Economical and Political Implications of DNSSEC Deployment

Eldh, Axel Fant, Kirvesniemi, Mattias

January 2010

This report provides a summary of the current deployment of Domain Name System (DNS) Security Extensions (DNSSEC) as well as a discussion of future deployments and deployment rates. It analyses the problems that have occurred and considers those that may arise. This thesis focuses mainly on economical and political perspectives, rather than the technical perspective used in most reports regarding this subject. There were four areas that needed to be examined: the technical basis for DNSSEC, the deployment process, the current level of DNSSEC deployment, and the opinions regarding this subject. The information about the deployment process was obtained mainly through articles, but also through reports from organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN) and the Electronic Privacy Information Centre. To acquire up to date data on DNSSEC deployment, SecSpider was used to research the level of deployment as of 2010-05-06. The search was restricted to the generic Top Level Domains (gTLDs) and country code TLDs (ccTLDs) of the top 20 countries in terms of Internet usage as well as the OECD countries. This restriction was made to narrow down the scope to the TLDs where DNSSEC would have the greatest impact. The “Top 20” comprises 77.27 % of the world’s Internet users, hence it is where DNSSEC deployment would affect the most people. The OECD is in this thesis considered a sufficient ly large selection to represent themost technologically advanced and economically powerful countries in the world regardless of size. Major powers such as China, India, and Russia while not included in the OECD are represented in the “Top 20” due to their size. Our results show that some major TLDs have implemented DNSSEC and that the rate of deployment has increased in the last few years. However, the level of DNSSEC deployment in the TLDs is still rather low; 15.00 % in the gTLDs and ccTLDs of the Top 20 countries in Internet usage, and 20.00 % in the OECD’s ccTLDs. Deployment in the root is ongoing during spring 2010, this could have a great impact on the rate of deployment as deployment in a gTLD or ccTLD is highly dependent on deployment high up in the hierarchy due to the nature of DNSSEC. It is unlikely that corporations would implement DNSSEC without a potential return on investment (ROI) and management control measures from governments might be required to increase deployment pace at the lower levels of the DNS hierarchy. / Denna rapport innehåller en sammanfattning av den nuvarande spridningen av Domain Name System (DNS) Security Extensions (DNSSEC) och även en diskussion om framtida spridning och spridningstakt. Den analyserar problemen som uppstått och avväger de som kan uppstå. Rapporten fokuserar mer på de ekonomiska och politiska perspektiven, snarare än det tekniska som använts i de flesta rapporter inom området. Det var fyra områden som behövde undersökas: den tekniska basen, spridningsprocessen, nuvarande spridningsnivåer av DNSSEC samt åsikter kring området (om inte DNSSEC adopteras av faktiska användare kommer dess effekt att bli minimal). Informationen angående spridningsprocessen anskaffades huvudsakligen genom artiklar, men även från rapporten utgivet av organisationer likt the Internet Corporation for Assigned Names and Numbers (ICANN) och the Electronic Privacy Information Centre. För att erhålla färsk information på spridningen av DNSSEC undersökte vi spridningsnivån 2010-05-06 med SecSpider. Vi avgränsade vår undersökning till generic Top Level Domains (gTLDs) och country code TLDs (ccTLDs) från de 20 främsta länderna i Internetanvändande samt OECD-länderna. Denna avgränsning gjordes för att fokusera på de TLDs där spridning av DNSSEC skulle ge störst påverkan. ”Topp 20” innehåller 77.27 % av världens Internetanvändare och det är här spridning av DNSSEC skulle nå flest användare. OECD anses i denna rapport vara ett tillräckligt urval för att representera de mest teknologiskt avancerade och ekonomiskt mäktiga ländrena oavsett storlek. Betydande makter såsom Kina, Indien och Ryssland som inte ingår i OECD är inkluderade i ”Topp 20” tack vare sin storlek. Resultaten visar att några betydande TLDs har implementerat DNSSEC och att spridningstakten har ökat de senaste åren. Dock är spridningsnivån i TLDs fortfarande ganska låg; 15.00 % i gTLDs och ccTLDs i ”Topp 20”, och 20.00 % i OECDs ccTLDs. Implementering i rooten pågår under våren 2010, något som skulle kunna ha stor påverkan på spridningstakten eftersom den är starkt beroende av spridning högt upp i hierarkin på grund av DNSSECs natur. Det är osannolikt att företag skulle implementera DNSSEC utan möjlig avkastning på investerat kapital och ekonomiska styrmedel från regeringar kan behövas för att öka spridningstakten på de lägre nivåerna.

