Posts

Showing posts from 2014

DNSSEC Survey Report

BT Diamond IP just published its latest report detailing the results of its DNSSEC industry survey, conducted in November 2014. This year's survey yielded strong participation from active DNSSEC deployers, meaning those who have already deployed or are deploying DNSSEC. While not likely representative of overall industry deployment status, opinions regarding complexity and business case as obstacles, and the lack of interest in hardware security module (HSM) appliances for private key storage, prove insightful. Among the key findings of the survey: Nearly all respondents agreed with the statement that DNSSEC can or does provide value to their organization, and over 85 percent likewise agreed that DNSSEC technology is mature and can be reliably deployed. Forty-seven percent of respondents agreed that deploying and maintaining DNSSEC is very complex, 12 of the 47 percent strongly. Only 22 percent disagreed. This is rather telling in that DNSSEC is not only considered complex to the uninitiated, bu

You're invited to participate in our DNSSEC Survey

Signing DNS data with DNSSEC enables an organization to authenticate its published DNS information, such as the address records behind its web addresses, i.e., to secure its namespace. DNSSEC also protects the clients of a recursive resolver against DNS cache poisoning attacks when DNSSEC validation is enabled on that resolver. As such, DNSSEC is a critical component of a comprehensive DNS security strategy, which should also include functional and port access control lists (ACLs), transaction signature (TSIG) keys to sign dynamic updates and zone transfers among servers, detection of DNS anomalies, and possibly domain name filtering or firewalling to restrict communications between malware-infected devices and their command and control servers. BT Diamond IP is sponsoring a DNSSEC survey to gather input from DNS and network administrators regarding their opinions about the value of DNSSEC, potential obstacles to implementation, and relative priority of deployment. And you are hereby invited to participate! The survey consists of twelve que

What Exactly is a DNS Firewall?

When you think of an Internet firewall, you likely think of a gateway device which examines IP packets flowing through it and which selectively blocks or redirects those packets meeting certain criteria. Such criteria may include filtering parameters such as IP addresses or ports, such that when an IP packet under inspection matches those parameter settings, the packet is blocked or otherwise handled according to policy settings. A DNS firewall performs similar examination and policy handling functions for DNS queries, blocking unwelcome DNS resolutions and thereby the data traffic that would follow them. Another common assumption associated with Internet firewalls is that they are deployed on the perimeter of a network with the intention of protecting the network from attacks originating external to the network. DNS firewalls, however, protect the network against attacks that originate within the network. Why worry about internal attacks if morale is sky high and IP firewalls are seemingly impervious? With the proliferat
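To make the "examination and policy handling for DNS queries" concrete, here is a small policy engine of the kind a DNS firewall applies before the resolver answers. This is an added example, not code from the post or from any BT Diamond IP product. The rules, the 10.0.0.0/8 "internal" range, the 10.255.255.254 sinkhole address and the query log are all constructed for illustration; a real deployment would load policy from a feed (e.g. a response policy zone) rather than a Python list. The example goes slightly beyond the text in showing two design points a practitioner hits immediately: rule order (an allow-list exception must precede the broad block rule it carves out of) and the choice between answering NXDOMAIN and steering the client to a sinkhole that logs the follow-on connection.

```python
"""A minimal DNS-firewall policy engine: every query from an internal client
is checked against a policy set before the resolver is allowed to answer it.

Added example, not the blog's own code. The rules, network ranges, sinkhole
address and query log below are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    pattern: str   # "bad.example" covers the name and every subdomain;
                   # "=cdn.bad.example" matches that exact name only
    action: str    # "passthrough" | "nxdomain" | "sinkhole"
    reason: str


@dataclass(frozen=True)
class Verdict:
    action: str
    answer: Optional[str]   # sinkhole address when action == "sinkhole"
    reason: str


def normalize(qname: str) -> str:
    return qname.lower().rstrip(".")


def rule_matches(rule: Rule, qname: str) -> bool:
    if rule.pattern.startswith("="):
        return qname == normalize(rule.pattern[1:])
    pat = normalize(rule.pattern)
    return qname == pat or qname.endswith("." + pat)


class DnsFirewall:
    """Evaluates queries in rule order; the first match wins, so allow-list
    exceptions must precede the broader block rules they carve out of."""

    def __init__(self, rules: List[Rule], internal_nets: List[str], sinkhole: str):
        self.rules = rules
        self.internal = [ip_network(n) for n in internal_nets]
        self.sinkhole = sinkhole
        self.events = []   # (client, qname, action, reason): what the SOC reviews

    def evaluate(self, client: str, qname: str) -> Verdict:
        qname = normalize(qname)
        src = ip_address(client)
        # Policy is only enforced for clients inside the protected networks;
        # the point is to catch infected internal hosts calling out.
        if not any(src in net for net in self.internal):
            return Verdict("passthrough", None, "external client, no policy")
        for rule in self.rules:
            if rule_matches(rule, qname):
                answer = self.sinkhole if rule.action == "sinkhole" else None
                if rule.action != "passthrough":
                    self.events.append((client, qname, rule.action, rule.reason))
                return Verdict(rule.action, answer, rule.reason)
        return Verdict("passthrough", None, "no matching rule")


# Constructed policy: a known C2 domain is sinkholed so the infected host's
# follow-on connection lands on a logging host instead of the attacker;
# a known-bad exact name gets NXDOMAIN; one subdomain is explicitly allowed.
POLICY = [
    Rule("=updates.c2-bad.example", "passthrough", "vetted exception"),
    Rule("c2-bad.example", "sinkhole", "known C2 domain"),
    Rule("=dropper.evil.example", "nxdomain", "malware download host"),
]

# Constructed query log: (client IP, queried name)
SAMPLE_QUERIES = [
    ("10.1.2.3", "beacon.c2-bad.example."),
    ("10.1.2.3", "updates.c2-bad.example"),
    ("10.9.9.9", "dropper.evil.example"),
    ("10.9.9.9", "www.evil.example"),          # sibling, not covered by the exact rule
    ("203.0.113.7", "beacon.c2-bad.example"),  # external client: outside this policy
]


def run_sample() -> Tuple[List[tuple], List[tuple]]:
    """Returns (per-query verdicts, logged events) for the constructed log."""
    fw = DnsFirewall(POLICY, ["10.0.0.0/8"], sinkhole="10.255.255.254")
    rows = []
    for client, qname in SAMPLE_QUERIES:
        v = fw.evaluate(client, qname)
        rows.append((client, normalize(qname), v.action, v.answer))
    return rows, fw.events


if __name__ == "__main__":
    rows, events = run_sample()
    for row in rows:
        print(row)
    print("logged:", events)
```

The events list is the part worth wiring into your SIEM: a sinkholed or NXDOMAIN'd query names the internal client that tried to reach the bad domain, which is exactly the infected-host signal the post says perimeter firewalls miss.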

IPv6 Growth Inflection Point

Now that the percentage of IPv6 users accessing Google's websites has reached 4%, I decided to revisit my prior post projecting IPv6 growth. Assuming that people around the world use Google, as it sits atop Alexa's list of top websites, such a measurement provides data that can be loosely projected to the Internet at large. It took just 140 days for the IPv6 user rate to climb from 2% to 3%, and interestingly only 140 days from 3% to 4%. Is IPv6 growth going linear? Or, more likely, have we just passed an inflection point beyond which growth will accelerate? Reiterating our view that the historical IPv6 user data is comprised of two segments, the first being the nearly linear component of near-zero penetration up through 2011, and the second representing the present growth phase, we plot the measured IPv6 penetration since the end of 2011. Applying both exponential and second-order polynomial curve fittings as before in Figure 1, we see that our exponential curve, the

Take our annual IPv6 survey to celebrate World IPv6 Launch

On this second anniversary of World IPv6 Launch, are you among the growing population of those having deployed IPv6? The World IPv6 Launch site has a nice infographic to commemorate the anniversary which indicates growing IPv6 momentum. The Internet Society links to several measurement sites, many of which indicate an increasing volume of IPv6 traffic. Whether you have already deployed IPv6 or you have no plans at all, you are invited to complete our annual IPv6 survey. This year's survey is very similar to those of prior years in order to help us identify trends and changing perceptions about IPv6. The survey should take about five minutes to complete, so we invite you to let us know what you think. We're also going to be drawing the name of one survey respondent to whom we will award a $100 Visa gift card, so I invite you to complete the survey.

Internet only has room for another 1.4% of world pop

As I pondered my prior post regarding ARIN's announcement of its IPv4 address capacity dwindling down to a single /8, I began to wonder how long it would be before those supporting only IPv4 communications would feel the impact. The "impact" of ignoring IPv6 may be the inability to communicate with THE growth segment of the Internet. Once IPv4 is totally depleted, ALL growth will by necessity utilize IPv6. And this total depletion time may come very soon. As I pointed out in that post, the sum total of IPv4 address space that's available globally is about 0.1 billion. Truthfully, ISPs that obtain space from RIRs, and enterprises that obtain space from ISPs, likewise have their own stock of IPv4 capacity, but once the RIRs run out, there will be no additional space to be had. Consider that the 0.1 billion IP addresses represent a mere 1.4% of the world's population of 7.2 billion. One simple-minded conclusion would be that the IPv4 Internet can support a mere 1.4% increase in Interne

ARIN Reaches Final Stage for IPv4 Address Space

ARIN today announced that it is now down to its last /8 of IPv4 address space. This is the point at which remaining IPv4 capacity is considered "depleted" and more stringent allocation policies are put into effect, as outlined in the announcement. The analogous depletion state was announced, and similar policies enforced, by APNIC in 2011 and by RIPE NCC in 2012. LACNIC crossed the /8 threshold in 2011 but will engage its depletion policies when it reaches one /11 (2.1M IP addresses). The last /8 threshold means the RIR has about 16.8 million IPv4 addresses available, which may seem like a lot, but each allocation to an ISP or customer consists of hundreds if not thousands of IP addresses. Hence the more stringent allocation policies to extend the lifetime of IPv4 a bit longer. You can follow the current outlook on IPv4 lifetime by RIR on Geoff Huston's potaroo site, summarized below and updated with this recent ARIN information: RIR Projected Exhaustion Date Remaining /8s

Predicting IPv6 Growth

Upon hearing the news that Google's measurement of IPv6 users hitting their websites reached 3% of total users, having just surpassed 2% in September 2013, I became less skeptical of the exponential growth predictions for IPv6. Under the assumption that people around the world use Google, which sits atop Alexa's list of top websites, such a measurement provides data that can be loosely projected to the Internet at large. To explore this uptick in hits, I sampled some data points from Google's statistics site in an attempt to create a future projection. Figure 1: A pair of curve fittings for Google IPv6 users data. In my first attempt at "curve fitting," I considered quarterly data points going back to early 2009, when Google started measuring IPv6 visitors. Applying curve fitting to these data points, I created the chart of Figure 1, with sample data points represented as blue diamonds. Applying an exponential curve to this data set yields the more gradually slopin

New gTLD Update: Signed TLDs Now Outnumber Unsigned TLDs

In the six weeks since I blogged about the emergence of new generic Top Level Domains (gTLDs) in the root zone, eighty-four new gTLDs have been delegated. This brings the total number of TLDs, including country code TLDs (ccTLDs), to 427. Of the recently added eighty-four gTLDs, nine are internationalized, and this brings us to fifty internationalized TLDs, comprising a mix of both gTLDs and ccTLDs. And thanks to the signing requirement of the new gTLD program, all eighty-four domains are signed with DNSSEC. This brings the number of signed TLDs to 235, with 229 having delegation signer (DS) records in the root zone. Signed TLDs under which you register domain names streamline the process for resolvers to validate your signed namespace, provided the TLD's DS record is in the root zone: without that link, a resolver would need a separately configured trust anchor for the TLD. With it, resolvers need only maintain the root zone public key (trust anchor) to validate signed subtrees of the global DNS namespace. As long as each domain along this chain down to your zone is signed, a r
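The chain described above (root trust anchor, DS record in the parent, DNSKEY in the child, repeated down to your zone) is worth seeing as code, because the most common DNSSEC outage in practice is a DS in the parent that no longer matches the child's KSK. The block below is an added example, not code from this post, the survey invitation above, or any BT Diamond IP product. It implements the two pieces of RFC 4034 a validator uses to link one level to the next: the key tag (Appendix B) and the DS digest, which is the hash of the owner name in canonical wire form followed by the DNSKEY RDATA (section 5.1.4). It then walks a constructed three-level chain (root, example., corp.example.) and reports the three outcomes a validating resolver distinguishes. All keys are placeholder bytes, not real key material, and signature (RRSIG) verification is deliberately omitted so the example runs offline; a real validator also checks that each DS and DNSKEY set is signed by the keys above it.

```python
"""Check DS -> DNSKEY linkage and walk a DNSSEC chain of trust (RFC 4034).

Added example, not the blog's own code. The keys below are constructed
placeholders, not real zone keys, and RRSIG verification is deliberately
left out so the block runs offline without a crypto library.
"""
import hashlib
import hmac
from dataclasses import dataclass


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, ending with the root's zero-length label (RFC 4034 s6.2)."""
    name = name.lower().rstrip(".")
    wire = b""
    for label in (name.split(".") if name else []):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int        # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int     # always 3
    algorithm: int    # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int  # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes


_DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(canonical owner name | DNSKEY RDATA) (RFC 4034 s5.1.4).
    This is the record you hand to the parent zone or registrar."""
    h = hashlib.new(_DIGEST_ALGS[digest_type])
    h.update(name_to_wire(key.owner) + key.rdata())
    return DS(key.owner, key.key_tag(), key.algorithm, digest_type, h.digest())


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    """True if the DS published in the parent really points at this DNSKEY."""
    if ds.owner.lower().rstrip(".") != key.owner.lower().rstrip("."):
        return False
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    return hmac.compare_digest(make_ds(key, ds.digest_type).digest, ds.digest)


def validate_chain(trust_anchor: DNSKEY, zones: dict):
    """Walk parent-first through `zones`, each entry being
    {"keys": [DNSKEY, ...], "ds": {child_name: [DS, ...]}}.

    Returns (zones reached securely, status): "secure"; "insecure" when a
    parent publishes no DS (unsigned delegation, answers below it are not
    validated); or "bogus" when a DS exists but no DNSKEY matches it, e.g. a
    KSK rolled without updating the parent (validators return SERVFAIL).
    """
    names = list(zones)
    reached = []
    if trust_anchor not in zones[names[0]]["keys"]:
        return reached, "bogus"
    reached.append(names[0])
    for parent, child in zip(names, names[1:]):
        ds_set = zones[parent]["ds"].get(child, [])
        if not ds_set:
            return reached, "insecure"
        if not any(ds_matches(ds, k) for ds in ds_set for k in zones[child]["keys"]):
            return reached, "bogus"
        reached.append(child)
    return reached, "secure"


# Constructed placeholder keys (32 arbitrary bytes each, not real key material).
ROOT_KSK = DNSKEY(".", 257, 3, 13, b"root-ksk-placeholder-public-key!")
EXAMPLE_KSK = DNSKEY("example.", 257, 3, 13, b"example-ksk-placeholder-pubkey!!")
CORP_KSK = DNSKEY("corp.example.", 257, 3, 13, b"corp-ksk-placeholder-public-key!")
CORP_KSK_ROLLED = DNSKEY("corp.example.", 257, 3, 13, b"corp-ksk-rolled-but-ds-not-updtd")


def example_zones(corp_key: DNSKEY = CORP_KSK, publish_corp_ds: bool = True) -> dict:
    """Three-level chain root -> example. -> corp.example. (all constructed)."""
    return {
        ".": {"keys": [ROOT_KSK], "ds": {"example.": [make_ds(EXAMPLE_KSK)]}},
        "example.": {"keys": [EXAMPLE_KSK],
                     "ds": {"corp.example.": [make_ds(CORP_KSK)]} if publish_corp_ds else {}},
        "corp.example.": {"keys": [corp_key], "ds": {}},
    }


if __name__ == "__main__":
    print(validate_chain(ROOT_KSK, example_zones()))                          # secure
    print(validate_chain(ROOT_KSK, example_zones(corp_key=CORP_KSK_ROLLED)))  # bogus
    print(validate_chain(ROOT_KSK, example_zones(publish_corp_ds=False)))     # insecure
```

The "bogus" case is the one to remember when you roll a KSK: publish the new DS in the parent and wait for the old DS TTL to expire before retiring the old key, or every validating resolver on the Internet will refuse your zone. Comparing `make_ds(your_ksk)` against the DS the parent actually serves is a quick pre-rollover check.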