ion singapore - geoff huston/dan york: business cases for ipv6 & dnssec
DESCRIPTION
Slides from ION Singapore. Geoff Huston's slides, as presented by Dan YorkTRANSCRIPT
![Page 1: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/1.jpg)
The Business Cases for IPv6 & DNSSEC
Slides by Geoff Huston, APNIC Presented by Dan York, Internet Society
![Page 2: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/2.jpg)
A “Business Case”
![Page 3: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/3.jpg)
The Basics of Business
Business is driven by two very fundamental emoGonal states:
Greed Where the anGcipated return is greater than the investment, and the moGvaGon is to maximize the margins
Fear Where the absence of investment will erode current returns, and the moGvaGon is to minimize the damage
![Page 4: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/4.jpg)
The Basics of Business
Business is driven by two very fundamental emoGonal states:
Greed Where the anGcipated return is greater than the investment, and the moGvaGon is to maximize the margins
Fear Where the absence of investment will erode current returns, and the moGvaGon is to minimize the damage
What is the major business driver for IPv6?
Is it Fear or Greed?
What about DNSSEC?
Fear or Greed?
![Page 5: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/5.jpg)
Lessons from the Past
Why are we discussing this issue of a business case for technology in the context of IPv6 and DNSSEC anyway? As far as I recall it seems that IPv4 never needed a business case!
![Page 6: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/6.jpg)
Economics and Technology
To answer that we need to digress into an examinaGon of macro economics and technology…
![Page 7: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/7.jpg)
The Rise of the Internet
Technology ShiT: From circuit switching to packet switching: transiGon from network-‐centric to edge-‐centric communicaGons model generated displacement leverage – lower network costs though displacement of funcGonality and cost to computer-‐based end systems
– the more flexible service model of a packet-‐based network exposed a larger set of services that could be replaced by communicaGons-‐based service models
![Page 8: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/8.jpg)
The Demand Schedule
Quantity
Pric
e
![Page 9: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/9.jpg)
The Demand Schedule: ConsumpGon
Quantity
Pric
e demand
As the unit price comes down, it tends to expose higher levels of demand
![Page 10: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/10.jpg)
The Demand Schedule: ProducGon
Quantity
Pric
e supply
As the unit price increases, it tends to motivate higher levels of production
![Page 11: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/11.jpg)
The Demand Schedule: Equilibrium Point
Quantity
Pric
e
q
p
s d
Market equilibrium point of supply and demand
![Page 12: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/12.jpg)
Circuits to Packets: The Demand Schedule ShiT
Quantity
Pric
e
q(Circuits)
p(Circuits)
reduced cost of supply of services within the network
s(IP)
s(C) d(C)
![Page 13: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/13.jpg)
Circuits to Packets: The Demand Schedule ShiT
Quantity
Pric
e
q(Circuits)
p(Circuits)
s(C)
d(IP) d(C)
increased perception of value due to greater service flexibility
![Page 14: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/14.jpg)
Circuits to Packets: The Demand Schedule ShiT
Quantity
Pric
e
q(Circuits) q(IP)
p(IP)
p(Circuits)
reduced cost of supply, and increased perception of value, resulting in a new equilibrium point with higher quantity and lower unit price
s(IP)
s(C)
d(IP) d(C)
![Page 15: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/15.jpg)
The Rise of the Internet
Technology ShiT: From circuit switching to packet switching
Packet switching is far cheaper than circuit switching. This drop in cost exposed new market opportuniGes for emergent ISPs
![Page 16: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/16.jpg)
The Rise of the Internet Business: exposed new market opportunity in a market that was
acGvely shedding many regulatory constraints – exposed new market opportuniGes via arbitrage of circuits
• buy a circuit, resell it as packets – presence of agile high-‐risk entrepreneur capital willing to exploit short
term market opportuniGes exposed through this form of arbitrage – volume-‐based suppliers iniGally unable to redeploy capital and process
to meet new demand • unable to cannibalize exisGng markets • unwilling to make high risk investments
![Page 17: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/17.jpg)
The Rise of the Internet
Time
Size
of t
he In
tern
et
~1990 ~2000
High Volume Provider Industry (Telco Sector)
Small ISP (Entrepreneur Sector)
~1995
![Page 18: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/18.jpg)
IPv4 Deployment– First Steps Greed A small investment by a new entrant could support a service por\olio that has a high perceived value, allowing for a high premium on invested capital
Fear New entrants take market share away from incumbent telcos. Incumbents need to offer similar IP-‐based services in order to minimize the impact on market share, despite a certain level of unavoidable product cannibalizaGon on their legacy products
![Page 19: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/19.jpg)
The Maturing Internet
Business: CommunicaGons is a volume-‐dominated acGvity: higher service volumes tend to drive down the unit cost of service supply
The maturing Internet market represented an opportunity for large scale investment that could operate on reduced cost bases through economies of scale
![Page 20: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/20.jpg)
The Maturing Internet
Maturity: This is a market dominated by volume-‐based economics. As the market matures the novelty premium disappears, and the market reverts to a convenGonal volume-‐based characterisGcs where the smaller players are squeezed/bought out
![Page 21: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/21.jpg)
IPv4 Deployment
Time
Size
of t
he In
tern
et
High Volume Provider Industry (Telco Sector)
Small ISP (Entrepreneur Sector)
~1990 ~2005
![Page 22: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/22.jpg)
But that was then
And this is now 2013!
