Dead Men Walking: IPv6 & DNSSEC (ION Toronto 2011)
•
0 gostou•414 visualizações
If after 10 years we still can't make IPv6 fly, is it time to rethink our strategy? That was one of the questions posed in this presentation by consultant Bill St. Arnaud as part of a panel on IPv6 and DNSSEC at the Internet ON (ION) Conference in Toronto on November 14, 2011. St. Arnaud examined the issues around deployment of IPv6, examined alternatives and talked about some successes - and then gave DNSSEC a similar treatment before giving his conclusions about what we need to do to move deployment forward. A video recording of the session will be available for viewing. Details will be posted at http://www.isoc.org/do/blog/ when the video is available. More information about the global series of ION conferences can be found at http://www.isoc.org/ion/
Recomendados
Recomendados
Mais conteúdo relacionado
Destaque
Destaque (10)
Mais de Internet Society
Mais de Internet Society (20)
Último
Último (20)
Dead Men Walking: IPv6 & DNSSEC (ION Toronto 2011)
- 1. Dead Men Walking: IPv6 and DNSSEC Bill.St.Arnaud@gmail.com ION -‐ Toronto November 14, 2011
- 2. The IPv6 Challenge • Despite considerable publicity and predicMons of IPv4 address Armageddon adopMon of IPv6 is anemic • Although IPv6 is deployed on many networks, take up by end users/ devices is slow • Carrier grade NAT seems to be the default path for IPv4 exhausMon – RouMng vendors like it because they can sell more complex and expensive gear – Carriers like it because they can lock in their customers • If aSer 10 years we sMll can’t make IPv6 fly, then maybe its Mme to rethink our strategy, especially for those of who believe in the original Internet vision. Two approaches: – New business models for market adopMon – New technology
- 3. New Market AdopMon IPv6 SURFnet-‐KPN pilot • Most future internet access will be mobile devices like iPad and iPhone • SURFnet-‐KPN pilot will be world’s fist enterprise centric integrated LTE-‐mobile network -‐ extremely low data prices • SURFnet “leasing /8” to KPN in exchange for pilot on naMonal wireless mobile broadband for universiMes and students • SURFmobile will be LTE with IPv6 only with integrated campus Wifi at universiMes, coffee shops, trains, etc • Will use IPv6 Eduroam to allow free internaMonal roaming • Other pilots under development in UK, US, Australia, etc. Canada?? • h`p://www.blogger.com/blogger.g?blogID=8586756976616257717#editor/ target=post;postID=2782224431972329057
- 4. IPv6 alternaMve? • Most Internet traffic is not end-‐to-‐end – 45-‐90% of traffic terminates at CDN or cloud – Major implicaMon in terms for IPv4/IPv6 desMnaMon based rouMng and addressing • Numeric addressing is an anachronism imposed by limitaMons of forwarding engine on routers • Possible IPv6 alternaMves: – Named Data Networking (NDN)– Van Jacobson – Delay Tolerant Networking (DTN) – Vint Cerf -‐ late binding of DNS + XML – XML rouMng and addressing (W3C) • h`p://billstarnaud.blogspot.com/2011/11/named-‐data-‐networking-‐how-‐ lte-‐networks.html
- 5. DNSSEC – the next IPv6? • Again, to us techies, there seems to be a clear and compelling need for DNSSEC • Already several events of DNS cache poisoning in Brazil and elsewhere • Is signing and delegaMng the root sufficient? • Do we just sit back and wait for ISPs and users to adopt? • Or do we try to be more proacMve with new business models that make life easier for end users and insMtuMons?
- 6. Netherlands pilot to deploy DNSSEC at universiMes • Many universiMes in Netherlands starMng to outsource DNS management • SURFdomeinen is a web-‐based portal that allows DNS operators of connected insMtuMons to: – register or migrate domain names in the following top-‐level domains (TLDs): .nl, .com, .net, .org, .info and .eu; – manage contact details for contacts associated with registered domains; – create secondary DNS configuraMons on SURFnet name servers for their domains; – manage complete DNS zones that are then served out by SURFnet name servers. – DNSSEC support has been integrated into the managed DNS funcMonality. • Not yet deliver a full end-‐user service due to restricMons imposed by the fact that SIDN does not yet have a process for automated submission of secure delegaMons (DS) for the .nl zone. • h`ps://dnssec.surfnet.nl/wp-‐content/uploads/2011/01/D1c-‐DNSSEC-‐in-‐ SURFdomeinen-‐end-‐report-‐v1.0.pdf
- 7. Conclusions • IPv6 and DNNSEC is hard and costly • On its own provides NO new benefits, only protecMon from possible real and hypotheMcal negaMve externaliMes • To promote success need to link these technologies to services that enable new capabiliMes e.g. – Low cost broadband mobile wireless – Out sourcing DNS management • Need funding program and early adopters such as universiMes and R&E networks to promote adopMon – A sitng back and hope strategy will not work