The Internet Protocol Journal, Volume 13, No.3

Fragments

Dr. Jianping Wu Receives Postel Award

The Internet Society (ISOC) recently awarded its prestigious Jonathan B. Postel Service Award for 2010 to leading Chinese technologist Dr. Jianping Wu for the pioneering role he has played in advancing Internet technology, deployment, and education in China and Asia Pacific over the last twenty years.

Dr. Wu's best-known contribution is the development of the China Education and Research Network (CERNET) which he designed and developed to be the first Internet backbone network in China. Created to establish a nation-wide advanced network infrastructure to support education and research among universities, CERNET has since become the world's largest national academic network. Since 1998, Dr. Wu has also devoted his time to the design and development of a large-scale native IPv6 backbone in China that now serves to connect over 200 universities and millions of users.

The Postel Award was established by the ISOC to honour individuals or organisations that, like Jon Postel, have made outstanding contributions in service to the data communications community. Commenting on its presentation to Dr. Wu, Lynn St. Amour, President and CEO of ISOC said: "Jianping Wu has dedicated his career in China to developing a broadly accessible Internet that brings people together. Twenty years ago, Dr. Wu recognized the importance and future impact of the Internet and the pivotal role it would play in terms of its impact on social reform, technology advancement and economic growth for China. He has worked tirelessly to bring his vision to life. As a result, the networks that resulted from his determination and hard work have played an important role in driving Internet development in China and have had a significant impact on the Internet worldwide."

ISOC presented the award, including a US$20,000 honorarium and a crystal engraved globe, during the 78th meeting of the Internet Engineering Task Force (IETF) in Maastricht, The Netherlands 25–30 July 2010.

DNSSEC Deployed in the Root Zone

On July 16, 2010 the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST) announced the completion of an initiative with the Internet Corporation for Assigned Names and Numbers (ICANN) and VeriSign to enhance the security and stability of the Internet.

The announcement marks full deployment of a security technology— Domain Name System Security Extensions (DNSSEC) [1]—at the Internet's authoritative root zone, which will help protect Internet users against cache poisoning and other related cyber attacks.

"The Internet plays an increasingly vital role in daily life, from helping businesses expand to improving education and health care," said Assistant Secretary for Communications and Information and NTIA Administrator Lawrence E. Strickling. "The growth of the Internet is due in part to the trust of its users—trust, for example, that when they type a website address, they will be directed to their intended website. Today's action will help preserve that trust. It is an important milestone in the ongoing effort to increase Internet security and build a safer online environment for users."

"Improving the trustworthiness, robustness and scaling of the Internet's core infrastructure is an activity that lines up strongly with NIST's mission, and we have been contributing to design, standardization and deployment of DNSSEC technology for several years," said NIST Director Patrick Gallagher. "The deployment of DNSSEC at the root zone is the linchpin to facilitating its deployment throughout the world and enabling the current domain-name system to evolve into a significant new trust infrastructure for the Internet."

The Domain Name System (DNS) is a critical component of the Internet infrastructure. The DNS associates user-friendly domain names (for example, www.commerce.gov) with the numeric network addresses (for example, 170.110.225.168) required to deliver information on the Internet, making the Internet easier for the public to navigate. The authenticity of the DNS data is essential to Internet use. For example, it is vital that users reach their intended destinations on the Internet and are not unknowingly redirected to bogus and malicious websites.

The DNS was not originally designed with strong security mechanisms, and technological advances have made it easier to exploit vulnerabilities in the DNS protocol that put the integrity of DNS data at risk. Many of these vulnerabilities are mitigated by the deployment of DNSSEC, which is a suite of Internet Engineering Task Force (IETF) specifications for securing information provided by the DNS.

A main goal of this action—DNSSEC deployment at the root zone—is to facilitate greater DNSSEC deployment throughout the rest of the global DNS hierarchy. While deployment of DNSSEC will protect Internet users from certain DNS-related cyber attacks, users must continue to exercise vigilance in protecting their information online.

ISOC Embraces DNSSEC

The Internet Society (ISOC) recently announced that it has deployed DNSSEC, a set of extensions to the DNS that provides a level of assurance, for its isoc.org domain. The announcement builds on an announcement by the Public Interest Registry (PIR) that they have implemented DNSSEC for the entire .org top-level domain.

