IIESoc Connections
Yesterday I had the chance to attend IIESoc Connections organized this year in Bangalore. I felt too lazy to write a coherent article, so here are my notes.
Slides for most of the talks are at https://github.com/vaibhavsingh1993/iiesoc_connections_slides
https://www.iiesoc.in/
Infosys Bengaluru campus is ACTUALLY beautiful.
IETF vs W3C
Connections is being held for the first time; themes: SDN, Security, IoT, Application Layer Security
IIESoc mission
RFCs We Love - monthly webinar; Bootcamps - half/full-day instructor-led sessions on Internet protocols; a yearly event
arkko.net
volunteering to IIESoc?
Licklider’s Galactic Network concept
Contextual computing to decrease communication, data leakage
RFC series - way to share notes among researchers - Steve Crocker
ICCC 1973, Kahn
Al Gore found money to invent the internet!!
IETF vs IRTF, ICANN; IETF vs IEEE - everything is open in the IETF
IESG = area directors + IETF Chair
JMAP belongs to the ART area
Why this separation of concerns between ART and security? How do they communicate?
Birds of a Feather (BoF) Session
Internet-Drafts vs RFCs - RFCs are implemented after the fact; the I-Ds are the discussions, and they are what matter - RFCs are breadcrumbs left for people to share their experiences, not a standard
Standards-track RFCs (protocol documents) - Best Current Practice vs Proposed Standard / Internet Standard
congestive collapse - routers with memory - packet distribution using IP addresses, round robin, QoS
IoT vs SDN track, chose IoT.
Time sensitive nature of IoT data is a big issue, latency cannot be ignored now.
IoT is important to talk about in the context of a region, as the issues differ by region (agriculture in Costa Rica)
Scaling up is fine, there is lots of experience, but scaling down is difficult: cost has to be lower, less electricity usage (the cent, the kilobyte, the megahertz)
RFC 7228 - constrained node - assign IP addresses only to things big enough to be "connected"
not everything is the special snowflake it is said to be; everyone is part of a group - IoT
hype IoT: NAT, IPv4, watt-scale power, $40-scale cost, tightly coupled things
real IoT: IPv6, microwatt-scale power, $5-scale cost, loosely coupled
Low-power WAN networks (LPWAN) - interesting working group to join - Anu Gupta ma'am, 6LoWPAN
Constrained RESTful Environments (CoRE) - CoAP is a replacement for HTTP over a common, less expensive transport protocol
JSON is relatively expensive; use CBOR and the security formats for CBOR
Reduce total cost of ownership - self-description and discovery, semantic interoperability
ACE - authentication and authorization for constrained environments (builds on OAuth)
CBOR - data format for transferring binary serialized data
JOSE derived from OAuth JWT
put a misbehaving IoT device in a jail (limit the device's connectivity so it can't do much harm to the network)
secure over-the-air real-time upgrades based on some standard (Secure over-the-air Upgrade) - IETF 100 SUIT BoF - manifest format for updates
If it is not usably secure it is not IoT - Carsten Bormann
Securing IoT - Syam Madanapalli
An IoT device is secure when it does IP, does symmetric crypto, and has a root of trust (how?)
Privacy by Design
functional aspects of IoT security - channel security, root of trust, security management, security fusion, cooperation, security bootstrapping
bootstrapping key infrastructure
Compression in IoT
temporal compression - send only the delta - sounds like contextual computing
key management problems DICE working group?
IoT security improvement
device plus transceiver = IoT device, or is it?
showden.io? website which connects to open camera feed?
mud-interest@cisco.common lear@cisco.com
IETF Security
cfrg working group is where the fireworks happen
TLS1.3
humming process for consensus - people are asked to vote on something and send random data, and the total strength is calculated; this means the organizer cannot tell where each vote came from.
How LetsEncrypt works? - uses ACME protocol
Google DNS server on 8.8.8.8
Never doubt the power of a few committed individuals to change the world. Throughout history, nothing ever has. - Margaret Mead
Security and Privacy
TLS1.3 on Enterprises - Steve Fenter and Darin Pettis
Steve Fenter - US Bank
RSA key exchange: TLS 1.3 cannot support deep packet inspection, because RSA key exchange is no longer supported; Wireshark pcap decryption breaks
TLS1.3 impact on network-based security - Cisco
Stream Control Transmission Protocol and DDoS
DDoS - two types: 1) flooding DDoS, which causes congestion; 2) Slowloris-type attacks. Mirai: ports 23, 2323
Root cause - purely header-based acknowledgement, which means a packet can be generated without opening the data
Security analytics
unauthorized data access cannot be targeted by rule-based ACLs or firewalls
Apache Metron - real-time cybersecurity engine
security analytics - low-entropy systems: try finding the heartbeat
DNS tunneling - systems probably won't block DNS, but you can probably do x-injection in a DNS query (maybe querying for a website) to get payment info
Spam detection in email - naive Bayes?
unsupervised learning - k-means; linear regression to find unknown threats
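The "heartbeat" and DNS-tunneling points above are the kind of thing analytics catches by looking at entropy rather than rules. As an added example (my own code, not from the talk or from Apache Metron), here is a small detector run over constructed resolver log lines: it groups queries by zone and flags zones receiving many distinct, high-entropy leftmost labels, which is the shape of tunnelled data. The two-label zone split and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not from the talk): "<client> <qtype> <qname>"
QUERY_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 3q7kz9v2p1d8mxw4.tunnel.example.net
10.0.0.7 TXT 9xa2l0qb7vn5tj1r.tunnel.example.net
10.0.0.7 TXT c4d1y8rh3kz6wp0e.tunnel.example.net
10.0.0.9 A cdn.example.org
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded or encrypted chunks score high, real words low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """(leftmost label, zone); zone = last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0], ".".join(labels[-2:])


def find_tunnel_candidates(log, entropy_threshold=3.5, min_unique=3):
    """Flag zones that receive many distinct, high-entropy leftmost labels."""
    labels_per_zone = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _client, _qtype, qname = line.split()
        first, zone = split_qname(qname)
        labels_per_zone[zone].add(first)
    flagged = {}
    for zone, labels in labels_per_zone.items():
        avg_entropy = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        if len(labels) >= min_unique and avg_entropy >= entropy_threshold:
            flagged[zone] = {"unique_labels": len(labels), "avg_entropy": round(avg_entropy, 2)}
    return flagged
```

On a real resolver log the unique-label count per zone per time window is the stronger signal; CDN and anti-spam lookups also produce high-entropy labels, so the zone allow-list is where the tuning happens.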
Certificate validation in TLS - trust - centralized(PKI, DNSSEC) vs decentralized (blockchain, PGP)
X.509 cert is the cert you see in Windows. Multi-domain cert (covering, say, 2 services), wildcard certs (e.g. *.google.com). PKCS#10 CSR - copy/paste the CSR into the CA web page, prove ownership by some means, get a cert
Certificate Transparency - Merkle tree of certs - polygora.tech
Cert management is a big pain - ACME, designed as a REST application - LetsEncrypt
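Since ACME came up twice (how LetsEncrypt works, and as the fix for cert-management pain), here is an added example (my own code, not LetsEncrypt's or any ACME client's) of the one piece of the protocol that does the domain-ownership proof: the RFC 8555 key authorization, built from the challenge token and the RFC 7638 thumbprint of the account key, in the two forms the http-01 and dns-01 challenges publish. The account JWK is a constructed placeholder, not a real P-256 point.

```python
import base64
import hashlib
import json


def b64url(data):
    """base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk):
    """RFC 7638 form: required members only, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk):
    """SHA-256 over the canonical JWK, base64url-encoded."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token, account_jwk):
    """Body the client serves at http://<domain>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, account_jwk)


def dns01_txt_value(token, account_jwk):
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# Constructed account key in JWK form (placeholder coordinates); the extra "use" member
# is deliberately present to show that the thumbprint ignores optional members.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y", "use": "sig"}
```

Binding the token to the account key is what stops a third party who can read the challenge from replaying it against their own account; the CA checks the thumbprint half against the key that signed the request.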