Global Infrastructure Security and IPv6 Implications. Larry J. Blunk Fall 2004 Internet2 Member Meeting September 29, 2004

Transcription

1 Global Infrastructure Security and IPv6 Implications Larry J. Blunk Fall 2004 Internet2 Member Meeting September 29,

2 Defining GlobGg infbasfrusrfee Internet Global Infrastructure consists of core Internet services which are globally deployed and coordinated Also referred to as Critical Infrastructure DNS and BGP are traditional Global Infrastructure PKI may be considered as well Will consider security and IPv6 implications Cannot look at IPv6 in isolation as IPv4 will be a major part of Global Infrastructure for many years 2 Merit Network: Connecting People and Organizations Since 1966 Slide 2

3 ProGnugKeyg infbasfrusrfe PKI defned here as X.50 standards and Certifcate Authorities Deployment of PKI for site certfcates is partially motivated by lack of security in underlying DNS and BGP protocols However, PKI cannot be relied on to completely cure the security issues of DNS and BGP 3 Merit Network: Connecting People and Organizations Since 1966 Slide 3

4 PK gggnmnsbsnlia Ubiquitous use of PKI could lessen need to secure DNS and BGP Unlikely to be deployed on all services due to performance overhead and complexity issues Most users unaware of when they are making a secured connection and why it is important How many check the litle padlock in the cornerr Issues with Certifcate Authorities and validation procedures 4 Merit Network: Connecting People and Organizations Since 1966 Slide 4

5 PK,g PSEC,gbidg Pv6 IPSec is a critical security component of IPv6 Ofen cited as a primary security advantage of IPv6 Mandated in protocol Not integrated as an aferthought as in IPv4 PKI support can be integrated with IPSEC to ease manageability and deployment IETF pki4ipsec working group addressing issues 5 Merit Network: Connecting People and Organizations Since 1966 Slide 5

6 PK g Pv6gnmpGemeisbsnlia X.50 standards include IPv6 support RFC3285 University of Murcia has developed a set of services around PKI with full IPv6 support Provides users with basic certifcation services such as the issuance, renewal, and revocation of certifcates, as well as advanced services Open source, writen in ava htpp::pkixumuxeuro6ixxorg IPv6 only secure site -- htpsp::pkixipv6xumxes 6 Merit Network: Connecting People and Organizations Since 1966 Slide 6

7 DNSgSeurfnsyg-gDNSSEC DNSSEC has been in development for 0 years Close to fnaliiing third major revision RFC2.3.bis With standards largely fnaliied work is progressing on deployment road map Issues with key management, distribution, and signing the root ione Does not address weaknesses in underlying BGP routing infrastructure 7 Merit Network: Connecting People and Organizations Since 1966 Slide 7

8 DNSSECgbidg Pv6 DNSSEC standards protocol agnostic BIND 0 supports both DNSSEC and IPv6 NLNet labs has developed a dig-like debuging:query tool called Drill for DNSSEC includes IPv6 support There are issues with.12-byte UDP packet limit and IPv6 glue record support in root ione NLNet Labs released a study on the issue DNSSEC will likely compound the.12-byte problem 8 Merit Network: Connecting People and Organizations Since 1966 Slide 8

9 SeurfningB P BGP security is less advanced than DNSSEC Secure BGP (S-BGP) has been in development for roughly 7 years (BBN Technologies) No consensus that S-BGP is the right path RPSEC WG still looking at security requirements Cisco alternative - Secure Origin BGP (sobgp) Other proposals have been presented Inter-domain Routing Validation (IRV) AT&T Research Secure Path Vector (SPV) - CMU 9 Merit Network: Connecting People and Organizations Since 1966 Slide 9

10 SeurfningB Pg g Pv6g nmpgnubsnlia IPv6 represents an opportunity due to its considerably smaller deployment 6.5 global routing table entries versus 145,555+ for IPv4 All IPv6 allocations have been made by Regional Internet Registries (RIRs) and are well documented Unlike IPv4 there are no legacy allocations IPv6 could serve well as an initial deployment base for a secured BGP protocol Registries should consider PKI needs of Secure BGP 10 Merit Network: Connecting People and Organizations Since 1966 Slide 10

11 isefnmgb Pgaeurfnsyg-gfGsefnin Filter prefx announcements and only allow those which have been confgured for a given origin AS Has been an application of routing registries for a considerable time Many ISPs have tools and experience with it IPv6 presents an opportunity due far fewer prefxes in global routing tables Filtering in core transit backbones more feasible RPSLng work updates Routing Policy Specifcation Language to support IPv6 (more laterxxx) 11 Merit Network: Connecting People and Organizations Since 1966 Slide 11

12 isefnmgb Pgaeurfnsyg g mlinslfningbidgilsnfubsnli Use routing registries or other databases to confgure normative routing policy Alert when anomalous routing event detected Use various BGP collectors as data sources More fexible than simple origin AS fltering Can monitor AS PATH and other atributes Cannot prevent atacks -- reactive mechanism Alert may not be received if sent in-band Does not require cooperation of other providers 12 Merit Network: Connecting People and Organizations Since 1966 Slide 12

13 RPSLingbidg Pv6gflrsningplGnuy RPSLng updates Routing Policy Specifcation language standard to support IPv6 and Multicast Internet Draf has received IESG approval Now awaiting RFC Editor for approval Merit and RIPE have both implemented the RPSLng spec and are coordinating production deployment Planning on deploying within a month Merit has updated RADB whois server to support for whois queries over IPv6 - v6xradbxnet 13 Merit Network: Connecting People and Organizations Since 1966 Slide 13

14 Renefeiuea PKI WG - htpp::wwwxietfxorg:htmlxcharters:pkix-charterxhtm Infrastructure Securityp PKI, IPSec, DNSsec, IPv6 -- htpp::wwwxisocxorg:isoc:conferences:inet:54:documents:sein IT_3_INET2554_InfrastructureXpdf UMU PKIv6 - htpsp::pkixumuxeuro6ixxorg:pkiv6xhtml IETF pki4ipsec WG - htpp::wwwxietfxorg:htmlxcharters:pki4ipsec-charterxhtml DNSSEC - htpp::wwwxdnssecxnet DNSSEC Deployment - htpp::wwwxsdlxsrixcom:other:dnssec Drill - htpp::wwwxnlnetlabsxnl:dnssec:drillxhtml 14 Merit Network: Connecting People and Organizations Since 1966 Slide 14

15 Renefeiueag(uli'd) Adding IPv6 glue to the root ione - htpp::wwwxnlnetlabsxnl:ipv6:publications:v6rootgluexpdf S-BGP - htpp::wwwxnet-techxbbnxcom:sbgp:sbgp-indexxhtml RPSEC - htpp::wwwxietfxorg:htmlxcharters:rpsec-charterxhtm SoBGP - htpp::wwwxnanogxorg:mtg-5356:pdf:alvaroxpdf IRV - htpp::wwwxisocxorg:isoc:conferences:ndss:53:proceedings:pa pers:.xpdf SPV - htpp::wwwxecexcmuxedu:/adrian:projects:spvxpdf RPSLng - htpp::wwxradbxnet:rpslngxhtml 15 Merit Network: Connecting People and Organizations Since 1966 Slide 15