[Newsclips] IETF SYN-ACK Newspack 2022-01-10

[David Goldstein <david@goldsteinreport.com>]

Hi IETF Participants,

 

Here’s the first SYN-ACK Newspack for 2022. It’s a bit of a bumper edition and includes some searches I do once a year of some sources, including some searching of academic papers. Some of these papers require a subscription, but I thought it worthwhile just to know about them.

 

And just the usual reminder, the IETF SYN-ACK Newspack collects IETF-related items from a variety of news outlets and other online publications. They do not represent the views of the IETF and are not checked for factual accuracy.

 

Happy reading!

David

 

**********************

IETF IN THE NEWS

**********************

IETF 112: Tim Wicinski explains DPRIVE, what happened at IETF 112 and why, if possible, TLDs should be involved

The final in our series of Q&As with participants at IETF 112 is with Tim Wicinski. Tim is one of the chairs of the DNS PRIVate Exchange (dprive) working group that “develops mechanisms to provide confidentiality to DNS transactions in order to address concerns surrounding pervasive monitoring.” Here Tim explains the path that led to him being involved in the IETF, but more importantly, the significance of DPRIVE for TLDs and why they should be involved, underlinging that he also understands they may not have the resources or time to do so.

< <https://www.centr.org/news/blog/ietf112-dprive.html> https://www.centr.org/news/blog/ietf112-dprive.html>

 

IAB Seeks Feedback on Candidates for the IETF appointment to the ISOC Board of Trustees

In 2022, the IAB is responsible for selecting one individual to serve a 3-year term on the ISOC Board of Trustees. The procedure is described in RFC 3677. The candidates who accepted nominations are:

< <https://www.iab.org/2022/01/05/iab-seeks-feedback-on-candidates-for-the-ietf-appointment-to-the-isoc-board-of-trustees-7/> https://www.iab.org/2022/01/05/iab-seeks-feedback-on-candidates-for-the-ietf-appointment-to-the-isoc-board-of-trustees-7/>

 

SMB over QUIC in Windows Server 2022: What you need to know

Change is afoot: The internet is moving away from the venerable TCP protocol that's been its foundation since the very start. Google began work on what eventually became QUIC in the early 2010s, with it becoming the foundation of HTTP/3 in 2018. Finally, in May 2021, the IETF issued RFC 9000, turning QUIC into an internet standard.

< <https://www.techrepublic.com/article/smb-over-quic-in-windows-server-2022-what-you-need-to-know/> https://www.techrepublic.com/article/smb-over-quic-in-windows-server-2022-what-you-need-to-know/>

< <https://www.msn.com/en-us/news/technology/smb-over-quic-in-windows-server-2022-what-you-need-to-know/ar-AASbxwA> https://www.msn.com/en-us/news/technology/smb-over-quic-in-windows-server-2022-what-you-need-to-know/ar-AASbxwA>

 

ICANN DNS Resolver Symposium – the Session Had Several Interesting Presentations That I Would Like to Comment On by Geoff Huston 

ICANN hosted a Resolver Operator Forum in mid-December, and the session had several interesting presentations that I would like to comment on here. ... A failure in the original model, which Paul asserts continues through to today, is that data types are hard to create (although the recent experience with the SVCB and HTTPS data types appears to point to a different conclusion, that data types are relatively easy to create!). As Paul suggests perhaps it was the overly complex IETF registration procedures that were pushing DNS users to overload the TXT record as an alternative to creating more data types.

< <https://www.potaroo.net/ispcol/2021-12/dns-sym.html> https://www.potaroo.net/ispcol/2021-12/dns-sym.html>

< <https://circleid.com/posts/20211222-icann-dns-resolver-symposium> https://circleid.com/posts/20211222-icann-dns-resolver-symposium>

 

The biggest tech trends of 2022, according to over 40 experts

Startup founders, Big Tech execs, VCs, and tech scholars offer their predictions on how Web3, the metaverse, and other emerging ideas will shape the next year.  ... Eric Rescorla, CTO, Firefox: 2022 is going to be the start of us having real tools to work with people’s data while preserving their privacy. A lot of the data collection that powers the internet, and particularly advertising, might be done in much less invasive ways. Cryptographers have been working on technologies like multiparty computation, zero-knowledge proofs, and homomorphic encryption for years, but they’ve finally gotten good enough that they’re practical for real world problems. We saw a little bit of this in 2021 but between the W3C Private Advertising Technology Community Group and the work on Privacy Preserving Measurement in the IETF, this is going to be a real area to watch in 2022.

< <https://www.fastcompany.com/90704618/the-biggest-tech-trends-of-2022> https://www.fastcompany.com/90704618/the-biggest-tech-trends-of-2022>

 

tsuNAME: DNS loops are a well-known problem, but aren't properly addressed by current RFCs

Last May, we publicly disclosed tsuNAME, a DNS vulnerability that could be exploited to mount DDoS attacks, where resolvers, clients and/or forwarders send endless queries to authoritative DNS servers. Although earlier RFCs have documented the existence of DNS name loops, none of them have fully addressed the problem. To fix that, we have proposed a new IETF draft to the DNS Operations Working Group (DNSOP WG).

< <https://www.sidnlabs.nl/en/news-and-blogs/tsuname-dns-loops-are-a-well-known-problem-but-arent-properly-addressed-by-current-rfcs> https://www.sidnlabs.nl/en/news-and-blogs/tsuname-dns-loops-are-a-well-known-problem-but-arent-properly-addressed-by-current-rfcs>

 

Changing minds and machines: a case study of human rights advocacy in the IETF

Abstract: Below the visible aspects of social media and other Internet applications lies a vast infrastructure, where opaque organisations and unaccountable technologists exercise significant power over the Internet. This dissertation is a first-hand anthropological study of how the culture of one such important organisation, the IETF, influences infrastructural politics thereby shaping the development of technology across the Internet. I propose a framework for ‘Critical Internet Governance’ to focus on the cultural forces shaping Internet governance and which groups have the power to define it.

