Categories
Deploy360 Events

IPv6 and DNSSEC Videos from ION Islamabad Now Online

In January, we hosted ION Islamabad alongside the South Asia Network Operators Group (SANOG) conference, SANOG 29. Our half-day program covered topics including IPv6, DNSSEC, Securing BGP, and TLS for Applications. Now, all the presentations and video archives are available online.

Kevin Meynell did a great job recapping the ION in his blog post, “ION Islamabad: Pushing IPv6 and DNSSEC deployment in Pakistan.” Now is your chance to watch the video archives and relive it for yourself.

Thank you to everyone who joined us in person or via the webcast. If you attended, I hope you found the event enjoyable and informative. If you missed it, you can still catch up! We’d love to hear your feedback on these sessions or the ION Conferences as a whole.

We would like to once again thank Afilias for supporting ION Islamabad as an ION Conference series sponsor. Stay tuned for announcements about the rest of our 2017 ION Conference lineup, continuing next with ION Costa Rica in July, and of course we’ll be in touch on our social media channels until then.

(And, as always, if you’re eager to get started deploying these technologies, visit our “Start Here” page to find resources targeted at your type of organization or role.)

Categories
Deploy360 IPv6

The Business Case for IPv6 in Pakistan

We had a very successful ION conference in Islamabad on 25 January 2017, and amongst the interesting topics presented at the conference, it’s worth highlighting the statistics on IPv4 and IPv6 allocation in Pakistan. Let me share those in detail here.

As per the APNIC resource delegation data (as of 1 January 2017). There are 5,314,816 IPv4 address allocated to ISPs and enterprises in Pakistan. However, if you look at the graph then it shows PTCL as the holder of nearly 73% IPv4 addresses in Pakistan, leaving the remaining 27% to the rest of the ISPs and enterprises. PTCL is undoubtedly the biggest broadband provider in Pakistan and also provides services to Ufone (telco operator), so you’d expect them to have the largest user base for both wired and mobile broadband services.

The main concern though, is that it’s now only possible to obtain a /22 IPv4 prefix from APNIC (as per the last /8 policy), and those will soon be exhausted. This means that if ISPs need more IPv4 address, the only option will be to buy them open market. The current going rate for IPv4 addresses is around USD 10 for each address  in a /18 block, plus the APNIC transfer fees, which amounts to nearly USD 164K for 16,384 IPv4 addresses.

The other option is deploying Carrier Grade NAT (CGN) to put many users behind a single IPv4 address.In theory, it’s safe to consider that each user may have around 250 concurrent sessions, so with around 65,000 sessions available per IP address, it’s possible to put 250 users behind a single IPv4 address with CGN. The downside though, are that you need powerful boxes to manage that many sessions and it is difficult to guarantee performance.

There’s another graph showing IPv6 delegations in Pakistan, with a very uniform address allocation to all existing APNIC members (with few negligible exceptions). No single entity has an edge over another, and it doesn’t cost anything extra (if you already hold IPv4 addresses) to obtain IPv6 addresses from APNIC. There’s no need to install complex and difficult to manage CGN solutions, nor buy expensive IPv4 addresses from the open market. It’s an open and level playing field for all operators wanting to serve the 200 million plus population of Pakistan.

For many years there was a big debate in Pakistan about the financial benefit of deploying IPv6, but these statistics clearly illustrate the business case for doing it. You can either deploy IPv6 at minimal cost by upgrading some old hardware (very rare), or deploy CGN and buy IPv4 from open market at significant expense. The choice is yours!

Deploy360 aims to help you deploy IPv6, so please take a look at our Start Here page to understand how you can get started with IPv6.

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC)

ION Islamabad: Pushing IPv6 and DNSSEC deployment in Pakistan

The Deploy360 team was straight into action in 2017 with our first ION Conference of the year. This was held on 25 January 2017 at the Higher Education Commission Headquarters in Islamabad, Pakistan, and attracted 71 participants from across South Asia. The event was hosted by the Pakistan Telecommunications Authority and the Higher Education Commission of Pakistan, was sponsored by Afilias, and was co-located with the 29th South Asia Networking Operators Group (SANOG) meeting which was held over the previous two days.

The conference was chaired by Kevin Meynell from the Deploy360 team who opened proceedings with an overview of the Deploy360 programme, before handing over to Champika Wijayatunga (ICANN) who discussed deploying DNSSEC.

He outlined the problems that DNSSEC aims to solve, whereby end users are assured that information returned from a DNS query is the same as that provided by the domain name holder; running through examples of how the DNS can be compromised such as cache poisoning and query interception. These assurances are established using cryptographic principles through a chain-of-trust originating from the root DNS servers, and propagated through signed Top-Level Domain (TLD) and subsequent sub-domain zones.

All major DNS resolvers support DNSSEC validation and 87% of TLDs were now signed, although this unfortunately didn’t currently include the .pk TLD. However, this dropped to only 3% for Second-Level Domains (SLDs), which could be attributed to a lack of knowledge and interest in deploying DNSSEC, as well as a lack of support from registrars claiming a subsequent lack of demand.

