Category: IETF

Deploy360@IETF91, Day 2: UTA, DPRIVE, BGP in ARNP, 6LO and IOT, DNSOP

IETF 91 mic lineFor us at Deploy360, Day 2 of IETF 91 brings a heavy focus on DNSSEC and DNS security in general with both DNSOP and DPRIVE meeting. Today also brings one of the key working groups (UTA) related to our “TLS in Applications” topic area.  There is a key WG meeting related to using  IPv6 in “resource-constrained” environments such as the “Internet of Things” (IoT) … and a presentation in the Internet Research Task Force (IRTF) about BGP security and the RPKI.

These are, of course, only a very small fraction of the many different working groups meeting at IETF 91 today – but these are the ones that line up with the topics we write about here at Deploy360.

Read on for more information…


NOTE: If you are not in Honolulu but would like to follow along, please view the remote participation page for ways you can listen in and participate.  In particular, at this IETF meeting all the sessions will have Meetecho coverage so you can listen, watch and chat through that web interface.  All agenda times are in HST, which is UTC-10 (and five hours earlier than US Eastern time for those in the US). I suggest using the “tools-style” agenda as it has easy links to the chat room, Meetecho and other documents for each session.


In the morning 9:00-11:30 block we once again will be splitting ourselves across multiple working groups.  In Coral 2 will be the “Using TLS in Applications” (UTA) working group looking at how to increase the usage of TLS across applications.  The UTA WG is a key part of the overall work of the IETF in strengthening the Internet against pervasive monitoring and should be quite a well-attended session.  The UTA agenda includes multiple drafts related to TLS and email, a discussion of a proposal around “token binding” and what should be an involved discussion about the TLS “fallback dance”, i.e. what should happen when a TLS connection cannot be made at the requested level of security?

On the topic of UTA, I’ll note that one of the groups main documents, draft-ietf-uta-tls-bcp, a best practice document on “Recommendations for Secure Use of TLS and DTLS“, has a new version out that incorporates all of the feedback received to date.  This document should soon be at the point where it will enter the publication queue.

Meanwhile, over in the Kahili room the 6LO WG will be talking about using IPv6 in “resource-constrained” and low power environments. The work here is important for sensor/device networks and other similar “Internet of Things” (IoT) implementations.   Among the 6LO agenda items are a discussion of using IPv6 in near field communications (NFC) and what should be quite an interesting discussion around the challenges of using different types of privacy-related IPv6 addresses in a constrained environment.

Simultaneously over in Coral 4 will be the open meeting of the Internet Research Task Force (IRTF) and of particular interest will be the presentation by one of the winners of the Applied Networking Research Prize (ANRP) that is focused on BGP security and the Resource Public Key Infrastructure (RPKI).  As the IRTF open meeting agenda lists the abstract:

The RPKI (RFC 6480) is a new security infrastructure that relies on trusted authorities to prevent attacks on interdomain routing. The standard threat model for the RPKI supposes that authorities are trusted and routing is under attack. This talk discusses risks that arise when this threat model is flipped: when RPKI authorities are faulty, misconfigured, compromised, or compelled (e.g. by governments) to take certain actions. We also survey mechanisms that can increase transparency when RPKI authorities misbehave.

The slides for the presentation are online and look quite intriguing!

After that we’ll be spending our lunch time at the “ISOC@IETF” briefing panel that is focused this time on the topic of “Is Identity an Internet Building Block?”  While not directly related to our work here at Deploy360 we’re quite interested in the topic.  I will also be directly involved as I’ll be producing the live video stream / webcast of the event.  You can join in and watch directly starting at 11:45 am HST (UTC-10). It should be an excellent panel discussion!

As I described in my Rough Guide post about DNSSEC, the 13:00-15:00 block brings the first meeting of the new DPRIVE working group that is chartered to develop “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.”  The DPRIVE agenda shows the various documents under discussion – there are some very passionate views on very different perspectives… expect this session to have some vigorous discussion!

