Read full story: SC Magazine

The case studies, which cover the Former Yugoslav Republic of Macedonia, Panama, the Philippines, and Romania, look at the effect of broadband connectivity on economic growth and access to basic services like education and health. They offer regulatory guidance and best practices, showcasing success stories and lessons learned.

Romania and TFYR Macedonia both provide strong examples of how adopting pro-ICT policies, establishing effective regulatory frameworks and developing strategic private and public partnerships can play a key role in boosting broadband access, affordability and demand.

A nation with a strong commitment to connectivity as a driver of national growth, TFYR Macedonia already boasts an impressive broadband penetration rate of 32%. Internet access in schools and Wi-Fi-based public Internet access points have been rolled out throughout the country, including remote areas. Schools now offer one Web-enabled computer for every 1.45 children, while university students and academics can freely access knowledge and research resources via the academic network MARnet.

Meanwhile, near-neighbour Romania ranks among the top countries in the world for broadband speed, and scores well for affordability too. The average cost of a baseline monthly broadband subscription represents less than 5% of average monthly income — well within the global targets established by the Broadband Commission last October. Public access is promoted through initiatives like 'Biblionet', which was launched in 2009 and which provides free library-based access through some 795 public libraries equipped with 3,318 computers.

Case studies on Panama and the Philippines, meanwhile, explore the impact of broadband on the economy and on job creation. Both studies evaluate the development of e-applications in the areas of education, public health, media and government services — all of which can help further stimulate broadband adoption.

In Panama, fixed broadband is having a significant economic impact. Analysis of a structural econometric model for the period 2000-2010 indicates that fixed broadband now contributes an annual 0.44% of GDP, with the indirect effects of fixed broadband use estimated to have contributed almost 9.6% of total national economic growth. Accelerating take-up means that this impact has now almost doubled to reach 0.82% of annual GDP, and contributed 11.3% of all economic growth over the decade.

In the Philippines' case study, analysis over the same 10-year period indicates that mobile broadband adoption has contributed an annual 0.32% to GDP, representing 6.9% of total GDP growth for the economy over the past decade. Given the acceleration of mobile broadband penetration since 2005, this impact has also now almost doubled, reaching 0.61% of GDP, representing 7.3% of total economic growth over the decade.

Download the full set of case studies at:
www.broadbandcommission.org/work/documents/case-studies.aspx

Written by Paul Budde, Managing Director of Paul Budde Communication

Frontline Systems Australia, an NTT company, is building on a longstanding partnership with Nominum, the worldwide leader in integrated DNS-based applications and solutions, to deliver a new carrier grade DNS/DHCP platform targeted at high end enterprises who are especially exposed to the now pervasive threat of malware and botnets.

Unlike proprietary appliances that rely on open source engines with minimal security, constant patches, and moderate performance, the new solution takes advantage of Nominum's Vantio DNS software running on "off the shelf", carrier grade HP hardware and hardened Red Hat Linux. Frontline Level 1 technical support, coupled with the proven stability and resilience of the Nominum software, as well as extremely robust hardware and OS will ensure an easy, out of the box deployment and ongoing operation.

Nominum's solution is based on a unique three-tier architecture — DNS engines, platforms and applications. The platforms are designed with layers of security protections that remain unmatched, protecting critical DNS servers and the data they contain against DDoS and cache poisoning attacks. Optional Nominum applications add additional protections from malware, botnets and a multitude of other Internet exploits. Every device on the network can be protected and there is no need to introduce any new equipment into the network. Any enterprise that deals with valuable or sensitive data can quickly take advantage of advanced botnet identification and mitigation without any significant changes to their existing network.

"Any enterprise that deals with valuable or sensitive data can quickly identify and quarantine malware-infected hosts frequently missed by other network security equipment. By leveraging Nominum's open three-tier architecture and 3rd-party API's, enterprises can also integrate their own threat intelligence or have alerts published to third-party products such as Security Information and Event Management (SIEM) consoles", said Craig Sprosts, General Manager of Security Solutions at Nominum.

The DNS based security application will be available from Frontline Systems with full technical support and virtualization services. "We're taking the expertise we've gained deploying mission critical solutions at the largest and most demanding networks in Australia, and providing security and IT teams a critical new layer of protection against loss of company or customer data," said Chris Ford, Frontline Systems Australia. "We'll give CIOs and Security Operations teams a brand new tool for monitoring and managing malicious threats brought into their networks from employee devices including iPads, smartphones, USB sticks, or other IP devices."

About Frontline Systems Australia

Established in 1992, Frontline Systems was a privately held IT business headquartered in Sydney Australia with 200+ employees and offices in Singapore, Brisbane, Canberra, Melbourne and Adelaide. In May, 2011, NTT Communications Corp, the global Japanese telecommunications provider, purchased a significant portion of Frontline. Frontline's business is built around the provisioning of managed services, professional services and enabling infrastructure to its large client base in Australia and Singapore. Our clients include the very largest of Australian businesses from telecommunications, banking and government. Now with NTT's involvement, Frontline expansion locally and through Asia will continue, offering complimentary business solutions to those of NTT Communications Corp.

