IETF 90 Report – DNS, DHCP, IPv6 and DANE

©!Men!&!Mice!!http://menandmice,com!

IETF!90!Review

6th!August!2014

1

http://www.menandmice.com



IETF

•The!Internet!Engineering!Task!Force!(IETF)!is!a!large!open!international!community!of!network!designers,!operators,!vendors,!and!researchers!concerned!with!the!evolution!of!the!Internet!architecture!and!the!smooth!operation!of!the!Internet.!It!is!open!to!any!interested!individual.!The!IETF!Mission!Statement!is!documented!in!RFC!3935.

•http://www.ietf.org/about/

2



http://www.ietf.org/glossary.html#IETF

http://www.ietf.org/glossary.html#IETF

http://www.ietf.org/rfc/rfc3935.txt

http://www.ietf.org/rfc/rfc3935.txt

http://www.ietf.org/about/

http://www.ietf.org/about/


Agenda

• IETF!90!in!Toronto!

• DNS

• DNSSEC!/!DANE!(review!moved!to!September!Webinar)

• DHCP

• IPv6

• the!following!information!is!an!excerpt!of!the!IETF!working!group!activities

• for!a!full!overview!of!all!activities!at!IETF!90,!see!https://datatracker.ietf.org/meeting/90/materials.html

3



https://datatracker.ietf.org/meeting/89/materials.html

https://datatracker.ietf.org/meeting/89/materials.html


Generic!IETF!news/RFCs

• RFC!7282!“On!Consensus!and!Humming!in!the!IETF”!(Informal)

• Chapters:

• Lack!of!disagreement!is!more!important!than!agreement

• Rough!consensus!is!achieved!when!all!issues!are!addressed,!but!not!necessarily!accommodated!

• Humming!should!be!the!start!of!a!conversation,!not!the!end

• Consensus!is!the!path,!not!the!destination!

• One!hundred!people!for!and!five!people!against!might!not!be!rough!consensus!

• Five!people!for!and!one!hundred!people!against!might!still!be!rough!consensus

4




Generic!IETF!news/RFCs

•RFC!7258!“Pervasive!Monitoring!Is!an!Attack”!(BCP)

•“Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.”

5




DNS

6




new!RFCs!published!since!last!IETF

RFC Title Category

7208Sender Policy Framework (SPF) for Authorizing Use of

Domains in Email, Version 1Standards Track

7218Adding Acronyms to Simplify Conversations about

DNS-Based Authentication of Named Entities (DANE)Standards Track

7314 Extension Mechanisms for DNS (EDNS) EXPIRE Option Experimental

7




DNSOPs!charter!update

•the!IETF!DNSOPS!working-group!has!updated!its!charter

• it!is!now!possible!to!“tweak”!the!existing!DNS!protocols!(now!that!DNSEXT!--!DNS!extensions!--!has!been!shut!down)

•but!no!work!on!completely!new!DNS!protocols

8




draft-ietf-dnsop-dnssec-key-timing

ñDNSSEC Key Rollover Timing Considerations

•new!version!04

•Updated!diagrams!and!text!to!better!reflect!key!states!and!key!lifetimes

•new!WGLC

9




draft-ietf-dnsop-resolver-priming

ñInitializing a DNS Resolver with Priming Queries

•queries!a!DNS!resolver!sends!to!fill!it’s!cache!with!the!required!information!about!the!root-zone!(NS!records!and!address!records)

•document!has!open!issues

10




draft-wkumari-dnsop-dist-root

ñSecurely Distributing the DNS Root

•give!every!DNS!resolver!a!copy!of!the!root!zone

•benefits:

• less!(junk)!queries!to!the!real!DNS!root!servers

• DNS!resolver!can!operate!even!if!the!DNS!root!server!system!is!under!DDoS!attack

• privacy!--!less!information!leaking

11




draft-wkumari-dnsop-dist-root

ñ Securely Distributing the DNS Root

• give!every!DNS!resolver!a!copy!of!the!root!zone

• possible!issues:

• more!complex!DNS!resolver!software

• no!central!monitoring!at!the!root-servers

• root!zone!changes!would!propagate!slowly

• change!of!nature!of!traffic!hitting!the!Internet!root!server!(only!“bad”!resolvers)

12




draft-lee-dnsop-scalingroot

ñHow to scale the DNS root system?

