IETF 90 Report – DNS, DHCP, IPv6 and DANE

©!Men!&!Mice!!http://menandmice,com!

IETF!90!Review

6th!August!2014

•The!Internet!Engineering!Task!Force!(IETF)!is!a!large!open!international!community!of!network!designers,!operators,!vendors,!and!researchers!concerned!with!the!evolution!of!the!Internet!architecture!and!the!smooth!operation!of!the!Internet.!It!is!open!to!any!interested!individual.!The!IETF!Mission!Statement!is!documented!in!RFC!3935.

•http://www.ietf.org/about/

Agenda

• IETF!90!in!Toronto!

• DNS

• DNSSEC!/!DANE!(review!moved!to!September!Webinar)

• DHCP

• IPv6

• the!following!information!is!an!excerpt!of!the!IETF!working!group!activities

• for!a!full!overview!of!all!activities!at!IETF!90,!see!https://datatracker.ietf.org/meeting/90/materials.html

Generic!IETF!news/RFCs

• RFC!7282!“On!Consensus!and!Humming!in!the!IETF”!(Informal)

• Chapters:

• Lack!of!disagreement!is!more!important!than!agreement

• Rough!consensus!is!achieved!when!all!issues!are!addressed,!but!not!necessarily!accommodated!

• Humming!should!be!the!start!of!a!conversation,!not!the!end

• Consensus!is!the!path,!not!the!destination!

• One!hundred!people!for!and!five!people!against!might!not!be!rough!consensus!

• Five!people!for!and!one!hundred!people!against!might!still!be!rough!consensus

Generic!IETF!news/RFCs

•RFC!7258!“Pervasive!Monitoring!Is!an!Attack”!(BCP)

•“Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.”

new!RFCs!published!since!last!IETF

RFC Title Category

7208Sender Policy Framework (SPF) for Authorizing Use of

Domains in Email, Version 1Standards Track

7218Adding Acronyms to Simplify Conversations about

DNS-Based Authentication of Named Entities (DANE)Standards Track

7314 Extension Mechanisms for DNS (EDNS) EXPIRE Option Experimental

DNSOPs!charter!update

•the!IETF!DNSOPS!working-group!has!updated!its!charter

• it!is!now!possible!to!“tweak”!the!existing!DNS!protocols!(now!that!DNSEXT!--!DNS!extensions!--!has!been!shut!down)

•but!no!work!on!completely!new!DNS!protocols

draft-ietf-dnsop-dnssec-key-timing

ñDNSSEC Key Rollover Timing Considerations

•new!version!04

•Updated!diagrams!and!text!to!better!reflect!key!states!and!key!lifetimes

•new!WGLC

draft-ietf-dnsop-resolver-priming

ñInitializing a DNS Resolver with Priming Queries

•queries!a!DNS!resolver!sends!to!fill!it’s!cache!with!the!required!information!about!the!root-zone!(NS!records!and!address!records)

•document!has!open!issues

draft-wkumari-dnsop-dist-root

ñSecurely Distributing the DNS Root

•give!every!DNS!resolver!a!copy!of!the!root!zone

•benefits:

• less!(junk)!queries!to!the!real!DNS!root!servers

• DNS!resolver!can!operate!even!if!the!DNS!root!server!system!is!under!DDoS!attack

• privacy!--!less!information!leaking

draft-wkumari-dnsop-dist-root

ñ Securely Distributing the DNS Root

• give!every!DNS!resolver!a!copy!of!the!root!zone

• possible!issues:

• more!complex!DNS!resolver!software

• no!central!monitoring!at!the!root-servers

• root!zone!changes!would!propagate!slowly

• change!of!nature!of!traffic!hitting!the!Internet!root!server!(only!“bad”!resolvers)

draft-lee-dnsop-scalingroot

ñHow to scale the DNS root system?

•restriction!for!13!DNS!root!name!servers!came!from!IPv4!UDP!“don’t!fragment”!requirement!(512!byte!max!payload)

•this!restriction!is!not!relevant!anymore!(IPv6,!modern!IPv4!environment,!Ethernet!everywhere![1500!MTU])

•now,!up!to!20!DNS!root!servers!are!possible

• but!where!to!place!the!7!new!ones?

Optimizing!DNS!Authority!Server!Placement

•discusses!a!way!to!calculate!the!optimal!placement!for!authoritative!DNS!server!based!on!

•processing!capacity!(queries!per!seconds)

• latency!(round!trip!time!of!queries!from!client)

•deployment!costs

draft-mekking-dnsop-kasp

ñKey and Signing Policy

•common!data!format!(YANG)!to!describe!a!DNSSEC!key-!and!signing!policy

• Signature!validity!period,!NSEC!or!NSEC3,!Key!sizes!and!algorithms,!signing!scheme,!etc...

