Saving the Internet from doom (DNSSEC and IPv6) Sofia, Bulgaria September 2008

Similar documents
DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Topics of Interest Iraklion, Greece June 2008

DNSSEC Explained. Marrakech, Morocco June 28, 2006

Internet Operations and the RIRs

DNS Security FAQ for Registrants

FAQ (Frequently Asked Questions)

IANA Functions to cctlds Sofia, Bulgaria September 2008

DNS Basics. DNS Basics

The IANA Functions. An Introduction to the Internet Assigned Numbers Authority (IANA) Functions

Root zone update for TLD managers Mexico City, Mexico March 2009

NANOG DNS BoF. DNS DNSSEC IPv6 Tuesday, February 1, 2011 NATIONAL ENGINEERING & TECHNICAL OPERATIONS

Securing DNS Infrastructure Using DNSSEC

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

Current Counter-measures and Responses by the Domain Name System Community

Computer Networks: Domain Name System

Before the. Committee on Energy and Commerce Subcommittee on Communications and Technology United States House of Representatives

Distributed Systems. 22. Naming Paul Krzyzanowski. Rutgers University. Fall 2013

DNS and BIND. David White

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

The Internet. On October 24, 1995, the FNC unanimously passed a resolution defining the term Internet.

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. and 8 Feb 2006 Stichting NLnet Labs

The Internet Introductory material.

DNS Root NameServers

Internet Bodies.

Current Counter-measures and Responses by the Domain Name System Community

Internet-Praktikum I Lab 3: DNS

mydnsipv6 Success Story

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

IPv6 Address Planning

Q3 State of DNS Report DNSSEC Deployment in.gov

ICANN- INTERNET CORPORATION OF ASSIGNED NAMES & NUMBERS

Operation of the Root Name Servers

An Introduction to the Domain Name System

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

Use Domain Name System and IP Version 6

Strengthening our Ecosystem through Stakeholder Collaboration. Jia-Rong Low, Sr Director, Asia 20 August 2015

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Kim Davies Internet Assigned Numbers Authority

Copyright

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, DNS & IPv6.

Introduction to IP Numbers vs. Domain names. Adiel A. Akplogan CEO, AFRINIC. 2014

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

Georgia College & State University

How It Works: 101: Naming, Addressing, Routing ALAIN DURAND ICANN

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

The Regional Internet Registries

Introduction to The Internet. ISP/IXP Workshops

Introduction to The Internet

Security of IPv6 and DNSSEC for penetration testers

DNS security: poisoning, attacks and mitigation

Internet Structure and Organization

IPv6 support in the DNS

Law Enforcement and Internet Governance: An Ounce of Prevention Is Worth a Pound of Cure

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

How To Transition To Annia.Org From Aaa To Anora.Org

Deploying DNSSEC: From End-Customer To Content

The Future of the Internet

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

DNSSEC Deployment Activity in Japan - Introduction of DNSSEC Japan - Yoshiki Ishida, Yoshiro Yoneya, Tsuyoshi Toyono, Miki Takata DNSSEC Japan

APNIC IPv6 Deployment

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

Regional Internet Registries. Statistics & Activities. Prepared By APNIC, ARIN, LACNIC, RIPE NCC

How to use the UNIX commands for incident handling. June 12, 2013 Koichiro (Sparky) Komiyama Sam Sasaki JPCERT Coordination Center, Japan

DNS Protocol and Attacks

DNSSEC Applying cryptography to the Domain Name System

What's inside the cloud?!

NET0183 Networks and Communications

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

IPV6 SERVICES DEPLOYMENT

Innovating with the Domain Name System: From Web to Cloud to the Internet of Things

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Measuring IPv6 Deployment. Geoff Huston APNIC December 2009

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

Glossary of Technical Terms Related to IPv6

STATE OF DNS AVAILABILITY REPORT

DNS at NLnet Labs. Matthijs Mekking

Namecoin as alternative to the Domain Name System

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS

DNS traffic analysis -- Issues of IPv6 and CDN --

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS

DOMAIN NAME SECURITY EXTENSIONS

Introduction to Network Operating Systems

An introduction to IANA Presentation Notes

The Domain Name System

Response to Solicitation Number: SA R-P0-016

IPv6 Addressing and Subnetting

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

IPv6Program. Expanding the Internet. The IPv4 to IPv6 transition

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

Network measurement II. Sebastian Castro NZRS 27 th May 2015 Victoria University

Transcription:

Saving the Internet from doom (DNSSEC and IPv6) Sofia, Bulgaria September 2008 Kim Davies Internet Assigned Numbers Authority Internet Corporation for Assigned Names & Numbers

Agenda How do you attack the DNS? How does DNSSEC help this? Work IANA is doing on DNSSEC IPv6 and TLDs

How do you attack the DNS?

