At this webinar, Mr. Carsten Strotmann from the Men & Mice Services team gives an overview of interesting developments from the working groups inside the IETF, after attending IETF 90 in Toronto online. Topics: DNS, DNS privacy, IPv6, DANE, DHCP(v6), and the new RFCs that have been published since the last IETF in March 2014.
© Men & Mice, http://menandmice.com
IETF 90 Review
6th August 2014

IETF
• The Internet Engineering Task Force (IETF) is a large, open, international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. The IETF mission statement is documented in RFC 3935.
• http://www.ietf.org/about/

Agenda
• IETF 90 in Toronto
• DNS
• DNSSEC / DANE (review moved to the September webinar)
• DHCP
• IPv6
• the following information is an excerpt of the IETF working group activities
• for a full overview of all activities at IETF 90, see https://datatracker.ietf.org/meeting/90/materials.html

Generic IETF news/RFCs
• RFC 7282 "On Consensus and Humming in the IETF" (Informational)
• Chapters:
  • Lack of disagreement is more important than agreement
  • Rough consensus is achieved when all issues are addressed, but not necessarily accommodated
  • Humming should be the start of a conversation, not the end
  • Consensus is the path, not the destination
  • One hundred people for and five people against might not be rough consensus
  • Five people for and one hundred people against might still be rough consensus

Generic IETF news/RFCs
• RFC 7258 "Pervasive Monitoring Is an Attack" (BCP 188)
• "Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible."

new RFCs published since last IETF (DNS)
• RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1 (Standards Track)
• RFC 7218: Adding Acronyms to Simplify Conversations about DNS-Based Authentication of Named Entities (DANE) (Standards Track)
• RFC 7314: Extension Mechanisms for DNS (EDNS) EXPIRE Option (Experimental)

DNSOP charter update
• the IETF DNSOP working group has updated its charter
  • it is now possible to "tweak" the existing DNS protocols (now that DNSEXT, the DNS extensions working group, has been closed)
• but no work on completely new DNS protocols

draft-ietf-dnsop-dnssec-key-timing
DNSSEC Key Rollover Timing Considerations
• new version 04
• updated diagrams and text to better reflect key states and key lifetimes
• new WGLC (working group last call)

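As an added worked example (not from the slides and not code from the draft), the two intervals the draft defines for a ZSK pre-publication rollover, Ipub = Dprp + TTLkey and Iret = Dsgn + Dprp + TTLsig, turned into a timeline calculator plus a check for a hand-written schedule. The TTLs, delays and dates used are constructed values, not taken from any real zone.

```python
# Added example: key-state timeline for a ZSK pre-publication rollover, using the
# interval definitions of draft-ietf-dnsop-dnssec-key-timing (later RFC 7583):
#   Ipub = Dprp + TTLkey          (new DNSKEY must be in every cache before it signs)
#   Iret = Dsgn + Dprp + TTLsig   (old RRSIGs must have expired from caches before removal)
# Parameter names follow the draft; all values in the usage below are constructed.
from datetime import datetime, timedelta


def zsk_prepublish_timeline(t_pub, ttl_key, d_prp, ttl_sig, d_sgn, lifetime):
    """Earliest safe Tact/Tret/Trem for a successor ZSK first published at t_pub.

    ttl_key  TTL of the DNSKEY RRset
    d_prp    propagation delay until all authoritative servers serve the new zone
    ttl_sig  longest TTL of any RRset the key signs (zone maximum TTL)
    d_sgn    time needed to re-sign the whole zone with the successor key
    lifetime intended active period of the key
    """
    i_pub = d_prp + ttl_key
    i_ret = d_sgn + d_prp + ttl_sig
    t_act = t_pub + i_pub          # key may start signing
    t_ret = t_act + lifetime       # key stops signing (successor takes over)
    t_rem = t_ret + i_ret          # DNSKEY may be removed from the zone
    return {"Tpub": t_pub, "Tact": t_act, "Tret": t_ret, "Trem": t_rem,
            "Ipub": i_pub, "Iret": i_ret}


def check_schedule(t_pub, t_act, t_ret, t_rem, ttl_key, d_prp, ttl_sig, d_sgn):
    """Validate a hand-written schedule; return a list of violations (empty == OK)."""
    i_pub = d_prp + ttl_key
    i_ret = d_sgn + d_prp + ttl_sig
    problems = []
    if t_act - t_pub < i_pub:
        problems.append(f"Tact - Tpub ({t_act - t_pub}) is shorter than Ipub ({i_pub}): "
                        "validators may still lack the new DNSKEY")
    if t_rem - t_ret < i_ret:
        problems.append(f"Trem - Tret ({t_rem - t_ret}) is shorter than Iret ({i_ret}): "
                        "cached RRSIGs would point at a removed key")
    if t_ret <= t_act:
        problems.append("Tret must be after Tact")
    return problems


# Constructed parameters: 1h DNSKEY TTL, 30 min propagation, 1 day max TTL, 2h signing time.
EXAMPLE_PARAMS = dict(ttl_key=timedelta(hours=1), d_prp=timedelta(minutes=30),
                      ttl_sig=timedelta(days=1), d_sgn=timedelta(hours=2))
EXAMPLE_TIMELINE = zsk_prepublish_timeline(datetime(2014, 8, 6),
                                           lifetime=timedelta(days=30), **EXAMPLE_PARAMS)
# A schedule that activates the key one hour after publication is too early here.
EXAMPLE_PROBLEMS = check_schedule(datetime(2014, 8, 6), datetime(2014, 8, 6, 1),
                                  datetime(2014, 9, 5), datetime(2014, 9, 7), **EXAMPLE_PARAMS)

if __name__ == "__main__":
    for k in ("Tpub", "Tact", "Tret", "Trem"):
        print(f"{k}: {EXAMPLE_TIMELINE[k]}")
    print(EXAMPLE_PROBLEMS)
```

The check is deliberately conservative: it compares against the full Ipub/Iret, so a schedule that "almost" waits long enough is reported, since a validator that cached the old DNSKEY RRset just before the change sees the new key only after the complete TTL has passed.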
draft-ietf-dnsop-resolver-priming
Initializing a DNS Resolver with Priming Queries
• the queries a DNS resolver sends to fill its cache with the required information about the root zone (the NS records for "." and the address records of the root name servers)
• document has open issues

draft-wkumari-dnsop-dist-root
Securely Distributing the DNS Root
• give every DNS resolver a copy of the root zone
• benefits:
  • fewer (junk) queries to the real DNS root servers
  • the DNS resolver can operate even if the DNS root server system is under DDoS attack
  • privacy: less information leaks to the root servers

draft-wkumari-dnsop-dist-root
Securely Distributing the DNS Root
• give every DNS resolver a copy of the root zone
• possible issues:
  • more complex DNS resolver software
  • no central monitoring at the root servers
  • root zone changes would propagate slowly
  • change in the nature of traffic hitting the Internet root servers (only "bad" resolvers would still query them)

draft-lee-dnsop-scalingroot
How to scale the DNS root system?
• the restriction to 13 DNS root name servers came from the 512-byte limit on UDP DNS responses (chosen so that a response fits in a minimum-size IPv4 datagram without fragmentation)
• this restriction is not relevant anymore (IPv6, modern IPv4 environment, Ethernet everywhere [1500 MTU])
• now, up to 20 DNS root servers are possible
  • but where to place the 7 new ones?

Optimizing DNS Authority Server Placement
• discusses a way to calculate the optimal placement for authoritative DNS servers based on
  • processing capacity (queries per second)
  • latency (round-trip time of queries from the client)
  • deployment costs

draft-mekking-dnsop-kasp
Key and Signing Policy
• common data format (YANG) to describe a DNSSEC key and signing policy
  • signature validity period, NSEC or NSEC3, key sizes and algorithms, signing scheme, etc.
• makes it possible to import/export the DNSSEC policy between products

draft-howard-dnsop-ip6rdns
Reverse DNS in IPv6 for Internet Service Providers
• a service provider cannot pre-populate all IPv6 PTR records for a customer (as is sometimes done for IPv4)
  • "38 trillion years to populate a /64 for one customer"
• the draft discusses alternatives:
  • no response
  • wildcard match
  • dynamic DNS
  • delegate DNS to the customer
  • dynamically generate the PTR when queried ("on the fly")

draft-jabley-multicast-ptr
DNS Reverse Mapping for Multicast Addresses
• how to map "well known" multicast addresses to DNS names
  • fix IPv4 naming
  • provide IPv6 naming

draft-jabley-multicast-ptr
• IPv4 multicast reverse today:
  % dig -x 224.0.1.1 +noall +answer
  ; <<>> DiG 9.10.0-P1 <<>> -x 224.0.1.1 +noall +answer
  ;; global options: +cmd
  1.1.0.224.in-addr.arpa. 28787 IN PTR ntp.mcast.net.
• use of MCAST.ARPA instead of MCAST.NET
• IPv6 multicast scope mapped via the DNS name hierarchy
  • ff05::fb --> MDNSV6.SITE-LOCAL.MCAST6.ARPA.
  • ff02::fb --> MDNSV6.LINK-LOCAL.MCAST6.ARPA.

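The two reverse-mapping ideas above, the "on the fly" PTR generation of draft-howard-dnsop-ip6rdns and the scope-based multicast naming of draft-jabley-multicast-ptr, as one added example; this is illustration code, not code from the slides or from either draft. The PTR naming scheme (the exploded address with ":" replaced by "-"), the suffix dyn.example.net, and the scope/group label tables are assumptions made for this example; only the ff05::fb and ff02::fb mappings come from the slide.

```python
# Added example (not from the slides or either draft): synthesise IPv6 reverse
# records "on the fly" for a customer /64, and map well-known multicast groups to
# scope-based names in the MCAST6.ARPA hierarchy.  Naming scheme, suffix and label
# tables are assumptions for this example.
import ipaddress

DYN_SUFFIX = "dyn.example.net."   # assumed suffix for synthesised names

# Scope nibble of ff0s::/16 -> label; the names follow the RFC 4291 scope names.
SCOPE_LABELS = {0x1: "INTERFACE-LOCAL", 0x2: "LINK-LOCAL", 0x4: "ADMIN-LOCAL",
                0x5: "SITE-LOCAL", 0x8: "ORGANIZATION-LOCAL", 0xE: "GLOBAL"}
# Group IDs of well-known multicast addresses (only the one shown on the slide).
GROUP_LABELS = {0xFB: "MDNSV6"}


def reverse_name(address):
    """Owner name in ip6.arpa for an IPv6 address (what a PTR query asks for)."""
    return ipaddress.IPv6Address(address).reverse_pointer + "."


def is_full_ip6_arpa(qname):
    """True if qname is a well-formed /128 name under ip6.arpa (32 nibble labels)."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        return False
    return all(len(n) == 1 and n in "0123456789abcdef" for n in labels[:32])


def ip6_arpa_to_address(qname):
    """Parse an ip6.arpa owner name back into an IPv6Address; ValueError if malformed."""
    if not is_full_ip6_arpa(qname):
        raise ValueError(f"not a full /128 ip6.arpa name: {qname}")
    nibbles = qname.rstrip(".").lower().split(".")[:32]
    hexstr = "".join(reversed(nibbles))      # ip6.arpa lists nibbles least significant first
    return ipaddress.IPv6Address(int(hexstr, 16))


def synthesize_ptr(qname, customer_prefix, suffix=DYN_SUFFIX):
    """PTR target for a query inside the customer's prefix, else None (answer NXDOMAIN)."""
    addr = ip6_arpa_to_address(qname)
    if addr not in ipaddress.IPv6Network(customer_prefix):
        return None
    return addr.exploded.replace(":", "-") + "." + suffix


def ptr_target_to_address(name, suffix=DYN_SUFFIX):
    """Inverse mapping, so the matching AAAA record can be generated on the fly as well."""
    if not name.endswith("." + suffix):
        raise ValueError("not a synthesised name")
    return ipaddress.IPv6Address(name[:-len(suffix) - 1].replace("-", ":"))


def multicast_name(address):
    """MCAST6.ARPA name for a well-known IPv6 multicast address, or None if unknown."""
    addr = ipaddress.IPv6Address(address)
    if not addr.is_multicast:
        return None
    scope = int(addr.exploded[3], 16)          # ff0s:: -> the fourth hex digit is the scope
    group = int(addr) & ((1 << 112) - 1)       # the low 112 bits are the group ID
    scope_label = SCOPE_LABELS.get(scope)
    group_label = GROUP_LABELS.get(group)
    if scope_label is None or group_label is None:
        return None
    return f"{group_label}.{scope_label}.MCAST6.ARPA."


if __name__ == "__main__":
    q = reverse_name("2001:db8:0:1::42")     # constructed customer address
    print(q, "->", synthesize_ptr(q, "2001:db8:0:1::/64"))
    print("ff05::fb ->", multicast_name("ff05::fb"))
```

Two points worth noting for an operator implementing the on-the-fly variant: the parser refuses anything that is not a complete 32-nibble name, so a query for a shorter name or a name with junk labels gets NXDOMAIN rather than a guessed answer, and the forward mapping is kept reversible so the AAAA for the synthesised name can be generated the same way and forward/reverse stay consistent.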
new RFCs published since last IETF (DHCP)
• RFC 7227: Guidelines for Creating New DHCPv6 Options (BCP)
• RFC 7283: Handling Unknown DHCPv6 Messages (Standards Track)
• RFC 7291: DHCP Options for the Port Control Protocol (PCP) (Standards Track)

draft-ietf-dhc-sedhcpv6-03
Secure DHCPv6 with Public Key
• authentication of the DHCPv6 server towards the client
• PKI or pre-configured trust anchor
• two public-key based mechanisms with different security strengths
  • strong: only a CA-signed certificate or a pre-configured (pre-shared) public key is accepted
  • leap-of-faith: unauthenticated key exchange on first contact; the key learned then is used to check the server on later contacts

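The client-side trust decision for the two modes, as an added example (not from the slides and not code from the draft). Server keys are identified by a SHA-256 fingerprint; verification of the signature over the DHCPv6 message itself is a separate step and is passed in here as the boolean signature_valid. The DUIDs and key bytes used are constructed for illustration.

```python
# Added example (not from the slides or from draft-ietf-dhc-sedhcpv6): client-side
# trust decision for "strong" versus "leap-of-faith" server authentication.
# How the Signature option is verified is outside this example (signature_valid).
import hashlib


def key_fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()


class ServerTrust:
    """Decide whether a DHCPv6 server's public key is acceptable.

    strong        : accept only keys matching a pre-configured trust anchor
                    (a CA-issued certificate's key or a pre-shared public key)
    leap-of-faith : additionally pin the key seen on first contact with a server
                    and reject that server if its key changes later
    """

    def __init__(self, mode, trust_anchors=()):
        if mode not in ("strong", "leap-of-faith"):
            raise ValueError(mode)
        self.mode = mode
        self.anchors = {key_fingerprint(k) for k in trust_anchors}
        self.pinned = {}        # server DUID -> fingerprint learned on first contact

    def evaluate(self, server_duid: bytes, public_key: bytes, signature_valid: bool) -> str:
        """Return 'accept', 'pinned' (first contact, now remembered) or 'reject'."""
        if not signature_valid:
            return "reject"                    # the key is worthless without a valid signature
        fp = key_fingerprint(public_key)
        if fp in self.anchors:
            return "accept"
        if self.mode == "strong":
            return "reject"                    # unknown key: no leap of faith allowed
        known = self.pinned.get(server_duid)
        if known is None:
            self.pinned[server_duid] = fp      # leap of faith: trust on first use
            return "pinned"
        return "accept" if known == fp else "reject"   # key changed: possible rogue server


if __name__ == "__main__":
    # Constructed keys and DUIDs.
    trust = ServerTrust("leap-of-faith", trust_anchors=[b"anchor-key"])
    print(trust.evaluate(b"duid-1", b"anchor-key", True))   # accept
    print(trust.evaluate(b"duid-2", b"new-key", True))      # pinned
    print(trust.evaluate(b"duid-2", b"other-key", True))    # reject
```

The caveat a deployer should keep in mind: pinning is keyed by the server's DUID, so a rogue server that shows up with a fresh DUID is simply "pinned" as a new server. Leap-of-faith only protects against an already known server's key changing; the strong mode is the one that protects first contact.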
draft-ietf-dhc-dynamic-shared-v4allocation
Dynamic Allocation of Shared IPv4 Addresses
• allocate the same IPv4 address(es) to multiple clients
  • in the DHCPv4-over-DHCPv6 (DHCP 4o6) scenario
• the client transmits "OPTION_V4_PORTPARAMS" (the port set ID to be used)
  • the combined tuple of IPv4 address and Port Set ID MUST be unique for each active lease

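The port-set arithmetic behind a shared-IPv4 lease, as an added example (not from the slides and not code from the draft). OPTION_V4_PORTPARAMS carries (offset, PSID-len, PSID) and the port set is computed with the MAP algorithm of RFC 7597, so the well-known ports below 2^(16-offset) are never handed out. The lease table enforces the draft's uniqueness rule for (IPv4 address, port set), including the case where two PSIDs of different lengths would overlap. The offset of 6, the addresses and the client IDs are constructed for the example.

```python
# Added example (not from the slides or the draft): port sets for shared IPv4 leases.
# A port is laid out as  A (offset bits, A != 0 when offset > 0) | PSID | M (rest),
# the MAP port-mapping algorithm of RFC 7597.  Offset 6 and all data are constructed.
import struct


def encode_portparams(offset, psid_len, psid):
    """Payload of OPTION_V4_PORTPARAMS: offset(8), PSID-len(8), PSID left-justified in 16 bits."""
    if not (0 <= offset <= 16 and 0 <= psid_len <= 16 - offset and 0 <= psid < (1 << psid_len)):
        raise ValueError("inconsistent port parameters")
    return struct.pack("!BBH", offset, psid_len, psid << (16 - psid_len))


def decode_portparams(payload):
    offset, psid_len, raw = struct.unpack("!BBH", payload)
    if offset + psid_len > 16:
        raise ValueError("offset + PSID-len exceeds 16 bits")
    return offset, psid_len, raw >> (16 - psid_len)


def port_set(offset, psid_len, psid):
    """Contiguous (first, last) port ranges that belong to this PSID."""
    m = 16 - offset - psid_len                 # low bits free for the client to choose
    ranges = []
    for a in range(1 if offset else 0, 1 << offset):   # A == 0 excluded: keeps ports < 2^(16-offset)
        first = (a << (16 - offset)) | (psid << m)
        ranges.append((first, first + (1 << m) - 1))
    return ranges


def psids_overlap(len1, psid1, len2, psid2):
    """Two port sets (same offset) overlap iff the shorter PSID is a prefix of the longer one."""
    k = min(len1, len2)
    return (psid1 >> (len1 - k)) == (psid2 >> (len2 - k))


class LeaseConflict(Exception):
    pass


class SharedV4Leases:
    """Active leases keyed by (IPv4 address, PSID-len, PSID); one client per port set."""

    OFFSET = 6   # assumed fixed offset for this example (RFC 7597 default)

    def __init__(self):
        self.active = {}

    def conflicts(self, ipv4, psid_len, psid, client_id):
        """True if another client already holds ports of this set on the same address."""
        return any(addr == ipv4 and holder != client_id and psids_overlap(k, p, psid_len, psid)
                   for (addr, k, p), holder in self.active.items())

    def allocate(self, ipv4, psid_len, psid, client_id):
        if self.conflicts(ipv4, psid_len, psid, client_id):
            raise LeaseConflict(f"{ipv4} PSID {psid:0{psid_len}b}/{psid_len} overlaps an active lease")
        self.active[(ipv4, psid_len, psid)] = client_id
        return encode_portparams(self.OFFSET, psid_len, psid)   # option payload for the client


if __name__ == "__main__":
    leases = SharedV4Leases()
    print(leases.allocate("192.0.2.1", 4, 0b0101, "client-a").hex())
    print(port_set(6, 4, 0b0101)[:3], "...", len(port_set(6, 4, 0b0101)), "ranges")
    print("conflict:", leases.conflicts("192.0.2.1", 5, 0b01010, "client-b"))
```

The overlap check is the part that is easy to get wrong in a server: with PSIDs of equal length, distinct values never collide, but a server that hands out mixed PSID lengths on one address (for example to give some customers more ports) must treat a shorter PSID as covering every longer PSID that extends it.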
DHCP Privacy Considerations
• presentation of the problem statement and initial discussion:
• DHCP is susceptible to surveillance
• DHCP can be used to track users and devices
• users' mobility patterns may be revealed
• users' personal information may be revealed

draft-kkb-mpvd-dhcp-support
Support for multiple provisioning domains in DHCPv6
• nodes can be attached to multiple networks
  • each network might run a DHCPv6 service
  • provisioning data from different networks might be in conflict
• the proposed solution sends the identity of a provisioning domain inside a DHCPv6 option
  • it encapsulates the options that contain the configuration information
  • it encapsulates any accompanying authentication/authorization information

IPv6/IPv4-sunset
new RFCs published since last IETF (IPv6)
• RFC 7157: IPv6 Multihoming without Network Address Translation (Informational)
• RFC 7217: A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC) (Standards Track)
• RFC 7219: SEcure Neighbor Discovery (SEND) Source Address Validation Improvement (SAVI) (Standards Track)
• RFC 7225: Discovering NAT64 IPv6 Prefixes Using the Port Control Protocol (PCP) (Standards Track)
• RFC 7269: NAT64 Deployment Options and Experience (Informational)

draft-ietf-sunset4-noipv4-00
• Turning off IPv4 Using DHCPv6 or Router Advertisements
• how to tell a client "there is no IPv4 in this network anymore"
  • stops useless traffic (DHCPv4 broadcasts)
  • saves power on mobile nodes
• DHCPv6 option and/or IPv6 Router Advertisement option

draft-liu-v6ops-running-multiple-prefixes
• Operational Considerations & Problems of Running Multiple IPv6 Prefixes
• network management tools
• multiple provisioning domains
• ND cache of layer 2 switches
• "exit router" selection

draft-kitamura-ipv6-zoneid-free
• Free from Using Zone Identifier for IPv6 Link-Local
• link-local (unicast) communication without the need for zone IDs
  • the IPv6 stack can use some heuristics to find the interface/zone ID
• goal:
  % ssh fe80::226:b0ff:fed6:a4e0
  instead of
  % ssh fe80::226:b0ff:fed6:a4e0%en0

ULA experience at JANOG 34
• Japan Network Operators' Group (JANOG) meeting
  • ULA (IPv6) + GUA (IPv6) + IPv4 segment
    • ULAs not used except in ND and mDNS traffic
  • ULA (IPv6 via SLAAC and DHCPv6) + NAT64/DNS64
    • most applications work
  • ULA (IPv6 via SLAAC and DHCPv6) + NAT66 (stateless)
    • most applications work

upcoming Men & Mice events
• 23 Aug 2014: FrOSCon lecture (German) "DANEn lügen nicht -- SSL/TLS Zertifikate mit DNSSEC absichern" ("DANEs don't lie: securing SSL/TLS certificates with DNSSEC"); http://programm.froscon.de/2014/events/1407.html
• Men & Mice webinar "DNSSEC & DANE - E-Mail security reloaded", Wed, Sep 3, 2014, 4:00 PM - 5:00 PM GMT; http://www.menandmice.com/resources/educational-resources/webinars/dnssec-and-dane-e-mail-security-reloaded/
• Tutorial @ GUUG (German) "Transportverschlüsselung - jetzt aber mal richtig" ("Transport encryption, done properly this time"), Wednesday, Sep 24, 2014, 10:00-18:00; http://www.guug.de/veranstaltungen/ffg2014/abstracts.html

Q/A
• Slides, links, recording and errata will be posted at
  https://www.menandmice.com/resources/educational-resources/webinars/