TWNIC introductionInternet governance extended elaboration

Kenny Huang, Ph.D.CEO & director of the boardhuangk@twnic.net.twFeb 06 2017

黃勝雄博士

Organization structure

2

Business domain

3

Domain name registration

4

Oc 31 2017 updated

Domain name distribution

5

Domain name growth pattern

6

Registrars distribution

7

Domain name dispute resolution

8

Total 266 dispute resolution

Oct 31 2017 updated

IP addresses & as number allocation

9

Global ranking for IP addresses allocation

10

Oct 31 2017 updated

IPv6 ranking

11

排名 國家 IPv6 % IPv4位址數量 國家人口數 每人分配 IPv4數

1 比利時 60.54 28,449,408 11,429,336 2.48

2 印度 50.7 41,652,992 1,339,180,127 0.03

3 德國 41.9 120,176,768 82,114,224 1.46

4 美國 40.62 1,609,354,240 324,459,463 4.96

5 瑞士 39.48 20,150,152 8,476,005 2.37

6 希臘 36.97 5,624,064 11,159,773 0.5

7 盧森堡 29.81 1,422,336 583,455 2.43

8 英國 27.21 122,889,240 66,181,585 1.85

9 日本 25.02 203,653,632 127,484,450 1.59

10 葡萄牙 23.7 6,624,544 10,329,506 0.64

： 　

66 台灣 0.38 35,522,048 23,626,456 1.5

Oct 31 2017 updated

Taiwan ipv6 updated

12

•政府單位：

–4,366 個IPv6外部服務升級比例達 100%。

–1,210 個政府單位參與 IPv6內部網路升級規劃並提交規劃書。其中 100 個單位已完成升級，規劃在 107年底

前完成IPv6內部網路升級的政府單位共 679 個。

–持續推動 10,003 處 iTaiwan 熱點進行 IPv6 啟動，105年完成321個熱點升級 IPv6 ，106年預計5,965個(73%) 熱

點升級IPv6。

•學術網路：

–推動各學校電腦教室、宿舍網路及校務人員網路 啟動連線IPv6網路。

–學術網路 IPv6 流量持續成長，出國流量為 3.2Gbps，約為 IPv4 流量的 20%；流入為 1.6Gbps，約為 IPv4 流量

的 12%。

ISP ipv6 user availability

13

Oct 16 2017 updated

ISP IPv6 availability

14

15

ISP ipv6 survey

16

　 Cable Modem上網 光纖(FTTx)上網 WiFi無線上網 4G行動上網 4G VoLTE

已提供 　 中華電信,教育部,國發會

　 　 　

2017年 　 香港商第一線,台灣基礎開發

　 　 　

2018年 新彰數位, 全國數位 台灣智慧光網　 中華電信,新彰數位

中華電信,遠傳電信,台灣之星

台灣之星

大於

2018年台灣寬頻, 世新有線, 大新店

民主有線,東亞有線, 洄瀾有線, 和記環

球, 天外天有線,天外天網路, 鋐捷

台灣固網, 台灣碩網,大台北寬頻, 大大寬頻, 寶島

聯網, 天外天有線, 天外天網

路, 新永安,

安源通訊 台灣大哥大, 亞太電信

中華電信, 亞太電信

無建置計

畫

凱擘, 台灣基礎開發, 大大寬

頻, 台固媒體, 大台中數位, 超宇

新世紀資通, 凱擘,亞太電信, 宏遠,大台中數位, 超宇,

超宇 　 　

4g operators ipv6 trial

17

Cybersecurity

18

19

Secure namespace - dnssec

20

International affairs

21

Publications

22

Connectivity

23

Taiwan broadband survey

24

Conferences and Charity

25

Post transition :complementary functions

26

內容、媒體、服務

網路邏輯層 (naming, addressing, routing)

實體網路基礎設施

Fill the gap

Change

27

● Institution○ Competent authority

■ Stewardship transition for the core Internet functions

○ Bylaws ○ Governing body (Chairman / Board of Directors)○ Executive team

● Operation○ Business goals alignment○ Strategic planning○ Operating planning

28

ccTLD world mapSource : Nominet

Redefining Cyberspace

Where do we want to go

29

Exemplary Registry

Exemplary Internet Registry(EIR)

Exemplary ccTLD Registry(ECR)

Mandatory Performance Baseline

Potential constructs

30

ECR Potential Constructs (.org registry)

❖ Customer service❖ DNS Performance❖ Policy Position❖ Outreach and community based initiatives❖ Financial management❖ Marketing and communication

EIR Potential Constructs (APNIC)

❖ Serving members 80%❖ Regional development and outreach 10%❖ Global cooperation 5%❖ Corporate 5%

Compound Constructs1. Serving members2. DNS performance3. Marketing and communication4. Global cooperation and policy leadership5. Outreach and development6. Corporate (Financial management)

TWNIC @2030

31

● Top 10 ccTLD registries○ Serving members, DNS performance, marketing, outreach and development, policy leadership

● Top 10 IPv6 adoption (60th @2018.01)○ Serving members, outreach and development, policy leadership

● Tier 1 Internet partner with core Internet organizations (ICANN, APNIC,ISOC, APTLD.)○ qualitative and quantitative measurements ?

