RIPE 71 and IETF 94 reports webinar
© Men & Mice http://menandmice.com
IETF 94 Review
10th December 2015
IETF 94 Yokohama November 1-6, 2015
before we start
… please note: Windows DNS security issue
December 8, 2015
MS15-127: Security update for Microsoft Windows DNS to address remote code execution: https://support.microsoft.com/en-us/kb/3100465
Agenda: DNS, DNSSEC, DANE, IPv6
IETF 94 in Yokohama
RIPE 71 in Bucharest
the following information is an excerpt of the IETF working group activities
for a full overview of all activities at IETF 94, see https://datatracker.ietf.org/meeting/94/materials.html
DNS
new DNS related RFCs published since last IETF
RFC 7720 - DNS Root Name Service Protocol and Deployment Requirements (BCP)
RFC 7712 - Domain Name Associations (DNA) in the Extensible Messaging and Presence Protocol (XMPP) (Proposed Standard)
RFC 7706 - Decreasing Access Time to Root Servers by Running One on Loopback (Informational)
RFC 7686 - The ".onion" Special-Use Domain Name (Proposed Standard)
RFC 7673 - Using DNS-Based Authentication of Named Entities (DANE) TLSA Records with SRV Records (Proposed Standard)
new DNS related RFCs published since last IETF (continued)
RFC 7672 - SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) (Proposed Standard)
RFC 7671 - The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance (Proposed Standard)
RFC 7646 - Definition and Use of DNSSEC Negative Trust Anchors (Informational)
RFC 7626 - DNS Privacy Considerations (Informational)
DNS Record Type for SMIMEA
SMIMEA records now have a dedicated DNS record type (type 53)
SMIMEA - store X.509 certificate information for S/MIME in DNSSEC-secured DNS
draft-jabley-dnsop-ordered-answers
• do resource records in a DNS message section have an order?
• some Windows DNS implementations expect OPT as the first record (?)
• TSIG/SIG(0) depend on record order
• some DNS resolvers need data records and RRSIGs to be in order (data first, then RRSIG)
• the document was rejected by the working group, but it prompted an interesting discussion
draft-ogud-dnsop-maintain-ds
Paul Wouters presented a new draft on how the management of DS records can be automated
• how to publish the initial DS record
• how to remove an existing DS record
draft-wessels-edns-key-tag
Goal: measure RFC 5011 trust-anchor updates during the Root KSK rollover
DNS resolvers send the key tags of their KSK trust anchors to the authoritative server
• only for QTYPE=DNSKEY; SHOULD be sent for configured trust anchors
• DNS forwarding is tricky (forwarder and resolver can have different trust anchors)
• privacy/security considerations
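To make the draft's mechanism concrete, here is an added example that is not part of the slides or of the draft's own code: it computes the DNSKEY key tag as RFC 4034 Appendix B specifies, packs a list of key tags into an EDNS option, parses it back the way an authoritative server collecting the signal would, and attaches the option only to QTYPE=DNSKEY queries as the draft requires. The option code 14 is the value later registered for edns-key-tag in RFC 8145; it was not yet assigned at the time of this talk. The DNSKEY RDATA is a constructed sample, not a real key.

```python
import struct

DNSKEY_QTYPE = 48
# EDNS option code for edns-key-tag. Not yet assigned when this draft was
# presented; RFC 8145 later registered 14. Kept as a named constant.
EDNS_KEY_TAG_OPTION_CODE = 14


def dnskey_key_tag(rdata: bytes) -> int:
    """Key tag over wire-format DNSKEY RDATA (RFC 4034 Appendix B):
    flags (2 octets), protocol (1), algorithm (1), public key."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += (octet << 8) if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def encode_key_tag_option(key_tags) -> bytes:
    """One EDNS option: OPTION-CODE, OPTION-LENGTH, then 16-bit key tags."""
    payload = b"".join(struct.pack("!H", tag) for tag in key_tags)
    return struct.pack("!HH", EDNS_KEY_TAG_OPTION_CODE, len(payload)) + payload


def decode_key_tag_option(option: bytes) -> list:
    """Inverse of encode_key_tag_option; rejects other option codes and
    odd lengths, which is what a collecting server should check."""
    code, length = struct.unpack("!HH", option[:4])
    if code != EDNS_KEY_TAG_OPTION_CODE:
        raise ValueError("not an edns-key-tag option")
    body = option[4:4 + length]
    if len(body) != length or length % 2:
        raise ValueError("malformed edns-key-tag option")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def options_for_query(qtype: int, trust_anchor_rdatas) -> list:
    """Apply the draft's rule: attach the option only to QTYPE=DNSKEY queries,
    carrying the key tags of the resolver's configured trust anchors."""
    if qtype != DNSKEY_QTYPE or not trust_anchor_rdatas:
        return []
    tags = [dnskey_key_tag(rdata) for rdata in trust_anchor_rdatas]
    return [encode_key_tag_option(tags)]


# Constructed sample DNSKEY RDATA (flags 257 = KSK, protocol 3, algorithm 8)
# with a four-octet dummy public key; not a real key.
SAMPLE_KSK_RDATA = struct.pack("!HBB", 257, 3, 8) + b"\x01\x02\x03\x04"

if __name__ == "__main__":
    print(dnskey_key_tag(SAMPLE_KSK_RDATA))  # 2063
    print(options_for_query(DNSKEY_QTYPE, [SAMPLE_KSK_RDATA]))
```

The forwarding caveat from the slide is visible in the design: the tags describe the trust anchors of whichever resolver builds the query, so a forwarder that passes the option through unchanged would misreport the anchors actually in use behind it.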
DNAME in the Root? / NXDOMAIN = NXDOMAIN
DNAME in the Root?
• ".local" is the 2nd or 3rd most popular TLD
• redirect ".local" with a DNAME to AS112
NXDOMAIN means NXDOMAIN
• a DNS resolver should stop searching below a name when it already has an NXDOMAIN for that name in its cache tree
• helps with QNAME minimisation and with some random-qname attacks
• breaks split-horizon setups
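An added example, not from the slides, of the "NXDOMAIN means NXDOMAIN" behaviour: a toy negative cache that answers any query below a cached NXDOMAIN without asking upstream, which is why it blunts random-qname floods, plus a small constructed split-horizon scenario showing the drawback the slide lists. Names and upstream answers are constructed for the demonstration.

```python
class NegativeCache:
    """Toy resolver cache that remembers only NXDOMAIN answers, keyed by
    the name that was reported non-existent (an 'NXDOMAIN cut')."""

    def __init__(self):
        self._nxdomain = set()

    @staticmethod
    def _labels(name):
        return [label for label in name.lower().rstrip(".").split(".") if label]

    def record_nxdomain(self, name):
        self._nxdomain.add(".".join(self._labels(name)))

    def covering_nxdomain(self, qname):
        """Return the closest cached NXDOMAIN name that is qname itself or
        one of its ancestors, or None if the cache tree has no such cut."""
        labels = self._labels(qname)
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._nxdomain:
                return candidate
        return None


def resolve(cache, qname, upstream):
    """Resolve qname, consulting the NXDOMAIN cache tree first.
    upstream(qname) returns 'NXDOMAIN' or 'NOERROR'.
    Returns (rcode, source) where source is 'cache:<name>' or 'upstream'."""
    cut = cache.covering_nxdomain(qname)
    if cut is not None:
        return "NXDOMAIN", "cache:" + cut
    rcode = upstream(qname)
    if rcode == "NXDOMAIN":
        cache.record_nxdomain(qname)
    return rcode, "upstream"


def run_scenario(queries, upstream_answers):
    """Run queries in order against a fresh cache. upstream_answers maps a
    qname (no trailing dot) to its rcode; unknown names answer NXDOMAIN.
    Returns the list of (rcode, source) and the list of names that actually
    reached the upstream server."""
    cache = NegativeCache()
    sent = []

    def upstream(qname):
        key = ".".join(NegativeCache._labels(qname))
        sent.append(key)
        return upstream_answers.get(key, "NXDOMAIN")

    return [resolve(cache, q, upstream) for q in queries], sent


# Constructed data: a burst of random labels below a non-existent name.
# Only the first query goes upstream; the rest are answered from the cut.
FLOOD = ["gone.example.", "x1.gone.example.", "x2.gone.example.", "a.b.gone.example."]

# Constructed split-horizon case: the public view has no "corp.example", but
# an internal zone would answer "intranet.corp.example". Once the public
# NXDOMAIN for corp.example is cached, the internal name is never asked for.
SPLIT = ["corp.example.", "intranet.corp.example."]
SPLIT_UPSTREAM = {"intranet.corp.example": "NOERROR"}

if __name__ == "__main__":
    print(run_scenario(FLOOD, {}))
    print(run_scenario(SPLIT, SPLIT_UPSTREAM))
```

In a real resolver the cut would only be honoured while the cached NXDOMAIN is DNSSEC-validated or within its negative TTL; the toy cache above skips both to keep the tree logic visible.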
IPv6
published new RFCs since last IETF
RFC 7610 - DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers (BCP)
RFC 7653 - DHCPv6 Active Leasequery (Proposed Standard)
RFC 7668 - IPv6 over BLUETOOTH(R) Low Energy (Proposed Standard)
RFC 7676 - IPv6 Support for Generic Routing Encapsulation (GRE) (Proposed Standard)
draft-jjmb-v6ops-unique-ipv6-prefix-per-host
• Comcast public Wi-Fi trial
• a /64 prefix for each Wi-Fi access device
• solves DAD (duplicate address detection) issues and isolates devices from each other
draft-ietf-v6ops-design-choices
• enterprise IPv6 networks are in scope of the document
• all options available to enterprises today have issues
• long discussion on ULA and "NPT66" (option 3 of the "how to get IPv6 address space" section)
Temporal and Spatial Classification of Active IPv6 Addresses
• IPv6 operational study by Akamai
• classifies the IPv6 addresses seen by their CDN network
• temporal: how long are IPv6 addresses/prefixes in use
• spatial: where are IPv6 addresses located
• almost no EUI-48 based host identifiers (good)
• > 90 % of IPv6 addresses are privacy addresses
• maps the IPv6 address space in use
RIPE 71
Impact of DNS over TCP - a Resolver Point of View
• study made with a medium-sized ISP (200-400 qps)
• TCP timeout management is important
• message sizes due to DNSSEC are no problem; most DNSSEC answers are below the Ethernet MTU of 1500 bytes
• connection reuse is only beneficial for certain servers (e.g. the DNS resolver of a mail server)
https://ripe71.ripe.net/archives/video/1209/
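As an added illustration of the "TCP timeout management" point (example code, not from the talk or from any of the named implementations): an RFC 1035 length-prefixed DNS-over-TCP reader that applies one deadline to the whole message, so a peer that sends half a length prefix or trickles the payload cannot tie up the connection slot. The query bytes are a constructed sample and the peer is simulated over a socketpair.

```python
import socket
import struct
import threading
import time


class DnsTcpTimeout(Exception):
    """Raised when a peer fails to deliver a complete message by the deadline."""


def _recv_exact(sock, n, deadline):
    """Read exactly n bytes or raise; the deadline is absolute (monotonic)."""
    buf = bytearray()
    while len(buf) < n:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise DnsTcpTimeout("peer stalled mid-message")
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(n - len(buf))
        except socket.timeout:
            raise DnsTcpTimeout("peer stalled mid-message") from None
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return bytes(buf)


def read_dns_tcp_message(sock, timeout=2.0):
    """Read one TCP-framed DNS message: 2-byte length prefix, then payload.
    A single deadline covers both parts, so the per-message wait is bounded
    regardless of how many small segments the peer splits it into."""
    deadline = time.monotonic() + timeout
    (length,) = struct.unpack("!H", _recv_exact(sock, 2, deadline))
    return _recv_exact(sock, length, deadline)


def write_dns_tcp_message(sock, payload):
    sock.sendall(struct.pack("!H", len(payload)) + payload)


# Constructed sample: a minimal query for example.com/IN/A (ID 0x1234, RD set).
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")


def exchange_in_chunks(payload=SAMPLE_QUERY, chunk_size=5, timeout=2.0):
    """Simulated peer dribbles the framed message in small segments;
    the reader must reassemble it within the deadline."""
    reader, writer = socket.socketpair()
    framed = struct.pack("!H", len(payload)) + payload

    def dribble():
        for i in range(0, len(framed), chunk_size):
            writer.sendall(framed[i:i + chunk_size])
            time.sleep(0.01)
        writer.close()

    worker = threading.Thread(target=dribble)
    worker.start()
    try:
        return read_dns_tcp_message(reader, timeout)
    finally:
        worker.join()
        reader.close()


def stalled_peer_is_detected(timeout=0.2):
    """Simulated peer sends one byte of the length prefix, then goes silent."""
    reader, writer = socket.socketpair()
    writer.sendall(b"\x00")
    try:
        read_dns_tcp_message(reader, timeout)
        return False
    except DnsTcpTimeout:
        return True
    finally:
        reader.close()
        writer.close()


if __name__ == "__main__":
    print(exchange_in_chunks() == SAMPLE_QUERY)
    print(stalled_peer_is_detected())
```

A server reusing connections, as the slide suggests for busy clients, would run the same reader in a loop and additionally cap the idle time between messages; the per-message deadline shown here is the piece that stops a slow or stalled peer from consuming a connection indefinitely.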
Preparing the Root-Zone KSK Roll
• the Root KSK roll will use the RFC 5011 protocol
• the KSK roll will probably take 6-9 months in total
• the KSK rollover plan is not yet final
• announce mailing list: https://mm.icann.org/mailman/listinfo/root-dnssec-announce
https://ripe71.ripe.net/archives/video/1225/
DNSSEC for legacy applications
• getdns nsswitch module to replace the default OS stub resolver
• works for nsswitch-enabled applications, but not with Chrome and related browsers (or any application with an internal DNS resolver)
• configuration web UI
• supports caching and DNS over TLS
• checks the process name and rewrites the answer if a known web browser is detected
• only a proof of concept, not production code
• SIDN is working on similar signalling with Unbound
https://ripe71.ripe.net/archives/video/1221/
Implementation Challenges of Geographic Split-Horizon
• overview of the DNS GeoIP implementations available in open source DNS servers today
• APIs and databases
• motivation: GeoIP in Knot-DNS
• discusses the EDNS Client Subnet option
• available in PowerDNS
• will be in Knot-DNS
• remark from Vicky Risk (ISC): Client Subnet will be in BIND 9.11
https://ripe71.ripe.net/archives/video/1223/
Turris Router / Turris Omnia
• open source router software and hardware
• motivation: probe for security research
• automatic quick updates
• checks outgoing traffic to find IoT devices that "talk home"
• can run honeypots (telnet and ssh), tunnelled to central servers
• attacker similarity analysis
• container virtualisation for your own applications (e.g. OwnCloud, mail server …)
• based on OpenWRT Linux
• https://www.turris.cz
https://ripe71.ripe.net/archives/video/1178/
Turris Router / Turris Omnia (continued)
• Turris Omnia: Indiegogo crowdfunded Turris router for everyone
• powerful home router with VLAN support
• fiber support on the WAN port
• hardware RNG
• programmable LEDs
• runs Knot-Resolver for DNSSEC validation
• https://www.indiegogo.com/projects/turris-omnia-hi-performance-open-source-router#/
A Measurement of SMTP over TLS
• measurement of TLS use between mail servers
• motivated by DANE
• "there's no secure e-mail without DNSSEC"
https://ripe71.ripe.net/archives/video/1344/
Automatic Certificate Issuance
• Let's Encrypt CA
• ACME protocol, can be used with any CA
• Internet Draft "draft-ietf-acme-acme"
• alternative ACME clients
• Bash shell script: https://github.com/lukas2511/letsencrypt.sh
• tiny (200 lines) Python script: https://github.com/diafygi/acme-tiny
• Let's Encrypt statistics: https://letsencrypt.org/stats/
https://ripe71.ripe.net/archives/video/4/
Today's mobile internet
• mobile devices are 40% of the Internet hosts
• desktop/laptop devices are on the decline
• the mobile world is built on NAT and CGN, a different Internet from the one we know
• no end-to-end connectivity
• dual-stack costs double in mobile
• IPv6 in the mobile device market
https://ripe71.ripe.net/archives/video/1343/
IPv6 Performance
• another online-ad measurement
• TCPv6 reliability
• IPv6 vs IPv4 performance
• comparison 2011 vs 2015
• 2011: 40% IPv6 failure rate, caused by tunnels
• 2015: 4.1% IPv6 failure rate, still 6to4
• 2015: 2% failure rate without tunnels
• the IPv6 failure rate is still not good
• in 48% of connections IPv6 is faster (unicast)
• in 52% of connections IPv4 is faster (unicast)
https://ripe71.ripe.net/archives/video/1219/
A look under the Hood at Devices, Networks and IPv6
• another APNIC advertisement-network measurement story
• ad network measurements switched from Flash to HTML5 (Sep 11, 2015)
• since then, more mobile devices in the data set
• 464XLAT = Android and iOS (no XLAT464) (comparison of different providers)
• 25% of devices in the US are IPv6 capable
https://ripe71.ripe.net/archives/video/1123/
don't miss our next webinar
• "DNSTap", Wednesday, December 16th, 2015
• Time: 4:00 CET / 3:00 GMT / 10 EDT / 7 PDT
• DNSTAP: a deep look into DNS server operations (featuring Unbound and Knot-DNS)
• Administrators want to know about the queries their DNS server is working on, and about the responses sent back to clients. Traditional logging (to a file or syslog) is resource intensive and can slow down the whole DNS server.
• DNSTAP is a new open technology that reads DNS server state events directly from the core of the DNS server, keeping the performance loss minimal while instrumentation is enabled.
• The webinar will show the DNSTAP implementation in Knot-DNS and Unbound, together with the available tools to analyze the DNSTAP data stream.
• Signup @ https://www.menandmice.com/resources/educational-resources/webinars/
Q/A
2015 Schedule, Slides, Links, Recording and errata
can be found @ https://www.menandmice.com/resources/educational-resources/webinars/