And we are looking at the business case for IPv6 deployment!
![Page 23: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/23.jpg)
What about IPv6 Deployment?
Will the same technology, cost and regulatory factors that drove the deployment of the IPv4 Internet also drive this industry through the transiGon from IPv4 to IPv6?
![Page 24: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/24.jpg)
What about IPv6 Deployment?
• Will the same technology, cost and regulatory factors that drove the deployment of the IPv4 Internet also drive this industry through the transiGon from IPv4 to IPv6? Will Greed work for IPv6?
![Page 25: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/25.jpg)
IPv6 vs IPv4
Are there compe77ve differen7ators? no cost differenGal no funcGonality differenGal
no inherent consumer-‐visible difference no visible consumer demand
![Page 26: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/26.jpg)
IPv4 to Dual Stack: The Demand Schedule ShiT
Quantity
Pric
e
QV4
PV4
SV4
SDualStack
DV4 / DualStack
PDualStack
QDualStack
Supply side cost increase due to Dual Stack operation
No change in perception of value, so demand schedule is unaltered
Equilibrium point is at a lower quantity if Dual Stack supply costs are passed on to customers
![Page 27: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/27.jpg)
IPv6
• It won’t make producGon costs any cheaper – and it may make them slightly higher
• It won’t reduce your customer support loads – and it may make then higher
• It won’t make your network more resilient – it may make the customer experience worse
• It won’t allow you to avoid large scale use of NATs in IPv4
![Page 28: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/28.jpg)
What about IPv6 Deployment?
• Will the same technology, cost and regulatory factors that drove the deployment of the IPv4 Internet also drive this industry through the transiGon from IPv4 to IPv6?
Will Greed work for IPv6?
NO!
![Page 29: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/29.jpg)
What about the Business Case for IPv6?
Its hard to sell incumbent service providers a business strategy involving a quarter-‐by-‐quarter expense to improve the strategic outlook over a 5 – 10 year period
Some buy it – its called “the evangelist” business plan, or the “20%” plan
But most have not
And that really should be cause for concern
![Page 30: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/30.jpg)
What is the underlying business driver for IPv6?
![Page 31: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/31.jpg)
future risk.
![Page 32: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/32.jpg)
(and we’re prefy bad at quanGfying risk!)
![Page 33: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/33.jpg)
And the future risk is…
We have no idea how to build the Internet through the coming decade without IPv6 at its foundaGon *
We have no idea how to scale up the Internet to a network with some 50 – 100 billion connected devices if we have to make intense use of NATS and sGll preserve the basic afributes of scale, flexibility, security, efficiency and uGlity
* Actually we don’t have all that good an idea of how to do this even with IPv6, but we feel more confident that we can make something work if we have a coherent IP layer at the foundaGon of the network
![Page 34: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/34.jpg)
The Case for IPv6
It’s all about what made the Internet so disrupGve in the first place: openness accessibility permissionless innovaGon role specializaGon compeGGon
![Page 35: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/35.jpg)
The Case for IPv6 These factors do not necessarily advantage one incumbent over another But these factors have already facilitated highly valuable new market entrants:
– social nets – mobility
– grid and cloud – app innovators – streaming video
– data analyGcs
![Page 36: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/36.jpg)
The Case for IPv6
Who benefits: The Incumbent Provider? The Consumer?