Talking technical is easy. Distilling technical detail, complex threats and operation nuances down to something that can be consumed by people whose responsibility for dealing with cybercrime lays three levels below them in their organizational hierarchy is somewhat more difficult. Since so many readers here have strong technical backgrounds and often face the task of educating upwards within their own organizations, I figured I'd share 4 slides from my recent presentation that may be helpful in communicating how the world has changed.

The overall context of the hour long presentation was related to the paradigm change from protection back to detection — given the scope and capabilities of modern organized crime. The following slides came from the first quarter of the hour — setting the scene for how protection technologies have failed and what organizations need to do in light of that failure.

In essence, this slide talks about how that adversary has changed from old. Gone are the days of a single hacker looking to break in to an organization and toast all the systems. Sure, some of these guys still exist, but that's not where the threat lies today by any statistical analysis. Instead, what organizations are facing is a complex ecosystem where expertise is plentiful and available for relatively low prices. Most importantly, the adversary is now a professional in every sense of the word and needs to be respected for such. Failure to do so is at your peril.

While the adversary has changed for the worse, so too has the target. Consumerization of IT and BYOD, while buzzwords in every sense of the word, really are fundamentally changing the threat landscape and the ability of organizations to combat sophisticated threats. Speaking with lots of people charged with defending their corporations from within, they really do feel powerless to combat Mac threats, Android malware, etc. or enforce application and desktop policies (for whatever that means in the world of iPads and App stores).

Everything is playing in to the bad guys hands. The devices their targets are using are varied and widespread, they roam and bridge networks, they have hundreds of applications yet few are patched in a timely manner, and the threat of personal information being leached has ensured that encryption of communications is the norm — too bad that those nosey IT security guys can inspect traffic for malicious attacks.

In essence, the onus of securing the enterprise has slipped from the corporate IT folks and landed firmly in to the hands of their enabled workforce — who happen to be poorly suited to the task.

Oh, and then there's the "Cloud". Not the Cloud supplying cheap processing power and high availability mission-critical applications at a fraction of the cost of legacy systems. Rather the Cloud that is the 2nd millennium USB stick — the mechanism for transporting infected files between one device and the next.

IT security departments have invested millions of dollars in their defense in depth strategies. Multiple layers of "protection" (and expense), overlapping redundancies and a continuous stream of alerts have had debilitating effects on thinly-stretched security teams.

Even if those layers of defense had been working, the "solution" for the bad guys was (and is) to "attack in depth". The tools and techniques they now employ are multi-facetted and their complexity is hidden from the attacker. The hard work of innovation and coding was done by some expert far away, and their expertise (along with dozens of others) has been combined into a single campaign.

Last but not least, I talked about the "marginalization of protection". My objective in this part of the discussion was to point out that trying to protect everything has never worked, and will be even less successful going forward. The consumerization of IT and the diversity of devices out there have also forced organizations (including vendors) into an area in which it is simply uneconomical to try and secure.

While effort still needs to be applied to "protecting" the enterprise, my advice is to consolidate those expensive resources around the most valuable things of the organization and only grow outwards from there if you're successful.

In response, organizations need to assume that they are compromised and will continue to be compromised many times over, and often in many interesting ways. The onus shifts to how an organization can rapidly detect a compromise and how seamless the remediation needs to become.

I used to say that the most economical course of action was to simply reimage the computer when you were able to confirm the compromise. Nowadays that may not be quick enough, nor appropriate. Today you should reimage when your threshold of suspiciousness has been reached and, if you can't reimage (e.g. iPads, etc.), then remotely reset the device to factory defaults and wipe any stored content so it can't re-infect itself.

What about those critical devices — such as the CFO's laptop — which can't be reimaged without a lot of disruption? Let's be clear, just because you detected one piece of malware or remote control agent on the device doesn't mean that it's the only one installed. And if you're thinking you can safely remove everything related to the infection, then you're either ill-informed or it wasn't a threat to begin with.

Frankly, if you have critical devices that cannot be reimaged for any reason at the turn of a hat, then you've got bigger problems with your IT operations than mere breaches by professional criminals, and your organization needs to reevaluate its security operations at a fairly fundamental level. If a device is so critical that it cannot be recovered, it most certainly shouldn't be a roaming laptop, accessible via the Internet, and is operated by personnel with higher than average probabilities of being targeted.

