December 20, 2012 archive

Routing

ENISA Report: Resilience of the Internet Interconnection Ecosystem

Seeking to understand routing resiliency and routing security? In this April 2011 report, “Inter-X: Resilience of the Internet Interconnection Ecosystem
“, the European Network and Information Security Agency (ENISA) provides an extremely thorough understanding of the complex ecosystem of connections between networks.

This document is highly recommended to anyone looking to understand how the Internet operates – and where there are opportunities for improvement.

As noted on the introductory web page, the study:

…looks at the resilience of the Internet interconnection ecosystem. The Internet is a network of networks, and the interconnection ecosystem is the collection of layered systems that holds it together. The interconnection ecosystem is the core of the Internet, providing the basic function of reaching anywhere from everywhere.

where “resilience” is defined as:

the ability to provide and maintain an acceptable level of service in the face of various faults and challenges to normal operation.

The comprehensive study outlines the challenges to both measuring the infrastructure of the Internet and to understanding the resilience of the network.  A key point is:

There may well not be an immediate cause for concern about the resilience of the Internet interconnection ecosystem, but there is cause for concern about the lack of good information about how it works and how well it might work if something went very badly wrong.

The report sets out to capture a good bit of that information and to lay out recommendations about how further work may be undertaken.  The document is available in two versions:

  • a 31-page “Executive Summary” report (PDF) that presents the major findings and recommendations and provides a decent tutorial into the issues and challenges.
  • a 239-page “Full” report (PDF) that goes into great detail about the “state of the art” with regard to routing and Internet interconnections, includes a section about how the report was developed and then includes a lengthy bibliography that is very useful in and of itself.

While originating in Europe, the document and its recommendations are globally applicable.

For a taste of the document, here is the table of contents of the Executive Summary report:

1 Summary

  • 1.1 Scale and Complexity
  • 1.2 The Nature of Resilience
  • 1.3 The Lack of Information
  • 1.4 Resilience and Efficiency
  • 1.5 Resilience and Equipment
  • 1.6 Service Level Agreements (SLAs) and ‘Best Efforts’
  • 1.7 Reachability, Traffic and Performance
  • 1.8 Is Transit a Viable Business?
  • 1.9 The Rise of the Content Delivery Networks
  • 1.10 The “Insecurity” of BGP
  • 1.11 Cyber Exercises on Interconnection Resilience
  • 1.12 The “Tragedy of the Commons”
  • 1.13 Regulation

2 Recommendations

  • Incident Investigation
  • Data Collection of Network Performance Measurements
  • Research into Resilience Metrics and Measurement Frameworks
  • Development and Deployment of Secure Inter‐domain Routing
  • Research into AS Incentives that Improve Resilience
  • Promotion and Sharing of Good Practice on Internet Interconnections
  • Independent Testing of Equipment and Protocols
  • Conduct Regular Cyber Exercises on the Interconnection
  • Infrastructure
  • Transit Market Failure
  • Traffic Prioritisation
  • Greater Transparency – Towards a Resilience Certification Scheme

More information about the report can be found on the ENISA web site.

Call For Presenters – ICANN DNSSEC Deployment Workshop, April 10 in Beijing

Do you have some DNSSEC deployment experience you would like to share with the broader community? Could you present a case study of how you deployed DNSSEC resolvers within your network?  Have you created a new tool that automates or simplifies the usage of DNSSEC?

On April 10, 2013, there will be another “DNSSEC Deployment Workshop” at ICANN 46 in Beijing, China.  The recent DNSSEC workshop at ICANN 45 in Toronto was outstanding and had an excellent collection of case studies, statistics, new tools and more.

The program committee for the ICANN 46 workshop in Beijing has now issued a call for presentations and is seeking speakers on a variety of DNSSEC-related topics.  The full call for presenters is included below.

The deadline for submitting a proposal is JANUARY 15, 2013!

