This document summarizes Natasha Rooney's presentation on QUIC and the evolution of HTTP. Some key points include:
- QUIC aims to improve performance over TCP by eliminating head-of-line blocking and reducing latency through 0-RTT connections.
- It achieves this by multiplexing streams over a UDP connection and integrating TLS 1.3 for encryption to provide security.
- Early results show QUIC reducing page load times by 15-18% for video and 3.6-8% for search queries on Google's services.
- As QUIC becomes more widely adopted, it may continue to improve performance for a "long tail" of users on slower or more unreliable networks.
Solving HTTP Problems With Code and ProtocolsNatasha Rooney
The document discusses HTTP and protocols related to transporting data over the internet. It describes the layered model including the physical, network, transport, and application layers. It then focuses on protocols like HTTP/1, SPDY, HTTP/2 and QUIC that operate at the application layer, with the goal of improving performance by reducing latency through techniques like header compression, multiplexing, and avoiding head-of-line blocking. It also discusses how QUIC aims to solve issues with TCP by operating over UDP while providing encryption, reliability and other features normally provided by TCP.
HTTP/3 over QUIC. All is new but still the same!Daniel Stenberg
HTTP/3 is the designated name for the coming next version of the protocol that is currently under development within the QUIC working group in the IETF. HTTP/3 is designed to improve in areas where HTTP/2 still has some shortcomings, primarily by changing the transport layer. HTTP/3 is the first major protocol to step away from TCP and instead it uses QUIC.
Daniel Stenberg does a presentation about HTTP/3 and QUIC. Why the new protocols are deemed necessary, how they work, how they change how things are sent over the network and what some of the coming deployment challenges will be.
Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report).Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report)
RPZ allows a recursive server to control the behavior of responses to queries.Administrator to overlay custom information on
top of the global DNS to provide alternate responses to queries.
RPZ data is supplied as a DNS zone, and can be
loaded from a file or retrieved over the network by AXFR/IXFR.It works like firewall on cloud.DNS RPZ will block DNS resolution, machines connecting to the C&C via IP add
DMVPN allows for secure dynamic overlay networks using mGRE tunnels, NHRP for next-hop resolution, and dynamic routing protocols. The document provides a configuration example where a hub router connects to multiple remote routers using DMVPN. IPsec is configured on each remote router to encrypt traffic. EIGRP is configured as the dynamic routing protocol to allow communication between the routers.
Implementing BGP Flowspec at IP transit networkPavel Odintsov
This document discusses implementing BGP Flowspec at an IP transit network to help mitigate distributed denial of service (DDoS) attacks. BGP Flowspec allows network operators to announce flow specifications via BGP to define distributed access lists across their network. The document outlines BGP Flowspec options, typical attack scenarios with and without its use, implementation considerations, validation of rules, statistics collection, and plans for a web portal and integration with attack detection systems. Over 85% of detected DDoS traffic was found to originate from foreign interfaces, showing BGP Flowspec's effectiveness against such attacks.
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsSiena Perry
IPv6 addresses are 128-bit and represented by 8 colon-separated 16-bit segments in hexadecimal format. IPv6 introduces more efficient address representation methods and a standardized interface identifier generation technique using MAC addresses. IPv6 headers are simpler than IPv4 headers and introduce new address types like anycast. Transition from IPv4 to IPv6 requires dual stack support and new security practices as many old IPv4 attacks still apply to IPv6. First hop security features like RA guard help prevent rogue devices and address spoofing. Overall, IPv6 deployment faces challenges around network segmentation, firewall rules, and router configurations.
Solving HTTP Problems With Code and ProtocolsNatasha Rooney
The document discusses HTTP and protocols related to transporting data over the internet. It describes the layered model including the physical, network, transport, and application layers. It then focuses on protocols like HTTP/1, SPDY, HTTP/2 and QUIC that operate at the application layer, with the goal of improving performance by reducing latency through techniques like header compression, multiplexing, and avoiding head-of-line blocking. It also discusses how QUIC aims to solve issues with TCP by operating over UDP while providing encryption, reliability and other features normally provided by TCP.
HTTP/3 over QUIC. All is new but still the same!Daniel Stenberg
HTTP/3 is the designated name for the coming next version of the protocol that is currently under development within the QUIC working group in the IETF. HTTP/3 is designed to improve in areas where HTTP/2 still has some shortcomings, primarily by changing the transport layer. HTTP/3 is the first major protocol to step away from TCP and instead it uses QUIC.
Daniel Stenberg does a presentation about HTTP/3 and QUIC. Why the new protocols are deemed necessary, how they work, how they change how things are sent over the network and what some of the coming deployment challenges will be.
Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report).Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report)
RPZ allows a recursive server to control the behavior of responses to queries.Administrator to overlay custom information on
top of the global DNS to provide alternate responses to queries.
RPZ data is supplied as a DNS zone, and can be
loaded from a file or retrieved over the network by AXFR/IXFR.It works like firewall on cloud.DNS RPZ will block DNS resolution, machines connecting to the C&C via IP add
DMVPN allows for secure dynamic overlay networks using mGRE tunnels, NHRP for next-hop resolution, and dynamic routing protocols. The document provides a configuration example where a hub router connects to multiple remote routers using DMVPN. IPsec is configured on each remote router to encrypt traffic. EIGRP is configured as the dynamic routing protocol to allow communication between the routers.
