Author Archives: Enno
NANOG87
Earlier this week I went to Atlanta for NANOG87. I hadn’t been at a NANOG meeting for a while – I even missed the legendary “World IPv6 Reunion Tour 2022” panel with my friend Jason Fester + some other fine IPv6 folks at NANOG85 in Montréal. Many people mainly join NANOG meetings for the hallway track, …
Reflections on certificates, Part 2
I had initially planned to focus the sequel of the 1st part on discussing more use cases, but I meanwhile think it couldn’t hurt to insert a quick presentation of some certificate best practices, in order to make this little series more practical 😉 The following little pieces of advice are addressing three main risks …
Reflections on certificates, Part 1
I’ve written a couple of posts on (X.509v3) certificates in the past, starting with this one in 2001. In the two decades since then a number of developments have taken place (to name a few: OCSP, ACME, Let’s Encrypt certificates and the general role of automation). On the other hand the fundamental mechanisms of certificates …
Hexacon 2022
I spent the last two days in Paris to attend Hexacon 2022. As usual when I write here about conferences I’ll summarize some talks & observations. I don’t go to many offensive security-only events (it’s well-known that I have thoughts on a certain scene and its [non-] ethics, but on the other hand a periodic …
RIPE 84
What a lovely week! An in-person RIPE meeting – Jan Žorž said to me over dinner “it immediately felt like home”, and I totally agree. Following some tradition I will summarize a few interesting, IPv6-related talks & other observations from last week in this post. Constanze Bürger: Challenges and Chances of IPv6 Deployment in Public Authorities …
IETF 113
Last week I attended the IETF 113 meeting in Vienna. I primarily went there to reconnect in person with some old IPv6 fellows, but also to see what’s going on in the IPv6 standardization space which I hadn’t been following closely in recent times. In this post I’ll shortly summarize some contributions presented in the …
RFC 9099 / Intro & Overview
Recently RFC 9099 Operational Security Considerations for IPv6 Networks was published. It was authored by Éric Vyncke, Kiran Kumar ‘KK’ Chittimaneni, Merike Kaeo and myself, and we plan to write a little series on its objectives & main recommendations on the APNIC Blog. To prepare for that let me provide a short overview of it …
IPv6 in Enterprise Wi-Fi Networks
At first I wish all readers a very happy new year and all the best for 2022! May the force be with you for your IPv6 efforts ;-). In this post I’m going to discuss some characteristics of IPv6 in common organization-level (as opposed to home networks) Wi-Fi deployments. These characteristics have to be kept …
Disaggregated Security Enforcement / Self-service ACLs
In large environments security controls based on packet filtering, such as firewalls and ACLs on network devices, often face an unfortunate dilemma: there’s a gap between the parties understanding the communication needs of an application (say: the application owners) and the parties implementing the actual security enforcement (e.g. the firewall ops team). Those also have …
IPv6 Reporting
I know that some of the readers of this blog are IPv6 cheerleaders in their respective organizations, and as such they might occasionally face questions along the lines of “what’s the state of IPv6 in our company?” or “are we progressing IPv6-wise?” (the latter in particular when dedicated resources are spent on the IPv6 transition …
The Role of IP Addresses in Security Processes
Reflecting on IP addresses, and about factors contributing to having a proper inventory of active ones, recently led me to putting up a Twitter poll. Here are the results: Looking at these numbers it seems that quite a few organizations struggle with maintaining a more or less accurate inventory of active addresses in their networks. …