Category: IETF

A Huge Amount Of DNSSEC Activity Next Week At IETF 90 In Toronto

If you are interested in DNSSEC and/or “DNS security” in general, there is going to be a great amount of activity happening in a number of different working group sessions at IETF 90 next week in Toronto.

I wrote about all of this in a post on the ITM blog, “Rough Guide to IETF 90: DNSSEC, DANE and DNS Security”, a part of the Rough Guide to IETF 90 series of posts.

You can read the full details (and find links to all the drafts), but here’s a quick summary:

  • The DNSOP (DNS Operations) Working Group will be talking about DNSSEC key and signing policies and requirements for DNSSEC validation in DNS resolvers.  The group will also talk about the “DNSSEC roadblock avoidance” draft before getting into what should be a lively discussion about how we better optimize the distribution of data in the root zone of DNS.
  • The DANE Working Group will discuss a number of ways the DANE protocol can be used with applications such as OpenPGP, S/MIME, SMTP and more.  There will also be a discussion of turning the “DANE Operational Guidance” draft into an actual update/replacement for RFC 6698 that defines DANE. It should be a very interesting session!
  • The SIPCORE Working Group will discuss a draft about using DANE and DNSSEC for SIP-based Voice-over-IP (VoIP).
  • The TRANS Working Group will explore whether or not there is a role for Certificate Transparency (CT) to play with DNSSEC and/or DANE.
  • The HOMENET Working Group will discuss two different drafts relating to DNSSEC and customer-premise equipment (CPE) such as home wifi routers.

And a couple of other working groups may have DNSSEC-related discussions as well.  All in all it will be a very busy week at IETF 90!

Again, more details and links to all of the associated drafts can be found in the Rough Guide to IETF 90 article about DNSSEC.

If you aren’t able to actually be in Toronto, you still can participate remotely – see the IETF 90 Remote Participation page for more information about how you can join in to the discussions.

If you are in Toronto, please do feel free to say hello and introduce yourself.  You can pretty much expect to find me in all of these various DNSSEC-related sessions (and many of the IPv6-related sessions, too).

Video: Chris Grundemann on our “Operators and the IETF” Project (RIPE 68)

What is our “Operators and the IETF” project all about?  Why should you care?  How can you help?  Chris Grundemann is in Warsaw this week at the RIPE 68 meeting and the video is now available (as are his slides) of his lightning talk:

If you are interested in helping more, please check out our project page – and take the online survey! Thanks!

 

 

New RFC 7157 Out About IPv6 Multihoming Without NAT

What are the challenges with connecting a small network or device to multiple “upstream” IPv6 networks? How can you set up such a network while avoiding the Network Address Translation (NAT) required in IPv4?  To address these questions and provide useful guidance, a group of engineers wrote a document that was just published as RFC 7157, “IPv6 Multihoming without Network Address Translation”, that is available at:

http://tools.ietf.org/html/rfc7157

The document has an abstract of:

Network Address and Port Translation (NAPT) works well for conserving global addresses and addressing multihoming requirements because an IPv4 NAPT router implements three functions: source address selection, next-hop resolution, and (optionally) DNS resolution. For IPv6 hosts, one approach could be the use of IPv6-to-IPv6 Network Prefix Translation (NPTv6). However, NAT and NPTv6 should be avoided, if at all possible, to permit transparent end-to-end connectivity. In this document, we analyze the use cases of multihoming. We also describe functional requirements and possible solutions for multihoming without the use of NAT in IPv6 for hosts and small IPv6 networks that would otherwise be unable to meet minimum IPv6-allocation criteria. We conclude that DHCPv6-based solutions are suitable to solve the multihoming issues described in this document, but NPTv6 may be required as an intermediate solution.

The document goes into quite some detail for both multihomed hosts (individual computers or servers) and multihomed networks and provides many good points to consider when setting up multihomed environments.  It also includes many links for those interested in learning more.  Definitely worth reading for anyone looking to configure IPv6 to work with multiple Internet connections.

Want To Attend IETF 90 In Toronto? Apply For An IETF Fellowship

Are you interested in attending the next meeting of the Internet Engineering Task Force (IETF) in Toronto in July 2014? Have you never been to an IETF meeting but would like to participate in the face-to-face aspect of the open standards process of the IETF?

If so, our colleagues who operate the “Internet Society Fellowship to the Internet Engineering Task Force (IETF) Programme” have alerted us that the next application window is open and applications will be accepted until April 11, 2014.  This “Fellows” program is open to men and women from developing and emerging economies who might not otherwise be able to attend an IETF meeting.  The goal is to help bring in more people from various regions of the world so that more voices are heard within the IETF discussions.

