Wednesday, July 25, 2018

TLS v1.3: How Do We Get from Here to There?

Spirent has been leading the way in providing companies with the tools they need to prepare for TLS v1.3. I had a chance to sit down with David DeSanto, Director, Products and Threat Research for Spirent to talk about the transition to TLS v1.3 and some of the hurdles that organizations face as they make the switch to the new de facto standard.

Jim Carroll, OND: Tell me about the evolution of TLS. How did we get to this point?

David DeSanto, Spirent: Transport Layer Security, or TLS, is a cryptographic protocol used by many applications and services such as web browsing, email communications, and multimedia communications.  It made Secure Sockets Layer, or SSL, obsolete as it offered better encryption properties such as perfect forward secrecy (PFS), newer cipher suites, etc.

TLS v1.2 is considered the current de facto standard for cryptography when paired with a strong cipher suite and large private key (i.e., asymmetric key).  However, this comes at a cost to the user’s experience, as the protocol itself and the cipher suites offering elliptic curve with PFS and large asymmetric keys come with a performance hit.  Even in today’s world of data breach roulette, organizations choose to go with a lower encryption standard or cipher suite such that cryptographic steps do not overburden the user and potentially have them stop using their services altogether.

TLS v1.3 looks to address the concerns commonly seen with TLS v1.2.  This new standard includes performance improvements such that the user does not have as much overhead or burden in initializing the secure connection.  It also makes additional insecure cryptographic practices obsolete, which can lead to attackers improperly gaining access to the encrypted communication.

Jim Carroll, OND: What's the current status of TLS v1.3 and what is the next phase of specification development?

David DeSanto: TLS v1.3 is still in draft—specifically draft-28—and this draft has been submitted as the official standard. This was submitted in March to the IETF and is going through the IETF process to be a ratified standard.  It is expected to be ratified this year, and you can track its progress at https://datatracker.ietf.org/doc/draft-ietf-tls-tls13/.

Jim Carroll, OND: What is the market reaction so far?  Are customers implementing TLS v1.3 in big numbers?

David DeSanto: The market adoption has varied depending on the specific technology and vertical.

As TLS v1.3 is a cryptographic protocol used by a client and server to provide privacy and data integrity, users can be put into a “forced adoption” model without realizing it.  The best example of this is with one of the bigger champions of TLS v1.3: Google.  Google rolled out TLS v1.3 earlier this year within its services and consumer solutions.  If you have a Gmail account and access it using the Chrome browser, you are using TLS v1.3 and may not even know it.

There is a parallel effort—started by development at Google in 2016—to build a new transport layer protocol named QUIC (short for Quick UDP Internet Connections).  It was first submitted to the IETF in 2016 and is currently still in draft with draft-12 being the current working draft.  QUIC has encryption requirements built right into its standard and these requirements are based on TLS v1.3.

Just these two examples show strong adoption of TLS v1.3 so far and it is expected to grow at a consistent rate.  TLS v1.3 is expected to be adopted at a much faster rate than previous iterations of the TLS protocol—due in large part to the providers we rely on today who are actively making the switch to support it quickly.  Google is joined by many others who have already implemented and have enabled support by default.

Jim Carroll, OND: What technical hurdles are there to implementing TLS v1.3?

David DeSanto: There are three crucial considerations that organizations need to keep in mind as they prepare to migrate to TLS v1.3:

1. How to handle zero round trip time resumption (0-RTT)
2. Preparing for downgrades to TLS v1.2
3. The need for infrastructure and application testing

The 0-RTT option has the potential to significantly increase performance during an encrypted session between endpoints. With TLS v1.2, secure web communications require two round trips between the client and server prior to the client making an HTTP request and the server generating a response. TLS v1.3 reduces this requirement to one round trip and offers the ability to inherit trust to accomplish zero round trips, or 0-RTT. 0-RTT potentially provides better performance, but it also creates a significant security risk. With 0-RTT, a transaction could be easy prey for a replay attack, in which a threat actor can intercept an encrypted client message and resend it to the server, tricking the server into improperly extending trust to the threat actor and thus potentially granting the threat actor access to sensitive data. Organizations should be wary of allowing or using 0-RTT due to the potential security risks.  Unless your application or service is highly latency sensitive, the new option is simply not worth the security risk.

Another concern is that TLS v1.3 is backward compatible to TLS v1.2 to allow for interoperability with legacy clients and servers during the transition to the new standard. It’s important to configure the security settings to ensure fallback to TLS v1.2 uses higher security standards. Organizations should disable lower cryptographic algorithms to prevent security breaches such as man-in-the-middle attacks. Select strong cipher suites, including ones that leverage elliptic curve key exchange, use large asymmetric keys, and implement PFS.

Testing is also crucial. The change to TLS v1.3 may be disruptive, and it’s important to discover and address issues proactively. Businesses should test for interoperability, security, and performance in a combined, holistic manner. Use a realistic load, generating, inspecting, and processing appropriate levels of encrypted traffic. Validate how internal and external users will interact with your systems and consider what this change in encryption may mean for an employee, customer, partner, or any other relevant stakeholder. You also have to test all clients—including mobile devices and tablets, and the entire network infrastructure, such as identity and access management systems, firewalls, web proxies, etc.

Jim Carroll, OND: How can Spirent help with the transition to TLS v1.3?

David DeSanto: Spirent added functional security testing for TLS v1.3 to its industry-leading CyberFlood product line in July of 2017 when adding TLS v1.3 support to its Advanced Fuzzing solution.  This allowed protocol developers, QA teams, and security researchers to confirm the stability and reliability of the TLS v1.3 implementations they have built or are validating.  This includes hunting for software defects within the implementation, which could lead to software vulnerabilities.

We entered the market one year ago and extended our TLS v1.3 support in February of this year when we added performance security testing for TLS v1.3 to our CyberFlood product line. Spirent’s goal is to provide thought leadership and be a partner to allow customers to launch new solutions with confidence in network functionality, performance, and security at scale.  Others are now following our lead in providing solutions to help enterprises validate their security posture. 

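The two configuration points David raises above, restricting the TLS v1.2 fallback to forward-secret suites and not trusting replayable 0-RTT data, as an added example that is not part of the interview or of Spirent's products. It assumes Python 3.7+ linked against OpenSSL 1.1.1 or later; EarlyDataGuard is a hypothetical policy layer, since CPython's ssl module exposes no early-data API of its own.

```python
"""Hardened TLS v1.2 fallback plus a 0-RTT replay policy (constructed demo)."""
import ssl
import time
from collections import OrderedDict


def hardened_server_context(certfile=None, keyfile=None):
    """Server context: TLS 1.3 allowed, TLS 1.2 fallback restricted to
    forward-secret (ECDHE) AEAD suites; SSL/TLS 1.0/1.1 and static-RSA
    key exchange are never negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # floor for the fallback
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression leaks
    # OpenSSL cipher string for TLS 1.2: ECDHE key exchange only, AEAD only.
    # TLS 1.3 suites are governed separately and are always (EC)DHE + AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def non_pfs_suites(ciphers):
    """Audit SSLContext.get_ciphers() output: return the names of TLS 1.2
    suites whose key exchange lacks forward secrecy or that are not AEAD."""
    bad = []
    for c in ciphers:
        if c["protocol"] == "TLSv1.3":
            continue
        forward_secret = "dhe" in c["kea"].lower()   # kx-ecdhe/kx-dhe, not kx-rsa
        if not (forward_secret and c["aead"]):
            bad.append(c["name"])
    return bad


class EarlyDataGuard:
    """Hypothetical policy layer for 0-RTT data.  CPython's ssl module has
    no early-data API (so a Python server never accepts 0-RTT); this models
    what a stack that does accept it should enforce: only idempotent
    requests, and each early-data flight identity (e.g. the ticket plus
    ClientHello random) honoured once within the ticket lifetime."""
    IDEMPOTENT = frozenset({"GET", "HEAD", "OPTIONS"})

    def __init__(self, ticket_lifetime=7200.0):
        self.lifetime = ticket_lifetime
        self.seen = OrderedDict()          # flight identity -> first-seen time

    def _expire(self, now):
        # Entries are inserted in time order, so the oldest is always first.
        while self.seen and next(iter(self.seen.values())) + self.lifetime < now:
            self.seen.popitem(last=False)

    def accept(self, identity, method, now=None):
        """True if the early-data request may be processed; False means the
        server must discard it and make the client retry after the handshake."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        if method.upper() not in self.IDEMPOTENT:
            return False                   # state-changing: a replay would repeat it
        if identity in self.seen:
            return False                   # same flight already honoured: replay
        self.seen[identity] = now
        return True
```
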

Google expands its cloud database capabilities

Google Cloud Platform (GCP) is expanding its portfolio of managed database services and announcing new cloud partnerships. Here are the highlights:

  • Oracle workloads are now supported in GCP
  • SAP HANA workloads can run on GCP persistent-memory VMs
  • Cloud Firestore is launching for all users developing cloud-native apps. Cloud Firestore, which is a serverless, NoSQL document database, brings the ability to store and sync app data at global scale.
  • Regional replication and a visualization tool are now available for Cloud Bigtable, which is a high-throughput, low-latency, and massively scalable NoSQL database.
  • Cloud Spanner updates, by popular demand
  • GCP is partnering with Intel and SAP to offer Compute Engine virtual machines backed by the upcoming Intel Optane DC Persistent Memory for SAP HANA workloads. GCP is scaling up its instance size roadmap for SAP HANA production workloads from a max of 4TB currently to 12TB of memory by next summer, and 18TB of memory by the end of 2019.
  • Google Compute Engine gains additional resource-based pricing options. With resource-based pricing, Google will add up all the resources you use across all your machines into a single total and then apply a usage discount. 

euNetworks brings data center interconnect to Dublin and Hilversum

euNetworks completed network investment projects in Ireland and the Netherlands.

In Ireland, euNetworks’ dc connect solution is now enabled in Dublin, giving customers access to an interconnected network of near instant capacity between 15 data centres in the city.
In the Netherlands, Hilversum has also been enabled with dc connect, supporting existing media clients in the region. euNetworks’ dc connect solution is available across the Netherlands, in Amsterdam, Rotterdam, Utrecht and now Hilversum, with pre-deployed capacity to 34 data centres in-country.

euNetworks first rolled out dc connect in London in 2014. Since then, the solution has been added to 8 of the company’s 14 fibre based city networks including Frankfurt, Paris, Manchester, Amsterdam, Utrecht, Rotterdam, and through key sites in Switzerland. Further euNetworks cities will follow as dc connect’s pre-deployed capacity delivers simple and seamless connectivity to customers, with a 20 day working day delivery SLA commitment between data centres in these locations.

“We invest in our network and deploy capital to provide high bandwidth scalable connections in the markets in which we operate,” said Jennifer Smith, Chief Financial Officer of euNetworks. “We have owned and operated a fibre network in Dublin for a number of years. The acquisition of Inland Fibre in 2015 added a number of unique features to our footprint, with routes along canalways, diversity options to key data centres as well as access to business parks. Enabling dc connect in Dublin for our customers offers further service differentiation and support as the demand for rapid turn up of high bandwidth services between data centres, including hyperscale facilities, continues.”

Facebook posts weaker financials, stock tanks

Facebook reported weaker than expected financials and trimmed its guidance for the rest of the year. Daily average usage in Europe appears to have peaked, perhaps as fallout from its troubles with user privacy.

Some Facebook metrics for Q2:

  • Daily active users (DAUs) – DAUs were 1.47 billion on average for June 2018, an increase of 11% year-over-year.
  • Monthly active users (MAUs) – MAUs were 2.23 billion as of June 30, 2018, an increase of 11% year-over-year.
  • Mobile advertising revenue – Mobile advertising revenue represented approximately 91% of advertising revenue for the second quarter of 2018, up from approximately 87% of advertising revenue in the second quarter of 2017.
  • CAPEX – Capital expenditures for the second quarter of 2018 were $3.46 billion.
  •  Cash and cash equivalents and marketable securities – Cash and cash equivalents and marketable securities were $42.31 billion at the end of the second quarter of 2018.
  • Headcount – Headcount was 30,275 as of June 30, 2018, an increase of 47% year-over-year.

Why MEF 3.0?

In terms of network services, customers want simplicity and agility to transform their own businesses.  MEF 3.0 presents a massive opportunity to standardize the automation of services, says Aamir Hussain, EVP and CTO, CenturyLink.

Filmed at the MEF Members' Annual Meeting in Nashville.

See video:  https://youtu.be/jYUPE8pVVtM

Extending MEF's Scope to Layer 1 Services

MEF is extending its service definition work to Layer 1, which is often referred to as wavelength or optical services. Several client protocols are supported, including Ethernet, Fibre Channel, SONET/SDH. David Martin, Senior Systems Engineer, IP/Optical Networking, Nokia, discusses the advantages of this approach.

Filmed at the MEF Annual Members Meeting in Nashville.

See video: https://youtu.be/pZZaQK4Jrvg

Layer 1 Transport API interoperability demo -- MEF, ONF, and OIF

The recently concluded MEF-ONF-OIF interoperability demo focused on the Software-Defined Networking (SDN) Transport Application Programming Interface (T-API).

NEC's Karthik Sethuraman and CenturyLink's Jack Pugaczewski provide an overview of the demo. A proof-of-concept (PoC) on this topic will be presented at #MEF18.

See video: https://youtu.be/kahW_dxoBSk
Qualcomm drops NXP acquisition, announces $30B buyback

Having failed to gain regulatory approval from China, Qualcomm abandoned plans to acquire NXP Semiconductor. The original purchase agreement was announced on October 27, 2016. Qualcomm subsequently raised its offer to approximately US$44 billion. The deal gained regulatory approval in the U.S., the European Union, and other regions; however, the authorities in China expressed concern over the effect on competition and ultimately neither approved nor blocked the deal.

Separately, Qualcomm reported revenue of $5.6 billion for its fiscal third quarter ended June 24, 2018.

“We reported results significantly above our prior expectations for our fiscal third quarter, driven by solid execution across the company, including very strong results in our licensing business,” said Steve Mollenkopf, CEO of Qualcomm Incorporated. “We intend to terminate our purchase agreement to acquire NXP when the agreement expires at the end of the day today, pending any new material developments. In addition, as previously indicated, upon termination of the agreement, we intend to pursue a stock repurchase program of up to $30 billion to deliver significant value to our stockholders.”

Qualcomm said that its results have been negatively impacted by its dispute with Apple and its contract manufacturers (who are Qualcomm licensees).

The company did not record revenues in the first nine months of fiscal 2018 or the third or fourth quarter of fiscal 2017 for royalties due on sales of Apple’s products. Qualcomm said it expects the actions taken by these companies to continue until these disputes are resolved.

Qualcomm to Acquire NXP -- Engines for the Connected World

Qualcomm agreed to acquire all of the issued and outstanding shares of NXP for $110.00 per share in cash, representing a total enterprise value of approximately $47 billion. The deal will be financed through cash on hand and $11 billion in new debt. The companies expect total annualized synergies of $500 million within two years of close.

NXP Semiconductors N.V., which is headquartered in Eindhoven, Netherlands, employs approximately 45,000 people in more than 35 countries and is known for its mixed-signal semiconductor electronics. The company was known as Philips Semiconductor prior to 2006.

Key markets include automotive, broad-based microcontrollers, secure identification, network processing and RF power. NXP has a broad customer base, serving more than 25,000 customers through its direct sales channel and global network of distribution channel partners.

For Q3 2016, NXP reported revenue of $2.469 billion, up 4.4% over a year ago, and GAAP gross profit of $1.184 billion, up 7.7% over a year ago.

The combined company is expected to have annual revenues of more than $30 billion, serviceable addressable markets of $138 billion in 2020 and leadership positions across mobile, automotive, IoT, security, RF and networking.

F5's quarterly revenue rises 4.7% yoy to $542 million

F5 Networks reported revenue of $542.2 million for its third quarter of fiscal 2018, up 4.7% from $517.8 million in the third quarter of fiscal 2017.

F5 cited growth with its software solutions and services business.

GAAP net income for the third quarter of fiscal 2018 was $122.7 million, or $1.99 per diluted share, compared to $97.7 million, or $1.52 per diluted share in the third quarter of fiscal 2017.

“I’m pleased with results for the third quarter,” said François Locoh-Donou, F5 President and Chief Executive Officer. “We continue to see momentum in our security and software business, traction in our public cloud offerings and customer excitement around new multi-cloud application solutions like BIG-IP Cloud Edition.

F5 also announced the appointment of Chad Whalen to Executive Vice President, Worldwide Sales. He was promoted from his role running F5’s worldwide cloud sales team, where he was responsible for the company’s global public cloud sales strategy, program development and execution. Prior to F5, he served as VP of Global Alliances and Cloud Services at Fortinet and the GM/VP of North America Field Operations.

BT to transfer 31,000 employees to Openreach

BT Group is seeking consultations with unions and employees regarding the transfer of 31,000 employees into Openreach, which will soon be a fully independent company. The goal is to complete the transfer on 1 October 2018.

BT said it is making progress in creating the separate legal entity Openreach Limited, with its own independent board and strategy.

“We are absolutely committed to giving Openreach greater strategic independence and ensuring it delivers the connectivity and service that homes and businesses across Britain need," stated BT Group chief executive Gavin Patterson.

SpaceX launches 19 Iridium NEXT satellites

SpaceX successfully launched ten Iridium NEXT satellites from Vandenberg Air Force Base in California. This is the seventh of eight planned launches of Iridium NEXT satellites by SpaceX, bringing the total number of Iridium NEXT satellites in space to 65.

All 10 satellites for this mission will be deployed to Iridium orbital plane number 5, where they will go into operation immediately following a thorough testing and validation process.  The Iridium network is comprised of six polar orbiting planes, each containing 11 operational crosslinked satellites, for a total of 66 satellites in the active constellation. Once all the satellites from the Iridium-7 mission are operational, plane 5 will be the fourth orbital plane to be comprised entirely of Iridium NEXT satellites.  In total, 81 Iridium NEXT satellites are being built, with 66 in the operational constellation, nine serving as on-orbit spares and six serving as ground spares.

Iridium NEXT is the company's $3 billion, next-generation, mobile, global satellite network scheduled for completion in 2018.  Iridium NEXT is replacing the company's first generation global constellation in one of the largest technology upgrades ever completed in space.  It represents the evolution of critical communications infrastructure that governments and organizations worldwide rely on to drive business, enable connectivity, empower disaster relief efforts and more.

http://www.IridiumNEXT.com

ROOT Data Center expands in Montréal

ROOT Data Center will build a third data center at its MTL-R1 La Salle campus in Montreal. MTL-R1B is a greenfield development that will create an additional 10MW of power capacity.

The company says roughly 20 percent of the new facility’s capacity has been pre-sold prior to beginning construction.

This new build follows the recent announcement of an additional 6MW at ROOT’s MTL-R2 facility.

ROOT noted that its Montréal facility uses nearly 100% hydro-electrically generated energy.

Rescale raises $32 million for HPC in the cloud

Rescale, a start-up based in San Francisco, raised $32 million in Series B funding for its enterprise cloud solutions.

Rescale specializes in "enterprise big compute in the cloud." The idea is to transform on-premise HPC systems by enabling access to the world's largest high performance computing infrastructure in the cloud. Rescale offers access to global data centers, the very latest HPC hardware and a complete library of engineering, scientific and mathematical software.

Initialized Capital, Keen Venture Partners and SineWave Ventures led the Series B funding round joining a group of more than 30 existing and new investors in Rescale including Sam Altman, Jeff Bezos, Richard Branson, Chris Dixon, Paul Graham, Ken Hao, Adam Smith, Peter Thiel, Steve Westly, Data Collective, ITV Ventures, Jump Capital, M12 (formerly Microsoft Ventures), Mitsubishi UFJ Capital, Quiet Capital, Streamlined Ventures, Translink Capital, Two Roads Group and Y Combinator.

Rescale has now raised $52 million in total.

http://www.rescale.com

C Spire picks Siklu for mmWave backhaul

C Spire has selected Siklu's multi-gigabit wireless technology to backhaul high-speed internet service to thousands of homes and businesses in Mississippi.

C Spire is using Siklu solutions to extend existing fiber optic assets for last mile connections in neighborhoods and business districts in over 150 Mississippi towns and communities.

Siklu's point-to-point and point-to-multipoint radios operate in the uncongested 60 GHz and 70-80 GHz mmWave bands and can deliver interference-free connections up to 10 Gbps.

"As a leader in mmWave solutions, we're excited to work with C Spire to provide 5G fixed wireless connectivity, which enables them to offer affordable, high-speed internet access to more customers," said Siklu CEO Eyal Assa.  "With our virtually interference-free technology, this network will provide years of reliable service in the future."