Written by Gunter Ollmann, VP of Research at Damballa

Yet that's an incomplete picture. At the other major UDRP arbitration provider, the National Arbitration Forum (NAF), 2011 case filings were down 4% in 2011, declining from 2,177 cases in 2010 to 2,082 in 2011. The vast majority of these cases (96.2%) involved gTLDs like .com and .net; cases were concluded an average of 35 days after filing, but some were resolved in as few as 20 days — and 17%, a full one-sixth of filed complaints, were resolved directly by the parties with no need for panel arbitration. (That noteworthy record again raises the question of why a supplemental Uniform Rapid Suspension (URS) process is even needed for new gTLDs, but that's a separate subject.)

So, overall, the WIPO 2.5% increase was balanced out by the NAF 4% decrease and total UDRP filings at the two principal ICANN-accredited arbitration providers were essentially flat in 2011.

The Internet Commerce Association's (ICA's) Code of Conduct condemns intentional cybersquatting, so we are happy to see filings stabilize and would be delighted to see them decline further in the future. But we do think these filing figures need to be calmly placed in the broader context of total domain registrations. And, according to VeriSign's December 2011 Domain Name Industry Brief, domain registrations increased by 8.9 percent in the preceding year.

So, we think it's quite significant that total 2011 UDRP case filings did not increase notwithstanding a near-9% increase in total domain registrations. This marks yet another year in which UDRP filings declined as a percentage of all domain registrations.

While the NAF press release does not include the total number of domains involved in the cases filed with them we can guesstimate that, when we also include the additional second tier UDRP arbitration providers, approximately 9,000 domains were at issue in all 2011 cybersquatting cases filed with all UDRP providers.

That's 9,000 out of a total of about 220 million registered domain names. In other words, for each million domain registrations there are about 41 domains alleged to be cybersquatting in UDRP cases.

We expect that trademark interests will counter that the number of UDRP filings represents just "the tip of the iceberg" of abusive domain registrations, and will also point out that some but not all ccTLDs are subject to UDRP. And we'll concede those points — while also noting that .com and .net registrations totaled 112 million, just over half of all domains, and that these are the gTLDs that attract the most Internet traffic and are therefore most likely to be abused by intentional cybersquatters. So, while UDRP filings are not an exact proxy for the full extent of cybersquatting, they are the best measure we have of instances in which the resulting harm or domain value were judged sufficient by a trademark owner to invest the relatively modest sums of a $1300 filing fee plus associated attorney fees.

We are also well aware of studies — like this from Sophos — indicating that major brand names are subject to significant typosquatting. Despite finding that malware was virtually nonexistent on such websites, that study nonetheless observed that "typosquats are by no means harmless". Yet, other than the 2.7% of typosquatted domains that "fell into the loose category of cybercrime", a significant portion of the remainder of typosquatted websites appear to fall outside the scope of the "bad faith registration and use" standard required for a successful UDRP filing. So it's not just that rights holders have concluded that a particular typosquatted domain isn't worth the monetary cost of filing and pursuing a UDRP — they may have also concluded that they would not prevail. That is, those domains may fall more into the category of annoying nuisance rather than bad faith infringement, and are not generally associated with criminal activities such as phishing or with bad acts such as malware distribution.

Notwithstanding this contextual decline of 2011 UDRP filings, we are quite sympathetic to the costs imposed on brand owners of maintaining portfolios of defensively registered domain names that could be easily cybersquatted if released back for public sale. Reducing this cost is a subject that could certainly be addressed by an open and inclusive UDRP reform process within ICANN — if trademark interests will ever stop working to defer the initiation of such a process.

We'd also point out that if even one-one-hundredth of one percent of all domains registered today were cybersquatting in a manner sufficient to justify a UDRP filing that would currently total about 22,000 domains, and the actual number of UDRP filings last year involved less than half as many domains. In other words, based just on UDRP filings, more than 99.995 percent of all domains are not cybersquatting. That's right, 2011 UDRP filings involved less than one-two-hundredth of one percent of all registered domains. Even if the filed cases understate the incidence of UDRP-violating cybersquatting by a factor of one hundred, the problem would rise to just under one-half of one percent of all domains, with the remaining 99.5 percent being non-infringing.

We note all this not to excuse cybersquatting but to indicate that the problem appears to be small, manageable, and diminishing as a percentage of registered domains year after year based on UDRP filings — and that the UDRP provides a relatively fast and inexpensive alternative to litigation in court. So any trademark interest advocacy for 'rights protections' that are more numerous and stringent than what's already available is not strongly supported by the available evidence.

We'd also note that many ICA member providers of "parking" or other domain monetization services, as well as of secondary domain marketplaces, have established either formal or informal means by which trademark owners can bring alleged infringement claims to their attention and block clearly infringing domains. These services are available at no cost to trademark owners, and should often be their first recourse in advance of filing a UDRP claim.

As for the WIPO press release declaration that, "With the domain name coordinating body, ICANN, allowing for a massive increase in the number of new domains, brand owners' resources will likely be stretched further.", that seems entirely speculative for now — especially since brand owner resources were not stretched further in 2011 with total UDRP filings being flat, and actually declining in the context of an expanding DNS environment. WIPO's statement also ignores the fact that the Trademark Clearinghouse will let trademark owners secure, block, and issue warnings in regard to new gTLD domains in an unprecedented manner to reduce cybersquatting.