Implementing BGP Flowspec at IP transit networkPavel Odintsov
This document discusses implementing BGP Flowspec at an IP transit network to help mitigate distributed denial of service (DDoS) attacks. BGP Flowspec allows network operators to announce flow specifications via BGP to define distributed access lists across their network. The document outlines BGP Flowspec options, typical attack scenarios with and without its use, implementation considerations, validation of rules, statistics collection, and plans for a web portal and integration with attack detection systems. Over 85% of detected DDoS traffic was found to originate from foreign interfaces, showing BGP Flowspec's effectiveness against such attacks.
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsSiena Perry
IPv6 addresses are 128-bit and represented by 8 colon-separated 16-bit segments in hexadecimal format. IPv6 introduces more efficient address representation methods and a standardized interface identifier generation technique using MAC addresses. IPv6 headers are simpler than IPv4 headers and introduce new address types like anycast. Transition from IPv4 to IPv6 requires dual stack support and new security practices as many old IPv4 attacks still apply to IPv6. First hop security features like RA guard help prevent rogue devices and address spoofing. Overall, IPv6 deployment faces challenges around network segmentation, firewall rules, and router configurations.
This presentation covers routing security at the Internet Scale in detail with a focus on IRR. It talks about how IRRs work, the challenges in IRR based filtering as well as some of the tools which can be used. It also touches RPKI as well as developments IRR-RPKI integration in the next version of IRR daemon.
Webinar NETGEAR Prosafe Switch, la sicurezza della LANNetgear Italia
Introduzione alle funzionalità di sicurezza offerta dalle famiglie di switch gestiti di NETGEAR, SMART e FULL MANAGED, per proteggere la tua rete LAN: Protected Ports, Port Security, DHCP Snooping, 802.1x .....
How You Will Get Hacked Ten Years from Nowjulievreeland
1. The document discusses how the assumption of scarcity is built into many current security models and products but may not apply in an internet with abundant resources;
2. It notes that a post-scarcity internet will require new trust models for both clients and servers as current infrastructure changes;
3. The document outlines several changes required for IPv6 including new protocols, packet formats, and address configuration methods that could introduce new vulnerabilities.
HTTP/3 is a new version of the HTTP network protocol that is expected to be finalized in late 2019. It uses QUIC, a new transport protocol built on UDP, to address issues with HTTP/1.1 and HTTP/2 like head-of-line blocking and network ossification. By running at the transport layer in userspace over encrypted connections, QUIC and HTTP/3 provide features like 0-RTT handshakes, stream multiplexing and faster connection establishment compared to TCP. HTTP/3 maintains the HTTP request/response API but delivers it over QUIC's multiplexed streams for improved performance and reliability compared to previous HTTP versions over TCP.
Now we hear a word “DMVPN” more and more often, then what is “DMVPN” and what is the advantages DMVPN owning? Here we give a brief introduction of DMVPN.
This document discusses techniques for mitigating distributed denial of service (DDoS) attacks, including remotely triggered black hole filtering (RTBH) and BGP FlowSpec. It provides an overview of DDoS attack trends, types, and impacts. It also introduces the open-source FastNetMon tool for DDoS detection using network telemetry and introducing mitigation actions like flow blocking through integration with tools like ExaBGP.
Our presentation to UKNOF in September 2020
In two very long nights of maintenance we acheived:
- Full table BGP on VyOS converge time in seconds
- Routing on MikroTiks converges near-instantly
- BCP38 (customers cannot spoof source address)
- IRR filtering* (only accept where route/route6 object)
- RPKI (will not accept invalid routes from P/T)
- Templated configuration (repeatable, automated) Single source of truth (the docs become the config)
Preventing Traffic with Spoofed Source IP address
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, Founder, mn -LAB
info@mn-lab.net
OverTheBox is a solution which combines up to 4 Internet connections. You can connect it to any operator using only one RJ45 port. Find out how!
1. Introduction to OverTheBox
2. Part I - What it is
3. OVH launches the OverTheBox
4. Schematics : Aggregation
5. Schematics : Load Balancing
6. Schematics : Active Fail-Over
7. Technical specifications
8. Part II - Why did we do it ?
9. The choice is a luxury
10. Do you mix ?
11. The different combinations
12. Part III - How does it works ?
13. Implementation, and end-to-end schematics 14. The box is equipped with 1 RJ45 1Gbps port 15. You can connect up to 4 modems 16. The OverTheBox’s DHCP is in control 17. Wifi is managed by the modems
18. Part IV - Our recipe
19. The technologies we used
20. Infrastructure details
21. Part V - Quick start
22. Before starting
23. Subscription & first WAN
24. The funnel of activation
25. Service subscription and activation
26. Subscription
27. Running
28. Adding another WAN
29. Everything is green ? All is OK
30. Test the aggregate and the fail-over
31. Part VI - Go further
32. Onboarding center
33. GitHub
34. Thank you
The document describes the Simple Mail Transfer Protocol (SMTP) which is used for sending and receiving email. It outlines the key components of SMTP including Mail Transfer Agents (MTAs), Mail Delivery Agents (MDAs), and the core SMTP commands used to send mail such as HELO, MAIL FROM, RCPT TO, and DATA. It also provides examples of using the telnet command line tool to interact with an SMTP server and send a basic email.