A typical DNS query

A typical DNS query aftld.org?

aftld.org? 192.0.2.0 A typical DNS query

The DNS is not secure A computer sends a question to a DNS server, asking a question like What is the IP address for aftld.org? The computer gets an answer, and completely trusts that it is correct. There are multiple ways that traffic on the Internet can be intercepted and rerouted, or impersonated, so that the answer given is false.

Receiving the wrong answer Something in the network between the computer and the server has intercepted or redirected the traffic.

aftld.org? Receiving the wrong answer Something in the network between the computer and the server has intercepted or redirected the traffic.

aftld.org? 6.6.6.0 Receiving the wrong answer Something in the network between the computer and the server has intercepted or redirected the traffic.

Receiving the wrong answer A server on the network responds with the wrong answer, quicker than the correct server can give the right answer.

aftld.org? Receiving the wrong answer A server on the network responds with the wrong answer, quicker than the correct server can give the right answer.

aftld.org? 6.6.6.0 Receiving the wrong answer A server on the network responds with the wrong answer, quicker than the correct server can give the right answer.

aftld.org? 192.0.2.0 6.6.6.0 Receiving the wrong answer A server on the network responds with the wrong answer, quicker than the correct server can give the right answer.

Cache poisoning If the answers are stored in a cache, the wrong answer gets remembered and served to future lookups. This is the typical configuration at ISPs, etc. One successful cache poisoning attack with therefore affect many users.

Cross pollination If the cache is also authoritative for a domain, it can also give the wrong answers for answers within that domain.

What do I do? Short term Do not offer open recursive name servers Definitely do not offer open recursive name servers that are also authorities at the same time Patch recursive name servers for maximum entropy (source port randomisation, etc.) http://recursive.iana.org/ Longer term Introduce security to the DNS...

What DNSSEC provides DNSSEC provides proof that the data has not been modified in transit from the DNS zone publisher (the registry) to the end-user It does this by providing additional information, something like a seal of origin, that can be verified as being correct or not.

aftld.org = centr.org = A DNSSEC secured transaction Check against a known set of signatures, and if there is a match, is a valid answer.

aftld.org? aftld.org = centr.org = A DNSSEC secured transaction Check against a known set of signatures, and if there is a match, is a valid answer.

aftld.org? 192.0.2.0 aftld.org = centr.org = A DNSSEC secured transaction Check against a known set of signatures, and if there is a match, is a valid answer.

aftld.org? 192.0.2.0 aftld.org = centr.org = A DNSSEC secured transaction Check against a known set of signatures, and if there is a match, is a valid answer.

Maintaining a list of signatures for every domain does not scale How could every computer maintain a list of every certificate for every domain it needs to verify? There needs to be a better way...

aftld.org = centr.org = iana.org? 192.0.2.0 Using a chain of trusted certificates

aftld.org = centr.org = root.org = iana.org? 192.0.2.0 Using a chain of trusted certificates

aftld.org = centr.org = root.org = iana.org? 192.0.2.0 Using a chain of trusted certificates

aftld.org = centr.org = root.org = iana.org? 192.0.2.0.org iana.org = Using a chain of trusted certificates

aftld.org = centr.org = root.org = iana.org? 192.0.2.0.org iana.org = Using a chain of trusted certificates

aftld.org = centr.org = root = root.org = iana.org? 192.0.2.0.org iana.org = Using a chain of trusted certificates

aftld.org = centr.org = root = root.org = iana.org? 192.0.2.0.org iana.org = Using a chain of trusted certificates

aftld.org = centr.org = root = root.org = iana.org? 192.0.2.0.org iana.org = Using a chain of trusted certificates

aftld.org = centr.org = root = root.org = iana.org? 192.0.2.0.org iana.org = Using a chain of trusted certificates

The chain of trust By using the hierarchical property of the DNS, you can use DNSSEC to check certificates without knowing the certificate of every single domain Computers can learn certificates by tracing from a trusted key down the DNS delegation chain Of course, this only works if each level of the DNS deploys DNSSEC... For this to work, registries need to keep a list of signatures of its child zones, and publish them in their own signed zone

In summary: To deploy DNSSEC fully, zone managers need to: Sign their zone with a certificate Publish the certificates of their child zones Share their certificate with their parent zone The administration of these is much of the reason why DNSSEC has been difficult to deploy And why signing the root is considered so important it theoretically allows a single signature to verify the whole DNS!