As noted below, you only need to send in a brief couple of sentences about what you would like to speak about.  If accepted you will then need to send in more information, slides, etc.  You need to send your proposal to dnssec-beijing@shinkuro.com by January 15th.

In full disclosure, I’ll note that I will be joining the program committee and so I will be one of the group of people reviewing proposals.  These events have turned out to be an excellent place for a gathering of the DNSSEC community and I would strongly encourage you to consider submitting a proposal!

As far as logistics go, attendance at ICANN 46 is free… you just need to get yourself to Beijing and pay for lodging, etc.  If you have never been to an ICANN meeting, the entire week is quite a fascinating view into the governance of domain names.

And here is the full call for presenters…


The DNSSEC Deployment Initiative, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), is planning a DNSSEC Workshop at the ICANN meeting in Beijing, China on 10 April 2013.  The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.  For reference, the most recent session was held at the ICANN Toronto meeting on 17 October 2012. The presentations and transcripts are available at http://toronto45.icann.org/node/34375.

We are seeking presentations on the following topics:

1.  DNSSEC Activities in Asia Pacific

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in the Asia Pacific region as well as those who have a keen interest in the challenges and benefits of deployment.  Key questions are to consider include: What would help to promote DNSSEC deployment?  What are the challenges you have faced when you deployed DNSSEC?

2. The Operational Realities of Running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What’s best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? Has DNSSEC made DNS more ‘brittle’ or is it just a run-of-the-mill operational practice? What operational statistics have we gathered about DNSSEC? Is it changing DNS patterns? How are our nameservers handling DNSSEC traffic? Is the volume as expected? Have we seen anything unusual?  Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

3.  DNSSEC and Enterprise Activities

DNSSEC has always been seen as a huge benefit to organizations looking to protect their identity and security on the Web. Large enterprises are an obvious target for DNS hackers and DNSSEC provides an ideal solution to this challenge. This session aims to look at the benefits and challenges of deploying DNSSEC for major enterprises. Topics for discussion:

  • What is the current status of DNSSEC deployment among enterprises?
  • What plans do the major enterprises have for their DNSSEC roadmaps?
  • What are the challenges to deployment for these organizations?  Do they foresee raising awareness of DNSSEC with their customers?

4. When Unexpected DNSSEC Events Occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

5.  Preparing for Root Key Rollover
For this topic we are seeking input on issues relating to root key rollover.  In particular, we are seeking comments from vendors, ISPs, and the community that will be affected by distribution of new root keys

6.  DNSSEC: Regulative, Legislative and Persuasive Approaches to Encouraging Deployment

There are many models in discussion for encouraging the take-up of DNSSEC amongst TLDs. In some jurisdictions we have seen governmental edicts insisting that DNSSEC is deployed across a Top Level Domain. In others, we have seen reports produced for governments highlighting the lack of take up and the need for tighter control amongst operators. Recently, we have witnessed the consideration  of mandated DNSSEC signing of zones by some TLDs in order to gain access to newer premium domains.  Have any of these approaches worked in encouraging take up of DNSSEC? What role does a national government have in assisting deployment of DNSSEC? How are some of these measures perceived by registrars, DNS operators, ISPs and registrants?

7. DANE and Other DNSSEC Applications

Using DNSSEC as a means of authentication for http transactions is an exciting development of DNSSEC. What is the progress of the DNS-Based Authentication of Named Entities (DANE) initiative?  How soon could DANE become a deployable reality and what will be the impact of such a deployment, e.g. impact on traditional certification authorities (CAs)?

8.  Use of DNSSEC in the Reverse Space

This topic includes signed reverse zones, security products using reverse DNS lookup for DNSSEC validation?

9.  The Great DNSSEC Panel Quiz

Ever fancied pitting your wits against your colleagues?  Demonstrate your knowledge and expertise in DNSSEC in our Great DNSSEC Panel Quiz.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-beijing@shinkuro.com by 15 January 2013.