This document discusses the challenges with adoption of IPv6 and DNSSEC. It proposes that new business models and technologies could help drive adoption, such as a pilot project providing low-cost mobile broadband using IPv6, and a Dutch pilot allowing universities to outsource DNS management through a portal that integrates DNSSEC support. Overall, IPv6 and DNSSEC need to be tied to new services and capabilities to encourage adoption, rather than just addressing security and infrastructure issues, and funding/early adopter programs will be important to promote deployment.
IPv6 and DNSSEC adoption through new business models and services
1. Dead Men Walking: IPv6 and DNSSEC
Bill.St.Arnaud@gmail.com
ION - Toronto
November 14, 2011
2. The IPv6 Challenge
• Despite considerable publicity and predictions of IPv4 address Armageddon, adoption of IPv6 is anemic
• Although IPv6 is deployed on many networks, take up by end users/devices is slow
• Carrier grade NAT seems to be the default path for IPv4 exhaustion
– Routing vendors like it because they can sell more complex and expensive gear
– Carriers like it because they can lock in their customers
• If after 10 years we still can’t make IPv6 fly, then maybe it's time to rethink our strategy, especially for those of us who believe in the original Internet vision. Two approaches:
– New business models for market adoption
– New technology
3. New Market Adoption IPv6 SURFnet-KPN pilot
• Most future internet access will be mobile devices like iPad and iPhone
• SURFnet-KPN pilot will be world’s first enterprise centric integrated LTE-mobile network - extremely low data prices
• SURFnet “leasing /8” to KPN in exchange for pilot on national wireless mobile broadband for universities and students
• SURFmobile will be LTE with IPv6 only with integrated campus Wifi at universities, coffee shops, trains, etc
• Will use IPv6 Eduroam to allow free international roaming
• Other pilots under development in UK, US, Australia, etc. Canada??
• http://www.blogger.com/blogger.g?blogID=8586756976616257717#editor/target=post;postID=2782224431972329057
4. IPv6 alternative?
• Most Internet traffic is not end-to-end
– 45-90% of traffic terminates at CDN or cloud
– Major implication in terms for IPv4/IPv6 destination based routing and addressing
• Numeric addressing is an anachronism imposed by limitations of forwarding engine on routers
• Possible IPv6 alternatives:
– Named Data Networking (NDN) – Van Jacobson
– Delay Tolerant Networking (DTN) – Vint Cerf - late binding of DNS + XML
– XML routing and addressing (W3C)
• http://billstarnaud.blogspot.com/2011/11/named-data-networking-how-lte-networks.html
5. DNSSEC – the next IPv6?
• Again, to us techies, there seems to be a clear and compelling need for DNSSEC
• Already several events of DNS cache poisoning in Brazil and elsewhere
• Is signing and delegating the root sufficient?
• Do we just sit back and wait for ISPs and users to adopt?
• Or do we try to be more proactive with new business models that make life easier for end users and institutions?
6. Netherlands pilot to deploy DNSSEC at universities
• Many universities in Netherlands starting to outsource DNS management
• SURFdomeinen is a web-based portal that allows DNS operators of connected institutions to:
– register or migrate domain names in the following top-level domains (TLDs): .nl, .com, .net, .org, .info and .eu;
– manage contact details for contacts associated with registered domains;
– create secondary DNS configurations on SURFnet name servers for their domains;
– manage complete DNS zones that are then served out by SURFnet name servers.
– DNSSEC support has been integrated into the managed DNS functionality.
• Does not yet deliver a full end-user service due to restrictions imposed by the fact that SIDN does not yet have a process for automated submission of secure delegations (DS) for the .nl zone.
• https://dnssec.surfnet.nl/wp-content/uploads/2011/01/D1c-DNSSEC-in-SURFdomeinen-end-report-v1.0.pdf
7. Conclusions
• IPv6 and DNSSEC is hard and costly
• On its own provides NO new benefits, only protection from possible real and hypothetical negative externalities
• To promote success need to link these technologies to services that enable new capabilities e.g.
– Low cost broadband mobile wireless
– Out sourcing DNS management
• Need funding program and early adopters such as universities and R&E networks to promote adoption
– A sitting back and hope strategy will not work