○ No1 Internet youth forum in Taiwan (members > 100K)

● Tier 1 DNS infrastructure operator○ DNS availability, RRT, query capacity

● Internet policy leading org. (tw)

● Capital reserve > 60 months

Additional issues● IX policy document (abandon / terminated / revision/ re-activation ..)

● CDNC roadmap

● ICANN issues○ GAC position, PTI country code ISO3166-2, ..etc.

● Policy position and policy statements○ digital diplomacy, digital economy, cyberspace jurisdiction, ..etc.

32

Multistakeholder model : adjusting stakeholder groups

33

Domain name stakeholders

registrar registrant

BEFORe

after

Implementation

34

● Expanding global coverage of .tw name holders○ expanding global accredited registrars○ Improving DNS service quality ○ Developing IDN (internationalized domain names) services in different

countries■ 日文、韓文、泰文 ..

● 翻轉域名 service evaluation○ rapid domain forwarding to an identified destination (url)

● Corporate registrant due diligence service evaluation● DNSSEC deployment strategy evaluation● .TW certificate service evaluation (e.g. DANE)

DANE : DNS-BASED AUTHENTICATION OF NAMED ENTITIES (RFC6698)● Powerful combination

○ TLS=encryption○ DNSSEC=strong integrity protection○ DANE=TLS+DNSSEC

● How do you know if the TLS certificate is the correct one○ Store the certificate in DNS and sign them with DNSSEC○ A browser that understand DNSSEC and DANE will then know when the

required certificate is NOT being used○ Certificate stored in DNS is controlled by the domain name holder. It could be a

certificate signed by a CA - or a self-signed certificate.

35

36

Multistakeholder model : adjusting stakeholder groups

37

IP addresses stakeholders

ISPOperators, corporate

BEFORe

after

Implementation

38

● Developing corporate IP members ○ From ISP to operators (online operators, corporate ..etc)○ Leveraging IPv4 exhaustion policy (/22 for each member) ○ Community engagement

● Capacity building for IPv6 adoption○ Capacity building was designed for end users with local trainers○ Capacity building now is designed for tier 1 ISPs with well-known Internet gurus

● RPKI service

Internet Routing Registry● Routing registries are queried by upstream providers for

○ Route filters updates, ensuring stability and consistency of routing information shared via BGP

○ Better control on BGP traffic, example to avoid BOGONS.

● If ISPs don’t have objects in a routing registry, then he need to create new objects to avoid being filtered by upstream providers○ Based on the planned routing policy, other objects need to be created (AS-SET,

ROUTE-SET)○ For routing purposes not all objects are needed. It depends on the situation and

routing policy

39

Commercial Routing registry database● RADB

○ Routing Assets Database (Routing Arbiter Database)○ Many upstream providers requested RADB registration

● Fee (Merit RADB)○ For-profit Maintainer agrees to pay a fee of Four Hundred Ninety Five United

States Dollars (USD$495) for each maintainer object to be registered in the RADb.

○ Non-profit Maintainer agrees to pay a fee of Three Hundred Ninety Five United States Dollars (USD$395) for each maintainer object to be registered in the RADb.

40

RPSL● RPSL

○ Routing Policy Specification Language RFC2622

● Purpose of RPSL○ RPSL was designed for Internet Service Providers (ISPs) to publish their routing

policies. Since the introduction of RPSL, many ISPs publish their policies in public Internet Routing Registries. Such as RIR Routing Registry.

41

Fragmentation within RPSL● Two primary sources: RIPE WHOIS and RADB

○ A kind of ‘europe’ / ‘rest of the world’○ Content can conflict. Which one is right?

● Other sources, APNIC, AfriNIC, JPNIC … less globally applied○ Content is visible in several sources○ ISP specific (e.g. NTT) with automated customer-AS routing○ National scope (JPIRR) with strong checks

● Lack of visible cohesion. What determines ground-truth○ If IRR conflict ?○ If IRR are incomplete?○ If IRR include data with no visible linkage to origin assigning registry?

42

APNIC Internet Routing Registry (WHOIS)● Whois

○ The APNIC Whois Database can be used to publish information about the routing of Internet number resources

● Maintain route filters○ Using IRR to manage route filters typically requires use of software like the

irrtoolset or rtconfig.