The most recent group of Fellows to IETF 89 in London included people from Venezuela, India, Morocco, Argentina, Tuvalu, Ecuador and Ethiopia.  At past IETF meetings I’ve had the opportunity to record video interviews with some of the Fellows and it has been amazing and inspiring to learn their stories.

If you are interested to learn more and apply, I would suggest starting with reading through the selection criteria and then down the main page on the Fellows program.  The links to apply as well as additional material can be found at the bottom of that main page.  As I noted above, the application window closes on April 11 for this upcoming IETF 90 in Toronto.  (It will then open up again a few months later for IETF 91 in November.)

If you’re interested in IPv6, DNSSEC, securing BGP… or, well, really any topic covered by the IETF, we’d encourage you to apply!  And we look forward to meeting up with some of you at future IETF meetings!

New IETF Mailing List To Discuss Privacy and Confidentiality of DNS

How can we better protect the privacy and confidentiality of DNS queries? While DNSSEC protects the integrity of answers coming back from DNS (i.e. ensuring they aren’t modified in transit), what can be done to protect the confidentiality and privacy of information retrieved from DNS?  Particularly against the kind of pervasive monitoring and large-scale network sniffing we’ve become aware of?

We mentioned previously that at IETF 89 this month in London there was the “Encryption of DNS requests for confidentiality” (DNSE) BOF looking at these topics.  There was vigorous discussion during that BOF and then at the DNSOP working group meeting.  That large amount of interest has now sparked the creation of a new mailing list for all those interested in participating.  This “dns-privacy” list is public and open to anyone to subscribe:

List address: dns-privacy@ietf.org
To subscribe: https://www.ietf.org/mailman/listinfo/dns-privacy
Archive: http://www.ietf.org/mail-archive/web/dns-privacy/

As you can see from the mailing list archive, there is already some discussion underway.  If you want some background the Internet drafts draft-bortzmeyer-dnsop-dns-privacy and draft-koch-perpass-dns-confidentiality may be useful.

While this doesn’t specifically relate to the DNSSEC topic we cover here on Deploy360, it is part of the same overall space of “making DNS more secure” and so I thought it would be useful to point people to this new list.

Working together as an industry and community, we can make DNS more secure!  Please do join in and help out.

Deploy360@IETF89, Day 5: dnsop, uta

It’s our last day here at the 89th IETF meeting and it’s been a very exhausting but exhilarating meeting so far!  A lot of excellent work happening in so many areas! Our final day here ends with a number of DNSSEC-related topics being presented in the DNSOP Working Group – while at the exact same time is the first meeting of the brand new UTA Working Group that is part of the inspiration for our new TLS for Applications area of Deploy360.

After that, there is an afternoon meeting of the Internet Society Advisory Council which a few of us will attend… and then we’ll be heading back home!  Thanks to all the many people who have come up to us and told us about how they appreciate our work – that kind of feedback means a lot and is greatly appreciated!

If you do want to meet with us in these few remaining hours of IETF 89, either find us at one of these sessions or send us email to deploy360@isoc.org.

Thanks, again, for all the great feedback!

Friday, March 7, 2014

dnsop (DNS Operations) WG
0900-1130 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

uta (Using TLS in Applications) WG
0900-1130 UTC, Richmond/Chelsea/Tower Rooms
Agenda: https://datatracker.ietf.org/meeting/89/agenda/uta/
Documents: https://datatracker.ietf.org/wg/uta/
Charter: http://tools.ietf.org/wg/uta/charters/


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

Deploy360@IETF89, Day 4: dane, sunset4, v6ops, 6tisch, idr, dbound, eppext, sipcore and dnsop

The fourth day for our Deploy360 team at the 89th IETF meeting could perhaps best be described as “utter madness” as there are multiple working groups meeting on ALL of the topics we cover here:  IPv6, DNSSEC, securing BGP and even our new TLS for Applications area. In particular, several of the major DNS groups are holding their only meetings today.

Details and links are farther down below (along with remote participation info), but as we mentioned in our pre-IETF89 posts about IPv6, DNSSEC and Securing BGP, today will bring:

  • The meeting of the DANE Working Group (read more about the DANE protocol).
  • The work in SUNSET4 on phasing out IPv4 and the second meeting of v6OPS focused on operational guidance for IPv6.
  • The 6TiSCH work on IPv6 in resource-constrained “Internet of Things” kinds of networks.
  • The IDR working group has many work items relating to BGP.
  • There is a new DBOUND BOF session that is looking into boundaries in the DNS related to domain names and how those could apply to security policies.
  • In EPPEXT there is an extension proposed for how to securely pass DNSSEC keying material between operators and registries.