In the last 15:20-17:20 meeting block of the day we’ll focus on the DNS Operations (DNSOP) Working Group where the major DNSSEC-related document under discussion will be Jason Livingood’s draft-livingood-dnsop-negative-trust-anchors that has generated a substantial bit of discussion on the dnsop mailing list.  The DNSOP agenda contains a number of other topics of interest, including a couple added since the time I wrote about DNS for the Rough Guide.  The discussion about root servers running on loopback addresses should be interesting… and Brian Dickson (now employed by Twitter instead of Verisign) is bringing some intriguing new ideas about a DNS gateway using JSON and HTTP.

After all of that, they’ll let us out of the large windowless rooms (granted, in the dark of evening) for the week’s Social event that will apparently be a Hawaiian Luau.  After all the time inside it will be a pleasure to end the day in casual conversations outside. Please do look to find us and say hello… and if you are not here in Honolulu, please do join in remotely and help us make the Internet work better!

See also:

Relevant Working Groups

We would suggest you use the “tools-style” agenda to find links to easily participate remotely in each of these sessions.

UTA (Using TLS in Applications) WG
Tuesday, 11 Nov 2014, 900-1130, Coral 2
Agenda: https://tools.ietf.org/wg/uta/agenda
Documents: https://tools.ietf.org/wg/uta
Charter: https://tools.ietf.org/wg/uta/charter

6LO (IPv6 over Networks of Resource-constrained Nodes) WG
Tuesday, 11 Nov 2014, 900-1130, Kahili
Agenda: https://tools.ietf.org/wg/6lo/agenda
Documents: https://tools.ietf.org/wg/6lo
Charter: https://tools.ietf.org/wg/6lo/charter

IRTF (Internet Research Task Force) Open Meeting
Tuesday, 11 Nov 2014, 900-1130, Coral 4
Agenda: http://tools.ietf.org/agenda/91/agenda-91-irtfopen.html
Charter: https://irtf.org/

DPRIVE (DNS PRIVate Exchange) WG
Tuesday, 11 November 2014, 1300-1500 HST, Coral 5
Agenda: https://datatracker.ietf.org/meeting/91/agenda/dprive/
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

DNSOP (DNS Operations) WG
Tuesday, 11 November 2014, 1520-1720 HST, Coral 4
Agenda: https://datatracker.ietf.org/meeting/91/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/


For more background on what is happening at IETF 91, please see our “Rough Guide to IETF 91″ posts on the ITM blog:

If you are here at IETF 91 in Honolulu, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Deploy360@IETF91, Day 1: v6OPS, SIDR, EPPEXT, TRANS

Sunset at IETF 91On the first full day here at IETF 91, we have to leave behind the palm trees of the beautiful welcoming reception (pictured at right) to head indoors for a packed agenda of working group sessions.

For us on the Deploy360 team, this first day hits on three of our major topics:  IPv6, DNSSEC and securing BGP.

A big focus  for our group will be the 4.5 hours of IPv6 Operations (v6OPS) Working Group meetings happening in two blocks today: 9:00-11:30 and then 15:20-17:20 Hawaii Standard Time (HST). As our colleague Phil Roberts noted, IPv6 is everywhere within IETF activity, but the v6OPS sessions are particularly important as IPv6 continues to move into mainstream production and experience real operational deployment.


NOTE: If you are not in Honolulu but would like to follow along, please view the remote participation page for ways you can listen in and participate.  In particular, at this IETF meeting all the sessions will have Meetecho coverage so you can listen, watch and chat through that web interface.  All agenda times are in HST, which is UTC-10 (and five hours earlier than US Eastern time for those in the US).


At the same 9:00-11:30 block as v6OPS in the morning will be the Secure Inter-Domain Routing (SIDR) Working Group that is really the lead working group we’re monitoring for efforts to increase the security of the BGP routing protocol. As Andrei Robachevsky wrote in his Rough Guide post, there is a great amount of work happening with regard to routing security and resiliency and the discussions within SIDR today will contribute to that.

Amazingly, the 13:00-15:00 time block is a quiet one for us (pretty much the only one all week!), although I may wander into the CDN Interconnections (CDNI) working group to check in purely out of my own interest in CDNs.