< <https://ora.ox.ac.uk/objects/uuid:9b844ffb-d5bb-4388-bb2f-305ddedb8939> https://ora.ox.ac.uk/objects/uuid:9b844ffb-d5bb-4388-bb2f-305ddedb8939>

 

Characterizing the IETF through its consensus mechanisms

We propose analysis into the consensus mechanism of IETF that promotes internet drafts into RFCs. Using the data publicly available from IETF, such as mailing lists, internet draft action history, minutes of meeting, affiliation records, etc, we identify various mechanisms with which to characterize its dynamics. Through the use of novel text mining, time series clustering, graph mining and psycholinguistic approaches to understand the consensus mechanism within IETF deeply, we propose to derive actionable insights to facilitate greater diversity, inclusion and fairness in its operations.

< <https://www.iab.org/wp-content/IAB-uploads/2021/11/Sinha.pdf> https://www.iab.org/wp-content/IAB-uploads/2021/11/Sinha.pdf>

 

Who is the Average IETF Participant?

This paper proposes that it would be useful for data analysis activities to agree on a shared definition of active IETF participation, and then attempt to identify classes of participants that share common participation patterns. One step towards identifying such classes could be a characterization of the average active IETF participant, which by itself might generate valuable insights for the IETF operations and management teams. I. WHO IS THE COMMUNITY?

< <https://www.iab.org/wp-content/IAB-uploads/2021/11/Eggert.pdf> https://www.iab.org/wp-content/IAB-uploads/2021/11/Eggert.pdf>

 

Identifying temporal trends in IETF participation

Researchers at USC/ISI have begun performing some large scale communication analysis using data from datasets like those from the IETF RFC, Internet-Draft and E-Mail archives. Although this work is very much work-in-progress, below we show some preliminary results in analyzing datasets that show the fruitfulness of our larger plans. We specifically look at labeled datasets that contain markings for organizations, countries, and authorship.

< <https://www.iab.org/wp-content/IAB-uploads/2021/11/Hardaker.pdf> https://www.iab.org/wp-content/IAB-uploads/2021/11/Hardaker.pdf>

 

Observations about IETF process measurements

The uses are important, though, and they affect what data should be made available and in which way it should be visualized. The author has found that there’s a fair amount of demand for various uses, e.g., authors are interested in how their publications are referenced or about getting an easy listing of what documents they have, companies are interested in how their efforts and topics compare to what other companies are doing, for diversity it is interesting to understand geographical split of various levels of activities, same for gender distribution, and so on.

< <https://www.iab.org/wp-content/IAB-uploads/2021/11/Arkko.pdf> https://www.iab.org/wp-content/IAB-uploads/2021/11/Arkko.pdf>

 

Characterising the IETF through the lens of RFC deployment

Protocol standards, defined by the IETF, are crucial to the successful operation of the Internet. This paper presents a large-scale empirical study of IETF activities, with a focus on understanding collaborative activities, and how these underpin the publication of standards documents (RFCs). Using a unique dataset of 2.4 million emails, 8,711 RFCs and 4,512 authors, we examine the shifts and trends within the standards development process, showing how protocol complexity and time to produce standards has increased. With these observations in mind, we develop statistical models to understand the factors that lead to successful uptake and deployment of protocols, deriving insights to improve the standardisation process.

< <http://eprints.gla.ac.uk/250206/2/250206.pdf> http://eprints.gla.ac.uk/250206/2/250206.pdf>

< <https://dl.acm.org/doi/abs/10.1145/3487552.3487821> https://dl.acm.org/doi/abs/10.1145/3487552.3487821>

 

RSSAC056 - RSSAC Advisory on Rogue DNS Root Server Operators

Abstract: In this report, the ICANN Root Server System Advisory Committee (RSSAC) examines both measurable and subjective activities of a root server operator (RSO) that could be considered rogue to inform future Root Server System (RSS) governance bodies. Future RSS governance bodies may use this document to develop a more complete definition of rogue RSO actions and will ultimately be the authority in determining subjective factors such as intent, when judging the actions of a RSO. The audience of this report is the Board of Directors of the Internet Corporation for Assigned Names and Numbers (ICANN), future root server system governance bodies, and, more broadly, the Internet community.

< <https://research.google/pubs/pub50527/> https://research.google/pubs/pub50527/>

 

Interdependence And Network Oversight In 1990s Internet Governance

Abstract: In October 2016, the contract between the United States Department of Commerce and ICANN officially expired. This contract represented a long-standing and close relationship between the United States government and ICANN, a relationship that positioned the U.S. as a kind of linchpin in determining the shape and coordination of the global, extraterritorial internet. This research seeks to address the question: what interests and values shaped ICANN at the time of its establishment and in what ways do debates about this system reflect broader concerns about the U.S.-centric nature of early internet governance policy? I address this question using archival analysis focusing on the Ira Magaziner Electronic Commerce papers at the Clinton Presidential Library in Little Rock, Arkansas. In examining this archive, there are repeated concerns about the U.S.-centric nature of early internet governance policy, concerns that were clear as early as the mid-1990s and which remained at issue with the oversight of ICANN until 2016.

< <https://spir.aoir.org/ojs/index.php/spir/article/view/11926> https://spir.aoir.org/ojs/index.php/spir/article/view/11926>

 

DNS Security—Overview and Analysis [subscription]

Abstract: In an age where data security and encryption is the highest priority in any kind of data communication, DNS are still vulnerable to various kinds of threats and attacks since domain names are still communicated in plaintext. Most of the attacks take place in the Top Level Domains (TLDs) that controls the DNS system. Given below is a study of the current situation and the possible solutions.

< <https://link.springer.com/chapter/10.1007/978-981-15-8221-9_110> https://link.springer.com/chapter/10.1007/978-981-15-8221-9_110>

 

Europäische IP-Adressvergabestelle: Datenschutz versus Datenhort [European IP Address Allocation Authority: Data Protection versus Data Hoard]

Computeradressen für den Internetzugang (IP-Adressen) fallen nicht vom Himmel: Die IETF spezifiziert Internet-Protokolle und hat damit die Kapazität der Adressräume festgelegt: 4,3 Milliarden bei IPv4, 340 Sextillionen bei IPv6.

