Browsing Posts published in June, 2010

Where is Culpeper? What are you doing there? For the entire last two weeks, that’s the most common question I was asked. While there were a few thumbs up from people who knew what was going on, I tried to explain to other techies about DNSSec and the significance of the key signing ceremony. For others, I just resorted to saying that it’s a place near Washington DC where there was a technical meeting I had to attend. ‘DC’ and ‘meeting’ in the same line was enough explanation for them, methinks.

While I am detailing the DNSSec protocol in layman’s terms further below, the signing ceremony was not different from a well-written IETF protocol draft, where every actor had a role, and parts were scripted like it was an act on stage. The 35-page-long script will possibly be made public by ICANN in the near future, but the attention to detail, pedantic execution and timestamps at each step lasted almost seven hours. In seven hours, we incorporated the seven crypto officers and seven recovery key share holders, initialized the HSM, generated the KSK, processed the request from Verisign and made arrangements for continuation of the procedure at the West Coast facility. From Verisign, we received the Key Signing Request, containing ZSKs generated by Verisign; we signed those and returned a Signed Key Response, and they will use those ZSKs to sign the root zone. Exceptions were handled by the ceremony administrators with utmost care. The main ceremony was in a secure room with multiple secure layers, involving a man trap at the second stage. The event was recorded, and was watched by more people in an external room in the same facility. We had an auditor present to keep notes of the proceedings, and an armed guard to make sure that we didn’t deviate.

I was one of the seven crypto officers selected for the East Coast facility, which is in Culpeper. In essence, at least three out of the seven crypto officers need to be present in future key signing ceremonies for the East Coast. We hold the keys to the safes where the crypto smart cards are stored; those cards will be needed to operate the key signing hardware every time new keys are generated and used for signing the root zone key. So, in a way, for popular consumption, I now hold keys to the DNS system on the Internet.

As was noted by various people, this was quite a significant ceremony. This makes DNS, one of the most fundamental tenets of the Internet, more secure. DNS has long been one of the most open protocols on the Internet, and over time a model of how successful protocol design works. The cryptographic signing of the root zone possibly indicates the changes that have happened to the Internet over the years, and the way it’s headed.

Personally, I think it was a great step forward, but at the same time I wonder whether, if we continue the push to encrypt everything on the Internet, the free and wild wild west nature of the Internet will still be there in a decade or so. Only time will tell.

Explaining DNSSec:

To give some background, DNSSec is short for Domain Name System Security Extensions. DNS is what links names like www.gaurab.org.np to Internet Protocol (IP) addresses. IP addresses are like phone numbers on the Internet, and DNS is the telephone directory. DNS is a very widely distributed network of hierarchical servers spread around the world. For example, for www.gaurab.org.np, there are separate servers that handle the ‘org.np’ part and the ‘www.gaurab’ part. The ‘org.np’ part is spread out over as many as nine name servers all over the world. Of the nine, a few are distributed even further with a technique called Anycast. That makes it potentially about 80 to 100 servers for ‘org.np’ that can tell an inquiring machine about ‘gaurab.org.np’. Further, ‘gaurab.org.np’ has three authoritative servers spread between the USA and Nepal.

When you go further above ‘org.np’, you end up in the root zone. If you think of DNS as an inverted tree with the root at the top, with country-code branches like ‘np’ and ‘nz’, and gTLD branches like ‘com’, which then further branch out to ‘org.np’, ‘com.np’ and so on, you get fairly close to the concept. The way the early DNS system was designed, there is no way to verify the integrity of the data you receive from these servers. With enough technical skill, someone in the middle can modify a valid response and send false data. They can also pretend to be one of the servers and send bad data. There are also other known problems, like cache poisoning, that can inject false data into the caches of resolvers across the Internet.

To address this problem of maintaining the integrity of the data, DNSSec was developed many years ago. It’s been a known protocol for many years. DNSSec uses public key cryptography and embeds with each response the information that can be used to cryptographically validate that response. The bits included with each response are called a ‘signature’. Your computer, or ‘resolver’ as it’s called in DNS parlance, can then verify this signature by checking it against a well-known set of published keys. This process is called validating the response. If the signature doesn’t validate, the resolver will not accept the response and will try again. Of course, this is a very simplified version of the entire process.

Despite being around for a while, the root, or the top level of the DNS system, wasn’t using DNSSec. The main issue that delayed it for so long was the ownership and management of the root zone cryptographic data. There were also other issues with DNSSec deployment that were identified and resolved in the meantime. But by 2009, many organizations were pushing for deployment. The Swedish ccTLD .se was one of the first ones to be signed. In mid-2009, .org, a major gTLD, was signed. The pressure was on for the actors responsible for root zone management to sign the root.

It’s important to understand that unless the root zone was signed, the hierarchy couldn’t be verified from the top down, which meant the full benefit of using DNSSec wasn’t there. Sometime in 2009, IANA, ICANN, Verisign and NTIA, the primary actors in the management of the root zone, all agreed on a way to get this done. Under the arrangement, Verisign, as maintainer of the root zone, was to keep and maintain the zone signing key (ZSK), and ICANN would issue and maintain the Key Signing Key (KSK), which would be used to cryptographically sign the ZSK.

The ceremony in Culpeper was where ICANN, in the presence of 14 chosen community representatives as well as many other external witnesses, created the KSK to be used for signing the root zone. It also accepted the first key signing request from Verisign to use the KSK to sign the ZSK. ICANN will maintain the keys in two different locations in the US. The signing ceremony in Culpeper was the first of the two, and the second one will take place in Los Angeles on 12th July 2010. Once the keys are safe and the seven more community representatives are incorporated for the West Coast facility, the root zone will finally be signed on 15th July 2010. DNSSec will be in production after 15th July, 2010. This is a major milestone in maintaining the integrity of the domain name system and, subsequently, the Internet.
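The KSK/ZSK split and the validation step described above, as an added Go sketch that is not code from ICANN, Verisign or this post: SignZone, Validate, TrustAnchor and DemoKey are names chosen here, Ed25519 stands in for whatever algorithm the root actually uses, the record encoding is a simplified string rather than DNS wire format, and the sample record is constructed. A validating resolver rejects an answer as soon as any link from the trust anchor down to the record signature fails, which is the integrity property the ceremony was about.

```go
package main
import "crypto/ed25519"
import "crypto/sha256"
import "fmt"

// Toy chain of trust: the resolver holds a digest of the KSK as its trust anchor, the KSK
// signs the DNSKEY set that carries the ZSK, and the ZSK signs the ordinary records.
type SignedZone struct {
	KSKPub, ZSKPub ed25519.PublicKey
	DNSKEYSig      []byte            // KSK signature over the key set (what the SKR carries back)
	Records        map[string]string // name -> rdata, simplified string encoding (constructed)
	RRSIGs         map[string][]byte // ZSK signature per record
}
func DemoKey(label string) ed25519.PrivateKey { // demo-only: deterministic key from a label
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}
func keySet(ksk, zsk ed25519.PublicKey) []byte { return append(append([]byte("DNSKEY:"), ksk...), zsk...) }
// TrustAnchor is what a resolver is configured with out of band: a hash of the KSK.
func TrustAnchor(ksk ed25519.PublicKey) [32]byte { return sha256.Sum256(ksk) }
// SignZone plays both roles: the KSK holder signs the key set, the ZSK holder signs records.
func SignZone(ksk, zsk ed25519.PrivateKey, records map[string]string) *SignedZone {
	z := &SignedZone{KSKPub: ksk.Public().(ed25519.PublicKey), ZSKPub: zsk.Public().(ed25519.PublicKey), Records: records, RRSIGs: map[string][]byte{}}
	z.DNSKEYSig = ed25519.Sign(ksk, keySet(z.KSKPub, z.ZSKPub))
	for name, rdata := range records {
		z.RRSIGs[name] = ed25519.Sign(zsk, []byte(name+"="+rdata))
	}
	return z
}
// Validate walks anchor -> KSK -> DNSKEY set -> ZSK -> record; any broken link rejects the answer.
func Validate(anchor [32]byte, z *SignedZone, name string) (string, error) {
	if sha256.Sum256(z.KSKPub) != anchor {
		return "", fmt.Errorf("KSK does not match trust anchor")
	}
	if !ed25519.Verify(z.KSKPub, keySet(z.KSKPub, z.ZSKPub), z.DNSKEYSig) {
		return "", fmt.Errorf("DNSKEY set is not signed by the KSK")
	}
	rdata, ok := z.Records[name]
	if !ok || !ed25519.Verify(z.ZSKPub, []byte(name+"="+rdata), z.RRSIGs[name]) {
		return "", fmt.Errorf("no valid RRSIG for %s", name)
	}
	return rdata, nil
}

func main() {
	z := SignZone(DemoKey("ksk"), DemoKey("zsk"), map[string]string{"www.example.": "192.0.2.10"})
	fmt.Println(Validate(TrustAnchor(z.KSKPub), z, "www.example."))
	z.Records["www.example."] = "198.51.100.7" // altered in transit: no longer validates
	fmt.Println(Validate(TrustAnchor(z.KSKPub), z, "www.example."))
}
```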

The details of the root DNSSec are on the http://www.root-dnssec.org/ site. It also includes names and details of all the community representatives and other actors in the process.

I find Japan charming. It’s got its quirks, and the language doesn’t really help, but the people make up for it. My recent visit was the fifth since 2003, and the third in as many years. First, the visa: of the many countries and embassies that I go to for visas, Japan is unique in that it requires original letters of invitation. Printed or e-mailed ones are not acceptable. They need the paper with the squarish red stamp on it. But once you get that piece of invitation, it’s kinda straightforward. No questions asked. I think, being the fifth time, they weren’t as meticulous as they’d be with a first-time visitor though.

Flights to Japan are uneventful in general. But if you fly Thai Airways, you can be sure that the flight to Tokyo possibly gets one of the best planes in the fleet. When I flew last week, it was the latest 777-200ER that they leased from Jet Airways. Given that this was an Extended Range (ER) aircraft meant to fly India - USA non-stop, the seat pitch even in economy was really good. So, it was indeed a good flight.

Arrival in Tokyo is fun. They land on the never-finished runway with a farm right there in the middle. The well-known story is that the farmer who owns that piece of land didn’t like the way government officials were misusing eminent domain rules to expand the airport, so he fought back and the courts ruled in his favour, meaning that the government can’t force him to sell it. So, the runway remains far shorter than it would have been. You can see this in the picture at http://www.airliners.net/photo//0874120/M/.

The charm of Japan is in its service standards. Even before you reach the immigration official, you’ll pass through at least two other ‘helpers’: one who will check if you have the forms, and another who’ll come walking along the queue to see if your forms are filled in correctly. I believe that this does save time eventually, but it also helps visitors who have been confined to the airplane for long hours. Even frequent fliers tend to make mistakes after being in the sanitized air of an aircraft for long hours. A little bit of help does help.

Sometimes the Japanese can overdo the ‘stewards’ bit though. It’s common to walk through a conference or an event in Japan with two stewards standing at every corner and in every hallway with signs. I’d rather believe that most people attending these events are more than capable of finding their way.

Japanese food is another of its charms. You can get equally interesting boiled, fried, baked and even raw stuff. I prefer soba noodles to ramen. This time around I got to try some interesting okonomiyaki, Osaka style, in Tokyo. Though for some reason, I didn’t eat any sushi. Time was well spent on other foods. Even at Narita Airport, there are some good food places now in the airport mall. And my highlight was the Häagen-Dazs ice cream vending machine.

Departure proceedings in Japan are fairly straightforward, and the ANA lounge was great. I was invited into the first class section by my friend Mr. Toyama. Irrespective of which lounge you are in, ANA is possibly the only airline which has a proper kitchen in the lounge, and you can get your choice of noodles at the noodle bar.

Before ending, just so that you don’t think I was in Japan just to have fun, I was there for a reason. I was speaking at a major Japanese Internet conference, Interop-Japan. One of the founders of the event, Toru Takahashi from IAJ, had asked us to be part of a panel on Internet Exchange Points around the world. I was speaking about IXP trends in the Asia Pacific region. While I didn’t go to any other sessions, as most were in Japanese, the exhibition was enormous. I’ll spare the details, but the highlight was a 100GigE circuit between two Cisco CRS-3 routers. Now beat that.

I suddenly felt the urge to write about an older trip today, while I am waiting for my next flight to Tokyo. One of my favourite pastimes at Bangkok Suvarnabhumi Airport is to check out the departure screens for flights to destinations that I can’t pronounce in a single go. The many times that I have flown through different airports, I haven’t seen flights to such unique destinations from one location. Where else would you find flights going to Yekaterinburg, St Denis de la Réunion, and Tashkent on a display screen? I find Bangkok unique in that aspect. On a broader scale, there are of course lots of flights to secondary cities all over Asia and to major cities in Africa. And there is variety too. A few years ago, I counted that I could fly almost a dozen airlines from Bangkok to Singapore or Hong Kong.

But now, back to my flights from a few years ago. It was August 2005. I did a crazy routing of flights. In the first phase, I went to Karachi, my first time in Pakistan. It was fun. The PIA experience: I was given a seat in business class on the Kathmandu - Karachi sector, but with economy service. It was one of their A310s. Of the five people who were actually going to Karachi, I was one. The rest were all connecting to destinations in the Gulf. The details of my security escort in Karachi are a story for another day. But I did enjoy the food and the people I met in Karachi, and we set up the ground for hosting the first SANOG in Pakistan in 2006.

After Karachi, I flew PIA to Delhi. I spent about 12 hrs in Delhi. While I was expecting hassle at IGI, it was as smooth as it could get. I could see that the immigration guy was relieved to see a non-Indian or non-Pakistani passport. Less work for him, I believe. My 12 hrs in Delhi were spent visiting friends and eating lunch and dinner. I had a car pick me up from the airport, go around town all day with me and then drop me off at the airport again in the evening. Delhi can be intimidating for first-time visitors, but it’s definitely fun if you know your way around the system there.

In fact, I had no real reason for being in Delhi, other than how my flights got done. I was en route to Ulan Bator in Mongolia. If you use the Great Circle Mapper (http://gc.kls2.com), you realize that Karachi to Ulan Bator is about 2670 miles, or roughly a 6-hour flight. But then I was booked Karachi - Delhi - Singapore - Seoul - Ulan Bator, turning it into roughly a 33-hour-long run.

The flights themselves were not that interesting. I had a misconnect in Singapore, but SQ were so good that when I arrived, they had already moved me to a later flight and prepared a new boarding pass to Seoul Incheon. From Seoul to Ulan Bator, I flew Mongolian Airlines (MIAT). It was a nice new 737 aircraft. Of course, my bags didn’t make it to ULN that night with me. They arrived the next day. I never figured out if they were left in Singapore or in Seoul. The bags were tagged with so many pieces of paper that it was a jumble.

After a week in ULN doing BGP multihoming with the good Dr. Smith, the return was not eventful at all. Korean Airlines (KE) to Seoul. Both Philip and I thought we had business class seats, but there was no visible difference from the economy class. I flew back to Delhi on Singapore Airlines from Seoul. Bags made it with me.

But this was not the end. A few months before this trip, I had had a trip to Mumbai cut short due to massive floods in Mumbai. It was now time for me to finish that trip. So I flew the excellent Jet Airways to Mumbai and back. And finally back to Kathmandu.

On this one trip, I had flown on 5 airlines, flown 7,300+ miles to cover a distance of 2670 miles, misconnected, missed bags and was now back home in about 3 weeks. I had visited 3 countries, and transited through two more.

I know how I ended up with this complex routing. For non-regular travelers, it may not make sense, but it does if you look at it deeper. The choices for flying to Ulan Bator were limited: either I had to fly through Beijing or through Seoul. Flying back to Kathmandu from Karachi would also have resulted in another set of flights that would have taken me to Beijing or Seoul via Bangkok. So, in terms of absolute number of flights or time, it wouldn’t have really made a difference. On the other hand, I still had the un-utilized Delhi - Mumbai - Kathmandu portion of my ticket from the aborted trip a few months earlier. Thus, if I flew to Delhi from Karachi, I would have the return already covered. In short, by going via Delhi, I saved myself one Kathmandu - Delhi flight. Makes sense, doesn’t it?

Even if it doesn’t, don’t worry: now you can fly direct from Kathmandu to Seoul on certain days, and hopefully the non-regular flight between ULN and BKK will become a regular one some day.

Safe Travels !!