ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
Good Men Rising: IPv6 & DNSSEC (ION Toronto 2011)
-
Upload
internet-society -
Category
Technology
-
view
819 -
download
0
Transcript of Good Men Rising: IPv6 & DNSSEC (ION Toronto 2011)
Good Men Rising: IPv6 & DNSSEC
Canadian Internet Registra:on Authority (CIRA)
Jacques Latour
ION -‐ Toronto November 14, 2011
About CIRA
1. Operate the .CA Registry § Registrant ßà Registrar ßà Registry à .CA DNS
2. Operate the .CA Top Level Domain § Root “.” ßà “.CA” ßà 2nd Level .CA domains § Internet Users ßà ISP ßà “.CA”
3. Do good things for the Canadian Internet § Promote digital literacy, Canadian Internet Forum § Promote IPv6, DNSSEC, NTP and Canadian IXPs
ION -‐ Toronto -‐ 2011-‐11-‐14 2
IPv6 Adop8on Strategy
• IPv6 Discovery & Research • Perform an IPv6 Readiness Assessment • Define IPv6 Objec:ves (can’t do everything) • Develop a Project Plan • Develop a detailed IPv6 Architecture & Design • Development, tes:ng and pilot mode • Implement in produc:on • Monitor
Not a migra8on, not a transi8on, coexistence!
ION -‐ Toronto -‐ 2011-‐11-‐14 3
IPv6 Objec8ve -‐ WEB Content • Not everything needs to be IPv6 on day 1
– World IPv6 Day, June 8, 2011 • Internet Perimeter & DMZ (www.cira.ca) • IT Organiza:on • Permanent • Presence • Support
ION -‐ Toronto -‐ 2011-‐11-‐14 4
CIRA SecondaryDNS Servers
…. (j & sns-pb)
RegistryPrimary
CorporateNetwork
RegistryBackup
a.ca-servers.ca
c.ca-servers.ca
m.ca-servers.ca
z.ca-servers.ca
Internet
ITOperations
WWW
IPv6
IPv4
IPv6Glue Records
Try www.cira.ca on IPv6 Or
http://[2001:500:80:2::12]/
IPv6 Architecture Guidelines
• Keep IPv4 as-‐is • Dual Stack
– All systems par:cipa:ng in the IPv6 implementa:on must support a concurrent IPv4 and IPv6 stack
• No IPv6 Tunnelling – Usage of IPv6 tunnelling mechanisms such as ISATAP, Teredo, 6to4,
6rd are disabled and not permibed
• Na8ve IPv6 Transit – IPv6 transit must support IPv6 na:vely without the use of tunnelling
• No Network Address Transla8on (NAT) – NAT66, NAT64 & NAT46 technologies not permibed
ION -‐ Toronto -‐ 2011-‐11-‐14 5
“Rules of engagement”
Security Policy Template available at www.cira.ca/knowledge-‐centre/ipv6
IPv6 Benefits
• It works! • Some say it’s old • I say it’s new • Let’s make it work in Canada! • Enabler for future growth • We have to think globally
ION -‐ Toronto -‐ 2011-‐11-‐14 6
DNSSEC
• Developed by propeller heads J
ION -‐ Toronto -‐ 2011-‐11-‐14 7
DNS à Safe & Trusted
ION -‐ Toronto -‐ 2011-‐11-‐14 8
• Security extensions on top of DNS to provide authen:ca:on of DNS data
A PlaVorm for Innova8on
• DANE (DNS-‐based Authen:ca:on of Named En::es) • Applica:on can use DNSSEC for enhanced security • A ‘new’ technology to be leveraged
ION -‐ Toronto -‐ 2011-‐11-‐14 9
CIRA – DNSSEC Status
• CIRA ac:vely working on signing the .CA zone
ION -‐ Toronto -‐ 2011-‐11-‐14 10
Thank you!
hbp://ca.movember.com/mospace/2531386
ION -‐ Toronto -‐ 2011-‐11-‐14 11