ENISA evaluates network resilience of MPLS, IPv6 and DNSSEC

ENISA defines network resilience as the “ability of a system to provide and maintain an acceptable level of service in face of faults (unintentional, intentional, or naturally caused) affecting normal operation.”

Overall, ENISA found that MPLS, IPv6 and DNSSEC improve both the resilience and security of the internet; that commercial operational best practice and recommendations for applied network resilience are missing; and that there is a lack of management and coordination between stakeholders.

Andrea Pirotti, executive director of ENISA, said: “The recent spotlight in the news on networks unavailability, caused by cyber attacks and physical phenomena, highlights the urgency and importance of ENISA’s work on improving the resilience of public communications. This is an area vital for European e-government, e-business and ultimately, the economy.”

The key recommendations from the reports are:

  • Resilient connectivity of European organisations must be ensured;
  • European expertise, best practice and operational experience must be exploited; and
  • The existence of European trained experts should be ensured.

According to ENISA, the information and communication technology (ICT) sector contributes 25% of the EU’s GDP growth and 40% of its productivity growth, and “all efforts should be made to ensure that growth of the European industry will not be hindered by unreliable and unsecure network access to infrastructures. This is likely to happen if Europe does not put effort into development and deployment of new, emerging technologies and architectures.”

MPLS

MPLS is said to offer fast traffic repair after failures, data protection, and performance and security monitoring capabilities.

Service providers use MPLS to implement:

  • Layer 2 (L2) point-to-point connections that carry legacy traffic such as ATM and Frame Relay over a common backbone;
  • Various types of virtual private networks (VPNs);
  • Traffic engineering (TE) of the traffic inside the provider core networks; and
  • Improved resilience for provider core networks.

The majority of service providers interviewed by ENISA said they had deployed MPLS, and of those, 40% have offered it to customers for 10 years.

Overall, it was found that MPLS “significantly increases the resilience of networks.”

IPv6

IPv6 is the “next generation protocol for the internet” and has been designed as a successor to IPv4. IPv6 offers a larger address space compared to IPv4, quality of service hooks and built-in security features for encryption and authentication of end-to-end communication.

It also features mandatory support for network-layer security in the protocol stack, simplified packet headers, fixed-length packet headers, stateless address auto-configuration, new multicast functionality, address scopes, extension headers, flow labels, IP mobility features and jumbograms.

Around 27% of the interviewed service providers already offer IPv6, with another 55% planning to deploy it commercially within the next three years. Demand is mainly driven by the increasing demand for IP address space rather than by network resilience, ENISA noted. Furthermore, “no improvement of resilience has been observed after introducing IPv6”, despite ENISA also saying that IPv6 makes it harder to launch worms and reconnaissance probing.

DNSSEC

DNSSEC was developed to address the problem of attackers spoofing DNS messages. DNSSEC defines a process whereby a suitably configured name server can verify the authenticity and integrity of query results from a signed zone. It uses public key cryptography and cryptographic hashes to enable a security-aware receiving name server to authenticate that data received could only have originated from the requested zone; verify the integrity of the data; and verify that, if a negative response (NXDOMAIN) was received to a host query, the target record does not exist (denial of existence).

In short, it could prevent spoofing and malicious domain takeovers and provides good traffic isolation and control.
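The denial-of-existence proof described above can be illustrated with a small model of an NSEC chain, in which the zone signer sorts every name canonically and links each to the next, so a validator can show that a queried name falls in a gap. This is an added Python example with a constructed zone, not code from the ENISA report; it covers only the NSEC-chain logic and omits the RRSIG signature check a real validator also performs over the NSEC record.

```python
# Model of DNSSEC authenticated denial of existence with an NSEC chain
# (RFC 4034 section 4). Constructed example zone; signature checking over
# the NSEC record itself is left out to keep the chain logic visible.

def canonical_key(name):
    """Sort key for DNS canonical ordering: labels compared right-to-left,
    case-insensitively, so 'a.example.com' sorts before 'b.example.com'."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(reversed(labels))


def build_nsec_chain(zone_names):
    """Return {owner: next_owner}: what the zone signer publishes as NSEC
    records. The last name in canonical order wraps around to the apex."""
    ordered = sorted({n.lower().rstrip(".") for n in zone_names}, key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}


def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly between owner and next_name in canonical
    order. The wrap-around record (owner > next) covers everything after
    the last name and everything before the apex."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def prove_nonexistence(chain, qname):
    """Validator side: return the (owner, next) NSEC record that proves
    qname does not exist, or None when the name exists, is outside the
    zone, or no record covers it (a validator treats the last case as a
    bogus answer, not as an unsigned one)."""
    q = qname.lower().rstrip(".")
    apex = min(chain, key=canonical_key)
    if not (q == apex or q.endswith("." + apex)):
        return None               # NSEC from this zone cannot speak for other zones
    if q in chain:
        return None               # name exists; a signed RRset or NODATA proof applies
    for owner, nxt in chain.items():
        if nsec_covers(owner, nxt, q):
            return owner, nxt
    return None


if __name__ == "__main__":
    chain = build_nsec_chain(["example.com", "mail.example.com", "www.example.com", "A.example.com"])
    print(prove_nonexistence(chain, "ftp.example.com"))   # a.example.com -> mail.example.com gap
```

A production validator additionally checks the closest encloser and wildcard cases from RFC 4035, and only accepts the covering NSEC after its RRSIG validates against the zone's DNSKEY.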

DNSSEC was the least widely deployed technology of the three explored by ENISA, with 22% having deployed it. While 56% of the interviewed service providers are considering deploying it in the next three years, 22% say they have no plans to do so.

It has been found to improve the resilience of DNS, but the technology is still seen as immature. Some 86% of respondents said the complexity of deploying DNSSEC was a challenge and that tools for easy deployment are missing.

Regulations

The majority of service providers interviewed by ENISA said there was no need for regulatory intervention for deployment of any of the three technologies. However, they consider that guidelines on deployment and operational management practice “might, in some cases, help network operators with the introduction of these technologies…”

New risks

Although all three technologies were found to offer improved network resilience to varying degrees, ENISA noted that they may also introduce new security risks. One example could be that with the wide address space offered with IPv6, attackers could improve their techniques of escaping address blacklisting.