Full table BGP on VyOS converge time in seconds
Routing on MikroTiks converges near-instantly
BCP38 (customers cannot spoof source address)
IRR filtering (only accept where route/route6 object)
RPKI (will not accept invalid routes from P/T)
Templated configuration (repeatable, automated)
Single source of truth (the docs become the config)
VyOS SaltStack YAML Netbox BGP OSPF FRR RPKI IRR XDP
bgpq3 UTRS RTBH NetFlow
RIPE NCC Update 2019-10-02
JANOG39 トラフィック可視化 BoF 発表資料
Japanese - https://www.janog.gr.jp/meeting/janog39/program/traffic
English - https://www.janog.gr.jp/meeting/janog39/en/programs/y-bof-traffic
This document provides instructions for cracking wireless networks encrypted with WEP and WPA. It discusses the theoretical vulnerabilities in WEP that can be exploited to decrypt the network key. For WEP cracking, it describes how to use airodump to capture initialization vectors (IVs), aircrack to crack the key using the IVs, and aireplay to force traffic if needed. It also covers differences between WPA and WEP, capturing the handshake for WPA networks, and dictionary attacks to crack weak WPA passwords.
Detecting and mitigating DDoS ZenDesk by Vicente De LucaPavel Odintsov
This document discusses how to improve detection of DDoS attacks using an open-source solution involving FastNetMon, InfluxDB, Grafana, Redis, Morgoth, BIRD, and an experimental code called Net Healer. FastNetMon detects attacks and reports them to Redis. Net Healer watches Redis for attack reports and can trigger actions like alerting on-call teams or injecting routes based on policy thresholds over a 5 minute period to mitigate attacks faster without relying solely on humans. The solution integrates various open source tools for scalable metrics storage, routing, anomaly detection, and triggering automated responses to detected attacks.
Developers and researchers are confronted with a huge number of tools and technologies in their daily work, each of which has its own pros and cons. This realization is important for network devices intended to stop attacks — they should be “omnivores” with regard to network protocols. The speaker’s passion is to study and recreate various hacker attacks, exploits and tactics at the network level in order to develop reliable detection techniques for intrusion detection systems. While working on lots of attacks he noticed some tiny network conditions when a packet sequence slip away from IDS system but get to the target. Will your IDS system detect data network connection was broken? Using nc and a Linux machine, the speaker will demonstrate 4 CVEs he found for bypassing IDS systems, based on the example of the popular Suricata IDS.
Marek discusses how his company Faelix uses MikroTik hardware and RouterOS at their network edges to route over 600k IPv4 and 30k IPv6 routes. While there were some initial issues, MikroTik has proven reliable and cost-effective. Marek then explains how Faelix implements firewalling with zero filter rules through a multi-step process. They use fail2ban to block brute force attacks, AMQP to share block lists across routers, and destination NAT misbehaving traffic. Most importantly, they leverage the "/ip route rule" feature to route blocked traffic to a separate routing table for easy isolation without complex firewall rules.
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
This document discusses how Coloclue, a non-profit volunteer-driven ISP, automated the detection and mitigation of DDoS attacks through the use of FastNetMon and BIRD. FastNetMon allows for detection of attacks within 3 seconds by monitoring traffic levels. BIRD then injects selective blackhole routes within 1 second to mitigate attacks by dropping traffic for 1 IP or subnet for 60 seconds. This approach solves the DDoS problem within 4 seconds through 100% automated detection and mitigation.
This document discusses various topics related to transport layer security (TLS) including:
- A brief history of TLS and its predecessors SSL.
- An overview of the TLS handshake process and how it establishes encryption between a client and server.
- Explanations of key TLS concepts like public-key cryptography, certificates, and different types of encryption.
- Performance considerations for TLS including reducing latency in the handshake process and optimizing TLS configuration.
- Methods for improving TLS performance such as using session tickets, TLS false start, HTTP/2, and content delivery networks.
- The document summarizes Daniel Stenberg's presentation on HTTP/3 and QUIC.
- It describes how QUIC improves on TCP by allowing multiple streams over a single connection and enabling faster handshakes. HTTP/3 runs over QUIC and provides improvements like 0-RTT handshakes.
- There are still challenges to widespread HTTP/3 adoption like CPU overhead and lack of standardization, but implementations are progressing and benefits include faster page loads.
This document summarizes Daniel Stenberg's presentation on HTTP/3 and QUIC. Some key points include:
- HTTP/3 uses the QUIC transport protocol over UDP to enable faster handshakes, earlier data transmission, and independent streams.
- QUIC improves on TCP by eliminating head-of-line blocking and supporting faster connection establishment through 0-RTT handshakes.
- While HTTP/3 is similar to HTTP/2, it runs over QUIC rather than TCP, allowing improvements like multiplexed streams that are not blocked by each other.