The 15:20-17:20 block has v6OPS back for its second session, but also has two of the working groups meeting with DNSSEC-related topics going on.  As I described in my Rough Guide post about DNSSEC, the EPPEXT working group will be discussing how to progress a draft about the secure transfer of signed domain names between registrars – and simultaneously the TRANS working group will be looking at the possibility of applying Certificate Transparency (CT) methods to DNSSEC.

In the final 17:30-18:30 meeting block, the TRANS working group will continue their discussions and the GROW working group will also be meeting to discuss route leaks and de-aggregation issues, two major areas that Andrei indicated are of concern to the routing community.

We’ll finish up the day from 18:50-19:50 with the Technical Plenary that will focus on the IAB’s Privacy and Security Program and should be interesting.

All in all it’s going to be a very busy day!  Do note, of course, that all that I’ve mentioned here is just a small part of the overall activity happening at IETF 91 today – these are just the sessions that WE are interested in for the topics we cover here at Deploy360. Please do look to find us and say hello… and if you are not here in Honolulu, please do join in remotely and help us make the Internet work better!

Relevant Working Groups:

v6OPS (IPv6 Operations) WG
Monday, 10 November 900am-1130am, Coral 4
Monday, 10 November 320pm-520pm, Coral 3
Agenda: https://datatracker.ietf.org/meeting/91/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/documents/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/

SIDR (Secure Inter-Domain Routing) WG
Monday, 10 November 2014, 0900-1130 HST, Coral 1
Agenda: https://datatracker.ietf.org/meeting/91/agenda/sidr/
Charter: https://datatracker.ietf.org/wg/sidr/charter/

TRANS (Public Notary Transparency) WG
Monday, 10 November 2014, 1300-1500 HST, Hibiscus
Agenda: https://datatracker.ietf.org/meeting/91/agenda/trans/
Documents: https://datatracker.ietf.org/wg/trans/
Charter: https://datatracker.ietf.org/wg/trans/charter/

EPPEXT (Extensible Provisioning Protocol Extensions) WG
Monday, November 10, 2014, 1520-1720 HST, Lehua Suite
Agenda: https://datatracker.ietf.org/meeting/91/agenda/eppext/
Documents: https://datatracker.ietf.org/wg/eppext/
Charter: https://datatracker.ietf.org/wg/eppext/charter/

GROW (Global Routing Operations) WG
Monday, 10 November 2014, 1730-1830 HST, Coral 4
Agenda: https://datatracker.ietf.org/meeting/91/agenda/grow/
Charter: https://datatracker.ietf.org/wg/grow/charter/


For more background on what is happening at IETF 91, please see our “Rough Guide to IETF 91″ posts on the ITM blog:

If you are here at IETF 91 in Honolulu, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Comments? What Can We Learn From Existing DANE Deployments?

IETF LogoWhat can we learn from existing deployments of the DANE protocol?  As more people start implementing DANE in their applications, are there lessons we can learn to feed back into the standards development process?  What are the barriers people are finding to using DANE? How can we help accelerate the deployment of DANE and DNSSEC?

As I mentioned in my Rough Guide to IETF 91 post and also my post here on Deploy360, I have a short bit of time at the end of the DANE Working Group agenda on next Wednesday, November 12, 2014, to raise these questions and try to get some feedback. To help with that, I wrote an Internet-Draft that you can find at:

https://tools.ietf.org/html/draft-york-dane-deployment-observations

In the document, I outline some of the concerns and issues that I have observed related to DANE deployment, including:

  • Lack of awareness of DANE
  • Challenges creating TLSA records
  • Inability to enter TLSA records at DNS hosting operators
  • Availability of developer libraries
  • Perception that DANE is only for self-signed certificates
  • Performance concerns
  • Cryptographic concerns

I then offered these questions for discussion:

  • What roadblocks are people running into with implementing DANE? (outside of the broader issue of getting DNSSEC validation and signing more widely available) are there lessons we can feed back into our process of developing DANE-related standards?
  • Are there more “Using DANE with <foo>” types of documents that we can or should create? (And who is willing to do so?)
  • Are there some good examples/case studies of DANE implementations that we could perhaps capture as informational RFCs? (The Jabber community’s implementation comes to mind)
  • Are there places where it would be helpful if there were reference implementations of DANE support? For example, DANE for email got a boost when support was added to postfix. Are there other commonly-used open source projects where the addition of DANE support would help move deployment along?
  • Are there test tools that need to be developed? Or existing ones that need to be better promoted? Are there interop tests we can arrange?