Whilst the new ICANN registrar agreement requires registrars to support DNSSEC, organisations could increase deployment by signing their zones and turning on validation on their DNS resolvers. A number of DNSSEC management tools were available for BIND, NSD and PowerDNS, as well as DNS appliances offering fully automated key generation, signing and roll-over. Users should similarly request their ISPs to turn on validation, as it was in the interests of all Internet users for DNSSEC to be widely deployed.

Jan Žorž followed-up on another application of DNSSEC, whereby it can be used in conjunction with DNS-based Authentication of Name Entities (DANE) to validate digital certificates. These are commonly used by TLS to validate a remote site and provide encryption between a server and client, but are currently issued by Certificate Authorities (CAs) who can actually issue a certificate for any domain and may do so erroneously. DANE provides an alternative by allowing certificates to be stored in the DNS and signed with DNSSEC, enabling end users to validate that the correct certificate is being used.

Jan explained how he’d deployed and tested DANE in the Go6lab which has previously been covered in the Let’s Encrypt certificates for mail servers and DANE blogs. However, the message is that deployment can be straightforward and is particularly useful for non-web applications such as SMTP (e-mail) and XMPP (Jabber) where it is difficult to visually identify the validity of a certificate.

Following the break, Aftab Siddiqui presented the MANRS initiative and Routing Resilience Manifesto which aims to help network operators around the world to improve the security and resilience of the global routing system. The Boundary Gateway Protocol (BGP) underpins the Internet routing system, but is substantially based on global trust and there is little validation of the legitimacy of routing updates. For example, there was a particularly well-known incident in 2008 whereby a local routing update in Pakistan resulted in YouTube becoming unavailable in large parts of the world.

There are some techniques that can be employed to improve trust such as IP prefix and AS-PATH filtering, RPKI, IRR, Whois and Peering databases, whilst BGPSEC is under development at the IETF. Nevertheless, these could be more effectively deployed, and a particular issue is that it’s only beneficial for network operators to take these if a significant number of others are also doing the same. MANRS therefore aims to promote a culture of collective responsibility through four actions that include filtering, anti-spoofing, coordination and address prefix validation.

90 network operators had already signed-up to MANRS, and a number of resources have been developed to help others implement the actions. This includes the MANRS Best Current Operational Practice which is a technical document providing step-by-step instructions, along with a set of online training modules. MANRS was currently looking for partners interested to include the modules within their own training curricula, as well as helping develop a MANRS certification programme. Network operators can sign-up for this on the Routing Resilience Manifesto website.

A major theme of any ION Conference is IPv6, and Pubudu Jayasinghe (APNIC) provided an overview of IPv6 adoption in the Asia-Pacific region. Over 48% of Internet users were located in the Asia-Pacific region, with China and India accounting for over a billion of the approximately 3.4 billion users globally. However, with over 3.5 billion potential users in the region, it was clear that IPv4 would be insufficient to meet future needs, and APNIC had less than 50% of its final /8 available.

Unfortunately, IPv6 deployment was lagging in South Asia, with just over 5% of users being IPv6 capable. Even this belied realities as India distorted the figures with a 15% capability, whereas all other countries bar Sri Lanka (2%) barely registered. Pakistan had a 0.1% deployment rate for IPv6, with Google (97%) being far ahead of the Pakistan Education and Research Network (0.66%) in second place.

Aftab then provided some additional information about the status of IPv6 in Pakistan. The country currently had around 5.3 million IPv4 addresses for a population of over 200 million, which effectively meant that even using Network Addressing Translation (NAT) techniques, current address allocations could serve a maximum of 1.5 sessions per user. This would simply be insufficient for a functional Internet, but it would simply not be possible to obtain any more IPv4 addresses in future.

Turning to IPv6 in Pakistan, there were currently 69 Local Internet Registries (LIRs) that had obtained IPv6 addresses. The interesting factor though, was that the most prolific deployers of IPv6 were smaller operators, whereas the larger operators other than PERN barely appeared in the figures. A conclusion that might be drawn is these smaller operators will have a competitive advantage over the others in future, which means they need to be planning for the transition to IPv6 by applying for addresses, sending technical staff to IPv6 training, and looking into how to provide IPv6 services to customers.

This theme continued during the lively panel session on IPv6 success stories that was moderated by Kevin with participation from Zaeem Arshad (Rapid Compute), Yoshinobu Matsuzaki (Internet Initiative Japan), Jawad Raza (PERN) and Jan. The discussion kicked-off with the IPv6 deployment experiences of the local network operators, and the reasons why there appeared to be reluctance to deploy IPv6 in Pakistan. The feeling was that local operators did not see it as a priority, combined with a concern that it might prove problematic. However, it was clear that NAT was causing significant performance and management issues, and neither could it accommodate future demand for IPv4 within Pakistan.