< <https://www.heise.de/news/Europaeische-IP-Adressvergabestelle-Datenschutz-versus-Datenhort-6304675.html> https://www.heise.de/news/Europaeische-IP-Adressvergabestelle-Datenschutz-versus-Datenhort-6304675.html>

 

Gỡ nút thắt cho hệ thống tài trợ thương mại toàn cầu [Unwinding the bottleneck for the global trade finance system]

... Điều này sẽ tạo ra một thứ giống như tiêu chuẩn chất lượng ISO toàn cầu cho hệ thống thương mại và sẽ hoạt động theo đường lối của Nhóm đặc nhiệm kỹ thuật Internet (IETF), đơn vị phát triển các tiêu chuẩn Internet. Tuy nhiên, quá trình xây dựng sẽ đòi hỏi một cam kết mạnh mẽ từ các ngân hàng, chính phủ, cơ quan thương mại và các tổ chức phi chính phủ.

< <https://vietnambiz.vn/go-nut-that-cho-he-thong-tai-tro-thuong-mai-toan-cau-20211226111143579.htm> https://vietnambiz.vn/go-nut-that-cho-he-thong-tai-tro-thuong-mai-toan-cau-20211226111143579.htm>

 

未來城市：元宇宙之DAO 無大台社群 投票話事 [Future City: The DAO of the Metaverse]

... 在技術層面上，元宇宙裏的標準如何定？科大計算媒體與藝術教授許彬說現時國際上主要有3個機構負責標準化（standardization）工作，讓產品或服務可使用共通的制式，「IEEE主要對應network（網絡）底層制定標準，如Wi-Fi、光纖、藍牙、以太網；而IETF專門做網絡傳輸協議，即如TCP/IP；而最高層的web（網絡應用層面），如world wide web的標準化，就是由W3C去做，這些機構的共通點是通過共識傾出標準」。他舉例IEEE標準化工作經歷多重步驟，包括設立工作小組、起草標準、投票，投票會由用戶、供應商、政府、學者、大小公司等組成投票團，要有75%投票率，再有75%同意票才可通過進行下一重工作，而且若是團體（即公司、政府部門等）項目，一個團體就是一票；若是個人項目即一人一票，防止企業壟斷結果。

< <https://news.mingpao.com/pns/副刊/article/20211226/s00005/1640456257406/未來城市-元宇宙之dao-無大台社群-投票話事> https://news.mingpao.com/pns/副刊/article/20211226/s00005/1640456257406/未來城市-元宇宙之dao-無大台社群-投票話事>

 

崔勇：让科技创新成果能被企业真正地用起来 [Cui Yong: Let the achievements of scientific and technological innovation be truly used by enterprises]

在日前召开的IPv6下一代互联网技术创新与国际标准研讨会上，清华大学教授、中国互联网协会学术工作委员会秘书长崔勇对IETF做了相关介绍。

< <https://www.edu.cn/xxh/focus/li_lun_yj/202112/t20211224_2194672.shtml> https://www.edu.cn/xxh/focus/li_lun_yj/202112/t20211224_2194672.shtml>

 

网络根基面临“卡脖子”风险，下一步该往哪走？ [The network foundation faces the risk of "stuck neck", where should we go next?]

... 他建议，在网络空间领域，要面向“基础设施”和“治理体系”来构建网络空间命运共同体，在互联网码号资源公钥基础设施（RPKI）国际标准建设、多语种域名（IDN）技术实现等关键领域持续引领；广泛参与域名系统生态国际组织（ICANN、IETF）的社群工作，做到“有贡献、有声音、有地位”。

< <https://news.sciencenet.cn/htmlnews/2021/12/471886.shtm> https://news.sciencenet.cn/htmlnews/2021/12/471886.shtm>

 

网络密码方式将发生重大改变 [The way network passwords are encrypted will change significantly]

... 互联网领域的标准化团体——互联网工程任务组（IETF）也宣布了将会遵从NIST决定的方针，从而成为事实上的世界标准。支持现行“RSA密码”的通信规格在网络普及的1990年代后期被广泛应用于全世界。此次改变将是世界标准的通信规格首次发生重大变化。

< <https://www.36kr.com/p/1559209911553920> https://www.36kr.com/p/1559209911553920>

< <https://zh.cn.nikkei.com/industry/itelectric-appliance/47219-2022-01-06-01-32-53.html> https://zh.cn.nikkei.com/industry/itelectric-appliance/47219-2022-01-06-01-32-53.html>

 

毛伟：打造下一代DNS，重塑网络根基 [Mao Wei: Build the next generation of DNS and reshape the foundation of the network]

... 下一代DNS是承载了构建网络空间命运共同体（Domain）、掌握网络关键基础资源（Name）、筑牢网络核心技术（System）三大使命的关键信息基础设施，将全面重塑网络根基。对此毛伟建议，在网络空间领域，要面向“基础设施”和“治理体系”来构建网络空间命运共同体，在互联网码号资源公钥基础设施（RPKI）国际标准建设、多语种域名（IDN）技术实现等关键领域持续引领；广泛参与域名系统生态国际组织（ICANN、IETF）的社群工作，做到“有贡献、有声音、有地位”。

< <https://news.tom.com/202112/4116011056.html> https://news.tom.com/202112/4116011056.html>

 

DNSの設定ミスで大規模障害、会合のオンライン化など2021年の「ドメイン名ニュース」 ["Domain name news" in 2021, such as large-scale failure due to MISCONFIGURATION of DNS, online of meetings, etc.]

... 実際、オンライン開催が続くことで面識のない参加者が交流しづらくなっているという懸念の声が上がっているとあるように、会合の性格によっては大きな課題になっているようである。IETF[*4]などでは、オンライン交流ツール「Gather」を使い会議や交流を行う試みを行っているそうだが、対面での集まりに勝るものは無さそうである。

< <https://ascii.jp/elem/000/004/079/4079206/> https://ascii.jp/elem/000/004/079/4079206/>

 

Россия предлагает соглашение о межгосударственном управлении интернетом [Russia proposes an agreement on interstate internet governance]

... На данный момент есть несколько организаций, которые влияют на управление интернетом: ICANN — Корпорация по присвоению имен и адресов в интернете, IETF — Рабочая группа проектирования интернета, RIRs — Региональные регистратуры, ISOC — Общество интернета.

< <https://officelife.media/news/29957-rossiya-predlagaet-soglashenie-o-mezhgosudarstvennom-upravlenii-internetom/> https://officelife.media/news/29957-rossiya-predlagaet-soglashenie-o-mezhgosudarstvennom-upravlenii-internetom/>

 

**********************

SECURITY & PRIVACY

**********************

UK military chief warns of Russian threat to vital undersea cables [PA Media]

The head of the UK’s armed forces has warned that Russian submarine activity is threatening underwater cables that are crucial to communication systems around the world.

