<?xml version="1.0"?>
<!-- name="generator" content="blosxom/2.0" -->
<!DOCTYPE rss PUBLIC "-//Netscape Communications//DTD RSS 0.91//EN" "http://my.netscape.com/publish/formats/rss-0.91.dtd">

<rss version="0.91">
  <channel>
    <title>Rants</title>
    <link>http://www.x0.dk/rants</link>
    <description>Grmpf.</description>
    <language>en</language>

  <item>
    <title>Nem^H^H^HNejID</title>
    <link>http://www.x0.dk/rants/2010/04/27#05-NejID</link>
    <description>
&lt;p&gt;
So now it's going to be obligatory to use &lt;A HREF=&quot;http://nemid.nu/&quot;&gt;
NemID&lt;/A&gt; for authenticating and securing transactions with public
services in Denmark (for instance, taxes, social security information)
but also for Electronic Banking (i.e. &quot;netbank&quot;), after the 1st of July 2010.

&lt;p&gt;
The problem is that there's a perfectly functional solution existing today
in the form of &quot;Digital Signature&quot;, which is widely used.  It's an X.509
solution using public key cryptography.  In layman's terms: a private key
is owned and maintained by you, and no one else, and a public key, widely
distributed, is signed by a trusted public authority.  The key (no pun
intended) element here is &quot;private key&quot;.  You are the sole administrator
of that key, in fact if you lose that key or forget the password that
protects (decrypts) it, you will have to contact the issuer (DanID) and
ask for a new key pair to be generated (a new &quot;Digital Signature&quot;).

&lt;p&gt;
Apart from the new pricing model (NemID will be more expensive for
businesses), and the fact that the signature will be combined with
a &quot;one-time password&quot; list of passwords (which is always an
improvement) there is a major flaw in how NemID will be implemented:

&lt;p&gt;
The public &lt;b&gt;and&lt;/b&gt; private keys will be stored by NemID.  What this means
is that your private key is no longer private.  This is not mentioned
on the NemID website, but a couple of articles (in Danish -- the NemID website
itself is in Danish only as well) have detailed the problem:

&lt;p&gt;
&lt;ul&gt;
&lt;li&gt; &lt;A HREF=&quot;http://ovovow.dk/nemid/&quot;&gt;http://ovovow.dk/nemid/&lt;/A&gt;
&lt;li&gt; &lt;A HREF=&quot;http://www.version2.dk/artikel/14483-banker-tvinger-nemid-igennem-til-alle-netbank-brugere&quot;&gt;http://www.version2.dk/artikel/14483-banker-tvinger-nemid-igennem-til-alle-netbank-brugere&lt;/A&gt;
&lt;/ul&gt;

&lt;p&gt;
Here are the issues as I see them:

&lt;ul&gt;
&lt;li&gt;If NemID stores the private keys, they are no longer private
&lt;li&gt;There are no advantages whatsoever to using a public/private key system if the key is no longer private
&lt;li&gt;NemID is promoting NemID as a Digital Signature solution, when in fact &quot;Digital Signature&quot; has a very specific meaning in Danish law, i.e.: the private key must remain private, among other requirements.  One could argue that NemID is at the very least misrepresenting the product they are promoting, and maybe even breaking Danish law.  I'm no expert, I'll leave it up to the lawyers to decide.

&lt;li&gt;The fact that a single company, with a monopoly on electronic payment solutions in Denmark, will have access to all private keys for all citizens and residents, AND these keys will be used to access ALL public online services AND online banking services in Denmark, makes me very uncomfortable.
&lt;li&gt;I could say more about the operational stability of PBS, or a few of their past technical breakdowns, but that is unfortunately not something I want to detail here.  Just searching on &lt;A HREF=&quot;http://version2.dk/&quot;&gt;http://version2.dk/&lt;/A&gt; for PBS should give you an idea.
&lt;/ul&gt;

&lt;p&gt;
NemID argues that if they wanted to abuse their position of trusted party and defraud their customers, they could have done so long ago.  The issue is not so much that of trust (an entire discussion by itself) but the fact that NemID becomes a choice target for industrial attacks (&quot;hacking&quot;).  Except it's not credit card numbers we're talking about, but entire digital identities.  Before, this was mitigated by the fact that one had to install spyware on many personal computers and use keyboard loggers to capture passphrases.  Now, it's the old Egyptian tomb raider solution: forget the big granite door in front, just dig around the limestone walls.

