Tomáš Kirňák: Intro to non-WiFi wireless protocols

Last year, Tomáš Kirňák opened the event with his talk on the principles of wireless data transmission using Wi-Fi. This year, he prepared an introduction to other wireless technologies that focus on different properties of data transmission.

HaLow

HaLow is essentially Wi-Fi operating in lower frequency bands below one gigahertz. It follows the 802.11ah standard, so it is still Wi-Fi, but with different parameters. “We sacrifice speed but gain range, energy efficiency, lower cost, and support for up to thousands of clients on a single SSID.”

The used bands vary depending on regulatory domains. In the United States, up to 21 MHz of spectrum is available, which can be divided into channels of different widths. In Europe, we only have 4 MHz available, which can be used either as one wide channel or four narrower ones. “Depending on modulation, the widest channel allows data rates from 1.5 up to 25 Mbps.”

Such a protocol is suitable for large numbers of sensors, warehouse radios, and monitoring vehicles on farms or in mines. “A farm can cover many square kilometers, and a single access point in the middle can communicate with all nearby devices.” HaLow propagates well over water surfaces and allows the creation of large-scale networks for smaller volumes of transmitted data.

Another advantage is low cost; for example, PCIe cards from Speed studio cost 5 to 15 euros, while standalone devices cost 50 to 70 euros. An advantage is that the standard IP layer is used here, just like with Wi-Fi. “For us network engineers, this is probably the most friendly protocol.”

Z-Wave

This is no longer Wi-Fi, and the physical layer is fully proprietary. “It is a classic IoT network for sensors, controllers, monitoring, and similar uses.” Depending on the generation, data rates from 9.6 up to 100 Kbps can be expected. The main characteristics are long range, low battery requirements, resistance to interference, and mesh support. “Routing is available at lower layers, where devices can forward messages for others.” This makes it possible to achieve distances of up to kilometers.

The foundation of the network is the primary controller, which manages the entire network, along with individual nodes with specific roles. “They can forward individual messages and use hop limits.” This also solves the problem of loops, ensuring that even under heavy load the network is not overwhelmed by a broadcast storm.

The control unit costs between 20 and 60 euros, and hundreds of different devices and sensors for home automation can be purchased in many stores.

Zigbee

Zigbee is an evolution of the original Z-Wave standard. “It is still mesh, well scalable, but more open.” It has versioned features similar to Wi-Fi, but remains both forward and backward compatible. The physical layer is defined by the 802.15.4 standard. Only one central coordinator is supported in each network.

This standard focuses on improving upon Z-Wave. It can operate at 2.4 GHz or 868 MHz. It is more scalable and less demanding on battery power. “Please do not buy anything older than Zigbee 3.0, which introduced many improvements.”

The biggest problems when deploying Zigbee arise during configuration of the radio layer. “For example, it is necessary to consider bidirectional communication, meaning both sides must be able to hear each other.” The theoretical limit is eight messages per second, but in practice a typical IoT network carries significantly fewer.

Last year, the Zigbee 4 standard was released, adding support for 868/915 MHz. “If you want to use both 2.4 and 868, you must have a coordinator that supports it.” Just because something is marketed as Zigbee 4 does not necessarily mean it supports both bands.

The center of the network is the coordinator, which acts as a gateway: on one side it uses standard IP and on the other it communicates with Zigbee. Some devices may function as end devices or also as routers. “If some elements cannot see the coordinator directly, they can use an intermediary.”

Thread and Matter

Thread and Matter are a family of protocols for the future of IoT. Thread is the physical layer, while Matter is the control protocol itself. “Its goal is to be better than Zigbee. It has higher resilience at the physical layer and is more open.” Matter runs entirely over IPv6, using link-local addresses.

The physical layer again uses the 802.15.4 standard, creating a mesh network with a limit of eight messages per second. The roles of individual elements are selected automatically within the network, and there may be several of them. “It is a dynamic routing protocol at a lower layer.” There can be multiple leaders, routers, end devices, and border routers for transforming messages into other networks.

The Matter communication protocol can also operate over Ethernet or Wi-Fi. “If I want to have a sensor connected via Wi-Fi, I can, because everything is unified under the Matter protocol.” It is therefore a unifying protocol that enables communication with individual devices.

