RIPE 71 and IETF 94 reports webinar

© Men & Mice http://menandmice.com
IETF 94 Review
 
10th December 2015
1
IETF 94 Yokohama
November 1-6, 2015

before we start
… please note: Windows DNS security issue
December 8, 2015
MS15-127: Security update for Microsoft
Windows DNS to address remote code execution:
https://support.microsoft.com/en-us/kb/3100465
2

Agenda
DNS, DNSSEC, DANE, IPv6
IETF 94 in Yokohama
RIPE 71 in Bucharest
the following information is an excerpt of the IETF
working group activities
for a full overview of all activities at IETF 94, see  
https://datatracker.ietf.org/meeting/94/materials.html
3

DNS
4

new DNS related RFCs  
published since last IETF
5
RFC Title Category
7720
DNS Root Name Service Protocol and Deployment
Requirements
BCP
7712
Domain Name Associations (DNA) in the Extensible
Messaging and Presence Protocol (XMPP)
Proposed
Standard
7706
Decreasing Access Time to Root Servers by Running One
on Loopback
Informational
7686 The ".onion" Special-Use Domain Name
Proposed
Standard
7673
Using DNS-Based Authentication of Named Entities
(DANE) TLSA Records with SRV Records
Proposed
Standard

new DNS related RFCs  
published since last IETF
6
RFC Title Category
7672
SMTP Security via Opportunistic DNS-Based
Authentication of Named Entities (DANE) Transport Layer
Security (TLS)
Proposed
Standard
7671
The DNS-Based Authentication of Named Entities (DANE)
Protocol: Updates and Operational Guidance
Proposed
Standard
7646 Definition and Use of DNSSEC Negative Trust Anchors Informational
7626 DNS Privacy Considerations Informational

DNS Record Type for SMIMEA
SMIMEA-Records now have a dedicated DNS record
type (Type 53)
!
SMIMEA - store x509 Certificate information for  
S/MIME in DNSSEC secured DNS
7

draft-jabley-dnsop-ordered-answers
do resource records in a DNS section have an order
some WinDNS expects OPT as first record(?)
TSIG/SIG(0) need order
some DNS resolver need Data-Records and RRSIG
to be in order (first data, then RRSIG)
document was rejected by the working group, but
interesting discussion
8

draft-ogud-dnsop-maintain-ds
Paul Wouters 
presented a new  
draft on how the 
management of DS- 
Records can be auto- 
mated
•how to publish the initial DS-record
•how to remove an existing DS-record
9

draft-wessels-edns-key-tag
Goal: measure RFC 5011 Root-KSK- 
Rollover trust-anchor updates
DNS resolver send KSK- 
Trust-Anchor-Keytags to  
authoritative server
•only for QTYPE=DNSKEY, SHOULD for configured trust
anchors
•DNS forwarding is tricky (can be different trust anchors)
•privacy/security considerations
10

DNAME in the Root?/
NXDOMAIN = NXDOMAIN
DNAME in the Root?
• ".local" is 2nd or 3rd popular TLD
• redirect ".local" with DNAME to AS112 
 
NXDOMAIN means NXDOMAIN
• DNS resolver should stop domain search when encountering a
NXDOMAIN in the cache tree
• helps with QNAME minimisation and with some random
qname attack
• breaks Split-Horizon setups
11

IPv6
12

published new RFCs since last IETF
13
RFC Title Category
RFC 7610 DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers BCP
RFC 7653 DHCPv6 Active Leasequery
Proposed
Standard
RFC 7668 IPv6 over BLUETOOTH(R) Low Energy
Proposed
Standard
RFC 7676 IPv6 Support for Generic Routing Encapsulation (GRE)
Proposed
Standard

draft-jjmb-v6ops-unique-ipv6-prefix-
per-host
•ComCast public WIFI trial
• /64 Prefix for each WIFI access device
• solves DAD, isolation between devices
14

draft-ietf-v6ops-design-choices
•Enterprise IPv6  
networks are in scope of the document
• all options for enterprises today have issues
• long discussion on ULA and "NPT66" (Option 3 of
the "how to get IPv6 address space" section)
15

Temporal and Spatial Classification of
Active IPv6 Addresses
• IPv6 operational study by Akamai
•classifies IPv6 addresses seen by their
CDN network
•temporal - how long are IPv6 addresses/
prefixes used
•spatial - location of IPv6 addresses
• almost no EUI48 Host-Identifier (good)
• > 90 % IPv6 are privacy addresses
• maps the IPv6 address space in use
16

RIPE 71
17

Impact of DNS over TCP 
a Resolver Point of View
•study made with an medium  
size ISP (200-400 qps)
•TCP timeout management 
is important
•message sizes due to  
DNSSEC no problem, most  
DNSSEC answers are below Ethernet MTU < 1500 byte
• connection reuse only beneficial for certain servers
(DNS resolver for a mail server)
18
https://ripe71.ripe.net/archives/video/1209/