< <https://www.theguardian.com/uk-news/2022/jan/08/uk-military-chief-warns-of-russian-threat-to-vital-undersea-cables> https://www.theguardian.com/uk-news/2022/jan/08/uk-military-chief-warns-of-russian-threat-to-vital-undersea-cables>

 

Preparing for the next large-scale IoT botnet attack

Network operators, CERTs, vendors, and other stakeholders should be aware of emerging Internet of Things (IoT) threats that are quickly evolving and adapting to current defences.

< <https://blog.apnic.net/2021/12/23/preparing-for-the-next-large-scale-iot-botnet-attack/> https://blog.apnic.net/2021/12/23/preparing-for-the-next-large-scale-iot-botnet-attack/>

 

Surviving The New Era of Terabit-Class DDoS Attacks

In March 2018, a massive DDoS disrupted service for the developer platform GitHub. The attack, which lasted for approximately 20 minutes, was the largest on record.

< <https://www.cyberdefensemagazine.com/surviving-the-new/> https://www.cyberdefensemagazine.com/surviving-the-new/>

 

CDN Cache Poisoning Allows DoS Attacks Against Cloud Apps

A Romanian vulnerability researcher has discovered more than 70 flaws in combinations of cloud applications and content delivery networks (CDNs) that could be used to poison the CDN caches and result in denial-of-service (DoS) attacks on the applications.

< <https://www.darkreading.com/cloud/cache-poisoning-of-cdns-allows-dos-attacks-against-cloud-apps> https://www.darkreading.com/cloud/cache-poisoning-of-cdns-allows-dos-attacks-against-cloud-apps>

 

Cache Poisoning at Scale: Identifying and Exploiting over 70 Cache Poisoning vulnerabilities

Even though Web Cache Poisoning has been around for years, the increasing complexity in technology stacks constantly introduces unexpected behaviour which can be abused to achieve novel cache poisoning attacks. In this paper I will present the techniques I used to report over 70 cache poisoning vulnerabilities to various Bug Bounty programs. If you aren't already familiar with the basics of Web Cache Poisoning, I highly recommend you read Practical Web Cache Poisoning by albinowax.

< <https://youst.in/posts/cache-poisoning-at-scale/> https://youst.in/posts/cache-poisoning-at-scale/>

 

The New Normal of Cybersecurity: Examining the Top Three 2021 Trends and 2022 Predictions

The past year has shown organizations that uncertainty and a transformed reality are the new normal in business. While remote work was intended as a temporary response to the global pandemic, it is now considered a regular part of the business environment—fundamentally altering the way companies operate.

< <https://www.cpomagazine.com/cyber-security/the-new-normal-of-cybersecurity-examining-the-top-three-2021-trends-and-2022-predictions/> https://www.cpomagazine.com/cyber-security/the-new-normal-of-cybersecurity-examining-the-top-three-2021-trends-and-2022-predictions/>

 

How widely adopted is anycast in the DNS?

Much has been written about anycast and its effectiveness in enhancing the resilience of the DNS against attacks and failures, and its scaling of DNS nameserver capacity, both in the authoritative and recursive resolver infrastructure.

< <https://blog.apnic.net/2021/12/22/how-widely-adopted-is-anycast-in-the-dns/> https://blog.apnic.net/2021/12/22/how-widely-adopted-is-anycast-in-the-dns/>

 

Cybersecurity Trends for 2022

With the Omicron variant now sweeping through the population at pace and booster jabs well underway, we are expecting 2022 to cement the hybrid working we put in place this year by continuing to work remotely as well as in the office.  This emphasizes, rather than changes, the focus for cybersecurity in 2022 – but that’s not to say it will be ‘just like last year.’ 

< <https://www.infosecurity-magazine.com/opinions/cybersecurity-trends-for-2022/> https://www.infosecurity-magazine.com/opinions/cybersecurity-trends-for-2022/>

 

2021 Cybersecurity Wrap-up and Trends for 2022

As 2021 wraps up, we’re taking stock of the year from our cybersecurity point of view. After a tumultuous 2020, this year continued to be a roller coaster of new workplace conditions, disruptive cyberattacks and optimism in government action. Below we list our top 3 trends and hacks that stood out for 2021, followed by what we see are the trends to watch for in 2021.

< <https://securityboulevard.com/2022/01/2021-cybersecurity-wrap-up-and-trends-for-2022/> https://securityboulevard.com/2022/01/2021-cybersecurity-wrap-up-and-trends-for-2022/>

 

Predicting What 2022 Holds For Cybersecurity

2021 was a fascinating and somewhat terrifying year for cybersecurity, as all our fears regarding cyber-threats have come true in one way or another.  2021 was tricky, as many organizations have been slow to adapt to the new security climate. Predictions aside, complacency is not an option if you plan to survive and thrive in 2022.

< <https://www.forbes.com/sites/emilsayegh/2022/01/06/predicting-what-2022-holds-for-cybersecurity/> https://www.forbes.com/sites/emilsayegh/2022/01/06/predicting-what-2022-holds-for-cybersecurity/>

 

2022 Cybersecurity Predictions to Watch Out For

As eventful as 2020 was – with the world of work turned upside down, thanks to COVID-19 – 2021 was equal to its predecessor. It was a year that bounced from hope to cautious optimism, then back to disquiet. While some of our cybersecurity predictions for 2021 were accurate, like the importance of securing the remote workforce and the ever-increasing sophistication of ransomware, the year came to a close as organizations are forced to address the significant challenges of dealing with the Log4j vulnerability.

< <https://www.cisecurity.org/blog/2022-cybersecurity-predictions-to-watch-out-for/> https://www.cisecurity.org/blog/2022-cybersecurity-predictions-to-watch-out-for/>

 

CISA, FBI, NSA and International Partners Issue Advisory to Mitigate Apache Log4J Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint cybersecurity advisory with technical details, mitigations, and resources to address known vulnerabilities in the Apache Log4j software library. This advisory provides critical guidance that any organization using products with Log4j should immediately implement.