- There are still challenges to widespread HTTP/3 adoption like CPU overhead and lack of support in some browsers and servers, but it promises performance benefits
This presentation covers routing security at the Internet Scale in detail with a focus on IRR. It talks about how IRRs work, the challenges in IRR based filtering as well as some of the tools which can be used. It also touches RPKI as well as developments IRR-RPKI integration in the next version of IRR daemon.
Webinar NETGEAR Prosafe Switch, la sicurezza della LANNetgear Italia
Introduzione alle funzionalità di sicurezza offerta dalle famiglie di switch gestiti di NETGEAR, SMART e FULL MANAGED, per proteggere la tua rete LAN: Protected Ports, Port Security, DHCP Snooping, 802.1x .....
How You Will Get Hacked Ten Years from Nowjulievreeland
1. The document discusses how the assumption of scarcity is built into many current security models and products but may not apply in an internet with abundant resources;
2. It notes that a post-scarcity internet will require new trust models for both clients and servers as current infrastructure changes;
3. The document outlines several changes required for IPv6 including new protocols, packet formats, and address configuration methods that could introduce new vulnerabilities.
HTTP/3 is a new version of the HTTP network protocol that is expected to be finalized in late 2019. It uses QUIC, a new transport protocol built on UDP, to address issues with HTTP/1.1 and HTTP/2 like head-of-line blocking and network ossification. By running at the transport layer in userspace over encrypted connections, QUIC and HTTP/3 provide features like 0-RTT handshakes, stream multiplexing and faster connection establishment compared to TCP. HTTP/3 maintains the HTTP request/response API but delivers it over QUIC's multiplexed streams for improved performance and reliability compared to previous HTTP versions over TCP.
Now we hear a word “DMVPN” more and more often, then what is “DMVPN” and what is the advantages DMVPN owning? Here we give a brief introduction of DMVPN.
This document discusses techniques for mitigating distributed denial of service (DDoS) attacks, including remotely triggered black hole filtering (RTBH) and BGP FlowSpec. It provides an overview of DDoS attack trends, types, and impacts. It also introduces the open-source FastNetMon tool for DDoS detection using network telemetry and introducing mitigation actions like flow blocking through integration with tools like ExaBGP.
Our presentation to UKNOF in September 2020
In two very long nights of maintenance we acheived:
- Full table BGP on VyOS converge time in seconds
- Routing on MikroTiks converges near-instantly
- BCP38 (customers cannot spoof source address)
- IRR filtering* (only accept where route/route6 object)
- RPKI (will not accept invalid routes from P/T)
- Templated configuration (repeatable, automated) Single source of truth (the docs become the config)
Preventing Traffic with Spoofed Source IP address
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, Founder, mn -LAB
info@mn-lab.net
OverTheBox is a solution which combines up to 4 Internet connections. You can connect it to any operator using only one RJ45 port. Find out how!
1. Introduction to OverTheBox
2. Part I - What it is
3. OVH launches the OverTheBox
4. Schematics : Aggregation
5. Schematics : Load Balancing
6. Schematics : Active Fail-Over
7. Technical specifications
8. Part II - Why did we do it ?
9. The choice is a luxury
10. Do you mix ?
11. The different combinations
12. Part III - How does it works ?
13. Implementation, and end-to-end schematics 14. The box is equipped with 1 RJ45 1Gbps port 15. You can connect up to 4 modems 16. The OverTheBox’s DHCP is in control 17. Wifi is managed by the modems
18. Part IV - Our recipe
19. The technologies we used
20. Infrastructure details
21. Part V - Quick start
22. Before starting
23. Subscription & first WAN
24. The funnel of activation
25. Service subscription and activation
26. Subscription
27. Running
28. Adding another WAN
29. Everything is green ? All is OK
30. Test the aggregate and the fail-over
31. Part VI - Go further
32. Onboarding center
33. GitHub
34. Thank you
The document describes the Simple Mail Transfer Protocol (SMTP) which is used for sending and receiving email. It outlines the key components of SMTP including Mail Transfer Agents (MTAs), Mail Delivery Agents (MDAs), and the core SMTP commands used to send mail such as HELO, MAIL FROM, RCPT TO, and DATA. It also provides examples of using the telnet command line tool to interact with an SMTP server and send a basic email.
Full table BGP on VyOS converge time in seconds
Routing on MikroTiks converges near-instantly
BCP38 (customers cannot spoof source address)
IRR filtering (only accept where route/route6 object)
RPKI (will not accept invalid routes from P/T)
Templated configuration (repeatable, automated)
Single source of truth (the docs become the config)
VyOS SaltStack YAML Netbox BGP OSPF FRR RPKI IRR XDP
bgpq3 UTRS RTBH NetFlow
RIPE NCC Update 2019-10-02
JANOG39 トラフィック可視化 BoF 発表資料
Japanese - https://www.janog.gr.jp/meeting/janog39/program/traffic
English - https://www.janog.gr.jp/meeting/janog39/en/programs/y-bof-traffic
This document provides instructions for cracking wireless networks encrypted with WEP and WPA. It discusses the theoretical vulnerabilities in WEP that can be exploited to decrypt the network key. For WEP cracking, it describes how to use airodump to capture initialization vectors (IVs), aircrack to crack the key using the IVs, and aireplay to force traffic if needed. It also covers differences between WPA and WEP, capturing the handshake for WPA networks, and dictionary attacks to crack weak WPA passwords.