So let's wait and see what applications are actually filed for new gTLDs, and then wait to see what registrants they attract and what visitor traffic they generate, and then make a judgment on the impact of new gTLDs on trademark owners that is informed by facts rather than speculation. (We note in passing that NAF's statement makes no similar gloomy predictions regarding cybersquatting at new gTLDs.)

One final thing to remember is that arbitration providers like WIPO can affect the number of UDRP filings by allowing its panelists to alter long-established practices and thereby change UDRP policy in a one-sided manner. For example, recently a WIPO panel ruled that ceat.com must be transferred to CEAT Ltd., an Indian tire company, even though there was scant evidence that the domain had been registered, much less used, in bad faith (See: CEAT Limited, CEAT Mahal, v. Vertical Axis Inc. / Whois Privacy Services Pty Ltd). Another WIPO panel recently ruled in FACI Industries v. BuyDomains.com, Inventory Management that faci.com be transferred to the non-famous metal casting firm of FACI Industries of Bolingbrook, Illinois even though there was ample evidence that the registrant exercised due diligence to avoid infringing the complainant's trademark rights (See: FACI Industries v. BuyDomains.com, Inventory Management). As the dissenting panelist in CEAT stated, "To hold that such a valuable word cannot be used as a domain name simply because "the domain name is a trademark and has no descriptive meaning" is not supported by the Policy and is a very severe restriction on the right to register a domain name that is not contemplated by ICANN in its policies or practices… That is simply a rewriting of the Policy that is entirely unsupported. Clearly, registering a word that both parties say is an acronym and using it for purposes unconnected with the Complainant or its activities does not violate the Complainant's trademark rights or the Policy.”

These rulings open the door to any short domain name that can constitute an acronym for one or multiple organizations being subject to "first to file" UDRP actions encouraged by trademark attorneys. We are already seeing an uptick of new UDRPs related to acronym domains, and if this becomes a flood in the remainder of 2012 — encouraged by the ceat.com and faci.com rulings, which deviate from years of UDRP practice related to acronym domains — does that mean that cybersquatting is up, or that cybersquatting has been unilaterally redefined down by WIPO panelists and that as a result the trademark bar sees a new UDRP opportunity to bring to clients' attention?

These disturbing and controversial acronym domain rulings again illustrate why WIPO and other UDRP providers should reconsider allowing panelists deemed "neutrals' to also serve as advocates for complainants or registrants, given the clear potential for conflicts of interest, and the certain appearance of potential conflicts. It also illustrates that prior decisions should have a more binding precedential effect that they are accorded under the current WIPO Overview. The UDRP process should remain an available remedy for squelching a declining pool of infringing domains, but not permitted to be a mercurial full employment program for creative trademark attorneys.

ICA will continue to press for meaningful UDRP reform, including changes to assure that arbitration "neutrals" do not have inherent conflicts. But for now we are happy to note that total UDRP filings continue to decline as a percentage of all domains and remain a tiny fraction of the overall DNS infrastructure. That's something worth remembering the next time you see allegations that cybersquatting is out of control.

Mr. Corwin serves as Counsel to the Internet Commerce Association

Written by Philip S Corwin, Founding Principal, Virtualaw LLC; Counsel, Internet Commerce Association

So where should we look to find a business case for IPv6?

Over the last year or two, the shift towards cloud computing paradigm has started to make some pretty impressive waves. Although still at a relatively early stage, we are seeing both service providers and enterprises coming out with brand new strategies for public and private clouds. Based on the recent developments, we estimate that by 2015, the way in which applications and network services are consumed will be very different from what it is today. The discontinuity here will be just as big as the Internet was some 15 years ago.

As far as the IPv6 business case is concerned, not many people have realized how critical IP addresses and DNS is for the cloud orchestration process. To commission or decommission a virtual machine, one needs to reserve or to free an IP address, preferably within a window of 300 milliseconds. Further, in order for that newly commissioned virtual machine to be easily accessed, a DNS entry is also needed. With Infrastructure 1.0 utilizing IPv4 spaces managed with Excel spreadsheets, the cloud doesn't scale.

To address this issue, anyone serious about cloud computing will have to come to accept that Infrastructure 2.0 is required in order for the cloud computing paradigm to work as intended. If someone is to make a considerable investment in cloud environment, protecting the investment for at least the next 10 years becomes essential. And the way I see it, this is where IPv6 comes in.

In this light, IPv6 can be viewed as a similar enabler to the cloud as IPv4 was for the Internet. From the business perspective, IPv6 enables the cloud to scale into the foreseeable future. Furthermore, by making IPv6 a standard feature in clouds, organizations investing in them can make sure that their basic architecture will stand the test of time, thereby optimizing the cloud ROI.

