Tech – Page 27 – Simon Lyall's Blog

DevOpsDownUnder – Day 2 – John Ferlio

John Ferlio – Commit Early, Deploy Often

Flickr claim to deploy multiple times per day, not for everybody

Various ways to deploy, tarballs, versions control, packages

Usaing Package management to deploy

Treat internal apps same as external apps
Works with config management
Use CM and VMs to give devs a sample of production on their laptop
Devs can then develop directly to what prod looks like

Example for Deploy for Ruby Apps

Use bundle to setup ruby dependencies for app
Simple makefile to install install bundle and run it. Bundle installs apps and then compiles them. Then files put in right dirs (prod and stating versions)
dh_make to create base deb env
delete unwanted extra debian template files.
create staging and a production package, basic fill in of debian control files to buuild packages
Package contains whole website and files. Maybe 200MB. More advanced users might want to split some stuff off.
He has little bit to put the bzr revision in a file in the package for later reference.

Lauchpad PPAs – lets you build your source for various debian distributions/archetectires. He Blogged about a simplier system he created (you can host locally) this a month or two back.

Use to deploy rubu-on-rails and WordPress apps.

Don’t have to compile things on box, don’t have to install gems, don’t have to svn update.
Maybe use pre-init script to stop app server during the upgrade nd restart afterwards
Some talk about how to sync deployment of updated app and new database schema that it requires. Thoughts seem to be that new app version should be able to handle the old schema during the transition.
Rails libararies evolve so fast which is why libraries need to be bundled. Other languages can sometimes use OS provided libraries

NZ National Party claims copyright of Diplomat’s photos?

Last night I posted about how copyright of photographs of New Zealand Prime Minister John Key are owned by the New Zealand National party. In the post I assumed that the photos that were being claimed by National were taken by political staffers in the Prime Minister’s office.

However looking though the a New Zealand Herald’s photogallery of a John Key’s recent visit to Washington I noticed that the photos 5 and 6 in this gallery match these two photos on the “National Party” flickr page.

However the photo’s in the Herald are credited to “Tania Garry” who appears ( from a bit of googling) to be a career New Zealand diplomat currently posted to Washington.

So what is happening here? A New Zealand diplomat takes a photograph which is released to some news media (with full rights to publish it commercially I assume) but somehow the National Party is allowed to put it on their website/flickr under their own conditions?

So who owns the copyright for this photo? Who released a copy under what conditions and to who?

From my point of view it appears that a NZ diplomat takes a photo and then it’s made available to “friendly” news media for publication (but not the New Zealand public) before copyright is claimed by the National Party?

Like I said in my previous post, photos and other material like this should not be claimed by Political parties but should be released under a liberal license for use by anyone (which includes commercial use like newspapers).

Who owns John Key’s history?

The current Prime Minister of New Zealand is John Key , he’s a nice (well most people say so) guy who leads the right-of-centre National Party in parliament.

As a 21st century politician he has staff members who look after a twitter feed , he has a video blog on youtube and photos from his activities go on flickr.

The problem is that the copyright of images and videos of John key taken in the course of his official duties don’t appear to belong to the country or even be released into the public domain but are in fact claimed by The National Party.

Presumably this claim comes about because the persons recording the material are politically appointed staffers (although the salary is paid for by the New Zealand taxpayer) and they in turn have given their copyright to the National party (hopefully this is a formal arrangement and not some ah-hoc thing).

The problem is that while some photos and other material are posted to flickr under a restrictive license (which I’ll admit is more than previous PMs appear to have done) ownership and control of the material resides with a political party rather than the public.

So while the Whitehouse flickr stream allows photographs to be downloaded, reprinted and used in websites and media a photograph of John Key meeting the US Agriculture Secretary is locked down to Attribution-Noncommercial-No Derivative Works . Even worse attempts to contact the National Party Flickr person and ask if specific photos can be used have been universally rejected.

So my big questions are:

What are photos of the Prime Minister performing his official duties, taken by staff members owned by a political party rather than the government (or the people)
Why is used of the photos so harshly restricted?
How does it help promote New Zealand and New Zealand culture when photographs of our politicians can’t be used or reproduced by sites such as wikipedia?
What happens in 50 years when future historians want photographs of our politicians and they don’t exist or the ownership is unclear since they were not correctly transferred to the National party (if it still exists) by the original photographer or got lost at some point?