< <https://www.cisa.gov/news/2021/12/22/cisa-fbi-nsa-and-international-partners-issue-advisory-mitigate-apache-log4j> https://www.cisa.gov/news/2021/12/22/cisa-fbi-nsa-and-international-partners-issue-advisory-mitigate-apache-log4j>

< <https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2881834/cisa-fbi-nsa-and-international-partners-issue-advisory-to-mitigate-apache-log4j/> https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2881834/cisa-fbi-nsa-and-international-partners-issue-advisory-to-mitigate-apache-log4j/>

 

lk: Role of cyber security policies and standards in 5G age

The second session of the eighth Annual Daily FT-CICRA Cyber Security Summit held recently covered important aspects of network security standards and compliance with regard to rolling out 5G technology. As global cellular networks evolve to 5G, they are enabling and expanding a more all-things-connected world. However, with this comes an increase in cyberattacks on essential infrastructure like communications systems or power grids. Now, not only will devices like phones be at risk, but perhaps even things like cars, home appliances, or even pacemakers. Therefore, robust network security standards are essential for modelling potential cyber threats on a national level, a personal level, and everywhere in between.

< <https://www.ft.lk/it-telecom-tech/Role-of-cyber-security-policies-and-standards-in-5G-age/50-728621> https://www.ft.lk/it-telecom-tech/Role-of-cyber-security-policies-and-standards-in-5G-age/50-728621>

 

**********************

INTERNET OF THINGS

**********************

IoT predictions for 2022: the what, why and how of the year ahead

We live in connected times. The technology landscape has been reshaped in the wake of the COVID-19 pandemic. Businesses are leaning on automation, data mining and machine learning more than ever before, and the convergence of multiple technologies is creating a groundswell of innovation. Against this backdrop, IoT is moving into the spotlight, providing tangible competitive advantages for businesses operating across a wide range of verticals. At EMnify, we expect to see a raft of transformative market developments as we move into 2022 and beyond. Whatever your strategic focus for 2022, the year ahead is loaded with potential for business and IT leaders, so read on for our top IoT predictions.

< <https://www.information-age.com/iot-predictions-for-2022-what-why-how-of-year-ahead-123498180/> https://www.information-age.com/iot-predictions-for-2022-what-why-how-of-year-ahead-123498180/>

 

3D IoT lidar solutions for smart cities unveiled at CES 2022

Quanergy Systems will showcase its suite of solutions that focus on areas such as retail flow management analytics, building occupancy management, and perimeter intrusion detection.

< <https://www.smartcitiesworld.net/internet-of-things/3d-iot-lidar-solutions-for-smart-cities-unveiled-at-ces-2022> https://www.smartcitiesworld.net/internet-of-things/3d-iot-lidar-solutions-for-smart-cities-unveiled-at-ces-2022>

 

Smart hospitals projected to deploy more than 7 million connected devices by 2026

Internet of medical things devices enable healthcare providers to use remote monitoring sensors and surgical robotics to improve patient care, staff productivity and operational efficiency.

< <https://www.smartcitiesworld.net/health-and-social-care/smart-hospitals-projected-to-deploy-more-than-7-million-connected-devices-by-2026> https://www.smartcitiesworld.net/health-and-social-care/smart-hospitals-projected-to-deploy-more-than-7-million-connected-devices-by-2026>

 

Integrating Nanotechnology into the Internet of Things

The internet of things (IoT) paradigm has long been considered a key incentive to the Fourth Industrial Revolution with the potential to transform the way we live our lives. Yet its impact promises to be enhanced further through the integration of nanotechnology.

< <https://www.azonano.com/article.aspx?ArticleID=5939> https://www.azonano.com/article.aspx?ArticleID=5939>

 

Internet of things hiring levels in the pharmaceutical industry rose in November 2021

The proportion of pharmaceutical companies hiring for internet of things related positions rose in November 2021 compared with the equivalent month last year, with 16.9% of the companies included in our analysis recruiting for at least one such position.

< <https://www.pharmaceutical-technology.com/features/internet-of-things-hiring-levels-in-the-pharmaceutical-industry-rose-in-november-2021/> https://www.pharmaceutical-technology.com/features/internet-of-things-hiring-levels-in-the-pharmaceutical-industry-rose-in-november-2021/>

 

Smart Cities, Data Protection and the Public Interest Conundrum: What Legal Basis for Smart City Processing?

Abstract: Smart city initiatives are projects leveraging information technology and data, often in and/or from the public space, to pursue various public interest and economic related objectives. They process vast amounts of data that in many cases are personal data, triggering the application of the relevant legal framework. This paper analyses the application of the lawfulness principle, which is a fundamental principle of data protection law, in the smart city context. It provides a detailed analysis of the relevant legal bases in the General Data Protection Regulation and the Data Protection Law Enforcement Directive. Two key challenges are demonstrated.

< <https://ejlt.org/index.php/ejlt/article/view/822> https://ejlt.org/index.php/ejlt/article/view/822>

 

Climate, Cyber Risk, and the Promise of the Internet of Things (IoT)

Abstract: The continued cost decline of computer processing capacity along with rapid growth in microprocessor speed, results in today’s increasing rate of technological change and is of historical import. The daily life of billions of individuals worldwide has been forever changed by technological productivity in just the last few years. However, costly and extinction threatening climate change and disruptive data breaches continue at an alarming rate. The challenge and promise facing humans attempting to govern the process of artificial intelligence, machine learning, and the impact of billions of sensory devices connected to the Internet is the subject of this Article.

< <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3969506> https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3969506>

 

**********************

NEW TRANSPORT PROTOCOLS

**********************

Identifying unexpected Internet services

Internet-wide scanning — the process of connecting to every public IPv4 address on a targeted port — is a standard research technique for understanding real-world service configuration and deployment. However, scanning studies often assume that services are hosted on their IANA-assigned ports (for example, HTTPS on TCP/443) and overlook scanning additional ports for unexpected services.