•restriction!for!13!DNS!root!name!servers!came!from!IPv4!UDP!“don’t!fragment”!requirement!(512!byte!max!payload)

•this!restriction!is!not!relevant!anymore!(IPv6,!modern!IPv4!environment,!Ethernet!everywhere![1500!MTU])

•now,!up!to!20!DNS!root!servers!are!possible

• but!where!to!place!the!7!new!ones?

13




Optimizing!DNS!Authority!Server!Placement

•discusses!a!way!to!calculate!the!optimal!placement!for!authoritative!DNS!server!based!on!

•processing!capacity!(queries!per!seconds)

• latency!(round!trip!time!of!queries!from!client)

•deployment!costs

14





15





16




draft-mekking-dnsop-kasp

ñKey and Signing Policy

•common!data!format!(YANG)!to!describe!a!DNSSEC!key-!and!signing!policy

• Signature!validity!period,!NSEC!or!NSEC3,!Key!sizes!and!algorithms,!signing!scheme,!etc...

•makes!it!possible!to!import/export!the!DNSSEC!policy!between!products

17




draft-howard-dnsop-ip6rdns

ñ Reverse DNS in IPv6 for Internet Service Providers

• service!provider!cannot!pre-populate!all!IPv6!PTR!records!for!a!customer!(as!is!sometimes!done!for!IPv4)

• “38!trillion!year!to!populate!a!/64!for!one!customer”

• draft!discusses!alternatives:

• No!Response

• Wildcard!match

• Dynamic!DNS

• Delegate!DNS!to!customer

• Dynamically!Generate!PTR!When!Queried!("On!the!Fly")

18




draft-jabley-multicast-ptr

ñDNS Reverse Mapping for Multicast Addresses

•how!to!name!“well!known”!multicast!addresses!to!DNS!names

• fix!IPv4!naming

• provide!IPv6!naming

19




draft-jabley-multicast-ptr

• IPv4!multicast!reverse!today:

% dig -x 224.0.1.1 +noall +answer

; <<>> DiG 9.10.0-P1 <<>> -x 224.0.1.1 +noall +answer;; global options: +cmd1.1.0.224.in-addr.arpa. 28787 IN PTR ntp.mcast.net.

• use!of!MCAST.ARPA!instead!of!MCAST.NET

• IPv6!multicast!scope!mapped!via!DNS!name!hierarchy

• ff05::fb!-->!MDNSV6.SITE-LOCAL.MCAST6.ARPA.

• ff01::fb!-->!MDNSV6.LINK-LOCAL.MCAST6.ARPA.

20




DHCP

21




new!RFCs!published!since!last!IETF

RFC Title Category

7227 Guidelines for Creating New DHCPv6 Options BCP

7283 Handling Unknown DHCPv6 MessagesStandards

Track

7291 DHCP Options for the Port Control Protocol (PCP)Standards

Track

22




Secure!DHCPv6!with!Public!Keydraft-ietf-dhc-sedhcpv6-03

•Authentication!of!DHCPv6!server!towards!the!client

•PKI!or!pre-configured!trust!anchor

•two!public!key!based!mechanisms!with!different!security!strengths

• strong:!only!signed!certificate!or!pre-shared!key!accepted

• leap-of-faith:!un-authenticated!key!exchange!of!first!contact

23




Dynamic!Allocation!of!Shared!IPv4!Addressesdraft-ietf-dhc-dynamic-shared-v4allocation

•allocate!the!same!IPv4!address(es)!to!multiple!clients

• in!DHCP4over6!scenario

•the!client!transmits!“OPTION_V4_PORTPARAMS”!(port!set!ID!to!be!used)

• combined!tuple!of!IPv4!address!and!Port!Set!ID!MUST!be!unique!for!each!active!lease

24




DHCP!Privacy!Considerations

•presentation!of!problem!statement!and!initial!discussion:

•DHCP!is!susceptible!to!surveillance

•DHCP!can!be!used!to!track!users!and!devices

•Users’!mobility!patterns!may!be!revealed

•Users’!personal!information!may!be!revealed

25




Support!for!multiple!provisioning!domains!in!DHCPv6draft-kkb-mpvd-dhcp-support

•notes!can!be!attached!to!multiple!networks

• each!network!might!run!a!DHCPv6!service

• provisioning!data!from!different!networks!might!be!in!conflict

•proposed!solution!sends!the!identity!of!an!provisioning!domain!inside!a!DHCPv6!option

• encapsulates!the!options!that!contain!the!configuration!information

• encapsulates!any!accompanying!authentication/authorization!!!information

26




IPv6/IPv4-sunset

27




published!new!RFCs!since!last!IETF

RFC Title Category

7157 IPv6 Multihoming without Network Address Translation Informal

7217 A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)

Standards Track

7219 SEcure Neighbor Discovery (SEND) Source Address Validation Improvement (SAVI)

Standards Track

7225 Discovering NAT64 IPv6 Prefixes Using the Port Control Protocol (PCP)

Standards Track

7269 NAT64 Deployment Options and Experience Informational

28




draft-ietf-sunset4-noipv4-00

•Turning off IPv4 Using DHCPv6 or Router Advertisements

•How!to!tell!a!client!“there!is!no!IPv4!no!more!in!this!network”

• stop!useless!traffic!(DHCPv4!broadcasts)

• Power!Consumption!in!mobile!nodes

•DHCPv6!option!and/or!IPv6!Router-Advertisement!option

29




draft-liu-v6ops-running-multiple-prefixes

•Operational Considerations & Problems of Running Multiple IPv6 Prefixes

•Network!Management!Tools

•multiple!provisioning!domains

•ND!cache!of!Layer!2!switches

•“exit!router”!selection

30




draft-kitamura-ipv6-zoneid-free

•Free from Using Zone Identifier for IPv6 Link-Local

•link-local!(unicast)!communication!without!the!need!to!zone-ids

• the!IPv6!stack!can!use!some!heuristics!to!find!the!interface/zone-id

• Goal:

% ssh fe80::226:b0ff:fed6:a4e0instead!of% ssh fe80::226:b0ff:fed6:a4e0%en0

31




ULA!experience!at!JANOG!34!

•Japan!Network!Operators!Group!(JANOG)!meeting

• ULA!(IPv6)!+!GUA!(IPv6)!+!IPv4!segment

• ULAs!not!used!except!in!ND!and!mDNS!traffic

• ULA!(IPv6!via!SLAAC!and!DHCPv6)!+!NAT64/DNS64

• most!applications!work

• ULA!(IPv6!via!SLAAC!and!DHCPv6)!+!NAT66!(stateless)

• most!applications!work

32




upcoming!Men!&!Mice!events

• 23.!Aug!2014!-!FrOSCon!lecture!(German):!DANEn!lügen!nicht!--!SSL/TLS!Zertifikate!mit!DNSSEC!absichern;!http://programm.froscon.de/2014/events/1407.html

• Men!&!Mice!WebinarDNSSEC!&!DANE!-!E-Mail!security!reloadedWed,!Sep!3,!2014!4:00!PM!-!5:00!PM!GMThttp://www.menandmice.com/resources/educational-resources/webinars/dnssec-and-dane-e-mail-security-reloaded/

• Tutorial!@!GuuG!“Transportverschlüsselung!-!jetzt!aber!mal!richtig”!(German),!Wednesday,!Sep!24,!2014!10:00-18:00,!http://www.guug.de/veranstaltungen/ffg2014/abstracts.html

33



http://programm.froscon.de/2014/events/1407.html

http://programm.froscon.de/2014/events/1407.html

http://www.menandmice.com/resources/educational-resources/webinars/dnssec-and-dane-e-mail-security-reloaded/




http://www.guug.de/veranstaltungen/ffg2014/abstracts.html

http://www.guug.de/veranstaltungen/ffg2014/abstracts.html


Q/A

?Slides,!Links,!Recording!and!errata!will!be!posted!@

https://www.menandmice.com/resources/educational-resources/webinars/

34



Technology

IETF 90 Report – DNS, DHCP, IPv6 and DANE