But really all I’m after is for the photographs to be released under a more liberal license much like the photographs from the Whitehouse. As a New Zealander I really shouldn’t have to wait till a New Zealand politician meets the US president before a free photograph of him is released and our PM’s wikipedia article doesn’t have him wearing a Green Tie.

NZNOG 2010 – Day 2 – Session 4

Metro WDM for the fiscally prudent – Simon Blake

CWDM – Split into various bands – uncooled lasers –
Single mode fibre – G.652c ideally – coloured optics – components
DOM/DDM support (SFF-8472) – query SFP and see what signal level it’s getting (over or under strength )
1-8 Channel MUX/demux – 8 channels 1471-1611 over a pair of fibre
Cisco 8 port mux/demux $6k/end ,
ebay 8 port mux/demux $800-1000/end
Direct import 8 port mux/demux $US 550/end
2 x 10GE on one pair – 2 channel 1310-1550 CWDW splitter (mux not a splitter) – $40 kit on direct import – vs numbers above
1x10GE on single fibre- optical circulators $NZ 1000k , $US14 imported
6 node network, 4 dark fibres – $27K
Trying to solve problem with lots of small hops, upstream building losing power (unpowered gear)
Pros: Multiprotocol, Perf/Security/reliability
Cons: Short Haul (sub 120km) , only 18 channels , Doesn’t do >10GE per channel, You need fibre
Direct Import Pro: cheaper , especially in bulk – design flexability
Direct Import con: No support except swaps – Freight – Language/Culture chellenges
traps – Waterpeak , Wideband receivers , Near end reflection , Avaibility of 10GE optics – DOM (ask for it) and untrusted optics – Measurement equipment/Circuits recording – Link Budgets and insertion loss

Monkeying around on the APE – Michael Jager

Plug in new port at APE and found things very open
PAcket sniffer + APE – should see boracast and traffic desinted for me
What did sniffer see – lots of APE for non-APE address space – DHCP
Borrowing transit – see how many networks will accept packets – 46 out of 75 will accept frame from unknown address detinated for their MAC
3 ports provide proxyarp for random address
How many networks have an interface in your mngt network?
6 will accept for 192.168.1.254
Customer can try and grab as many packaets as possible across cheap APE link rather than expensive transit link
Possible things untried – ARP spoofing – responding to un-answered ARP requests (old BGP session of removed neighbour ) – respond to DHCP requests
Speaking OSPF to OSPF-speaker – sending TCP RSTs – sending IPv6 RAs and answering IPv6 RS (like DHCP but for v6)
Read IM2tubes slide from Jonny and Philip’s slides from Monday
AMS-IX configuration guide
Don’t take packet from IXP if you arn’t expecting it
Don’t announce IXP network from anywhere

NZNOG 2010 – Day 2 – Session 3

Announcement at start of session that Telecom New Zealand now has an official Interconnect/Paid Peering Policy and Contact. Details to be Published. Ask Greg from Telecom for help.

Internetnz Update – Jordan Carter

General updates and new structure, new CEO
4 main areas ( Openness, rights and responsibilities, security)
IPv6 Task force , replace steering group
Copyright – replacement policy looks better, but sneaky changes might come back
ACTA – Key concern , lack of transparency, http://www.acta.net.nz
DIA filtering – voluntary and uses BGP . Give webpage, can report false alarm
Filter – only http, erodes end-to-end , privacy concerns , might be later abused (scope creep)
Filter – Send signal that “The government has made the Internet safe”
Internet opposed – DIA unhappy with that angle
Fibre Stuff – “Last day for 1.5 billion lolly scramble”
Regional Networks or one big National Network
Hard to tell what will happen – Similar exercise in Aus and Govt went back to drawing board
What happens to International Bandwidth?
Please join, followon twitter http://twitter.com/internetnz