An advantage is support from many different manufacturers, although there are still significantly fewer devices on the market compared to Zigbee. “These elements will certainly continue to coexist for some time.” Many devices can be software-converted from Zigbee to Matter and vice versa, because the physical layer remains the same.

LoRa

LoRa offers extremely long range, reportedly up to one hundred kilometers. At the same time, it has very high resistance to interference and uses a special modulation called chirp spread spectrum. “It is a very flexible solution that allows the construction of large-scale networks.” LoRa can operate in virtually any band, such as 433 MHz, 868 MHz, or even 2.4 GHz.

Previous solutions provide bidirectional communication, a centralized protocol, predictable latency, and a network that can be tuned. “LoRa does not address this at all — we can have a sensor that broadcasts its status once a day and does not need to care whether anyone received the message.” For some applications, this may be entirely sufficient. LoRa forms the physical layer, above which the LoRaWAN communication protocol can operate.

Andreas Glatz: Basics of Optics for IP Engineers

Most of today’s IP networks depend on optical fibers. Many of the properties of these networks stem from optics itself: capacity, distance, and reliability limits. "This is where the limits of all today’s networks lie, and as network administrators you must know them." Most network problems begin at the physical layer.

An optical fiber consists of a core that carries light, a cladding that prevents it from escaping, and an outer protective layer. "Total internal reflection occurs inside the core, so the light is trapped inside until it reaches the receiver." The core is usually made of silica glass with precisely defined parameters.

The most common types of fiber are multi-mode (MMF) and single-mode (SMF). In the case of multi-mode, the core is larger, with a diameter of about 50 micrometers, and therefore carries the signal along multiple paths, which leads to gradual signal degradation. This limits its use to shorter distances of up to two kilometers. "The advantage is cheaper hardware."

In contrast, single-mode uses a core with a diameter of nine micrometers, which carries the signal along a single path and, with amplifiers, can transmit data over hundreds of kilometers. "However, you need more complex and more expensive optical equipment."

Three types of connectors are most commonly used: LC, SC, and MPO/MTP. The smallest LC connector is the most common today, contains only a single fiber, and is used by most transceivers. The older SC connector is larger and mechanically more durable. MPO stands for Multi-fiber Push On and can contain up to 16 fibers. "In any case, you should keep connectors clean, because even small contamination can cause problems."

It is also necessary to pay attention to the shape of the fiber termination. UPC stands for Ultra Physical Contact, is usually used in blue connectors, and has a flat termination. APC stands for Angled Physical Contact, uses an eight-degree angled termination typically found in green connectors, and has lower back reflection. "Be careful with different connectors, because crossing them will cause physical damage to the termination."

To convert an electrical signal into an optical one, a transmitter is required, and for the reverse conversion, a receiver. The cheapest solutions use LEDs, but they have worse parameters and are suitable only for multi-mode. A more modern solution is VCSEL, which is already a laser suitable for data centers and shorter distances. The most advanced is DBF, used in single-mode and offering long reach and high capacity. "It is required for single-mode and CWDM and DWDM."

Similarly, there are receivers of varying complexity. The simplest use a PIN photodiode, better ones use an Avalanche Photodiode (APD), and the most advanced are coherent receivers using multiple diodes and very advanced signal detection.

Various bands are used for transmitting optical signals, each suitable for different applications. The highest losses occur in the 850 nm band, making it suitable only for short distances. The 1310 nm band is called the O-Band and is suitable for medium distances. The following 1550 nm is the C-Band and has the lowest losses, making it suitable for long distances and DWDM. The 1600 nm band is called the L-Band and allows further capacity increases.

To achieve truly high capacity, it is necessary to use Wavelength Division Multiplexing (WDM). Optical filters allow multiple optical signals to be combined into a single fiber. The CWDM variant allows up to 18 wavelengths spaced 20 nm apart to be transmitted in a single fiber over distances of 80 to 120 kilometers. "It is cheaper than the more advanced DWDM."

DWDM, on the other hand, uses only the C-Band and L-Band, with channels spaced at 0.4 nm, and the solution requires significantly more precise lasers. In the C-Band, there are roughly forty 100 GHz channels.

