mydnsipv6 Success Story

Transcription

1 Internet Identity For All mydnsipv6 Success Story By Norsuzana Harun Manager, Technology and Innovation Dept. 20 th July 2009

2 Agenda 1. About mydnsipv6 mydnsipv6 Roadmap ( ) 2. mydnsipv6 Test Bed 3. 4 related changes to.my registry system.my Registry System Interface Changes.my Registry System Backend Changes 4. Test Cases Test Cases for Network Equipments Test Cases for DNS Activities Test Cases for Web Interface and Database Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 2

3 Agenda (cont) 5. Registration to IANA 6. IPv6 Connectivity and Security Audit 7. Public Launch 8..my s IPv6 Enabled Domain Names 9. The Way Forward 10. Conclusion Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 3

4 About mydnsipv6 Objectives To actualize and facilitate IPv4 to IPv6 transition as mandated in Malaysian Information, Communication and Multimedia Services 886 (MyICMS 886) IPv6 is a mandated Infrastructure Government agencies to adopt IPv6 by year 2010 To provide IPv4 and IPv6 enabled DNS registry system Public are able to register.my domain name with IPv6 enabled name server(s) Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 4

5 mydnsipv6 Roadmap ( ) TRIAL PHASE DEPLOYMENT AWARENESS a) Study current MYNIC's DNS system and DNS naming compressio n (512 bytes limitation) b) Organize.my training related to DNS and IPv6 topics a) Formation of R&D lab and server room b) Develop and launch mydnsipv6 Test bed for public to test in July c) Organize.my training related to DNS and IPv6 topics d) Organize seminar pertinent to DNS related technologies (NICE) e) IPv6 Readiness Survey a) Enhanced the registry system and testing b) Launch IPv6 enabled.my registry system c) Deployment of IPv6 for secondary DNS d) Security audit and IPv6 connectivity test by appointed auditor e) IPv6 Readiness Survey (Continue) f) Organize MYNIC DNS security seminar (WCIT) g).my Training related to DNS, IPv6 and Security topics a).my Training related to DNS, IPv6 and Security topics b) IPv6 awareness program road tour c) Integrate IPv6 with other MYNIC projects (DNSSEC, myanycast and ENUM) d) Security audit (Networks and Servers) by appointed auditor a) Integrate IPv6 with other MYNIC projects (Webserver, mail and whois servers) b).my Training related to DNS, IPv6 and Security topics c) Security audit (Networks and Servers) by appointed auditor Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 5

6 mydnsipv6 Test Bed Started on 17th July and closed on 30th August participants 58 testing domain registered Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 6

7 4 related changes to.my registry system Web Interface and Application New domain registration will allow input and validation of IPv6 addresses for name server Current domain name holder will able to assign IPv6 address for their name server Backend and Network Change.my Domain Registry s co location service provider need to enable the router to support dual stack (IPv4 & IPv6) Upgrade network equipments to support dual stack (IPv4 & IPv6) Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 7

8 4 related changes to.my registry system Database Additional field to keep IPv6 address information Security Appointed third party to audit our servers and networks Harden our servers and networks according to the audit report Upgrade firewall and install IPS Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 8

9 .my Registry System Interface Changes Web interface comparison Customers are able to enter IPv4 address only. Simplified page: Customers are not able to enter IP addresses. They have to use the Name Server Creation page (which is on the following slide). Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 9

10 .my Registry System Interface Changes Additional input field for IPv6 address Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 10

11 .my Registry System Interface Changes Name server modification 2001:328:1000:3:: :328:1000:3::11 Customers able to view and modify the IPv4 & IPv6 addresses Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 11

12 .my Registry System Interface Changes Modify existing Name Server IP addresses 2001:328:1000:3:: :328:1000:3::11 Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 12

13 .my Registry System Backend Changes Dual stack firewall, IPS and DNS servers (wef: 16 th Aug 08) Firewall IPv6 address DNS Servers IPv6 address A record AAAA record Reverse lookup for IPv6 address Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 13

14 Test Cases for Network Equipments Equipment Test Description Objectives Routers Firewall Configure IPv6 address for the router Test the network (which go through the router) by using IPv6 protocol Configure IPv6 address for the Firewall Test the network (which go through the firewall) by using IPv6 protocol To ensure the OS support IPv6 protocol To ensure the IPv6 transport able to go through the network To ensure the firewall also able to filter IPv6 address IPS (Intrusion Prevention System) Configure IPv6 address for the IPS Test the network (which go through the IPS) by using IPv6 protocol Switches (layer 2) Use the switches to connect 2 IPv6 network segments To ensure the IPv6 transport able to go through the network Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 14

15 Test Cases for DNS Activities Activities Test Description Objectives DNS Query Zone Transfer DNS Extension for IPv6 (EDNS0 or Data size) Use a dig command to query the data from IPv4 only DNS, IPv6 only DNS and also dual stack DNS Use a dig +axfr command to check the zone transfer activities, check the bind log to find out the transaction is run on v4 or v6 transport Create a large (huge) zone of domain, and do a dig to it authoritative server, make sure the respond datagram s size is larger than 512 octets To ensure the DNS query can be functioning between IPv4 only, IPv6 only and dual stack To verify IPv6 protocol is the preferred protocol for the To process ensure the DNS query can be functioning between IPv4 only, IPv6 only and dual stack To verify IPv6 protocol is the preferred protocol for the To process ensure the respond data will not get loss if the respond datagram s size is larger than 512 octets Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 15