Written by Juha Holkkola, Managing Director of Nixu Software

Nominum, the worldwide leader in integrated DNS-based applications and solutions, announces the Nominum Security Suite for fixed broadband and mobile service providers in Russia. This suite offers network and end-user solutions and applications for stopping outbound spam, botnet mitigation, phishing and malware prevention, illegal content filtering, managed security, mobile security, and more. All of these solutions leverage Nominum's high-performance DNS engines, which are proven in the world's largest networks and designed to meet the incredible growth rate experienced by Russian operators.

More than 500 million Internet users depend on Nominum-powered networks around the world every day. To help optimize broadband service speed and safety, fixed broadband and mobile service providers rely on Nominum's three-tiered architecture: the engines, which make networks faster and more efficient, platforms which increase business agility, and applications that increase competitive differentiation.

Russia is fast becoming an area where cyber-attacks are launched since its broadband and mobile data penetration is increasing so quickly. In Russia alone over the last three years, broadband customer growth is more than 110 percent, or just under 30 percent per year. Russia's 3G mobile broadband service providers grew from just over 1.5M customers at the end of 2008 to nearly 16M at the end of 2011. With growth comes a promising market for hacking and theft. In fact, Russia was just reported by Microsoft as the third most malware-infected country in the world.

Nominum's solutions will help service providers in Russia manage the most pressing issues they face today, including:

• Reducing outbound spam — preventing the inadvertent blocking of legitimate consumer and business email due to blacklisting of a service provider's network
• Identifying and protecting infected subscribers — protecting end-users on fixed or mobile networks from data theft and reducing the risk of network downtime due to botnet attacks
• Preventing phishing and malware — proactively warning end-users before they get infected with malware
• Filtering Illegal content — preventing users from accessing prohibited content such as child sexual abuse
• Managed security — protecting enterprises from theft of confidential customer information or intellectual property

The foundation of these solutions is Nominum's market-leading DNS engines. The advanced security capabilities and leading performance eliminate risk of network downtime while improving the subscriber experience by reducing DNS latency 50-70%. Other unique innovations include the ability to log massive volumes of DNS data in real-time without degrading performance, built-in anti-DDoS protections and the ability to apply unique policies for millions of households on a single server.

"Our legacy began when our Chief Scientist, Paul Mockapetris, invented DNS. As a company, we have focused on evolving DNS from a protocol to an efficient network infrastructure tool that provides high performance and security, to a necessary business tool that addresses the most pressing issues that fixed and mobile service providers face today," said Craig Sprosts, GM Security Solutions "We are excited to bring our tested solutions to the fast-changing Russian broadband market, and help service providers here generate more revenue while protecting Internet users."

In addition to the suite of security solutions, Nominum will also offer the other solutions built for fixed broadband and mobile service providers. These solutions are built on the same three-tiered architecture and are designed to solve a variety of non-security issues such as device provisioning, mobile spectrum efficiency, broader network and subscriber visibility, and more. These solutions have gained worldwide acceptance and adoption and are now going to be available throughout the Russia and CIS markets.

Thought leaders across the industry are focusing on transition topics that matter: from economic lifecycles, security, and business continuity to the promising future of the Internet of Things. This is what drives most of us, and those on the front lines in the IPv6 evolution have every right to rise up and celebrate. It's not only a great technological milestone, but a testament to their collective abilities to work together for the greater good of the connected planet.

Today's Internet is the foundation for everything we do and the IPv6 Internet will be too but unfortunately some things never change. While the majority have been busy working on IPv6 for the greater good, evidence makes clear we're likely to come face to face with a growing number of technologists (aka criminals) with malicious intentions. IPv6 hinders them in some ways, but helps them in others. If you have any doubts, a quick search will show a growing number of software tools intended to break or exploit IPv6. Everything we build offers potential for those who are malicious to use their skills for disruption. Security is a continuum and experience suggests it might be worth some cycles to make sure your IPv6 project does not end up on your CEO's shortlist of things that keep them up at night.

Preparing for the transition requires looking beyond just software support and interoperability testing to identifying strategic partners and understanding the long-term cost of ownership. If IPv6 is important to your future you owe it to your business, investors and customers to make sure you have the best technology but are also on the right path with the best, forward looking partners. It's refreshing to see that on the Internet, as has always been the case, a global initiative can transcend the boundaries of political, social, and economic agendas. Maybe we can all even learn a lesson or two from IPv6 on how to tackle some of the critical long-term social and economic challenges facing the world today.

Want to learn more about the transition to IPv6, join us at our webinar on May 30. Click here.

Written by Craig Sprosts, General Manager of Fixed Broadband Solutions at Nominum

How are attackers themselves sourcing so much bandwidth? It's actually easier than you might think. While botnets comprised of malware-infected computers can be used to launch attacks, you don't actually need thousands of devices. In some cases, attackers are infiltrating hosting company resources (shared hosting, virtual private servers, dedicated hosting, etc.), availing themselves of bandwidth by using hacked, stolen and fraudulent accounts.  