< <https://blog.apnic.net/2021/12/21/identifying-unexpected-internet-services/> https://blog.apnic.net/2021/12/21/identifying-unexpected-internet-services/>

 

Getting the Most Out of Sandboxing

Chris Palmer discusses the nature and particulars of the OS limitations we face, what security gap they leave us with, and what we are doing to make Chromium's large codebase less memory-unsafe. ... Schuster: In what functional areas are your main challenges, so rendering, JavaScript, networking, stuff like that? Palmer: It's mostly JavaScript. Networking is tricky. WebAssembly is tricky. When we give the attacker the ability to run code, like with JavaScript, or WebAssembly, and it used to be Flash before Flash was removed, you're giving the attacker a lot of power and a lot of chances to win. Those have always been tricky. The renderer, therefore, we sandbox it the most heavily because the most dangerous stuff is in there. Similarly, the network process has to parse and deserialize a ton of complicated stuff. QUIC and TLS and HTTP are quite complicated, actually, and there's a fair amount of risk there for attack. We have had some nasty bugs. It's not as dangerous as JavaScript, but it's not exactly easy. I really would like to break out the network process into one per site, because if you take over the network process now, you get access to networking for every site. That's not great. It's harder, but you get more power, and so I'd like to stop that.

< <https://www.infoq.com/presentations/chrome-sandboxing/> https://www.infoq.com/presentations/chrome-sandboxing/>

 

QUIC-EST: A QUIC-Enabled Scheduling and Transmission Scheme to Maximize VoI with Correlated Data Flows [subscription]

Abstract: Progress in communication technologies has fostered the development of advanced interactive applications that require multi-sensor data transmission with low latency and high reliability.

< <https://ieeexplore.ieee.org/document/9433511> https://ieeexplore.ieee.org/document/9433511>

 

Robust QUIC: Integrating Practical Coding in a Low Latency Transport Protocol

Abstract: We introduce rQUIC, an integration of the QUIC protocol and a coding module. rQUIC has been designed to feature different coding/decoding schemes and is implemented in go language. We conducted an extensive measurement campaign to provide a thorough characterization of the proposed solution. We compared the performance of rQUIC with that of the original QUIC protocol for different underlying network conditions as well as different traffic patterns. Our results show that rQUIC not only yields a relevant performance gain (shorter delays), especially when network conditions worsen, but also ensures a more predictable behavior. For bulk transfer (long flows), the delay reduction almost reached 70% when the frame error rate was 5%, while under similar conditions, the gain for short flows (web navigation) was ≈ 55%. In the case of video streaming, the QoE gain (p1203 metric) was, approximately, 50%.

< <https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9559926> https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9559926>

 

Formal Analysis of QUIC Handshake Protocol Using Symbolic Model Checking

Abstract: This work presents a security analysis of the QUIC handshake protocol based on symbolic model checking. As a newly proposed secure transport protocol, the purpose of QUIC is to improve the transport performance of HTTPS traffic and enable rapid deployment and evolution of transport mechanisms. QUIC is currently in the IETF standardization process and will potentially carry a significant portion of Internet traffic in the emerging future.

< <https://ieeexplore.ieee.org/document/9328313> https://ieeexplore.ieee.org/document/9328313>

 

QuicTor: Enhancing Tor for Real-Time Communication Using QUIC Transport Protocol

Abstract: In the past decades, the internet has emerged as the fastest way to access information. However, this revolutionary information age comes with its own set of challenges. The privacy of Internet users is at increasing risk with the advances in surveillance techniques. Users' online behavior, activities, and even personal information are being tracked by ISPs and major tech companies.

< <https://ieeexplore.ieee.org/document/9354777> https://ieeexplore.ieee.org/document/9354777>

 

Programmable Session Layer MULTI-Connectivity

Abstract: Our devices can use a wide range of communication technologies such as multiple cellular technologies (4G/5G), WiFi, and also Ethernet. At the same time, applications have a choice of a wide range of transport protocols such as QUIC and TCP that can be fine-tuned and optimized according to their needs. However, in spite of these advances, offering seamless multiconnectivity to applications continues to be a hard problem.

< <https://ieeexplore.ieee.org/document/9661364> https://ieeexplore.ieee.org/document/9661364>

 

Cheetah: A High-Speed Programmable Load-Balancer Framework With Guaranteed Per-Connection-Consistency

Abstract: Large service providers use load balancers to dispatch millions of incoming connections per second towards thousands of servers. There are two basic yet critical requirements for a load balancer: uniform load distribution of the incoming connections across the servers, which requires to support advanced load balancing mechanisms, and per-connection-consistency (PCC), i.e., the ability to map packets belonging to the same connection to the same server even in the presence of changes in the number of active servers and load balancers.

< <https://ieeexplore.ieee.org/document/9552525> https://ieeexplore.ieee.org/document/9552525>

 

Beyond QUIC v1: A First Look at Recent Transport Layer IETF Standardization Efforts

The transport layer is ossified. With most of the research and deployment efforts in the past decade focusing on the Transmission Control Protocol (TCP) and its extensions, the QUIC standardization by the IETF is to be finalized in early 2021. In addition to addressing the most urgent issues of TCP, QUIC ensures its future extendibility and is destined to drastically change the transport protocol landscape. In this work, we present a first look at emerging protocols and their IETF standardization efforts beyond QUIC v1. While multiple proposed extensions improve on QUIC itself, Multiplexed Application Substrate over QUIC Encryption (MASQUE) as well as WebTransport present different approaches to address long-standing problems, and their interplay expands on QUIC's take to address transport layer ossification challenges.

< <https://arxiv.org/pdf/2102.07527.pdf> https://arxiv.org/pdf/2102.07527.pdf>

 

A Security Model and Fully Verified Implementation for the IETF QUIC Record Layer

Drawing on earlier protocol-verification work, we investigate the security of the QUIC record layer, as standardized by the IETF in draft version 30. This version features major differences compared to Google’s original protocol and early IETF drafts. It serves as a useful test case for our verification methodology and toolchain, while also, hopefully, drawing attention to a little studied yet crucially important emerging standard.We model QUIC packet and header encryption, which uses a custom construction for privacy. To capture its goals, we propose a security definition for authenticated encryption with semi-implicit nonces. We show that QUIC uses an instance of a generic construction parameterized by a standard AEAD-secure scheme and a PRF-secure cipher. We formalize and verify the security of this construction in F.

