It's thanks to standards that the internet works
Steven Luitjens, the Dutch interior ministry's Director of Information Society and Government, has linked up with Nico Westpalm van Hoorn, who chairs of the Forum for Standardisation, to present the magazine Standaardwerken (in Dutch) 2018. The new publication is packed with interviews and case studies on the use of open standards in the public and private sectors. As Standaardwerken makes clear, open standards are the oil that lubricates the digital collaboration sought by both sectors. SIDN's contribution to Standaardwerken is reproduced below.
SIDN wants to see all businesses and government bodies using the security standard DNSSEC. DNSSEC makes the internet safer and more reliable. However, although it's been around for some years, not everyone is using it. It's a similar story with IPv6, a protocol that allows more unique IP addresses to be created. Again, the take-up has been slow, despite the obvious benefits. "It's thanks to standards that the internet works. Without them, there's no shared language that can be used for machines to find each other and communicate over the World Wide Web," points out Marco Davids, Research Engineer at SIDN Labs, part of the Foundation for Internet Domain Registration in the Netherlands (SIDN). SIDN operates part of the Domain Name System (DNS), which translates domain names into IP addresses and vice versa. Davids does research and innovation work aimed at improving the stability and security of the DNS. He's also involved in DNS data analysis and privacy protection.
Since 2012, it's been possible to secure .nl domain names using DNS Security Extensions, or DNSSEC for short. "With DNSSEC, encryption is used to add a layer of security to the basic DNS protocol," explains Davids. "Extra security is important, because the internet is increasingly used to exchange and store sensitive information and perform financial transactions. Most of us do at least some internet banking, for example. And paying for things on line is an everyday activity. However, the traditional DNS – without DNSSEC – is vulnerable to internet criminals, who are getting cleverer all the time." The flaw in the DNS and the security implications were highlighted in 2008 by US hacker and computer consultant Dan Kaminsky. "It's possible for crooks to interfere with the DNS information sent by a name server, so that the internet user who receives it gets directed to a different web server, despite entering the right domain name," continues Davids. "So the user ends up on a fake site, set up to harvest confidential data, for example. Using the international DNSSEC standard can prevent that kind of situation and make the internet safer for everyone. DNSSEC also serves as a basis for other security enhancements. The DANE standard, which builds on DNSSEC, is a good example. DANE offers a more reliable way of checking the validity of the certificates used for secure connections, such HTTPS for a website or STARTTLS for e-mail."
All registrars (firms that have direct access to SIDN's systems for registering on-line addresses) and internet service providers can now offer their customers the extra protection provided by DNSSEC. Davids is concerned, however. "Many internet firms don't yet support this security enhancement," he says. "No matter how good and secure a standard may be, getting it agreed and available for use is just the start. The real challenge is usually persuading people to use it. For example, by no means all .nl domain names are secured with DNSSEC." With the aim of promoting take-up by registrars and internet service providers, SIDN offers cash incentives to those who make DNSSEC available to their customers. "The incentive scheme is working," says Davids. "Financial rewards definitely help to get some firms on board. But often the key thing is awareness: motivation to adopt DNSSEC depends on understanding what it is and why it matters." Unfortunately, some important players remain wary of DNSSEC. "SNS Bank is now using it, but a lot of banks were initially very reluctant to embrace the new standard," reflects Davids. "However, we see adoption by financial service providers as really important, because of all the transactions their websites handle." Roelof Meijer- CEO SIDN
|"You might think that banks would be eager to embrace the security benefits of DNSSEC. But a survey we did at the start of 2017 found that banking lagged behind all the other industries we looked at in terms of securing their domain names. We see that as a source of concern. With many high street branches closing and fewer cash machines around, it's increasingly important that banks secure their digital front doors. DNSSEC is one of the main ways of doing that." ”|
Promoting awareness, lobbying and raising the topic at every opportunity. Those are the tactics that SIDN is using in its efforts to persuade banks and other influential players, including the news media and weather forecasters, to get on side with DNSSEC. Part of the issue is that the standard involves the two-way exchange of information. "With DNSSEC, security is improved only if recipients actually check the 'digital signatures' attached to DNS data," explains Davids. "That would normally be done for the user by their internet access provider. However, while XS4ALL and certain others provide that service, many don't."