Let's say that an attacker manages to get his/her hands on 5 hosting accounts with 5 different hosting companies. It's not unusual for these hosting companies to have 1 Gbps+ of connectivity to the Internet. A lot of hosters don't look at their outbound traffic all that closely or have difficulty policing what their customers do. All an attacker needs to do is install a script on each account and he/she has easy access to gigabits of connectivity.

For hosters, finding the trouble spot can be like looking for a needle in a haystack (especially if thousands of accounts share resources). While the offender might be found eventually and the account shut down, the damage has already been done.
 
What can hosters do to help prevent this or detect this better?

Restrict outbound traffic from your customers by using ACLs (Access Control Lists). For example, there are few reasons your customers will ever need to make port 80 UDP connections to other hosts on the Internet. Put policies in place to block all outbound traffic except to specific, acceptable, understood destinations or ports. If customers have legitimate reasons to make an outbound connection from your infrastructure, they should be able to notify you and justify it (this will affect a only tiny percentage of your base) so you can make the appropriate arrangements. Some hosters do not even accommodate these requests.

Throttle outbound traffic from your customers. Even for legitimate outbound connections, most likely they don't need to take up 500 Mbps of outbound bandwidth. Simply set a lower limit. 

Put alarms in place when outbound traffic utilization spikes. If, for example, all of a sudden the amount of data leaving your network increases by 40%, there's probably an issue somewhere and your tech folks should be investigating.

Restricting and monitoring your outbound traffic will probably save you money on bandwidth costs and decrease the amount of abuse reports. Best of all, attackers will realize they're not getting what they want out of your platform. The less you have to worry about, the better, right?

Written by Miguel Ramos, Sr. Product Manager, Neustar Enterprise Services

Recent IPv6 statistics from the RIPE NCC show an accelerated uptake of IPv6 in Norway, both in terms of the number of allocated prefixes, and visible announcements in the routing system. This is based on a comparison over time of the amount of IPv6 addresses allocated to each economy, and the amount of visible prefixes per Autonomous System (AS) in the routing tables each day. The graph below shows 50% of ASes in Norway now announce one or more IPv6 prefix.

Some have interpreted this to mean that over 50% of the end users in Norway have now access to IPv6. However, a measurement of end user IPv6 capability by APNIC doesn't necessarily support that, rather, it suggests that end user access to IPv6 remains low in Norway, as in other economies. The graph below shows the percentage of IPv6 preference at the end user level.

Keep in mind that this only includes data until mid-May, hence the drop at the end. For the most up-to-date graph, please visit the APNIC Labs IPv6 Measurements pages.

Are these measurements in conflict?

No, not really. One is a measure of capacity and capability in routing and forwarding, and the other is a measure of end user access. There are many reasons why some routing-active entities don't show up in an end user measurement: the AS may be servicing content delivery and not offering access services, or may be providing transit and data management services for others and have no direct end user traffic.

Perhaps the AS is servicing segments of the user base who only gain access to the global Internet occasionally, or to restricted URLs, or not even the web but only VOIP (which we can't measure in the APNIC technique.)

The difference is not a conflict. It exposes differences in what we see on the Internet and the different conclusions drawn from each.

APNIC's measurement focuses on end user access, and in large part, suggests that there is a continuing problem with end user access to IPv6, even when the AS in question may have associated IPv6 allocations visible in global routing.

In the background article on RIPE Labs you can find much more information, including the methodology and an analysis of the specific situation in Norway and in Japan.

Written by Mirjam Kuehne

The industry is working to establish shared access networks — would it not be nice if they did this everywhere, all the time? They are also working very closely with British Olympic Association, London Transport, the broadcasters and content providers.

Mobile coverage will be the biggest shared infrastructure in the world. There are already 80 million mobile devices in the UK, and to this will be added the millions of devices from overseas visitors and athletes. There will be more people taking photos and videos and sending them around the world. And, of course, the same applies to the thousands of professional photographers and journalists attending the Games. The mobile operators have indicated that there may be periods of 'controlled service', particularly in relation to mobile broadband.

There will be two dimensions to this network — one for officials and athletes, and one for the general public. The network will go live on 1 June and will cater for a range of related and other events:

• Olympic Torch Relay, 27 May-27 July;
• Diamond Jubilee, 2 June-5 June;
• Euro 2012, 8 June-1 July (IPTV);
• Farnborough Airshow;
• Olympic Games, starting on 25 July.
• Over 1,000 BT workers have been assigned to the communications activities surrounding the Games.

Next-generation access network rollouts have been accelerated and core network bandwidth has been increased to facilitate the backbone network, as well as increased fibre access to all facilities, venues, etc.