16 Test Cases for Web Interface and Database Activities Test Description Objectives New registration Modification Submit different type of IPv6 address format through the online DNS registration form Submit different type of IPv6 address format through the online DNS modification form Database field Insert different type of IPv6 data format into the database field To ensure the IPv6 addresses are 128 bits long, written in hexadecimal, and separated by colons Filter and reject all the invalid IPv6 addresses being insert into the To database ensure the IPv6 addresses are 128 bits long, written in hexadecimal, and separated by colons. Filter and reject all the invalid IPv6 addresses being insert into the To database ensure the data field has correct data type and enough field length to keep IPv6 data Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 16

17 .my s DNS Server Registration to IANA Can only proceed when the name server is ready with IPv6 in production environment Registration being made under Requests by cctld Managers to Change Name servers procedure. The IANA is responsible for receiving and acting on requests by the designated cctld managers to change information (name and IP address) The request submission date was on 19 th August 2008 Updated the glue record by IANA on 26 th August 2008 Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 17

18 .my s DNS Server Registration to IANA (cont) Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 18

19 .my s DNS Server Registration to IANA (cont) Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 19

20 IPv6 Connectivity and Security Audit Certificate for IPv6 Level 1 Network connectivity Certificate for Security Audit Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 20

21 Public Launch Launch mydnsipv6 on 23th Nov 2009.my Domain Registry are no 127 th TLD support IPv6 out of 296 TLD in the world Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 21

22 .my s IPv6 Enabled Domain Names According to categories Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 22

23 .my s IPv6 Enabled Domain Names (cont) Low adoption from domain name s holder. As of 18 th July 2009, only 17 or 0.02% out of 83,319.my domain names support IPv6 Possible Reasons (???) : 1. No urgency for the migration/ipv6 2. Lack of technical expertise for IPv6 3. Lack of awareness programs 4. Motivation factors Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 23

24 .my s IPv6 Enabled Domain Names (cont) Category:.my (9) Domain Name Primary Primary IPv6 Secondary Secondary IPv6 1 bsd.my benkyo.mybsd.org. my 2 cybershop.my ns1.my 2001:328:ff00:1:215:c5ff:fe6 0:74f8 2001:328:2002:ace::1000 ns1.everydns.net ns2.my 3 erion.m y n1.erion.my 2001:470:1f08:61d::2 n2.erion.my 2001:960:2:585::2 4 hack.my benkyo.mybsd.org. my 5 infoweapons.my atlcolodns1.infowea pons.com 2001:328:2002:ace::1000 ns2.afraid.org 2001:418:5403::2 atlcolodns2.infow eapons.com 6 jaring.my dns2.jaring.my 2001:328:200:ab::100 ns7.jaring.my 2001:418:5403::3 7 ns1.my ns1.my 2001:328:ff00:1:215:c5ff:fe6 0:74f8 ns2.my 8 ntt.my ns1.arc.net.my 2001:c18::25 ns2.arc.net.my 2001:c18::24 9 void.my benkyo.mybsd.org. my 2001:328:2002:ace::1000 ns2.afraid.org Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 24

25 .my IPv6 Enabled Domain Names (cont) Category:.net.my (3) and.org.my (2).net.my Domain Name Primary Primary IPv6 Secondary Secondary IPv6 1 arcnet6.net.my ns1.arc.net.my 2001:c18::25 ns2.arc.net.my 2001:c18::24 2 infoweapons.net.my atlcolodns1.infoweapo ns.com 2001:418:5403::2 atlcolodns2.info weapons.com 2001:418:5403::3 3 myren.net.my ns1.myren.net.my 2404:a8:400:200 0::53.org.my ns2.myren.net.m y 1 myren.org.my ns1.myren.net.my 2404:a8:400:200 0::53 ns2.myren.net.m y 2 neohumanist.org.my ns1.arc.net.my 2001:c18::25 ns2.arc.net.my 2001:c18::24 Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 25

26 .my IPv6 Enabled Domain Names (cont) Category:.com.my (3) Domain Name Primary Primary IPv6 Secondary Secondary IPv6 1 arcnet6.com.my ns1.arc.net.my 2001:c18::25 ns2.arc.net.my 2001:c18::24 2 infoweapons.com.my atlcolodns1.infoweap ons.com 3 myren.com.my ns1.myren.net.my 2404:a8:400:2000: : :418:5403::2 atlcolodns2.infow eapons.com ns2.myren.net.my 2001:418:5403:: 3 Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 26

27 The Way Forward Keep up to date on IPv6 activities around the world Attend and join IPv6 related events Joining IPv6 Working group ( MSTFB, AP IPv6 Task Force ) encourage registration of domain with IPv6 Name servers Integrate IPv6 with other.my DOMAIN REGISTRY projects (DNSSEC, myanycast, ENUM, Webserver, mail and whois servers).my Domain Registry is seriously put an effort on awareness program for public to increase the number of domain with IPv6 Conduct series of IPv6 technology workshops / seminars / training Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 27

28 Conclusion This project took about 3 years to get into production and at this time we are focusing on IPv6 at our secondary Testing Firewalls for IPv6 and EDNS0 Support ( sac016.htm) Good practice for migration is to start with dual stack approach Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 28

29 Thank You! Internet Identity for All MYNIC Berhad 2009 Strictly Private & Confidential 29