Enabling the internet to grow
Despite the ambivalence towards DNSSEC from some important players, adoption in the Netherlands is actually quite high by international standards. The same can't be said in relation to another protocol that SIDN wants to see everyone on the internet using: IPv6. Marco Davids again: "Every device on the internet is identified by a unique number called an Internet Protocol address, or IP address for short. The version of the Internet Protocol that most people currently use, IPv4, dates back to 1981. With IPv4, the address space is 32 bits. Meaning that IPv4 can be used to create about four billion unique IP addresses. That may sound a lot, but when you think that there are more than seven billion people on earth, and before long the vast majority will want to be connected to the net, it's easy to see that IPv4 isn't up to the job any more. That's why IPv6 was developed. This new version of the protocol came out in 1998, but it didn't become a hot topic or make real headway until more recently. The number of enabled servers and end users has been growing almost exponentially in the last few years. The IPv6 address space is 128 bits, which means you can use it to create way, way more unique IP addresses. It's really high time that everyone switched, because the internet needs IPv6 to continue growing."
Netherlands lags behind
Big internet firms such as Google and Facebook have already gone over to the new protocol. All their services are now IPv6-enabled. Many countries, including Belgium, the US, India, Greece and Germany, are well on their way to full transition. The Netherlands lags behind, however. At the end of 2017, just 10 per cent or so of Dutch addresses were enabled, leaving the country down at 24th in the international adoption rankings. That's the picture painted by data from APNIC, the non-profit organisation that issues and manages IP addresses in the Asia-Pacific region.
Marco Davids - Research engineer SIDN Labs
|"DNSSEC is a standard that makes the internet safer for everyone"|
"One problem is that IPv6 isn't compatible with IPv4," Davids acknowledges. "As a result, a computer that only has an IPv4 address can't talk to one that only has an IPv6 address. New and old don't mix, and that's holding up adoption. Migration to IPv6 can therefore be costly, because knowledge needs to be replaced and the two systems will need to run side-by-side for a good while. That should be a lesson for the future, where the development of internet standards is concerned. New standards need to build on the existing ones – to be 'backward compatible' in tech jargon – so that adoption is more straightforward and therefore quicker and cheaper." The Dutch government now recognises the importance of IPv6. Like DNSSEC and DANE, IPv6 has for some time been on the government's 'use or explain' list of standards that official bodies are more or less obliged to follow. So, for example, the DigiD site has been IPv6-enabled for a while. Adoption by local government has nevertheless been slow. On the other hand, there's recently been a steady stream of announcements from big businesses that they are making the change. Among them Rabobank and other financial institutions. The services of IT firms such as Ziggo, KPN, XS4ALL, Vodafone, Tele2, T-Mobile, Netflix and LinkedIn are also now accessible using IPv6. The trend is welcomed by Davids. "That's good news, because IPv6 involves two-way traffic as well. So migration isn't simply a question of companies making their websites 'IPv6-proof'; it also requires access providers to enable their customers to use IPv6 for surfing the net. Things are starting to move now, but the process needs to be accelerated. As a country, we don't want to find ourselves in a situation where there are no IPv4 addresses left, but many of our systems can't work with IPv6. That would be a brake on economic growth and internet innovation. So we have to plan ahead and get ready for the future."
Want to know more about Standaardwerken 2018?
Download the Dutch magazine Standaardwerken 'het belang van verbinden'
At the Weekconnect event on 17 April, Nico Westpalm van Hoorn will be interviewing a number of people involved in producing the magazine about the benefits of new internet standards and how to adopt them. Standards will also be in the spotlight at the ECP annual congress.Standaardwerken is published by the Forum for Standardisation