&lt;p&gt;
Finally, NemID argues that since the certificates are not &quot;qualified&quot; (the
identity of the person to which the certificate is assigned is not physically
verified, but only implied through your Danish CPR number and paper post),
there is no requirement to treat NemID as a &quot;Digital Signature&quot;.  So why
market it/promote it as such ?

&lt;p&gt;
As a result of this, I've written to my bank, Danske Bank, with which I have
been very happy so far.  Here is a list of the mails exchanged so far.  I'm relatively positive about the answer I have received, but I'm not holding my breath.

&lt;p&gt;
I encourage you to write to your bank and ask them to which extent they
intend to enforce NemID as the sole solution to access your electronic
banking.  Maybe we can make enough noise to attract the attention of
lawmakers and politicians.  If we make it their problem, they'll get
grumpy and start asking questions to the Danish National IT and Telecom
Agency (the regulators, who until now have been suspiciously quiet in this
matter), and maybe to PBS/NemID themselves...

&lt;pre&gt;
From: me
To: Danske Bank

Hi,

I have a question regarding NemID.  Is Danske Bank also planning
to switch over to NemID?  I have a problem with NemID, in that
it does not comply with the legal requirements for Digital Signature,
and it will force me away from Danske Bank if you use NemID :(

- - - -

From: Danske Bank
To: me

Hi

As can be seen from the below, Danske Bank and all other financial
institutions are planning to move to NemID.

In order for a standardised digital signature to become widespread in
Denmark, the Danish financial institutions have agreed to operate a common
security solution for online banking. The solution is called NemID, and it
has also been accepted by the State as granting access to e.g. Skat,
Borgerservice, eTinglysning, etc. This fulfils an essential prerequisite
for the digitalisation of society.

- - - -

From: me
To: Danske Bank

Hi Xxxxx,

The problem is that DanID keeps a copy of the signature -- that is directly
contrary to the legal requirements.  That is not the case with the current
Digital Signature solution, where only the user has a copy of the private key.

http://www.version2.dk/artikel/14483-banker-tvinger-nemid-igennem-til-alle-netbank-brugere

&quot;NemID in fact breaks with the principle behind the current digital signature by storing both the public and the private key for a signature centrally at DanID&quot;

Designing and implementing security solutions is my day job, and
here PBS/NemID has committed too serious a violation of security
principles.  I am unfortunately obliged to inform you that I will
start looking for a bank that does not force its customers to use
the NemID solution as the only login option for its online banking.

- - - - -

From: Danske Bank
To: me

Hi

We are looking into the matter and will get back to you as soon as
possible.

Kind regards

- - - -</description>
  </item>
  <item>
    <title>I've heard of code freeze, but please...</title>
    <link>http://www.x0.dk/rants/2009/07/31#04-too-cold-for-the-firmware</link>
    <description>&lt;p&gt;
The least they could have done is indicate WHICH versions
on WHICH hardware.  The explanation below reads like the
extended version of Excuse Of The Day.
&lt;p&gt;
*cough*
&lt;p&gt;

&lt;pre&gt;
From: Customer Services &lt;customer.services@xxxxxxxxxx.com&gt;
Date: xxxxxxxxxxxxxx
To: xxxxxxxxxxxxxxx
Subject: xxxxxxxxx

Re: xxxxxxxxxxxxx Datacentre affected by heavy storm

Dear Valued Customer,

Further to the storm on the XXth of XXXX, we investigated on what  
happened. The Inergen release in XXX has been investigated by  
internal and external experts, and no failures or unexpected  
parameters or tracks have been found. The investigation has covered  
areas such as pressure, temperature, dust, gas, air speed,  
vibrations and turbulence.

Inergen is the industry preferred solution to extinguishing fire in  
data center. However, failed hard drives in connection with the use  
of Inergen in different rooms have been investigated by the  
manufacturer, and their conclusion are:

A sudden temperature change of up to 2-3 degrees within 1 second,  
which some servers have experienced (normal recommendations are max  
5 degrees within 1 hour) have caused some raid controllers, SCSI  
disks and HD to be unstable.

The combination of this instability and a low firmware/driver  
version has caused some of these controllers/disks to fail after a  
period of time (not all failures are recorded at the same time).

The investigation also shows that not all affected disks had  
failures, but the failure in the SCSI/raid has caused the disks to  
fail.