Extra capacity is needed for the BBC iPlayer service, which will drive up telecoms traffic, with each of 24 HD Olympic TV channels using 3Mb/s. Organisations are made aware of the fact that corporate networks could be flooded if people are watching in the office. This will also apply to international links, as overseas viewers could flood these as well.

If an incident occurs that goes viral on YouTube, this could also swamp networks. There have been warnings that the lack of a national high-speed broadband network could see network meltdowns in such circumstances.

It is anticipated that many public websites can expect as much as five times their normal traffic; organisations should be aware of this and take the necessary measures to cope with it.

Another interesting contingency is that call centres are employing extra staff, as it is expected that enquiry call on-hold time will be longer due to foreign languages. Other increases are expected on retailers' card terminals and ATM usage.

Because of increased security awareness there are elaborate security plans in place — to protect not only the people but also all infrastructures, including the existing telecoms infrastructure around the country. Security plans also take into account other 'unpredictables' that can lead to disturbances, such as unforecasted gatherings, cyber attacks, and large increases in free rich content over the networks.

There is a Resilience and Response Group (EC-RRG) operating the National Emergency Alert for Telecommunications (NEAT) coordination points. There are contingency scenarios for engineers, suppliers, colleagues unable to reach site and so on. They also have proactive procedures in place to reduce risks such as internet congestion, the impact on home working, monitoring video-streaming, terrorist/public order incidents.

Some statistics on the Games:

• 5.3 million visitors are expected with half a million extra on Day 8.
• On 9 days there will be more than 1million extra journeys on public transport.
• Greenwich population will be 25% higher on Day 3.
• At the end of an event, 10,000-20,000 people will be exiting individual venues, creating bottlenecks.

During the games, there will be major disruption for London-based workers — there is a four-step approach:

• reduce journey requirements by avoiding planned utility works;
• retime appointments to avoid clashes with busiest times;
• reroute transport and logistics as access roads will be closed;
• review transport types and use alternatives.

For its part, the regulator Ofcom has devised a Spectrum Plan for the Games, which will see the temporary re-allocation of spectrum from public bodies to cater for bandwidth demands. Spectrum from among three separate bands will come from the Ministry of Defence (MOD), the Civil Aviation Authority (CAA) and the Maritime and Coastguard Agency (MCA), while holdings in the 2.5-2.6GHz band have been reserved for the duration of the Games. Ofcom has also conserved spectrum allocated for private mobile radio (PMR), as also spectrum available for DTTV in the 800MHz band which has not yet been sold off. Ofcom is needing all the spare frequencies it can find to cope with the 350 wireless microphones, 75 HD video streams and 780 talkback channels it expects are needed.

It is also expected that there will be greater work and school absenteeism due to large screen displays that are established right around the country. And businesses are adopting greater flexitime procedures and providing facilities in the workplace.

Organisations have also been advised to, where possible, move staff to Disaster Recovery sites and work from there during the Games. Other suggestions include checking standby generator fuel, batteries, firewall resilience, etc. Teleworking is promoted, with companies advised to plan and test the use of technology remotely by home workers.

Written by Paul Budde, Managing Director of Paul Budde Communication

We would like your help in soliciting the best possible nominees for the open seats. We are seeking individuals with significant Internet leadership experience within the nonprofit, nongovernmental organization (NGO) and domain name arenas who represent the broad and geographically diverse spectrum of the global noncommercial community.

Interested individuals are encouraged to submit nominations, including self-nominations. A nomination statement of approximately 400 words should include details of the nominee's experience with the Internet, commitment to promoting the noncommercial use of the Internet, understanding of the technical or policy issues facing the .ORG registry, and perspectives regarding the needs of the .ORG community. A current biography and digital photograph also are requested.

Nominations must be submitted by 15 June, 2012. To submit your nominations or to learn more about the advisory council, please visit our website. New council members will be announced on 30 June, 2012.

The first, more widely known, development is the IETF's ongoing DANE effort. The DANE standard proposes to improve the Transport Level Security (TLS) protocol, which is used worldwide to secure communication between applications (e.g., a browser) and host machines (e.g., a website server). DANE enables administrators of domain names to specify TLS cryptographic key material in a resource record stored in a zone file. Using DNSSEC, an application could validate the resource record with the practical result that communication between an application and host machine is probably more secure — a good thing.

Perhaps the most interesting aspect of DANE is that it takes TLS key distribution out of the hands of the browser/certificate authorities and places it with DNS operators. The browser/certificate authority regime has been shown to be susceptible to attack and lacking in clear lines of accountability. In theory, if an administrator puts signed key material in the DNS, an application can validate it starting from the single trust anchor maintained by ICANN. Like DNSSEC, DANE depends on registrars, registries and Internet service providers not tampering with signed data provided by administrators. Pressure to tamper with data could come from numerous sources, e.g., interests in intellectual property protection, advertising, surveillance, etc. At the end of the day, it will be the DNS contractual regime, the laws that govern the involved parties, and the extent to which those institutions are transnationally interoperable that determines how DANE contributes to various global public policy goals like free expression and free trade in information services. Expect the differences between governments, and their response to domestic pressures, to challenge that interoperability.