Detecting and mitigating DDoS ZenDesk by Vicente De LucaPavel Odintsov
This document discusses how to improve detection of DDoS attacks using an open-source solution involving FastNetMon, InfluxDB, Grafana, Redis, Morgoth, BIRD, and an experimental code called Net Healer. FastNetMon detects attacks and reports them to Redis. Net Healer watches Redis for attack reports and can trigger actions like alerting on-call teams or injecting routes based on policy thresholds over a 5 minute period to mitigate attacks faster without relying solely on humans. The solution integrates various open source tools for scalable metrics storage, routing, anomaly detection, and triggering automated responses to detected attacks.
Developers and researchers are confronted with a huge number of tools and technologies in their daily work, each of which has its own pros and cons. This realization is important for network devices intended to stop attacks — they should be “omnivores” with regard to network protocols. The speaker’s passion is to study and recreate various hacker attacks, exploits and tactics at the network level in order to develop reliable detection techniques for intrusion detection systems. While working on lots of attacks he noticed some tiny network conditions when a packet sequence slip away from IDS system but get to the target. Will your IDS system detect data network connection was broken? Using nc and a Linux machine, the speaker will demonstrate 4 CVEs he found for bypassing IDS systems, based on the example of the popular Suricata IDS.
Marek discusses how his company Faelix uses MikroTik hardware and RouterOS at their network edges to route over 600k IPv4 and 30k IPv6 routes. While there were some initial issues, MikroTik has proven reliable and cost-effective. Marek then explains how Faelix implements firewalling with zero filter rules through a multi-step process. They use fail2ban to block brute force attacks, AMQP to share block lists across routers, and destination NAT misbehaving traffic. Most importantly, they leverage the "/ip route rule" feature to route blocked traffic to a separate routing table for easy isolation without complex firewall rules.
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
This document discusses how Coloclue, a non-profit volunteer-driven ISP, automated the detection and mitigation of DDoS attacks through the use of FastNetMon and BIRD. FastNetMon allows for detection of attacks within 3 seconds by monitoring traffic levels. BIRD then injects selective blackhole routes within 1 second to mitigate attacks by dropping traffic for 1 IP or subnet for 60 seconds. This approach solves the DDoS problem within 4 seconds through 100% automated detection and mitigation.
This document discusses various topics related to transport layer security (TLS) including:
- A brief history of TLS and its predecessors SSL.
- An overview of the TLS handshake process and how it establishes encryption between a client and server.
- Explanations of key TLS concepts like public-key cryptography, certificates, and different types of encryption.
- Performance considerations for TLS including reducing latency in the handshake process and optimizing TLS configuration.
- Methods for improving TLS performance such as using session tickets, TLS false start, HTTP/2, and content delivery networks.
- The document summarizes Daniel Stenberg's presentation on HTTP/3 and QUIC.
- It describes how QUIC improves on TCP by allowing multiple streams over a single connection and enabling faster handshakes. HTTP/3 runs over QUIC and provides improvements like 0-RTT handshakes.
- There are still challenges to widespread HTTP/3 adoption like CPU overhead and lack of standardization, but implementations are progressing and benefits include faster page loads.
This document summarizes Daniel Stenberg's presentation on HTTP/3 and QUIC. Some key points include:
- HTTP/3 uses the QUIC transport protocol over UDP to enable faster handshakes, earlier data transmission, and independent streams.
- QUIC improves on TCP by eliminating head-of-line blocking and supporting faster connection establishment through 0-RTT handshakes.
- While HTTP/3 is similar to HTTP/2, it runs over QUIC rather than TCP, allowing improvements like multiplexed streams that are not blocked by each other.
- There are still challenges to widespread HTTP/3 adoption like CPU overhead and lack of support in some browsers and servers, but it promises performance benefits
The document provides an overview of IT network design and installation topics covered in a MaxWiFi training course, including network models, IP addressing, NAT, routing, DHCP, VLANs, wireless networking, and Cisco device configuration.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over the internet. They allow for confidentiality, integrity, and authentication between two applications communicating over TCP. SSL/TLS works by encrypting the segments of TCP connections above the transport layer through the use of symmetric and asymmetric cryptography. It establishes a secure channel over an insecure network such as the internet.
TCP and Mobile Networks Turbulent RelationshipNatasha Rooney
This document discusses TCP and its turbulent relationship with mobile networks. It provides an overview of TCP including that it is connection-oriented, reliable, uses cumulative ACKs, delivers packets in-order, is full-duplex, and uses a sliding window. The document then discusses issues TCP has over mobile networks, including that the congestion window remains small due to disconnections and high bit error rates. It proposes collecting data from mobile operators anonymously to send to the IETF to develop new, more mobile-friendly protocols.
Solving HTTP Problems with Code and ProtocolsC4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2G8Jngj.
Natasha Rooney goes through the issues in HTTP, how HTTP2 was developed using Google’s SPDY experiment, and the impact of QUIC. Filmed at qconsf.com.