•makes!it!possible!to!import/export!the!DNSSEC!policy!between!products

draft-howard-dnsop-ip6rdns

ñ Reverse DNS in IPv6 for Internet Service Providers

• service!provider!cannot!pre-populate!all!IPv6!PTR!records!for!a!customer!(as!is!sometimes!done!for!IPv4)

• “38!trillion!year!to!populate!a!/64!for!one!customer”

• draft!discusses!alternatives:

• No!Response

• Wildcard!match

• Dynamic!DNS

• Delegate!DNS!to!customer

• Dynamically!Generate!PTR!When!Queried!("On!the!Fly")

draft-jabley-multicast-ptr

ñDNS Reverse Mapping for Multicast Addresses

•how!to!name!“well!known”!multicast!addresses!to!DNS!names

• fix!IPv4!naming

• provide!IPv6!naming

draft-jabley-multicast-ptr

• IPv4!multicast!reverse!today:

% dig -x 224.0.1.1 +noall +answer

; <<>> DiG 9.10.0-P1 <<>> -x 224.0.1.1 +noall +answer;; global options: +cmd1.1.0.224.in-addr.arpa. 28787 IN PTR ntp.mcast.net.

• use!of!MCAST.ARPA!instead!of!MCAST.NET

• IPv6!multicast!scope!mapped!via!DNS!name!hierarchy

• ff05::fb!-->!MDNSV6.SITE-LOCAL.MCAST6.ARPA.

• ff01::fb!-->!MDNSV6.LINK-LOCAL.MCAST6.ARPA.

new!RFCs!published!since!last!IETF

RFC Title Category

7227 Guidelines for Creating New DHCPv6 Options BCP

7283 Handling Unknown DHCPv6 MessagesStandards

7291 DHCP Options for the Port Control Protocol (PCP)Standards

Secure!DHCPv6!with!Public!Keydraft-ietf-dhc-sedhcpv6-03

•Authentication!of!DHCPv6!server!towards!the!client

•PKI!or!pre-configured!trust!anchor

•two!public!key!based!mechanisms!with!different!security!strengths

• strong:!only!signed!certificate!or!pre-shared!key!accepted

• leap-of-faith:!un-authenticated!key!exchange!of!first!contact

Dynamic!Allocation!of!Shared!IPv4!Addressesdraft-ietf-dhc-dynamic-shared-v4allocation

•allocate!the!same!IPv4!address(es)!to!multiple!clients

• in!DHCP4over6!scenario

•the!client!transmits!“OPTION_V4_PORTPARAMS”!(port!set!ID!to!be!used)

• combined!tuple!of!IPv4!address!and!Port!Set!ID!MUST!be!unique!for!each!active!lease

DHCP!Privacy!Considerations

•presentation!of!problem!statement!and!initial!discussion:

•DHCP!is!susceptible!to!surveillance

•DHCP!can!be!used!to!track!users!and!devices

•Users’!mobility!patterns!may!be!revealed

•Users’!personal!information!may!be!revealed

Support!for!multiple!provisioning!domains!in!DHCPv6draft-kkb-mpvd-dhcp-support

•notes!can!be!attached!to!multiple!networks

• each!network!might!run!a!DHCPv6!service

• provisioning!data!from!different!networks!might!be!in!conflict

•proposed!solution!sends!the!identity!of!an!provisioning!domain!inside!a!DHCPv6!option

• encapsulates!the!options!that!contain!the!configuration!information

• encapsulates!any!accompanying!authentication/authorization!!!information

IPv6/IPv4-sunset

published!new!RFCs!since!last!IETF

RFC Title Category

7157 IPv6 Multihoming without Network Address Translation Informal

7217 A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)

Standards Track

7219 SEcure Neighbor Discovery (SEND) Source Address Validation Improvement (SAVI)

Standards Track

7225 Discovering NAT64 IPv6 Prefixes Using the Port Control Protocol (PCP)

Standards Track

7269 NAT64 Deployment Options and Experience Informational

draft-ietf-sunset4-noipv4-00

•Turning off IPv4 Using DHCPv6 or Router Advertisements

•How!to!tell!a!client!“there!is!no!IPv4!no!more!in!this!network”

• stop!useless!traffic!(DHCPv4!broadcasts)

• Power!Consumption!in!mobile!nodes

•DHCPv6!option!and/or!IPv6!Router-Advertisement!option

draft-liu-v6ops-running-multiple-prefixes

•Operational Considerations & Problems of Running Multiple IPv6 Prefixes

•Network!Management!Tools

•multiple!provisioning!domains

•ND!cache!of!Layer!2!switches

•“exit!router”!selection

draft-kitamura-ipv6-zoneid-free

•Free from Using Zone Identifier for IPv6 Link-Local

•link-local!(unicast)!communication!without!the!need!to!zone-ids

• the!IPv6!stack!can!use!some!heuristics!to!find!the!interface/zone-id

• Goal:

% ssh fe80::226:b0ff:fed6:a4e0instead!of% ssh fe80::226:b0ff:fed6:a4e0%en0

ULA!experience!at!JANOG!34!