Beyond all of those, there are two other Thursday meetings that have come to our attention:

  • In the 1300-1500 block when we already have 3 other sessions of interest, the SIPCORE Working Group is planning a 45 minute discussion on “Happy Eyeballs for SIP” looking at what needs to be done to make SIP work over IPv6. (Where SIP is the dominant open standard used in voice-over-IP.)
  • At the end of the day, a brand new timeslot was opened up from 1840-2040 where the DNSOP Working Group is going to get a head-start on their Friday morning agenda and very specifically focus on the outcome of yesterday’s DNSE BOF around what can be done to protect the confidentiality of DNS queries.  The main point of this evening timeslot is so that TLS can be discussed with some of the people from the UTA Working Group joining in to the discussion (since UTA and DNSOP are scheduled at the same time on Friday morning).

All in all it’s going to be an extremely busy day for all of us!  We’re looking forward to it, though, as great things are definitely happening!

Thursday, March 6, 2014

dane (DNS-based Authentication of Named Entities) WG
0900-1130 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dane/
Documents: https://datatracker.ietf.org/wg/dane/
Charter: http://datatracker.ietf.org/wg/dane/charter/

sunset4 (Sunsetting IPv4) WG
0900-1130 UTC, Palace C
Agenda: https://datatracker.ietf.org/meeting/89/agenda/sunset4/ (combined with the Multiple Interface (mif) WG meeting)
Documents: https://datatracker.ietf.org/wg/sunset4/
Charter: http://tools.ietf.org/wg/sunset4/charters

v6ops (IPv6 Operations) WG
1300-1500 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/

6tisch (IPv6 over TSCH mode of 802.15.4e)
Thursday, March 6, 2014, 1300-1500 UTC, Buckingham Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/6tisch/
Documents: https://datatracker.ietf.org/wg/6tisch/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6tisch/ 

idr (Inter-Domain Routing Working Group)
1300-1500 UTC, Blenheim Room
WG Agenda: https://datatracker.ietf.org/meeting/89/agenda/idr
Documents: https://datatracker.ietf.org/wg/idr/
Charter: https://datatracker.ietf.org/wg/idr/charter/

sipcore (Session Initiation Protocol Core)
1300-1500 UTC, Palace C
WG Agenda: https://datatracker.ietf.org/meeting/89/agenda/sipcore
Documents: https://datatracker.ietf.org/wg/sipcore/
Charter: https://datatracker.ietf.org/wg/sipcore/charter/

dbound (Domain Boundaries) BOF
1520-1650 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dbound/
List of BOFs: http://trac.tools.ietf.org/bof/trac/

eppext (Extensible Provisioning Protocol Extensions) WG
1700-1830 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/eppext/
Documents: https://datatracker.ietf.org/wg/eppext/
Charter: http://tools.ietf.org/wg/eppext/charters/

dnsop (DNS Operations) WG
1840-2040 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charter/


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

Deploy360@IETF89, Day 3: v6ops, trans, 6lo

Today at the 89th IETF meeting we’re talking a good bit about IPv6.  The day starts with the first session of the IPv6 Operations Working Group (v6ops) that today will be looking at a number of documents about the impact of Neighbor Discovery multicasting on WiFi networks and exploring what can be done to provide operational guidance to network operators.

Later in the day we’ll be looking at IPv6 in the “Internet of Things” and other environments that are “resource-constrained”, i.e. devices with low levels of power, networking or processing capabilities.  That will be in the IPv6 over Networks of Resource-constrained Nodes (6lo) working group, one of the many IPv6 groups we’re monitoring at this IETF meeting.

At the same time that 6lo is meeting (for the first part), at least one of us will also be over in the Public Notary Transparency (trans) Working Group where, as I wrote about last week, they are looking at updating the “Certificate Transparency” work for logging TLS certificate usage.  This has some connection to the work we’re doing with DANE and now as well with TLS for applications.

Along the way, we’ll also be at the IRTF Open Meeting and in various other groups leading up to the Operations and Administration Plenary happening tonight and being broadcast live at http://www.ietf.org/live/ from 17:50-20:20 UTC.

If you’d like to meet with us, please do say hello in one of these sessions!

Wednesday, March 6, 2014

v6ops (IPv6 Operations) WG
0900-1130 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/
(5 March, 0900-1130, 6 March 1300-1500)

trans (Public Notary Transparency) WG
1520-1620 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/trans/
Documents: https://datatracker.ietf.org/wg/trans/
Charter: https://datatracker.ietf.org/wg/trans/charter/

6lo (IPv6 over Networks of Resource Constrained Nodes) WG
1520-1730 UTC, Balmoral Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/6lo/
Documents: https://datatracker.ietf.org/wg/6lo/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6lo/ 


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

Deploy360@IETF89, Day 2: homenet, sidr, grow, dnse, 6man

Day 2 for the Deploy360 team here at the 89th IETF meeting is a big day for routing and for IPv6. Two of the main routing groups, SIDR and GROW, meet today, and our colleague Andrei Robachevsky recently wrote about the important work happening in both groups to make the Internet’s routing infrastructure more secure.