"We are pleased to be among the first organisations in the .org top level domain to deploy DNSSEC, as DNSSEC provides an important building block for increasing user confidence in the Internet," said Lynn St.Amour, President and CEO of the Internet Society. "Implementing DNSSEC for the .org top-level domain is an important step in ensuring the global Internet serves as a trusted channel for communication and collaboration and we applaud the PIR's efforts in this area."

"DNSSEC acts like tamper-proof packaging to make sure that when you type in the website name of your bank you actually get the server IP address your bank wants you to use," said Leslie Daigle, Chief Internet Technology Officer of ISOC. "In this way, DNSSEC allows us to have more confidence in the online activities that are increasingly becoming a part of our lives at work, home, and school."

DNSSEC technology used today is the result of careful protocol engineering and standardization within the IETF; implementation by various DNS vendors; and operational trials by DNS operators. In addition to .org, DNSSEC is currently implemented by several country-specific top-level domains: Brazil (.br), Bulgaria (.bg), The Czech Republic (.cz), Puerto Rico (.pr), and Sweden (.se).

ISOC is a non-profit organisation founded in 1992 to provide leadership in Internet related standards, education, and policy. ISOC is the organisational home of the IETF. With offices in Washington, D.C., and Geneva, Switzerland, it is dedicated to ensuring the open development, evolution, and use of the Internet for the benefit of people throughout the world. For more information see: http://isoc.org

DNSSEC Fund Announced

In order to speed up the process of introduction a more secure global DNS infrastructure, the Netherlands-based charity NLnet Foundation has announced the creation of a global fund where open source projects can apply for grants to work on Domain Name System Security Extensions (DNSSEC) in their Internet applications.

DNSSEC is one of the key technologies for a safer Internet, as it allows the Internet user to know for sure that he or she is being sent to the right computer or service on the Internet. "If you type the name of your bank into a browser, you want to be sure that you are actually directed to a computer of that bank," said Michiel Leenaars, Director of Strategy at NLnet foundation. "Domain names are vital to the way we use the Internet, and without DNSSEC users are open to serious abuse."

DNSSEC provides a cryptographic seal of authenticity that gives real proof of the validity of the domain name you use when you visit a website, chat or send an e-mail. With DNSSEC you get a chain of trust from the root of the Internet to the service you want to connect to—opening the way for many new exciting opportunities for humans and computers to exchange information safely. DNSSEC is being gradually introduced worldwide.

The new fund will provide grants for reengineering important software to reliably work with DNSSEC. "The signing of the root through DNSSEC is a historical moment, but in a way it is only the beginning," said Leslie Daigle, Chief Internet Technology Office at the Internet Society. "Actual users will not fully benefit from protection in the more challenging situations as long as DNSSEC does not reach them." A great deal of work has already been done at the infrastructure level—most DNS servers such as BIND, NSD and Unbound now support the new technology. However, it will take a lot of work at the user level as well: operating systems, web browsers, e-mail servers, VoIP clients, and many other pieces of software need to be able to reliably work with DNSSEC.

"Every Internet user deserves to be protected by DNSSEC, yet currently almost no end user software is ready to take full advantage of the availability of DNSSEC," said Leenaars. "The IT community has a big responsibility in making sure that DNSSEC gets deployed across the board swiftly. We aim to accelerate the process significantly by putting some money on the table, and we invite other stakeholders to join us."

Since there are many applications and platforms that will require work, the NLnet Foundation is very open to cooperation with others as well as to targeted donations from interested stakeholders such as governments, registries and corporations.

The NLnet Foundation is a registered Netherlands charity with a long history of supporting Internet standardization. The foundation gained its capital from selling the first Dutch Internet Service Provider.

Potential applicants and collaborators can find more information at: http://nlnet.nl/dnssec

See also:

[1] Miek Gieben, "DNSSEC: The Protocol, Deployment, and a Bit of Development," The Internet Protocol Journal, Volume 7, No. 2, June 2004.

