DNSSEC and Internet Development - Uppsala University
DNSSEC and Internet Development
Patrik Wallström, R&D, .SE
Wednesday, March 9, 2011
About .SE
Domain Administration
Internet Development
Financing
User Benefit
The Charter
“The purpose of the Foundation shall be to promote good stability in the infrastructure of the Internet in Sweden and to promote research, training and education in data and telecommunications, particularly with a focus on the Internet. In doing so, the Foundation shall prioritise areas that increase the efficiency of the infrastructure for electronic data communication, whereby the Foundation shall, among other things, disseminate information about research and development work, initiate and carry out research and development projects, and carry out qualified investigations. The Foundation shall in particular promote the development of the management of domain names under the top-level domain "se." and other national domains relating to Sweden.”
All sorts of things!
About me!
Work at .SE
• Systems development
  • Wb
  • Automation, Regulations 3.0
  • IDN, Swedish characters, Yiddish
  • Niceasy-project
• DNSSEC
  • Standardization
  • Implementation
  • Prototype web management interface
• OpenDNSSEC
  • Architecture
• Healthcheck
  • Measure the whole Internet!
DNS attack tree
Privacy
Cache Snooping
NSEC walk
Denial of Service
DNS Servers
System/Application crash
Specially crafted packet
Resource starvation
DoS attack
Distributed DoS attack
Network infrastructure
Core infrastructure
Server-edge infrastructure
Client-edge infrastructure
Data integrity
Repository corruption
Outdated information
(D)DoS on hidden master
Modified information
Master compromised
Secondary compromised
Social engineering
Domain hijacking
Social engineering
System corruption
Resolver compromised
Host break-in
Client compromised
Malware
Protocol issues
Cache poisoning
Open recursion
Too liberal with additional info
Query prediction
Fixed port numbers
Weak ID algorithm
Man-in-the-middle
Non-secure network path
DNS-history
1983 Paul Mockapetris invents the DNS and implements the first server: Jeeves.
1986 Formal IETF Internet Standard. Two RFCs describe DNS: 1034 and 1035.
1988 DNS begins to catch on across the Internet.
1990 Steven Bellovin discovers a major flaw in the DNS. As DNS is already widely deployed on the Internet, the report is kept secret until 1995. In those years research is started on a more secure replacement of DNS.
1995 The article from Bellovin is published and DNSSEC (as it became known) becomes a topic within the IETF.
1997 RFC2065, a predecessor of 2535, is published.
1999 RFC2535 is published by the IETF. The DNSSEC protocol looks to be finally finished. BIND9 is developed to be the first DNSSEC capable implementation.
1999-2001 Although the RFC is finished and BIND is DNSSEC ready, deployment is stalling.
DNS-history contd
2001 Experiments show [3] that the key handling in RFC2535 is causing operational problems that would make deployment difficult if not impossible.
After various ideas and drafts (sig@parent) a new record was proposed: the DS RR, Delegation Signer resource record. With this record the operational problems of DNSSEC would be solved. Because this record has the special property of only existing at the parent zone, it introduced some difficulties in the DNS protocol itself. Deployment of DNSSEC looks possible now, but the current code (i.e. BIND9) does not understand the new DS record.
It is decided to rewrite 2535 into three new drafts:
draft-ietf-dnsext-dnssec-intro - an introduction into DNSSEC
draft-ietf-dnsext-dnssec-records - introduces the new records
draft-ietf-dnsext-dnssec-protocol - details the protocol changes
2002-2003 The drafts are getting more refined and better. BIND9 snapshots start appearing that are capable of handling the new DNSSEC standard (2535bis).
NLnet Labs decided to run a new experiment called SECREG (secure registry) to test 2535bis. The results of this experiment are documented in [4]. In short, the experiment showed that 2535bis is ready for deployment.
DNS-history contd
2004 The expectation is that the drafts are to be finished this year and that even the RFC could be published before 2005. Currently BIND9.3 and higher and NSD2 and higher are capable of handling 2535bis DNSSEC.
2005 The three new drafts are on their way to the RFC editor. This means the new standard is almost official. Now we only have to wait for DNSSECbis to become the new standard.
2005 - March: The RFCs are published:
RFC 4033 DNS Security Introduction and Requirements
RFC 4034 Resource Records for the DNS Security Extensions
RFC 4035 Protocol Modifications for the DNS Security Extensions
2005 - September: .SE is the first TLD to be signed.
.SE and DNSSEC
2006
Feb 16, 2007
Standards development
Automation
Market
Sept. 2007
Softstart of service
Project start 2001
Signed .SE-zone, Sep 2005
Commercial launch of .SE-DNSSEC
RFC4033, 4034, 4035, March 2005
Tools
Dissemination
What is DNSSEC?
root
.se .dk .org
iis.se sunet.se dn.se foo.se
. DNSKEY
. RRSIG DNSKEY
se. DS
se. DNSKEY
se. RRSIG DNSKEY
sunet.se. DS
sunet.se. DNSKEY
sunet.se. RRSIG DNSKEY
www.sunet.se. A 127.0.0.1
www.sunet.se RRSIG A ...
New record types
• DNSKEY
  • KSK / ZSK
• DS
• RRSIG
• NSEC / NSEC3
• NSEC3PARAM
And some algorithms
Algorithm Field   Algorithm            Source
0                 Reserved
1                 RSA/MD5              RFC4034
3                 DSA/SHA-1            RFC4034
5                 RSA/SHA-1
7                 RSASHA1-NSEC3-SHA1   RFC5155
8                 RSA/SHA-256          RFC5702
10                RSA/SHA-512          RFC5702
12                GOST R 34.10-2001    RFC5933
DNSKEY
iis.se. IN DNSKEY 257 3 5 ( ; KSK
    wEAAcq5uqe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs
    LNVHF61lcxe504jhPmjeQ656X6tdHpRz1DdPOukcIITjIRoJHqSXXyL6gUluZoDUK6vpxkGJx5m5n4boRTKCTUAR9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iKE9FhqPeIpzU9dnXGtJZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioq
    qxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151Dy
    wuSxbGjAlxk= )
iis.se. IN DNSKEY 256 3 5 ( ; ZSK
    AwEAAdancK9+0Il/tuXCBylBiUpNq4RGzDE2uQ6+nb6Un0myCJFzaN3
    bzSMjAU5xlt6vnAfFZkRNKANu06j2zYjRbQucYfLEq69GIKOBnSHA46H
    7uUDqM32KEL+KflIlQvFpXW2/r835mP9+dtlsa860Kf1n2ye/77I9QtC
    gBeZ5okF )
iis.se. IN RRSIG DNSKEY 5 2 3600 20090205084501 20090126084501 18937 iis.se. (
    DiNYYelgXcgIi6+xevjgqSy/ilcWmu52LkcKk9AwoWbcBrf1Zag8gowv
    8S0LWJjKUO2aYRy53VvU/nkI20AJBuec/PYtEw7pK8Z3fMFspQZeqR8Z
    kTQv6+l5w1n1UUKIzRNtFG5FEH5zSdb5sOL8YEyIUVScuHewmtkwoN+M
    dWkoB5IEb3IuT57LgiQPxMogFRH9xoR/DrP299pvBQ78dgmbCwHxQCVG
    orGY1XHbvfwndsqrnFmBxrxu6DwZitXSCVHWgsiMMVE/rhKpdlCwl3uZ
    WJ4vipACelaqjdqpZG2sLbfKpeK44WeMTiaSgypDQVnXdDaP0g7mMk3o
    0xGLXQ== )
iis.se. IN RRSIG DNSKEY 5 2 3600 20090205084501 20090126084501 27345 iis.se. (
    DLAB4SbzYw9YEs3rj0vE3eXmA6J3HiFIi0jgO3wVtnwnCzn9J5iSuTUn
    b1iUjsk4TpwuF6tf4udo9L1lAQPGyw+qLzEKdfQ+G02n1rvcSBDU8pPT
    MsgyCz6DV+TJ/oGkCVi4grUycj4q5rtCRToL4Icdx+F91moY0yW2LO6T
    qMw= )
RRSIG
g.ns.se. 172682 IN A 130.239.5.114
g.ns.se. 172682 IN AAAA 2001:6b0:e:3::1
g.ns.se. 172682 IN RRSIG A 5 3 172800 20100311000326 (
    20100304101819 40935 se.
    IbCqCAa63j6uf0o52b4JDCvkl/VHlXJCcbwpfxiizySY
    qBXkHSHJw/vDn9he8EApSzJehfXQoUa2oySukuCHssdv
    IayAonD1LG1RP1SQnxTe3iwWPcNQjMIofBn0cY2/FlVR
    W4H5WIeS2DwZpLRr7IAM51OZRGIg8aUnzfrnML8= )
g.ns.se. 172682 IN RRSIG AAAA 5 3 172800 20100310041411 (
    20100304101819 40935 se.
    Qo4JViec7dgJY1+LcpYqVoJA65Gxf9xRyCGlkZW2Xf3n
    +tO6/6jsdK+OWF9tWrtJH0xlRdeiiEu2FJU4iV+EBtZN
    1zEiy7Gyehe6UA+oAZ4s3CRfYrD+QKoZ4D6uoIucAN5g
    3H96l+Ad++tEniQtuqCzbgFVSzsBl+hMUaMEJrg= )
Delegation Signer
iis.se:
iis.se. IN DNSKEY 257 3 5 ( ; KSK
    AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs
    +LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+X
    XyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC
    3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMw
    Q4H9iKE9FhqPeIpzU9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioq
    qxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151Dy
    wuSxbGjAlxk= )
.se:
iis.se. IN DS 18937 5 2 B5C422428DEA4137FBF15E1049A48D27FA5EADE64D2EC9F3B58A994A6ABDE543 ; DS
iis.se. IN DS 18937 5 1 10DD1EFDC7841ABFDF630C8BB37153724D70830A ; DS
If you have more KSK keys, you get more DS records in the parent zone.
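How the DS records on this slide relate to the child's KSK, as an added example that is not part of the original presentation: the key tag is computed per RFC 4034 Appendix B, the DS digest is a hash over the owner name plus the DNSKEY RDATA, and the last function is the parent/child match a validator performs. The owner name child.example. and the short key bytes are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # the two DS digest types on the slide


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire format of a fully qualified owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int):
    """Return (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def matching_keys(owner: str, ds_set, dnskey_rdatas):
    """DNSKEYs that the parent's DS set vouches for.

    An empty result with a non-empty DS set means the delegation cannot be
    validated, e.g. after a KSK rollover where the parent was never updated.
    """
    trusted = []
    for rdata in dnskey_rdatas:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & 0x0100:  # Zone Key bit must be set
            continue
        for tag, alg, dtype, digest in ds_set:
            if dtype not in DIGESTS or tag != key_tag(rdata) or alg != rdata[3]:
                continue
            if make_ds(owner, rdata, dtype)[3] == digest.upper():
                trusted.append(rdata)
                break
    return trusted


# Constructed sample data: 4-byte placeholder "keys", algorithm 5 as on the slide.
OWNER = "child.example."
KSK = dnskey_rdata(257, 3, 5, "AQIDBA==")      # flags 257: Zone Key + SEP
ZSK = dnskey_rdata(256, 3, 5, "BQYHCA==")      # flags 256: Zone Key only
NEW_KSK = dnskey_rdata(257, 3, 5, "CQoLDA==")  # rolled key, no DS published yet
PARENT_DS = [make_ds(OWNER, KSK, 1), make_ds(OWNER, KSK, 2)]

if __name__ == "__main__":
    for ds in PARENT_DS:
        print(OWNER, "IN DS", *ds)
    print("trusted keys:", len(matching_keys(OWNER, PARENT_DS, [KSK, ZSK])))
    print("after rollover:", len(matching_keys(OWNER, PARENT_DS, [NEW_KSK, ZSK])))
```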
Zonefile without DNSSEC
@ IN SOA ns.nic.se. hostmaster.iis.se. (
        2009012701 ; serial
        10800      ; refresh (3 hours)
        3600       ; retry (1 hour)
        604800     ; expire (1 week)
        86400      ; minimum (1 day)
        )
    NS ns.nic.se.
    NS ns2.nic.se.
    NS ns3.nic.se.
    MX 10 cleaner.prod.iis.se.
$ORIGIN iis.se.
www IN A 212.247.7.210
A signed zone
@ IN SOA ns.nic.se. hostmaster.iis.se. (
        2009012501 ; serial
        10800      ; refresh (3 hours)
        3600       ; retry (1 hour)
        604800     ; expire (1 week)
        86400      ; minimum (1 day)
        )
    RRSIG SOA 5 2 86400 20090131030501 (
        20090125030501 53069 iis.se.
        BGZ3AMUQ3GL3yowBrrLhV9Sa8s47nmXm2ci6ZjC4kCickw5Wo1d+zSPpV9SL4hVF0XwYOtP
        fNAcGh7BaasK/jhDLMBzoI4O5ZujV0erUj/U2or27WEinUu+q5zeLiPrPy4pG654dZ+0y9aT
        7NwvCkxliKoaVlweyU4UafyxA8U= )
    NS ns.nic.se.
    NS ns2.nic.se.
    NS ns3.nic.se.
    RRSIG NS 5 2 86400 20090131030501 (
        20090125030501 53069 iis.se.
        sPbCYM62YiB0ciIBev+As97d/oTXVy/97EV6JITcod4xUWMjAIcuAyoFdYpGTEddAfe8xK+w
        D1nwSJLAleA7uefzOOClCxS/pIJq8Hbh92nZ0VN30wTEHk8mb97ivWrRxAqUQaeINSOei5Zh
        /J8ymfL9X639SvO2y5jHiXeZ0JM= )
    MX 10 cleaner.prod.iis.se.
    RRSIG MX 5 2 86400 20090131030501 (
        20090125030501 53069 iis.se.
        L+EZ/NDc5/PTDx6PLOkAUJOUdbd50bYAqNpA/WQq3s8l6g5she6A5IpgtR7BQ4zF2XtnDX0G
        vE7Zxqi6iWE/Pyd1iVxChi7NmgzK7siazfYl R7fFE+ZPSAfIHjAafD5scmk2OOIMaZzvhkk8
        nYzqbCCC0gVgurXsx8nycOUZbTM= )
    DNSKEY 257 3 5 ( ; KSK
        BQEAAAABuM9XroBb7Qrrz3winhL2vgNOEKDqTwiajUt/lYn9Z6GlPjd2hAsubgm+tXGKs2qo
        kdfsvCOVljiyRA885uI2o2S5ELLFlCw4LiJbedAAuJXNDvwwB8Xf8tYwxxh82fZ9JqwqD+n6
        E31w/aL0UlGuIh7PWE/lMj+O8iMv3croHScHkfVxtz9aF2fRI2QwXCjcrvS5i06Ss14Af2bB
        BUrX0y8cXKI9AulrWZIniWLIce6b88yzxPuqJaNjOg8LFC1tMsSm6aeEKErQgJaeMJheRo4P
        WFitdMB9FpCH/6ylVEbZJpm/hKOZp2uedh8AmxmSDhUM7bMngQmXD/qpgrApqQ==
        ) ; key id = 27840
    RRSIG DNSKEY 5 2 3600 20090131030501 (
        20090125030501 53069 iis.se.
        Kco8fH1BINR2xVe4kTtFBbjKtLe0BFvhP9iZWxgR9DCqKVK5VzxnTcLAJGF8xjwq0W8IUZws
        GSgWyOsx7bzrfoMNlkutYP14nTJio5zjX4heSx2C4Dx33egg0IlM/iur52O7KWEF7AC7l+ra
        RP3GGTCu7Ls0kGc2GDGNxothr8A= )
    NSEC www.iis.se. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY
    RRSIG NSEC 5 2 86400 20090131030501 (
        20090125030501 53069 iis.se.
        KOFHUf1ZB+e/AxGdMkTkq9W461AjFjxLHBrMRt5ULZ4+lfMsYHw5VSecMq61VabhXO5ziOCj
        B1vK4BYrUeC+xAMFWJzn6xsLMDj/MMjM5d2iZhjE1zPc2sX42M6er1fjF9rw3qjWCFTLdy8Z
        CTsiw0Ou7ESX6afYwkb7QkTdL9g= )
Zone distribution
a.ns.se b.ns.se c.ns.se d.ns.se e.ns.se f.ns.se g.ns.se h.ns.se i.ns.se j.ns.se
Philby Burgess
.SE
Customer Database
Zone file generator
KSK ZSK
Key generator
Zone signer
.SE's DNSSEC-signer
.SE
Customer Database
Zone file generator
name servers
distribution point
distribution point
Smartcard
Zone signer
HSM
User interfaces
Or even simpler
exempel.se DNSSEC
Value chain
root
.se .dk .org
iis.se sunet.se dn.se foo.se
Registrars
DNS Resolver
I.e. ISPs
Applications
Internet users
Support in applications
Key material in DNS!
DKIM
SSHFP
IPSEC
DANE - SSL/TLS in DNS
Incidents
“The BIND bug”, 21 Sept 2007
Faulty zone file, 12 Oct 2009
DNSCheck
OpenDNSSEC
John A Dickinson
What is OpenDNSSEC
• Simplifies the process of signing one or more zones
• Minimizes the load of key management for the systems administrator
• Open source software with BSD-license
• Simple to integrate in current infrastructure
• Key storage and hardware accelerated crypto with PKCS#11
OpenDNSSEC Overview
• SoftHSM is a software implementation of a keystore with PKCS#11.
• Can be used to test the PKCS#11 interface without a real HSM.
• SoftHSM is developed as a component within the OpenDNSSEC project.
• Uses Botan and SQLite.
• SoftHSM makes it possible to use OpenDNSSEC with software only.
The goal of the IETF is to make the Internet work better.
The mission of the IETF is to produce high quality, relevant technical and engineering documents that influence the way people design, use, and manage the Internet in such a way as to make the Internet work better. These documents include protocol standards, best current practices, and informational documents of various kinds.
- RFC 3935
Open process - any interested person can participate in the work, know what is being decided, and make his or her voice heard on the issue. Part of this principle is our commitment to making our documents, our WG mailing lists, our attendance lists, and our meeting minutes publicly available on the Internet.
Technical competence - the issues on which the IETF produces its documents are issues where the IETF has the competence needed to speak to them, and that the IETF is willing to listen to technically competent input from any source. Technical competence also means that we expect IETF output to be designed to sound network engineering principles - this is also often referred to as "engineering quality".
Volunteer Core - our participants and our leadership are people who come to the IETF because they want to do work that furthers the IETF's mission of "making the Internet work better".
Rough consensus and running code - We make standards based on the combined engineering judgement of our participants and our real-world experience in implementing and deploying our specifications.
Protocol ownership - when the IETF takes ownership of a protocol or function, it accepts the responsibility for all aspects of the protocol, even though some aspects may rarely or never be seen on the Internet. Conversely, when the IETF is not responsible for a protocol or function, it does not attempt to exert control over it, even though it may at times touch or affect the Internet.
Its mission includes the following:
o Identifying, and proposing solutions to, pressing operational and technical problems in the Internet
o Specifying the development or usage of protocols and the near-term architecture to solve such technical problems for the Internet
o Making recommendations to the Internet Engineering Steering Group (IESG) regarding the standardization of protocols and protocol usage in the Internet
o Facilitating technology transfer from the Internet Research Task Force (IRTF) to the wider Internet community
o Providing a forum for the exchange of information within the Internet community between vendors, users, researchers, agency contractors, and network managers
Note Well
Documents
I-D - Internet-Draft - working document
RFC - Request for Comments
All RFCs in a standards-track or Best Current Practice (BCP) category, as well as some Informational and Experimental RFCs, originate within the IETF process and reach the RFC Editor through the IESG. Members of the IESG include the IETF Area Directors (ADs), who are responsible for sets of related working groups. These working groups develop documents that may be approved for publication as RFCs by the ADs with IESG concurrence.
Independent Submissions
Anyone can write an Internet-Draft and independently submit it to the RFC Editor for possible publication as an RFC (Informational or Experimental category only). It will be published after review, and perhaps revision, for technical competence, relevance, and adequate writing. It will also be reviewed by the RFC Editor and by the IESG for possible conflict with the IETF process. Once this has been completed successfully, independent submissions enter the same publication process as IETF submissions.
STD - Internet Standard
Document status
Experimental
Informational
Standards Track - Proposed Standard - Draft Standard - Standard
Best Current Practice
Historic
Unknown
Flow...
Drafts
Area                                              Description
-----------------------------------------------------------------
Applications (APP)                                Protocols seen by user programs, such as email and the web
General (GEN)                                     Catch-all for WGs that don't fit in other areas (which is very few)
Internet (INT)                                    Different ways of moving IP packets and DNS information
Operations and Management (OPS)                   Operational aspects, network monitoring, and configuration
Real-time Applications and Infrastructure (RAI)   Delay-sensitive interpersonal communications
Routing (RTG)                                     Getting packets to their destinations
Security (SEC)                                    Authentication and privacy
Transport (TSV)                                   Special services for special packets
dnsext
Start a working group!
Propose - propose an idea, for example on an area list.
Establish - a mailing list for discussing the idea. It is easy to apply for a list at the IETF, and it is a good place to run it since the same IPR policies apply to all of those lists.
Convince - an Area Director must be convinced that it is a good idea and an interesting area for a working group to work on.
Charter - name and acronym, which people are to be chairs, mailing list, purpose - what is to be produced and why. Goals and milestones - when the working group is to produce what is expected. Editors for the documents.
Send to the AD
Grind it through the IESG
IETF in Stockholm
The IETF meeting is not a conference, although there are technical presentations. The IETF is not a traditional standards organization, although many specifications are produced that become standards. The IETF is made up of volunteers, many of whom meet three times a year to fulfill the IETF mission.
Dress Code
Since attendees must wear their name tags, they must also wear shirts or blouses. Pants or skirts are also highly recommended. Seriously though, many newcomers are often embarrassed when they show up Monday morning in suits, to discover that everybody else is wearing T-shirts, jeans (shorts, if weather permits) and sandals. There are those in the IETF who refuse to wear anything other than suits. Fortunately, they are well known (for other reasons) so they are forgiven this particular idiosyncrasy. The general rule is "dress for the weather" (unless you plan to work so hard that you won't go outside, in which case, "dress for comfort" is the rule!).
Seeing Spots Before Your Eyes
Some of the people at the IETF will have a little colored dot on their name tag. A few people have more than one. These dots identify people who are silly enough to volunteer to do a lot of extra work. The colors have the meanings shown here.
Color    Meaning
--------------------------------------
Blue     Working Group/BOF chair
Green    Host group
Red      IAB member
Yellow   IESG member
Orange   Nominating Committee member
(Members of the press wear orange-tinted badges.)
It is important that newcomers to the IETF not be afraid to strike up conversations with people who wear these dots. If the IAB and IESG members and Working Group and BOF chairs didn't want to talk to anybody, they wouldn't be wearing the dots in the first place.
In many ways, the IETF runs on the beliefs of its members. One of the "founding beliefs" is embodied in an early quote about the IETF from David Clark: "We reject kings, presidents and voting. We believe in rough consensus and running code". Another early quote that has become a commonly-held belief in the IETF comes from Jon Postel: "Be conservative in what you send and liberal in what you accept".
IPv4 has run out!
2011-02-03
IANA hands out the last five /8s!
Master's thesis!
Earlier:
 - DKIM+DNSSEC
 - Internet of Things, RFID+DNS
 - Analysis of data from Bredbandskollen
Thank you!