Categories
Deploy360 Events

IPv6, DNSSEC, Security Videos Online from ION Bucharest

We held ION Bucharest last year alongside the Romanian Network Operators’ Group (RONOG). It took a little longer than usual, but now all the presentations and video archives are available online. As we gear up for ION Islamabad next week on 25 January, this is a chance to get a sneak peak at the type of content we’ll be presenting! Bucharest was filled with IPv6, DNSSEC, DANE, TLS, IETF, and Routing Security information, and now you can watch it all from the comfort of your own device.

Thank you to everyone who joined us in person in Bucharest or via the webcast. If you attended, I hope you found the event enjoyable and informative. If you missed it, you can still catch up!

We’d love to hear your feedback on these sessions or the ION Conferences as a whole.

We would like to once again thank Afilias for supporting ION Bucharest as an ION Conference series sponsor.

Stay tuned to this blog for announcements about the rest of our 2017 ION Conference lineup, and of course we’ll be in touch on our social media channels until then.

(And, as always, if you’re eager to get started deploying these technologies, visit our “Start Here” page to find resources targeted at your type of organization or role.)

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) IPv6

ION Bucharest / RONOG 3: The Case for DNSSEC & IPv6

ION Bucharest

The Deploy360 team has just returned from Romania where we held our third ION Conference of the year. This was organised jointly with RONOG 3 – the meeting of the Romanian Network Operators Group – on 12 October 2016 at the Novotel Bucharest Hotel, and attracted 85 participants from several countries.

Kevin Meynell opened the event with an overview of the Deploy360 programme, before handing over to Dan York who discussed Deploying DNSSEC. He outlined the problems that DNSSEC aims to solve, whereby end users are assured that information returned from a DNS query is the same as that provided by the domain name holder; running through examples of how the DNS can be hijacked. These assurances are established using cryptographic principles through a chain-of-trust originating from the root DNS servers, and propagated through signed Top-Level Domain (TLD) and subsequent sub-domain zones .

All major DNS resolvers support DNSSEC validation, although some require a configuration change, and around 15% of all global DNS queries are currently validated. Romania was actually significantly better with around 43% of DNS queries being validated overall, with some network operators even validating more than 90%.

ion-openingA common question was why DNSSEC was required if TLS/SSL is being used. The answer is that whilst TLS can validate a remote site and provide encryption between a server and client, a Certificate Authority (CA) can actually issue a digital certificate for any domain and have done so erroneously in the past. Middle boxes such as firewalls can also re-sign sessions, so end users cannot guarantee that the presented certificate is actually the one the remote site intends them to use. This is where DNS-based Authentication of Name Entities (DANE) is beneficial, as it allows certificate information to be stored in the DNS and signed with DNSSEC to allow end users to validate that the correct certificate is being used. DANE is particularly useful for non-web applications such as SMTP (e-mail) and XMPP (Jabber) where it is difficult to visually identify the validity of a certificate.

Dan finally touched on new developments in DNS Privacy that aims to encrypt queries between clients and resolvers. These are currently sent in the clear, which means it is possible to determine which sites users are visiting. The IETF DPRIVE Working Group is therefore developing a standard to encrypt DNS queries using TLS, with implementations expected in the near future.

Jan Žorž followed-up on DANE adoption in more depth, and how he’d deployed it in the Go6lab. Information on how this was undertaken has previously been covered in the Let’s Encrypt certificates for mail servers and DANE blogs, but the message is that it can be straightforward and with the .ro domain supporting DNSSEC, there are no reasons not to deploy this significant enhancement to network security.

Catalin Leanca (ROTLD) then discussed how they had implemented DNSSEC for the .ro domain. ROTLD is a department of the National Institute for Research and Development in Informatics (ICI), which is a state-owned company coordinated by the Ministry of Communications. As such it is the IANA delegated ccTLD authority for .ro, and currently registered just under 849,000 domains.

ROTLD started experiments with DNSSEC back in 2012, testing different implementations of hardware and software, and then upgrading their registration and monitoring systems to support DNSSEC. This culminated in the signing of the .ro domain in May 2016, with general public availability being introduced in July 2016. At the present time, around 150 domains had been signed in .ro, and ROTLD were currently working to raise awareness through workshops organised for registrars and registrants.

img_0917Following the break, Kevin presented the MANRS initiative and Routing Resilience Manifesto which aims to help network operators around the world to improve the security and resilience of the global routing system through four actions that include filtering, anti-spoofing, coordination and address prefix validation.