•Japan!Network!Operators!Group!(JANOG)!meeting

• ULA!(IPv6)!+!GUA!(IPv6)!+!IPv4!segment

• ULAs!not!used!except!in!ND!and!mDNS!traffic

• ULA!(IPv6!via!SLAAC!and!DHCPv6)!+!NAT64/DNS64

• most!applications!work

• ULA!(IPv6!via!SLAAC!and!DHCPv6)!+!NAT66!(stateless)

• most!applications!work

upcoming!Men!&!Mice!events

• 23.!Aug!2014!-!FrOSCon!lecture!(German):!DANEn!lügen!nicht!--!SSL/TLS!Zertifikate!mit!DNSSEC!absichern;!http://programm.froscon.de/2014/events/1407.html

• Men!&!Mice!WebinarDNSSEC!&!DANE!-!E-Mail!security!reloadedWed,!Sep!3,!2014!4:00!PM!-!5:00!PM!GMThttp://www.menandmice.com/resources/educational-resources/webinars/dnssec-and-dane-e-mail-security-reloaded/

• Tutorial!@!GuuG!“Transportverschlüsselung!-!jetzt!aber!mal!richtig”!(German),!Wednesday,!Sep!24,!2014!10:00-18:00,!http://www.guug.de/veranstaltungen/ffg2014/abstracts.html

?Slides,!Links,!Recording!and!errata!will!be!posted!@

https://www.menandmice.com/resources/educational-resources/webinars/

IETF 90 Report – DNS, DHCP, IPv6 and DANE

Technology

IETF Report€¦ · About This Presentation This presentation is an official IETF report – This report covers TWO IETFs, IETF 100 and IETF 101 – This is not an in-depth IETF report

DHCP - academic.nimal.info · DHCP Components •DHCP client: •a host using DHCP to obtain an IP address and other configuration information •DHCP server: •a host that returns

Tackling Protocol Diversity: ISOC@IETF Panel at IETF 93

ADMINISTRADOR DHCP QUE ES DHCP :

Cisco Systems J. Korhonen Broadcom Communicationsdatatracker.ietf.org/meeting/88/agenda/dhc-drafts.pdf · Access Network Identifier Option in DHCP draft-ietf-dhc-access-network-identifier-13

¿Cómo funciona el IETF? - ESNOG€¦ · ¿Cómo funciona el IETF? 2 Agenda Presentación Panorámica e historia del IETF Estructura del IETF Documentos en el IETF, proceso de estandarización

1 IETF Status at IETF 85 Russ Housley IETF Chair

Introduction to the DANE Protocol And Updates From IETF 88 fileA browser that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate

A SAVI Solution for DHCP Draf-ietf-savi-dhcp-06 J. Bi, J. Wu, G. Yao, F. Baker IETF79, Beijing Nov. 9, 2010

Access technologiesinno/pubs/radius-dhcp-reduced3.pdf · 2015-07-16 · DHCP servers : – ISC dhcp server – Windows dhcp – FreeRADIUS/dhcp – Cisco Prime Network Registrar –

1 Chapter Overview Understanding DHCP Configuring a DHCP Server Troubleshooting DHCP

Configure DHCP Server and DHCP-Relay

― 次世代IP ユーザ・網インタフェース（UNI）― 本編[11] IETF RFC2132 (03/1997): DHCP Options and BOOTP Vendor Extensions [12] IETF RFC2181 (07/1997): Clarifications

Windows 2012 DHCP Failover - PCN, Inc.23.235.200.57/.../06/Windows-2012-DHCP-Failover.pdf · ©!Men!&!Mice!!! Centralized!vs.!distributed! DHCP Branch!A DHCP! Server DHCP! Client

Configuring DHCP Service - static.tp-link.com · Configuring DHCP Service CHAPTERS 1. DHCP 2. DHCP Relay Configuration 3. DHCP L2 Relay Configuration 4. Example for DHCP VLAN Relay

School of Computing National University of Singaporetbma/teaching/cs3103y... · first-hop router, addr of DNS server . router (runs DHCP) DHCP UDP IP Eth Phy . DHCP DHCP DHCP DHCP

1 IETF Status at IETF 76 Russ Housley, IETF Chair

DHCP v4 - DHCP v6

Internet Engineering Task Force (IETF) R. Johnson … · RFC 6656 Cisco Systems’ DHCP Subnet Alloc Option July 2012 3.2. Subnet-Information Suboption Format 0 1 2

IETF CodeMatch