Tech Day

Home Network Registry Idea

Jacques Latour, CTO, Canadian Internet Registration Authority

October 30, 2017


Today’s Home Network & IoT implementations are disparate, kind of scary & need structure!

ICANN60 – Abu Dhabi - Home Network Registry Idea


The home network of the future should be safe, secure and simple to use!


The home network should be reachable from the internet seamlessly and securely


Maybe even your car should be connected to your home network, because your home is bigger than your house


And the home network grows to include personal and wearable IoT, inside and outside the home…


Your home network traffic, both internal and external, should be secured using a common key


Do I need to say more?


Seriously, what does this bring to the domain industry?

A domain name per household!!!

la-house-a-latour.ca


Leveraging the chain of trust in DNSSEC and some innovation to create a secure home network platform


home.arpa. (draft-ietf-homenet-dot-14)

<<The naming mechanism needs to function without configuration from the user. While it may be possible for a name to be delegated by an ISP, homenets must also function in the absence of such a delegation.>>

• Let’s make delegated “home” domains function without user configuration!


The focus is on Automation

+

Registry Automation

Home Network Automation


Innovation


Your local ccTLD will provision your domain, sign it with DNSSEC and establish a secure chain of trust to your local home gateway, magically solving all your worries and keeping your online family safe


Remember, it’s an idea. So far it looks like this…

That’s supposed to be a napkin design


Step 1

• When you buy a home gateway, it comes bundled with a .CA home network domain

+ RFID card (code to activate provisioning and domain)


Step 2

• Then you follow the provisioning instructions

– Install & open the CIRA Home Gateway app

– Turn on the Home Gateway

– “TAP” your mobile to discover the home gateway

– Pick a domain name

– Enter the secret code (“TAP” RFID card)

– Home Gateway ready for configuration

la-house-a-latour.ca + code


Step 3

• Automated Backend Provisioning @ CIRA

– CIRA creates the .CA domain name in the registry

– CIRA signs the .CA domain with DNSSEC

– CIRA is primary for the external DNS view of the .CA domain

– CIRA provides secondary DNS to the .CA domain

[Diagram labels: DNSSEC (Keys); EXTERNAL (Internet)]


Step 4

• Automated Home Gateway provisioning

– Establish secure connection to Home Gateway

– Securely send private DNSSEC key to Home Gateway, set up internal DNS and DNSSEC

– Configure Home Gateway for DNS integration with registry (à la dynamic DNS) for external services

[Diagram labels: DNSSEC (Keys); EXTERNAL (Internet); INTERNAL (Home Network); Dynamic DNS]


Step 5

• Set up secure home network infrastructure

– Using your trusted mobile & the app, “TAP” the Home Gateway to:

• Learn the WIFI password

• Get the IPSec password to VPN into your home network

– Use your mobile and “TAP” all your IoT devices to add them to your home WIFI network, easy peasy


High Level Architecture

[Architecture diagram labels: OpenWrt Home Gateway; Internet Home Network Trust; Home Network Registry; Internal DNS/DNSSEC; External IPSEC; D-Zone firewall; la-house-a-latour.ca; Home Gateway Provisioning; .CA home domain; Primary DNS .CA home domain; IPv6 ONLY; IoT Cloud Services (D-Zone Firewall); Remote Home Network Access (VPN IPSec); Wifi, MiFi, Zigbee, NFC, RFID]


What do you think?


Want to help?


Going forward, it’s a journey!

• Motivation

– Ensure long term ccTLD relevance in the future of IoT

• Proposing ccTLD to develop a solution

– To keep the home network safe and secure

– To create a secure <internet home> IoT environment

– To leverage DNSSEC as an innovation platform to create a hub for “home trust”

– That leverages the ccTLD registry expertise

– To enhance OpenWRT with this functionality


Next Steps

• Develop a Proof of Concept and prototype using .CZ Omnia

• Use public GitHub with functional specification and prototype software

• Research IETF Homenet DNS related drafts/RFC

• Opportunity:

– Put .CA domains in the forefront as a trusted homenet domain name for personal _HOME_ usage when end to end security is required

– Sell CIRA Home Gateways


The new <Internet Home>

https://github.com/CIRALabs/Home-Network-Registry-Gateway
