RIPE 71 and IETF 94 reports webinar


Transcript of RIPE 71 and IETF 94 reports webinar

Page 1: RIPE 71 and IETF 94 reports webinar

© Men & Mice http://menandmice.com

IETF 94 Review

10th December 2015


IETF 94, Yokohama, November 1-6, 2015

Page 2

before we start

… please note: Windows DNS security issue

December 8, 2015

MS15-127: Security update for Microsoft Windows DNS to address remote code execution: https://support.microsoft.com/en-us/kb/3100465

Page 3

Agenda: DNS, DNSSEC, DANE, IPv6

IETF 94 in Yokohama

RIPE 71 in Bucharest

the following is an excerpt of the IETF working group activities

for a full overview of all activities at IETF 94, see https://datatracker.ietf.org/meeting/94/materials.html

Page 4

DNS

Page 5

new DNS related RFCs published since last IETF


RFC: Title (Category)

RFC 7720: DNS Root Name Service Protocol and Deployment Requirements (BCP)

RFC 7712: Domain Name Associations (DNA) in the Extensible Messaging and Presence Protocol (XMPP) (Proposed Standard)

RFC 7706: Decreasing Access Time to Root Servers by Running One on Loopback (Informational)

RFC 7686: The ".onion" Special-Use Domain Name (Proposed Standard)

RFC 7673: Using DNS-Based Authentication of Named Entities (DANE) TLSA Records with SRV Records (Proposed Standard)

Page 6

new DNS related RFCs published since last IETF


RFC: Title (Category)

RFC 7672: SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) (Proposed Standard)

RFC 7671: The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance (Proposed Standard)

RFC 7646: Definition and Use of DNSSEC Negative Trust Anchors (Informational)

RFC 7626: DNS Privacy Considerations (Informational)

Page 7

DNS Record Type for SMIMEA

SMIMEA records now have a dedicated DNS record type (type 53)

SMIMEA stores X.509 certificate information for S/MIME in DNSSEC-secured DNS

Page 8

draft-jabley-dnsop-ordered-answers

Do resource records in a DNS message section have an order?

some WinDNS versions expect OPT as the first record (?)

TSIG/SIG(0) need a defined order

some DNS resolvers need data records and their RRSIG to be in order (data first, then RRSIG)

the document was rejected by the working group, but it led to an interesting discussion

Page 9

draft-ogud-dnsop-maintain-ds

Paul Wouters presented a new draft on how the management of DS records can be automated

• how to publish the initial DS record

• how to remove an existing DS record

Page 10

draft-wessels-edns-key-tag

Goal: measure RFC 5011 trust-anchor updates for the root KSK rollover

DNS resolvers send the key tags of their KSK trust anchors to the authoritative server

• only for QTYPE=DNSKEY; SHOULD for configured trust anchors

• DNS forwarding is tricky (forwarders can have different trust anchors)

• privacy/security considerations
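Added example (Python, not from the slides or the draft): how a validating resolver computes the key tags of its configured trust anchors (RFC 4034 Appendix B), packs them into the EDNS option the draft proposes, and the consistency check the authoritative side would make before counting them. The option code 14 is the value later registered for edns-key-tag in RFC 8145; the DNSKEY RDATA below are constructed placeholders, not real keys.

```python
import struct

EDNS_KEY_TAG = 14  # EDNS option code later registered for edns-key-tag (RFC 8145)


def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (flags, protocol, algorithm, public key),
    RFC 4034 Appendix B. Algorithm 1 (RSA/MD5) uses a different rule."""
    if dnskey_rdata[3] == 1:
        raise ValueError("algorithm 1 key tags are not computed this way")
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def build_key_tag_option(tags) -> bytes:
    """Option the resolver adds to its DNSKEY query: OPTION-CODE,
    OPTION-LENGTH, then one 16-bit key tag per configured trust anchor."""
    body = b"".join(struct.pack("!H", t) for t in tags)
    return struct.pack("!HH", EDNS_KEY_TAG, len(body)) + body


def parse_key_tag_option(option: bytes):
    """Authoritative side: return the list of key tags, or None when the
    option is not edns-key-tag or its length is inconsistent."""
    if len(option) < 4:
        return None
    code, length = struct.unpack("!HH", option[:4])
    body = option[4:4 + length]
    if code != EDNS_KEY_TAG or len(body) != length or length % 2:
        return None
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


# Constructed DNSKEY RDATA, not real keys: flags=257 (KSK), protocol=3,
# algorithm 8 or 13, then a few placeholder public-key bytes.
KSK_A = bytes([0x01, 0x01, 0x03, 0x08, 0x01, 0x02, 0x03, 0x04])
KSK_B = bytes([0x01, 0x01, 0x03, 0x0D, 0xAA, 0xBB])


def demo():
    """A validator with two configured trust anchors signals both key tags."""
    tags = [key_tag(KSK_A), key_tag(KSK_B)]
    option = build_key_tag_option(tags)
    return tags, option, parse_key_tag_option(option)
```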

Page 11

DNAME in the Root? / NXDOMAIN means NXDOMAIN

DNAME in the Root?

• ".local" is the 2nd or 3rd most popular TLD

• redirect ".local" with a DNAME to AS112

NXDOMAIN means NXDOMAIN

• a DNS resolver should stop the search when it finds an NXDOMAIN for an ancestor name in its cache tree

• helps with QNAME minimisation and with some random-qname attacks

• breaks split-horizon setups
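Added example (Python, not from the presentation) of the NXDOMAIN-cut rule in a resolver's negative cache and why it blunts a random-qname flood: once the NXDOMAIN for the parent is cached, the random subdomains never go upstream. The names and the upstream function are constructed stand-ins.

```python
def ancestors(qname: str):
    """qname and every ancestor up to the root:
    'a.b.example.' -> 'a.b.example.', 'b.example.', 'example.', '.'"""
    labels = qname.rstrip(".").split(".") if qname != "." else []
    for i in range(len(labels) + 1):
        yield ".".join(labels[i:]) + "." if labels[i:] else "."


class NegativeCache:
    """Minimal resolver negative cache. With nxdomain_cut=True a cached
    NXDOMAIN for an ancestor answers every name below it from cache."""

    def __init__(self, nxdomain_cut: bool):
        self.nxdomain_cut = nxdomain_cut
        self.nxdomain = set()      # names for which upstream said NXDOMAIN
        self.upstream_queries = 0  # queries that actually went upstream

    def resolve(self, qname: str, upstream) -> str:
        qname = qname.lower()
        checks = ancestors(qname) if self.nxdomain_cut else [qname]
        if any(name in self.nxdomain for name in checks):
            return "NXDOMAIN (from cache)"
        self.upstream_queries += 1
        rcode = upstream(qname)  # constructed stand-in for a real lookup
        if rcode == "NXDOMAIN":
            self.nxdomain.add(qname)
        return rcode


def constructed_upstream(name: str) -> str:
    """Constructed authoritative view: nothing exists at or below gone.example."""
    return "NXDOMAIN" if name.endswith("gone.example.") else "NOERROR"


def random_qname_burst(nxdomain_cut: bool, n: int = 100) -> int:
    """Upstream queries caused by n random labels under a non-existent name,
    the load pattern of a random-qname attack against a resolver."""
    cache = NegativeCache(nxdomain_cut)
    cache.resolve("gone.example.", constructed_upstream)
    for i in range(n):
        cache.resolve(f"x{i}.gone.example.", constructed_upstream)
    return cache.upstream_queries
```

The same rule is the split-horizon problem the slide mentions: an NXDOMAIN cached for a name from one view also suppresses every name below it that another view serves.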

Page 12

IPv6

Page 13

new RFCs published since the last IETF


RFC: Title (Category)

RFC 7610: DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers (BCP)

RFC 7653: DHCPv6 Active Leasequery (Proposed Standard)

RFC 7668: IPv6 over BLUETOOTH(R) Low Energy (Proposed Standard)

RFC 7676: IPv6 Support for Generic Routing Encapsulation (GRE) (Proposed Standard)

Page 14

draft-jjmb-v6ops-unique-ipv6-prefix-per-host

• Comcast public WiFi trial

• a /64 prefix for each WiFi access device

• solves DAD problems and isolates devices from each other

Page 15

draft-ietf-v6ops-design-choices

• enterprise IPv6 networks are in scope of the document

• all options for enterprises today have issues

• long discussion on ULA and "NPT66" (Option 3 of the "how to get IPv6 address space" section)

Page 16

Temporal and Spatial Classification of Active IPv6 Addresses

• IPv6 operational study by Akamai

• classifies IPv6 addresses seen by their CDN network

• temporal: how long are IPv6 addresses/prefixes used

• spatial: location of IPv6 addresses

• almost no EUI-48 host identifiers (good)

• > 90% of IPv6 addresses are privacy addresses

• maps the IPv6 address space in use
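Added example (Python, not code from the Akamai study) of the kind of classification the study performs: telling EUI-64 interface identifiers, which embed the device's EUI-48 MAC address and so make the host trackable across networks, from privacy or manually numbered addresses. The sample addresses are constructed, and the "static-low" heuristic is an assumption of this example.

```python
import ipaddress


def classify_iid(addr: str) -> str:
    """Classify an IPv6 address by its 64-bit interface identifier (IID):
    'eui64' when the IID embeds an EUI-48 (ff:fe in the middle, RFC 4291
    Appendix A), 'static-low' when it is a small manually chosen number
    (assumed heuristic), otherwise 'random' (RFC 4941 privacy addresses
    or random stable IIDs)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] == b"\xff\xfe":
        return "eui64"
    if iid[:6] == b"\x00" * 6:  # e.g. 2001:db8::1
        return "static-low"
    return "random"


def eui64_to_mac(addr: str) -> str:
    """Recover the EUI-48 embedded in an EUI-64 IID by dropping ff:fe and
    flipping the universal/local bit back; shows what such addresses leak."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("not an EUI-64 derived interface identifier")
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def summarise(addrs):
    """Share of each IID class in a list of observed client addresses."""
    counts = {}
    for a in addrs:
        k = classify_iid(a)
        counts[k] = counts.get(k, 0) + 1
    return {k: v / len(addrs) for k, v in counts.items()}


# Constructed sample, not data from the study.
SAMPLE = [
    "2001:db8:1::211:22ff:fe33:4455",    # EUI-64, leaks a MAC address
    "2001:db8:1::1",                     # manually numbered host
    "2001:db8:2:0:3c7b:9e1f:5a20:71c4",  # privacy/temporary address
    "2001:db8:2:0:91ab:c2d:e4f6:1837",   # privacy/temporary address
]
```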

Page 17

RIPE 71

Page 18

Impact of DNS over TCP: a Resolver Point of View

• study made with a medium-size ISP (200-400 qps)

• TCP timeout management is important

• message sizes due to DNSSEC are no problem; most DNSSEC answers are below the Ethernet MTU (< 1500 bytes)

• connection reuse is only beneficial for certain servers (e.g. the DNS resolver of a mail server)


https://ripe71.ripe.net/archives/video/1209/

Page 19

Preparing the Root-Zone KSK Roll

• the root KSK roll will use the RFC 5011 protocol

• the KSK roll will probably take 6-9 months in total

• the KSK rollover plan is not yet final

• announce mailing list: https://mm.icann.org/mailman/listinfo/root-dnssec-announce


https://ripe71.ripe.net/archives/video/1225/

Page 20

DNSSEC for legacy applications

• getdns nsswitch module to replace the default OS stub resolver

• works with nsswitch-enabled applications, but not with Chrome and related browsers (or any application with an internal DNS resolver)

• configuration web UI

• supports caching and DNS over TLS

• checks the process name and rewrites the answer in case a known web browser is detected

• only a proof of concept, not production code

• SIDN is working on similar signalling with Unbound


https://ripe71.ripe.net/archives/video/1221/

Page 21

Implementation Challenges of Geographic Split-Horizon

• overview of the DNS GeoIP implementations available in open source DNS servers today

• APIs and databases

• motivation: GeoIP in Knot DNS

• discusses the EDNS Client Subnet option

• available in PowerDNS

• will be in Knot DNS

• remark from Vicky Risk (ISC): Client Subnet will be in BIND 9.11


https://ripe71.ripe.net/archives/video/1223/

Page 22

Turris Router / Turris Omnia

• open source router software and hardware

• motivation: probe for security research

• automatic quick updates

• checks outgoing traffic: finds IoT devices that "talk home"

• can run honeypots (telnet and ssh), tunnelled to central servers

• attacker similarity analysis

• container virtualisation for your own applications (e.g. OwnCloud, mail server …)

• based on OpenWrt Linux

• https://www.turris.cz


https://ripe71.ripe.net/archives/video/1178/

Page 23

Turris Router / Turris Omnia

• Turris Omnia: Indiegogo crowdfunded Turris router for everyone

• powerful home router with VLAN support

• fiber support on the WAN port

• hardware RNG

• programmable LEDs

• runs Knot Resolver for DNSSEC validation

• https://www.indiegogo.com/projects/turris-omnia-hi-performance-open-source-router#/

Page 24

A Measurement of SMTP over TLS

• measurement of TLS use between mail servers

• motivated by DANE

• "there's no secure e-mail without DNSSEC"


https://ripe71.ripe.net/archives/video/1344/

Page 25

Automatic Certificate Issuance

• Let's Encrypt CA

• ACME protocol: can be used with any CA

• Internet Draft "draft-ietf-acme-acme"

• alternative ACME clients

• Bash shell script: https://github.com/lukas2511/letsencrypt.sh

• tiny (200 lines) Python script: https://github.com/diafygi/acme-tiny

• Let's Encrypt statistics: https://letsencrypt.org/stats/


https://ripe71.ripe.net/archives/video/4/

Page 26

Today's mobile Internet

• mobile devices are 40% of the Internet hosts

• desktop/laptop devices are on the decline

• the mobile world is built on NAT and CGN, a different Internet from the one we know

• no end-to-end connectivity

• dual-stack costs double in mobile

• IPv6 in the mobile device market


https://ripe71.ripe.net/archives/video/1343/

Page 27

IPv6 Performance

• another online ad measurement

• TCPv6 reliability

• IPv6 vs IPv4 performance

• comparison 2011 vs 2015

• 2011: 40% IPv6 failure rate (tunnels)

• 2015: 4.1% IPv6 failure rate (still 6to4)

• 2015: 2% failure rate without tunnels

• IPv6 failure rate still not good

• in 48% of connections IPv6 is faster (unicast)

• in 52% of connections IPv4 is faster (unicast)


https://ripe71.ripe.net/archives/video/1219/

Page 28

A look under the Hood at Devices, Networks and IPv6

• another APNIC advertisement-network measurement story

• ad network measurements switched from Flash to HTML5 (Sep 11, 2015)

• since then, more mobile devices in the data set

• 464XLAT = Android; iOS (no 464XLAT) (comparison of different providers)

• 25% of devices in the US are IPv6 capable


https://ripe71.ripe.net/archives/video/1123/

Page 29

don't miss our next webinar

• "DNSTap", Wednesday, December 16th, 2015

• Time: 4:00 CET / 3:00 GMT / 10 EDT / 7 PDT

• DNSTAP: have a deep look into DNS server operations (featuring Unbound and Knot DNS).

• Administrators want to know about the queries their DNS server is working on, and about the responses sent back to clients. Using traditional logging (to file or syslog) is resource intensive and can slow down the whole DNS server.

• DNSTAP is a new open technology, reading DNS server state events directly from the core of the DNS server, and making sure that performance loss is minimal while instrumentation is enabled.

• The webinar will show the DNSTAP implementation in Knot DNS and Unbound, together with available tools to analyze the DNSTAP data stream. Sign up @ https://www.menandmice.com/resources/educational-resources/webinars/


Page 30

Q/A


2015 Schedule, Slides, Links, Recording and errata

can be found @ https://www.menandmice.com/resources/educational-resources/webinars/