Natasha Rooney is a member of the W3C Advisory Board and the Stack Evolution Group at IETF. She works as a Engineering Director at GSMA.
If the number of spine switches were to be merely doubled, the effect of a single switch failure is halved. With 8 spine switches, the effect of a single switch failure only causes a 12% reduction in available bandwidth. So, in modern data centers, people build networks with anywhere from 4 to 32 spine switches. With a leaf-spine network, every server on the network is exactly the same distance away from all other servers – three port hops, to be precise. The benefit of this architecture is that you can just add more spines and leaves as you expand the cluster and you don't have to do any recabling. Intuition Systems will also get more predictable latency between the nodes.
As a trend, disaggregation seems to be most useful for very large companies like Facebook and Google, or cloud providers. The technology does not necessarily have significant implications for small or medium sized businesses. Historically, however, technology has a way of trickling down from the pioneering phases of existing only within large companies with tremendous resources, to becoming more standardized across the board.
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebAll Things Open
Presented at All Things Open 2018
Presented by Alexander Krizhanovsky with Tempesta Technologies INC
10/23/18 - 2:00 PM - Networking/Infrastructure Track
The document discusses various types of firewall technologies used to control access between trusted and untrusted networks. It describes packet filtering, session filtering, application-level gateways, and circuit-level proxies. Packet filtering makes decisions on individual packets while session filtering tracks connection state. Application gateways understand specific protocols while circuit proxies operate at the transport layer. The document also covers network address translation, encryption, spoofing attacks, and fragmentation attacks against firewalls.
Communication over the kinds of Data-Links used for unmanned vehicles presents important challenges dues to the low bandwidth, intermittent, and lower reliability of these links. Classic network protocols such as TCP do not operate well in this environment forcing application developers to implement their own reliability and session management. This presentation describes he issues and alternatives.
A technical description of http2, including background of HTTP what's been problematic with it and how http2 and its features improves the web.
See the "http2 explained" document with the complete transcript and more: http://daniel.haxx.se/http2/
(Updated version to slides shown on April 13th, 2016)
This document summarizes a talk given by Chris Conlon from wolfSSL on September 15, 2017 in Tokyo, Japan about TLS 1.3. It provides background on Chris Conlon and his role at wolfSSL, an overview of wolfSSL's products and services including their lightweight SSL/TLS library. It also discusses the history and components of the SSL/TLS protocol, common vulnerabilities, and the goals of the new TLS 1.3 specification.
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)Igalia
By Andy Wingo.
Refreshing your Twitter feed is such a drag over 3G, taking forever to connect and fetch those precious kilobytes. The reasons for this go deep into the architecture of the internet: making an HTTPS connection simply has terrible latency.
So let’s fix the internet! MinimaLT is an exciting new network protocol that connects faster than TCP, is more secure than TLS (crypto by DJ Bernstein), and allows mobile devices to keep connections open as they change IP addresses. This talk presents the MinimaLT protocol and a Node library that allows JS hackers to experimentally build a new Internet.
Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).
This document provides an overview of HTTPS, how it works to protect data through encryption, and why it is important. HTTPS uses both symmetric and asymmetric encryption as well as digital signatures to authenticate sources and verify data integrity. It discusses HTTPS protocols, certificate authorities, different types of certificates, and considerations for implementing HTTPS including browser compatibility and security best practices.
This document discusses quality of service (QoS) classification on Cisco IOS routers. It explains that applications like voice have different network requirements than bulk file transfers. To ensure each application gets proper treatment, traffic must be classified. Classification methods on IOS routers include header inspection of fields like ports and IP addresses, and deeper payload inspection using Network-Based Application Recognition (NBAR) which can identify applications regardless of port. The document demonstrates simple classification using an access control list matched to a class map in a policy map applied to an interface. It also shows classification using NBAR to match protocols like Telnet in a class map.
The document discusses using tcpdump and ssldump on an F5 device to analyze network traffic. It provides examples of commands to capture full traffic flows, including specifying filters. It also describes how to use tcpdump to troubleshoot issues like traffic not reaching servers. The document discusses using Wireshark with the F5 plugin to decrypt SSL traffic for analysis and provides instructions for configuring Wireshark. It briefly mentions using sFlow for performance monitoring and analytics.
Parity Solutions provides virtualized networking solutions for hotels and other businesses through its rXg platform. The rXg platform offers personal area networks (PANs) that create a private, segmented virtual network for each guest or user. This microsegmentation approach improves security, allows device sharing and casting within each user's network, and enhances the overall experience above what is typically found on shared hotel networks.
Similar to Evolving HTTP and making things QUIC (20)
This document summarizes a workshop on optimizing bandwidth on mobile networks with increasing encryption. It lists the technical program committee and goals of exploring solutions while maintaining privacy and security. Sessions covered setting the scene on challenges with encryption, potential network/transport solutions, optimizing applications, and addressing regulation. Ideas generated included evolving TCP, providing network feedback to endpoints, blind caching, collaboration frameworks, and metrics. Next steps include publishing minutes and reports, and developing ideas on mailing lists.