I’m looking forward to the discussion on Wednesday… but I also welcome any comments you may have NOW on this topic.  You are welcome to send comments directly to me, send them to the DANE mailing list (you need to subscribe first), post them here as comments to this article – or post them on any of the social networks where this post appears. (although either email or posting the comments here on our site are the best ways to make sure I actually see your comments)

What can we learn from DANE deployment so far – and how can we use that to help get more DANE usage happening?

Two More Rough Guides To IETF 91 On IPv6 And Security / TLS

IETF LogoTwo more “Rough Guide to IETF 91″ posts have been published that may be of interest to Deploy360 readers:

and

Phil’s post naturally talks about all the great work related to IPv6 happening within the various working groups at IETF 91 next week.  The reality is that IPv6 is now the main IP protocol discussed in so many different working groups – and all new work is assumed that it will (or must) work on IPv6 … and so IPv6 discussions are taking place in many different places.   You can expect that you’ll find members of the Deploy360 team in the dedicated IPv6 sessions Phil mentions!

Karen’s post highlights a number of the security and privacy efforts under way within the IETF and IAB.  She also mentions the TLS working group and the Using TLA in Applications (UTA) working groups, both of which are important to the TLS in Applications topic area we have here on Deploy360.

Combined with all the activities related to DNSSEC / DANE and all the activities related to routing security/resiliency … it’s going to be a very busy week next week!  We’re looking forward to it and to meeting up with many of you.

In the meantime, if you’d like to get started with IPv6 or TLS, please visit our Start Here page to begin!

IETF 91 Rough Guide On Routing Resilience And Security – De-aggregation, Route Leaks and more

IETF LogoWhat will be happening next week at IETF 91 with regard to improving the security and resilience of the Internet’s routing infrastructure?

Our colleague Andrei Robachevsky tackles this question in his post this week: “Rough Guide to IETF 91: Routing Resilience & Security“.

Andrei explains that one of the major issues in routing right now is the growth in the size of the global routing tables and the growth of “de-aggregation”… and the challenges that lie therein.  He also writes about “route leaks” and what is being done to address this issue and he writes about the ongoing work related to RPKI in the SIDR working group.

He finishes up talking about the MANRS initiative announced yesterday  and how that can help with overall routing security and resiliency.

Please do read Andrei’s Rough Guide post … and then do check out our topic areas on Securing BGP and Anti-spoofing to learn more about how you can secure your routing infrastructure.  We will look forward to seeing some of you next week at IETF 91!

Meet The Deploy360 Team at IETF 91

If you will be at IETF 91 next week in Honolulu, please do say hello to members of the Deployment & Operationalization (DO) team within the Internet Society.  We are the team behind this Deploy360 website and three of us will be there at IETF 91:

You can expect to find us in the sessions related to IPv6, DNSSEC, routing security and network operations, as well as others related to the topics we cover here on Deploy360.  If you’d like to meet with us, please send an email to deploy360@isoc.org and if you don’t know what we look like, this photo may help:

DO Team 2013

DO Team – left-to-right: Chris Grundemann, Dan York, Megan Kruse, Jan Žorž

See you in Hawaii!

A Great Amount of DNSSEC / DANE / DNS Activity At IETF 91 Next Week

IETF LogoWhat is happening next week at IETF 91 in Honolulu with regard to DNSSEC, DANE and other “DNS security” topics?

great amount of activity, it turns out!