APNIC update and much more – Elly Tawhai

Over 2000 members
1400+ monthly helpdesk enquiries ( 55% growth since last year)
Allocations around 100 per month
Various Policy changes coming up – Prop-050 (xfering address space ) , Prop-073 (sinple IPv6 allocations – 1 click) , Prop-074 (32 bit ASNs treatment same as 16 bit ones pushed back a year) , Prop-075 (recover historical ASNs)
Policies under discussion – Prop-78 ( Final /8 , only people deploying ipv6) , Prop-079 (abuse contact info in objects ) , Prop-080 ( Removal of IPv4 prefix exchange policy )
Several more allocation policies in pipeline
Recent Survey leading to priorities
Various my.apnic updates (web services even), support of research
More DNS root servers (Taiwan , Mongolia)
Please Participate

RIPE News – Tools and news – George Michaelson

RIPE used to be a research place and then became a RIR. RIPE labs is a return to the past
http://labs.ripe.net
Platform to test and evaluate new tools, feedback cycle
INRDB – big cloud of assignments, table dumps, dumps
Resource explainer
Various measurements , visualisation and links to tools. DNS reply size tester
Why – fast turnaround, engagement, no service g’tees

IPv6 flow chart – Nathan Ward

Make decission which IPv6 or IPv4/Ipv4 translation technology you should use
Tunnel Broker, 6to4, 6RD, Teredo, Dual stack lite, Double NAT, Dual stack
Other stuff that I wasn’t paying attention two
IPv6 addressing schemes
Sparse allocations
gives a sample which I won’t copy, look at his slides
Customer assignmesnt. Nathan likes /56s or RFC recomended /48. Take your pick

Andy is Curious – Andy Linton

Are Universities turning out the right people?
Good at turning out applications programmers not systems programmers

NZNOG 2010 – Day 2 – Session 2

DNSSEC at the root zone – Joe Abley

ICANN – Manges the Ket-signing-key (KSK) – accepts DS records from zone operators – sends update to DoCfor auth and to veriSign for implimentation
DoC auth changes and Verisign impliments the change
New process has Verisign signs the keys. V gets a few weeks of of KSKs that Doc signs in batches beforehand
DNSSEC Practice Statement – describes procedures, currently drafts
Around 20 Community Trusted Representative ( TCR ) have an active roll in the mangement of the KSK
2 copies of the Keys, west coats and east coast. Plus distributed backup
“ceromony” for each step in procedure, required what you do and how many people and which people are present.
Similar to what x.509 CAs do
KSK is 2048 RSA key rolled every 2-5 years ( RFC 5011 but not all have that support) – Signature using SHA-256
ZSK is 1024 RSA key – signed with NSEC – rolled 4 times year – Signature is SHA-256
Time cycle every 90 days – ZSK overlap of a couple of weeks
Root trust Anchor – published in XML document with constant URL – plain DNS record – PKCS#10 cert CSR , as self signed pub key, signable by others if they want
DO=1 part of EDNS0 – says client wants DNSSEC – many clients set bit even though most won’t really want them right now – will cause all queries to jump in size
Hard to sign root and then rollback
Staged deployment – Start servering DNSSEC for 1 root server at a time – L-Root first, then A, then the others with J last
DURZ – Unverifiable key published as placeholder
Measurement – Packet captures , diologue with operators – wide range of pre-testing with various software – test with clients that drop large packets
DS change requests – TLD procedure to be decided – DS requests 1-2 months before zone published
http://www.root-dnssec.org
Timeline – Test key signing Dec 2009 – Jan 2010 . Jan – July 2010 roll out signed roots . July 2010 Full Production
Lots of documentation on website
Indication of big jump in tcp queries presumably because udpreplies are too big