< <https://eprint.iacr.org/2020/114.pdf> https://eprint.iacr.org/2020/114.pdf>

 

Chrome 97 erscheint mit Websocket-Ersatz [Chrome 97 appears with Websocket replacement]

Das Browser-Team von Google hat die aktuelle Version 97 von Chrome veröffentlicht. Die Veröffentlichung umfasst vergleichsweise wenige neue Funktionen. Erstmals erscheint damit aber auch die Umsetzung des Webstransport-Protokolls in einer stabilen Version des Browsers. Das ist als moderne Alternative zu bisher genutzten Websockets gedacht und basiert auf HTTP/3 und Quic.

< <https://www.golem.de/news/webtransport-chrome-97-erscheint-mit-websocket-ersatz-2201-162197.html> https://www.golem.de/news/webtransport-chrome-97-erscheint-mit-websocket-ersatz-2201-162197.html>

 

深入解析QUIC协议 [Deeply analyse the QUIC protocol]

QUIC(Quick UDP Internet Connection)是Google提出的一个基于UDP的传输协议，因其高效的传输效率和多路并发的能力，已经成为下一代互联网协议HTTP/3的底层传输协议。除了应用于Web领域，它的优势同样适用于一些通用的需要低延迟、高吞吐特性的传输场景。本文从QUIC的由来和优势出发，分享实际项目中需要考虑的问题和解决思路，通过测试对比QUIC和TCP的实际传输能力，希望有助于大家理解和实践QUIC协议。

< <https://www.sohu.com/a/514677401_121040280> https://www.sohu.com/a/514677401_121040280>

 

Chrome 97加入實驗性低延遲雙向通訊WebTransport API [Chrome 97 adds the experimental low-latency two-way communication WebTransport API]

WebTransport相較於現有的雙向通訊API，能夠同時支援可靠與不可靠資料傳輸，並且因為底層使用QUIC協定，建立與關閉連接的成本更低，或將取代WebSockets

< <https://www.ithome.com.tw/news/148720> https://www.ithome.com.tw/news/148720>

 

**********************

OTHERWISE NOTEWORTHY

**********************

Everything you always wanted to know about the Internet (but were afraid to ask) - Research and Education Networking from pioneering to path finding (1/5): 28 Mar 2022

ABSTRACT: You think you know how the internet works, but do you really understand the complexity of today’s pervasive internet or do you think of it simply as a scaled up version of the Arpanet just after TCP/IP was introduced? If you aren’t sure what an ASN is or what MPLS does then these lectures are for you. Although our speakers will cover how the internet was born—and touch on the role that institutes such as CERN played in its development—the focus will be on the technologies, both hardware and software, that enable interconnect billions of devices and move exabytes of data. Even if you do know what an ASN is and understand MPLS, you’re be bound to learn something as these experts explain the rules and standards that regulate these technologies and how they are created and agreed.

< <https://indico.cern.ch/event/1083122/> https://indico.cern.ch/event/1083122/>

 

Everything you always wanted to know about the Internet (but were afraid to ask) - How to break the Internet: a talk about outages that never happened (2/5): 29 Mar 2022

ABSTRACT: You think you know how the internet works, but do you really understand the complexity of today’s pervasive internet or do you think of it simply as a scaled up version of the Arpanet just after TCP/IP was introduced? If you aren’t sure what an ASN is or what MPLS does then these lectures are for you. Although our speakers will cover how the internet was born—and touch on the role that institutes such as CERN played in its development—the focus will be on the technologies, both hardware and software, that enable interconnect billions of devices and move exabytes of data. Even if you do know what an ASN is and understand MPLS, you’re be bound to learn something as these experts explain the rules and standards that regulate these technologies and how they are created and agreed.

< <https://indico.cern.ch/event/1083123/> https://indico.cern.ch/event/1083123/>

 

Everything you always wanted to know about the Internet (but were afraid to ask) - Defining Network Protocol standards (3/5) by Colin Perkins: 30 Mar 2022

ABSTRACT: You think you know how the internet works, but do you really understand the complexity of today’s pervasive internet or do you think of it simply as a scaled up version of the Arpanet just after TCP/IP was introduced? If you aren’t sure what an ASN is or what MPLS does then these lectures are for you. Although our speakers will cover how the internet was born—and touch on the role that institutes such as CERN played in its development—the focus will be on the technologies, both hardware and software, that enable interconnect billions of devices and move exabytes of data. Even if you do know what an ASN is and understand MPLS, you’re be bound to learn something as these experts explain the rules and standards that regulate these technologies and how they are created and agreed.

< <https://indico.cern.ch/event/1083124/> https://indico.cern.ch/event/1083124/>

 

Everything you always wanted to know about the Internet (but were afraid to ask) - Technology 1: Router internals: how these manage to handle the traffic flows (4/5) by Giacomo Bernardi: 31 Mar 2022

ABSTRACT: You think you know how the internet works, but do you really understand the complexity of today’s pervasive internet or do you think of it simply as a scaled up version of the Arpanet just after TCP/IP was introduced? If you aren’t sure what an ASN is or what MPLS does then these lectures are for you. Although our speakers will cover how the internet was born—and touch on the role that institutes such as CERN played in its development—the focus will be on the technologies, both hardware and software, that enable interconnect billions of devices and move exabytes of data. Even if you do know what an ASN is and understand MPLS, you’re be bound to learn something as these experts explain the rules and standards that regulate these technologies and how they are created and agreed.

< <https://indico.cern.ch/event/1083125/> https://indico.cern.ch/event/1083125/>

 

Everything you always wanted to know about the Internet (but were afraid to ask) - Technology 2: Optical fibre transmission: how to cram bits into fibres (5/5) by Kent Lindström: 1 Apr 2022

ABSTRACT: You think you know how the internet works, but do you really understand the complexity of today’s pervasive internet or do you think of it simply as a scaled up version of the Arpanet just after TCP/IP was introduced? If you aren’t sure what an ASN is or what MPLS does then these lectures are for you. Although our speakers will cover how the internet was born—and touch on the role that institutes such as CERN played in its development—the focus will be on the technologies, both hardware and software, that enable interconnect billions of devices and move exabytes of data. Even if you do know what an ASN is and understand MPLS, you’re be bound to learn something as these experts explain the rules and standards that regulate these technologies and how they are created and agreed.

< <https://indico.cern.ch/event/1083126/> https://indico.cern.ch/event/1083126/>

 

Boeing and Airbus warn US over 5G safety concerns

Bosses from the world's two biggest plane makers have called on the US government to delay the rollout of new 5G phone services.

