Monday, June 8, 2020

The Open Standards Everywhere: Overview

Do you believe that your security depends on Open Standards?

According to Cisco, the number of connected devices worldwide will rise to 50 billion or more by 2021. With this growth in devices, new solutions, and IT services, we will face potential new security issues. Security is the key to the success or failure of the interconnected internet. The key to a successful and secure system is using open standards. Allowing public inspection of code and the contribution of patches is the best way to ensure the security of devices, systems, and solutions.




The Open Standards Everywhere (OSE) training conducted by ISOC provided me with insights into future web security. 

As I learned, it would be everyone's responsibility to guarantee an open, globally-connected, trustworthy, and secure internet for everyone.

Therefore, making your web server as secure as possible and ensuring its availability across the global network of networks is a challenging task.

The latest open and most secure standards introduced by the Internet Engineering Task Force (IETF) are geared for this task. 

ISOC initiated a series of training programs through its chapters to build awareness among web server administrators, so that they support the latest security standards and protocols, see the value in new open Internet standards, and understand how to deploy those standards.

The objective of the ISOC 2020 action plan is to increase the security and availability of web servers by promoting the latest IETF standards and new protocols that can help build a bigger, stronger Internet.

This training provided information on IPv6, which increases the connectivity and security of web servers as well as of the billions of IoT devices that will be connected to the internet.

HTTP/2 provides faster connections that work better for low-bandwidth and mobile use and that are secure and trustworthy.

Another important cryptographic protocol is Transport Layer Security (TLS), the successor to SSL. It is designed to provide increased communications security over a computer network to ensure privacy and data integrity between two or more communicating computer applications.


DNSSEC increases security in DNS systems and prevents attackers from poisoning the responses to DNS requests. 

Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks. 

These new standards help increase the openness, interoperability, and security of the web.


In this blog, you will find:

What is Interoperability?

What is Open Web?

Open standards everywhere on the internet

What are Open Standards?

Open Standards Testing Tools

ISOC Training session on open web standards


IPV6 Concepts


IoT - everything-connected-to-Internet

History of IPV6 

Internet Protocol 6 for IoT

More from the Internet...

IPV6


DNSSEC

TLS

HSTS


What is DNSSEC?

DNS technology was not designed with security in mind. It uses clear-text requests, which attackers in the middle can easily manipulate.

DNSSEC is a security feature in the Domain Name System (DNS). It authenticates the responses to domain name lookups on the internet.

DNSSEC prevents attackers from manipulating or poisoning the responses to DNS requests.

DNS spoofing is an example of an attack on DNS infrastructure where an attacker hijacks a DNS resolver's cache, causing users who visit a website to receive an incorrect IP address that directs them to the attacker's malicious site instead of the one they actually requested.

How does DNSSEC work?

Once activated, DNSSEC generates a public and private key for your zone. The public key is provided to you in the form of DS or DNSKEY records. The records should be configured at the domain provider, where the domain name is registered.

During the deployment of your zone in the network, the network will use the private key to sign all your records. The end-user resolver receives these signatures and checks whether they match the public keys.
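
An added example (not from the original post or the ISOC training material) of how the DS record configured at the domain provider relates to the zone's DNSKEY: following RFC 4034, the DS carries a key tag and a SHA-256 digest of the DNSKEY, so a validating resolver rejects a substituted key. The zone name, the dummy key bytes and the helper names are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical DNS wire format: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bits), protocol (8), algorithm (8), key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1): folded 16-bit sum."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def ds_matches_dnskey(owner, ds_tag, ds_digest, rdata):
    """The comparison a validator makes before trusting a zone's DNSKEY."""
    return key_tag(rdata) == ds_tag and ds_digest_sha256(owner, rdata) == ds_digest

# Constructed sample: a key-signing key (flags 257, protocol 3, algorithm 13)
# with dummy key bytes 0x00..0x3f. This is not a real zone key.
OWNER = "example.com."
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
DS_TAG, DS_DIGEST = key_tag(KSK), ds_digest_sha256(OWNER, KSK)

# A different key under the same name, as a spoofed answer would carry.
FORGED = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))

if __name__ == "__main__":
    print("DS record fields:", DS_TAG, 13, 2, DS_DIGEST.hex())
    print("genuine key accepted:", ds_matches_dnskey(OWNER, DS_TAG, DS_DIGEST, KSK))
    print("forged key accepted: ", ds_matches_dnskey(OWNER, DS_TAG, DS_DIGEST, FORGED))
```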

Saturday, June 6, 2020

Open Standard website testing

Test framework 
Test your web server and record the data.

• 

including TLS 1.3, HSTS, more
• Developed by NLNet Labs with support from many orgs, including ISOC and ISOC NL Chapter



• HTTP/2

Monday, June 1, 2020

IPV6 Concepts


The layered model used in the Internet.


Internet Protocol stack









IPv6 sits in layer 3, the network layer.
It handles pieces of data called packets.


Devices connected to the Internet are hosts or routers. A host can be a PC, a laptop, or an embedded device with sensors and actuators.

They can send and/or receive data packets.


Hosts are the source or destination of the packets. Routers are in charge of packet forwarding.


They are also responsible for choosing the next router.


The packet is finally forwarded towards its final destination.

The Internet is composed of a lot of interconnected routers. They receive data packets on one interface and send them as quickly as possible through another interface towards another forwarding router.

IoT - everything-connected-to-Internet


The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

Future IPV6 IoT
IPv6 sensors world-wide mesh
Physical value measurement
Storage and processing for applications.
Smart Cities, Security .. what else?

DHCPv6
You need to configure a dedicated server that after a brief negotiation with the device assigns an IP address to it. DHCPv6 allows IP devices to be configured automatically.

stateful address autoconfiguration
DHCPv6 keeps state of assigned addresses.





SLAAC: Stateless address autoconfiguration
Devices are configured automatically,
using the router's connectivity to a network.


SLAAC simplifies the configuration of "dumb" devices, like sensors, cameras or any other device with low processing power.

"Plug and net": it simplifies the network infrastructure.
You can build a basic IPv6 network without a server.

The same router that sends packets outside your network is used to configure the IP devices. We are not going to enter into details, but you just need to know that



History of IPv6

ARPAnet was the first decentralized network, created by the
US Department of Defense (DoD) in the seventies.
In 1983 the TCP/IP protocols were introduced. We are still using TCP/IP on the internet today.

The World Wide Web, based on the HTML protocol and a graphical browser interface, popularized the internet. But the IPv4 protocol, with 32 bits, was not enough to support the billions of IoT devices to come in homes, offices, businesses, manufacturing, etc.

The solution is to use a longer IP address space.
The IETF created IPv6 in RFC 1752 (Request for Comments). Today IPv6 coexists with IPv4 on the Internet. Most ISPs and content providers support IPv6.

IPv6 uses

global addressing
host’s address autoconfiguration
every IP device can communicate with every IP device.
End-to-end bidirectional communication
collaborative applications
collecting, storing, sending and accessing information.

Internet Protocol 6 for IoT

IPv6 stands for Internet Protocol version 6
Helps interconnect different data networks.


IP is standardized by the IETF (Internet Engineering Task Force)

IP guarantees interoperability of software.

It supports sending and receiving data between devices.

IP address
Each internet-connected device uses a unique address to send and receive data. IPv6 uses a 128-bit address.

Find your IP

Type

ipconfig on Windows
ifconfig on Linux


IP addresses can be represented in IPv4, IPv6, integer, and hex formats.

IPv4 format

Each address is 32 bits with four 8-bit octets. 

Examples :

192.168.1.0, 198.51.100.0, and 203.0.113.0.

IPv6 

IPv6 addresses are 128 bits,
4 times as long as IPv4 addresses (32 bits).


IPv4 addresses can be written in IPv6 notation.

Two colon characters (::) eliminate groups of zeroes.

::ffff:c000:200
::ffff:c633:6400
0000:0000:0000:0000:0000:ffff:cb00:7100

Integer format

Each section is multiplied by 256^n, where
n is the position of the section from right to left,
starting with 0.

192.168.1.1 = (192 * 256^3) + (168 * 256^2) + (1 * 256^1) + (1 * 256^0)

Hexadecimal format - IP address in base-16 format.

IPv4 192.168.1.1

IPv6 short  ::ffff:c0a8:101

IPv6 long 0000:0000:0000:0000:0000:ffff:c0a8:0101

Integer 3232235777



Hex   0xC0A80101
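
An added example, not part of the original post: it derives each of the formats above from a dotted IPv4 address using the 256^n formula, then reduces any of those spellings back to one canonical address, which is what a filter or allow-list has to do before it compares addresses. The function names are assumptions made for this example.

```python
import ipaddress

def to_integer(dotted):
    """The formula above: each section times 256^n, n counted from the right."""
    sections = [int(s) for s in dotted.split(".")]
    if len(sections) != 4 or any(not 0 <= s <= 255 for s in sections):
        raise ValueError(f"not a dotted IPv4 address: {dotted!r}")
    return sum(s * 256 ** n for n, s in enumerate(reversed(sections)))

def all_formats(dotted):
    """Every representation listed above for one IPv4 address."""
    value = to_integer(dotted)
    high, low = value >> 16, value & 0xFFFF
    return {
        "ipv4": dotted,
        "ipv6_short": f"::ffff:{high:x}:{low:x}",
        "ipv6_long": f"0000:0000:0000:0000:0000:ffff:{high:04x}:{low:04x}",
        "integer": value,
        "hex": f"0x{value:08X}",
    }

def canonical_ipv4(text):
    """Reduce any of those spellings to one IPv4Address before filtering on it."""
    text = text.strip()
    if ":" in text:                        # IPv6 notation
        mapped = ipaddress.IPv6Address(text).ipv4_mapped
        if mapped is None:
            raise ValueError(f"{text!r} is not an IPv4-mapped IPv6 address")
        return mapped
    if text.lower().startswith("0x"):      # hex format
        return ipaddress.IPv4Address(int(text, 16))
    if text.isdigit():                     # integer format
        return ipaddress.IPv4Address(int(text))
    return ipaddress.IPv4Address(text)     # dotted format

def is_private(text):
    """Example policy check, applied only after canonicalisation."""
    return canonical_ipv4(text).is_private

if __name__ == "__main__":
    for name, value in all_formats("192.168.1.1").items():
        print(f"{name:10} {value}")
    for spelling in ("192.168.1.1", "3232235777", "0xC0A80101", "::ffff:c0a8:101"):
        print(f"{spelling:16} -> {canonical_ipv4(spelling)} private={is_private(spelling)}")
```

A check that compares the raw string against a deny-list sees four different values here; after canonicalisation all four are 192.168.1.1.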


MAC address
48 bit unique id of each network card.
Given by the manufacturer.


A MAC address is a unicast Ethernet address.
It represents one interface to the Ethernet LAN.

Each device's MAC address should be unique in order to send/receive data successfully.
8 bits can store one octet.







Interface ID
An IPv6 device uses the MAC address to generate a unique 64-bit interface ID.



Take the MAC address,
Split it into two.
Insert “FFFE” in between.
You have a unique 64 bit address for the host.



Do it for your computer
Find the MAC address
C0-d9-62-91-30-f4
Divide it in the middle
c0-d9-62  91-30-f4
Add FF FE (11111111 11111110)
c0-d9-62 FF FE 91-30-f4
Now we have a 64-bit host address
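
An added example, not part of the original post, that carries out the steps above in code and also runs them in reverse. It follows the modified EUI-64 rule of RFC 4291, which goes one step beyond the walk-through by inverting the universal/local bit of the first octet; the reverse direction shows that an address built this way discloses the hardware address, which is why many hosts use randomised interface IDs instead. The MAC and the two link-local addresses are taken from the ipconfig output on this page; the function names are assumptions.

```python
import ipaddress

def mac_to_interface_id(mac):
    """Modified EUI-64: split the MAC, insert FF FE, flip the universal/local bit."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02          # RFC 4291 step not shown in the manual walk-through
    return bytes(eui)

def link_local_from_mac(mac):
    """fe80::/64 prefix followed by the 64-bit interface ID."""
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return ipaddress.IPv6Address((0xFE80 << 112) | iid)

def embedded_mac(address):
    """MAC an address gives away, or None if the interface ID is not EUI-64 shaped.

    FF FE in the middle is a strong hint rather than proof: a random
    interface ID can contain those two bytes by chance.
    """
    addr = ipaddress.IPv6Address(address.split("%")[0])   # drop the %zone suffix
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02X}" for b in mac)

# Values copied from the ipconfig output on this page.
HOST_MAC = "C0-D9-62-91-30-F4"
HOST_LINK_LOCAL = "fe80::39f1:1df2:d62:dcf3%13"
GATEWAY_LINK_LOCAL = "fe80::3861:86ff:fe5e:9964%13"

if __name__ == "__main__":
    print("interface ID:", mac_to_interface_id(HOST_MAC).hex("-"))
    print("EUI-64 link-local:", link_local_from_mac(HOST_MAC))
    for address in (HOST_LINK_LOCAL, GATEWAY_LINK_LOCAL):
        print(address, "->", embedded_mac(address))
```

The host's configured address does not contain FF FE, so it was not derived from its MAC, while the default gateway's address was.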

Enable IPv6 on your computer
Control Panel > Network & Sharing > LAN Connection

In Raspbian
By default, an IPv6 address is configured in Debian using StateLess Address AutoConfiguration (SLAAC)
See https://wiki.debian.org/DebianIPv6


Explain the following info on your computer
Host Name : shilpa64
Physical Address : C0-D9-62-91-30-F4
DHCP Enabled  : Yes
Autoconfiguration Enabled: Yes
Link-local IPv6 Address: fe80::39f1:1df2:d62:dcf3%13
IPv4 Address  : 192.168.1.105
Subnet Mask: 255.255.255.0
Default Gateway  : fe80::3861:86ff:fe5e:9964%13
                  192.168.1.1
DHCP Server: 192.168.1.1
DHCPv6 IAID: 331405666
DHCPv6 Client DUID : 00-01-00-01-1C-20-0C-59-02-6E-04-7C-02-08
DNS Servers: 192.168.1.1




fe80::39f1:1df2:0d62:dcf3%13
The 13 after % identifies the interface: the one whose index is 13.

On Linux the interface name is used, for example fe80::15c3:6bea:aaac:a016%eth0.

ping -6 localhost
ping -6 fe80::39f1:1df2:0d62:dcf3

Use ping6 on Linux

https://www.vultr.com/tools/
https://www.ultratools.com/
http://ipv6-test.com




Find IPV4 address of google.com
Convert IP to IPV6, integer and hex formats
Ping -6
Ping 0xDEA5A358


IPv6 addresses

An IPv6 address is 128 bits long.

It has 3 main parts:

  • Network address -
    the first three groups (first 48 bits)

  • Subnet address -
    the fourth group (next 16 bits)

  • Device address -
    the last four groups (next 64 bits)

Example:

2001:db8:abcd:0012:0000:0000:0000:0000

The network address = 2001:db8:abcd
Subnet address is 0012

IPv6 prefix
Each network device has a unique device address.

The network address and subnet address are the same for every device in the network.

The first four groups of an IPv6 address are the constant network ID.
The last four groups vary with the device and give the host ID.

The prefix indicates the range of devices.
/1 to /128

2001:db8:abcd:0012::/64  used in LANs
It divides the network into 64 subnetworks. 

Example
Network
2001:0DB8:ABCD:0012:0000:0000:0000:0000

Network Prefix
2001:db8:abcd:0012::0/64   

0012  is subnet

IP Range

start 2001:0DB8:ABCD:0012:0000:0000:0000:0000 

end  2001:0DB8:ABCD:0012:FFFF:FFFF:FFFF:FFFF


IPV6 Summary address
Example
2001:DB8:1234:ABA2::/64
2001:DB8:1234:ABC3::/64
Each hextet represents 16 bits.
The first three hextets are the same (2001:DB8:1234)
so we have 16 + 16 + 16 = 48 bits 

Look at last hextet:

ABA2
ABC3
convert these from hexadecimal to binary
ABA2    1010101110100010
ABC3    1010101111000011
first 9 bits are the same

To get summary address
zero out last 7 bits
AB80    1010101110000000
The first three hextets are the same and
in the 4th hextet we have 9 bits that are the same.
48 + 9 = 57 bits.
The summary address is 2001:DB8:1234:AB80::/57
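
An added example, not part of the original post, covering both the IP range of a prefix and the summary address calculation above. It generalises the hand method to any number of prefixes by finding the leading bits they all share, and it counts how many /64 networks the summary covers beyond the ones that were summarised, which matters when the summary is used in a firewall rule or route filter. The function names are assumptions.

```python
import ipaddress

def address_range(prefix):
    """First and last address of a prefix, in the long form used above."""
    net = ipaddress.IPv6Network(prefix)
    return net[0].exploded, net[-1].exploded

def summarize(prefixes):
    """Longest prefix that contains every input prefix (shared leading bits)."""
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    first = int(nets[0].network_address)
    differing = 0
    for net in nets[1:]:
        differing |= first ^ int(net.network_address)
    # Every bit above the highest differing bit is common to all inputs.
    length = min(128 - differing.bit_length(), min(n.prefixlen for n in nets))
    mask = ((1 << length) - 1) << (128 - length)   # zero out the remaining bits
    return ipaddress.IPv6Network((first & mask, length))

def extra_subnets(summary, prefixes, size=64):
    """Number of /size networks inside the summary that were not in the input.

    Assumes every input prefix is itself a /size network.
    """
    wanted = {ipaddress.IPv6Network(p) for p in prefixes}
    return 2 ** (size - summary.prefixlen) - len(wanted)

# The LAN prefix and the two networks from the worked examples on this page.
LAN = "2001:db8:abcd:0012::/64"
SUBNETS = ["2001:DB8:1234:ABA2::/64", "2001:DB8:1234:ABC3::/64"]

if __name__ == "__main__":
    start, end = address_range(LAN)
    print("start", start)
    print("end  ", end)
    summary = summarize(SUBNETS)
    print("summary", summary)
    print("other /64 networks also covered:", extra_subnets(summary, SUBNETS))
```

The /57 summary spans 128 /64 networks, so a rule written against it also matches 126 networks other than ABA2 and ABC3.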





ipconfig /all