Signal quality is affected by several optical issues. One of them is loss, which influences the achievable distance of the signal. "Losses are caused both by the fiber itself and by the number of connectors used along the route."

Another issue is dispersion, which causes signal spreading over time. It is caused by different propagation paths (modal dispersion) as well as by color separation of signals (chromatic dispersion). Noise can also significantly contribute to signal degradation, caused by amplifiers, crosstalk, and nonlinear effects at high power levels.

To determine whether a planned link will work at all, it is necessary to consider transmitter power and receiver sensitivity. At the same time, losses in cables, connectors, and individual joints must be taken into account. "It is also necessary to include an appropriate tolerance with respect to aging of all components, temperatures, and future repairs." In practice, planning requires a certain degree of estimation and careful decision-making.

Miroslav Hampl: DNS PATROL – Secure DNS for the Vysočina Region

The Vysočina Region issued a public tender because it needed not only a DNS resolver, but also convenient management, control, monitoring, and analysis of DNS traffic. "The service had to be available to many organizations and had to be easy to use." DNS PATROL is therefore designed as a comprehensive system rather than a collection of tools.

The foundation consists of Knot Resolver, a separate anycast infrastructure, a new web management application, and new client applications for Windows, iOS, and Android. More details can be found on the Dnspatrol.cz website, where tools are available for download under the GNU GPL license.

Within the customer’s internal network, Knot Resolver runs and is used by users. Administrators connect to a web application running at CZ.NIC, where the anycast resolver intended for users outside the home network also operates. "Client applications are configured so that once the user returns to their home network, the application turns off and the user again uses the local resolver."

Approximately thirty new modules had to be written to address specific types of threats as well as various exceptions. The output consists of separate RPZ zones, allowing individual security policies to be defined for different parts of the network. "White lists have higher priority and serve for controlled exceptions and suppression of false positives." The modules are continuously updated and are based on real DNS traffic, passive DNS, threat databases, machine learning, and anomaly detection.

CZ.NIC also creates its own lists of safe domains, including government domains, trusted European and international sources, and manually verified domains. Within the ADAM department, lists of blocked domains are also created, for example based on legislative requirements, suspicious domains, targeted phishing domains, or domains with unethical e-shops.

The administrative portal uses OIDC login at a substantial assurance level. Administrators can have different roles and can monitor the status of individual resolvers, manage subnets, and customize rules for individual networks. "An administrator of one organization sees only activity within their organization and subordinate networks."

The interface displays traffic statistics filtered by time, specific resolver, or record type. "I can look at the most common sources of queries and track them by source country." It is also possible to see the ratio of queries that are allowed, audited, or blocked. "In real operation, the number of blocked domains is below one percent."

Vladimír Smotlacha: Transmission of Precise Time and Frequency Using the White Rabbit System

Precise time is needed in transportation, navigation, power transmission systems, telecommunications, and many other areas. Scientific applications have even higher requirements for precise time. Time transfer and frequency transfer are two different tasks. In the case of frequency, one period is transmitted and the original frequency is obtained at the other end. "Of course, there is some delay and signal distortion, so the quality of the transmission channel must also be addressed." In time transfer, transmission delay must be compensated.

The standard NTP protocol has been used for time transfer for forty years and is based on a structure of existing servers. "Accuracy is stated to be at the millisecond level; over shorter distances it is possible to reach about 100 microseconds." Higher accuracy is not possible due to inaccurate oscillators in computers.

For local transfer in L2 networks, the telecommunications protocol PTP is used, where accuracy is typically around one microsecond, but hardware support in all devices along the path is assumed. "White Rabbit is an extension of PTP and allows accuracy of around one nanosecond." It is worth noting that in that time, light travels about 30 centimeters in a vacuum.

White Rabbit was developed at CERN to synchronize sensors and other equipment in accelerator experiments. Documentation is published under the CERN Open Hardware License, meaning anyone can manufacture the equipment. "There are several commercial manufacturers from whom finished components can be purchased."

In the case of NTP, the client periodically queries the server and calculates its time offset from the result. "This places a relatively high load on the server and assumes full interaction between both sides." With PTP, a master–slave relationship is created, and the master is also active, periodically sending messages. "At longer intervals, both sides verify whether the delay is the same and correct it if necessary."

