
Page 1: CA Landscape · Internet Exchange Points (IXPs) •Canadian IXPs should be; –Community based –Vendor neutral –Non profit organizations –Member driven –Open peering policy

.CA Landscape

Canadian Internet Registration Authority (CIRA)

Jacob Zack, Sr. DNS Administrator

April 2014

ORION Tech Workshop – April 2014: .CA Landscape

Page 2:

Agenda:

• CIRA: History and Mandate

• .CA DNS

• Fundamentals of DNS

• Why DNSSEC?

• Why IPv6?

• Canadian IXPs (Internet Exchange Points)


Page 3:

History of .CA

• .CA delegated to volunteers at UBC in 1987 (John Demco).

• First .CA domain name was “UPEI.CA” on Jan 12, 1988.

• .CA Operated by UBC until late 2000.

• CIRA receives mandate for .CA from Industry Canada in 2000.

• In 2000, .CA contained ~140,000 domain names.

• .CA hit 1 million domain mark in April 2008.

• .CA hit 2 million domain mark in November 2012.

• .CA currently at 2,227,000 domains (April 2, 2014).

• CIRA is a self-funded, non-profit, member-driven organization.


Page 4:

CIRA’s Mandate

• Operate a robust, reliable, secure, and always available .CA registry and DNS infrastructure

• Preserve this virtual natural resource for Canadians

• To develop, carry out and/or support any other Internet-related activities in Canada


Page 5:

.CA DNS

• The .CA domain is delegated from IANA (“The Root”) to CIRA.

• CIRA delegates second-level domains to registrants.

  – Ex: “gc.ca” is delegated to servers operated by the Government of Canada.

• CIRA operates multiple .CA DNS sites within Canada.

  – Vancouver, Calgary, Winnipeg, Toronto, Ottawa, Montreal

• CIRA utilizes third-party DNS providers outside of Canada.

• CIRA has maintained 100% uptime of .CA DNS

• Emerging threats a catalyst for coming changes…

• Emerging technology providing new opportunities…


Page 6:

DNS Hierarchy


(diagram)

When operating a domain, you control that domain for all levels beneath it. You can, however, delegate authority to a third party, as CIRA does for ~2.2 million domains.

Page 7:

DNS Operation Modes

• Authoritative

  – An authoritative server receives and responds to queries for domains that it knows about and is responsible for.

  – This includes the root servers, CIRA’s .CA TLD servers, and (should include) any DNS servers listed for a domain in WHOIS.

• Recursive

  – A recursive server responds to all queries, generally from “end-users”.

  – A recursive server asks questions of authoritative servers.

  – Often, recursive servers will cache DNS information for some period.


CIRA operates the .CA authoritative servers.

CIRA operates the CIRA.CA authoritative servers (and other corp domains).

CIRA operates recursive DNS servers so that staff and servers can look up other organizations’ DNS.

CIRA’s recursives query CIRA’s authoritatives like any other entity.

Page 8:

DNS Query Flow

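The walk a recursive server makes through the hierarchy described on Pages 6 to 8 (the root, then CIRA’s .ca servers, then the domain’s own servers, with the answer cached afterwards), as an added example that is not code from the deck or from CIRA: a toy set of authoritative servers held in memory and a caching recursive resolver that follows their referrals. Zone data and the 192.0.2.x addresses (RFC 5737 documentation range) are constructed for the example and are not the real servers.

```go
package main

import (
	"fmt"
	"strings"
)

// Zone is one authoritative server's view of the world: the records it is
// responsible for, and the child zones it only knows how to refer to (the NS
// and glue records it hands back as a referral). All data below is constructed.
type Zone struct {
	Name    string
	Records map[string]string // owner name -> A record
	Deleg   map[string]string // child zone -> address of that zone's server
}

// Recursive is the caching server that end users (and CIRA's own staff) query.
type Recursive struct {
	RootAddr string
	Net      map[string]*Zone  // server address -> server; stands in for the network
	Cache    map[string]string // answers remembered from earlier walks
}

// Resolve performs the iterative walk from the query-flow slide: start at the
// root, follow each referral one level down, stop at the server that holds the
// answer. It returns the answer and the servers that were asked (none when the
// answer came from cache).
func (r *Recursive) Resolve(qname string) (string, []string, error) {
	if a, ok := r.Cache[qname]; ok {
		return a, nil, nil
	}
	var asked []string
	addr := r.RootAddr
	for hop := 0; hop < 8; hop++ { // bound the walk so a mis-delegated zone cannot loop
		z, ok := r.Net[addr]
		if !ok {
			return "", asked, fmt.Errorf("no server at %s (lame delegation)", addr)
		}
		asked = append(asked, z.Name)
		if a, ok := z.Records[qname]; ok {
			r.Cache[qname] = a
			return a, asked, nil
		}
		// Referral: the longest child zone that is a suffix of the name wins.
		best := ""
		for child := range z.Deleg {
			if (qname == child || strings.HasSuffix(qname, "."+child)) && len(child) > len(best) {
				best = child
			}
		}
		if best == "" {
			return "", asked, fmt.Errorf("%s: no such name (NXDOMAIN) for %s", z.Name, qname)
		}
		addr = z.Deleg[best]
	}
	return "", asked, fmt.Errorf("delegation chain too long for %s", qname)
}

// NewDemo wires up root -> ca -> {cira.ca, gc.ca}. Addresses are constructed
// from the RFC 5737 documentation ranges, not the real servers.
func NewDemo() *Recursive {
	return &Recursive{
		RootAddr: "192.0.2.1",
		Net: map[string]*Zone{
			"192.0.2.1": {Name: ". (root)", Deleg: map[string]string{"ca": "192.0.2.2"}},
			"192.0.2.2": {Name: "ca (CIRA)", Deleg: map[string]string{"cira.ca": "192.0.2.3", "gc.ca": "192.0.2.4"}},
			"192.0.2.3": {Name: "cira.ca", Records: map[string]string{"www.cira.ca": "192.0.2.80"}},
			"192.0.2.4": {Name: "gc.ca", Records: map[string]string{"www.gc.ca": "192.0.2.81"}},
		},
		Cache: map[string]string{},
	}
}

func main() {
	r := NewDemo()
	// The second lookup of www.cira.ca is answered from cache without any query.
	for _, q := range []string{"www.cira.ca", "www.cira.ca", "www.gc.ca", "www.example"} {
		a, asked, err := r.Resolve(q)
		fmt.Printf("%-12s -> %-12s asked=%v err=%v\n", q, a, asked, err)
	}
}
```

The recursive server never holds authoritative data of its own; everything it knows it learned by asking down the chain, which is why CIRA’s recursives query CIRA’s authoritatives like any other entity.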

Page 9:

DNSSEC

http://www.internetsociety.org/deploy360/dnssec


Page 10:

Why DNSSEC?


• DNS Cache Poisoning:

  – A weak point in the DNS protocol allows for exploitation: a resolver accepts the first reply that matches its question and its 16-bit transaction ID.

  – Attacker fools a recursive DNS server into giving out bad data.

  1) Make an ISP recursive server ask a predictable question. Ex: Where is WWW.CIBC.CA?

  2) Flood the ISP recursive server with bogus answers to the question.

  3) ISP recursive server now accepts “CIBC.CA” == hacked host in China

  4) ISP recursive tells ISP customers “CIBC.CA” == hacked host in China

  5) Customers send username/password details to hacked host

  6) Profit.

  – Randomizing the transaction ID and source port (RFC 5452) only makes the guess harder; DNSSEC lets the resolver reject the forged answer outright.
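The race in steps 1 to 3 above, modelled as added example code that is not from the deck: the matching rule a resolver applies before trusting a reply, and an attacker who cannot see the query and so floods one forged reply per possible transaction ID. The query name follows the slide; the 203.0.113.66 “hacked host”, the port numbers and the bailiwick rule are constructed for the example, and the probability figures assume a 16-bit transaction ID and, for the patched case, an additional 16 bits from a random source port.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Outstanding is what the recursive server remembers about a question in flight.
type Outstanding struct {
	QName   string
	TXID    uint16
	SrcPort uint16 // fixed (e.g. 53) on an unpatched resolver, random on a patched one
	Zone    string // zone of the server that was asked; answers must stay inside it
}

// Reply is one UDP datagram as the resolver sees it.
type Reply struct {
	QName   string
	TXID    uint16
	DstPort uint16
	Owner   string // owner name of the record carried in the reply
	Address string
}

// Accepts mirrors the checks a resolver makes before caching a reply: the
// question, transaction ID and destination port must match the outstanding
// query, and the record must be "in bailiwick" of the server that was asked
// (so a reply about cibc.ca cannot smuggle in a record for some other zone).
func Accepts(q Outstanding, r Reply) bool {
	if r.QName != q.QName || r.TXID != q.TXID || r.DstPort != q.SrcPort {
		return false
	}
	return r.Owner == q.Zone || strings.HasSuffix(r.Owner, "."+q.Zone)
}

// Flood plays the slide's step 2: the attacker sends one forged reply per
// possible TXID to the port it assumes the resolver used. It returns the bogus
// address that got cached, or "" if every forgery was dropped.
func Flood(q Outstanding, guessedPort uint16, bogus string) string {
	for id := 0; id <= math.MaxUint16; id++ {
		r := Reply{QName: q.QName, TXID: uint16(id), DstPort: guessedPort, Owner: q.QName, Address: bogus}
		if Accepts(q, r) {
			return r.Address
		}
	}
	return ""
}

// SpoofProbability is the chance that n forged replies, sent before the real
// answer arrives, hit a query protected by `bits` bits of entropy: 16 for the
// TXID alone, 32 once the source port is random as well.
func SpoofProbability(bits uint, n int) float64 {
	space := math.Pow(2, float64(bits))
	return 1 - math.Pow(1-1/space, float64(n))
}

func main() {
	q := Outstanding{QName: "www.cibc.ca", TXID: 0xbeef, SrcPort: 53, Zone: "cibc.ca"}
	fmt.Println("fixed source port 53, TXID flood cached:", Flood(q, 53, "203.0.113.66"))
	q.SrcPort = 40123 // RFC 5452 style random source port; attacker still guesses 53
	fmt.Printf("random source port, TXID flood cached: %q\n", Flood(q, 53, "203.0.113.66"))
	for _, n := range []int{1, 1000, 65536} {
		fmt.Printf("%6d forgeries: 16-bit %.6f  32-bit %.9f\n", n, SpoofProbability(16, n), SpoofProbability(32, n))
	}
}
```

The attacker can still flood ports as well as transaction IDs, and can retry the race as often as it can trigger a fresh query, which is why port randomization is a mitigation and a signature check is the actual fix.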

Page 11:

Why DNSSEC?


Page 12:

What is DNSSEC?

• RFCs for adding digital signatures to DNS data

• Provides authenticity of data

• Secure delegations from parent to child, creating a chain of trust

• Data served by a compromised name server (one that does not hold the zone’s private key) is detected and ignored

• DNS data manipulation is detected and ignored

• Data authenticity and integrity by signing the zone with a private key

• Public DNSKEYs are published and used to verify the signatures

Page 13:

2013 CCS Workshop - Ottawa - 2013-11-5

DNSSEC Chain of Trust

(diagram)

Root [.] zone file: holds the public root key, which validators install as their trust anchor, and the .ca delegation signer (DS) record, which holds a digest of the .ca public key.

.ca zone file: holds the .ca public key and the gc.ca delegation signer, which holds a digest of the gc.ca public key.

gc.ca zone file: holds the gc.ca public key and the ic.gc.ca delegation signer.

Page 14:

DNSSEC Enabled DNS Query (highly simplified)

(diagram)

An Internet user’s end-user application, increasingly DNSSEC aware, asks a DNSSEC-enabled recursive server (the ISP’s, which caches results). That server in turn queries the authoritative servers: the “.” root, the “.ca” TLD servers, and the “cira.ca” DNS operator’s servers. The user then connects to the web server www.cira.ca at 2001:500:80:2::12 / 192.228.29.1.

All DNSSEC-enabled responses include DNSSEC signatures that must be validated against the DNSKEY.

Page 15:

DNSSEC Validation


• What is recursive DNSSEC validation?

– The caching recursive name server validates the DNSSEC signatures received for an answer against the domain’s DNSKEY records, and checks each DNSKEY against the DS record in the parent zone, all the way up to the configured trust anchor.

• http://www.surfnet.nl/Documents/rapport_Deploying_DNSSEC_v20.pdf
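The chain walked on the chain-of-trust slide (Page 13) and the validation a recursive server performs (Page 15), as an added example that is not code from the deck or from CIRA. Ed25519 stands in for the DNSSEC signing algorithms, each zone uses a single key rather than a separate KSK and ZSK, and signature validity periods and NSEC records are left out; the zone names follow the slide, while the A record and its 192.0.2.10 / 203.0.113.66 addresses (RFC 5737 ranges) are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is one signed zone holding a single key pair. Real zones split a KSK
// (the key the parent's DS points at) from a ZSK (the key that signs records);
// one key is enough to show the chain. Ed25519 stands in for DNSSEC algorithms.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// DS is the "delegation signer" the parent publishes for a child: a digest of
// the child's public key, covered by the parent's signature (the RRSIG over the
// DS RRset in a real zone).
type DS struct {
	Child  string
	Digest [sha256.Size]byte
	Sig    []byte
}

func dsMessage(child string, digest [sha256.Size]byte) []byte {
	return append([]byte(child+" DS "), digest[:]...)
}

// Delegate is what the parent does when the child hands over its DS record.
func (parent *Zone) Delegate(child *Zone) DS {
	d := sha256.Sum256(child.Pub)
	return DS{Child: child.Name, Digest: d, Sig: ed25519.Sign(parent.priv, dsMessage(child.Name, d))}
}

// RR is one record with its RRSIG; owner name plus rdata is what gets signed.
type RR struct {
	Owner, Rdata string
	Sig          []byte
}

func (z *Zone) Sign(owner, rdata string) RR {
	return RR{owner, rdata, ed25519.Sign(z.priv, []byte(owner+" "+rdata))}
}

// Validate is what a DNSSEC-aware recursive server does: starting from the
// configured trust anchor (the root key), check each DS signature with the
// parent's key, check that the child's DNSKEY matches the DS digest, and
// finally check the RRSIG over the answer with the last key in the chain.
func Validate(anchor ed25519.PublicKey, chain []DS, dnskeys []ed25519.PublicKey, rr RR) error {
	if len(chain) != len(dnskeys) {
		return fmt.Errorf("chain has %d DS records but %d DNSKEYs", len(chain), len(dnskeys))
	}
	key := anchor
	for i, ds := range chain {
		if !ed25519.Verify(key, dsMessage(ds.Child, ds.Digest), ds.Sig) {
			return fmt.Errorf("DS for %s: signature does not verify under parent key", ds.Child)
		}
		if sha256.Sum256(dnskeys[i]) != ds.Digest {
			return fmt.Errorf("DNSKEY for %s does not match DS digest in parent", ds.Child)
		}
		key = dnskeys[i]
	}
	if !ed25519.Verify(key, []byte(rr.Owner+" "+rr.Rdata), rr.Sig) {
		return fmt.Errorf("RRSIG over %s %s is bogus", rr.Owner, rr.Rdata)
	}
	return nil
}

// Scenario builds root -> ca -> gc.ca as on the chain-of-trust slide, signs one
// constructed record, and returns the validation result for the genuine answer,
// for a tampered answer, and for an answer signed with a substituted gc.ca key.
func Scenario() (genuine, tampered, wrongKey error) {
	root, ca, gc := NewZone("."), NewZone("ca"), NewZone("gc.ca")
	chain := []DS{root.Delegate(ca), ca.Delegate(gc)}
	keys := []ed25519.PublicKey{ca.Pub, gc.Pub}
	rr := gc.Sign("www.gc.ca", "A 192.0.2.10") // constructed address (TEST-NET-1)

	genuine = Validate(root.Pub, chain, keys, rr)

	forged := rr
	forged.Rdata = "A 203.0.113.66" // on-path attacker rewrites the answer; the RRSIG no longer matches
	tampered = Validate(root.Pub, chain, keys, forged)

	evil := NewZone("gc.ca") // attacker's own key and signature; the parent's DS digest does not match it
	wrongKey = Validate(root.Pub, chain, []ed25519.PublicKey{ca.Pub, evil.Pub}, evil.Sign("www.gc.ca", "A 203.0.113.66"))
	return
}

func main() {
	g, t, w := Scenario()
	fmt.Println("genuine answer:", g)
	fmt.Println("tampered rdata:", t)
	fmt.Println("attacker key:  ", w)
}
```

The validator never trusts a DNSKEY it fetched over the network on its own; only the DS in the parent, itself signed by a key the validator already trusts, gives it standing, which is what makes the parent-to-child delegations “secure”.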

Page 16:

DNSSEC Validation


To enable DNSSEC validation at an ISP/Enterprise:

• Ensure the DNS software on your caching recursive servers supports DNSSEC

  – BIND version 9.7 and up

  – Unbound version 1.4 and up

  – Microsoft DNS on Windows Server 2012 and up

  – Many other open source and commercial versions

• Configure the root zone’s public key as the trust anchor and turn validation on (BIND: dnssec-validation; Unbound: auto-trust-anchor-file), then confirm that an answer from a signed zone comes back with the AD (authenticated data) bit set.

Page 17:

DNS Safe & Trusted


• Security extensions on top of DNS to provide authentication of DNS data

Page 18:

A Platform for Innovation

• DANE (DNS-based Authentication of Named Entities)

• Application can use DNSSEC for enhanced security

• A ‘new’ technology to be leveraged

• SSL/TLS certificates (or their hashes) published inside DNS as TLSA records, so a client can check the certificate a server presents against the DNSSEC-signed record!


Page 19:

How to Sign Your Zones

• Simplest Commands (BIND 9.9 or later):

dnssec-keygen -a RSASHA256 -b 1024 -K /etc/namedb/keys mydomainname.ca
dnssec-keygen -a RSASHA256 -b 2048 -f KSK -K /etc/namedb/keys mydomainname.ca

…creates the ZSK and the KSK in the key directory named below.

• Config Change: add these lines to the zone statement for “mydomainname.ca” in named.conf:

zone "mydomainname.ca" {
        type master;
        file "/etc/namedb/master/mydomainname.ca";
        key-directory "/etc/namedb/keys";
        auto-dnssec maintain;
        inline-signing yes;
};

• Then reload named and publish the KSK’s DS record with the .CA registry through your registrar, so the chain of trust from .ca reaches your zone.

Page 20:

IPv6

http://www.internetsociety.org/deploy360/ipv6


Page 21:

IPv6 Addresses

• IPv4:

– 32 bits.

– 134.23.240.6

• IPv6:

– 128 bits.

– 2001:0db8:0f34:3345:02fc:45e1:1940:0032

• Not backward compatible


Page 22:

IPv4 Address Exhaustion

• Internet Protocol v4 (IPv4): 40+ years old! Ex: 192.168.1.3

• Exhaustion is a real problem:

  – We’re actually running out of IPv4 addresses.

  – Not so much in Canada now, but in Asia and Europe for sure.

• Trying to keep IPv4 alive, we’re breaking the Internet with:

  – Address and port translation (NAT/PAT)

  – Carrier Grade NAT (double NAT!)

• ~4.2 billion addresses, only about half of them usable: fewer than the number of mobile devices.


Page 23:

About IPv6

• Internet Protocol V6 (IPv6) -> ~17 years old!

– 2001:500:80:2::12

• Not a migration!

• Not a transition!

• IPv4 will coexist with IPv6 for 10+ years

• We have to adopt IPv6

The Internet is not IPv4 or IPv6.

The Internet is IPv4 and IPv6.

Page 24:

IPv6 Adoption


Source: https://www.google.com/intl/en/ipv6/statistics.html

Germany: 7.4% adopted

USA: 6.79% adopted

Peru: 5.26% adopted

France: 4.86% adopted

Japan: 3.57% adopted

China: 0.7% adopted

Canada: 0.43% adopted

Page 25:

Canadian IXPs


• An IXP is a physical infrastructure through which Internet Service Providers, Research Networks, Businesses, and Content Distribution Networks exchange traffic between their networks!

Page 26:

Canadian IXPs


• Montreal (QIX) founded 1995.

• Toronto (TORIX) founded 1997.

• Ottawa (OTTIX) founded 2001.

CIRA announces new Canadian IXP initiative in 2012.

• Montreal (QIX) now community driven! (2013)

• Winnipeg (MBIX) founded 2013.

• Calgary (AlbertaIX) founded 2013.

• Calgary (YYCIX) founded 2013.

• Halifax (HFXIX) founded 2013.

Page 27:

Internet Exchange Points (IXPs)

• Canadian IXPs should be:

  – Community based

– Vendor neutral

– Non profit organizations

– Member driven

– Open peering policy

– Accepts content providers, ISPs, transit providers, government, R&E and any other participant that can gain in exchanging traffic


Page 28:

Internet Exchange Points (IXPs)

(diagram: Canadian ISPs and their last mile, a Toronto IXP, USA IXPs and the Internet, with links labelled Peering $ or Transit $$$; in the version with the Toronto IXP, Canada-to-Canada traffic stays on cheap local peering instead of crossing the border to USA IXPs and back over paid transit)

Page 29:

Internet Exchange Point (IXP) – Canadian Vision

(diagram)

The Internet: a network of networks, domestic and international Internet service providers and content provider networks, reached over transit ($$$) or peering ($).

The IXP (local; non-profit; vendor neutral; self regulating; “peering” under free or commercial agreements; fast / low cost) connects: ISPs (cable/DSL, wireless, mobile, VoIP), CDNs (domestic and international content delivery networks), R&E (research and education) networks, governments, municipalities, colocation data centers, and domestic and international transit providers. It also hosts infrastructure: DNS servers (root & .CA), NTP time servers, route servers, and DNS servers for ISPs.

Canadian Internet services are reached locally for $; paths that detour through the US cost $$$.

Page 30:

Where Does Your Data Go?

http://vimeo.com/67102223


Page 31:

Where Should Your Data Go?


TORIX: > 130 Gbit/s

QIX: > 4 Gbit/s

OTTIX: > 350 Mbit/s

Page 32:

Critical Canadian Infrastructure @ IXPs


• Root DNS Servers (PCH via ICANN/IANA)

• .CA DNS Servers (via CIRA)

• NTP Time Sync Servers (via CIRA or IXP)

• Major Content Providers

– Google/Youtube

– Akamai

– Limelight

– Microsoft/Bing/Skype

Page 33:

IXP Walled Gardens


• Are you “in the club” or not?

• The “local-only” .CA DNS anycast nodes are reachable by members of the IXP only.

• Traffic from non-members never reaches these nodes, so an attack launched from outside the IXP cannot degrade .CA resolution for the members’ customers. (An attack sourced inside a member network still can, and non-members are served by the globally reachable nodes instead.)
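How a “local-only” anycast node stays inside the walled garden, as an added example that is not from the deck and does not describe CIRA’s actual configuration: the usual technique is to announce the node’s prefix to the IXP peers with the well-known BGP community NO_EXPORT (RFC 1997), which a receiving AS may install and use but must not re-advertise to any of its own eBGP neighbours, transit customers included. The topology, the AS names and the 192.0.2.0/24 prefix are constructed for the example.

```go
package main

import "fmt"

// AS is one network in the toy topology. Neighbours are eBGP sessions; whether
// a session is IXP peering or paid transit does not change the NO_EXPORT rule.
type AS struct {
	Name      string
	Neighbors []*AS
}

// Route is a prefix announcement with the one community that matters here.
type Route struct {
	Prefix   string
	NoExport bool // RFC 1997 well-known community NO_EXPORT (0xFFFFFF01)
}

// Propagate floods a route from its origin across the topology and reports which
// networks end up with a path to it. An AS that learned a NO_EXPORT route keeps
// it for itself: it is installed, but never re-advertised over eBGP.
func Propagate(origin *AS, rt Route) map[string]bool {
	has := map[string]bool{origin.Name: true}
	queue := []*AS{origin}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		// Only the originator advertises a NO_EXPORT route to eBGP neighbours.
		if rt.NoExport && cur != origin {
			continue
		}
		for _, n := range cur.Neighbors {
			if !has[n.Name] {
				has[n.Name] = true
				queue = append(queue, n)
			}
		}
	}
	return has
}

// link sets up a bidirectional eBGP session.
func link(a, b *AS) {
	a.Neighbors = append(a.Neighbors, b)
	b.Neighbors = append(b.Neighbors, a)
}

// NewTopology is the constructed scenario: the local .CA node peers at a Canadian
// IXP with two member ISPs; one member buys transit from a US carrier that also
// connects a remote network outside the IXP.
func NewTopology() (cira *AS, all map[string]*AS) {
	mk := func(n string) *AS { return &AS{Name: n} }
	cira = mk("CIRA-local-node")
	m1, m2, up, remote := mk("MemberISP-A"), mk("MemberISP-B"), mk("US-Transit"), mk("RemoteAS")
	link(cira, m1) // IXP peering sessions
	link(cira, m2)
	link(m1, up) // transit
	link(up, remote)
	all = map[string]*AS{cira.Name: cira, m1.Name: m1, m2.Name: m2, up.Name: up, remote.Name: remote}
	return
}

func main() {
	cira, _ := NewTopology()
	for _, rt := range []Route{{"192.0.2.0/24", true}, {"192.0.2.0/24", false}} {
		fmt.Printf("NO_EXPORT=%v reachable from: %v\n", rt.NoExport, Propagate(cira, rt))
	}
}
```

Members still have a path to the same service prefix from the globally reachable nodes through their transit; the local node simply wins their route selection because it is one IXP hop away, and a flood aimed at the prefix from outside the exchange lands on the global nodes rather than the local one.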

Page 34:

IXP Walled Gardens for .CA (cont.)


• Current walled-garden locations inside Canada

• Planned walled-garden locations inside Canada

(map; the cities marked are Calgary, Montreal, Ottawa, Toronto and Winnipeg)

Page 35:

.CA Global Vision


• Planned walled-garden locations inside of Canada

• Planned globally-reachable locations outside of Canada

Page 36:

Questions?