Therefore the conclusion to the failures is that low firmware/driver  
versions are not sufficiently resilient for any Inergen generated  
shift of temperature and an upgrade of firmware/drivers can be  
needed in order to eliminate the chance of failure in the future.

Thus xxxxxxxxxx recommends that all customers ensure that the newest  
supported/tested available version of firmware and drivers are  
installed.

Furthermore, based on the incident, xxxxxxxxxx will continue to  
investigate if change in infrastructure or parameters can reduce the  
impact on the installed hardware in case of any Inergen release.

All related fire extinguishing systems will be back in normal mode  
at end this week.

An incident report has been finalized.

If you have any questions regarding this communication, please  
contact xxxxxxxxxxxx or send an e-mail to customer.services@xxxxxxxxxx.com.
Please reference above ticket number when you call.

Respectfully,

xxxxxxxxxx European Customer Service Center
&lt;/pre&gt;</description>
  </item>
  <item>
    <title>Chelonia Mobile -- or -- IPv6 for the people</title>
    <link>http://www.x0.dk/rants/2009/02/06#03-ipv6-for-the-people</link>
    <description>
&lt;p&gt;
A couple of weeks ago, I helped my mom, who lives in Paris, to set up
her new ADSL connection.  Nothing unusual there, most of you reading
this have to live with the occasional burden of being the first
line of PC support for your family and friends.  Those who won't
take &quot;... but I &lt;I&gt;don't&lt;/I&gt; work with PCs!&quot; for an answer.

&lt;p&gt;
I'd decided to migrate her away from her current TV/Internet cable
provider which had been getting more expensive with nothing of value
to offer for the price hike.  We're talking 60 EUR / month (ca. 450
DKK, for the Euro-challenged), which by French Internet market
standards is pretty expensive.  For this, she was getting 40-or-so
channels, IP telephony, and 4/1 Mbps Internet (100/4 Mbps if we
renewed the contract, which we didn't).

&lt;p&gt;
So I made her subscribe to &lt;A HREF=&quot;http://www.free.fr/adsl/&quot;&gt;Free&lt;/A&gt;,
the second largest DSL provider in France (after France Telecom/Orange,
the legacy national operator).

&lt;p&gt;
I guided my mom through the installation over the phone, since
I live in Copenhagen; and while my mom is no technical guru (she
still calls me when she receives popups from Software Update
on the Mac, asking me if it's safe to say &quot;Accept&quot;), we got things
up and running in under a couple of hours.

&lt;p&gt;
Free likes to do things differently.  Take for instance the way
they price their access. With Free, you don't pay more if you want a higher
speed service. Free provisions your DSL at the highest speed the
loop will allow, which in the case of the copper at my mom's place,
is 18 Mbit/s down and 1 Mbit/s up.  Not too bad.  Had the DSLAM
been closer, it would have been 24 Mbit/s.

&lt;p&gt;
And of course she gets IP telephony.  Flatrate to all landlines in
Europe, and North America.

&lt;p&gt;
Then you get the 150 channels in the base package.  There's 300 to
choose from, and you can pick individual channels.  Want CNN ?
That's 0,7 EUR / month on top (5 DKK).

&lt;p&gt;
And it's much cheaper...  30 EUR / month (225 DKK).

&lt;p&gt;
Like I mentioned earlier, Free likes to do things differently.  Both
the founder (Xavier Niel) and technical director (Rani Assaf) have
a reputation for being mavericks.  For example, Free was one of the first, if
not the first, ISP to develop an in-house combination DSL modem and
set-top-box/video recorder, the &lt;A
HREF=&quot;http://en.wikipedia.org/wiki/Freebox&quot;&gt; Freebox&lt;/A&gt;. This gave
them a huge advantage over the competition when it came to providing
extra services, a long time before anyone else.

&lt;p&gt;
Features like VideoLan client (&lt;A
HREF=&quot;http://www.videolan.org/vlc/&quot;&gt;VLC&lt;/A&gt;) support, allowing you
to watch any of the subscribed channels, or a pre-recorded program,
from any computer in the home.  Or do the reverse: the VLC client
in the set-top-box will let you watch films stored on your computer,
provided you can serve them over HTTP.  Or SIP service so you can
use your VoIP line from anywhere in the world.  Did I mention the
fact that the set-top-box is HD, has a built-in hard disk recorder,
and communicates with the DSL modem using &lt;A
HREF=&quot;http://en.wikipedia.org/wiki/Power_line_communication&quot;&gt; PLC&lt;/A&gt; ?
If for some reason that doesn't work, no problem, they'll just
switch to WiFi.