ENUM – Jay Daley

Why Doesn’t telephony work like email?
Email you choose how to published your email record, where to host, what emails to accept, can outsource, totally in control
So IP telephony should be easy too?
Unfortunately not
Non site-local numbers MUST go to telcoto get delivered
Missing – single , global directory linking telephone nmbers to voip numbers
This is ENUM . Telephone Number -> Domain Name – Simple Algorithm – e164.arpa – 04 931 6970 -> 0.7.9.6.1.3.9.4.4.6.e164.arpa
Won’t be typed, Translation done by a device – people still type out over fashon numbers
Register your number, create zone. Add NAPTOR records to DNS zone. Special records to specifiy endpoints (usually sip records), receive calls
NAPTO records do interesting stuff . eg “dig +short nsrs.tel naptr”
how? Option 1- enable on your VOIP PBX that is internet connected
Option 2 – on session border controller – “enterprise”
Option 3 – ENUM proxy ( if existing SBC doesn’t handle enum)
Registration process – not same as for domains since numbers already registered – needs authentication
Various methods of authentication in different places
No ENUM in NZ . Available in UK, Holland, Ireland, Germany, Austria but not significant takeup
Reasons for lack of takeup in those countries – lack of mindshare – hostility from telcos
Why not in NZ – TCF 2006 report – Privacy issues (but only publish what you like) – Emergancy services access (no idea where callers are) (but all VOIP has problem ) – Polcy/Goverance – “Carrier Issues”
ENUM isabout control – movingit from carrier to you
Key users – Call centres , ENUM instead of 0800 – Large supply chains (mandate VOIP ) – Multiple sites , simplyfy provisioning
Won’t happen without demand
“On the Internet voice is just another application”
Significant political and commercial resistence from Telcos

Day in the Life of the Internet – Sabastian Castro

4 years of DNS data
DITL motivation – network measurement – collection of data from DNS root servers – yearly since 2006
More and more root servers, Alt root servers, gTLDs etc passive traces, 48-72 hours
concentrate on root server data
Pick best 24 hours out of total window
4-8 billion queries, 3-6 million unique clients – sm5-12% recursive queries
Mostly A queries, AAAA increasing due to gluerecords being added (why are IPv4 clients sending AAAA queries when they probably won’t/can’t use)
70% of clients are EDNS are capable ( 90% of these are D0 enabled )
However clients sending lots of of queries (probably broken) have good support – But clients that query less have lover level of support
10 invalid TLDs represent 10% of queries ( .local , .localdomain , wpad , invalid , home , belkin , corp , lan )
Impossible to track down
Most queries from NZgoing to Auckland root and Brisbane root but some going to overseas servers (those might be use simple round-robin picking)
Lessons – Data collection is hard – clock skew , dat loss , wrong command line options , bad network taps
Data management – moredat , more participants – more formats – big effortto normalize data , fill gaps , fix clock skew .

NZNOG 2010 – Day 2 – Session 1

Lightning Talk

Geoff Huston – Stateless TCP and DNS
TCp limitations – Rough a high load
UDP Limitations – Requires IP fragmentation
Problems when response bigger than MTU , Fragments of UDP IPv6 often dropped. Switching to TCP drives up load again
Simulate UDP with TCP – do minimal crappy respose to fill headers
Ignore options, server doesn’t retransmit, ignore anything else from client, just closes connection
No reliability, No Flow Control, bad Idea but seems to work
Olof Kasselstrant – IXOR
Small IX in Malmo and Copenhagen (2nd site being looked at)
DIX only IX in Denmark
Sponsors for Fibre and Equipment
Exchange in 2 countries. Does it affect “must peer in 4 countries” agreement.
Dream to be in 4 sites soon
CCIP – Barry Brailey
Getting out of rewriting Microsoft patch notices
“investigation and analysis” function being dropped
Infomation and Alerting – website , newsletter, alerts – alerts targetted and highish threshold –
Outreach and partnering – main function – lease with overseas certs – talk to various groups – Education: presentation, newsletters, exercises (CyberStorm III – volenteers )
Security Information exchanges – Various groups – traffic light protocol – Looking at some new forums – Maybe ISP SIE
Cloud Computing for Service Providers – Richard Wade
As a service provider – should I care?
Infrastructure Foundation (Cisco, EMC, HP)
Infrastructure as a service (Amazon , Sun , Savvis )
Platform as a swervice (Amazon, MS Azure )
Software as a Service ( Salesforce, Google apps)
Integrate mngt ( network, servers, hypervisor, storage ) – unified fabric
Why and Why Should I care
Customer Ads – Eliminate Capex – Reduce Opex – IT as a utility
Customer Probs – No LAN apps (overseas often) – WAN now biz critical – Operational relationship with overseas provider – Legal jurisdiction of data
Service Provider ads – Understand managed services – Existing datacentres and infrastructure – OSS , process staff and contacts – SLAs – Domestic provider
Sp Probs – Managed cust revenue declining – Race to bottom? – Increase International transit – High expectations of quality and relaibility
Lame aternative IX Update technique – Simon Blake
New system to update filter lists for IXs
Citylink can instead download list of networks from customer URL
Pulls list daily
If diff email for confirmation or action it immediately
ALTO – LLyod
Helping p2p users select local/nearby peers
GeoIP and anycasting – rough
ALTO allows ISP to provide application, localtion, routing information, charging information, performance.
ISP puts on network some servers (itrackers) that deliver to p2p client the policy information
p2p caches (very close to edge) can be advertised
No currently in use in the wild
IPv6 taskforce – Dean Pemberton
Internetnz+ MED
TechSIG – 3 Hui in 2009 – Aimed at CIO/CTO – Went really well
Looking at more training (session in 2009 already)
Other things Task Force can do?