Web Authentication: a Future Without Passwords?Natasha Rooney
The document discusses web authentication and the future of passwords. It provides an overview of public key cryptography concepts like asymmetric encryption. It then summarizes the FIDO Alliance standards of UAF and U2F which aim to provide passwordless authentication using public key cryptography during a registration process where keys are created and stored locally and on the server. It describes how the W3C Web Authentication working group is developing browser APIs and specifications to enable FIDO-based authentication directly in web applications by creating and validating credentials and assertions. The document provides code examples of how the WebAuthN API could be used for registration and authentication without requiring storage of sensitive user data locally or on the server.
The document discusses the work of the W3C Web Application Security Working Group (WebAppSec WG). It provides updates on several WebAppSec WG specifications and proposals, including Clear Site Data, Confinement with Origin Web Labels (COWL), Credential Management, and others. It notes the goals of each specification, provides examples of their use, and outlines current work and upcoming discussions at the W3C TPAC meeting. The document is a high-level summary of the WebAppSec WG's ongoing efforts to improve web application security.
The document discusses Service Workers and how they can be used to cache assets and manage network requests. It provides code snippets for registering a Service Worker, caching assets during install, detecting and responding to fetch events by checking the cache and falling back to the network if needed, and updating the Service Worker by deleting old caches.
STV (Single Transferable Vote) is a voting system that aims for proportional representation. Voters rank candidates in order of preference. The process involves multiple rounds of counting votes. In each round, candidates who reach a quota threshold are elected, and surplus votes from elected candidates are transferred to voters' next preferred candidates. Candidates with the fewest votes are eliminated and their votes are transferred in subsequent rounds until all seats are filled. There are arguments both for and against STV, including that it gives minority candidates a better chance while complexities may reduce voter understanding, and second choice candidates are at a disadvantage.
JQuery UK February 2015: Service Workers On VacayNatasha Rooney
Webapps are awesome, and travel is awesome, but the two together suck. Roaming, aeroplanes, bad connections and flakey wifi make native apps so much more attractive when travelling. The offline-capable gap between web native needs to be quashed, and Service Worker is coming to do the quashing! This talk will go through the simple use case of creating an offline-capable webapp using caching in ServiceWorker, complete with pulling in data and retaining data for offline view.
The document discusses the GSMA's involvement with the W3C through the Web and Mobile Interest Group. It provides an overview of the GSMA as a telecom association representing mobile operators worldwide. It then discusses the Web and Mobile Interest Group's goals of accelerating the development of web technologies for mobile applications. Specifically, it aims to highlight needs across industries, support W3C work, and create an open ecosystem for innovation. The group was preceded by the Coremob and Webmob communities and focuses on topics like offline capabilities, payments, and security to develop the core mobile web platform.
Making it Work Offline: Current & Future Offline APIs for Web AppsNatasha Rooney
We go through the current APIs for creating offline capable web apps such as LocalStorage, App Cache and a bit of IndexedDB. We also take a look at the work going behind the new solution "ServiceWorker" and how it may change the game.
Demo to support the presentation is here: https://github.com/nrooney/offlineanime
FirefoxOS Meetup - Updates on Offline in HTML5 Web AppsNatasha Rooney
This document summarizes Natasha Rooney's presentation on offline web apps. The presentation discussed issues with the App Cache API and introduced Service Workers as a new solution. It highlighted that App Cache was not well-suited for separating caching of shell content from dynamic content. Service Workers address this by allowing developers more control over caching and fallbacks. The presentation concluded that Service Workers enable better support for offline apps through features like multiple caches, fallbacks, and promises.
Updates on Offline: “My AppCache won’t come back” and “ServiceWorker Tricks ...Natasha Rooney
My slides from my talk "Updates on Offline: “My AppCache won’t come back” and “ServiceWorker Tricks for Cache”" from Over the Air 2013 held in September in Bletchley Park. We had a good run-through of offline APIs in web, the mysteries of App Cache, and updates on the current status of ServiceWorker.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
How to Get CNIC Information System with Paksim Ga.pptx
Evolving HTTP and making things QUIC
1. @thisNatasha
Down the Line:
evolving HTTP and making things QUIC
Natasha Rooney
on version negotiation,
end-point capabilties,
and successful TLS
handshake.”
100. @thisNatasha
ACK Based
- Estimate RTT
- Retransmit when ACK not
received after RTT estimate
threshold
Timer Based
- Aggressive CRYPTO
retransmission
- Tail Loss Probe
- Retransmission timer
Loss Detection
111. @thisNatasha
Handshake Flow
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Key Exchange
Authentication Algorithm Strength Mode
Cipher MAC or PRF
TLS/HandshakeCheatSheet Key Exchange Method: creates the pre master secret.
Premaster secret is combined with PRF to create master
secret
RSA, DHE_RSA,
ECDHE_RSA,
ECDHE_ECDSA
Authentication Method: Uses public key crypto and
certificates public key together. Once certificate is
validated the client can used public key.
RSA or ECDSA
Certs: X.509, ASN.1
DER encoding.
Server
Hello,
Certificate
- Server selects cipher & compression
method
- Server send certificate
- Client authenticates
Key Exchange Pre-master secret exchanged between
client & server, client validates certificate
Master
Secret
Client & Server can compute Master Secret.