&lt;p&gt;
I almost forgot the reason I was writing this in the first place.

&lt;p&gt;
IPv6.

&lt;p&gt;
You know, the protocol that according to various Danish ISPs,
&lt;A HREF=&quot;http://blog.kramse.dk/blojsom/blog/default/2009/02/05/IPv6-på-internetforbindelser-i-Danmark-2009?tb=y&amp;entry_id=153&quot;&gt;&quot;... only Vista implements ...&quot;, or
&quot;... hasn't been deployed yet ...&quot;&lt;/A&gt;

&lt;p&gt;
Did I mention that Free doesn't like to do things like anyone else ?

&lt;p&gt;
Actually, Free isn't the only French ISP to deploy IPv6.  In fact,
&lt;A HREF=&quot;http://www.nerim.fr&quot;&gt;Nerim&lt;/A&gt; was the first to offer native IPv6,
already in &lt;A HREF=&quot;http://www.nerim.fr/ipv6&quot;&gt;March 2003&lt;/A&gt;, mostly
targeted to their semi-professional customers.

&lt;p&gt;
But the way it happened in Free's case, was that Rani Assaf got
tired of the loud handful of geeks on the Free support newsgroups
inquiring as to when IPv6 would be available.  As a response,
he wrote in the same support forum:

&lt;p&gt;
- Find 10.000 people who are interested by this gadget, and we'll
  do it for 1 EUR / month
&lt;p&gt;
- Find 100.000 people, and we'll do it for free.

&lt;p&gt;
They got &lt;A HREF=&quot;http://ipv6pourtous.free.fr/rani/&quot;&gt;24.000 signatures&lt;/A&gt;
(they do have &lt;A HREF=&quot;http://francois04.free.fr/estimation.php&quot;&gt;3.5 million&lt;/A&gt;
subscribers...), and they ended up delivering IPv6 at no additional cost.
Some will argue it's not native IPv6 (they tunnel IPv6 back to their core using
a variation of 6to4 called &lt;A HREF=&quot;http://www.ietf.org/internet-drafts/draft-despres-6rd-02.txt&quot;&gt;6to4rd&lt;/A&gt;,
where it's pure IPv6 once again), but hey, ping6 tells me it works.

&lt;p&gt;
Since then, other businesses are catching up, and competition is
fierce.

&lt;p&gt;
OVH, a large hosting company established in France and a few other
European countries, offers colocated servers to rent (the &lt;A
HREF=&quot;http://www.kimsufi.com/&quot;&gt;Kimsufi&lt;/A&gt;)
from basic virtual server with 9 GB of space at 40 DKK / month, to
dedicated machines for 150 DKK / month.  And this includes unlimited
bandwidth... and native IPv6.

Free has an &lt;A HREF=&quot;http://www.dedibox.fr/&quot;&gt;equivalent&lt;/A&gt;, albeit at a slightly
higher price.
&lt;p&gt;
In the case of my mom's DSL, it was very easy to enable IPv6.  By
default the Freebox functions as a bridge (probably not a wise
choice security-wise), but it took only a couple of clicks on
Free's user portal to change the operation mode to router, enabling
DHCP, firewall and NAT services on the Freebox, as well as IPv6
router advertisement.

&lt;p&gt;
All that was left was to enable IPv6 autoconfiguration on my mom's
Mac, and once that was done, IPv6 was active.

&lt;p&gt;
So what does my mom get out of all this ?  Well, she doesn't know
or care what IPv6 is.  She's 66, and she's a &lt;a HREF=&quot;http://dvdb.fr&quot;&gt;
painter&lt;/A&gt;.  In her most recent mail, she was waiting for one of
her friends to pass by and show her how to record stuff on the Freebox.
Just before that she'd called me to make sure it was still all right
to say OK to the Software Update dialog.

&lt;p&gt;
But without knowing it, she's already using IPv6.  Nameservers,
a few websites, Google if you &lt;A HREF=&quot;http://www.google.com/intl/en/ipv6/&quot;&gt;
set up your caching nameservers correctly&lt;/A&gt;.

&lt;p&gt;
And I know that if I told her to point her browser to
&lt;A HREF=&quot;http://www.kame.net&quot;&gt;www.kame.net&lt;/A&gt; the turtle on the
screen would move...

