ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
0 likes393 views
The document discusses the business case for implementing IPV6 and DNSSEC. It outlines some key criteria for a successful business, including high sales, profits, customer satisfaction, quality products, reputation and sustained growth. It then discusses the limited remaining IPv4 addresses and the need to transition to IPv6. The document also summarizes the key components and security objectives of DNSSEC for securing DNS transactions and authenticating data. Finally, it discusses potential business benefits and motivations for early adopters of DNSSEC across different roles like registries, zone operators and registrars.
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
- 1. Driving the Future Business case for IPV6 & DNSSEC - shailesh.gupta@tatacommunications.com © Copyright 2012 Tata Communications Ltd. All rights reserved.
- 2. Criteria for successful Business Case There are different views about what makes a successful business. Typically success should be judged by the ability to meet objectives. Using this definition, success criteria would include : ü High levels of Sales ü High levels of Profits ü High levels of Consumer Satisfaction ü Production of high quality products ü Strong reputation ü Sustained growth Businesses are able to establish targets in relation to each of the aspects of the bottom line e.g. increasing profit by x %, gaining employee satisfaction of y%, and minimizing their environmental impact. The success of businesses can then be judged in terms of their ability to meet important targets and creating a cycle of stakeholder satisfaction. Successful businesses take a long term rather than a short term view of success. Attaining success involves meeting objectives for a range of desirable outcomes, which create a cycle of stakeholder satisfaction. © Copyright 2012 Tata Communications Ltd. All rights reserved.
- 3. IPv4 Address Report (Generated at 07-Oct-2012 08:00 UTC) IANA Unallocated Address Pool Exhaustion: 03-Feb-2011 Projected RIR Address Pool Exhaustion Dates: RIR Projected Exhaustion Date Remaining Addresses in RIR Pool (/8s) Ø APNIC: 19-Apr-2011 (actual) 0.9091 Ø RIPE NCC: 14-Sep-2012 (actual) 0.9847 Ø ARIN: 21-Aug-2013 3.1782 Ø LACNIC: 31-May-2015 3.1733 Ø AFRINIC: 05-Nov-2019 4.1093 © Copyright 2012 Tata Communications Ltd. All rights reserved.
- 4. APNIC Survey in 2009 wrt IPV6 adoption * Source – APNIC Survey report © Copyright 2012 Tata Communications Ltd. All rights reserved.
- 5. Policy decisions taken by Governments ü 2008 US federal agencies IPv6 compliant ü 2010 25% of EU traffic to be over IPv6 ü 2011 JP Govt target to have all JP ISPs over IPv6 ü 2012 AU Govt networks over IPv6 “National IPv6 Deployment Roadmap” was released by the Government of India in July 2010 : ü All major Service providers (having at least 10,000 internet customers or STM-1 bandwidth) will target to handle IPv6 traffic and offer IPv6 services by December-2011 ü All central and State government ministries and departments, including its PSUs, shall start using IPv6 services by March-2012 ü Formation of the IPv6 Task Force with one Oversight Committee, one Steering Committee and 10 working groups. © Copyright 2012 Tata Communications Ltd. All rights reserved.
- 6. IPV6 - Indian context Only 18.5 million IPv4 addresses for a population of 1.2 billion in India. • But the requirement for IP addresses will keep increasing with new services, new networks, new applications. • Telecommunications will be largest consumer of IP addresses in coming years (Broadband, 3G, NGN, 4G, LTE etc.). • IPv4 is a diminishing resource and is very costly @ USD 10 per IPV4 compared to IPv6 (almost free) right now and will be more costlier with passage of time. Its not only about benefits from IPV6 but loosing the opportunities by not adopting it. IPv6 is the only solution ! © Copyright 2012 Tata Communications Ltd. All rights reserved.
- 7. Data flow through the DNS Where are the vulnerable points? DNS Known Threats (RFC 3833) ü Packet Interception - man-in-the-middle attacks ü ID Guessing and Query Prediction ü Name Chaining - Cache Poisoning ü Betrayal By Trusted Server ü Denial of Service ü Wildcards Server vulnarability Registrars & Registrants Secondary Man in the Middle DNS primary DNS Registry spoofing & Secondary Man in the Middle DNS © Copyright 2012 Tata Communications Ltd. All rights reserved.