Preparing the Root-Zone KSK Roll
•Root-KSK roll with  
use RFC 5011  
protocol
•KSK roll will probably  
take 6-9 month in total
•KSK rollover plan not 
yet final
• announce mailing list 
https://mm.icann.org/mailman/listinfo/root-dnssec-announce
19

DNSSEC for legacy applications
•getdns nsswitch module to  
replace default OS stub resolver
• works on nsswitch enabled 
applications, but not with  
Chrome and related browsers 
(or application with an internal 
DNS resolver)
• configuration web-ui
• supports caching and DNS  
over TLS
• checks process name,  
rewrites answer in case a known web browser is detected
• only proof of concept, not production code
• SIDN is working on a similar signalling with Unbound
20

Implementation Challenges of
Geographic Split-Horizon
•overview of DNS-GeoIP  
implementations available in 
open source DNS servers today
•APIs and Databases
•Motivation: GeoIP in Knot-DNS
•discusses EDNS Client ID Subnet option
• available in PowerDNS
• will be in Knot-DNS
• Remark from Vicky Risk (ISC): Client ID Subnet will be in BIND 9.11
21

Turris Router / Turris Omnia
• open source router software and
hardware
• motivation: probe for security research
• automatic quick updates
• check outgoing traffic - find IoT devices
that "talk home"
• can run honeypots (telnet and ssh),
tunneled to central servers
• attacker similarity analysis
• container virtualisation for own
application (e.g. OwnCloud, Mailserver
…)
• based on OpenWRT Linux
• https://www.turris.cz
22

Turris Router / Turris Omnia
•Turris Omnia - Indiegogo
Crowdfounded Turris Router for
everyone
• powerful home router with VLAN
support
• Fiber support on WAN port
• Hardware RNG
• programmable LEDs
• runs Knot-Resolver for DNSSEC
validation
•https://www.indiegogo.com/projects/
turris-omnia-hi-performance-open-source-
router#/
23

A Measurement of SMTP over TLS
•Measurement of TLS
use between mail
servers
•motivated by DANE
•"there’s no secure e-
mail without DNSSEC"
24

Automatic Certificate Issuance
•Let's encrypt - CA
• ACME Protocol - can be used
with any CA
• Internet Draft  
"draft-ietf-acme-acme"
•Alternative ACME clients
•BASH Shell Script: 
https://github.com/lukas2511/letsencrypt.sh
•Tiny (200 Lines) Python Script: 
https://github.com/diafygi/acme-tiny
•Let's encrypt statistics 
https://letsencrypt.org/stats/
25

Todays mobile internet
•Mobile devices are 40% of the
Internet hosts
•Desktop/Laptop devices are on
the decline
• Mobile world is build on NAT
and CGN, a different Internet as
we know it
• no End-to-End
• Dual-Stack costs double in
Mobile
• IPv6 in the mobile device market
26

IPv6 Performance
•another online ad measurement
• TCPv6 reliability
• IPv6 vs IPv4 performance
• comparison 2011 vs 2015
• 2011 - 40% IPv6 failure rate - tunnels
• 2015 - 4.1% IPv6 failure rate - still 6to4
• 2015 - 2% failure without tunnel
• IPv6 failure still not good
• 48% of connections IPv6 is faster
(unicast)
• 52% of connections IPv4 is faster
(unicast)
27

A look under the Hood at
Devices, Networks and IPv6
•another APNIC Advertisement-
Network-measurement story
• AD network measurements
switch from Flash to HTML5 (Sep
11 2015)
• since then, more mobile devices
in the data set
• 464XLAT = Android and iOS (no
XLAT464) 
(comparison of different provider)
• 25% of devices in the US are
IPv6 capable
28

don't miss our next webinar
•"DNSTap", Wednesday,December 16th, 2015
•Time: 4:00 CET/ 3:00 GMT / 10 EDT / 7 PDT
•DNSTAP- have a deep look into DNS server operations (featuring Unbound and Knot-
DNS).
•Administrators want to know about the queries their DNS server is working on, and
about the responses sent back to clients. Using traditional logging (to file or syslog) is
resource intensive and can slow down the whole DNS server.
•DNSTAP is a new open technology, reading DNS server state events directly from the
core of the DNS server, and making sure that performance loss is minimal while
instrumentation is enabled.
•The webinar will show DNSTAP implementation in Knot-DNS and Unbound,together with
available tools to analyze the DNSTAP datastream. 
 
Signup @  
https://www.menandmice.com/resources/educational-resources/webinars/
29

Q/A
30
?
2015 Schedule, Slides, Links, Recording and errata
can be found @ 
https://www.menandmice.com/resources/educational-resources/webinars/

RIPE 71 and IETF 94 reports webinar

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to RIPE 71 and IETF 94 reports webinar

Similar to RIPE 71 and IETF 94 reports webinar (20)

More from Men and Mice

More from Men and Mice (12)

Recently uploaded

Recently uploaded (20)

RIPE 71 and IETF 94 reports webinar