Sunday, January 29, 2012

Dictionary Needed: IPv4-IPv6, French-English

I was fiddling with a London Underground ticket machine to purchase a "tube" (subway) ticket upon my arrival here today, and a couple on the next machine over started asking me questions...in French. Through gestures and pointing to the ticket machine screen display, I figured out that while the screen stated the Oyster card they wished to purchase covered the tram and bus, it did not mention use on the tube. I was experiencing some screen information shortcomings myself in desiring to purchase a zones 1-3 ticket, but only 1-1, 1-2 and 1-4 were offered. So given my prior research on the Oyster card and the incompleteness of our respective ticket machine user interfaces, I assured them that the Oyster card would work for the tube as well.

But this experience struck me later in the day in that we were only able to successfully communicate when we supplemented our verbal attempts at communication with gestures and visual clues. Had they rung me on my phone and asked me the same question, we would have gone around in circles with little likelihood of success. This naturally brought me back to one of my favorite topics, IPv6. Speaking French to an English (non-French) speaker is a lot like an IPv6 device trying to communicate with an IPv4 (non-IPv6) device: it will not work!

Of course if I was bi-lingual (analogous to dual-stack) we would have easily and natively communicated. Otherwise, if we had no visual ability, a translator would have been required, analogous to a protocol translation gateway for IPv4-IPv6. But as we know in speech translation, something usually gets "lost in the translation", which is possible in IP communications, especially for sophisticated IP applications like SIP traversing a translation gateway. By the way, the third technology of IPv4-IPv6 co-existence, tunneling, doesn't really apply to our analogy, which would have been more like I had written a note in English, sealed it in an envelope on which delivery instructions were written in French and asked my French friends to deliver it!

The bottom line is that if you want to communicate globally, speak the language! Keep learning and gearing up for IPv6! It's the Internet "language" of the future.


Thursday, January 26, 2012

Combat DNS Hijacking

Dark Reading reported this morning that the ufc.com, coach.com and coachfactory.com domains were hijacked using DNS attacks earlier this week. The attack was performed by hacking the DNS servers authoritative for these zones and re-pointing web addresses to the attacker's site. Anyone attempting to access UFC's or Coach's websites was unwittingly directed to the imposter's site. Apparently these domains were targeted due to their organizations' support of SOPA/PIPA anti-piracy bills. The attack was detected by a sudden large influx of web traffic at the attacker's hosting provider. Administrators monitoring the attacked domains' web resources would have noticed a corresponding drop in traffic, which is one way to detect such an attack.

Had these zones been signed via DNSSEC, perhaps the impact of this attack would have been minimized. This would have been the case if a) the attacker was unable to "re-sign" each zone after modifying it, which would have depended on whether the depth of the hack allowed the attacker to initiate zone signing, and b) the resolvers performed DNSSEC validation. While it's debatable whether an attacker having file access to a zone file also would have had access to run "dnssec-signzone" (or whether auto-signing was configured), it's probably more likely that the resolver would not have been configured to validate DNSSEC signatures in the first place and thereby detect that the signature did not match the returned resolution data.

If you aren't already aware, you should know that configuring DNSSEC validation is relatively simple with BIND 9.8 and above. Simply configure your recursive servers with the DNS root public key within a "managed-keys" statement, and set dnssec-enable and dnssec-validation to "yes" within the BIND configuration file. BIND supports additional DNSSEC options to configure recursive servers but the beauty of this is that once set up, it runs on "auto-pilot." The managed-keys statement instructs BIND to detect updates to the root zone key (as defined in RFC 5011) and to automatically update its "trust anchor" accordingly.
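A client-side check that a recursive server is really validating, as an added example (not from the original post and not part of BIND): it builds a query with the EDNS0 DO bit set and classifies a response by its AD flag and RCODE. The function names are illustrative and the response headers are constructed samples.

```python
import struct

QR_FLAG = 0x8000      # message is a response
AD_FLAG = 0x0020      # Authenticated Data: the resolver validated the answer
RCODE_MASK = 0x000F
SERVFAIL = 2          # what a validating resolver returns for bogus data

def build_query(name, qid=0x1234, qtype=1):
    """Wire-format query with RD=1 and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended rcode, version, flags (DO = 0x8000), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def classify(response):
    """Report what the resolver's header says about validation."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not (flags & QR_FLAG):
        raise ValueError("not a response (QR bit clear)")
    if (flags & RCODE_MASK) == SERVFAIL:
        return "servfail"      # a failed signature check surfaces here
    return "validated" if (flags & AD_FLAG) else "unvalidated"

def sample_response(flags):
    """Constructed header-only response used for the demonstration."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    samples = [("signed zone, validating resolver", 0x81A0),
               ("unsigned zone or no validation", 0x8180),
               ("signed zone, answer fails validation", 0x8182)]
    for label, flags in samples:
        print(f"{label:38s} -> {classify(sample_response(flags))}")
```

Sending the output of `build_query` over UDP port 53 to your own recursive server and passing the reply to `classify` shows whether answers from a signed zone come back as `validated`. SERVFAIL has other causes besides a failed signature check, so treat it as a prompt to investigate rather than proof of tampering.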

Of course DNSSEC validation is only useful if queried zones (and parent zones up to the root) are signed. But BIND releases are also progressing towards making the authoritative side of the equation easier as well (recursive servers ask, authoritative servers answer). BIND 9.9 promises some improvements in this area with in-line signing but does not yet automate key re-generation for automated rollovers. If you need an automated authoritative solution, check out BT Diamond IP's Sapphire Sx20 appliance, which enables creation of key, signature and rollover policies once, then it runs on "auto-pilot." DNSSEC cryptography technology is a bit foreign to DNS administrators; an automated solution can help provide the security required but minimize associated administrative support.

Tuesday, January 24, 2012

Happy Chinese New Year! Half a Billion Internet Users!

Global Times, a leading English news periodical in China, reported last week that the number of Internet users in China surpassed half a billion by the end of last (calendar) year, according to the China Network Information Center. According to the report, China now counts 513 million Internet users, up from about 457 million at the end of 2010, about 12% growth.

The question I've been trying to answer is how many of these 513 million users have IPv6 addresses vs. IPv4 addresses? As yet I have been unsuccessful in answering my own question. But I've found that Mike Leber from Hurricane Electric publishes a daily Global IPv6 Deployment Progress Report. This report lists the TLDs with IPv6 (surprisingly only 85.9% have IPv6 addressable name servers today), a summary of A and AAAA records for "next level domains" for each TLD, a summary of advertised autonomous systems (ASes) for IPv6 networks, top websites available over IPv6 and more.

The top websites statistic is an interesting one, which today indicates that about 1.1% of the top 1 million websites, as reported by Alexa, publish at least one AAAA record to advertise IPv6 reachability. I view this statistic as the "supply side" of the IPv6 supply and demand relationship. The "demand side" would be represented by the number of IPv6 user devices, or my as yet unanswered question, not only for China but worldwide. At some point in time, I expect this demand side will reach a level where organizations will want to participate in supplying IPv6 content. But having visibility to this demand curve is necessary to make this decision. So I'll keep fishing around but if anyone has any suggestions, please share them!

Thursday, January 19, 2012

Gearing up for World IPv6 Launch

What better time to unveil the IPv6 Resource Center at BT Diamond IP than immediately following the announcement about the World IPv6 Launch! We've amassed a variety of material on IPv6 that hopefully enables people to learn about IPv6, in whatever media they prefer - video, audio, webcast, or reading with white papers and books.

World IPv6 Launch is not a deadline to implement IPv6. It's another means of publicizing the need to consider IPv6 deployment - is it right for you and when? IPv4 space is pretty much gone in Asia so as new IP address consumers in that part of the world comprising over 60% of the world's population begin using broadband and wireless devices, IPv6 address use on the Internet will grow. The homogeneous IPv4 Internet of today will evolve to a mixed IPv4-IPv6 Internet.

How rapidly and to what proportion IPv6 will permeate this mix is unclear. But it makes sense to track this over time and to be ready should the IPv6 density reach a level where substantial potential customers and sellers are unreachable with IPv4-only Internet presence. This is the real decision point for deploying IPv6 for those with plenty of IPv4 address space: at what point will I be missing substantial inbound and outbound sales, collaboration, and partnering opportunities with organizations constrained to only an IPv6 Internet presence? For every organization, this critical "IPv6 density" point will differ - for example, for organizations serving primarily Internet users from Asia, this time will be sooner than those that do not.

I'd recommend estimating that date for you (if you ever believe it will happen) and working backwards to devise a plan to support an IPv6 Internet presence. With a plan at the ready, you can estimate the plan execution time (make sure you add some fudge time due to inevitable unforeseen issues) and be ready to invoke it with enough lead time to complete it by your IPv6 Density or "D-Day."

Where to start? We've put together the IPv6 Resource Center for your perusal of material about IPv6 technology, IPv4-IPv6 co-existence techniques, and even a recorded webinar outlining an IPv6 deployment plan template. Please don't hesitate to contact me with any feedback on the material or suggestions for coverage of additional topics.

Tuesday, January 17, 2012

From World IPv6 Day to World IPv6 Launch!

The Internet Society announced today that several major Internet companies have agreed to transform last year's World IPv6 Day success to a deeper commitment with World IPv6 Launch! The World IPv6 Launch is scheduled for June 6, 2012. Last year's event was a one-day "test flight" for IPv6. This year's launch promises a permanent enabling of IPv6 for not only major ISPs and websites, but also home networking equipment providers, which extends IPv6 to the "last mile" to residences.

The goal is to enable IPv6 for enough end users so that at least 1% of wireline residential subscribers' connections to participating websites use IPv6 by June 6. This may not sound like much but 1% of an estimated 500 million is 5 million users, which is substantial. This is an exciting time for Internet companies. The industry is moving deeper into IPv6. Are you ready?


Thursday, January 12, 2012

New gTLD program officially launched!

As of today, ICANN has opened the application process for new gTLDs! Applications for new generic top level domains are now being accepted through April 12, 2012. This is the first time that internationalized domain name (IDN) based gTLD applications are being accepted. Today sub-gTLD domain names may be defined in internationalized format and several country code TLDs (ccTLDs) have been in production for some time, but this is the first time that gTLDs may be defined.

So what's the big deal? Depending on what gTLDs are accepted, organizations may desire to register subdomains beneath new gTLDs in ASCII or IDN format. Considering that every marketing message from an organization includes a website address, advertising a fully native language URL (and of course content!) may facilitate marketing communications with audiences in certain parts of the world. For example, if your organization is attempting to reach or attract residents in India and a new gTLD is created using the native language Devanagari alphabet, creating a subdomain using the Devanagari alphabet may facilitate this reachability. Putting your information in your target customers' terms, down to the URL, can help improve communications and provide a competitive advantage.

Configuring DNS with IDNs requires no upgrades of DNS, but it does require conversion of native language characters, represented in Unicode, into ASCII which is required in DNS configuration files and the DNS protocol. This conversion process is a bit complex but the IPControl IPAM system automates this conversion to save time. If you'd like more details on IDN conversion for DNS configuration, please see our IDNA white paper, webinar replay or visit the ICANN gTLD website.
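The Unicode-to-ASCII conversion described above, as an added example that is not from the original post and is not how IPControl does it: it uses the IDNA codec in Python's standard library (IDNA2003, RFC 3490) to produce the ASCII name a zone file needs. The function names, the `.example` names and the 192.0.2.10 address are constructed for illustration.

```python
MAX_NAME = 253    # longest domain name in presentation form

def to_ascii(domain):
    """Unicode domain name -> ASCII form used in zone files and on the wire."""
    try:
        # The codec runs nameprep and Punycode on each label separately.
        ascii_name = domain.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError as exc:
        # Raised for empty labels, prohibited characters, or a label that
        # grows past 63 octets once it is Punycode-encoded.
        raise ValueError(f"cannot convert {domain!r}: {exc}") from exc
    if not ascii_name:
        raise ValueError("empty domain name")
    if len(ascii_name) > MAX_NAME:
        raise ValueError("name longer than 253 octets after conversion")
    return ascii_name.lower()

def to_unicode(ascii_name):
    """Reverse conversion, useful for showing zone contents to an operator."""
    return ascii_name.encode("ascii").decode("idna")

def zone_record(domain, rtype, rdata, ttl=3600):
    """Render one zone-file line with the owner name in ASCII form."""
    return f"{to_ascii(domain)}. {ttl} IN {rtype} {rdata}"

if __name__ == "__main__":
    # Constructed sample names: a Latin label with a diacritic and a
    # Devanagari label.
    for name in ["bücher.example", "उदाहरण.example"]:
        print(zone_record(name, "A", "192.0.2.10"))
    # A 60-character label fits the 63-octet limit in Unicode terms but
    # not after conversion, so it is rejected.
    try:
        to_ascii("ü" * 60 + ".example")
    except ValueError as err:
        print("rejected:", err)
```

The length check has to run on the converted name, because the ASCII form is longer than the native-language label it encodes.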