Reflections on certificates, Part 2

I had initially planned to focus the sequel of the first part on discussing more use cases, but I meanwhile think it couldn’t hurt to insert a quick presentation of some certificate best practices, in order to make this little series more practical 😉 The following little pieces of advice are addressing three main risks

Reflections on certificates, Part 1

I’ve written a couple of posts on (X.509v3) certificates in the past, starting with this one in 2001. In the two decades since then a number of developments have taken place (to name a few: OCSP, ACME, Let’s Encrypt certificates and the general role of automation). On the other hand the fundamental mechanisms of certificates

RIPE 84

What a lovely week! An in-person RIPE meeting – Jan Žorž said to me over dinner “it immediately felt like home”, and I totally agree. Following some tradition I will summarize a few interesting, IPv6-related talks & other observations from last week in this post. Constanze Bürger: Challenges and Chances of IPv6 Deployment in Public Authorities

RFC 9099 / Intro & Overview

Recently RFC 9099, Operational Security Considerations for IPv6 Networks, was published. It was authored by Éric Vyncke, Kiran Kumar ‘KK’ Chittimaneni, Merike Kaeo and myself, and we plan to write a little series on its objectives & main recommendations on the APNIC Blog. To prepare for that let me provide a short overview of it

IPv6 in Enterprise Wi-Fi Networks

First of all, I wish all readers a very happy new year and all the best for 2022! May the force be with you for your IPv6 efforts ;-). In this post I’m going to discuss some characteristics of IPv6 in common organization-level (as opposed to home networks) Wi-Fi deployments. These characteristics have to be kept

Disaggregated Security Enforcement / Self-service ACLs

In large environments security controls based on packet filtering, such as firewalls and ACLs on network devices, often face an unfortunate dilemma: there’s a gap between the parties understanding the communication needs of an application (say: the application owners) and the parties implementing the actual security enforcement (e.g. the firewall ops team). Those also have

The Role of IP Addresses in Security Processes

Reflecting on IP addresses, and about factors contributing to having a proper inventory of active ones, recently led me to putting up a Twitter poll. Here are the results: Looking at these numbers it seems that quite a few organizations struggle with maintaining a more or less accurate inventory of active addresses in their networks.