TWNIC introduction
Internet governance extended elaboration
Kenny Huang, Ph.D. (Dr. 黃勝雄), CEO & director of the board
[email protected]
06 2017
Organization structure

Business domain

Domain name registration
Oct 31 2017 updated

Domain name distribution

Domain name growth pattern

Registrars distribution

Domain name dispute resolution
Total: 266 dispute resolutions
Oct 31 2017 updated

IP addresses & AS number allocation

Global ranking for IP addresses allocation
Oct 31 2017 updated

IPv6 ranking
Rank  Country      IPv6 %  IPv4 addresses   Population      IPv4 addresses per capita
1     Belgium      60.54   28,449,408       11,429,336      2.48
2     India        50.7    41,652,992       1,339,180,127   0.03
3     Germany      41.9    120,176,768      82,114,224      1.46
4     USA          40.62   1,609,354,240    324,459,463     4.96
5     Switzerland  39.48   20,150,152       8,476,005       2.37
6     Greece       36.97   5,624,064        11,159,773      0.5
7     Luxembourg   29.81   1,422,336        583,455         2.43
8     UK           27.21   122,889,240      66,181,585      1.85
9     Japan        25.02   203,653,632      127,484,450     1.59
10    Portugal     23.7    6,624,544        10,329,506      0.64
:     (ranks 11-65 omitted)
66    Taiwan       0.38    35,522,048       23,626,456      1.5
Oct 31 2017 updated
Taiwan IPv6 update
• Government units:
  – 4,366 IPv6 external services upgraded; upgrade ratio 100%.
  – 1,210 government units have joined IPv6 internal network upgrade planning and submitted plans. Of these, 100 units have completed the upgrade, and 679 government units plan to complete their IPv6 internal network upgrade before the end of ROC year 107 (2018).
  – Continuing to push IPv6 activation at 10,003 iTaiwan hotspots: 321 hotspots were upgraded to IPv6 in ROC year 105 (2016), and 5,965 hotspots (73%) are expected to be upgraded in ROC year 106 (2017).
• Academic network:
  – Promoting IPv6 connectivity for school computer classrooms, dormitory networks and administrative staff networks.
  – IPv6 traffic on the academic network keeps growing: outbound international traffic is 3.2 Gbps, about 20% of IPv4 traffic; inbound is 1.6 Gbps, about 12% of IPv4 traffic.
ISP IPv6 user availability
Oct 16 2017 updated

ISP IPv6 availability

ISP IPv6 survey
Access type columns: Cable Modem | Fiber (FTTx) | WiFi wireless | 4G mobile | 4G VoLTE
Already provided: 中華電信, 教育部 (Ministry of Education), 國發會 (National Development Council)
2017: 香港商第一線, 台灣基礎開發
2018: 新彰數位, 全國數位 | 台灣智慧光網 | 中華電信, 新彰數位 | 中華電信, 遠傳電信, 台灣之星 | 台灣之星
After 2018: 台灣寬頻, 世新有線, 大新店民主有線, 東亞有線, 洄瀾有線, 和記環球, 天外天有線, 天外天網路, 鋐捷 | 台灣固網, 台灣碩網, 大台北寬頻, 大大寬頻, 寶島聯網, 天外天有線, 天外天網路, 新永安, 安源通訊 | 台灣大哥大, 亞太電信 | 中華電信, 亞太電信
No deployment plan: 凱擘, 台灣基礎開發, 大大寬頻, 台固媒體, 大台中數位, 超宇 | 新世紀資通, 凱擘, 亞太電信, 宏遠, 大台中數位, 超宇 | 超宇
4G operators IPv6 trial

Cybersecurity

Secure namespace - DNSSEC

International affairs

Publications

Connectivity

Taiwan broadband survey

Conferences and Charity

Post transition: complementary functions
Content, media, services
Network logical layer (naming, addressing, routing)
Physical network infrastructure
Fill the gap
Change
● Institution
  ○ Competent authority
    ■ Stewardship transition for the core Internet functions
  ○ Bylaws
  ○ Governing body (Chairman / Board of Directors)
  ○ Executive team
● Operation
  ○ Business goals alignment
  ○ Strategic planning
  ○ Operating planning
ccTLD world map
Source: Nominet

Redefining Cyberspace
Where do we want to go

Exemplary Registry
Exemplary Internet Registry (EIR)
Exemplary ccTLD Registry (ECR)
Mandatory Performance Baseline
Potential constructs
ECR Potential Constructs (.org registry)
❖ Customer service
❖ DNS Performance
❖ Policy Position
❖ Outreach and community based initiatives
❖ Financial management
❖ Marketing and communication

EIR Potential Constructs (APNIC)
❖ Serving members 80%
❖ Regional development and outreach 10%
❖ Global cooperation 5%
❖ Corporate 5%

Compound Constructs
1. Serving members
2. DNS performance
3. Marketing and communication
4. Global cooperation and policy leadership
5. Outreach and development
6. Corporate (Financial management)
TWNIC @2030
● Top 10 ccTLD registries
  ○ Serving members, DNS performance, marketing, outreach and development, policy leadership
● Top 10 IPv6 adoption (60th @2018.01)
  ○ Serving members, outreach and development, policy leadership
● Tier 1 Internet partner with core Internet organizations (ICANN, APNIC, ISOC, APTLD)
  ○ qualitative and quantitative measurements?
  ○ No. 1 Internet youth forum in Taiwan (members > 100K)
● Tier 1 DNS infrastructure operator
  ○ DNS availability, RRT, query capacity
● Internet policy leading org. (tw)
● Capital reserve > 60 months

Additional issues
● IX policy document (abandon / terminated / revision / re-activation ..)
● CDNC roadmap
● ICANN issues
  ○ GAC position, PTI country code ISO3166-2, ..etc.
● Policy position and policy statements
  ○ digital diplomacy, digital economy, cyberspace jurisdiction, ..etc.
Multistakeholder model: adjusting stakeholder groups

Domain name stakeholders
Before: registrar
After: registrant
Implementation
● Expanding global coverage of .tw name holders
  ○ expanding global accredited registrars
  ○ Improving DNS service quality
  ○ Developing IDN (internationalized domain names) services in different countries
    ■ Japanese, Korean, Thai ..
● 翻轉域名 ("flip domain") service evaluation
  ○ rapid domain forwarding to an identified destination (URL)
● Corporate registrant due diligence service evaluation
● DNSSEC deployment strategy evaluation
● .TW certificate service evaluation (e.g. DANE)

DANE: DNS-Based Authentication of Named Entities (RFC 6698)
● Powerful combination
  ○ TLS = encryption
  ○ DNSSEC = strong integrity protection
  ○ DANE = TLS + DNSSEC
● How do you know if the TLS certificate is the correct one?
  ○ Store the certificate in DNS and sign it with DNSSEC
  ○ A browser that understands DNSSEC and DANE will then know when the required certificate is NOT being used
  ○ The certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA, or a self-signed certificate.
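The DANE check described above, as an added example in Python that is not TWNIC's or any browser's code: the zone side builds a TLSA record from the holder's certificate, and the client side verifies the presented certificate against it. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, and the DNSSEC-validated lookup of the TLSA record is assumed to have already happened.

```python
"""DANE TLSA (RFC 6698) record generation and matching, using hashlib only.
Added example, not TWNIC's or a browser's code. CERT_DER and SPKI_DER are
constructed stand-ins for the DER certificate and its SubjectPublicKeyInfo; the
TLSA record is assumed to come from a DNSSEC-validated lookup of _443._tcp.<name>."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample bytes; a real client takes these from the TLS handshake.
CERT_DER = b"constructed-der-certificate-bytes"
SPKI_DER = b"constructed-subject-public-key-info-bytes"

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format '<usage> <selector> <matching> <hex>'."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching),
                bytes.fromhex(hexdata.replace(" ", "")))

def association_data(selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Select the certificate or its SPKI, then hash it as the record requires."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {matching}")

def make_tlsa_rdata(cert_der: bytes, spki_der: bytes, usage=3, selector=1, matching=1) -> str:
    """Zone side: '3 1 1 <sha256(spki)>' is the usual DANE-EE form; republish it before rotating the key."""
    data = association_data(selector, matching, cert_der, spki_der)
    return f"{usage} {selector} {matching} {data.hex()}"

def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Client side: does the presented end-entity certificate satisfy the record?
    Usages 1 and 3 compare the leaf directly; usages 0 and 2 name a trust anchor
    and must be checked against the chain, which this example does not do."""
    if record.usage not in (1, 3):
        raise ValueError(f"usage {record.usage} requires a chain check")
    presented = association_data(record.selector, record.matching, cert_der, spki_der)
    # Constant-time compare; a mismatch means the required certificate is NOT in use.
    return hmac.compare_digest(presented, record.data)
```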
Multistakeholder model: adjusting stakeholder groups

IP addresses stakeholders
Before: ISP
After: Operators, corporate
Implementation
● Developing corporate IP members
  ○ From ISP to operators (online operators, corporate ..etc)
  ○ Leveraging IPv4 exhaustion policy (/22 for each member)
  ○ Community engagement
● Capacity building for IPv6 adoption
  ○ Capacity building was designed for end users with local trainers
  ○ Capacity building now is designed for tier 1 ISPs with well-known Internet gurus
● RPKI service

Internet Routing Registry
● Routing registries are queried by upstream providers for
  ○ Route filter updates, ensuring stability and consistency of routing information shared via BGP
  ○ Better control of BGP traffic, for example to avoid bogons
● If an ISP has no objects in a routing registry, it needs to create new objects to avoid being filtered by upstream providers
  ○ Based on the planned routing policy, other objects need to be created (AS-SET, ROUTE-SET)
  ○ For routing purposes not all objects are needed; it depends on the situation and routing policy
Commercial Routing registry database
● RADB
  ○ Routing Assets Database (Routing Arbiter Database)
  ○ Many upstream providers requested RADB registration
● Fee (Merit RADB)
  ○ For-profit: Maintainer agrees to pay a fee of Four Hundred Ninety Five United States Dollars (USD$495) for each maintainer object to be registered in the RADb.
  ○ Non-profit: Maintainer agrees to pay a fee of Three Hundred Ninety Five United States Dollars (USD$395) for each maintainer object to be registered in the RADb.
RPSL
● RPSL
  ○ Routing Policy Specification Language, RFC 2622
● Purpose of RPSL
  ○ RPSL was designed for Internet Service Providers (ISPs) to publish their routing policies. Since the introduction of RPSL, many ISPs publish their policies in public Internet Routing Registries, such as the RIR Routing Registries.
Fragmentation within RPSL
● Two primary sources: RIPE WHOIS and RADB
  ○ A kind of 'Europe' / 'rest of the world' split
  ○ Content can conflict. Which one is right?
● Other sources (APNIC, AfriNIC, JPNIC …) are less globally applied
  ○ Content is visible in several sources
  ○ ISP specific (e.g. NTT) with automated customer-AS routing
  ○ National scope (JPIRR) with strong checks
● Lack of visible cohesion. What determines ground truth
  ○ if IRRs conflict?
  ○ if IRRs are incomplete?
  ○ if IRRs include data with no visible linkage to the origin assigning registry?
APNIC Internet Routing Registry (WHOIS)
● Whois
  ○ The APNIC Whois Database can be used to publish information about the routing of Internet number resources
● Maintain route filters
  ○ Using the IRR to manage route filters typically requires software like the irrtoolset or rtconfig.
● Routing policies
  ○ Simple routing assertions can be made by creating inetnum/inet6num/aut-num and associated route objects with no optional data
  ○ Recording network routing policy by using the Routing Policy Specification Language (RPSL). (RFC 2622; RFC 2650)
Benefit of APNIC WHOIS
● Free
● Easy maintenance
  ○ The same set of objects is used (aut-num, maintainer ..etc)
● Security
  ○ Route objects are tied to aut-num; created only by APNIC Hostmasters
  ○ Only the "holder" of a prefix can create route objects for a given inetnum
  ○ Considerably reduced risk of hijacking
What is RPKI
● Chain of resource allocation certification
● APNIC allocates address resources to the NIR (TWNIC). TWNIC allocates address resources to ISPs or IP members.
● With RPKI, APNIC certifies TWNIC. TWNIC certifies ISPs or IP members.
(Diagram: APNIC → TWNIC → ISP / IP member / IP member)
Who
● IETF (SIDR WG, IDR WG), routing and security area
  ○ Technical specifications, researchers, implementers
● RIR, TWNIC and ISP
  ○ Database, registration, cryptographic key management
  ○ Resource certification for resource holders
● BGP routing operators, researchers, web service operators
  ○ Input security requirements into IETF
When
Year chronicle
1997 The basic concept of RPKI and Secure BGP
1999 Technical draft (I-D) for resource certification
2004 RFC 3779
2006 The first SIDR WG meeting
2008 YouTube incident
2009 Some RIRs started resource certification
2012 RPKI-capable BGP routers

Where
● Routing table in BGP routers
  ○ Misused IP address information is propagated between ASes.
  ○ Depends on network topology
● Affected area: reachability
  ○ E.g., global web service
Why
● Why are IP addresses misused?
  ○ Faking users of DNS servers, web servers, etc.
  ○ For sending SPAM from temporary IP addresses
● Why resource certification?
  ○ Detecting the allocated/assigned IP address prefix + finding the correct AS which should use the IP address = a misused IP address is detected.
● Why RPKI is good to deploy
  ○ Misused IP addresses can be found with origin validation. This is good input for BGP operation, avoiding receiving malicious traffic (SPAM, etc).
    ■ Without RPKI, BGP operators can only detect when their own IP addresses are faked; with RPKI, they can detect it for others as well.

How
● How is IP address misuse in BGP routing conducted?
  ○ By configuring BGP routers
    ■ Fat finger, mis-typing
    ■ Intentional use of a victim's IP address or an unused IP address
● How is RPKI used?
  ○ The registry issues a resource certificate and the LIR creates a ROA
  ○ BGP operators compare ROAs and routes.
  ○ BGP operators change their router configuration
How much
● Do misused IP addresses have any economic value?
  ○ Yes, recent example: an advertisement area on a website has paybacks when it is unreachable from the Internet. Untraceable zombie hosts for SPAM email sending.
● Getting a resource certificate and ROA is currently free of charge
  ○ The operational cost lies in the registries, for issuing certificates to provide information integrity
● Operational cost in BGP routing
  ○ When BGP operators face a misused IP address, they take their incident action: investigation, testing, negotiation with their peers.
ROA Content
● It can be used to find misused IP addresses in the Internet
  ○ Origin validation = validation of BGP routes
  ○ whether an IP address prefix is used properly in Internet routing
● ROA content
  ○ Origin autonomous system number
  ○ Prefix
  ○ Validity dates
  ○ When a ROA is signed, it has a cryptographically provable chain to the source of authority allowing that IP prefix to be advertised by that ASN
What it looks like

Coverage for RPKI and RPSL
● Not all BGP is in RPSL, but much more is in RPSL than in RPKI
● Most RPSL is outside of RPKI
● Most RPKI is covered in RPSL
RPKI deployment status
Source: RIPE

Three Route States
● Valid
  ○ Prefix is covered by a valid ROA
● Unknown
  ○ No ROA exists for this prefix
● Invalid
  ○ Unauthorized announcement
    ■ Mismatch between authorized ASN and originating ASN, split origin
    ■ More specific announcement than the valid ROA allows
    ■ Expired ROA
What to do with this data now
● With 95% of the table in the unknown state, probably nothing
● In a fully deployed RPKI environment, do you
  ○ Reject unknown, invalid routes?
  ○ Set LOCAL_PREF low?
  ○ Set a community, put in a VRF?
● Still under operational development
● Study RFC 6483
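The three route states and the policy questions above, as an added example in Python that is not TWNIC's or any router vendor's code. It follows RFC 6483 origin validation, under which a ROA outside its validity dates is simply absent from the valid set, so a route whose only ROA has expired drops to unknown, and becomes invalid when another valid ROA covers the prefix for a different AS. The ROA set, evaluation date, announcements and community values are constructed.

```python
"""RPKI route origin validation (RFC 6483) over a ROA set, plus a sample policy.
Added example, not TWNIC's or a vendor's code. SAMPLE_ROAS, TODAY and the
community values are constructed; a real validator takes ROAs from an RPKI
cache (RTR) and announcements from BGP."""
import ipaddress
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class ROA:
    prefix: str       # address prefix the holder authorizes
    max_length: int   # longest prefix length the origin may announce
    asn: int          # authorized origin AS number
    not_before: date  # validity dates, as listed on the slide
    not_after: date

TODAY = date(2017, 11, 6)  # constructed evaluation date
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 64500, date(2017, 1, 1), date(2019, 1, 1)),
    ROA("198.51.100.0/22", 24, 64501, date(2017, 1, 1), date(2019, 1, 1)),
    ROA("198.51.100.0/24", 24, 64502, date(2015, 1, 1), date(2016, 1, 1)),  # expired
    ROA("192.0.2.0/24", 24, 64502, date(2015, 1, 1), date(2016, 1, 1)),     # expired
]

def validate(prefix, origin_asn, roas=SAMPLE_ROAS, today=TODAY):
    """Return ('valid' | 'unknown' | 'invalid', reason) for one announcement."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        if not roa.not_before <= today <= roa.not_after:
            continue  # an expired ROA is not in the valid set, so it covers nothing
        covering.append(roa)
    if not covering:
        return "unknown", "no valid ROA covers this prefix"
    reasons = []
    for roa in covering:
        if roa.asn != origin_asn:
            reasons.append(f"AS{origin_asn} != authorized AS{roa.asn} for {roa.prefix}")
        elif net.prefixlen > roa.max_length:
            reasons.append(f"/{net.prefixlen} exceeds maxLength /{roa.max_length}")
        else:
            return "valid", f"covered by ROA {roa.prefix}-{roa.max_length} AS{roa.asn}"
    return "invalid", "; ".join(reasons)

def policy(state):
    """Drop invalid, deprefer and tag unknown (one answer to the slide's questions)."""
    return {"invalid": {"action": "reject"},
            "unknown": {"action": "accept", "local_pref": 50, "community": "65000:2"},
            "valid": {"action": "accept", "local_pref": 100, "community": "65000:1"}}[state]
```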
Public Resources

Secure internet routing - RPKI

Problem solved

When
● When does TWNIC begin to provide RPKI service?
  ○ A study team has been established
  ○ Lab operation will be completed in June 2018
  ○ Planned soft launch at the end of 2018
BGPsec - RFC 8205

BGPsec

US Internet governance: open

China Internet governance: censorship

Internet governance regime 1/2
Source: Laura DeNardis; compiled by Dr. 黃勝雄
Directly related to TWNIC
Indirectly related to TWNIC

Internet governance regime 2/2
Source: Laura DeNardis; compiled by Dr. 黃勝雄
Directly related to TWNIC
Indirectly related to TWNIC

Major institutions in IG regime

National and global issues

Digital diplomacy: Internet regime for Taiwan engagement
● ICANN
  ○ Government representatives: GAC; country-code top-level domains: ccNSO; generic top-level domains: gNSO; address community: ASO; community groups: At-Large; network security: SSAC
● APEC TEL
● APNIC (Asia Pacific Network Information Centre)
  ○ APNIC membership; international cooperation: Communication SIG; national registries: NIR SIG; policy: Policy SIG; APNIC Foundation
● APrIGF (Asia Pacific Regional Internet Governance Forum)
  ○ Government units; academic research institutions; enterprises; communities or individuals
● IETF Internet community: research institutions; enterprises or individuals
● APAN (Asia Pacific Advanced Network): research institution networks
● APTLD (Asia Pacific Top Level Domain Association): ccTLD managers
● CERT (Computer Emergency Response Team)