Better accuracy is achieved by having the source measure the packet transmission time and then sending a new packet with adjusted information about how long the packet was delayed within the device. "Only the delay on the links remains, which is constant and will not change." The same concept is used in the White Rabbit protocol.

White Rabbit is now specified in IEEE-1588 as the new HA (High Accuracy) profile. Devices are built on SFP ports using gigabit optical Ethernet. "Achieving precise values is made possible by synchronized Ethernet SyncE." This ensures the same frequency across the entire network.

Stable delay is required in both directions, so separate fibers or at least dedicated channels are typically used for each direction. Both directions must also have the same length; although this would be the case in a single fiber, using different frequencies would result in different effective lengths.

Precise measurement of phase differences is also required, achieved using DDMTD (Digital Dual Mixer Time Difference) implemented in FPGA. The link model then assumes constant delay on the link.

Tomáš Hála, Lukáš Vacek: DNS Under Control

A non-functioning DNS resolver usually causes a very extensive outage, and after the network itself it should therefore be the second most important element to manage. Requirements for a modern DNS resolver include speed, reliability, high availability, threat filtering, DNSSEC validation, and privacy. "The choice of hardware and software is important."

Hardware selection should not be sized for normal operation but should provide several times higher performance to handle traffic spikes. High availability requires multiple independent instances, whose use depends on the client. "If you have multiple resolvers configured, failure of the first will result in timeouts."

A better solution is, for example, VRRP and keepalived, where servers share a VIP address that can easily be transferred to another resolver in case of problems. "The second resolver becomes the primary one for the given network and continues responding." The drawback of this solution is that the DNS resolver must be restarted with the new address. "This causes a short outage and some delay."

A better solution is IP anycast, where all resolvers use a single shared address and clients query the network-nearest resolver. This can be further improved using VXLAN and anycast VRRP, which allows load distribution and adjustable weighting. It also makes it possible to conserve addresses and use /32 and /128 ranges. "Do not be afraid to use anycast even for resolvers in internal networks."

Threat filtering at the DNS level is controversial, and it is debated whether a resolver should interfere with traffic. "The reality of recent years is that so much problematic activity occurs on the internet that filtering traffic is starting to make sense." Threat filtering is now necessary to meet legal requirements but also protects users from malicious domains.

To prevent abuse of the service, rate limiting must be deployed, and it is beneficial to limit not only incoming but also outgoing traffic. A resolver can otherwise be abused for reflection attacks, DNS floods, DoS, and similar attacks. DNSSEC validation is now considered standard and should be part of every resolver. "We want to prevent the falsification of domain information." Knot Resolver has validation enabled by default and requires no additional configuration.

Almost all internet communication is encrypted today, but DNS often still is not. Knot Resolver allows both DoT and DoH. "However, trusted certificates must be handled and their timely renewal monitored."

Ondřej Surý: DNS Evolution – the New DELEGation

The DNS protocol is very old and uses NS records, which can exist at the zone apex or at the delegation point. "It often happens that these are two different sets of nameservers, which causes various problems." The record content is always a domain name, the server must run on port 53, and no encryption may be used.

Delegation also includes glue records, which are used when nameservers are located in the same domain. "A loop is created there, which is resolved by glue records in the parent zone." This again creates room for errors and desynchronization of changes.

Within the IETF, a proposal for a new standard is being developed that introduces a new record type called DELEG. It is extensible, secure, and appears only once within the entire zone. "The goal is to simplify the entire chain." If a resolver does not understand the new record, it can still use the original NS records.

Two records are added to DNS: the delegation itself in DELEG and a DELEGI record containing additional delegation information. The registry will contain the DELEG record, while the provider will include DELEGI. "If you are a hosting provider with thousands of customers to whom you have delegated your server set, you cannot change it in one place now."

The DELEG record is textual, making it possible to add additional information such as alternative transport protocols, TCP ports, and similar parameters. "If a new protocol arrives, I can improve security for all customers with a single change." With direct delegation, IP addresses can be specified directly and glue records are no longer necessary.

The DELEG standard does not yet exist, but that may change very soon. "Then it will take a long time before implementations appear, and even longer before it starts being used." NS records will remain in use for a long time, with a gradual transition to a more modern alternative. "DNS is like a Cinderella — every change takes a long time. As long as it works, nobody touches it."