- 8. DNS Hierarchy Root “.” .gov .com .org .in TLDs (250) .net nist.gov dhs.gov abc.com xyz.org Enterprise test.in myname.net Level Domain There are 13 name servers associated with the root level; they are called root servers. Two of the root servers are currently run by the U.S private-sector corporation VeriSign; the rest are operated by other organizations around the world as a service to the Internet community. The organizations that run name servers associated with a TLD are called registries. Generally, ccTLDs are run by designated registries in the respective countries, and gTLDs are run by global registries. For example, VeriSign currently manages the name servers for the .com and .net TLDs, a nonprofit entity called Public Internet Registry (PIR) manages the name servers for the .org TLD, and another nonprofit organization called EDUCAUSE manages the name servers for the .edu TLD. © Copyright 2012 Tata Communications Ltd. All rights reserved. 8
- 9. Securing DNS Before security objectives can be determined, the building blocks of the DNS need to be specified. DNS includes the following entities: ü DNS hosting environment Host platform (O/S, file system, communication stack) DNS software (name server, resolver) DNS data (zone file, configuration file) ü DNS transactions DNS query/response Zone transfers Dynamic updates DNS NOTIFY ü Security administration Choice of algorithms and key sizes (TSIG and DNSSEC) Key management (generation, storage, and usage) Public key publishing and setting up trust anchors Key rollovers (scheduled and emergency) ü Install a DNSSEC capable name server implementation. ü Check zone file(s) for any possible integrity errors. ü Generate asymmetric key pair for each zone and include them in the zone file. ü Sign the zone. Load the signed zone onto the server ü Configure name server to turn on DNSSEC processing. © Copyright 2012 Tata Communications Ltd. All rights reserved. 9
- 10. DNSSEC DNSSEC provides message authentication and integrity verification through cryptographic signatures. Before a DNSSEC signed zone can be deployed, a name server must be configured to enable DNSSEC processing. In BIND, it is done by adding the following line to the options statement in the named configuration file (named.conf). DNSSEC features options { * End-to-end data integrity check. dnssec-enable yes; * DNS data origin authentication. }; * Authenticated denial of existence. After restart, the name server will now perform DNSSEC processing for DNS Query/response transactions. Digital Signature Algorithms, Min. Key Sizes, and Crypto Periods Key Type Digital Signature Algorithm Suite Key Size Crypto Period (Rollover Period) Key-‐Signing Key (KSK) RSA-‐SHA1 (RSA-‐SHA-‐256) unGl 2015 2048 bits 12-‐24 months (1-‐2 years) Zone-‐Signing Key (ZSK) RSA-‐SHA1 (RSA-‐SHA-‐256) unGl 2015 1024 bits 1-‐3 months (30-‐90 days) DNS TransacGon Threats and Security ObjecGves DNS Transac+on Threats Security Objec+ves IETF Security (a) Forged or bogus response (a) Data origin authen+ca+on DNS Query/Response (b) Removal of records (RRs) in responses (b) Data integrity verifica+on DNSSEC (c) Incorrect applica+on of wildcard expansion rules Zone Transfer (a) Denial of service (a) Mutual authen+ca+on TSIG (b) Tampering of messages (b) Data integrity verifica+on (a) Unauthorized Updates (a) Mutual authen+ca+on Dynamic Update (b) Tampering of messages (b) Data integrity verifica+on TSIG, GSS-‐TSIG or SIG(0) (c) Replay aNack (c) Signed +mestamps (a) Spurious no+fica+ons (a) To prevent denial of service through Specify hosts from which this DNS NOTIFY increase in workload message can be received TSIG or SIG(0) © Copyright 2012 Tata Communications Ltd. All rights reserved. 10
- 11. Business case for DNSSEC Making a business case for DNSSEC is not easy in comparison to IPV6. DNSSEC is important - securing the DNS is a good thing - Is this enough ? Reducing the effort… • This means bring down the cost of implementing DNSSEC – Research & Share – Simplify – Automate – Reduce risk Examples : • Registrars – Toolkits • Registrants – One click DNSSEC • ISPs – Simple DNSSEC resolvers • End Users – Build it into software and turn on by default © Copyright 2012 Tata Communications Ltd. All rights reserved. 11
- 12. Business case for DNSSEC Make DNSSEC a requirement : – Contractual obligation – Government mandate like IPV6 – ICANN Potential reason for deploying DNSSEC : - Increased Security – Really will only work if visible to end users – Think green-bar in a browser – Requires education Secure DNS as an enabler -DNS is now 100% trust worthy, what can we do with that? -If what I can do is worthy, I will NEED DNSSEC © Copyright 2012 Tata Communications Ltd. All rights reserved. 12
- 13. Business Benefits & Motivation for DNSSEC roles Early adopters lead the pack Cost drivers Ø Infrastructure cost Ø Strategic positioning Registry (Responsible for tech operation of TLDs, manage registration within TLD) ü Become a reliable Trust Anchor ü Lead by example and stimulate parties further down in the chain to adopt DNSSEC ü Earn recognition in the DNS community Zone operator (Responsible for tech operation of DNS zones & domain names) ü Provide assurance to clients that domain name services are reliable and trustworthy ü Look forward to increasing adoption rate when revenue is an important driver. ü Deploying DNSSEC can be profitable Registrar (Accredited by ICANN to manage the reservation of domains as per policy) ü Differentiator and competitive advantage versus others Recursive Resolver Operator (ISPs) ü Assure end-users on DNS reliability and trustworthiness ü Offering differentiator and competitive advantage © Copyright 2012 Tata Communications Ltd. All rights reserved. 13
- 14. Thank You © Copyright 2012 Tata Communications Ltd. All rights reserved. 14 14