Signing the root

IANA has been asked to sign the root zone Several entities have formally asked ICANN to sign the root zone (RIPE,.SE, APNIC) IANA has been signing the root experimentally for over a year However, as IANA does not directly publish the root, it can not currently make this a production service Working on obtaining permission from USDOC to let us sign the root zone

IPv6

100 50 0 2002 2005 2008 2011 IPv4 Availability Dwindling stocks...

100 50 0 2002 2005 2008 2011 IPv4 Availability Dwindling stocks...

100 50 0 2002 2005 2008 2011 IPv4 Availability Dwindling stocks...

IPv6 in a nutshell 128-bit address space 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses IANA still has lots in reserve

All IPv6 Space ⅛th devoted to Unicast Divided into 512 /12 segments ARIN 1 RIPE NCC 1 AfriNIC 1 LACNIC 1 APNIC 1 Mixed 1 Unallocated 506 IPv6 Availability Approximately 1% of Unicast designated space is allocated to RIRs.

IPv6: the short story IPv4 address space is running out Current estimates, next couple of years IPv6 is the new numbering technology that will provide for growth of IP addressing needs The two numbering technologies are not mutually compatible, you must support IPv6 in addition to IPv4 to be accessible to IPv6 clients.

IPv6 adoption by TLD operators

IPv6 adoption by TLD operators 5 TLDs have 6 IPv6 authorities

IPv6 adoption by TLD operators 5 TLDs have 6 IPv6 authorities 11 TLDs have 5 IPv6 authorities

IPv6 adoption by TLD operators 5 TLDs have 6 IPv6 authorities 11 TLDs have 5 IPv6 authorities 5 TLDs have 4 IPv6 authorities

IPv6 adoption by TLD operators 5 TLDs have 6 IPv6 authorities 11 TLDs have 5 IPv6 authorities 5 TLDs have 4 IPv6 authorities 22 TLDs have 3 IPv6 authorities

IPv6 adoption by TLD operators 5 TLDs have 6 IPv6 authorities 11 TLDs have 5 IPv6 authorities 5 TLDs have 4 IPv6 authorities 22 TLDs have 3 IPv6 authorities 34 TLDs have 2 IPv6 authorities

IPv6 adoption by TLD operators 5 TLDs have 6 IPv6 authorities 11 TLDs have 5 IPv6 authorities 5 TLDs have 4 IPv6 authorities 22 TLDs have 3 IPv6 authorities 34 TLDs have 2 IPv6 authorities 49 TLDs have only 1 IPv6 authorities

IPv6 adoption by TLD operators 5 TLDs have 6 IPv6 authorities 11 TLDs have 5 IPv6 authorities 5 TLDs have 4 IPv6 authorities 22 TLDs have 3 IPv6 authorities 34 TLDs have 2 IPv6 authorities 49 TLDs have only 1 IPv6 authorities Would not meet IANA minimum diversity requirements for production deployment for IPv4

IPv6 adoption by TLD operators 5 TLDs have 6 IPv6 authorities 11 TLDs have 5 IPv6 authorities 5 TLDs have 4 IPv6 authorities 22 TLDs have 3 IPv6 authorities 34 TLDs have 2 IPv6 authorities 49 TLDs have only 1 IPv6 authorities Would not meet IANA minimum diversity requirements for production deployment for IPv4 155 TLDs have no IPv6 authorities at all!

Don t be a hindrance to IPv6 adoption Allow AAAA glue records in your zone Provide your zone over IPv6 transit Encourage registrars to allow AAAA glue records from registrants It is no use if your registry supports it, if your registrars do not. Registry support is bad, registrar support is worse!

Thanks! kim.davies@icann.org

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information