MAC Server verifies MAC, returns to client to
verify also.
Finished Handshake complete.
Client Hello Client sends TLS Version, Ciphersuites,
Compression methods
Ciphers, Standards and Terms
Encryption
3DES, AES, ARIA,
CAMELLIA, RC4, and
SEED
[1] Steam: adds MAC [2]
Block: adds IV and
padding after encryption
[3] Encryption (AEAD):
encryption and integrity
validation, using nonce,
no padding, no IV.
Master Secret
Pre-master secret:
combines params to
help client and server
create master secret.
Master Secret: both
server and client create
this from pre-master
secret to symmetrically
encrypt
Integrity Validation
PRF: Pseudorandom
Function. Takes a
secret, a seed, and a
unique label. TLS1.2
suites use PRF based
on HMAC and SHA256
MAC: used for integrity
validation in handshake
and record.
113. @thisNatasha
Traffic
Amplification
Address validation
with byte limitation
Spoofing
Path validation
during connection
migration
Passive
Observation
Changing Connection
IDs. Encryption.
Limited data till
sure of encryption
and valid path.
Denial of
Service
Authentication
through encrypted
handshake
Stream
Commitment
Active streams is
limited by the
concurrent stream
limit transport
parameter.
Explicit
Congestion
Notification
Attacks
Ignore duplicate ECN
packets
Downgrade
Three fields that
encode version
information,
included in TLS
handshake also.
Packet
Reflection
Authenticate source
address, strictly
limiting UDP
datagrams in first
flight
Attack Mitigation
141. @thisNatasha
7. Application Data HTTP /
IMAP
6. Data Presentation,
Encryption
SSL / TLS
5. Session and connection
management
-
4. Transport of packets and
streams
TCP / UDP
3. Routing and delivery of
datagrams on the Network
IP / IPSec
2. Local Data Connection Ethernet
1. Physical data connection
(cables)
CAT5
OSI Model
142. @thisNatasha
Handshake Flow
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Key Exchange
Authentication Algorithm Strength Mode
Cipher MAC or PRF
TLS/HandshakeCheatSheet Key Exchange Method: creates the pre master secret.
Premaster secret is combined with PRF to create master
secret
RSA, DHE_RSA,
ECDHE_RSA,
ECDHE_ECDSA
Authentication Method: Uses public key crypto and
certificates public key together. Once certificate is
validated the client can used public key.
RSA or ECDSA
Certs: X.509, ASN.1
DER encoding.
Server
Hello,
Certificate
- Server selects cipher & compression
method
- Server send certificate
- Client authenticates
Key Exchange Pre-master secret exchanged between
client & server, client validates certificate
Master
Secret
Client & Server can compute Master Secret.
MAC Server verifies MAC, returns to client to
verify also.
Finished Handshake complete.
Client Hello Client sends TLS Version, Ciphersuites,
Compression methods
Ciphers, Standards and Terms
Encryption
3DES, AES, ARIA,
CAMELLIA, RC4, and
SEED
[1] Steam: adds MAC [2]
Block: adds IV and
padding after encryption
[3] Encryption (AEAD):
encryption and integrity
validation, using nonce,
no padding, no IV.
Master Secret
Pre-master secret:
combines params to
help client and server
create master secret.
Master Secret: both
server and client create
this from pre-master
secret to symmetrically
encrypt
Integrity Validation
PRF: Pseudorandom
Function. Takes a
secret, a seed, and a
unique label. TLS1.2
suites use PRF based
on HMAC and SHA256
MAC: used for integrity
validation in handshake
and record.
144. @thisNatasha
Cli-ant Ser-ver
TCP and TLS with Session Tickets
TCP Fast Open Handshake
[1] Client Hello
Server Hello [2]
(Change Cipher Spec) [3]
Finished [4]
[5] (Change Cipher Spec)
[6] Finished
145. @thisNatasha
TLS Encryption Levels
● CRYPTO frames MAY appear in packets of any encryption level except 0-RTT.
● CONNECTION_CLOSE MAY appear in packets of any encryption level other than 0-RTT.
● APPLICATION_CLOSE MAY appear in packets of any encryption level other than Initial and 0-RTT.
● PADDING frames MAY appear in packets of any encryption level.
● ACK frames MAY appear in packets of any encryption level other than 0-RTT, but can only acknowledge
packets which appeared in that packet number space.
● STREAM frames MUST ONLY appear in the 0-RTT and 1-RTT levels.
● All other frame types MUST only appear at the 1-RTT levels.
146. @thisNatasha
Cryptographic handshake
● authenticated key exchange, where
○ a server is always authenticated,
○ a client is optionally authenticated,
○ every connection produces distinct and unrelated keys,
○ keying material is usable for packet protection for both 0-RTT and 1-RTT packets, and
○ 1-RTT keys have forward secrecy
●
● authenticated values for the transport parameters of the peer (see Section 7.3)
● authenticated confirmation of version negotiation (see Section 7.3.3)
● authenticated negotiation of an application protocol (TLS uses ALPN [RFC7301]for this purpose)