![Page 37: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/37.jpg)
The TransiGon to IPv6
So if there is no immediate benefit to incumbents who elect to deploy IPv6, then in economic terms is this transiGon an instance of a market failure?
![Page 38: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/38.jpg)
“Market Failure”
![Page 39: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/39.jpg)
Really? Is this IPv6 transiGon really so hard?
Or is it a collecGve complacency of the form “we’ll move when we have to, but not necessarily unGl we have to”?
The stories from providers who have provisioned IPv6 is largely positive: low incremental cost, little disruption, no significant service impact
![Page 40: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/40.jpg)
The business case for IPv6 need not be rocket science
But it does require you to think for yourself, and not just copy your competitor’s inaction!
![Page 41: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/41.jpg)
![Page 42: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/42.jpg)
What about DNSSEC?
![Page 43: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/43.jpg)
Why DNSSEC?
The DNS only just works – that it works at all is a modern miracle!
So why make the DNS – slower – a LOT more complex to operate – more fragile – more expensive?
![Page 44: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/44.jpg)
What about DNSSEC?
What’s the Business Case for security? – If you are an online bank its easy – it’s core business
– If you are a customer its hard • Because its hard to value ephemeral risk • And good security oTen runs counter to simplicity and ease of use
– Customers prefer passwords
![Page 45: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/45.jpg)
Why DNSSEC?
Simple: – The DNS is highly vulnerable to malicious and insidious afack
– And the paraphenalia of today’s network security (SSL) has been proved to be highly vulnerable to relaGvely unsophisGcated afacks
– If we were able to secure the DNS we could leverage that to improve the situaGon with SSL and related service security measures
![Page 46: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/46.jpg)
InternaGonal Herald Tribune Sep 13, 2011 Front Page
Front-Page
News!
![Page 47: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/47.jpg)
How Did This Happen?
• Because the hierarchy of domain name registraGon is disconnected from domain name security – Your browser has no idea of WHICH Domain Name CerGficate Authority to trust to validate a domain name cerGficate
• So its trusts them all! • And that’s not good • Because some CA’s are not very well secured • And get hacked • And are used to mint forged cerGficates • For ANY domain name
![Page 48: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/48.jpg)
How can we fix this?
• The class of exploit works because cerGficate validaGon is independent of domain name resoluGon – The implicit trust model necessarily involves a leap of faith – And “trust” and “leap of faith” are convenGonally seen as antonyms
• So a robust “fix” should add validaGon into domain name resoluGon – Which inevitably leads to DNSSEC – That allows domain name cerGficates to be securely placed into a signed DNS (DANE)
![Page 49: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/49.jpg)
Why DNSSEC?
• For clients: avoid being duped or misled through malicious use of forged Domain Name cerGficates
• For domain name holders: raise the threshold for the afacker
![Page 50: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/50.jpg)
From Here to There
• DNSSEC-‐validaGon tools are useful only when domain names are signed
• DNSSEC-‐signed domains are useful only when there are DNSSEC validaGon tools in use
What changes this deadlock?
![Page 51: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/51.jpg)
A circuit breaker?
![Page 52: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/52.jpg)
What’s the Business Case for DNSSEC?
What’s the Business Case for security and trust in the Internet?
![Page 53: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/53.jpg)
The Worldwide Digital Economy in 2016
Digital Economy of the G20 Economies
2016: US $4.2 Trillion *
Improved Trust
Compromised Trust
US $ 5.2T
US $ 3.2T
At Risk: US $2T
* Boston ConsulGng Group, January 2012
![Page 54: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/54.jpg)
The Case for DNSSEC
Are there compe77ve differen7ators? higher cost more complex operaGon
no overt consumer-‐visible difference no visible consumer demand
![Page 55: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/55.jpg)
The Case for DNSSEC Are there compe77ve differen7ators?
higher cost more complex operaGon
no overt consumer-‐visible difference no visible consumer demand
But: this is the only way we know to secure the operaGon of the DNS in the face of known exploitaGon vectors Securing the name infrastructure then allows us to improve the a suite of security tools that are triggered by name-‐based rendezvous mechanisms
![Page 56: ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC](https://reader033.vdocument.in/reader033/viewer/2022051816/5456a47cb1af9fcf338b4ef6/html5/thumbnails/56.jpg)
Thank You! Questions?