[2] Torbjörn Eklöv, and Stephan Lagerholm, "Operational Challenges when Implementing DNSSEC," The Internet Protocol Journal, Volume 13, No. 2, June 2010.

[3] http://www.dnssec.net/

Call for Papers: Internet Privacy Workshop

The Internet Architecture Board (IAB), World Wide Web Consortium (W3C), Internet Society (ISOC) and the Massachusetts Institute of Technology (MIT) will hold a joint Internet Privacy Workshop on December 8 and 9, 2010 at MIT, Cambridge, Massachusetts on the question:

"How Can Technology Help to Improve Privacy on the Internet?"

Information about who we are, what we own, what we have experienced, how we behave, where we are located, and how we can be reached are among the most personal pieces of information about us. This information is increasingly being made more easily available electronically via the Internet, often without the consent of the subject. The question for the workshop therefore is: How can we ensure that architectures and technologies for the Internet, including the World Wide Web, are developed in ways that respects users' intentions about their privacy?

This workshop aims to explore the experience and approaches taken by developers of Internet including Web technology, when designing privacy into these protocols and architectures. Engineers know that many design considerations need to be taken into account when developing solutions. Balancing between the conflicting goals of openness, privacy, economics, and security is often difficult, as illustrated by Clark, et al. in "Tussle in Cyberspace: Defining Tomorrow's Internet," see:

http://groups.csail.mit.edu/ana/Publications/PubPDFs/Tussle2002.pdf

As a member of the technical community, we invite you to share your experiences by participating in this important workshop. Workshop participants will focus on the core privacy challenges, the approaches taken to deal with them, and the status of the work in the field. The objective is to draw a relationship with other application areas and other privacy work in an effort to discuss how specific approaches can be generalized.

Interested parties must submit a brief contribution describing their work or approach as it relates to the workshop theme. We welcome visionary ideas for how to tackle Internet privacy problems, as well as write-ups of existing concepts, deployed technologies, and lessons-learned from successful or failed attempts at deploying privacy technologies. Contributions are not required to be original in content.

Submitters of accepted position papers will be invited to the workshop. The workshop will be structured as a series of working sessions, punctuated by invited speakers, who will present relevant background information or controversial ideas that will motivate participants to reach a deeper understanding of the subject.

The organizing committee may ask submitters of particularly topical papers to present their ideas and experiences to the workshop. We will publish submitted position papers and slides together with a summary report of the workshop. There are no plans for any remote participation in this workshop.

To be invited to the workshop, please submit position papers to privacy@iab.org by November 5, 2010. More detailed information about the workshop, including further details about the position paper requirements, is available at:

http://www.iab.org/about/workshops/privacy/

We look forward to your input,

Bernard Aboba (IAB)
Trent Adams (ISOC)
Daniel Appelquist (W3C)
Karen O'Donoghue (ISOC)
Jon Peterson (IAB)
Thomas Roessler (W3C)
Karen Sollins (MIT)
Hannes Tschofenig (IAB)

Organizations Urged to Stop Delyaing IPv6 Deployment

The Number Resource Organization (NRO), the official representative of the five Regional Internet Registries (RIRs) that oversee the allocation of all Internet number resources, recently unveiled the findings of a global, independent survey into organizations' IPv6 readiness. Funded by the European Commission and conducted by GNKS Consult and TNO, the study reveals that the majority of organizations are taking steps toward IPv6 deployment, as the IPv4 address pool continues to deplete rapidly.

IP addresses are critical for the operation of the Internet. Every Internet-enabled device needs an IP address to connect to the rest of the network. The biggest threat facing the Internet today is that less than 6% of the current form of IP addresses, IPv4, remains and the pool is likely to be completely depleted next year. This means that organizations need to adopt IPv6, the next-generation addressing protocol. There is a far larger pool of IPv6 addresses, allowing for more devices to connect to the Internet and helping to safeguard the sustainable growth of the Internet.

The survey, which polled over 1,500 organizations from 140 countries, highlights that organizations are increasingly aware of the need to deploy IPv6: approximately 84% already have IPv6 addresses or have considered requesting them from the RIRs. Only 16% of respondents have no plans to deploy IPv6 addresses.