● Routing policies○ Simple routing assertion can be made by creation of

inetnum/inet6num/aut-num and associated route objects with no optional data○ Recording network routing policy by using the policy specification language

(RPSL). (RFC2622; RFC2650)

43

Benefit of APNIC WHOIS● Free● Easy maintenance

○ Same set of objects are used (aut-num, maintainer ..etc)

● Security○ Route objects are tied to aut-num; created only by APNIC Hostmasters○ Only “holder” of prefixes can create route objects for given inetnum○ Considerable reduced risk of hijacking

44

What is RPKI● Chain of resource allocation certification● APNIC allocates address resources to NIR (TWNIC). TWNIC

allocates address resources to ISPs or IP members.● With RPKI, APNIC certifies for TWNIC. TWNIC certifies for ISPs

or IP members

45

ISP

IP member

IP member

Who● IETF (SIDR WG, IDR WG), routing and security area

○ Technical specifications, researchers, implementers

● RIR, TWNIC and ISP○ Database, registration, cryptographic key management○ Resource certification for resource holder

● BGP routing operators, researchers, web service operators○ Input security requirements into IETF

46

When

47

Year chronicle

1997 The basic concept of RPKI and Secure BGP

1999 Technical draft (I-D) for resource certification

2004 RFC3779

2006 The first SIDR WG meeting

2008 YouTube incident

2009 Some of RIR started resource certification

2012 RPKI capable BGP routers

● Routing table in BGP routers○ Misused IP address information is propagated between AS.○ Depends on network topology

● Affected area : reachability○ E.g., Global web service

Where

48

Why

49

● Why IP address is misused?○ Faking users of DNS server, web server, etc.○ For sending SPAM from temporary IP address

● Why resource certification?○ Detecting allocated/assigned IP address prefix + finding correct AS who should

use the IP address = misused IP address is detected.

● Why RPKI is good to deploy○ Misused IP address can be found with origin validation. It is good inputs for BGP

operation avoiding receiving malicious traffic (SPAM. etc).■ BGP operators can find own IP address faked without RPKI. But with RPKI, for other also can be.

How● How misused IP address in BGP routing are conducted?

○ By configuring BGP routers■ Fat finger, mis-typing■ Intentional use of victim’s IP address or unused IP address

● How RPKI is used?○ Registry issues resource certificate and LIR creates ROA○ BGP operators compare ROA and route.○ BGP operators change their router configuration

50

How much● Does misused IP address have any economic value ?

○ Yes, recent example: an advertisement area in a website has paybacks when unreachable from Internet. Untraceable zombie hosts for SPAM email sending.

● The free of charge for getting resource certificate and ROA currently○ Operational cost in the registries, for giving certificates to provide information

integrity

● Operational cost in BGP routing○ When BGP operators face a misused IP address, they do their incident action.

Investigation, testing, negotiation with their peer.

51

ROA Content● It is able to be used to find misused IP address in the Internet

○ Origin validation = validation of BGP routes ○ whether IP address prefix is used properly in Internet routing

● ROA content○ Original autonomous system number○ Prefix○ Validity dates○ When a ROA is signed, it has a cryptographically provable chain to the source of

authority allowing that IP to be advertised by that ASN

52

What it look like

53

54

Coverage for RPKI and RPSL

● Not all BGP is in RPSL, but much more is in RPSL than in RPKI● Most RPSL is outside of RPKI● Most RPKI is covered in RPSL

55

RPKI deployment status

56

Source: RIPE

Three Route States● Valid

○ Prefix is covered by a valid ROA

● Unknown○ No ROA exists for this prefix

● Invalid○ Unauthorized announcement

■ Mismatch between authorized ASN and originating ASN, split origin■ More specific announcement that valid ROA allows ■ Expired ROA

57

What to do with this data now● With 95% of the table in the unknown state, probably nothing● In a fully deployed RPKI environment, do you

○ Reject unknown, invalid routes?○ Set LOCALPREF low ?○ Set Community, put in a VRF?

● Still under operational development● Study RFC6483

58

Public Resources

59

Secure internet routing - RPKI

60

Problem solved

61

When● When does TWNIC begin to provide RPKI service ?

○ Study team has been established○ Lab operation will be completed in June 2018○ Planned soft launch in the end of 2018

62

BGPsec - RFC8205

63

BGPsec

64

US Internet governance : open

65

China Internet governance : censorship

66

Internet governance regime 1/2

67

資料來源: Laura DeNardis; 黃勝雄博士整理

TWNIC直接相關

TWNIC間接相關

Internet governance regime 2/2

68

資料來源: Laura DeNardis; 黃勝雄博士整理

TWNIC直接相關

TWNIC間接相關

Major institutions in IG regime

69

National and global issues

70

Digital diplomacy : internet regime for taiwan engagement

71

● ICANN○ 政府代表 GAC; 國家頂級域名ccNSO; 頂級域名gNSO; 位址社群 ASO; 社群團

體At-Large; 網路安全 SSAC● APEC TEL● APNIC亞太網路資訊中心

○ APNIC會員; 國際合作組Communication SIG; 國家註冊管理局組 NIR SIG; 政策組 Policy SIG; APNIC 基金會

● APrIGF亞太網路治理論壇○ 政府單位; 學術研究機構; 企業; 社群或個人

● IETF 網際網路社群: 研究機構; 企業或個人● APAN亞太先進網路: 研究機構網路● APTLD亞太頂級域名組織: ccTLD管理者● CERT 電腦網路危機處理中心

72