Attention then turned to IPv6, with Alvaro Vives (RIPE NCC) making the case for why IPv6 should be deployed. 2016 has seen substantial uptake of IPv6 with global adoption (as measured by Google) having risen by nearly 50% since January. The leading region is North America (ARIN) with nearly 18%, with Europe (RIPE) coming in around 11% although Belgium leads the world with over 46% usage. The situation in Romania is actually quite positive at just under 7% usage, especially when compared to neighbouring countries, and whilst no Local Internet Registries (LIRs) currently qualified for the 5-star RIPEness rating, 32% of LIRs did qualify for a 4-star rating and just 17% employed no IPv6 at all.

This led into the lively panel session on IPv6 success stories moderated by Lucian Constantin (IDG News Service) and including Jan and Alvaro. The panel focused on the message that deploying IPv6 was not a complex or expensive process, but IPv4 addresses were a finite resource and were increasingly only obtainable through recovery and trading which would impose a real cost on network providers. The expected growth in mobile and IoT (Internet-of-Things) devices would further pressure existing IPv4 resources, and with major network operator and content providers now actively moving to IPv6, non-adopters would be gradually left behind.

view-from-the-front

There were questions from the audience about the perceived poorer performance of IPv6 (which we’ve covered in a previous post), as well as the maturity of the protocols. However, it was pointed out it was an unequal comparison as IPv6 peerings were not currently the same or as comprehensive as with IPv4, so connections were sometimes having to take different routes. Similarly, some IPv6 connections were having to traverse gateway or tunnels, but the indications were that under the same conditions, IPv6 performed as well or even better than IPv4. The issue was not the underlying protocol, and as more IPv6 was deployed it was expected that many of the currently observed differences in performance would diminish.

Rounding off the day, Kevin talked about what was happening at the IETF and how to get involved. He pointed out that had been 1,902 registered participants from 70 countries at the recent IETF in Berlin, but just 2 from Romania. There was clearly an active Internet community in Romania but limited engagement with the IETF, so he encouraged the local community to check out the IETF Fellows and Regulators to the IETF programmes.

img_0918Deploy360 would like to thank RONOG for hosting this ION, as well as Platinum Sponsors InterLan IX and InfoBlox, Gold Sponsors Tata Communications and IP Broker, Silver Sponsors Internet Society and RIPE NCC, Bronze Sponsor Starnet Media, and Streaming Sponsor Media Sat. Thanks also to the media partners, and to everyone else who contributed towards making the event a successful and productive one.

Further Information

The proceedings from ION Bucharest are available here, and the webcast is also available on our YouTube channel.

If you’re inspired by what you see and read, then please check out our Start Here page to understand how you can get started with DNSSEC, DANE and IPv6.

Categories
Deploy360 Events To archive

Watch ION Bucharest LIVE TODAY!

ION BucharestToday’s the Day! Tune in today starting at 2PM EEST (UTC+3) for ION Bucharest, where we’ll be discussing IPv6, DNSSEC, MANRS and Routing Security, the IETF, and more!

Click Here To Watch the Webcast (over IPv6, of course)

We’ll also be active on our social media channels over the course of the day, so follow along with #IONConf and get involved!

I hope you can join us for what is sure to be an interesting and informational afternoon.

Categories
Deploy360 Events

Agenda, Speakers, and Webcast Information for ION Bucharest on 12 Oct

ION Bucharest LogoIt’s almost here! ION Bucharest is just two days away, taking place on Wednesday, 12 October, alongside the Romanian Network Operators’ Group (RONOG). Our final agenda and great lineup of speakers are all set.