Ondřej Surý: Post-Quantum Cryptography for DNSSEC

Current algorithms such as RSA, ECDSA, or Ed25519 rely on mathematical problems that are difficult for classical computers but easy for quantum computers. "Current quantum computers have very few qubits, but the theoretical risk exists." With sufficiently powerful quantum computers, DNSSEC would fail. "Other protocols would of course also have problems, but DNSSEC has its own specifics."

Post-quantum cryptography (PQC) runs on today’s conventional computers, but algorithms are designed to resist attacks from quantum computers. However, DNSSEC faces several challenges with new algorithms. New keys and signatures are often significantly larger than current ones. DNS transmitted over UDP has strict packet size limits due to fragmentation. "The question is how to fit large PQC signatures into small DNS packets without destroying internet performance."

Several new algorithms are being developed, such as HAWK based on lattice problems, SQISign using mappings between elliptic curves over finite fields, and MAYO based on the difficulty of solving systems of multivariable polynomial equations. Key sizes range from 65 to 1420 bytes, while signatures are typically several hundred bytes.

Implementation status varies: HAWK has efficient and compact code, SQISign is unsuitable for external use, and implementations of MAYO and ANTRAG are not yet usable. "If you are a cryptologist, do not write code unless supervised by a software engineer."

Future plans include testing different DNS hierarchy levels, additional algorithms, focusing on patterns of pseudo-random subdomains, enforced re-keying, and similar topics. "When writing DNS software, you must always think like an attacker."

Marian Rychtecký: Matrix – an Open Standard for Secure Communication

Modern communication platforms have several disadvantages: they are centralized, it is unclear how they handle data, and they depend on a single company. "We wanted to address operational chat and internal coordination. We explored several alternatives, and Matrix was one of them." The requirements included an open protocol, federation with other organizations, and encryption outside the server.

Matrix is the name of a federated communication protocol with a defined standard describing how clients communicate with servers, how servers communicate with each other, and how individual events are structured. "It is therefore not the name of any implementation, but a protocol definition." All standards are publicly available, and it is possible to develop custom servers and clients. Everything is built on JSON transmitted over HTTPS.

The Matrix architecture includes a homeserver to which users connect, which stores and forwards events if necessary. Clients then provide the user interface and correct cryptographic functions. Transport uses HTTPS over TCP/443, the application layer uses REST and transmits JSON. A specific implementation can use the Synapse server and clients such as ElementX or FluffyChat. "It depends on which operating system you use and how many clients you have."

Individual events are stored in a graph that is cryptographically linked and cannot be modified. "It is something like a blockchain, where the room state is a deterministic computation derived from events."

Users can use multiple devices that share keys. Each device has its own key, but it is derived from a single central key. "Losing a device does not mean losing identity." All cryptography is handled on the client side; the server does not participate in encryption.

The Megolm algorithm is used for group encryption in rooms, allowing a single key to be created for the entire group of devices. The reason is optimization for large rooms and low overhead. "It is essentially an encryption multicast."

The Synapse server is written in Python and configured using YAML. "Including reading the documentation, installation takes about an hour." LDAP or OAuth2 can be used for user registration, and TCP port 8448 must be enabled for federation.

Matrix development is progressing quickly, but clients are currently the weaker point — ElementX is the most advanced. "Users are accustomed to the comfort of other applications, but they can choose a suitable client themselves." Decentralization also has disadvantages; for example, large rooms require thousands of HTTPS connections to be established. "Joining a room takes significantly longer and can heavily load your server."

Ladislav Loub: How to Draw Network Maps Using NetBox

NetBox serves as a database of various network objects, their coordinates, and interconnections. To display maps and integrate monitoring, Grafana can be used, while the actual rendering is done using standard HTML and JavaScript. NetBox serves as a data structure where the entire network is stored in a reasonable format.

To load data into Grafana, the Infinity plugin can be used, allowing integration with NetBox via the GraphQL API. "It is used only for reading, and we only want to read the data." After formatting the data, another extension called Business Text can be deployed, allowing output rendering using HTML.

In such a rendered map, monitoring data is missing, but this can be retrieved from InfluxDB. The result is the visualization of the same topology, with the additional ability to display link status. "After clicking on a link, it is possible to add statistics about how much data has passed through the link or other information."

