Post on 16-Apr-2017
IoT613 - September 2015
About CIRA
1. Operate the .CA top-level domain registry Registrant Registrar Registry .CA DNS
2. Operate the .CA top-level domain DNS Root “.” “.CA” 2nd Level .CA domains Internet Users ISP “.CA”
3. Invest in the Canadian Internet Promote development & adoption of IPv6 and DNSSEC D-Zone (Canadian DNS Secondary Anycast)
4. CIRA is a member-driven organization of over 70 employees and an elected 12-person board
IoT613 - September 2015
Internet of Things
• Things that are on the Internet• Things that are not on the Internet• Things referencing other Things on the Internet Things connecting to other Things on the Internet
• IoT is not here yet…• But marketing hype sure is!
IoT613 - September 2015
IoT Design Consideration
• Think about the Internet plumbing • For the things that are on the Internet:
Internet Protocol support: IPv6Trusted Domain Names & URL: .CASecurity: DNSSEC, IPSec
thebay.ca/olympics
Internet Infrastructure - Why .CA
• .CA is 2.4 million domain names– 100% Canadian– Top global rank for security, trusted– 800 million authoritative DNS queries a day
1069 TLDs & end-user confusion
IoT613 - September 2015
Internet Infrastructure - Why IPv6
• Design on IPv6 –> “The Future”– Scalable – 128 bits vs. 32 bits address scheme– Peer to peer (no NAT)– End to end security– Tiny stack, extensions, mobility, address mgmt.
Did you know?We ran out of IPv4 addresses (i.e. 1.1.1.1)
IoT613 - September 2015
Internet Infrastructure - Why IPv6
https://www.arin.net/knowledge/ipv6_info_center.html
IoT613 - September 2015
Internet Infrastructure - Why DNSSEC
• Think about integrity in domain name resolution– Domain name DNSSEC validation – prevents
domain/application hijacking
IoT613 - September 2015
Internet Infrastructure - Why DNSSEC
• Think about integrity in domain name resolution– Domain name DNSSEC validation – prevents
domain/application hijacking
IoT613 - September 2015
Internet Infrastructure - Why DNSSEC
• Platform for innovation– Cryptography, PKI based, application security
Signing an authoritative DNS zone with DNSSEC
www.cira.ca A 1.1.1.1 www.cira.ca RRSIG TaHZFGsjp…
DNS record(Private Key)
IoT613 - September 2015
Internet Infrastructure - Why DNSSEC
Resolver DNS Response - Calculate hashwww.cira.ca A 1.1.1.1
Resolver DNS Response - Decrypt signaturewww.cira.ca RRSIG TaHZFGsj….
(Public Key)
Links to Innovation & Research
• Think .CA, IPv6 and DNSSEC• IPv6 | Deploy360 Programme - ISOC• DNSSEC DANE| Deploy360 Programme - ISOC• The Physical web – Scott Jenson• IoT DNS Security - CircleID • IETF working on home network naming architecture
Thank you
Jacques LatourChief Technology Officer
Canadian Internet Registration Authority (CIRA) jacques.latour@cira.ca