< <https://www.bbc.com/news/business-59737194> https://www.bbc.com/news/business-59737194>

 

Airbus and Boeing express concerns over 5G interference in US

The aerospace giants Airbus and Boeing on Tuesday warned that the US aviation industry had “concerns” about the potential interference of 5G networks with vital flight safety equipment.

< <https://www.theguardian.com/science/2021/dec/21/airbus-and-boeing-express-concerns-over-5g-interference-in-us> https://www.theguardian.com/science/2021/dec/21/airbus-and-boeing-express-concerns-over-5g-interference-in-us>

 

eu: Next Generation Internet innovation catalogue

After three years of operation, the Next Generation Internet (NGI) initiative is delivering a number of concrete technology solutions across a wide range of technology areas. These solutions are now accessible through an online catalogue, presenting hardware, software and apps solutions to build an Internet fit for the digital age, fostering diversity, decentralisation and inclusivity.

< <https://digital-strategy.ec.europa.eu/en/news/next-generation-internet-innovation-catalogue> https://digital-strategy.ec.europa.eu/en/news/next-generation-internet-innovation-catalogue>

 

Celebrating tech improvements and innovations at Bahrain Internet Day

Bahrain Internet Day, which celebrates advancements in technology and promotes tech innovations in Bahrain and the Middle East and North Africa (MENA) region, took place in September 2021 on Zoom. This year’s event, now in its second year, focused on the open Internet model, the role of Network Operator Groups (NOGs) as a catalyst for a successful Internet ecosystem, and Wi-Fi 6 and spectrum. It also looked at the Internet’s role in Bahrain’s economic development.

< <https://www.internetsociety.org/blog/2021/12/celebrating-tech-improvements-and-innovations-at-bahrain-internet-day/> https://www.internetsociety.org/blog/2021/12/celebrating-tech-improvements-and-innovations-at-bahrain-internet-day/>

 

RIPE NCC joins talks to back regional Internet ecosystem

The RIPE Network Coordination Centre (RIPE NCC), a not-for-profit membership organisation, joined leaders and experts in a series of hybrid conferences recently in Dubai to support the development of Internet infrastructure in the Arab region.

< <http://www.tradearabia.com/news/IT_391242.html> http://www.tradearabia.com/news/IT_391242.html>

 

Security System For DNS Using Cryptography

Abstract: To reach another person on the Internet we have to type an address into our computer - a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn't have one global Internet. When typing a name, that name must be first translated into a number by a system before the connection can be established. That system is called the DNS and it translates names like icann.org into the numbers – called Internet Protocol (IP) addresses. ICANN coordinates the addressing system to ensure all the addresses are unique.

< <http://103.47.12.35/bitstream/handle/1/1621/1613101375_Manisha%20Singh_FinalProjectReport%20-%20manisha%20singh.pdf> http://103.47.12.35/bitstream/handle/1/1621/1613101375_Manisha Singh_FinalProjectReport - manisha singh.pdf>

 

The future of the Internet by 2030

The internet is consistently developing a group of technologies that are used are used as a base upon which other applications, processes, or technologies are developed. platform. The initial internet users who were registering from the 1970s to 1980s could not have a clue about the total revolution and the transformative effect the technology would be now which will change the pace and means of communication. 

< <https://www.linkedin.com/pulse/future-internet-2030-ashutosh-kumar/> https://www.linkedin.com/pulse/future-internet-2030-ashutosh-kumar/>

 

RFC 9170 on Long-Term Viability of Protocol Extension Mechanisms

Abstract: The ability to change protocols depends on exercising the extension and version-negotiation mechanisms that support change.  This document explores how regular use of new protocol features can ensure that it remains possible to deploy changes to a protocol. Examples are given where lack of use caused changes to be more difficult or costly.

< <https://www.iab.org/2021/12/30/rfc-9170-on-long-term-viability-of-protocol-extension-mechanisms/> https://www.iab.org/2021/12/30/rfc-9170-on-long-term-viability-of-protocol-extension-mechanisms/>

 

BGP in 2021 – The BGP Table

At the start of each year, I report on the behaviour of the inter-domain routing system over the past 12 months, looking in detail at some metrics from the routing system that can show the essential shape and behaviour of the underlying interconnection fabric of the Internet.

< <https://www.potaroo.net/ispcol/2022-01/bgp2021.html> https://www.potaroo.net/ispcol/2022-01/bgp2021.html>

< <https://blog.apnic.net/2022/01/06/bgp-in-2021-the-bgp-table/> https://blog.apnic.net/2022/01/06/bgp-in-2021-the-bgp-table/>

 

A banana for scale: Why people don’t understand big numbers

There’s a long-running joke on reddit these days, which is the use of a banana for scale. For some reason, people are randomly amused when a banana is used to confirm sizes that we already know.

< <https://blog.apnic.net/2021/12/24/a-banana-for-scale-why-people-dont-understand-big-numbers/> https://blog.apnic.net/2021/12/24/a-banana-for-scale-why-people-dont-understand-big-numbers/>

 

Gaia-X Federation Services: Implementation Phase begins

Gaia-X Milestone: Federation services have now launched its implementation phase, with the first partner companies drawing up the technical specifications by January 2022.

< <https://www.gaia-x.eu/news/gaia-x-federation-services-implementation-phase-begins> https://www.gaia-x.eu/news/gaia-x-federation-services-implementation-phase-begins>

 

Gaia-X Association Releases its Vision and Strategy Document

Gaia-X, a leading professional organisation, has announced the release of its comprehensive Vision and Strategy document, authored by Francesco Bonfiglio, CEO of the Association.

< <https://www.gaia-x.eu/news/gaia-x-association-releases-its-vision-and-strategy-document> https://www.gaia-x.eu/news/gaia-x-association-releases-its-vision-and-strategy-document>

------

David Goldstein

email:  <mailto:david@goldsteinreport.com> david@goldsteinreport.com

web:  <http://goldsteinreport.com/> http://goldsteinreport.com/

Twitter:  <https://twitter.com/goldsteinreport> https://twitter.com/goldsteinreport

phone: +61 418 228 605 - mobile; +61 2 9663 3430 - office/home