Zbyněk Pospíchal: Defending Against IP Spoofing

IP spoofing causes packets to appear in the network whose sender is unknown. "They are well used for reflection or amplification attacks." However, the administrator of the source network is usually not motivated to address the problem because it does not directly affect them. Spoofing means that someone is able to send communication from IP addresses that were not assigned to them.

Unlike BGP hijacking, the attacker does not expect to receive responses. "On the contrary, they expect the responses to reach the target of their attack." Defending against it is very difficult. In the last twenty years, almost nothing has changed in this area. "It’s like during COVID: your mask protects me, my mask protects you."

You can protect the rest of the world by preventing outgoing traffic from your network that uses foreign IP addresses. "It’s also good to prevent traffic from arriving from your own IP addresses." If you have other customers behind you, it is also good to protect them from attacks between each other.

Hardware routers support the uRPF (unicast Reverse Path Filtering) function, which allows checking whether the FIB table contains a route that leads back to the source of the communication via the same interface. "This filtering was also implemented in the Linux kernel, but most small providers don’t know about it." It is enabled by default and usually works. However, if the operator adds a second transit, they are often surprised why everything breaks.

A large provider can use ACLs but must manage their regeneration in case of changes. "How often should they be regenerated? Should they respond to an event, or should they be generated regularly?" Problems also occur at peering centers, where someone may send traffic from another’s addresses. "NIX.CZ doesn’t have this problem because it monitors it via sFlow, but it is rather an exception."

The router has two routing tables: RIB in the control plane and FIB in the data plane. To perform filtering, we would need to look at the RIB, but we work with it very slowly. Therefore, RFC 8704 was created, in which the authors define the EFP-uRPF table, which usually has only a few thousand entries.

However, there is great inertia in this area, and we will wait many years for new devices, software updates, and real deployment. "None of us can solve spoofing, but together it can be confronted." Significant progress in this area was enabled by the Phoenix project, which monitors traffic and informs the respective operator of problems.

Tomáš Košňar, Petr Adamec: Evolution of Network Defense at CESNET

The CESNET association was established in 1996 and connects universities and the Academy of Sciences. It creates a large infrastructure for very diverse networks, which differ in traffic volume, flow characteristics, and, for example, IP address ranges. "At the beginning, we started with ACLs and uRPF like everyone else."

Around 2004, QoS was deployed, but the goal was always not to limit traffic. "They were there just to be safe, but we preferred to always increase the link capacities." Around 2016, experiments with FlowSpec began, in 2019 RPKI was deployed, and in 2020, after a threat and DDoS demonstration, external scrubbing was implemented. Between 2024 and 2026, a DDoS protector developed by CESNET was deployed.

Information about restrictions was available in various places, and it was difficult to determine the current status. Therefore, an internal system called ExaFS was created, into which information was initially manually entered. The FTAS system was then used as a data source, allowing collection of information from many sources. "It could be up to a hundred records per hour, so we deployed an API and started entering it automatically."

Currently, BGP Community and BGP Address Family are automatically fed into the system, and support for ACL is planned. Sources of mitigation rules may vary; besides FTAS, it could be fail2ban, FastNetMon, or manual entry. The result is then distributed to routers via exaBGP.

As a network operator, you want to maintain network functionality and prevent saturation. CESNET tries to relieve users but does not interfere with normal operations, only responding to anomalies. "Unless you agree with the user and they ask you to."

Flow-based monitoring is used for default defense control, collecting data from network devices and custom probes. Initially, NetFlow was collected from border devices into the FTAS system, which managed ExaFS. "It gives an answer to the question of where and through which path it was transferred and roughly what was transferred." However, information about how it was processed and where it was sent is missing.

The key for automation is that everything is resolved quickly. "It is more acceptable to have worse sampling, but the main thing is you need to know about it quickly." It is always some compromise, and timeouts must be kept very low, depending on what each platform allows.

The current model is based on segmentation, where groups of users with similar traffic characteristics are enclosed in VRFs. "We operate on the principle that what is bad for one is bad for all." Such a system is very flexible because any detection tool can control any ExaFS, if it has the rights to do so.