Agenda

We’ve got a half-day program, and we’ll cover the following topics:

  • Introduction to the Internet Society and Deploy360
    Kevin Meynell, Internet Society
  • Deploying DNSSEC
    Dan York, Internet Society
  • Romanian DNSSEC Case Study
    Catalin Leanca, ICI ROTLD
  • Let’s Encrypt & DANE
    Jan Žorž, Internet Society
  • Mind Your MANRS & the Routing Resilience Manifesto
    Kevin Meynell, Internet Society
  • The Case for IPv6
    Alvaro Vives, RIPE NCC
  • Panel Discussion: IPv6 Success Stories
    Moderator: Lucian Constantin, IDG News Service
    Panelists: George Puiu, Telekom Romania; Alin Stefanescu, Bestnet Service; Alvaro Vives, RIPE NCC; Jan Žorž, Internet Society
  • What’s Happening at the IETF? Internet Standards and How to Get Involved
    Kevin Meynell, Internet Society

Webcast & Social Media

Please visit the Webcast Information page where we’ll be livestreaming the event (over IPv6, of course). We’ll also be active on our social media channels over the course of the day, so follow along with #IONConf and get involved!

Sponsors

As usual, we are thankful that this ION has generous support from our ION Conference Series Sponsor Afilias. There are still sponsorship opportunities available for future events if you’re interested! RONOG is being hosted by InterLAN.

Join Us

We hope you can join us in Bucharest on 12 October at the Novotel Bucharest City Center. Register online if you can join us in person, or just tune into the webcast starting at 2PM local time (UTC+2)

Categories
Deploy360 Events

Draft Agenda for ION Bucharest on 12 October

ION Bucharest LogoION Bucharest will take place on Wednesday, 12 October 2016, alongside the Romanian Network Operators’ Group (RONOG). We’ll have a half-day program so we can cover topics including IPv6, DNSSEC, MANRS and Routing Security, and the IETF.

We’re excited to announce the draft agenda for this great event, including:

  • Introduction to the Internet Society and Deploy360
  • Deploying DNSSEC
  • Romanian DNSSEC Case Study
  • Let’s Encrypt & DANE
  • Mind Your MANRS & the Routing Resilience Manifesto
  • The Case for IPv6
  • Why Deploy IPv6 Panel
  • What’s Happening at the IETF? Internet Standards and How to Get Involved

This is a draft agenda, so if there’s something you’d love to see or you’d like to participate as a speaker on this agenda, please let us know.

As usual, we are thankful that this ION has generous support from our ION Conference Series Sponsor Afilias. There are still sponsorship opportunities available if you’re interested!

We hope you can join us in Bucharest on 12 October at the Novotel Bucharest City Center. We’re planning to webcast the event, so stay tuned for more information on that as well as registration information, agenda updates, speaker announcements and more!

Categories
Deploy360 Events

ION Bucharest on 12 October: IPv6, DNSSEC, RPKI & More!

ION Bucharest LogoIt’s official! Our next ION Conference will be ION Bucharest on 12 October 2016. This time, we’ll be co-locating with the Romanian Network Operators’ Group (RONOG). We’re very thankful for the enthusiasm and support we’ve received from RONOG. Also, as usual, this ION has generous support from our ION Conference Series Sponsor Afilias.

We’ll have a half-day program and cover some combination of our favorite topics including IPv6, DNSSEC, Securing BGP, and the IETF. We’re working on a draft agenda and will soon be filling the speaker slots, so if you’ll be in Romania in October or are already planning to attend RONOG and you think you might make a good candidate, please speak up in the comments below or via our social media channels. The agenda may include things like:

  • Update from ISOC Romania Chapter
  • IPv6 Update
  • IPv6 Deployment panel
  • DNSSEC & DANE
  • RPKI & Routing Security
  • Collaborative Security & Mutually Agreed Norms for Routing Security (MANRS)
  • What’s Happening at the IETF? Internet Standards and How to Get Involved

We’re still working out the logistics and registration details, so stay tuned to the ION Bucharest website or this blog for more information. We’re also hoping to live stream the ION, so even if you can’t be there in person you’ll be able to follow along online. (Stay tuned for more information on that as we get closer.)

We’re also working on one more ION Conferences for 2016, as well as our 2017 and beyond locations. Are you part of something that might lend itself to co-locating with an ION? Let us know! We hold three or four events each year in locations all over the world, and we are open to all sorts of opportunities. Contact us to discuss co-location possibilities, or how your company could sponsor ION Bucharest or a future ION Conference.

We hope to see you in Bucharest on 12 October, or at a future event!