Building a Datacentre for less than $1 million – Gerald Creamer

When it’s your own money you care so much more
Had to move datacenter to another building
Short is that you can’t do it for less than $1m
Significant cost areas – Physical – power – cooling – network – time
The right building – 18 m search – 100 sites looked at – 7 sites investigated – 4 site due diligence
Engineers – “consultation” vs “converstaion”
First culling – all concrete – Not ground , not top floor – Strong 5kPa – high stud – no sprinklers – built between 50 and mid-80s – CBD fringe
$400 per m2 to strength building
2nd culling – close to street transformer – shorter power cables runs in building – shorter pipes for colling – outdoor space – generater space – near data networks
Useful – friendly landlord – nice bank – recession (kean landlord)
Save money – quality pre-owned hardware – “free” stuff – Ask experts – do some stuff yourself – Get experts to do others
Cables up abandoned lift shaft
2nd hand generator – not as large as final requirement but bigenough for current build
Room to upgrade UPS, generator, cables and space spec’d for more
domestic meters to measure power in each rack
Process Coolers (cheaper) 28KW each $1500/KW cost – $70k of aircon for $7k – check serial number with manufacter to find product history
Seismic Bracing – $30k
Helped corps clear out datacenters they were moving out of rooms ( “make good” on leases) and picked up some equipment
Citylink and Telstra provisioned fibre. Telecom less helpful.

NZNOG 2010 – Day 1 – Session 4

IPv6 deployment scenarios – Brian Carpenter

Assumed v6 deployed by v4 ran out
change transition model
More internetworking than original ipv6 design originally anticipated. Assume v6 clients will need to access v4 servers forever
Tunnels – Dual Stack Lite ( share ipv4 addr amung custs by combining UPv4-in-IPv6 and NAT, Driven by Comcast BB model ) – 6rd ( blend of 6to4 and ISTAP providing atumatic tunning of IPv6-in-IPv4 to ISP subscribers. Deployed by Freenet.fr)
Older mesh and hub+spoke models also documented.
NAT64 – old NAT-PT deprecated
NAT64 – millions of IPv6-only custs needing access to IPv4-only services
NAT64 only solves 1 problem – cannot be met my dual-stack – DNS64 dns server creates AAAA of site only with A record. Packets to NAT64 box and translated
Various problems. 7 ietf drafts. Only solving since case
V6OPS WG- Emerging Service Provider Scenarios for IPv6 Deployment – ID and survey ISPs then publish draft 03/2010