So much that my “Rough Guide to IETF 91: DNSSEC, DANE and DNS Security” turned into quite a lengthy article.  Please read that article for the full description, but a quick summary can be:

  • DNSOP will have discussions around “Negative Trust Anchors”, “DNS Cookies” and more.
  • DANE will discuss using DANE for email, and specifically S/MIME, as well as SRV records and a discussion led by me about what we can learn from current deployments of DANE.
  • A brand new DPRIVE working group will be exploring challenges around privacy and confidentiality of DNS queries.
  • TRANS will look at applying Certificate Transparency (CT) mechanism to DNSSEC keys.
  • EPPEXT will discuss how to move a draft forward about secure transfer of DNSSEC-signed domains between registrars.
  • HOMENET and DNSSD will both be looking at different aspects of using DNS with small networks or “Internet of Things” (IoT) environments – and the question of course is how this usage gets secured.

… and again you’ll want to read the full article to understand more.  The key point is that it will be busy for those of us interested in DNS-related issues!   If you are going to be out at IETF 91, please do contact us or find me there.  Odds are pretty good you’ll find me in either the DNS or IPv6 sessions!

And if you want to get started today with DNSSEC, please visit our Start Here page to learn how!

IETF 91 Agenda Available – DNSSEC, IPv6, TLS, BGP and more

IETF LogoIt’s almost time for IETF 91 happening this time in Honolulu, Hawaii! From our DO team, Chris, Megan and I will all be out there and you can expect to see a great amount of IETF-related content coming from us over the next two weeks.  In particular, you can expect to see the normal “Rough Guide” coming out next week in a series of posts on our Internet Technology Matters (ITM) blog.

Today I just wanted to point out that the final agenda for IETF 91 is now available from the IETF’s site in multiple forms:

I personally like the “tools-style” agenda because for each session you can easily get the links to the audio stream, chat room, documents and more.  However, the HTML version on datatracker.ietf.org is also rather cool because you can select which working groups or areas you want to see and get a focused agenda.

Anyway, there is a great amount of work happening at IETF 91 related to ALL of the topics we cover here – IPv6, DNSSEC, TLS, BGP …. All the major Working Groups we follow will be meeting… it will be a VERY busy time for us all!  (I don’t expect we’ll be seeing much of those Hawaiian beaches except out the windows!)

Stay tuned next week for more IETF 91 info… and if you are going to be out there we look forward to seeing you there!

 

New RFC 7381: Enterprise IPv6 Deployment Guidelines

RFC 7381Would you like guidelines for how IPv6 can best be deployed in an enterprise environment?  Yesterday the IETF published a new informational RFC 7381, “Enterprise IPv6 Deployment Guidelines” available at:

https://tools.ietf.org/html/rfc7381

The abstract for the document reads:

Enterprise network administrators worldwide are in various stages of preparing for or deploying IPv6 into their networks. The administrators face different challenges than operators of Internet access providers and have reasons for different priorities. The overall problem for many administrators will be to offer Internet-facing services over IPv6 while continuing to support IPv4, and while introducing IPv6 access within the enterprise IT network. The overall transition will take most networks from an IPv4-only environment to a dual-stack network environment and eventually an IPv6-only operating mode. This document helps provide a framework for enterprise network architects or administrators who may be faced with many of these challenges as they consider their IPv6 support strategies.

The document then goes on to outline several phases of IPv6 deployment within an enterprise.  The Table of Contents gives a good sense of what is in the document:

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Enterprise Assumptions . . . . . . . . . . . . . . . . . 5
1.2. IPv4-Only Considerations . . . . . . . . . . . . . . . . 5
1.3. Reasons for a Phased Approach . . . . . . . . . . . . . . 6
2. Preparation and Assessment Phase . . . . . . . . . . . . . . 7
2.1. Program Planning . . . . . . . . . . . . . . . . . . . . 7
2.2. Inventory Phase . . . . . . . . . . . . . . . . . . . . . 8
2.2.1. Network Infrastructure Readiness Assessment . . . . . 8
2.2.2. Application Readiness Assessment . . . . . . . . . . 9
2.2.3. Importance of Readiness Validation and Testing . . . 9
2.3. Training . . . . . . . . . . . . . . . . . . . . . . . . 10
2.4. Security Policy . . . . . . . . . . . . . . . . . . . . . 10
2.4.1. IPv6 Is No More Secure Than IPv4 . . . . . . . . . . 10
2.4.2. Similarities between IPv6 and IPv4 Security . . . . . 11
2.4.3. Specific Security Issues for IPv6 . . . . . . . . . . 11
2.5. Routing . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.6. Address Plan . . . . . . . . . . . . . . . . . . . . . . 14
2.7. Tools Assessment . . . . . . . . . . . . . . . . . . . . 16
3. External Phase . . . . . . . . . . . . . . . . . . . . . . . 17
3.1. Connectivity . . . . . . . . . . . . . . . . . . . . . . 18
3.2. Security . . . . . . . . . . . . . . . . . . . . . . . . 19
3.3. Monitoring . . . . . . . . . . . . . . . . . . . . . . . 20
3.4. Servers and Applications . . . . . . . . . . . . . . . . 20
3.5. Network Prefix Translation for IPv6 . . . . . . . . . . . 21
4. Internal Phase . . . . . . . . . . . . . . . . . . . . . . . 21
4.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 22
4.2. Network Infrastructure . . . . . . . . . . . . . . . . . 22
4.3. End-User Devices . . . . . . . . . . . . . . . . . . . . 23
4.4. Corporate Systems . . . . . . . . . . . . . . . . . . . . 24
5. IPv6 Only . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6. Considerations for Specific Enterprises . . . . . . . . . . . 26
6.1. Content Delivery Networks . . . . . . . . . . . . . . . . 26
6.2. Data Center Virtualization . . . . . . . . . . . . . . . 26
6.3. University Campus Networks . . . . . . . . . . . . . . . 26
7. Security Considerations . . . . . . . . . . . . . . . . . . . 28
8. Informative References . . . . . . . . . . . . . . . . . . . 28

The document is a good one for all people involved with enterprises to read and we’ll be adding the document to our “IPv6 for Enterprises” page soon.  We’d encourage you to read this RFC 7381 and share it with others.  Please do also check out other resources that are available for enterprises looking to make the move to IPv6.

 

DPRIVE – New IETF Working Group On DNS Privacy

IETF LogoHow can we ensure the confidentiality of DNS queries to protect against pervasive monitoring?  What kind of mechanisms can be developed to increase the privacy of an individual’s DNS transactions?

After holding a BOF session (DNSE) at an earlier IETF meeting, the IETF has now chartered a new Working Group called DPRIVE (DNS PRIVate Exchange) to dig into this matter. Part of the WG charter states:

The set of DNS requests that an individual makes can provide an
attacker with a large amount of information about that individual.
DPRIVE aims to deprive the attacker of this information. (The IETF
defines pervasive monitoring as an attack [RFC7258])

The primary focus of this Working Group is to develop mechanisms that
provide confidentiality between DNS Clients and Iterative Resolvers,
but it may also later consider mechanisms that provide confidentiality
between Iterative Resolvers and Authoritative Servers, or provide
end-to-end confidentiality of DNS transactions. Some of the results of
this working group may be experimental. The Working Group will also
develop an evaluation document to provide methods for measuring the
performance against pervasive monitoring; and how well the goal is met.
The Working Group will also develop a document providing example
assessments for common use cases.

The group has adopted its first document for consideration, Stephane Bortzmeyer’s “DNS privacy considerations”, draft-bortzmeyer-dnsop-dns-privacy, and discussion has already begun on the “dns-privacy” mailing list.  This list is open to anyone to join. You can subscribe at:

https://www.ietf.org/mailman/listinfo/dns-privacy

and the archives are available at:

http://www.ietf.org/mail-archive/web/dns-privacy/current/maillist.html

While this group does not directly relate to the work we do here at Deploy360 related to DNSSEC, it is part of the overall effort to increase the security of the DNS, and so I thought it would be of interest to our readers.

If you are interested in monitoring what is being discussed about DNS privacy, or contributing to those discussions, I would definitely encourage you to subscribe and join in the conversations and the work to make the Internet more secure!