&lt;p&gt;
&lt;CENTER&gt;
&lt;A HREF=&quot;http://x0.dk/kame-anime-small.gif&quot; TARGET=&quot;_blank&quot;&gt;&lt;IMG SRC=&quot;http://x0.dk/kame-noanime-small.gif&quot;&gt;&lt;/A&gt;

&lt;p&gt;
(thank you Itojun)
&lt;/CENTER&gt;

&lt;p&gt;
&lt;B&gt;References&lt;/B&gt;

&lt;UL&gt;
&lt;LI&gt; http://www.kame.net/ - the KAME IPv6 project
&lt;LI&gt; http://rosie.ripe.net/ripe/meetings/ripe-57/presentations/uploads/Thursday/Plenary%2014:00/upl/Colitti-Global_IPv6_statistics_-_Measuring_the_current_state_of_IPv6_for_ordinary_users_.7gzD.pdf - IPv6 for ordinary users
&lt;LI&gt; http://www.free.fr/adsl/ - Free.fr
&lt;LI&gt; http://ipv6pourtous.free.fr/rani/ - Free IPv6 petition
&lt;LI&gt; http://en.wikipedia.org/wiki/Free_(ISP) - Information about Free on Wikipedia
&lt;LI&gt; http://iliad.fr/en/presse/2007/CP_IPv6_121207_eng.pdf - Press release about IPv6 availability
&lt;LI&gt; http://www.nerim.fr/ipv6 - Nerim, first ISP to offer native IPv6 to DSL subscribers.
&lt;LI&gt; http://francois04.free.fr/estimation.php - Free DSL customers estimates
&lt;LI&gt; http://www.ietf.org/internet-drafts/draft-despres-6rd-02.txt - 6to4rd
&lt;LI&gt; http://en.wikipedia.org/wiki/Power_line_communication - communication over power lines
&lt;LI&gt; http://www.kimsufi.co.uk/ / http://www.kimsufi.com/ - Kimsufi hosting
&lt;LI&gt; http://en.wikipedia.org/wiki/Local_loop_unbundling - LLU - Local loop unbundling
&lt;LI&gt; http://www.bbwo.org.uk/broadband-3044 - 2005 DSL report for western europe
&lt;LI&gt; http://www.google.com/intl/en/ipv6/ - Google over IPv6
&lt;/UL&gt;</description>
  </item>
  <item>
    <title>URGENT - HELP ME RETRIEVE 170 MILLION U.S. DOLLARS</title>
    <link>http://www.x0.dk/rants/2008/12/04#02-itfactory</link>
    <description>
&lt;PRE&gt;
HELLO MY NAME IS STEIN BAGGERS AND I AM A 41 YEAR OLD BUSINESS MAN AND
CEO OF THE COMPANY IT FACTORY. I HAVE 170 MILLION US DOLLARS THAT I NEED
TO RETRIEVE, FROM A BANK ACCOUNT IN DENMARK.

I AM CURRENTLY LIVING IN THE BAHAMAS, BUT I AM NOT ABLE TO GET THIS HARD
EARNED MONEY TRANSFERRED TO ME, AND THIS IS WHY I NEED YOUR HELP.

I HAVE AN EQUIVALENT 170 MILLION US DOLLARS STUCK IN A BANK IN DENMARK,
BUT THEY ARE IN DANISH KRONER. FOR SOME REASON THEY DON'T LIKE DENMARK
IN DUBAI AND THE REST OF THE MIDDLE EAST, AND IN THE BAHAMAS THEY HAVE
NEVER HEARD OF KRONER, AND KEEP SAYING &quot;EURO! EURO!&quot;. I CAN'T BELIEVE I
DIDN'T THINK ABOUT THIS PROBLEM BEFORE I LEFT.

I AGREE TO REWARD YOU WITH PART OF THE MONEY FOR YOUR ASSISTANCE,
KINDNESS AND PARTICIPATION IN THIS CHARITABLE PROJECT. THIS MAIL MIGHT
COME TO YOU AS A SURPRISE AND THE TEMPTATION TO IGNORE IT AS UNSERIOUS
COULD COME INTO YOUR MIND BUT PLEASE CONSIDER IT A HELP TO A POOR FELLOW
WHO HAS TO BUY A NEW MERCEDES AND PORSCHE.

