IETF 101, Day 4: The Brass Tacks about DNS and Routing

This week is IETF 101 in London, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. And Thursday is probably the busiest day for us, covering the whole range of our interests.

ROLL has its first of two sessions starting at 09.30 GMT/UTC; continuing on Friday morning. There are several drafts being discussed dealing with the issues of routing over resource constrained networks where limited updates are possible.

NOTE: If you are unable to attend IETF 101 in person, there are multiple ways to participate remotely.

There’s a choice between a couple of working groups after lunch, starting at 13.30 GMT/UTC.

DOH was chartered to create a single RFC, so clearly the draft DNS queries over HTTPS is going to be the primary focus of discussion. However, there will also be updates on the practical implementation work, and a discussion about possible future work if there is a decision to re-charter the group.

6LO runs in parallel and has a fairly busy agenda with Registration Extensions for 6LoWPAN Neighbor Discovery, and Address Protected Neighbor Discovery for Low-power and Lossy Networks having received feedback from the IESG. The drafts related to IPv6 Backbone Router and Packet Delivery Deadline time in 6LoWPAN Routing Header are being prepared for Working Group Last Calls, and there will also be updates on the 6LO applicability and use cases and from the fragmentation design team (draft-watteyne-6lo-minimal-fragment-00 and draft-thubert-6lo-forwarding-fragments-04). Finally, there’s a proposed update to RFCs 6550 and 6775 where 6LoWPAN ND nodes in a RPL domain do not participate in the routing protocol.

Following the afternoon break there’s the choice of SIDROPS, T2TRG or a joint NTP/TICTOC meeting, commencing at 15.50 GMT/UTC.

SIDROPS will be discussing several drafts related to the operational management of certificates in the RPKI, and in particular how to perform RPKI checks via a route server. There are also two drafts related to Trust Anchor Locators – one defining a TAL for RPKI with support for HTTPS URIs, whilst RPKI signed object for TAL defines how a RPKI signed object can be used to communicate a new Trust Anchor Locator to already deployed Relying Parties. There’s a working group sponsored draft on Requirements for RPKI Relying Parties, and finally a new proposed draft on Origin Validation Policy Considerations for Dropping Invalid Routes (not yet published).

T2TRG researches the issues of turning the IoT into reality, and will be discussing a key draft State-of-the-Art and Challenges for the Internet of Things Security. There will also be presentations on Deep learning on microcontrollers, Secure Computations in Decentralized Environments, and Semantic Interoperability Testing.

The NTP/TICTOC joint session is focusing on Network Time Security (NTS). This represents a significant update for NTP server authentication as secure and accurate time synchronization is vitally important for the proper operation of security protocols.

If you still have any remaining energy, there’s a couple of evening sessions starting at 18.10 GMT/UTC.

DNSOP holds its second session of the week, and the main draft of interest is the Multi-Provider DNSSEC Model that relates to deploying DNSSEC in environments where multiple DNS providers are in use.

Last but not least, UTA will be discussing drafts on Strict Transport Security (STS) for mail (SMTP) transfer agents and mail user agents as well as SMTP Require TLS Option.

For more background, please read the Rough Guide to IETF 101 from Olaf, Dan, Andrei, Steve, Karen and myself.


IETF 101, Day 2: A Bit of Rosie Lee (Mobility)

This week is IETF 101 in London, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. After a hectic Monday there’s less dashing around needed today, although there’s a few things to highlight, even if you’ll have to choose between them as they’re unfortunately all scheduled at the same time.

NOTE: If you are unable to attend IETF 101 in person, there are multiple ways to participate remotely.

DNSOP starts its first of two sessions at 15.50 GMT/UTC (it continues on Thursday). Several of the drafts under discussion relate to the Root KSK Rollover and how to better automate and monitor key rollovers.

At the same time, DOTS is also meeting and has a bit of a mixed agenda with four drafts up for discussion, implementation reports, and feedback on the Hackathon.

There are two drafts covering the Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel and Data Channel specifications, one that defines an architecture for establishing and maintaining signalling within and between domains, and a last one presenting use cases that describe the interactions and message exchanges expected between DOTS components.

Alternatively, DMM has a very busy agenda with no less than thirteen drafts under discussion. A selection of these includes DMM Deployment Models and Architectural Considerations, Proxy Mobile IPv6 extensions for Distributed Mobility Management, Segment Routing IPv6 for Mobile User Plane, and Segment Routing IPv6 as Data Plane for 3GPP N9 Interface (still awaiting the draft to be published). Worth highlighting too is the draft on Optimized Mobile User Plane Solutions for 5G.

For more background, please read the Rough Guide to IETF 101 from Olaf, Dan, Andrei, Steve, Karen and myself.


IETF 101, Day 2: A Bit of Rosie Lee (Mobility)

IETF 101 is taking place this week in London. The ISOC Internet Technology Team is bringing you daily blog posts highlighting the topics we find interesting. After a hectic Monday there is less to do today, although there are a few points worth highlighting, even if you will have to choose between them as they are unfortunately all scheduled at the same time.

NOTE: If you are unable to attend IETF 101 in person, there are multiple ways to participate remotely.

For more details, click here.




Deploy360@IETF99, Day 2: IoT, IPv6, DNSSEC, DPRIV & TLS

Tuesday is another hectic day at IETF 99 in Prague with a lot of relevant sessions for us. Each day we’re bringing you blog posts pointing out what Deploy360 will be focusing on.

The morning starts at 09.30 CEST/UTC+2 with a very full V6OPS meeting (which continues on Thursday afternoon). There’s a couple of deployment case studies up first – on turning IPv4 off in the Microsoft enterprise network, followed by some experiences of using dual-stacked websites with Happy Eyeballs – before a presentation on the current status of IPv6 deployment.

There are ten drafts being discussed, including requirements for IPv6 routers, which aims to document a set of IPv6 requirements for routers, switches and middle boxes based on design and architectural experience; specifying requirements for zero-configuration IPv6 CPEs; and using conditional router advertisements for connecting an enterprise network to multiple ISPs using address space assigned by an ISP. Version 2 of Happy Eyeballs is also being proposed, tweaking the algorithm whereby a dual-stack host tries to establish connections over both IPv4 and IPv6; and there’s an interesting draft proposing deployment of IPv6-only Wi-Fi at IETF meetings.
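To make the Happy Eyeballs idea concrete, here is an added worked example (not code from the draft, the page or any IETF implementation) of the RFC 8305 style connection race: the client interleaves its IPv6 and IPv4 addresses, starts attempts staggered by a short delay, keeps the first that succeeds and cancels the rest. The `simulated_connect` helper and the addresses and timings fed to it are constructed stand-ins for a real socket connect, so the block runs offline; the point it shows is that a black-holed IPv6 path costs the user roughly one attempt delay rather than a full TCP timeout.

```python
"""Happy Eyeballs v2 style connection racing (RFC 8305), as a worked example.

Added illustration, not code from the page or from the draft: a dual-stack
client interleaves its IPv6 and IPv4 addresses, starts connection attempts
staggered by a short delay, keeps the first one that succeeds and cancels the
rest. A simulated connect() stands in for a real socket so this runs offline."""
import asyncio

# RFC 8305 section 5 recommends a 250 ms "Connection Attempt Delay".
ATTEMPT_DELAY = 0.25


def interleave(addresses):
    """RFC 8305 section 4: alternate address families, IPv6 first, so a
    broken path for one family cannot starve the other."""
    v6 = [a for a in addresses if ":" in a]
    v4 = [a for a in addresses if ":" not in a]
    ordered = []
    while v6 or v4:
        if v6:
            ordered.append(v6.pop(0))
        if v4:
            ordered.append(v4.pop(0))
    return ordered


async def happy_eyeballs(addresses, connect, attempt_delay=ATTEMPT_DELAY):
    """Race connection attempts. connect(addr) is a coroutine that returns a
    connection (here just the address) or raises OSError. A new attempt starts
    when the previous one fails or when attempt_delay elapses, whichever comes
    first; the first success wins and all other attempts are cancelled."""
    queue = interleave(addresses)
    pending = set()
    try:
        while queue or pending:
            if queue:
                pending.add(asyncio.create_task(connect(queue.pop(0))))
                timeout = attempt_delay
            else:
                timeout = None  # nothing left to start: wait for stragglers
            done, pending = await asyncio.wait(
                pending, timeout=timeout, return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                if task.exception() is None:
                    return task.result()
                # a failed attempt: fall through and start the next one now
        raise OSError("all connection attempts failed")
    finally:
        for task in pending:
            task.cancel()


def simulated_connect(behaviour):
    """Constructed stand-in for a TCP connect: behaviour maps each address to
    (seconds until the attempt resolves, whether it succeeds)."""
    async def connect(addr):
        delay, succeeds = behaviour[addr]
        await asyncio.sleep(delay)
        if not succeeds:
            raise ConnectionRefusedError(f"simulated refusal from {addr}")
        return addr
    return connect


def race(addresses, behaviour, attempt_delay=ATTEMPT_DELAY):
    """Run one race to completion and return the winning address."""
    return asyncio.run(
        happy_eyeballs(addresses, simulated_connect(behaviour), attempt_delay))


if __name__ == "__main__":
    # Constructed scenario: the IPv6 path black-holes (never answers) while
    # IPv4 connects quickly; the client is connected after about one delay.
    BLACKHOLE_V6 = {"2001:db8::1": (30.0, True), "192.0.2.1": (0.02, True)}
    print(race(["192.0.2.1", "2001:db8::1"], BLACKHOLE_V6))
```

The `race` wrapper exists so that each scenario runs in its own event loop; a real client would call `happy_eyeballs` with a coroutine that opens a socket (for example `asyncio.open_connection`) and would also apply the address-sorting rules of RFC 6724 before interleaving.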

NOTE: If you are unable to attend IETF 99 in person, there are multiple ways to participate remotely.

Running in parallel is DPRIVE, which will be discussing the DNS over the QUIC protocol, measuring the usage of DNS-over-TLS, as well as next steps. At the same time, PERC will be discussing a draft related to DTLS tunnelling.

First up in the afternoon at 13.30 CEST/UTC+2 is T2TRG which is reviewing the outcome of the Workshop on IoT Semantic/Hypermedia Interoperability (WISHI), and will discuss what its future activities and deliverables should be.

In the late afternoon session starting at 15.50 CEST/UTC+2, there’s DNSOP (which continues on Thursday afternoon). There doesn’t look to be much DNSSEC-wise on the agenda today, although there is a draft to enhance the automatic updating of DNSSEC trust anchor process (as specified in RFC 5011).

Also running in parallel is CFRG, which discusses and reviews cryptographic mechanisms for network security. There are five drafts being discussed, including on the transition from classical to post-quantum cryptography. In addition, there are two proposals for new cryptographic techniques.

If you’re interested in the Internet-of-Things, then you can also check-out 6LO. This group focuses on facilitating IPv6 connectivity over node networks with limited power, memory and processing resources, and will be discussing drafts on Neighbour Discovery, IPv6 over low-power Bluetooth mesh networks, and transmission of IPv6 over electrical power lines.

For more background, please read the Rough Guide to IETF 99 from Olaf, Dan, Andrei, Mat, Karen and myself.


Deploy360@IETF98, Day 1: IoT, IPv6, DNSSEC & TLS

It’s a busy week IETF 98 in Chicago, and we’ll be bringing you daily blog posts that highlight what Deploy360 will be focused on during that day. And Monday is the busiest day, with a couple of working groups on the Internet-of-Things, along with sessions relevant to IPv6, DNSSEC and TLS.

The day kicks off at 09.00 CDT/UTC-6 with Homenet which is developing protocols for residential networks based on IPv6. This has one new draft up for discussion on a name resolution and service discovery architecture for homenets, but there’s been a lot of discussion recently about the recommendation to replace the use of  .home with .homenet as the default top-level name for local name resolution.

NOTE: If you are unable to attend IETF 98 in person, there are multiple ways to participate remotely.

Running in parallel is DMM that’s working on solutions to allow traffic to/from mobile nodes to take optimal routes, and has two IPv6-related items on the agenda. This includes an extension to the DHCPv6 protocol to support mobile hosts, and whether mobility extensions for ICMPv6 router advertisement messages are needed.

To complete the hectic morning is ACE which is developing authentication and authorization mechanisms for accessing resources on network nodes with limited CPU, memory and power.

In the afternoon, DNSOP is meeting from 13.00 CDT/UTC-6 and has a couple of items related to DNSSEC. One of these proposes a new mechanism for authenticated denial of existence, whilst the other proposes the use of the BLAKE2 cryptographic hash function in NSEC3 responses. Some of the other items on the agenda, such as DNS over TCP, also have potential impacts on DNS security and privacy.

At the same time is T2TRG that investigates open research issues of how to turn IoT into reality, and is reporting on its recent activities.

Concluding the day is CURDLE during the evening session. This has published RFCs 8080 and 8103 since the last IETF, and this time will be focusing on the cryptographic aspects of PKIX, CMS and SSH.

For more background, please read the Rough Guide to IETF 98 from Olaf, Dan, Andrei, Mat, Karen and myself.


Deploy360@IETF97, Day 2: DNS, TLS & More IPv6

Tuesday at IETF 97 in Seoul represents something of a mixed bag, with sessions on IPv6, DNS and TLS. Each day we’re bringing you blog posts pointing out what Deploy360 will be focusing on.

First up is 6MAN on Tuesday morning at 09.30 KST (UTC+9). On the agenda are several updates to the IPv6 specification as currently defined in RFC 2460, RFC 4291 and RFC 1981. Other drafts being discussed outline an optional mechanism for IPv6 Neighbour Discovery whereby hosts are instructed by routers to use router solicitations rather than multicast advertisements where it’s not desirable for all hosts to be continually woken up; define a new control bit in the IPv6 RA PIO flags to indicate that the receiving node is the exclusive receiver of traffic destined to any address within a prefix; specify requirements for IPv6 nodes; and specify a packet format for transporting IPv6 payloads to multiple IPv6 destinations using Bit Index Explicit Replication.

NOTE: If you are unable to attend IETF 97 in person, there are multiple ways to participate remotely.

There’s a clash between the Domain Name System Operations (dnsop) and Privacy Enhanced RTP Conferencing (perc) Working Groups on Tuesday afternoon at 13.30 KST (UTC+9). So we’ll be having to split our efforts between those, before heading to the Transport Layer Security (tls) Working Group for the evening session starting at 15.50 KST (UTC+9).

DNSOP is currently discussing several DNSSEC-related drafts. One recently submitted draft suggests an approach to managing Reverse DNS in IPv6 for Internet Service Providers, as the common practice of providing one PTR record for every IPv4 address does not scale to IPv6. There’s also a tranche of other updates, including Signaling Trust Anchor Knowledge in DNSSEC, which specifies two different ways for validating resolvers to signal which keys are being used in their chain of trust; Managing DS records from parent via CDS/CDNSKEY, which describes policies for signalling changes when undertaking key rollovers; and Aggressive use of NSEC/NSEC3 resource records, which allows DNSSEC-validating resolvers to generate negative answers for names within a range already proven empty, as well as positive answers from wildcards.
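The aggressive-use draft rests on a property of NSEC records worth seeing in code: a signed NSEC proves that no name sorts between its owner and its next name, so a resolver that has one in cache can answer NXDOMAIN for any such name without asking upstream. The following is an added worked example, not code from the draft or from any resolver; the `example.com.` NSEC chain it uses is constructed, and the `zone` field stands in for the signer name a real resolver would take from the RRSIG. It shows the canonical ordering comparison, the wrap-around record at the end of the chain, and why the resolver must also hold proof that no wildcard exists at the closest encloser before it synthesizes an answer.

```python
"""Aggressive use of cached NSEC records (RFC 8198), as a worked example.

Added illustration, not code from the page or from any IETF draft: given
NSEC records a validating resolver has already cached (each tagged with the
zone that signed it), decide whether a new query name can be answered
NXDOMAIN from cache. The sample zone data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Nsec:
    """A cached, already-validated NSEC record (type bitmap omitted)."""
    zone: str   # signer name from the RRSIG, e.g. "example.com."
    owner: str  # owner name of the NSEC record
    next: str   # the "next domain name" field


def canonical_key(name):
    """RFC 4034 section 6.1 canonical ordering: labels lowercased and compared
    right to left, so a name sorts as the list of its labels from the root.
    Python list comparison gives exactly that order (a prefix sorts first)."""
    labels = [lbl.lower().encode() for lbl in name.strip(".").split(".") if lbl]
    labels.reverse()
    return labels


def in_zone(rec, qname):
    """Only NSECs signed by an ancestor zone may say anything about qname."""
    z, q = canonical_key(rec.zone), canonical_key(qname)
    return q[:len(z)] == z


def nsec_covers(rec, qname):
    """True when qname sorts strictly between owner and next, i.e. the record
    proves that qname does not exist. The last NSEC in a zone has next == apex
    and therefore wraps around; without the zone check it would appear to
    cover every name in the DNS that sorts after its owner."""
    if not in_zone(rec, qname):
        return False
    o, n, q = canonical_key(rec.owner), canonical_key(rec.next), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around record


def closest_encloser(rec, qname):
    """Longest common ancestor of qname and the covering NSEC's owner or next
    name: the deepest name that provably exists above qname (RFC 7129 s5.5)."""
    q = canonical_key(qname)
    best = []
    for other in (rec.owner, rec.next):
        o = canonical_key(other)
        i = 0
        while i < min(len(q), len(o)) and q[i] == o[i]:
            i += 1
        if i > len(best):
            best = q[:i]
    return ".".join(lbl.decode() for lbl in reversed(best)) + "."


def synthesize_nxdomain(cache, qname):
    """Return (True, covering_nsec, wildcard_nsec) when the cache proves both
    that qname is absent and that no wildcard at the closest encloser could
    have answered it (RFC 8198 section 5.1 requires both proofs). Otherwise
    return (False, ...): the resolver must still send the query upstream."""
    for rec in cache:
        if nsec_covers(rec, qname):
            ce = closest_encloser(rec, qname)
            wildcard = "*." + ce if ce != "." else "*."
            for wrec in cache:
                if nsec_covers(wrec, wildcard):
                    return True, rec, wrec
            return False, rec, None  # absence proven, wildcard not yet
    return False, None, None


# Constructed NSEC chain for a zone example.com. holding only the apex,
# alpha.example.com. and delta.example.com. (no delegations, no wildcards).
CACHE = [
    Nsec("example.com.", "example.com.", "alpha.example.com."),
    Nsec("example.com.", "alpha.example.com.", "delta.example.com."),
    Nsec("example.com.", "delta.example.com.", "example.com."),  # wraps to apex
]

if __name__ == "__main__":
    for name in ("charlie.example.com.", "zulu.example.com.",
                 "alpha.example.com.", "example.org."):
        ok, covering, wildcard_proof = synthesize_nxdomain(CACHE, name)
        print(f"{name:22} NXDOMAIN from cache: {ok}")
```

Two of the checks matter operationally: the zone test stops the wrap-around record of `example.com.` from "proving" that `example.org.` does not exist, and dropping the apex NSEC from the cache leaves the resolver with proof that `charlie.example.com.` is absent but none about `*.example.com.`, so it must still query rather than synthesize. Delegations (NSECs with the NS bit and no DS) need an additional check that this example leaves out.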

PERC will be discussing just a couple of Deploy360 relevant drafts. The first defines a DTLS tunneling protocol that enables a Media Distribution Device (MDD) to facilitate key exchange between an endpoint and a Key Management Function (KMF); whilst SRTP Double Encryption Procedures defines procedures to allow an intermediary node to manipulate RTP parameters while still providing strong end-to-end security.

That just leaves the first session of TLS which has several issues on the agenda. One is whether to rebrand the forthcoming TLS 1.3 to TLS 2.0 given the significant changes in the specification. Another is the ongoing draft defining a new TLS extension to allow clients to perform DANE authentication of a TLS server certificate without needing to perform additional DNS record lookups. Finally, Delegated Credentials for TLS describes a mechanism to allow TLS servers to make delegated changes to certificates or cryptographic algorithms without breaking compatibility with clients.

For more background, please read the Rough Guide to IETF 97 from Olaf, Dan, Andrei, Mat, Karen and myself.


Deploy360@IETF91, Day 2: UTA, DPRIVE, BGP in ANRP, 6LO and IOT, DNSOP

For us at Deploy360, Day 2 of IETF 91 brings a heavy focus on DNSSEC and DNS security in general with both DNSOP and DPRIVE meeting. Today also brings one of the key working groups (UTA) related to our “TLS in Applications” topic area. There is a key WG meeting related to using IPv6 in “resource-constrained” environments such as the “Internet of Things” (IoT) … and a presentation in the Internet Research Task Force (IRTF) about BGP security and the RPKI.

These are, of course, only a very small fraction of the many different working groups meeting at IETF 91 today – but these are the ones that line up with the topics we write about here at Deploy360.

Read on for more information…

NOTE: If you are not in Honolulu but would like to follow along, please view the remote participation page for ways you can listen in and participate.  In particular, at this IETF meeting all the sessions will have Meetecho coverage so you can listen, watch and chat through that web interface.  All agenda times are in HST, which is UTC-10 (and five hours earlier than US Eastern time for those in the US). I suggest using the “tools-style” agenda as it has easy links to the chat room, Meetecho and other documents for each session.

In the morning 9:00-11:30 block we once again will be splitting ourselves across multiple working groups.  In Coral 2 will be the “Using TLS in Applications” (UTA) working group looking at how to increase the usage of TLS across applications.  The UTA WG is a key part of the overall work of the IETF in strengthening the Internet against pervasive monitoring and should be quite a well-attended session.  The UTA agenda includes multiple drafts related to TLS and email, a discussion of a proposal around “token binding” and what should be an involved discussion about the TLS “fallback dance”, i.e. what should happen when a TLS connection cannot be made at the requested level of security?

On the topic of UTA, I’ll note that one of the group’s main documents, draft-ietf-uta-tls-bcp, a best practice document on “Recommendations for Secure Use of TLS and DTLS”, has a new version out that incorporates all of the feedback received to date. This document should soon be at the point where it will enter the publication queue.

Meanwhile, over in the Kahili room the 6LO WG will be talking about using IPv6 in “resource-constrained” and low power environments. The work here is important for sensor/device networks and other similar “Internet of Things” (IoT) implementations. Among the 6LO agenda items are a discussion of using IPv6 in near field communications (NFC) and what should be quite an interesting discussion around the challenges of using different types of privacy-related IPv6 addresses in a constrained environment.

Simultaneously over in Coral 4 will be the open meeting of the Internet Research Task Force (IRTF) and of particular interest will be the presentation by one of the winners of the Applied Networking Research Prize (ANRP) that is focused on BGP security and the Resource Public Key Infrastructure (RPKI).  As the IRTF open meeting agenda lists the abstract:

The RPKI (RFC 6480) is a new security infrastructure that relies on trusted authorities to prevent attacks on interdomain routing. The standard threat model for the RPKI supposes that authorities are trusted and routing is under attack. This talk discusses risks that arise when this threat model is flipped: when RPKI authorities are faulty, misconfigured, compromised, or compelled (e.g. by governments) to take certain actions. We also survey mechanisms that can increase transparency when RPKI authorities misbehave.

The slides for the presentation are online and look quite intriguing!

After that we’ll be spending our lunch time at the “ISOC@IETF” briefing panel that is focused this time on the topic of “Is Identity an Internet Building Block?”  While not directly related to our work here at Deploy360 we’re quite interested in the topic.  I will also be directly involved as I’ll be producing the live video stream / webcast of the event.  You can join in and watch directly starting at 11:45 am HST (UTC-10). It should be an excellent panel discussion!

As I described in my Rough Guide post about DNSSEC, the 13:00-15:00 block brings the first meeting of the new DPRIVE working group that is chartered to develop “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.”  The DPRIVE agenda shows the various documents under discussion – there are some very passionate views on very different perspectives… expect this session to have some vigorous discussion!

In the last 15:20-17:20 meeting block of the day we’ll focus on the DNS Operations (DNSOP) Working Group where the major DNSSEC-related document under discussion will be Jason Livingood’s draft-livingood-dnsop-negative-trust-anchors that has generated a substantial bit of discussion on the dnsop mailing list.  The DNSOP agenda contains a number of other topics of interest, including a couple added since the time I wrote about DNS for the Rough Guide.  The discussion about root servers running on loopback addresses should be interesting… and Brian Dickson (now employed by Twitter instead of Verisign) is bringing some intriguing new ideas about a DNS gateway using JSON and HTTP.

After all of that, they’ll let us out of the large windowless rooms (granted, in the dark of evening) for the week’s Social event that will apparently be a Hawaiian Luau.  After all the time inside it will be a pleasure to end the day in casual conversations outside. Please do look to find us and say hello… and if you are not here in Honolulu, please do join in remotely and help us make the Internet work better!

Relevant Working Groups

We would suggest you use the “tools-style” agenda to find links to easily participate remotely in each of these sessions.

UTA (Using TLS in Applications) WG
Tuesday, 11 Nov 2014, 900-1130, Coral 2

6LO (IPv6 over Networks of Resource-constrained Nodes) WG
Tuesday, 11 Nov 2014, 900-1130, Kahili

IRTF (Internet Research Task Force) Open Meeting
Tuesday, 11 Nov 2014, 900-1130, Coral 4

DPRIVE (DNS PRIVate Exchange) WG
Tuesday, 11 November 2014, 1300-1500 HST, Coral 5

DNSOP (DNS Operations) WG
Tuesday, 11 November 2014, 1520-1720 HST, Coral 4

For more background on what is happening at IETF 91, please see our “Rough Guide to IETF 91” posts on the ITM blog:

If you are here at IETF 91 in Honolulu, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.