The second, and in our opinion, more interesting development is the more recently proposed ROVER (Route Origin Verification) effort which seeks to address the problem of misconfigured routing announcements, whether accidental or intentional. Similar to DANE, ROVER proposes to improve the inter-domain routing by creating new resource records published in the secure reverse DNS (i.e., the in-addr.arpa zone). Similar ideas have been proposed previously, but never took hold. The records would allow network operators to indicate whether an IPv4 or IPv6 prefix ought to appear in global routing tables and identify authorized origin Autonomous System Number(s) for that prefix. This is the same data (i.e., Route Origin Announcements) which appears in the Resource Public Key Infrastructure (RPKI) being managed by some RIRs. ROVER would facilitate the comparison of validated records stored in the secure reverse DNS against route announcements being made on the Internet. Discrepancies could be flagged and lead to further action taken by the operator.

Again, the most interesting aspect is the interplay between technology and institutional power. The technical community has been debating the merits of Secure DNS vs. RPKI. The debate occurs in the shadow of the major, ongoing concern for network operators concerning RPKI, i.e., how it could allow certificate authorities (e.g., the RIRs) to impact routing. This concern is further complicated with Border Gateway Protocol Security (BGPSEC), which proposes incorporating cryptographic signing and validation of route announcements directly into the BGP. As an alternative, ROVER suggests leveraging the certified resource allocation data stored in the RPKI (or elsewhere) to create and validate route announcements in the secure reverse DNS. But it allows operators to independently apply that data to routing decisions. If a certificate authority revoked a certificate it would not impact routing unless the operator allowed it to. Less appreciated, however, is that ROVER potentially shifts route announcement data, typically stored in the decentralized Internet Routing Registries (IRRs) now, into the hierarchical secure DNS. Given this, the operation and governance of a few zones, namely .arpa and in-addr.arpa, becomes critical. Those zones are currently managed by ICANN. Its use for routing purposes may raise contention that too much power is centralized with this organization. In theory, as manager of the in-addr zone, ICANN could regulate network operators via contract, similar to the way it does some TLD operators. This will need to be examined more closely.

Written by Brenden Kuerbis, Postdoctoral Researcher at Syracuse University, School of Information Studies

Until regulators create true structural separation between infrastructure and service providers the chances of seeing genuine broadband competition are slim. It is interesting to note telecom regulators in North America have imposed structural separation in the past. In the 1970s when the cable industry was a fledgling startup industry the FCC in the US and the CRTC in Canada passed regulations forbidding telephone companies to acquire and/or compete with cable companies. This enabled the creation of a entirely new business sector — cable television- who now dominates the broadcast and Internet market place. If regulators and governments are interested in stimulating the economy and creating new business opportunities, it is time they study their past successes and breakup up today's oligopolies by imposing structural separation and allow a true competitive market in broadband Internet.

In the mean time the one bright spot in the competitive marketplace is the development of Internet Exchange Points (IXPs) and the collocation of Content Distribution Networks (CDNs). In a recent a talk at RIPE-64 given by Kurtis Lindqvist demonstrated that IXPs will be even more important as broadband speeds increase. With larger and larger data flows the need to interconnect at an IXP to a CDN network or peering network will becoming increasingly important. (See: Kurtis Lindqvist - The History of Peering in Europe and What This Can Teach Us About the Future)

I am very pleased to see that Canadian Internet Registration Authority (CIRA) has taken a very important leadership role in Canada in this regard. (Full disclosure: I am a member of the CIRA board). CIRA has undertaken an active program to help qualified communities, independent ISPs, regional R&E networks and others to deploy IXPs in their community. CIRA's overall goal is to have local members build and operate the IXP, with CIRA bringing technical expertise, stability, back office functions, governance assistance, content providers and, if required, some financial and gear support. Most significantly CIRA will help the IXP provide a variety of DNS hosting services (which can improve responsiveness and reliability for connected users) as well arranging CDN networks to collocate at the facility.

The combination of these services — peering, DNS and CDN — will provide connected independent ISPs, R&E networks, community broadband networks and other organizations the capability to provide services to their targeted communities and provide a modicum of competition to the local incumbent oligopoly. This service by CIRA will be especially important for small business, community and R&E networks as they look to deliver or use cloud services and wireless applications to their local communities. The integration of WiFi with 3G/4G with anytime, anywhere, any device communications for education and research will also be critically dependent on these facilities.

Further reading:
7 ways Comcast is killing the cable killers GigaOm
Keeping the Internet Neutral New York Times

Written by Bill St. Arnaud , Green IT Networking Consultant