YOU ARE AT LIBERTY TO USE YOUR DISCRETION TO DISTRIBUTE 10% OF THE MONEY
AND FEEL FREE AS WELL TO REIMBURSE YOURSELF WHEN YOU HAVE THE MONEY FOR
ANY EXPENSES YOU INCUR IN THE COURSE OF COLLECTING THE MONEY.

KINDLY EXPEDITE ACTION AND CONTACT ME VIA E-MAIL:
ITFACTORY4EVER@YAHOO.COM IF THIS PROPOSAL IS ACCEPTABLE TO YOU.

BEST REGARDS, MR STEIN BAGGER
&lt;/PRE&gt;</description>
  </item>
  <item>
    <title>We are running out of IPv4 addresses...</title>
    <link>http://www.x0.dk/rants/2007/10/08#01-ipv6</link>
    <description>
&lt;p&gt;
and there's &lt;A HREF=&quot;http://www.networkworld.com/community/node/14969&quot;&gt;no slowing down&lt;/A&gt;
&lt;p&gt;
I remember messing around with IPv6 for the first time almost 10 years
ago, while setting up a training installation at the
&lt;a href=&quot;http://www.isoc.org/inet98/net.shtml&quot;&gt;INET 1998&lt;/a&gt; workshops
in Geneva. It was straightforward to get the Windows NT (MSRIPv6), BSDi,
FreeBSD and Linux hosts to autoconfigure themselves on the local subnet
and communicate using IPv6. The general enthusiasm reflected one idea:
&quot;We're going to migrate to IPv6&quot;. At no point do I remember thinking
&lt;i&gt;&quot;gee, and how will they communicate with IPv4 ?&quot;&lt;/i&gt;.
I don't remember anyone talking about the transition itself, or the protocols
involved.

&lt;p&gt;
As a followup to the recent announcement that the
IETF's IPv6 Working Group had effectively been &lt;a
href=&quot;http://www1.ietf.org/mail-archive/web/ietf-announce/current/msg04122.html&quot;&gt;dissolved&lt;/a&gt;, some
&lt;a href=&quot;http://www.merit.edu/mail.archives/nanog/msg03387.html&quot;&gt;
individuals&lt;/a&gt; on the NANOG list have been pointing out the
apparent fact that, while a lot of time and effort was spent
on designing &quot;IPNG&quot;, as IPv6 was originally called, including
all the bells and whistles that IPv4 lacked, like QoS, IPsec,
autoconfiguration, prefix hierarchisation, (effectively a
&lt;a href=&quot;http://en.wikipedia.org/wiki/Second-system_effect&quot;&gt;Second System
Effect&lt;/a&gt;), not a lot of thinking has gone into the effective migration
away from IPv4 to IPv6, and more importantly, how IPv6 and IPv4 users
are supposed to talk together -- at least not on the massive scale of
today's Internet.

&lt;p&gt;
Today this issue is very much present in the minds of network
operators around the globe. A few are very aware of the wall that's
looming ahead, and are trying to spread
&lt;a href=&quot;http://www.iepg.org/2007-07-ietf69/070722.v6-op-reality.pdf&quot;&gt;the message&lt;/a&gt;.
After the Year 2000 hype (at least, as it was perceived by the general public),
it's difficult to get worked up about impending doom scenarios, especially
those the date of which keeps changing.

&lt;p&gt;
The fact is, IPv6 and IPv4 are not compatible &lt;i&gt;on the wire&lt;/i&gt;.
This means that IPv4 and IPv6 are different protocols, and
that an IPv4 host cannot talk to an IPv6 host and vice versa, unless at
least one of the hosts is &lt;i&gt;dual stacked&lt;/i&gt; (running both protocols),
or some sort of translation mechanism exists (NAT or application level
gateway) to allow the hosts to talk to each other. Indirectly this could
mean that many more IPv4 addresses than we have left today might be
required, to allow for a transition where every IPv6 host could talk to
every IPv4 node, and vice-versa.

&lt;p&gt;
&lt;a href=&quot;http://www.ietf.org/rfc/rfc2766.txt&quot;&gt;RFC2766&lt;/a&gt;, which defines
NAT-PT (NAT Protocol Translation) nails the problem description square
on the head:

&lt;blockquote&gt;&quot;There is expected to be a &lt;em&gt;long transition&lt;/em&gt; period during
which it will be necessary for IPv4 and IPv6 nodes to coexist and communicate.  A
strong, flexible set of &lt;em&gt;IPv4-to-IPv6 transition and coexistence
 mechanisms&lt;/em&gt; will be required during this transition period.&quot;&lt;/blockquote&gt;

(emphasis mine)

&lt;p&gt;
Today, 7 years after NAT-PT was introduced, a new RFC recommends that NAT-PT be
&lt;a href=&quot;http://tools.ietf.org/html/rfc4966&quot;&gt;deprecated&lt;/a&gt;.

