Category: IETF

Meet The Deploy360 Team At IETF 89 Next Week

Will you be at IETF 89 next week in London? If so, please feel free to say hello to one of our team members there. We’ll all be there: myself (Dan York), Chris Grundemann, Megan Kruse and Jan Žorž.

You can expect to find at least one of us in any of the sessions that relate to IPv6, DNSSEC or securing BGP.  Specifically, some of the sessions we’ll be at can be found in these posts:

We’re always interested in talking to people about the work we do here and also how we can help you get these technologies more rapidly deployed.  Got a question for us?  Find us at the IETF sessions and let us know.

You can also send an email to us at “deploy360@isoc.org” if you’d like to set up a time to meet.

See you in London!

8 Sessions About DNSSEC / DANE / DNS At IETF 89 Next Week

Wow! IETF 89 next week in London is going to be an extremely busy week for those of us interested in DNSSEC, DANE and DNS security in general. As I explained in a post today, “Rough Guide to IETF 89: DNSSEC, DANE and DNS Security”, there are 5 new working groups and BOFs related to DNS and DNSSEC in addition to the three already existing working groups.

I go into a great bit of detail in the Rough Guide blog post, but here are the quick summaries of what is happening this week:

  • The DANE Working Group is focused on how to use the DANE protocol to add more security to TLS/SSL connections. The DANE WG agenda at IETF 89 is about using DANE with email and IM, operational guidance and much more.
  • The DNS Operations (DNSOP) Working Group has a very full agenda, with the biggest DNSSEC-related piece being the drafts around how to deal with the critical issue of uploading DS records from DNS operators to registries. Some other great DNSSEC work is being discussed there, too.
  • The brand new Using TLS in Applications (UTA) Working Group has as a primary goal delivering a set of documents that are “go to” security guides aimed at helping developers add TLS support to their applications. We’re interested in the potential DNSSEC/DANE connection there.
  • The new Public Notary Transparency (trans) Working Group on Wednesday is looking at how to update the experimental RFC 6962, “Certificate Transparency”, to reflect recent implementation and deployment experience. Our particular interest is that part of the charter is to ensure that this mechanism can work in the presence of DANE records in addition to the regular web certificate-based system.
  • The new EPP Extensions (eppext) working group is looking at draft-ietf-eppext-keyrelay, which defines a mechanism that can be used to securely transfer a DNSSEC-signed domain from one operator to another.
  • The “Encryption of DNS requests for confidentiality” (DNSE) BOF is exploring how to protect the confidentiality of DNS requests from sniffing.   The DNSE BOF will use draft-bortzmeyer-dnsop-dns-privacy and draft-koch-perpass-dns-confidentiality as starting points for discussion.
  • The Domain Boundaries (dbound) BOF is looking at how domain names are used in setting security policies.  Our interest is in understanding how this may fit into the other DNS security components of the work we are doing such as DNSSEC and DANE.
  • The Extensions for Scalable DNS Service Discovery (dnssd) Working Group is continuing their discussions about how DNS-SD (RFC6763) and mDNS (RFC6762) can be used beyond the local network. Our interest is in how this all gets done securely.

We will finish out the week with a breakfast meeting Friday morning with people involved in the DNSSEC Coordination effort (and anyone can join the mailing list) where we’ll have some conversation and food before heading off to the DNSOP and/or UTA working groups.

It’s going to be a crazy-busy week… but I’m looking forward to seeing all that we can get done!

Relevant Working Groups and BoFs

dnssd (Extensions for Scalable DNS Service Discovery) WG
Monday, March 3, 2014, 1300-1500 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: https://datatracker.ietf.org/wg/dnssd/charter/

dnse (Encryption of DNS request for confidentiality) BOF
Tuesday, March 4, 2014, 1420-1550 UTC, Viscount Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnse/
List of BOFs: http://trac.tools.ietf.org/bof/trac/

trans (Public Notary Transparency) WG
Wednesday, March 5, 2014, 1520-1620 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/trans/
Documents: https://datatracker.ietf.org/wg/trans/
Charter: https://datatracker.ietf.org/wg/trans/charter/

dane (DNS-based Authentication of Named Entities) WG
Thursday, March 6, 2014, 0900-1130 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dane/
Documents: https://datatracker.ietf.org/wg/dane/
Charter: http://datatracker.ietf.org/wg/dane/charter/

dbound (Domain Boundaries) BOF
Thursday, March 6, 2014, 1520-1650 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dbound/
List of BOFs: http://trac.tools.ietf.org/bof/trac/

eppext (Extensible Provisioning Protocol Extensions) WG
Thursday, March 6, 2014, 1700-1830 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/eppext/
Documents: https://datatracker.ietf.org/wg/eppext/
Charter: http://tools.ietf.org/wg/eppext/charter/

dnsop (DNS Operations) WG
Friday, March 7, 2014, 0900-1130 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charter/

uta (Using TLS in Applications) WG
Friday, March 7, 2014, 0900-1130 UTC, Richmond/Chelsea/Tower Rooms
Agenda: https://datatracker.ietf.org/meeting/89/agenda/uta/
Documents: https://datatracker.ietf.org/wg/uta/
Charter: http://tools.ietf.org/wg/uta/charter/


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

6 Sessions About IPv6 At IETF 89 Next Week In London

As you might expect, IETF 89 next week in London will be filled with activity related to IPv6. My colleague Phil Roberts writes today in “Rough Guide to IETF 89: All About IPv6”:

While the standard for IPv6 has long since been finished, there are ongoing discussions in the IETF of maintenance issues in the protocols, IPv6 operational issues and management, and possible uses in home networks and very large-scale networks (of small-scale devices). Many of these discussions will happen next week in London.

Phil goes on to write in a bit more detail about what is happening within the 6man and v6ops working groups at IETF 89 next week.

Given our focus on IPv6 here at Deploy360, it should come as no surprise that you’ll be able to find our team at pretty much all of the working groups focused on IPv6. We’ll be in homenet looking at IPv6 in home networks, v6ops discussing operational issues, 6man to look at maintenance of the IPv6 specification, sunset4 to talk about how we phase out IPv4, and 6lo and 6tisch to look at IPv6 in low-power or resource-constrained networks. Beyond these groups, of course, there will be many others that discuss IPv6, but these are the main groups we’ll be focusing on.

Relevant Working Groups

homenet (Home Networking) WG
Tuesday, March 4, 2014, 0900-1130 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/homenet/ (not yet posted)
Documents: https://datatracker.ietf.org/wg/homenet/
Charter: https://datatracker.ietf.org/doc/charter-ietf-homenet/ 

6man (IPv6 Maintenance) WG
Tuesday, March 4, 2014, 1610-1840 UTC, Viscount Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/6man/
Documents: https://datatracker.ietf.org/wg/6man/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6man/ 

v6ops (IPv6 Operations) WG
Wednesday, March 5, 2014, 0900-1130 UTC, Sovereign Room
Thursday, March 6, 2014, 1300-1500 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/

6lo (IPv6 over Networks of Resource Constrained Nodes) WG
Wednesday, March 5, 2014, 1520-1730 UTC, Balmoral Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/6lo/
Documents: https://datatracker.ietf.org/wg/6lo/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6lo/ 

sunset4 (Sunsetting IPv4) WG
Thursday, March 6, 2014, 0900-1130 UTC, Palace C
Agenda: https://datatracker.ietf.org/meeting/89/agenda/sunset4/ (combined with the Multiple Interface (mif) WG meeting)
Documents: https://datatracker.ietf.org/wg/sunset4/
Charter: http://tools.ietf.org/wg/sunset4/charters

6tisch (IPv6 over the TSCH mode of IEEE 802.15.4e) WG
Thursday, March 6, 2014, 1300-1500 UTC, Buckingham Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/6tisch/
Documents: https://datatracker.ietf.org/wg/6tisch/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6tisch/ 


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

3 Sessions About Securing BGP At IETF89 Next Week

Next week at IETF 89 in London there will be a good bit of discussion around the security and resilience of the Internet’s routing infrastructure. Given our interest in securing BGP, members of our team will be attending the SIDR, GROW and IDR Working Groups next week and engaging in other routing discussions as well.

My colleague Andrei Robachevsky wrote about routing as part of the IETF 89 “Rough Guide” today and explained some of the activities that will be happening during the week.  I’d encourage you to read his post as he goes into some detail about the different drafts that are being considered by the three working groups.


Relevant Working Groups

SIDR (Secure Inter-Domain Routing)
Tuesday, March 4, 0900-1130 UTC, Balmoral Room
WG Agenda: https://datatracker.ietf.org/meeting/89/agenda/sidr/
Documents: https://datatracker.ietf.org/wg/sidr/
Charter: https://datatracker.ietf.org/wg/sidr/charter/

GROW (Global Routing Operations)
Tuesday, March 4, 1300-1400 UTC, Blenheim Room
WG Agenda: https://datatracker.ietf.org/meeting/89/agenda/grow/ (not yet available)
Documents: https://datatracker.ietf.org/wg/grow/
Charter: https://datatracker.ietf.org/wg/grow/charter/

IDR (Inter-Domain Routing Working Group)
Thursday, March 6, 1300-1500 UTC, Blenheim Room
WG Agenda: https://datatracker.ietf.org/meeting/89/agenda/idr
Documents: https://datatracker.ietf.org/wg/idr/
Charter: https://datatracker.ietf.org/wg/idr/charter/


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

RFC 7123 – Security Implications of IPv6 on IPv4 Networks

What are the security issues around IPv6 support and IPv6 transition mechanisms on an IPv4-only network?  Could the unplanned and perhaps even unknown support of IPv6 by operating systems introduce additional security concerns into an enterprise network?

In RFC 7123, an Informational RFC published in February 2014, Fernando Gont and Will Liu explore the security implications of native IPv6 support and also of IPv6 tunneling mechanisms. They walk through the different transition mechanisms, explain potential security issues and outline ways to potentially mitigate the security concerns. The document is available at:

http://tools.ietf.org/html/rfc7123

The introduction of the document gives a taste of what the rest of the document covers:

Most general-purpose operating systems implement and enable native IPv6 [RFC2460] support and a number of transition/coexistence technologies by default. Support of IPv6 by all nodes is intended to become best current practice [RFC6540]. Some enterprise networks might, however, choose to delay active use of IPv6.

This document describes operational practices to prevent security exposure in enterprise networks resulting from unplanned use of IPv6 on such networks. This document is only applicable to enterprise networks: networks where the network operator is not providing a general-purpose internet, but rather a business-specific network. The solutions proposed here are not practical for home networks, nor are they appropriate for provider networks such as ISPs, mobile providers, WiFi hotspot providers, or any other public internet service.

In scenarios in which IPv6-enabled devices are deployed on enterprise networks that are intended to be IPv4-only, native IPv6 support and/or IPv6 transition/coexistence technologies could be leveraged by local or remote attackers for a number of (illegitimate) purposes. For example,

  • A Network Intrusion Detection System (NIDS) might be prepared to detect attack patterns for IPv4 traffic, but might be unable to detect the same attack patterns when a transition/coexistence technology is leveraged for that purpose.
  • An IPv4 firewall might enforce a specific security policy in IPv4, but might be unable to enforce the same policy in IPv6.
  • A NIDS or firewall might support both IPv4 and IPv6, but might not be configured to enforce on IPv6 traffic the same controls/policies it enforces on IPv4 traffic.
  • Some transition/coexistence mechanisms could cause an internal host with otherwise limited IPv4 connectivity to become globally reachable over IPv6, therefore resulting in increased (and possibly unexpected) host exposure.
  • IPv6 support could, either inadvertently or as a result of a deliberate attack, result in Virtual Private Network (VPN) traffic leaks if IPv6-unaware VPN software is employed by dual-stacked hosts.

In general, most of the aforementioned security implications can be mitigated by enforcing security controls on native IPv6 traffic and on IPv4-tunneled IPv6 traffic. Among such controls is the enforcement of filtering policies to block undesirable traffic. While widespread/global IPv6 deployment has been slower than expected, it is nevertheless happening; and thus, filtering IPv6 traffic (whether native or transition/coexistence) to mitigate IPv6 security implications on IPv4 networks should (generally) only be considered as a temporary measure until IPv6 is deployed.
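As an added illustration of the quoted point (example code written for this post, not from the RFC or its authors), the following Python classifies raw Ethernet frames seen on a nominally IPv4-only segment and flags native IPv6 plus the IPv4-encapsulated forms that IPv4-only NIDS and firewall policy would otherwise let through: IP protocol 41 (6in4, 6to4, ISATAP) and Teredo over UDP port 3544. The prefixes and the ISATAP interface-ID pattern follow RFC 3056, RFC 5214 and RFC 4380; all frames are constructed samples, and the IPv4 checksum is left zero because nothing is transmitted.

```python
"""Flag native and IPv4-tunneled IPv6 on a nominally IPv4-only segment.
Added example for the RFC 7123 discussion; every frame below is a
constructed sample (plain Ethernet framing), not a capture."""
import ipaddress
import struct
from collections import Counter

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
PROTO_IPV6_IN_IPV4, PROTO_UDP = 41, 17        # 6in4/6to4/ISATAP vs Teredo
TEREDO_PORT = 3544                             # RFC 4380 server port
SIXTO4_NET = ipaddress.IPv6Network("2002::/16")    # RFC 3056
TEREDO_NET = ipaddress.IPv6Network("2001::/32")    # RFC 4380
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # RFC 5214 ::[02]00:5efe:a.b.c.d

def _inner_ipv6_src(pkt: bytes):
    """Return the source address if pkt starts with an IPv6 header, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(pkt[8:24])

def classify(frame: bytes) -> str:
    """Label one raw Ethernet frame; 'ipv4' means nothing IPv6-related seen."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV6:
        return "native-ipv6"
    if ethertype != ETHERTYPE_IPV4:
        return "other"
    ip = frame[14:]
    payload = ip[(ip[0] & 0x0F) * 4:]           # skip IHL*4 header bytes
    proto = ip[9]
    if proto == PROTO_IPV6_IN_IPV4:
        src = _inner_ipv6_src(payload)
        if src is None:
            return "proto41-malformed"          # still worth alerting on
        if src in SIXTO4_NET:
            return "6to4"
        if src.packed[8:12] in ISATAP_IIDS:
            return "isatap"
        return "6in4"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        src = _inner_ipv6_src(payload[8:])
        if TEREDO_PORT in (sport, dport) and src is not None and src in TEREDO_NET:
            return "teredo"
    return "ipv4"

def audit(frames) -> Counter:
    """Count the IPv6-related labels a defender would want alerted on."""
    return Counter(label for label in map(classify, frames) if label != "ipv4")

def _eth(ethertype: int, payload: bytes) -> bytes:
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload

def _ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return hdr + payload                          # checksum left zero; never sent

def _ipv6(src: str) -> bytes:
    # version 6, empty payload, next header 59 (no next header), hop limit 64
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("2001:db8::1").packed)

SAMPLES = [
    _eth(ETHERTYPE_IPV6, _ipv6("2001:db8::10")),                       # native-ipv6
    _eth(ETHERTYPE_IPV4, _ipv4(41, _ipv6("2002:c000:20a::1"))),        # 6to4
    _eth(ETHERTYPE_IPV4, _ipv4(41, _ipv6("fe80::5efe:c000:20a"))),      # isatap
    _eth(ETHERTYPE_IPV4, _ipv4(41, _ipv6("2001:db8:1::1"))),            # 6in4
    _eth(ETHERTYPE_IPV4, _ipv4(17, struct.pack("!HHHH", 40000, 3544, 48, 0)
                               + _ipv6("2001:0:4136:e378::1"))),        # teredo
    _eth(ETHERTYPE_IPV4, _ipv4(6, b"\x00" * 20)),                       # plain ipv4
]
```

Calling `audit(SAMPLES)` returns one count each for native-ipv6, 6to4, isatap, 6in4 and teredo; the plain IPv4 frame is ignored.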

Useful Internet-Draft: IPv6 Operational Guidelines for Datacenters

What should data center operators think about with regard to IPv6? One of the Internet Drafts in the V6OPS working group within the IETF aims to address this issue. The latest version was just released two weeks ago on February 3, 2014, and can be found at:

http://tools.ietf.org/html/draft-ietf-v6ops-dc-ipv6

As the abstract notes:

This document is intended to provide operational guidelines for datacenter operators planning to deploy IPv6 in their infrastructures. It aims to offer a reference framework for evaluating different products and architectures, and therefore it is also addressed to manufacturers and solution providers, so they can use it to gauge their solutions. We believe this will translate into a smoother and faster IPv6 transition for datacenters of these infrastructures.

The document focuses on the DC infrastructure itself, its operation, and the aspects related to DC interconnection through IPv6. It does not consider the particular mechanisms for making Internet services provided by applications hosted in the DC available through IPv6 beyond the specific aspects related to how their deployment on the Data Center (DC) infrastructure.

Apart from facilitating the transition to IPv6, the mechanisms outlined here are intended to make this transition as transparent as possible (if not completely transparent) to applications and services running on the DC infrastructure, as well as to take advantage of IPv6 features to simplify DC operations, internally and across the Internet.

The document then goes on to look at the various stages of a transition to IPv6 and explores various methods by which the transition can occur. It also addresses operational considerations such as IPv6 address planning, monitoring and logging, and management systems.  Like other similar documents, it also includes many links for data center operators seeking to learn more.

If you operate a data center, you may find this document quite helpful!

P.S. I’ll note that the authors are definitely looking for feedback and so if you have suggestions based on your own experience with IPv6 in your data center, please do contact them – their email addresses are at the end of the document.

New IETF “openv6” Mailing List For IPv6 Application Developers

Do we need an “open interface and a programmable platform to support various IPv6 applications”? That is the question posed for a new “openv6” IETF discussion mailing list announced yesterday. The openv6 list, which is open to anyone to subscribe to, has this description:

This list is to discuss an open interface and a programmable platform to support various IPv6 applications, which may include IPv6 transition technologies, SAVI (Source Address Validation and Traceback), security, data center, etc. This discussion will focus on the problem space, use cases and possible protocol extensions. The following questions are listed to be solved via this discussion:

(1) What are the problems and use cases existing in various IPv6 applications, e.g., multiple IPv6 transition technologies co-existing?

(2) How to enable the applications to program the equipment to tunnel IPv6 traffic across an IPv4 data plane?

(3) How can this work be done through a general interface, e.g., to incorporate the transition policies, simplifying the different stages through the transition and guaranteeing that current decisions do not imply a complicated legacy in the future?

(4) How to make the end-to-end configuration of devices: concentrator/CGN, CPE and the provisioning system?

(5) How to extend the existing IETF protocols, e.g., netconf, to support this open interface?

The list is not for forming a new IETF working group (WG). At this point it is purely for discussing this topic. The mailing list archive seems to be empty at the moment (or the link is not correct), but given that the list was just announced yesterday, the list owners may be waiting for people to join before kicking off discussion. In searching IETF archives I found this recent draft from October 2013, “Problem Statement for Openv6 Scheme,” that may be part of the discussion. I expect we should see more information soon as the discussion begins.

Anyway, if you are an application developer looking at how to make your applications work over IPv6, this may be an interesting mailing list to join, if for no other reason than to monitor it and see what work is happening.

I’m looking forward to seeing the discussion begin!

A Very Useful New RFC 7059 – A Comparison of IPv6-over-IPv4 Tunnel Mechanisms

If you can’t get a native IPv6 connection for your network from your local Internet Service Provider (ISP), what kind of “tunneling” mechanism can you use to get IPv6 connectivity for your network? Today a new Informational (non-standard) RFC 7059, A Comparison of IPv6-over-IPv4 Tunnel Mechanisms, was published that explores exactly these issues. It walks through a wide range of available IPv6 tunneling mechanisms and explains the merits (or not) of the various mechanisms, while also providing plenty of links for people to learn more. The list of tunneling mechanisms includes:

  • Configured Tunnels (Manual Tunnels / 6in4)
  • Automatic Tunneling
  • IPv6 over IPv4 without Explicit Tunnels (6over4)
  • Generic Routing Encapsulation (GRE)
  • Connection of IPv6 Domains via IPv4 Clouds (6to4)
  • Anything In Anything (AYIYA)
  • Intra-Site Automatic Tunnel Addressing (ISATAP)
  • Tunneling IPv6 over UDP through NATs (Teredo)
  • IPv6 Rapid Deployment (6rd)
  • Native IPv6 behind NAT44 CPEs (6a44)
  • Locator/ID Separation Protocol (LISP)
  • Subnetwork Encapsulation and Adaptation Layer (SEAL)
  • Peer-to-Peer IPv6 on Any Internetwork (6bed4)

If you are frustrated with being unable to obtain native IPv6 connectivity for your network, this RFC may provide a good place to start to learn more about how you can use one of these transition mechanisms to connect your network to the rest of the IPv6-enabled Internet!


Deploy360@IETF88: Day 3 – Perpass, IPv6 Operations and Operational Security

On Day 3 of IETF88 our focus is again on IPv6 as well as the overall topic of hardening the security of the Internet. The first session we’re primarily tracking is IPv6 Operations (V6OPS), which has a whole range of documents under consideration relating to IPv6 addressing. The second session is Operational Security (OPSEC), where there are two drafts related to IPv6 security.

On a broader topic, we’ll be watching the IETF 88 Technical Plenary focused on “Hardening The Internet” and then the “Perpass” working group coming up after that.

My earlier posts about DNSSEC sessions and IPv6 sessions at IETF 88 explain in more detail what we’ll be watching.

Information about the four sessions today, including the links for the audio streams, the slides and the Jabber chat rooms, is:

For these sessions and all the others, the “tools-style agenda” for IETF 88 provides many helpful links for remote participants.

If you’d like to meet with the Deploy360 team here at IETF88, please see our post about where we’ll be at IETF88.

Deploy360@IETF88: Day 2 – SIDR, DNSOP, 6tisch, 6lo and the IPv6 Briefing Panel

Day 2 at IETF88 includes the primary sessions this week about DNSSEC (in DNSOP) as well as secure routing (SIDR). There are also two working groups focusing on IPv6 in various network configurations (6lo and 6tisch). Do note that the meeting of the GROW working group was canceled for today.

The other big event happening in just a few hours is the “Internet Society @ IETF Briefing Panel: IPv6 – What Does Success Look Like?”, where we will be live-streaming what looks like it will be an outstanding discussion about the state of IPv6 deployment today and where it is going. The session starts at 11:45am Pacific time (19:45 UTC).

For more information about these sessions today, we’d encourage you to read our “Rough Guide to IETF88” documents about:

Information about the four sessions today, including the links for the audio streams, the slides and the Jabber chat rooms, is:

For these sessions and all the others, the “tools-style agenda” for IETF 88 provides many helpful links for remote participants.

If you’d like to meet with the Deploy360 team here at IETF88, please see our post about where we’ll be at IETF88.