Rapid IPv6 Deployment in ISp Network – Skeeve Stevens

AIM – Get people to use IPv6
eintellego runs ISPs
What stopping ISps implimenting IPv6
Why not? – Too expensive , bigger ISPs yes, smaller ISPs perhaps not, NOT expensive to do enough to be able to play with it
Why not? – Too Hard – Lack of internal skills – IPv6 is NOT hard, cisco admin should be basic IPv6 in 2h and IPv6 BGP in under a day – Play now or else you will be overwhelmed later when everybody is yelling
Why Not? – Don’t know where to start – Start with a external co-lo box in the US – Allocate small amount of time – Get access to a lab – Start at the border
Why Not? – No one asking for it – True enough – Don’t know about Ipv4 exhaustion, but they will
Why Not? – Little vendor support – improving – DSL CPE equipment getting better – Carrier Grade NAT ( CGN/LSN)
Why Not? – What is IPv6? – From Many IT professionals – Integrators have minimal experience
Why Not? – Who can help me? – commerially, very few people – Some training courses – Community helps
IPv6 is big, break it down into stages
Experiment Externally
Get allocation from APNIC
Enable your Edge (BGP)
Enable Core
Enable desktop
Enable your hosting
Enable Operation Support Systems
One hosting company just took 1 week
Very rapid training, just a couple of days
Simplified addressing – short to medium term – rapid deployment – format – 2406:9800::F:203.18.102.99 – Use F0 instead of”F” for next pop – Using /128s will increase routing table – “chazwazza” is ipv6 equiv of “octet”
We use /64 for all end customer assignments – static routes to make v4-in-v6 work
NTP might not work
Some security concerns
Go through commons OS, Daemons, Hardware ( phones, printers, UPS, gameboys)
Might have to tunnel
Hassel carrier if not provided
Hassel vendors if they don’t work
Some parts won’t happen overnight
Predictions – Telstra selling IPv6 mid 2010 – Resource rush to grab IPv4 IPs while they can , surge in APNIC membership – exhaustion brought forward – secondary market will come – APNIC will lose control

Simply allocation of ipv6 addr to ipv4 holders – Elly Tawhai

Policy 73
Encourage greater uptake of IPv6
An APNIC member with IPv4 allocation is eligible /32 . Member with assignment gets a /48
One-Click IPv6 from my.apnic.net

NZ/IPv6 from (offshore) DNS – GGM (no name)

Passive tap on DNS servers – spot reverse lookups for in-addr.arpa
Capture all DNS in 1 day look for NZ IPs
1 in 10,000 lookups are doing IPv6
1 in 200 queries for DNS using IPv6
87.5% active delegattions in 24 hour period
45% of V6 networks live in 24 period
52% of v6 is Macs
IPv6 not on the phone
6to4 common even with providers that do IPv6 native

Things running late so IPv6 panel skipped.

NZNOG 2010 – Day 1 – Session 3

NZ Internet Task Force – Paul McKitrick

Out of Cyberstorm planning session – “what to do about botnets?”
Task Force has Steering Committee
Trust is essential – New members vetted – slow growth of membership
Protocol on how widely specific pieces of information can be shared
Information sharing – networking – training courses ( honeynet, shadow server foundation, team cymru )
Focus areas – Telecommunications (telecom honeynet, Uni grads seconded to telecom, Walled Gardens) – Research (Botsearch.py , VUW honeynet , data Brokerage ) – Stretegy ( Phishing site takedowns, Nat Cyber Security day 2010 , NZ Computer crime and Secuity project )
NZ Ips sending 110 million spams per day
Why – good for “.nz inc” , Opportunities for research, networking, conduit for disclosure

Bits on a Budget – Perry and Jamie

chellenging the belief that PCs running linux useful only for slow, small, un-important routing jobs
changes in last few years means this may need to be re-evaluated
What changed – PC Arch, Intel stopped sucking , Quick Path Interconnect , PCIe , Multicore – Substantial improvement in Linux – Multiqueue RX/TX to take advatage of multicore
Intel x520 10 GigE cards – Significant hardwareoffload – TCP segmentation, generic receive offload , checksumming , multiple input/output queues, input flow director
Well over 10Gb/s to hardware from CPU to IOwith PCIe
Server $9k – Dual intel x5570 – 6 x 4GB DDR3 – SuperMicro X8DTE with 1 io hub – Server grade redundant PSU – NIC $3k , 2x Dual port Intel x520 10GE Nic + optics – Debian Lenny – Linux 3.6.32.5 vanilla
created traffic generators as test setup – 45 machines
1 sender 1 receiver ( 11 boxes to 11 boxes ) – 9.8Gb/s – 1.2Mpps
2 senders , 2 receivers – 18Gb/s [ missed getting other stats but saturated links ]
3.5Mpps before collapse , PCIe thrashing, NUMA inefficiencies , Young NIC drivers
Bridging instead of routing – L2 filters – performance approx same as IP routing
firewalling – Stress box with lots of small TCP connections (hard to create, generator needs to hold up 100s thousands of sessions) – Open, receive 4k data, close – lots of tweaks to create traffic – Conntrack entrydefaults to 65k, upped to 10mil-
firewalling – 150,000 connections/second reached ( 5Gb/s)
firewalling – without contrack – saturates 10Gb/s
Number of Rules in Fw – 10Gb bi-directional , packetloss at 128-256 rules , no tuning – double that for single-direction – test has each packet going through each rule
Do you need to be an expert ? – If very fast, very cheap, then yes
Vyatta busy making this very easy – only pay for support, software is free
GigE (even lots of ports) is pretty easy
What experts do – Results over 90GB/s ( 40 in , 40 out ) on current hardware – People investigating for commercial reasons

