October 24, 2014 archive

Somehow Friday seems to have snuck up on me…

Internet Society Posting Updates from ITU Plenipot 2014 in Busan (Featured Blog)

If you are, like me, not in Busan, South Korea, for the 2014 ITU Plenipotentiary Conference but are curious about what is going on there, my Internet Society colleagues on our public policy team have been posting regular updates to the Internet Society's blog and to the @ISOCPolicy Twitter account... Given that I work in the technology side of Internet Society's work and don't have the cycles to keep up to date with everything going on there in Busan, I've found these updates very helpful in understanding some of the major events happening at the ITU Plenipot 2014.

DNSSEC Is A Building Block, Not A Magic Bullet

Speaking at the Broadband World Forum (BBWF) in Amsterdam this week, our CITO Olaf Kolkman was quoted making a key point we’ve been emphasizing throughout our work:

“There is no magic solution to any cyber security or internet security type of threat. But there are a number of building blocks that are promising.”

They include domain name system security extensions (DNSSEC), which help to secure certain kinds of information on networks.

“But they’re building blocks, they’re not magic bullets,” he said.

Exactly!

When we speak about DNSSEC, TLS or BGP security, detractors often respond immediately with “But it doesn’t do ______”, which in their minds disqualifies the technology from further use. Often this is said even though DNSSEC, TLS or BGP security was never intended to do whatever it is they want. They simply expect the technology to magically do it all!

For example, with DNSSEC some people immediately say “but it doesn’t protect the confidentiality of your DNS queries!” Well, no, it was never intended to. DNSSEC is entirely about protecting the integrity of the answers to your DNS queries, i.e. ensuring that the information you receive from DNS is identical to what the operator of the domain put into DNS. That’s it. Confidentiality of DNS queries is something completely different! (And it is now being discussed by the new DPRIVE working group inside the IETF.)
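To make the integrity-not-confidentiality point concrete, here is an added example (not code from the original post or from the Internet Society) modelling one link of the DNSSEC chain of trust: the parent zone publishes a DS record, which is a hash over the child zone's DNSKEY, and a validating resolver recomputes that hash and compares. The zone name and key bytes are constructed placeholders, not a real key; the wire formats and key-tag arithmetic follow RFC 4034.

```python
# Added example (not from the original post): a minimal model of the DNSSEC
# delegation check that a validating resolver performs. The parent zone
# publishes a DS record, which is a hash over the child zone's DNSKEY; the
# validator recomputes the hash and compares. Every input here is plaintext,
# which is the point of the post: integrity, not confidentiality.
# The zone name and key bytes are CONSTRUCTED placeholders, not real data.
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the empty root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 appendix B): a 16-bit checksum used to select the
    right DNSKEY when a zone publishes several. Not valid for algorithm 1 (RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest (RFC 4034 section 5.1.4): hash(owner name in wire form | DNSKEY RDATA).
    Digest type 2 is SHA-256; type 4 (RFC 6605) is SHA-384."""
    digest_fn = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return digest_fn(name_to_wire(owner) + rdata).digest()


def ds_matches(owner: str, rdata: bytes, published: bytes, digest_type: int = 2) -> bool:
    """What the validator does at the delegation point: recompute and compare."""
    return hmac.compare_digest(ds_digest(owner, rdata, digest_type), published)


# Constructed sample: a KSK (flags 257 = ZONE|SEP), protocol 3, algorithm 13
# (ECDSAP256SHA256). A real P-256 key is 64 bytes; these 8 bytes are a placeholder.
ZONE = "example.com."
SAMPLE_KEY = bytes(range(1, 9))
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, SAMPLE_KEY)


def demo() -> dict:
    """Parent publishes DS over the genuine key; then check a genuine and a tampered DNSKEY."""
    published_ds = ds_digest(ZONE, SAMPLE_RDATA)  # what the parent zone serves
    tampered = dnskey_rdata(257, 3, 13, SAMPLE_KEY[:-1] + b"\xff")  # one key byte altered
    return {
        "key_tag": key_tag(SAMPLE_RDATA),
        "genuine_ok": ds_matches(ZONE, SAMPLE_RDATA, published_ds),
        "tampered_ok": ds_matches(ZONE, tampered, published_ds),
        # Nothing above was encrypted: the public key is read straight back out of the RDATA.
        "key_visible": SAMPLE_RDATA[4:] == SAMPLE_KEY,
    }


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

The tampered DNSKEY fails the DS check while the genuine one passes, yet every byte involved (owner name, flags, algorithm, public key) is visible to anyone on the path. That is exactly the division of labour the post describes: DNSSEC answers "is this the data the zone operator published?", and nothing else.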

And by being a smaller building block, DNSSEC can be built upon to bring about powerful new innovations such as the DANE protocol, where we can add an additional layer of trust to TLS / SSL certificates and interactions.

What has made the Internet work so well on a technical level and evolve into the amazing communications medium that it has become is the fact that it is built from small building blocks that are then loosely coupled together in ways that make sense.

Building blocks, not magic bullets!

P.S. And if you want to get started with security building blocks like DNSSEC, please visit our Start Here page!

New RFC 7381: Enterprise IPv6 Deployment Guidelines

Would you like guidelines for how IPv6 can best be deployed in an enterprise environment?  Yesterday the IETF published a new informational RFC 7381, “Enterprise IPv6 Deployment Guidelines”, available at:

https://tools.ietf.org/html/rfc7381

The abstract for the document reads:

Enterprise network administrators worldwide are in various stages of preparing for or deploying IPv6 into their networks. The administrators face different challenges than operators of Internet access providers and have reasons for different priorities. The overall problem for many administrators will be to offer Internet-facing services over IPv6 while continuing to support IPv4, and while introducing IPv6 access within the enterprise IT network. The overall transition will take most networks from an IPv4-only environment to a dual-stack network environment and eventually an IPv6-only operating mode. This document helps provide a framework for enterprise network architects or administrators who may be faced with many of these challenges as they consider their IPv6 support strategies.

The document then goes on to outline several phases of IPv6 deployment within an enterprise.  The Table of Contents gives a good sense of what is in the document:

1. Introduction
   1.1. Enterprise Assumptions
   1.2. IPv4-Only Considerations
   1.3. Reasons for a Phased Approach
2. Preparation and Assessment Phase
   2.1. Program Planning
   2.2. Inventory Phase
      2.2.1. Network Infrastructure Readiness Assessment
      2.2.2. Application Readiness Assessment
      2.2.3. Importance of Readiness Validation and Testing
   2.3. Training
   2.4. Security Policy
      2.4.1. IPv6 Is No More Secure Than IPv4
      2.4.2. Similarities between IPv6 and IPv4 Security
      2.4.3. Specific Security Issues for IPv6
   2.5. Routing
   2.6. Address Plan
   2.7. Tools Assessment
3. External Phase
   3.1. Connectivity
   3.2. Security
   3.3. Monitoring
   3.4. Servers and Applications
   3.5. Network Prefix Translation for IPv6
4. Internal Phase
   4.1. Security
   4.2. Network Infrastructure
   4.3. End-User Devices
   4.4. Corporate Systems
5. IPv6 Only
6. Considerations for Specific Enterprises
   6.1. Content Delivery Networks
   6.2. Data Center Virtualization
   6.3. University Campus Networks
7. Security Considerations
8. Informative References

The document is well worth reading for anyone involved with enterprise networks, and we’ll be adding it to our “IPv6 for Enterprises” page soon.  We’d encourage you to read RFC 7381 and share it with others.  Please also check out the other resources available for enterprises looking to make the move to IPv6.