&lt;p&gt;
The original &lt;a href=&quot;http://tools.ietf.org/html/draft-aoun-v6ops-natpt-deprecate-00&quot;&gt;draft&lt;/a&gt; of this RFC stated, in September 2004:

&lt;blockquote&gt;
&quot;Description of an alternative protocol translation mechanism is out
of scope for this document.&quot;
&lt;/blockquote&gt;

But today, 3 years later, and the Draft made standard, &quot;There are no simple, useful, scalable translation or transition mechanisms&quot; (cf. &lt;A HREF=&quot;http://www.iepg.org/2007-07-ietf69/070722.v6-op-reality.pdf&quot;&gt;prev.cit.&lt;/A&gt;).


&lt;p&gt;
Even here in Denmark, which has a reputation for early adoption of new technologies,
and where Internet penetration is among the &lt;a href=&quot;http://www.itu.int/ITU-D/ict/statistics/at_glance/top20_broad_2005.html&quot;&gt;highest in the world &lt;/a&gt;, most larger
organizations I talk to are absolutely ignorant or unconcerned about the deployment
of IPv6 -- not that they have no idea what IPv6 is, but they have no plans to
deploy it, or do not seem to be aware of the issues regarding IPv4 depletion:
they have no strategy, or at least intended strategy, with regards to IPv6.

&lt;p&gt;
As someone I know who is very knowledgeable about IPv6
&lt;a href=&quot;http://www.inet6.dk/&quot;&gt;wrote a half year ago&lt;/a&gt;, 

&lt;blockquote&gt;&quot;Still not much going on in Denmark with regards to IPv6. Nobody cares,
nobody wants it, nobody works to implement it.&quot;&lt;/blockquote&gt;
&lt;/ul&gt;

&lt;b&gt;Time to smell the coffee&lt;/b&gt;

&lt;p&gt;
Learning IPv6 is one more burden for the average network administrator.
Administrating IPv6 and IPv4 in parallel even more so.  Dual routing tables,
dual filtering paths, dual routing protocols, twice the security hassle.
Even more reasons to start now.  Not while it's early (that was 5 years ago),
but while there's still time.

&lt;p&gt;
In hindsight, considering that many of the more revolutionary aspects of
IPv6 have been dropped, it might have been smarter to just make IPv6 on-the-wire
compatible with IPv4, and to use the lower 32 bits of the IPv6 addressing space
to map the IPv4 space into it, enabling a simple compatibility mode for IPv6
to communicate with IPv4-only hosts, without the need for extra translation.
[a few readers pointed out to me that this is contradictory with the idea
of having a 128-bit address space: there can be no compatibility on the wire.
Any sort of &quot;compatibility&quot; where an IPv6 host emits IPv4 packets is in
fact simply a dual stack system].

&lt;p&gt;
Unfortunately, this is not the case, and we have to deal with an installed
base of tens of millions of IPv4-only NAT gateways and CPE (customer premises
equipment) that only support IPv4, and will likely never support IPv6.  It's
in &lt;a href=&quot;http://www.merit.edu/mail.archives/nanog/msg03382.html&quot;&gt;this environment
&lt;/a&gt; that IPv6 will need to be deployed.  The transition will most likely not
be &quot;from the core to edge&quot; in one smooth wave.  IPv6 is going to pop-up everywhere it
makes sense, and for it to function it will have to use all the dirty tricks that
IPv4 used to survive, including tunneling, protocol translation, and application
level gateways.