Secure BGP – Geoff Huston

Anything evil is possible on the Internet
If I was evil , Through routing I’d attack DNS and forward to interceptor web server. Attack NZ based banks overseas so appears ok here
Through routing attack – route registry system, DNS root, trust anchors for TLS, critcal public servers, overwhelm routing system
Large networks advertised ( /8s etc) by various networks with no ovious reasons why. Same with AS numbers – v6 too
Nobody notices or cares about bogus routes beingoriginated
today’s networking is very insecure
Easy to – grab traffic , drop traffic , added false addresses to routing system , isolating or removing router from system . Don’t need to hack router just inject false routing information
what to do – protect you routers – standard security ( ssh access, maintain filter lists, user accts mngt, access log maintenance, snmp acls , etc )
what to do – bgp filters, md5 , passwords, prefix limits, watch out for errors causing bgp session to reset or come down – look at Rod Thomas’ BGP config templates
what to do – Check validity of routes your customers as you to route before adding to access control
alternatively – can BGP check each update to make sure it reflects the way things actually
RIRs sign who owns IPs , so routing changes for that network are in turned signed, resource certifcates. sign derivtive certs for sub-delegations of that resource
“AS 65000 can route 192.2.200.0/24” signed by the owner of that network.
What about path validation (signed AS above can just be prepended). A bit harder. – some progress and funding and test implimentations
Solution must cope with “partial use and deployment” , some good players will not use it any time soon.
Partially secured enviroment may be more operationally expensive but no more secure than what we have today.
Trust hierarchy is a “concentrating of vulnerability” – single point of attack
Only what to achieve useful outcomes?
Perhaps just anomaly detection to spot a large percentage of the problems
Will need key management systems and processes within companies like with website SSL certs

Trends in Cybercrime – Marcel van der Berg

Plenty of bots in NZ
Few comand and control servers in NZ
Approx 5000 unique IPs in NZ seen each day – trending up slightly long term
Increase in http botnets vs IRC botnets more static – around 500 controllers
C&C servers – IRC based in US and Eu – http based US , China , Russia
1 million open recursive DNS servers just used in 1 attack
Resurgance of “pay per install” business – stable botnet platforms offer lucrative models
“dumps” – information on magnetic stripe card – reseller network – from ATMs / POS / Payment processors / personally / In transit / Any datbase holding data
“CVV” – personal data (addresses, names, etc )
Make credits cards to match info from dump
“201” cards with chip on them harder to write/use and numbers are worth less. Perhaps $50 for the blank card
It’s all about the people. It’s all about the money

