In response to Bill St. Arnaud's "Dead Men Walking" presentation at the Internet Society's ION Conference in Toronto on November 14, 2011, Jacques Latour, Director of Information Technology, Canadian Internet Registration Authority (CIRA), laid out why he believes there is much promise ahead for both IPv6 and DNSSEC and explained the work they have done at CIRA, their IPv6 adoption strategy, architecture guidelines and more.
A video recording of the session will be available for viewing. Details will be posted at http://www.isoc.org/do/blog/ when the video is available.
More information about the global series of ION conferences can be found at http://www.isoc.org/ion/
1. Good Men Rising: IPv6 & DNSSEC
Canadian Internet Registration Authority (CIRA)
Jacques Latour
ION - Toronto, November 14, 2011
2. About CIRA
  1. Operate the .CA Registry
    § Registrant ↔ Registrar ↔ Registry → .CA DNS
  2. Operate the .CA Top Level Domain
    § Root “.” ↔ “.CA” ↔ 2nd Level .CA domains
    § Internet Users ↔ ISP ↔ “.CA”
  3. Do good things for the Canadian Internet
    § Promote digital literacy, Canadian Internet Forum
    § Promote IPv6, DNSSEC, NTP and Canadian IXPs
3. IPv6 Adoption Strategy
• IPv6 Discovery & Research
• Perform an IPv6 Readiness Assessment
• Define IPv6 Objectives (can’t do everything)
• Develop a Project Plan
• Develop a detailed IPv6 Architecture & Design
• Development, testing and pilot mode
• Implement in production
• Monitor
Not a migration, not a transition, coexistence!
4. IPv6 Objective - WEB Content
• Not everything needs to be IPv6 on day 1
  – World IPv6 Day, June 8, 2011
• Internet Perimeter & DMZ (www.cira.ca)
• IT Organization
• Permanent
• Presence
• Support
[Diagram labels: IPv6 Glue Records; CIRA Secondary Registry; DNS Servers; Primary; IPv6; WWW; IPv4; a.ca-servers.ca; c.ca-servers.ca; …. (j & sns-pb); m.ca-servers.ca; z.ca-servers.ca; Internet; Registry; Backup; IT Corporate Operations Network]
Try www.cira.ca on IPv6, or http://[2001:500:80:2::12]/
5. IPv6 Architecture Guidelines
“Rules of engagement”
• Keep IPv4 as-is
• Dual Stack
  – All systems participating in the IPv6 implementation must support a concurrent IPv4 and IPv6 stack
• No IPv6 Tunnelling
  – Usage of IPv6 tunnelling mechanisms such as ISATAP, Teredo, 6to4, 6rd are disabled and not permitted
• Native IPv6 Transit
  – IPv6 transit must support IPv6 natively without the use of tunnelling
• No Network Address Translation (NAT)
  – NAT66, NAT64 & NAT46 technologies not permitted
Security Policy Template available at www.cira.ca/knowledge-centre/ipv6
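
A small audit for the "No IPv6 Tunnelling" and "No NAT" rules above, added here as an illustration and not taken from the CIRA slides: it flags addresses in a host inventory whose prefix or interface identifier marks them as Teredo, 6to4, ISATAP or NAT64. The inventory is constructed (only the www.cira.ca address comes from slide 4); 6rd and NAT66 use operator-chosen prefixes, so they cannot be recognised from the address alone and are out of scope.

```python
import ipaddress

# Well-known prefixes: Teredo (RFC 4380), 6to4 (RFC 3056), NAT64 (RFC 6052).
TEREDO = ipaddress.ip_network("2001::/32")
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")

# Constructed sample inventory (documentation ranges, plus the slide-4 address).
SAMPLE = [
    "2001:500:80:2::12",                     # www.cira.ca from slide 4
    "192.0.2.10",                            # IPv4 side of a dual-stack host
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo-formatted address
    "2002:c000:204::1",                      # 6to4, embeds 192.0.2.4
    "fe80::5efe:192.0.2.1%eth0",             # ISATAP link-local with zone id
    "64:ff9b::c000:201",                     # NAT64 well-known prefix
]


def classify(addr: str) -> str:
    """Return the transition mechanism an address implies, else 'native'/'ipv4'."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # strip any zone id
    if ip.version != 6:
        return "ipv4"
    if ip in TEREDO:
        return "teredo"
    if ip in SIX_TO_FOUR:
        return "6to4"
    if ip in NAT64_WKP:
        return "nat64"
    # ISATAP (RFC 5214): the interface identifier starts with 0000:5efe or
    # 0200:5efe, followed by the embedded 32-bit IPv4 address.
    iid_high = (int(ip) >> 32) & 0xFFFFFFFF
    if iid_high in (0x00005EFE, 0x02005EFE):
        return "isatap"
    return "native"


def audit(addresses):
    """Return {address: mechanism} for every address that breaks the policy."""
    findings = {}
    for addr in addresses:
        mechanism = classify(addr)
        if mechanism not in ("native", "ipv4"):
            findings[addr] = mechanism
    return findings


if __name__ == "__main__":
    for addr, mechanism in audit(SAMPLE).items():
        print(f"policy violation: {addr} ({mechanism})")
```

The ISATAP check is a heuristic on the interface identifier; confirm a hit against the host's interface list before treating it as a violation.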
6. IPv6 Benefits
• It works!
• Some say it’s old
• I say it’s new
• Let’s make it work in Canada!
• Enabler for future growth
• We have to think globally
7. DNSSEC
• Developed by propeller heads :)
8. DNS → Safe & Trusted
• Security extensions on top of DNS to provide authentication of DNS data
9. A Platform for Innovation
• DANE (DNS-based Authentication of Named Entities)
• Application can use DNSSEC for enhanced security
• A ‘new’ technology to be leveraged
10. CIRA – DNSSEC Status
• CIRA actively working on signing the .CA zone
11. Thank you!
http://ca.movember.com/mospace/2531386