what the IETF is doing, how it is doing it, and on Internet technology at any time. For instance, what does networking need in South America or Africa, two areas that have a growing attendance at the IETF but are not yet so visible in the RFC publication graph? Also, if there is a problem in the IETF process somewhere, I would be happy to know and try to improve it.

Feel free to contact me and let me know what is on your mind!

Jari Arkko, Chair of the IETF

Security and Pervasive Monitoring

The Internet community and the IETF care deeply about how much we can trust commonly used Internet services and the protocols that these services use. So the reports about large-scale monitoring of Internet traffic and users disturb us greatly. We knew of interception of targeted individuals and other monitoring activities, but the scale of recently reported monitoring is surprising. Such scale was not envisaged during the design of many Internet protocols, but we are now considering the consequences of these kinds of attacks.

Of course, it is hard to know for sure from current reports what attack techniques may be in use. As such, it is not so easy to comment on the specifics from an IETF perspective. Still, the IETF has some long-standing general principles that we can talk about, and we can also talk about some of the actions we are taking.

In 1996, RFC 1984 articulated the view that encryption is an important tool to protect the privacy of communications, and that as such it should be encouraged and available to all. In 2002, we decided that IETF standard protocols must include appropriate strong security mechanisms, and established this doctrine as a best current practice, documented in RFC 3365. Earlier, in 2000, the IETF decided not to consider requirements for wiretapping when creating and maintaining IETF standards, for reasons stated in RFC 2804. Note that IETF participants exist with positions at all points of the privacy/surveillance continuum, as seen in the discussions that led to RFC 2804.

As privacy has become increasingly important, the Internet Architecture Board (IAB) developed guidance for handling privacy considerations in protocol specifications, and documented that in RFC 6973. And there are ongoing developments in security and privacy happening within the IETF all the time; for example, work has just started on version 1.3 of the Transport Layer Security (TLS, RFC 5246) protocol, which aims to provide better confidentiality during the early phases of the cryptographic handshake that underlies much secure Internet traffic.

Recent days have also seen an extended and welcome discussion triggered by calls for the IETF to build better protections against wide-spread monitoring.

As that discussion makes clear, IETF participants want to build secure and deployable systems for all Internet users. Indeed, addressing security and new vulnerabilities has been a topic in the IETF for as long as the organisation has existed. Technology is, however, not the only factor. Operational practices, laws, and other similar factors also matter. First of all, existing IETF security technologies, if used more widely, can definitely help. But technical issues outside the IETF’s control, for example endpoint security, or the properties of specific products or implementations, also affect the end result in major ways. So at the end of the day, no amount of communication security helps you if you do not trust the party you are communicating with or the devices you are using. Nonetheless, we’re confident the IETF can and will do more to make our protocols work more securely and offer better privacy features that can be used by implementations of all kinds.

So, with an understanding of the limitations of technology-only solutions, the IETF is continuing its mission to improve security in the Internet. The recent revelations provide additional motivation for doing this, as well as highlighting the need to consider new threat models.

We should seize this opportunity to take a hard look at what we can do better. Again, it is important to understand the limitations of technology alone. But here are some examples of things that are already ongoing:

  • We’re having a discussion as part of the development of HTTP/2.0 as to how to make more and better use of TLS, for example to perhaps enable clients to require the use of security and not just have to react to the HTTP or HTTPS URLs chosen by servers.
  • We’re having discussions as to how to handle the potentially new threat model demonstrated by the recent revelations so that future protocol designs can take into account potential pervasive monitoring as a known threat model.
  • We’re considering ways in which better use can be made of existing protocol features, for example, better guidance as to how to deploy TLS with Perfect Forward Secrecy, which makes applications running over TLS more robust if server private keys later leak out: a recorded session cannot be decrypted afterwards with the leaked long-term key alone.
  • We’re constantly updating specifications to deprecate older, weaker cryptographic algorithms and allocate code points for currently strong algorithm choices so those can be used with Internet protocols.
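As an added illustration of the Perfect Forward Secrecy point above (constructed example code, not anything from the IETF, the TLS specifications or any TLS implementation): a toy model of two key-exchange styles, RSA key transport and ephemeral Diffie-Hellman, followed by a check of what a recorded handshake transcript yields once the server's long-term private key has leaked. The RSA modulus, DH group and signature scheme are deliberately tiny and insecure, chosen only to make the mechanics visible, and all function names are my own.

```python
"""Toy model of why forward secrecy matters when a long-term key leaks.

Constructed example. Two TLS-like key exchanges are modelled:
  * RSA key transport: the client encrypts a premaster secret to the
    server's long-term RSA key (no forward secrecy).
  * Ephemeral Diffie-Hellman, signed by the server's long-term key
    (forward secrecy: the ephemeral exponents are never transmitted).
A passive observer records the transcript; later the server's private
key leaks. Parameters are tiny and NOT secure; they are for illustration.
"""
import hashlib
import secrets

# Toy long-term RSA key of the server (constructed, insecure size).
P, Q = 61, 53
N = P * Q                          # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))  # 2753, the private exponent

# Toy DH group (constructed, insecure size): Mersenne prime 2^127 - 1.
DH_P = 2 ** 127 - 1
DH_G = 3


def derive_key(shared_secret: int) -> str:
    """Toy KDF: hash the shared secret into a hex session key."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).hexdigest()


def rsa_key_transport_handshake():
    """RSA key transport. Returns (session_key, transcript), where
    transcript is exactly what a passive observer sees on the wire."""
    premaster = secrets.randbelow(N - 2) + 2          # client's random secret
    encrypted_premaster = pow(premaster, E, N)        # ClientKeyExchange
    transcript = {"encrypted_premaster": encrypted_premaster}
    return derive_key(premaster), transcript


def ephemeral_dh_handshake():
    """Signed ephemeral DH. Returns (session_key, transcript).
    Only the public values and the signature are sent; the exponents
    a and b live on the endpoints and are discarded afterwards."""
    a = secrets.randbelow(DH_P - 2) + 2               # server ephemeral
    b = secrets.randbelow(DH_P - 2) + 2               # client ephemeral
    server_public = pow(DH_G, a, DH_P)
    client_public = pow(DH_G, b, DH_P)
    shared = pow(client_public, a, DH_P)
    assert shared == pow(server_public, b, DH_P)      # both sides agree
    # Server authenticates its ephemeral value with the long-term key
    # (toy "hash then RSA-sign", no padding).
    digest = hashlib.sha256(server_public.to_bytes(16, "big")).digest()
    signature = pow(int.from_bytes(digest, "big") % N, D, N)
    transcript = {
        "server_public": server_public,
        "client_public": client_public,
        "signature": signature,
    }
    return derive_key(shared), transcript


def verify_server_signature(transcript: dict) -> bool:
    """Client-side check that the ephemeral value came from the server."""
    digest = hashlib.sha256(transcript["server_public"].to_bytes(16, "big")).digest()
    expected = int.from_bytes(digest, "big") % N
    return pow(transcript["signature"], E, N) == expected


def session_key_from_recording(transcript: dict, leaked_private_exponent: int):
    """What a recorded transcript yields once the server's long-term
    private key is known. Returns the session key if the transcript
    contains enough to derive it, otherwise None."""
    if "encrypted_premaster" in transcript:
        # No forward secrecy: the leaked key decrypts the recorded premaster.
        premaster = pow(transcript["encrypted_premaster"], leaked_private_exponent, N)
        return derive_key(premaster)
    # Ephemeral DH: the leaked key only lets one sign new handshakes; the
    # recorded g^a and g^b do not reveal the shared secret without a or b.
    return None


if __name__ == "__main__":
    key, rec = rsa_key_transport_handshake()
    print("RSA transport, key leaked later, session recovered:",
          session_key_from_recording(rec, D) == key)
    key, rec = ephemeral_dh_handshake()
    print("Ephemeral DH signature valid:", verify_server_signature(rec))
    print("Ephemeral DH, key leaked later, session recovered:",
          session_key_from_recording(rec, D) is not None)
```

The defensive takeaway is the one the bullet states: with the static RSA exchange, every recorded session falls to a single later key compromise, whereas with signed ephemeral DH the long-term key only authenticates the handshake and a compromise exposes nothing already recorded. The same holds for TLS cipher suites using DHE or ECDHE instead of plain RSA key exchange.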

And we are confident that discussions on this topic will motivate IETF participants to do more work on these and further related topics.

But don’t think about all this just in terms of the recent revelations. The security and privacy of the Internet in general is still a challenge even ignoring pervasive monitoring, and if there are improvements from the above, those will be generally useful for many reasons and for many years to come. Perhaps this year’s discussions are a way to motivate the world to move from “by default insecure” communications to “by default secure”. Publicity and motivation are important, too. There is plenty to do for all of us, from users enabling additional security tools to implementors ensuring that their products are secure.

At the Vancouver IETF meeting, there will be time dedicated to discussing this, and we ask that those interested in working on this topic contribute to the analysis and develop proposals in this area. Those contributions are very welcome and can start now and continue in Vancouver and beyond.

Relevant mailing lists (from most specific to most general) include:

Jari Arkko, Chair of the IETF, and Stephen Farrell, IETF Security Area Director

Vancouver


It seems like yesterday when we were in Berlin, but I wanted to highlight that our Vancouver meeting is coming up soon. Sooner than usual, in fact, given the dates of the meetings this year. The meeting starts in just 60 days, on November 3rd.

The meeting host is Huawei. They are one of the biggest contributors to Internet standards work today and a long-time sponsor of the IETF. Thank you for hosting us in Vancouver! The support of the host is an important part of setting up a successful meeting.

And I have high expectations for the meeting, given the exciting work that is ongoing in various working groups, not to mention some proposals for new work. But given that the meeting is so close, I wanted to note that proposals for those new efforts are due September 23rd, just three weeks away. Talk to your Area Directors about these efforts right away, if you have not done so already. Requests to schedule a working group meeting are also due on the 23rd.

And, for everyone, registration is open – please register for the meeting!

I am personally looking forward to going again to Vancouver, a beautiful city, and the location of many productive IETF meetings. IETF-88 is the fifth meeting we hold in Vancouver!

Here are some important links for the meeting:

Jari Arkko, IETF Chair

Photo by Brian Campbell