IPv6

Multicast

Proxying

Tunneling

Routing

Communication Systems

Kommunikationssystem

IPv6 multicast home proxy

Kullberg, Elis, Junnila, Hannes

January 2010

The Internet is becoming increasingly fragmented, leading to a more heterogeneous end-user experience depending on the user's network location (i.e., point of attachment to the network). This is a consequence of several ongoing changes of the Internet. Different regions of the world are in different phases of their rollout of IPv6, making intercommunication increasingly challenging. Copyright legislation has caught up with ICT technology, but differences in licensing agreements may very from nation to nation which often hinders content being accessed beyond borders. Finally, several high-profile government attempts have been made to enforce stringent censorship of data. Therefore, we believe that a demand exists for simple consumer-oriented technologies for proxying and tunneling data between separate regions of the Internet. Furthermore, we believe that this demand will increase dramatically during the coming years. A key success factor for this next generation of proxies will be the ability to handle multicast IPv6 packets, as these packets represent the most probable distribution method for IPTV in the future. This thesis examines the challenges presented by IPv6 multicast-routing in the context of constructing a proxy. It also presents a best-practice solution to the problem of designing, implementing, and utilizing such a proxy. The thesis also contains a review of current IPv6 multicast routing technology. Several implementations are benchmarked against each other, with the goal of building a prototype for a consumer-oriented IPv6 multicast proxy. The prototype is presented and was tested. These tests demonstrate the functionality of the prototype proxy and reveal areas where the prototype could be improved. Finally a possible capitalization strategy is suggested. / Internet utvecklas mot att bli mer fragmenterat. Detta leder till en heterogen användarupplevelse beroende på uppkopplingspunkt. Utvecklingen är en konsekvens av flera pågående trender. Världens olika regioner ligger i ofas i utbyggnaden av IPv6 vilket medför nya tekniska utmaningar. Samtidigt har upphovsrättslagstiftningen hunnit ikapp teknikutvecklingen, så att länder med olika licensieringsmodeller inte kan dela innehåll. Slutligen försöker flera länder aktivt censurera datatrafik. Som konsekvens av detta ökar behovet för enkla konsumentorienterade metoder för att knyta ihop olika delar av Internet, så att åtkomst till data garanteras oavsett uppkopplingspunkt. Därmed förutspår vi att efterfrågan på produkter baserade på sofistikerad tunnelteknik kommer öka under de kommande åren. Denna rapport undersöker de utmaningar IPv6 multicast routing medför i samband med byggandet av en IPv6 multicast proxy. Rapporten presenterar en grundlig teoretisk genomgång av tekniken bakom IPv6 multicast routing. Vidare föreslås ett optimalt tillvägagångssätt för att designa, bygga och använda en sådan proxy. Flera existerande tekniker för multicast forwarding utvärderas och jämförs. Utifrån utvärderingen byggdes tre implementeringar av en IPv6 multicast proxy. Därefter analyseras dessa, tillsammans med förslag för fortsatta studier. Slutligen presenteras en möjlig kapitaliseringsstrategi för tekniken.

IPv6

Multicast

Proxying

Tunneling

Routing

Communication Systems

Kommunikationssystem

Saving Energy in Network Hosts With an Application Layer Proxy: Design and Evaluation of New Methods That Utilize Improved Bloom Filters

Jimeno, Miguel

11 December 2009

One of the most urgent challenges of the 21st century is to investigate new technologies that can enable a transition towards a society with a reduced CO2 footprint. Information Technology generates about 2% of the global CO2, which is comparable to the aviation industry. Being connected to the Internet requires active participation in responding to protocol messages. Billions of dollars worth of electricity every year are used to keep network hosts fully powered-on at all times only for the purpose of maintaining network presence. Most network hosts are idle most of the time, thus presenting a huge opportunity for energy savings and reduced CO2 emissions. Proxying has been previously explored as a means for allowing idle hosts to sleep yet still maintain network presence. This dissertation develops general requirements for proxying and is the first exploration of application-level proxying. Proxying for TCP connections, SIP, and Gnutella P2P was investigated. The TCP proxy keeps TCP connections open (when a host is sleeping) and buffers and/or discards packets as appropriate. The SIP proxy handles all communication with the SIP server and wakes up a sleeping SIP phone on an incoming call. The P2P proxy enables a Gnutella leaf node to sleep when not actively uploading or downloading files by handling all query messages and keyword lookups in a list of shared files. All proxies were prototyped and experimentally evaluated. Proxying for P2P lead to the exploration of space and time efficient data structures to reduce the computational requirements of keyword search in the proxy. The use of pre-computation and hierarchical structures for reducing the false positive rate of a Bloom filter was explored. A Best-of-N Bloom filter was developed, which was shown to have a lower false positive rate than a standard Bloom filter and the Power-of-2 Bloom filter. An analysis of the Best-of-N Bloom Filter was completed using Order Statistics to predict the false positive rate. Potential energy savings are shown to be in the hundreds of millions of dollars per year assuming a modest adoption rate of the methods investigated in this dissertation. Future directions could lead to greater savings.

Data structures

energy efficiency

performance evaluation

proxying

network applications

American Studies

Arts and Humanities