&lt;p&gt;
&lt;p align=&quot;right&quot;&gt;Phil R.&lt;/p&gt;
&lt;HR WIDTH=&quot;50%&quot; NOSHADE=1 ALIGN=&quot;left&quot;&gt;

&lt;B&gt;Updates&lt;/B&gt;

&lt;ul&gt;
&lt;li&gt;A fractal map illustrating the rate of exhaustion:
&lt;p&gt;
&lt;a href=&quot;http://www.tndh.net/~tony/ietf/IPv4%20Address%20Fractal%20Map.pdf&quot;&gt;
  http://www.tndh.net/~tony/ietf/IPv4%20Address%20Fractal%20Map.pdf
&lt;/a&gt;
&lt;li&gt;A new presentation by Geoff Huston at RIPE 55 -- a very good overview
of the IPv4 exhaustion problem:
&lt;p&gt;
&lt;a href=&quot;http://www.ripe.net/ripe/meetings/ripe-55/presentations/huston-ipv4.pdf&quot;&gt;
http://www.ripe.net/ripe/meetings/ripe-55/presentations/huston-ipv4.pdf
&lt;/a&gt;
&lt;li&gt;Factsheet from ICANN about IPv6 -- most useful for management and decision makers:
&lt;p&gt;
&lt;a href=&quot;http://www.icann.org/announcements/factsheet-ipv6-26oct07.pdf&quot;&gt;
http://www.icann.org/announcements/factsheet-ipv6-26oct07.pdf
&lt;/a&gt;
&lt;/ul&gt;


&lt;B&gt;References&lt;/B&gt;

&lt;p&gt;
A number of announcements of publications were made recently, underlining
the problem at hand:
&lt;ul&gt;
  &lt;li&gt;An Informational draft RFC was published, outlining
an IPv4 to IPv6 transition plan, with goals of being &quot;ready&quot;
by 2011-01-01:
&lt;br&gt;&lt;a href=&quot;http://www.ietf.org/internet-drafts/draft-jcurran-v6transitionplan-00.txt&quot;&gt;
http://www.ietf.org/internet-drafts/draft-jcurran-v6transitionplan-00.txt&lt;/a&gt;

  &lt;li&gt;LACNIC (the &lt;a href=&quot;http://www.lacnic.net/&quot;&gt;Latin
American and Caribbean Internet Addresses Registry&lt;/a&gt;)
announced that it wants all the region's networks to be &lt;a
href=&quot;http://www.lacnic.net/en/anuncios/2007_agotamiento_ipv4.html&quot;&gt;
adapted to IPv6 by January 1st, 2011&lt;/a&gt;

&lt;/ul&gt;

&lt;p&gt;
Compare this to a very informative presentation from Randy Bush regarding
the reality of such a transition (and, in some cases, why it's plain
impossible, since IPv6 is not &quot;backwards compatible&quot; with IPv4):

&lt;p&gt;
&lt;a href=&quot;http://www.iepg.org/2007-07-ietf69/070722.v6-op-reality.pdf&quot;&gt;
[IPv6 Transition &amp; Operational Reality]&lt;/a&gt;

&lt;p&gt;
(the part regarding the emergence of a market for IPv4 addresses, and
the transition from allocation to entitlement is worth it by itself).

&lt;p&gt;
Some background data and interesting comments from Geoff Huston, who
maintains a page which is updated daily with an estimate of when
IANA and RIRs will run out of unallocated IPv4 space (and the trading --
whether it's legitimate or not -- will begin):
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.potaroo.net/tools/ipv4/index.html&quot;&gt;
  	http://www.potaroo.net/tools/ipv4/index.html&lt;/a&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.potaroo.net/ispcol/2007-07/v4end.html&quot;&gt;
  	http://www.potaroo.net/ispcol/2007-07/v4end.html&lt;/a&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.potaroo.net/ispcol/2007-08/dualstack.html&quot;&gt;
  	http://www.potaroo.net/ispcol/2007-08/dualstack.html&lt;/a&gt;
&lt;/ul&gt;


&lt;p&gt;
To get a feel of the context, a very informative read is the
&lt;a href=&quot;http://www.apnic.org/meetings/24/program/plenaries/apnic/transcript/&quot;&gt;
transcript&lt;/a&gt; of the APNIC Plenary, New Delhi, Sept. 2007.

&lt;p&gt;
Some good starting points on IPv6
&lt;p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.getipv6.info/index.php/Main_Page&quot;&gt;
  	ARIN IPv6 Wiki&lt;/a&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.getipv6.info/index.php/Educating_Yourself_about_IPv6&quot;&gt;
  	Educating_Yourself_about_IPv6&lt;/a&gt;
&lt;/ul&gt;

&lt;p&gt;
There are some very interesting
&lt;a href=&quot;http://www.uknof.org.uk/uknof8/Freedman-IPv6.pdf&quot;&gt;reports&lt;/a&gt;
of the operational experiences of deploying IPv6.</description>
  </item>
  </channel>
</rss>