NZNOG 2010 – Day 1 – Session 2

Emergence Video Internet EcoSystem – Bill Norton

Tier 1 ISPs , Teir 2 ISPs and Content Providers
Recent changes: Big Content companies peering 70%-80% of traffic, agressively pushing out and peering with cable companies. CDNs also disrupting. Big middle
Video big growth
Perhaps 80% of Internet traffic is video – > Video Internet
How hollywood delivers video and how internet delivers video are parallel and clashing
Hollywood System: creation/production (IP + money + work= movie )
Hollywood Distribution: Staged, theaters, pay-per-view, dvd, premium tv, commercial cable, broadcast TV
Hollywood model vs Internet Model clash
Lots of room for innovation (eg settop boxes, tive, boxeee, hulu) over commodity internet vs over cable infrastructure.
Hollywood system is 100% push
Hollywood system adjusting to take account of Internet model
Worldwide releases all at once
Download buy and rent available
Combo packs movie + dvd + soundtrack all in one package
Mini revolution achienved Vidoe Internet – Cheap cameras + editing software , Free upload and idstrobution (youtube) , dropping CDN/transit prices , broadband to the eyeballs , Home wifi , setop boxes
SkypeTV – killer App – what happens on mothers day?
What would purpose built video Internet look like?
Portable TV, tablet
Video Internet , innovation at lower end of content ( conference, cheap shows ) since cost of movies and primetime shows expensive to make.

Next 3 years – Philip Smith

Internet has been grwoing since the start
“The Long and Windy ROAD”
Work on next generation of IP since mid-1990s
Current Situation: Perception IPv6 hasn’t taken hold. Private sector worried about ROI to migrate
Stauts: Service providers get prefix automaticly. Much discussion about transition about operators, Deployment experience presentations, Many providers made backbones IPv6 compatable.
OS and Apps getting better
Content needs to be on IPv4 and IPv6 (not yet)
Ongoing debates – IPv6 Multhoming – Rigid IpV6 address allocation model “one size fits all” barrier
Ongoing – Not every device is IPv6 cabable (who cares about local lan devices) – We have enough IPv4 – Migration vs Co-existence (both will exist for years, dual-stck OS makes it trivial)
What not NAT? Many serious issues
Is IPv4 running out? Yes!
IPv4 run-out policiys by RIRs (last /8) – soft landing- keep range for 6/4 NAT
Issues today – minimum content on Ipv6 , giving Ipv6 to customers might confuse them
Strategies available – Do Nothing – Extend Ipv4 , push custs to NAT, Buy IPv4 – Deploy Ipv6 , dual stack, Ipv6 and NAT, various others
Proposals for prolong IPv4, various NAT options – NAT444/SP NAT – Dual Stack lite – NAT64 and IVI
Many require lage NAT box to translate all traffic v4/v6
IPv4 address markey – could happen – will addresses need to be registered with RIR to prove buyer has right to advertise them?
Spare /24s being grabbed and sold could cause routing table growth
Deaggregation various across the globe
Large provides marketing dept pointing to high ranking on CIDR report as proof they are “big”. Morons
Reports people towards top of list tend to feel flacky when you use them
BGP instabilitu report ( >5 updates per minute) – People towards top tend to be rough service.
Running low on AS numbers, transition to 32 bit – They are in the wild
Reasonable software support for 32-bits ASNs

Do your Fruit hang low – Adam Boileau

Adam is a penertration tester, Kiwicon organiser
Security guys are Jerks
Maybe you need better security guys
Secuity is fundimantally asymmetric – defenders do lots more work than attackers – Hackers only have to find one hole
completity == insecurity
0day can happen happen to anyone
Full disclosure is dead
Vulnerabilies are worth money
Surity is not a product
Security is a property of the system as a whole
Why do you care? – Sin’t a network problem any more – Network is getting dumber (passive encryption) – clients arn’t exposed any more
Virtual everything – consulation changes everything – VLANs, VRFs, MPLS, Virtul servers, virtual hosting , Virtual firewalls, Virtual network segrigation
Lawful Intercept – Harder to hack 1000 people or 1 telcom LI system? – Vodafone Athens , T-mobile – Google vs China
The Target is you (again) – You are the management plane- you use crappy IE6 boxes on the corp domain
Your Desktop – AD, patch management, AV, outloook, TFTP server, IDS, twitter, facebook, outsourced desktop mangement
Security Metrics . Nobody knows how bad it is and who got hacked , media reporting is useless
Scanned 6.8 million IPs and put in mongoDB
data-mined – lots of A records, self-signed certs , specific apps
Presentened stats of various probably vulnerable boxes
http://lowhangingkiwifruit.com
Tried contacting owners , no luck
Crimes Act very vague, no case law, etc
what to do? Release? Release the toolchain? Release to some people? Just delete it?
Companies: Insomnia or Lateral Security