.CA Landscape
Canadian Internet Registration Authority (CIRA)
Jacob Zack, Sr. DNS Administrator
April 2014
ORION Tech Workshop – April 2014: .CA Landscape
Agenda:
• CIRA: History and Mandate
• .CA DNS
• Fundamentals of DNS
• Why DNSSEC?
• Why IPv6?
• Canadian IXPs (Internet Exchange Points)
History of .CA
• .CA delegated to volunteers at UBC in 1987 (John Demco).
• First .CA domain name was “UPEI.CA” on Jan 12, 1988.
• .CA Operated by UBC until late 2000.
• CIRA receives mandate for .CA from Industry Canada in 2000.
• In 2000, .CA contained ~140,000 domain names.
• .CA hit 1 million domain mark in April 2008.
• .CA hit 2 million domain mark in November 2012.
• .CA currently at 2,227,000 domains (April 2, 2014).
• CIRA is a self-funded, non-profit, member-driven organization.
CIRA’s Mandate
• Operate a robust, reliable, secure, and always available .CA registry and DNS infrastructure
• Preserve this virtual natural resource for Canadians
• To develop, carry out and/or support any other Internet-related activities in Canada
.CA DNS
• The .CA domain is delegated from IANA (“The Root”) to CIRA.
• CIRA delegates “second-level” domains to registrants.
– Ex: “gc.ca” is delegated to servers operated by the Government of Canada.
• CIRA operates multiple .CA DNS sites within Canada.
– Vancouver, Calgary, Winnipeg, Toronto, Ottawa, Montreal
• CIRA utilizes third-party DNS providers outside of Canada.
• CIRA has maintained 100% uptime of .CA DNS
• Emerging threats a catalyst for coming changes…
• Emerging technology providing new opportunities…
DNS Hierarchy
When operating a domain, you control that domain for all levels beneath it. You can, however, delegate authority to a third party, as CIRA does for ~2.2 million domains.
DNS Operation Modes
• Authoritative
– An authoritative server receives and responds to queries for domains that it knows about and is responsible for.
– This includes ICANN’s root servers, CIRA’s TLD DNS servers, and (should include) any DNS servers listed for a domain in WHOIS.
• Recursive
– A recursive server responds to all queries, generally from “end-users”.
– A recursive server asks questions of authoritative servers.
– Often, recursive servers will cache DNS information for some period.
CIRA operates the .CA authoritative servers.
CIRA operates the CIRA.CA authoritative servers (and those of other corporate domains).
CIRA operates recursive DNS servers that staff and servers use to look up other parties’ DNS data.
CIRA’s recursive servers query CIRA’s authoritative servers like any other entity.
DNS Query Flow
DNSSEC
http://www.internetsociety.org/deploy360/dnssec
Why DNSSEC?
• DNS Cache Poisoning:
– A weak point in the DNS protocol allows for exploitation.
– Attacker fools a recursive DNS server into giving out bad data.
1) Make an ISP recursive server ask a predictable question. Ex: Where is WWW.CIBC.CA?
2) Flood the ISP recursive server with bogus answers to the question.
3) ISP recursive server now accepts “CIBC.CA” == hacked host in China.
4) ISP recursive server tells ISP customers “CIBC.CA” == hacked host in China.
5) Customers send username/password details to the hacked host.
6) Profit.
What is DNSSEC?
• RFCs for adding digital signatures to DNS data
• Provides authenticity of data
• Secure delegations from parent to child, creating a chain of trust
• Compromised name servers detected and ignored
• DNS data manipulation detected and ignored
• Data authenticity and integrity by signing the zone with a private key
• Public DNSKEYs published, used to verify the signatures
(Slide reused from the 2013 CCS Workshop, Ottawa, 2013-11-5)
DNSSEC Chain of Trust
• Root [.] zone file: public root key and trust anchors; holds the .ca delegation signer (DS), a digest of the .ca public key.
• .ca zone file: .ca public key; holds the gc.ca delegation signer (DS), a digest of the gc.ca public key.
• gc.ca zone file: gc.ca public key; holds the ic.gc.ca delegation signer (DS).
DNSSEC Enabled DNS Query (highly simplified)
[Diagram: an Internet user’s end-user application (becoming DNSSEC aware) asks a DNSSEC-enabled recursive server (at the ISP, caching results), which in turn queries the authoritative servers: the “.” root, the “.ca” TLD, and the “cira.ca” DNS operators; the user then connects to the web server www.cira.ca at 2001:500:80:2::12 / 192.228.29.1.]
All DNSSEC enabled responses include DNSSEC signatures that must be validated against the DNSKEY.
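The following is an added example, not CIRA’s code or anything from the presentation: a toy model of the chain of trust just described, which also shows why the cache-poisoning steps above fail once a resolver validates (a forged answer cannot carry a signature that verifies under the zone’s DNSKEY). The DS digests are computed the way RFC 4034 specifies (SHA-256 over the owner name in wire format followed by the DNSKEY RDATA). The signature scheme is a tiny textbook RSA with small fixed primes, chosen only so the example runs offline with the standard library; it is not a real DNSSEC algorithm, which is why the DNSKEY carries the private-use algorithm number 253. The zones, keys and the 192.0.2.10 / 203.0.113.7 addresses are constructed for the example.

```python
# Added example: toy DNSSEC chain of trust (root -> ca -> cira.ca). Not CIRA's code.
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

# --- toy RSA stand-in for the signing algorithm (illustration only, NOT a DNSSEC algorithm) ---
def toy_keypair(p, q):
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return (n, e), (n, pow(e, -1, phi))        # (public key, private key)

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def toy_sign(priv, data):
    n, d = priv
    return pow(_h(data, n), d, n)

def toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data, n)

def dnskey_rdata(pub, flags=257):
    """DNSKEY RDATA: flags (257 = KSK), protocol 3, algorithm 253 (private use), key bytes."""
    n, e = pub
    return struct.pack("!HBB", flags, 3, 253) + n.to_bytes(8, "big") + e.to_bytes(4, "big")

def ds_digest(owner, dnskey):
    """DS digest type 2 (SHA-256), as in RFC 4034: the parent publishes this digest, not the key."""
    return hashlib.sha256(name_to_wire(owner) + dnskey).hexdigest()

class Zone:
    def __init__(self, name, p, q):
        self.name = name
        self.pub, self._priv = toy_keypair(p, q)
        self.dnskey = dnskey_rdata(self.pub)
        self.ds = {}        # child zone name -> DS digest published in THIS zone
        self.records = {}   # owner -> (rdata, signature made with this zone's private key)

    def delegate(self, child):
        self.ds[child.name] = ds_digest(child.name, child.dnskey)

    def add_record(self, owner, rdata):
        self.records[owner] = (rdata, toy_sign(self._priv, name_to_wire(owner) + rdata))

def zone_path(zones, owner):
    """Zones from the root down to the one holding `owner`, e.g. ".", "ca", "cira.ca"."""
    labels = owner.rstrip(".").lower().split(".")
    path = [zones["."]]
    for i in range(len(labels) - 1, -1, -1):
        suffix = ".".join(labels[i:])
        if suffix in zones:
            path.append(zones[suffix])
    return path

def validate(zones, trust_anchor, owner):
    """Validate like a DNSSEC-aware recursive server: trust anchor -> root DNSKEY,
    each parent's DS -> child DNSKEY, then the record's signature under the leaf DNSKEY."""
    path = zone_path(zones, owner)
    if ds_digest(".", path[0].dnskey) != trust_anchor:
        return False, "root DNSKEY does not match the configured trust anchor"
    for parent, child in zip(path, path[1:]):
        if parent.ds.get(child.name) != ds_digest(child.name, child.dnskey):
            return False, f"DS in {parent.name} does not match the DNSKEY of {child.name}"
    leaf = path[-1]
    if owner not in leaf.records:
        return False, "no such record"
    rdata, sig = leaf.records[owner]
    if not toy_verify(leaf.pub, name_to_wire(owner) + rdata, sig):
        return False, f"RRSIG on {owner} does not verify against the {leaf.name} DNSKEY"
    return True, "validated"

def build_demo():
    """Constructed root -> ca -> cira.ca chain; the primes are well-known small primes, the keys are toys."""
    root = Zone(".", 104729, 1299709)
    ca = Zone("ca", 15485863, 32452843)
    cira = Zone("cira.ca", 49979687, 67867967)
    root.delegate(ca)
    ca.delegate(cira)
    cira.add_record("www.cira.ca", bytes([192, 0, 2, 10]))   # constructed A record (TEST-NET-1)
    zones = {z.name: z for z in (root, ca, cira)}
    return zones, ds_digest(".", root.dnskey)                 # second value is the trust anchor

def forge_answer(zones, owner, new_rdata):
    """Model a poisoned cache entry: the address changes, but the attacker cannot re-sign it."""
    leaf = zone_path(zones, owner)[-1]
    leaf.records[owner] = (new_rdata, leaf.records[owner][1])

if __name__ == "__main__":
    zones, anchor = build_demo()
    print(validate(zones, anchor, "www.cira.ca"))            # (True, 'validated')
    forge_answer(zones, "www.cira.ca", bytes([203, 0, 113, 7]))
    print(validate(zones, anchor, "www.cira.ca"))            # (False, 'RRSIG on www.cira.ca ...')
```

Each link is checked the same way the slide draws it: the parent never needs the child’s private key, only a digest of the child’s public key (the DS record), and the whole chain is anchored in one out-of-band trusted value, the root key digest a validating resolver ships with.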
DNSSEC Validation
• What is recursive DNSSEC validation?
– The caching recursive name server validates the DNSSEC signatures received for an answer against the domain’s DNSKEY keys (and more).
• http://www.surfnet.nl/Documents/rapport_Deploying_DNSSEC_v20.pdf
DNSSEC Validation (cont.)
To enable DNSSEC validation at an ISP/Enterprise:
• Ensure the DNS software on your caching recursive servers supports DNSSEC
– Bind version 9.7 and up
– Unbound version 1.4 and up
– Microsoft DNS on Windows Server 2012 and up
– Many other open source and commercial versions
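Added example, not from the presentation: once validation is switched on, the practical check is to run `dig www.cira.ca A +dnssec` against the caching recursive server and look for the `ad` (authenticated data) flag in the reply. The script below parses dig’s text output and classifies the result. The two sample outputs are constructed for this example (placeholder address, signature, query id and the `badsig.example` name).

```python
# Added example: classify `dig +dnssec` output to tell whether a resolver is validating.
import re

# Constructed sample: what a validating resolver returns for a signed name.
SAMPLE_VALIDATING = """\
; <<>> DiG 9.9.5 <<>> www.cira.ca A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096

;; ANSWER SECTION:
www.cira.ca.\t300\tIN\tA\t192.0.2.10
www.cira.ca.\t300\tIN\tRRSIG\tA 8 3 300 20140501000000 20140401000000 12345 cira.ca. cGxhY2Vob2xkZXI=
"""

# Constructed sample: a validating resolver refusing an answer whose signatures did not check out.
SAMPLE_SERVFAIL = """\
; <<>> DiG 9.9.5 <<>> badsig.example A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

def parse_dig(text):
    """Pull out the fields that matter: rcode, header flags, EDNS flags, presence of RRSIGs."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([^;]*);", text, re.M)
    edns = re.search(r"^; EDNS: .*flags: ([^;]*);", text, re.M)
    header_flags = set(flags.group(1).split()) if flags else set()
    edns_flags = set(edns.group(1).split()) if edns else set()
    return {
        "status": status.group(1) if status else None,
        "ad": "ad" in header_flags,          # resolver asserts it validated the answer
        "do": "do" in edns_flags,            # DNSSEC OK bit: we asked for signatures
        "rrsig": bool(re.search(r"\sIN\s+RRSIG\s", text)),
    }

def assess(parsed):
    """Turn the parsed fields into a one-word verdict a practitioner can act on."""
    if parsed["status"] == "SERVFAIL" and parsed["do"]:
        return "servfail-possible-validation-failure"
    if parsed["ad"] and parsed["rrsig"]:
        return "validated"
    if parsed["rrsig"] and not parsed["ad"]:
        return "signed-but-resolver-not-validating"
    if not parsed["rrsig"]:
        return "unsigned-or-no-do-bit"
    return "unknown"

if __name__ == "__main__":
    for sample in (SAMPLE_VALIDATING, SAMPLE_SERVFAIL):
        print(assess(parse_dig(sample)))
```

A SERVFAIL on its own is not proof of a signature problem; repeat the query with `+cd` (checking disabled): if the answer then comes back, the resolver is validating and the data failed validation, which is the behaviour you want from a resolver that has just been switched on.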
DNS Safe & Trusted
• Security extensions on top of DNS to provide authentication of DNS data
A Platform for Innovation
• DANE (DNS-based Authentication of Named Entities)
• Application can use DNSSEC for enhanced security
• A ‘new’ technology to be leveraged
• SSL certs inside DNS!
How to Sign Your Zones
• Simplest commands:
    dnssec-keygen mydomainname.ca
    dnssec-keygen -f KSK mydomainname.ca
…the first creates the ZSK, the second the KSK (-f KSK sets the key-signing-key flag).
• Config change: add these lines to the zone statement for “mydomainname.ca”:
    zone "mydomainname.ca" {
        type master;
        file "/etc/namedb/master/mydomainname.ca";
        key-directory "/etc/namedb/keys";
        auto-dnssec maintain;
        inline-signing yes;
    };
IPv6
http://www.internetsociety.org/deploy360/ipv6
IPv6 Addresses
• IPv4:
– 32 bits.
– 134.23.240.6
• IPv6:
– 128 bits.
– 2001:0db8:0f34:3345:02fc:45e1:1940:0032
• Not backward compatible
IPv4 Address Exhaustion
• Internet Protocol V4 (IPv4) -> 40+ years old! Ex: 192.168.1.3
• Exhaustion is a real problem:
– We’re actually running out of IPv4 addresses.
– Not so much in Canada now, but in Asia and Europe for sure.
• Trying to keep IPv4 alive, we’re breaking the Internet with:
– Address and port translation (NAT/PAT)
– Carrier Grade NAT (double NAT!)
• ~4.2 billion addresses, ~half of them usable: fewer than the number of mobile devices
About IPv6
• Internet Protocol V6 (IPv6) -> ~17 years old!
– 2001:500:80:2::12
• Not a migration!
• Not a transition!
• IPv4 will coexist with IPv6 for 10+ years
• We have to adopt IPv6
The Internet is not IPv4 or IPv6.
The Internet is IPv4 and IPv6.
IPv6 Adoption
Source: https://www.google.com/intl/en/ipv6/statistics.html
GERMANY: 7.4% Adopted
USA: 6.79% Adopted
PERU: 5.26% Adopted
FRANCE: 4.86% Adopted
JAPAN: 3.57% Adopted
CHINA: 0.7% Adopted
CANADA: 0.43% Adopted
Canadian IXPs
• An IXP is a physical infrastructure through which Internet Service Providers, Research Networks, Businesses, and Content Distribution Networks exchange traffic between their networks!
Canadian IXPs (cont.)
• Montreal (QIX) founded 1995.
• Toronto (TORIX) founded 1997.
• Ottawa (OTTIX) founded 2001.
CIRA announces new Canadian IXP initiative in 2012.
• Montreal (QIX) now community driven! (2013)
• Winnipeg (MBIX) founded 2013.
• Calgary (AlbertaIX) founded 2013.
• Calgary (YYCIX) founded 2013.
• Halifax (HFXIX) founded 2013.
Internet Exchange Points (IXPs)
• Canadian IXPs should be:
– Community based
– Vendor neutral
– Non profit organizations
– Member driven
– Open peering policy
– Accepts content providers, ISPs, transit providers, government, R&E and any other participant that can gain in exchanging traffic
[Diagram: Canada vs. USA. Without a local exchange, Canadian ISPs (including last-mile providers) reach each other and the Internet through paid transit ($$$) via US IXPs; with a Toronto IXP, the same ISPs peer locally ($) and buy far less transit ($).]
Internet Exchange Point (IXP) – Canadian Vision
[Diagram: the Internet as a network of networks (domestic and international Internet service providers, content provider networks) connected by transit and peering. At the local IXP: DNS servers (root & .CA), NTP time servers, route servers, and DNS servers for ISPs. Participants: ISPs (cable/DSL, wireless, mobile, VoIP), domestic and international CDNs (content delivery networks), R&E (research and education) networks, governments, municipalities, colocation data centres, and domestic and international transit providers. The IXP itself is local, non-profit, vendor neutral and self regulating; “peering” is under free or commercial agreements, fast and low cost ($), while transit to and through the US is costly ($$$) for Canadian Internet services.]
Where Does Your Data Go?
http://vimeo.com/67102223
Where Should Your Data Go?
TORIX: > 130 Gig/sec
QIX: > 4 Gig/sec
OTTIX: > 350 Meg/sec
Critical Canadian Infrastructure @ IXP’s
• Root DNS Servers (PCH via ICANN/IANA)
• .CA DNS Servers (via CIRA)
• NTP Time Sync Servers (via CIRA or IXP)
• Major Content Providers
– Google/Youtube
– Akamai
– Limelight
– Microsoft/Bing/Skype
IXP Walled Gardens
• Are you “in the club” or not?
• The “local-only” .CA DNS anycast nodes are reachable by members of the IXP only.
• Attacks from non-members cannot affect service negatively for Canadians!
IXP Walled Gardens for .CA (cont.)
• Current walled-garden locations inside Canada
• Planned walled-garden locations inside Canada
[Map marking Calgary, Montreal, Ottawa, Toronto and Winnipeg]
.CA Global Vision
• Planned walled-garden locations inside of Canada
• Planned globally-reachable locations outside of Canada
Questions?