Two of the important IPv6 groups we are monitoring are meeting today: HOMENET and 6MAN.  Homenet is focused on “home networks” and the role IPv6 plays there.  They are doing some very cool work within the group and a couple of our members are there.  In the afternoon, the 6man group will be looking at changes to the IPv6 protocol. As our colleague Phil Roberts recently wrote, a big focus here will be around efficient neighbor discovery.

Today will also have a “Birds of a Feather” (BOF) meeting for the “DNSE” group.  This is not a formal working group but rather a meeting to talk about some potential areas of work within other groups within the IETF.  As I wrote about in a recent post:

Another feature of today will be the “Internet Society @ IETF89 Briefing Panel” today from 11:45-12:45 UTC where the topic is “Evolution of end-to-end: why the Internet is not like any other network”.  It should be quite an interesting discussion that will also be live streamed out via Google+ / YouTube.

If you are here at IETF 89, please do say hello!  And if you are remote, you can follow along using the information at the bottom of the page and also follow us on Twitter at @deploy360 and also @isoctech.

Tuesday, March 4, 2014

homenet (Home Networking) WG
0900-1130 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/homenet/
Documents: https://datatracker.ietf.org/wg/homenet/
Charter: https://datatracker.ietf.org/doc/charter-ietf-homenet/ 

sidr (Secure Inter-Domain Routing)
0900-1130 UTC, Balmoral Room
WG Agenda: https://datatracker.ietf.org/meeting/89/agenda/sidr/
Documents: https://datatracker.ietf.org/wg/sidr/
Charter: https://datatracker.ietf.org/wg/sidr/charter/

grow (Global Routing Operations)
1300-1400 UTC, Blenheim Room
WG Agenda: https://datatracker.ietf.org/meeting/89/agenda/grow/
Documents: https://datatracker.ietf.org/wg/grow/
Charter: https://datatracker.ietf.org/wg/grow/charter/

dnse (Encryption of DNS request for confidentiality) BOF
1420-1550 UTC, Viscount Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnse/
List of BOFs: http://trac.tools.ietf.org/bof/trac/

6man (IPv6 Maintenance) WG
1610-1840 UTC, Viscount Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/6man/
Documents: https://datatracker.ietf.org/wg/6man/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6man/ 


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

Deploy360@IETF89, Day 1: dnssd, sipcore, technical plenary

Our first day here at the 89th IETF meeting for the Deploy360 team starts off with a lighter schedule… which is okay because later in the week we are double- or triple-booked in some session timeslots! Today the main DNSSEC / DANE session is one that I actually did NOT write about in my “Rough Guide to IETF 89: DNSSEC, DANE and DNS” post because at that time I was not aware that DANE would be discussed in this working group. It’s the “SIPCORE” working group focused on the Session Initiation Protocol (SIP) used in voice-over-IP and while the agenda for the SIPCORE session has not yet been posted as I write this note, Olle Johansson let me know that he’d be talking about SIP and DANE in that session.

In fact, Olle’s slides about SIP and DANE are now posted online and they look quite good. I’m looking forward to that discussion this afternoon!

Prior to SIPCORE, the other group on our watch list will be the DNSSD group that, as I mentioned in the Rough Guide post, is looking at how to extend DNS service discovery past the local network.   Before that, in the morning, odds are that at least one of us will be in the DHC working group as it is focused on DHCP and includes a number of IPv6 issues on its agenda.

The day will conclude with the IETF 89 Technical Plenary that will have as a technical focus “Bitcoin, cybercurrencies and Internet payment systems”.  While not directly connected to the work we do here at Deploy360, it should be an interesting discussion!  If you are not here in London, you can watch the IETF 89 Technical Plenary at:

http://www.ietf.org/live/

That’s what our day 1 looks like at IETF 89 – if you are here please do feel free to find us and say hello!

Monday, March 3, 2014

dnssd (Extensions for Scalable DNS Service Discovery) WG
Monday, March 3, 2014, 1300-1500 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: https://datatracker.ietf.org/wg/dnssd/charter/

sipcore (Session Initiation Protocol Core) WG
1630-1730 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/sipcore/ (not available yet)
Documents: https://datatracker.ietf.org/wg/sipcore/
Charter: https://datatracker.ietf.org/wg/sipcore/charter/


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.