The panel added that all modern operating systems could support IPv6, and that hardly anyone would think of using older obsolete versions. The same consideration should apply to the IP protocols, especially as it was possible to ensure that IPv6 had backwards compatibility with IPv4 using NAT64 and DNS64. By employing these techniques, the user experience should not be worsened when accessing IPv4 services, but will provide a better service when using IPv6 natively. Many major services such as Google, Facebook and LinkedIn already support IPv6, and as more switch over, clients would automatically connect with IPv6 without the need for an intervening translation mechanism.

To conclude the day, Kevin talked about what was happening at the IETF and how to get involved. He pointed out that had been 1,042 participants from 52 countries at the last IETF in Seoul, but just 3 from Pakistan. There was clearly an active Internet community in Pakistan but limited engagement with the IETF, so he encouraged the local community to check out the IETF Fellowship and IETF Policy programmes.

Deploy360 would like to thank SANOG, the Pakistan Telecommunication Authority and the Higher Education Commission of Pakistan for hosting and supporting this ION. Thanks also to the speakers and everyone else who contributed towards making the event a successful and productive one.

Further Information

The proceedings from ION Islamabad are available here, and the webcast will  also be available on our YouTube channel shortly.

If you’re inspired by what you see and read, then please check out our Start Here page to understand how you can get started with DNSSEC, DANE and IPv6.

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) IPv6

Agenda, Speakers, and Webcast Information for ION Islamabad on 25 Jan

ION IslamabadJust a reminder that ION Islamabad is this week, taking place on Wednesday, 25 January 2017 in Islamabad, Pakistan. This is being held in conjunction with the 29th South Asian Network Operators Group (SANOG), and we have a great half-day programme lined-up.

Aftab Siddiqui, Jan Žorž and Kevin Meynell will be there from Deploy360, and will be joined by our colleague Naveed Haq from ISOC’s Asia-Pacific Bureau, so please come and say hello.

Agenda

  • Introduction to the Internet Society and Deploy360
    Kevin Meynell, Internet Society
  • Deploying DNSSEC
    Champika Wijayatunga, ICANN
  • DANE/DNSSEC/TLS Testing in the Go6lab
    Jan Žorž, Internet Society
  • What’s Happening at the IETF? Internet Standards and How to Get Involved
    Kevin Meynell, Internet Society
  • Mind Your MANRS & the Routing Resilience Manifesto
    Aftab Siddiqui, Internet Society
  • IPv6 Status Update
    Pubudu Jayasinghe, APNIC & Aftab Siddiqui, Internet Society
  • Panel Discussion: IPv6 Success Stories
    Moderator: Kevin Meynell, Internet Society; Zaeem Arshad, Rapid Compute Pvt Ltd; Yoshinobu Matsuzaki, Internet Initiative Japan; Jawad Raza, PERN & Jan Žorž, Internet Society
  • Closing Remarks
    Kevin Meynell, Internet Society

Webcast & Social Media

Please visit the live streaming page to follow the event. We’ll also be active on our social media channels over the course of the day, so follow along with #IONConf and get involved!

Sponsors

As usual, we are thankful that this ION has generous support from our ION Conference Series Sponsor Afilias. We would also like to thank PTA, HEC and PCTL for their support, as well as SANOG for offering the opportunity to co-locate with them.

Join Us

We hope you can join us in Islamabad on 25 January at the HEC Headquarters. Register online if you can join us in person, or just tune into the webcast starting at 0900 PKT (UTC+5).

Categories
Deploy360 Events

ION Islamabad: IPv6, DNSSEC and Much More

ION Islamabad

We are excited to announce that the agenda for ION Islamabad has been finalized. This will take place on Wednesday, 25 January 2017, alongside the South Asia Network Operators Group (SANOG) conference, SANOG 29. As always, this ION is generously supported by our series sponsor Afilias.

The agenda is already online and it’s our patented mix of IPv6, DNSSEC, Securing BGP, and TLS for Applications. A quick preview of some of our session titles:

  • Deploying DNSSEC – Champika Wijayatunga, ICANN
  • DANE/DNSSEC/TLS Testing in the Go6lab – Jan Žorž, Internet Society
  • What’s Happening at the IETF? Internet Standards and How to Get Involved – Kevin Meynell, Internet Society
  • Mind Your MANRS & the Routing Resilience Manifesto – Aftab Siddiqui, Internet Society
  • IPv6 Regional Status – An Update – APNIC representative (tbc) & Aftab Siddiqui, Internet Society 
  • IPv6 Success Stories! – Panel Discussion

In order to register for the event, kindly use the SANOG 29 registration page. If you’re only interested in attending the ION conference then you may register for “Tutorial Only” and it will give you access to all SANOG 29 Tutorials as well as the ION Conference.

ION helps network operators stay ahead of the curve to understand and deploy emerging Internet technologies, and presents a unique opportunity to discuss the future of the Internet with the people who help craft it.

We’re also planning the rest of the 2017 calendar, so if you’re organising something that might lend itself to co-locating an ION then please let us know! We usually hold four events each year in locations all over the world, and we’re open to all sorts of opportunities. Contact us to discuss co-location possibilities, or how your company could sponsor an ION Conference.