The study also demonstrates that there are some misconceptions around the cost of adopting IPv6. Over half of all respondents noted that the cost of deployment was a major barrier for IPv6 adoption. While organizations might delay investing in IPv6, this may ultimately result in greater costs, with last-minute deployment and poor planning likely to increase the investment required.

Of the 84% of respondents that have requested IPv6 addresses or have considered doing so, three-quarters reported the need to stay ahead of competition as the main reason for IPv6 adoption. Half of these respondents also noted that a lack of available IPv4 space was a major driver for deployment. When asked about issues they had encountered when deploying IPv6:

  • 60% cited the lack of vendor support as a major barrier for deployment. However, most of the latest hardware and software support IPv6. The RIRs are strongly urging organizations to check with their suppliers to ensure that the technologies they use are IPv6 compatible.
  • 45% reported a struggle to find knowledgeable technical staff to support deployment. However, all five RIRs arrange technical training to facilitate an efficient IPv6 deployment, details of which can be accessed via the NRO website.

Fifty-eight percent of all organizations polled were ISPs. It is likely that respondents to this survey are further ahead in IPv6 deployment than ISPs overall, but all organizations should ensure that their ISP offers or plans to offer services over IPv6. Out of the polled ISPs:

  • Approximately 60% already offer, or plan to offer within the next year, IPv6 to consumers.
  • 70% already offer, or plan to offer within the next year, IPv6 to businesses.
  • Only about 10% of polled ISPs have no plans to offer IPv6 to consumers or businesses.

Axel Pawlik, Chairman of the NRO, commented: "It's great to see that as we move toward complete IPv4 exhaustion, more organizations worldwide are waking up to the need to adopt IPv6 and are sourcing IPv6 addresses from the RIRs."

"Yet there is still a distinct lack of Internet traffic over the next addressing protocol, with not enough ISPs offering IPv6 services and 30% of ISPs saying the proportion of this traffic is less than 0.5%. It's critical that ISPs now take the next step in the global adoption effort by offering IPv6 services to their customers to help boost traffic over IPv6."

Per Blixt, Head of Unit in the Information Society and Medias at the European Commission, said:

"It's encouraging to see that so many organizations have made IPv6 adoption their priority. Still, as the Internet becomes increasingly important for global socio-economic development, it's critical that those who are still sitting on the fence act now on IPv6. Only by ensuring that all organizations adopt IPv6 can we ensure the sustainable growth of the digital economy worldwide."

This survey is a follow-up to a study conducted in 2009 amongst organizations in Europe, Middle East and parts of Central Asia, as well as Asia Pacific; however this year's survey polled organizations worldwide. The full research report is available at:

http://www.nro.net/documents/GlobalIPv6SurveySummaryv2.pdf

The NRO exists to protect the pool of unallocated Internet num- bers (IP addresses and AS numbers) and serves as a coordi- nating mechanism for the five RIRs to act collectively on matters relating to the interests of RIRs. For further information, visit http://www.nro.net

The RIRs are independent, not-for-profit membership organizations that support the infrastructure of the Internet through technical coordination. There are five RIRs in the world today. Currently, the Internet Assigned Numbers Association (IANA) allocates blocks of IP addresses and ASNs, known collectively as Internet Number Resources, to the RIRs, who then distribute them to their members within their own specific service regions. RIR members include Internet Service Providers (ISPs), telecommunications organizations, large corporations, governments, academic institutions, and industry stakeholders, including end users.

The RIR model of open, transparent participation has proven successful at responding to the rapidly changing Internet environment. Each RIR holds one to two open meetings per year, as well as facilitating online discussion by the community, to allow the open exchange of ideas from the technical community, the business sector, civil society, and government regulators. Each RIR performs a range of critical functions including: The reliable and stable allocation of Internet number resources (IPv4, IPv6 and Autonymous System Number resources); The responsible storage and maintenance of this registration data; The provision of an open, publicly accessible database where this data can be accessed. RIRs also provide a range of technical and coordination services for the Internet community. The five RIRs are:

AfriNIC: http://www.afrinic.net

APNIC: http://www.apnic.net

ARIN: http://www.arin.net

LACNIC: http://www.lacnic.net

RIPE NCC: http://www.ripe.net