Tuesday, December 16, 2014

DNSSEC Survey Report

BT Diamond IP just published its latest report detailing results of its DNSSEC industry survey, conducted in November 2014. This year's survey yielded strong participation from active DNSSEC deployers, meaning those who have already deployed or are deploying DNSSEC. While not likely representative of overall industry deployment status, opinions regarding complexity and business case as obstacles, and the lack of interest in hardware security module (HSM) appliances for private key storage, prove insightful.

Among the key findings of the survey:

  • Nearly all respondents agreed with the statement that DNSSEC can or does provide value to their organization and over 85 percent likewise agreed that DNSSEC technology is mature and can be reliably deployed.
  • Forty-seven percent of respondents agreed that deploying and maintaining DNSSEC is very complex, with 12 of those 47 percentage points agreeing strongly. Only 22 percent disagreed. This is rather telling: DNSSEC is not only considered complex by the uninitiated, but the experience of those who have deployed it shows this to be the case.
  • Nearly half of respondents disagreed with the statement that only external (Internet-facing) zones need be signed, while 28 percent agreed with the statement. This majority position debunks the theory that internal name spaces are of little concern when it comes to DNSSEC.
  • Only 20 percent of respondents agreed that dedicated hardware security module (HSM) appliances or cards are required to store private keys.
  • Over 75 percent of respondents assign their DNS groups responsibility for DNSSEC implementation and management, sometimes alone and often in conjunction with other groups. It's interesting to note that about 25 percent of respondents do not involve the DNS group in the process at all!
  • As an industry, simplifying the deployment process to reduce complexity and therefore costs to some degree could help spur further DNSSEC deployments.

The survey report documents participants' opinions about the level of concern for securing DNS via DNSSEC, their stage of DNSSEC deployment if any, the perceived value of DNSSEC, deployment obstacles, other DNS security concerns, which groups internally are responsible for DNSSEC management, and even which DNSSEC vendor implementations respondents use.

The full report is available in pdf format at http://www.globalservices.bt.com/static/assets/pdf/products/diamond_ip/BT-Diamond-IP-2014-DNSSEC-Survey.pdf.

If you have any comments regarding the report please don't hesitate to contact me.

Monday, October 20, 2014

You're invited to participate in our DNSSEC Survey

Signing DNS data with DNSSEC enables an organization to authenticate its web addresses and other published DNS information, i.e., to secure its namespace. DNSSEC also protects against DNS cache poisoning attacks when DNSSEC validation is enabled on recursive DNS servers (resolvers). As such, DNSSEC is a critical component of a comprehensive DNS security strategy, which should also include the use of functional and port access control lists (ACLs), transaction signature keys to sign updates and transfers among servers, detection of DNS anomalies, and possibly domain name filtering or firewalling to restrict communications between malware-infected devices and their corresponding command and control centers.

BT Diamond IP is sponsoring a DNSSEC survey to gather input from DNS and network administrators regarding their opinions about the value of DNSSEC, potential obstacles to implementation, and relative priority of deployment. And you are hereby invited to participate! The survey consists of twelve questions plus a thirteenth if you'd like to enter your contact information to be entered for a drawing for a $100 VISA gift card. The survey will remain open through November 3, 2014, after which we will compile the results and publish a free survey report. Make your opinions count, take the survey today!

Friday, October 10, 2014

What Exactly is a DNS Firewall?

When you think of an Internet firewall, you likely think of a gateway device which examines IP packets flowing through it and which selectively blocks or redirects those packets meeting certain criteria. Such criteria may include filtering parameters such as IP addresses or ports such that when an IP packet under inspection matches such parameter settings, the packet is blocked or otherwise handled according to policy settings. A DNS firewall performs similar examination and policy handling functions for DNS queries to prevent unwelcome DNS and subsequent data traffic.

Another common assumption associated with Internet firewalls is that they are deployed on the perimeter of a network with the intention of protecting the network from attacks originating outside it. DNS firewalls, however, protect the network against attacks that originate within the network. Why worry about internal attacks if morale is sky high and IP firewalls are seemingly impervious? With the proliferation of smart phones and "bring your own device" (BYOD) initiatives, intentionally or unintentionally established, it's quite possible that devices physically leaving the domain of a perfectly firewalled network may become infected with malware elsewhere, when operated on less secure networks such as coffee-house Wi-Fi or at home.

Certain forms of malware infiltrate a device as a remote agent or "bot" which, along with several other similarly infected devices, forms a "botnet" where an attacker can command several bots to perform attacks such as distributed denial of service attacks. A bot on an infected device will typically attempt to contact the attacker's command and control (C&C) center to receive its marching orders, and the means of contacting the C&C starts with a DNS lookup. The primary goal of a DNS firewall is to identify such C&C contact attempts, to block such attempts and to identify the infected device.

The leading DNS server reference implementation, BIND from the Internet Systems Consortium (ISC), supports the establishment of DNS firewall policies via its response policy zones (RPZ) feature. RPZ enables a DNS administrator to define policies in standard DNS resource record format to enable filtering of DNS queries. Filtering triggers can be defined based on the queried name (QNAME), the resolved IP address (an IP address within an A or AAAA query response), the resolving name server IP (NSIP) as resolved within a response to the A or AAAA query for an NS RRSet, and the resolving name server name (NSDNAME) as it appears within an NS RRSet. Thus throughout the resolution process for a particular query, the recursive DNS server can filter at multiple points along the way, then enact the corresponding policy action. Such an action can be defined as responding with NXDOMAIN, NODATA, pass-through, or inclusion of predefined response data, such as directing the session to a walled garden.

The beauty of this technique is in defining policies as resource records within a zone or zones which enables DNS administrators to create their own policies and/or to subscribe to a provider or providers of malicious domain (filtering) information, which can simply zone transfer such domain information to the corresponding recursive DNS servers. Updates of this zone information of course should be secured via the use of standard BIND ACLs as well as transaction signatures (TSIG) to sign incremental or full zone updates.
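As an added illustration (not code from this post, nor from ISC BIND), the following Python evaluator parses a small, constructed RPZ zone named rpz.local. containing one rule for each trigger type described above (QNAME, IP, NSDNAME and NSIP) and applies them to sample queries in the order a recursive server would encounter the data. The zone contents, names and addresses are made up (RFC 5737 documentation ranges), TTL and class are omitted from the records for brevity, and the evaluator reduces BIND's rule-precedence logic to first match, which is sufficient because the sample rules do not overlap.

```python
import ipaddress

# Constructed sample RPZ zone (not from the page). Owner names are relative to
# the policy zone rpz.local.; TTL and class are omitted to keep the lines short.
SAMPLE_RPZ = """\
badsite.example.rpz.local.                CNAME .              ; QNAME trigger, NXDOMAIN action
*.badsite.example.rpz.local.              CNAME .              ; wildcard covers its subdomains
tracker.example.rpz.local.                CNAME *.             ; QNAME trigger, NODATA action
allowed.example.rpz.local.                CNAME rpz-passthru.  ; explicit allow, ends evaluation
malware-cc.example.rpz.local.             A     192.0.2.10     ; QNAME trigger, walled-garden address
24.0.100.51.198.rpz-ip.rpz.local.         CNAME .              ; any answer IP in 198.51.100.0/24
ns.evil.example.rpz-nsdname.rpz.local.    CNAME .              ; resolving name server name
32.1.113.0.203.rpz-nsip.rpz.local.        CNAME .              ; resolving name server IP 203.0.113.1
"""

ZONE = "rpz.local."


def _norm(name):
    """Lower-case a domain name and make it fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _ip_trigger(label):
    """Decode an rpz-ip / rpz-nsip label: '24.0.100.51.198' -> 198.51.100.0/24.
    The encoding is the prefix length followed by the address octets reversed."""
    prefix, *octets = label.split(".")
    return ipaddress.ip_network(".".join(reversed(octets)) + "/" + prefix, strict=False)


def _action(rtype, rdata):
    """Map RPZ record data to a policy action, following BIND's RPZ conventions."""
    if rtype == "CNAME":
        if rdata == ".":
            return ("NXDOMAIN", None)
        if rdata == "*.":
            return ("NODATA", None)
        if rdata.lower() == "rpz-passthru.":
            return ("PASSTHRU", None)
    return ("LOCAL-DATA", rdata)   # A/AAAA/CNAME pointing at a walled garden


def parse_rpz(text, zone=ZONE):
    """Parse RPZ records into per-trigger rule lists."""
    policy = {"QNAME": [], "IP": [], "NSDNAME": [], "NSIP": []}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        owner, rtype, rdata = line.split(maxsplit=2)
        owner = _norm(owner)
        if not owner.endswith("." + zone):
            raise ValueError("record outside policy zone: " + owner)
        rel = owner[: -len(zone) - 1]            # owner relative to the zone apex
        action = _action(rtype.upper(), rdata)
        if rel.endswith(".rpz-ip"):
            policy["IP"].append((_ip_trigger(rel[: -len(".rpz-ip")]), action))
        elif rel.endswith(".rpz-nsip"):
            policy["NSIP"].append((_ip_trigger(rel[: -len(".rpz-nsip")]), action))
        elif rel.endswith(".rpz-nsdname"):
            policy["NSDNAME"].append((rel[: -len(".rpz-nsdname")] + ".", action))
        else:
            policy["QNAME"].append((rel + ".", action))
    return policy


def _name_match(pattern, name):
    """Exact match, or wildcard '*.suffix.' matching any name below suffix."""
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return name == pattern


def evaluate(policy, qname, answer_ips=(), ns_names=(), ns_ips=()):
    """Return (action, data, trigger) for the first matching rule, or None.
    Triggers are tried in the order BIND applies them: QNAME at query time,
    then IP, NSDNAME and NSIP as resolution proceeds. A PASSTHRU hit ends
    evaluation. The sample rules do not overlap, so first match suffices."""
    in_net = lambda network, address: address in network
    checks = (
        ("QNAME", [_norm(qname)], _name_match),
        ("IP", [ipaddress.ip_address(a) for a in answer_ips], in_net),
        ("NSDNAME", [_norm(n) for n in ns_names], _name_match),
        ("NSIP", [ipaddress.ip_address(a) for a in ns_ips], in_net),
    )
    for trigger, subjects, match in checks:
        for pattern, (action, data) in policy[trigger]:
            for subject in subjects:
                if match(pattern, subject):
                    return (action, data, trigger)
    return None


if __name__ == "__main__":
    rules = parse_rpz(SAMPLE_RPZ)
    print(evaluate(rules, "www.badsite.example"))
    print(evaluate(rules, "benign.example", answer_ips=["198.51.100.77"]))
    print(evaluate(rules, "benign.example", ns_ips=["203.0.113.1"]))
```

The IP and NSIP rules show why a name-only blocklist is not enough: a benign-looking QNAME is still caught when its answer lands in a flagged range or its delegation passes through a flagged name server, which is the "multiple points along the way" behaviour the post describes.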

BT Diamond IP's IP address management products support configuration of DNS firewall functions via its web user interface for our Sapphire appliances as well as stock ISC BIND servers you may already operate. We also partner with Internet Identity as a provider of bad domain information which can be easily configured with our systems though customers are free to implement their own policies using our systems or use other or additional bad domain providers. Feel free to contact me to learn more.

Tuesday, July 8, 2014

IPv6 Growth Inflection Point

Now that the percentage of IPv6 users accessing Google's websites has reached 4%, I decided to revisit my prior post projecting IPv6 growth. Assuming that people around the world use Google, as it sits atop Alexa's list of top websites, it would seem such a measurement provides data that could be loosely projected to the Internet at large. It took just 140 days for the IPv6 user rate to climb from 2% to 3%, and interestingly only 140 days from 3% to 4%. Is IPv6 growth going linear? Or, more likely, have we just passed an inflection point beyond which growth will accelerate?

Reiterating our view that the historical IPv6 user data is comprised of two segments, the first being the nearly linear component of near-zero penetration up through 2011, and the second representing the present growth phase, we plot the measured IPv6 penetration since the end of 2011. Applying both exponential and second-order polynomial curve fittings as before in Figure 1, we see that our exponential curve, the solid red line, fits very well with an R² of over 0.99, while our polynomial curve fit, the dashed green line, yields a respectable R² of 0.9844.

Figure 1: Curve fittings for most recent Google IPv6 users data

The exponential curve predicts IPv6 penetration at 6.2% by the end of this year, while the polynomial predicts 5.6%. These predictions are both a bit higher than the corresponding points from my prior post at 5.9% and 4.9% respectively. The trend curves are getting steeper, though they diverge rapidly after these near-term predictor points, with the exponential model predicting nearly 15% penetration by the end of 2015 and the polynomial indicating only about 10%. Incidentally, the linear model of one percentage point every 140 days predicts 8.0% by the end of 2015. Stay tuned for my next post on this topic and an update when this particular penetration measure hits 5%.

Friday, June 6, 2014

Take our annual IPv6 survey to celebrate World IPv6 Launch

On this second anniversary of World IPv6 Launch, are you among the growing population of those having deployed IPv6? The World IPv6 Launch site has a nice infographic to commemorate the anniversary which indicates growing IPv6 momentum. The Internet Society links to several measurement sites, many of which indicate an increasing volume of IPv6 traffic.
Whether you have already deployed IPv6 or you have no plans at all, you are invited to complete our annual IPv6 survey. This year's survey is very similar to last and prior years' surveys in order to help us identify trends and changing perceptions about IPv6. The survey should take about five minutes to complete so we invite you to let us know what you think. We're also going to be drawing the name of one survey respondent to whom we will award a $100 Visa gift card, so I invite you to complete the survey.

Thursday, April 24, 2014

Internet only has room for another 1.4% of world pop

As I pondered my prior post regarding ARIN's announcement of its IPv4 address capacity dwindling down to a single /8, I began to wonder how long it would be before those supporting only IPv4 communications would feel the impact. The "impact" of ignoring IPv6 may be the inability to communicate with THE growth segment of the Internet. Once IPv4 is totally depleted, ALL growth will by necessity utilize IPv6.

And this total depletion time may come very soon. As I pointed out in that post, the sum total of IPv4 address space that's available globally is about 0.1 billion. Truthfully, ISPs that obtain space from RIRs, and enterprises that obtain space from ISPs, likewise have their own stock of IPv4 capacity, but once the RIRs run out, there will be no additional space to be had. Consider that 0.1 billion IP addresses represents a mere 1.4% of the world's population of 7.2 billion. One simple-minded conclusion would be that the IPv4 Internet can support a mere 1.4% increase in Internet user penetration.

The current Internet user penetration as reported by Internet Live Stats is about 40% today. The penetration at the end of 2013 was 38.5%, so it took less than four months to grow further than 1.4% in penetration. So could it be another four months until we're totally out of space? Not likely, but it is likely that within a year, IPv4 space will be very hard to come by.

The world's insatiable appetite for IP addresses derives primarily from the proliferation of IP-addressable devices, from consumer communications devices like tablets and mobile phones, to industrial or public safety sensors, to developing countries deploying broadband and wireless networks. If you desire to share information, conduct business, or otherwise communicate with users of such devices, you should consider deploying IPv6 support in the very near future if you have not already. As use of such devices flourishes, they will ultimately use IPv6 addresses as that is all wireless and broadband operators will have available to assign. If you'd like them to be able to reach you online, you'll need IPv6-accessible resources, which means you'll need IPv6 address space. Don't know where to start? Contact us to learn more and for help.

Wednesday, April 23, 2014

ARIN Reaches Final Stage for IPv4 Address Space

ARIN today announced that it is now down to its last /8 of IPv4 address space. This is the point when remaining IPv4 capacity is considered "depleted" and more stringent allocation policies are put into effect, as outlined in the announcement. The analogous depletion state was announced and similar policies enforced by APNIC in 2011 and by RIPE in 2012. LACNIC crossed the /8 threshold in 2011 but will engage its depletion policies when it reaches one /11 (2.1M IP addresses).

The last /8 threshold means the RIR has about 16.8 million IPv4 addresses available, which may seem like a lot, but each allocation consists of hundreds if not thousands of IP addresses to ISPs and customers. Hence the more stringent allocation policies to extend the lifetime of IPv4 a bit longer. You can follow the current outlook on IPv4 lifetime by RIR on Geoff Huston's potaroo site and summarized below and updated with this recent ARIN information:

RIR         Projected Exhaustion Date   Remaining /8s   IP addresses
APNIC       19-Apr-2011 (actual)        0.7937          13.3M
RIPE NCC    14-Sep-2012 (actual)        0.8193          13.7M

The net impact is that the Internet has just over 100 million IPv4 addresses available. That's 0.1 billion, which with only about 40% Internet user penetration today, doesn't leave much capacity at all for those 4 billion plus earthlings who do not yet have Internet access. If you haven't been convinced of the inevitability of IPv6, hopefully this helps and provides ample time to plan for it. If you haven't had time or resources to plan for IPv6, now is the time to start planning. BT can help with network assessment, planning and deployment services, free IPv6 addressing tools, and commercial IP address management (IPAM) solutions. Contact us to learn more.

Tuesday, February 11, 2014

Predicting IPv6 Growth

Upon hearing the news that Google's measurement of IPv6 users hitting their websites hit 3% of total users, having just surpassed 2% in September 2013, I became less skeptical of the exponential growth predictions for IPv6. Under the assumption that people around the world use Google, and that it is atop Alexa's list of top websites, it would seem such a measurement provides data that could be loosely projected to the Internet at large. To explore this uptick in hits, I sampled some data points from Google's statistics site in an attempt to create a future projection.
Figure 1: A pair of curve fittings for Google IPv6 users data

In my first attempt at "curve fitting," I considered quarterly data points going back to early 2009 when Google started measuring IPv6 visitors. Applying curve fitting to these data points, I created the chart of Figure 1, with sample data points represented as blue diamonds. Applying an exponential curve to this data set yields the more gradually sloping (red) curve in Figure 1. As you can see, this curve seems to overcompensate in early years while flattening growth in the later years. This curve's estimated penetration yielded less than 2% at the end of 2013, well below measured data. I then applied a second-order polynomial trendline in an attempt to map more closely to the data samples, shown as the steeper (green) line. This curve seems to better fit the later measurements in the chart, though it predicts passing 3% in mid-2014, a mark that has already been reached. Incidentally, the polynomial curve yields an R² of 0.95, which is a better fit than the 0.9 value for the exponential curve.
Figure 2: Curve fittings for most recent Google IPv6 users data

I then considered the data as comprising two segments, the first being the nearly linear component of near-zero penetration up through 2011, and the second representing the present growth phase. Considering only these latter data points, Figure 2 illustrates another pair of trend lines, exponential (in this case the steeper of the two) and polynomial. Interestingly, the exponential curve yields an R² of over 0.98, representing quite a good fit, and the polynomial fit isn't too bad at about 0.96. It's interesting to extrapolate these curves out a couple of years to predict the growth in IPv6 Google users and, by loose association, Internet IPv6 users. The table below summarizes the predicted percentage of Google users accessing via IPv6, considering data samples back to 2009. These predictions are rather unimpressive, with modest IPv6 penetration and neither model reaching double-digit penetration even by the end of 2015. But I personally tend to put more stock in the more recent sample data, shown in the two far-right columns of the table, illustrating a more rapid adoption of IPv6.

Table: Model prediction of the percentage of Google users accessing via IPv6 by end of year, with columns for samples 2009-2013 and samples 2012-2013 (the table's values were not preserved in this copy of the post)

What will the future hold for IPv6 user growth? These models vary quite widely in predicting growth rate, but the trend is definitely upward. Make preparations for IPv6 in your network today.

Tuesday, January 28, 2014

New gTLD Update: Signed TLDs Now Outnumber Unsigned TLDs

In the six weeks since I blogged about the emergence of new generic Top Level Domains (gTLDs) in the root zone, eighty-four new gTLDs have been delegated. This brings the total number of TLDs, including country code TLDs (ccTLDs), to 427. Of the recently added eighty-four gTLDs, nine are internationalized, and this brings us to fifty internationalized TLDs, comprising a mix of both gTLDs and ccTLDs.

And thanks to the signing requirement of the new gTLD program, all eighty-four domains are signed with DNSSEC. This brings the number of signed TLDs to 235, with 229 having delegation signer (DS) records in the root zone. Signed TLDs under which you register domain names, especially those with DS records in the root zone, streamline the process for resolvers to validate your signed name space. Resolvers need only maintain the root zone public key (trust anchor) to validate signed subtrees of the global DNS namespace. As long as each domain along this chain down to your zone is signed, a resolver can validate your signatures using the root trust anchor. This "chain of trust" is linked via DS records, which are published in a parent zone and authenticate a child zone's public key.
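To make the DS linkage concrete, here is an added Python example (not from this post) that builds a DS record from a child zone's DNSKEY the way RFC 4034 specifies: the key tag per Appendix B, and the digest as SHA-256 (digest type 2) over the owner name in canonical wire format followed by the DNSKEY RDATA. A parent publishing that DS, and a validator recomputing it from the DNSKEY it fetched, is exactly the link in the chain the paragraph describes. The sample key's public-key bytes are placeholder values rather than a real RSA key, so the resulting digest is meaningful only for the matching check the example performs.

```python
import hashlib


def name_to_wire(name):
    """Canonical DNS wire form of an owner name: lower-case, length-prefixed
    labels, terminated by the root label. 'Example.' -> b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit one's-complement-style sum over RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """RFC 4034 section 5.1.4: digest = hash(owner name wire form || DNSKEY RDATA).
    Digest type 1 is SHA-1, type 2 is SHA-256 (RFC 4509)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, rdata, digest_type=2):
    """The DS record a parent zone would publish for this child key:
    (key tag, algorithm, digest type, digest). Algorithm is RDATA byte 3."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(parent_ds, owner, child_rdata):
    """Chain-of-trust check a validator performs: the DS from the parent must
    name this key's tag and algorithm, and its digest must match the DNSKEY
    actually served by the child. Any change to the key breaks the link."""
    tag, algorithm, digest_type, digest = parent_ds
    return (tag == key_tag(child_rdata)
            and algorithm == child_rdata[3]
            and digest == ds_digest(owner, child_rdata, digest_type))


# Constructed sample: a child KSK (flags 257 = zone key + SEP, protocol 3,
# algorithm 8 = RSA/SHA-256). The public-key field is placeholder bytes,
# not a real RSA key; it only needs to be stable input for the digest.
SAMPLE_KSK = dnskey_rdata(257, 3, 8, bytes.fromhex("01020304"))
SAMPLE_OWNER = "example."

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_KSK)
    print("DS for", SAMPLE_OWNER, ds)
    print("matches served key:", ds_matches(ds, SAMPLE_OWNER, SAMPLE_KSK))
```

In operation the owner name in the digest is the child zone's apex, which is why a DS published at the parent for example. cannot be reused to vouch for a key served under any other name, and why a key rollover at the child requires a new DS at the parent before the old one is withdrawn.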

With more signed TLDs, especially if yours is/are signed, your path to securing your name space becomes simpler. The table below reflects today's status, updated since my prior post. Other than the addition of eighty-four gTLDs (9 IDN and 75 non-IDN), the .name generic-restricted TLD was signed, moving one tally from unsigned non-IDN to signed non-IDN in that row.

TLD category                  Signed IDN   Signed non-IDN   Unsigned IDN   Unsigned non-IDN
Country Code TLD              12           90               24             159
Generic TLD                   14           109              0              0
Sponsored TLD                 0            7                0              8
Infrastructure TLD (.arpa)    0            1                0              0
Generic-restricted TLD        0            2                0              1

(Column headings are reconstructed from the counts cited above: the rows total 427 TLDs, of which 235 are signed and 50 are IDN.)