Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman

Published byJayson Harper Modified over 8 years ago

Similar presentations

Presentation on theme: "ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman"— Presentation transcript:

1

2 ISOC.NL SIP http://www.nlnetlabs.nl/ © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman olaf@nlnetlabs.nl

3 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 2 NLnet Labs DNSSEC evangelist of the day NLnet Labs –Not for profit Open Source Software lab Developed NSD –DNS and DNSSEC research Protocol and software development Deployment engineering Active IETF participant –co-chair of the IETF DNSEXT working group –member of the Internet Architecture Board –RFC3757 and RFC4061

4 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 3 NLnet Labs Outline purpose and protocol Current Developments/problem areas –And the case for hand waving for ENUM Deployment

5 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 4 NLnet Labs Bourtange, source Wikipedia

6 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 5 NLnet Labs Why DNSSEC Defense layers –Multiple defense rings in physical secured systems –Multiple ‘layers’ in the networking world DNS infrastructure –Providing DNSSEC to raise the barrier for DNS based attacks –Provides a security ‘ring’ around many systems and applications

7 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 6 NLnet Labs The Problem DNS data published by the registry is being replaced on its path between the “server” and the “client”. This can happen in multiple places in the DNS architecture –Some places are more vulnerable to attacks then others –Vulnerabilities in DNS software make attacks easier (and there will always be software vulnerabilities)

8 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 7 NLnet Labs ISP DNS service DNS Provider DNS Architecture Registry DB primary secondary Cache server Registrars/ Registrants client DNS ProtocolProvisioning secondary

9 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 8 NLnet Labs DNS Architecture Registry DB Server compromise Registrars Registrants DNS ProtocolProvisioning Inter-server communication Cache Poisoning

10 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 9 NLnet Labs voip2voip as an example SIP Server voip call: +31 20 222 0650 Sip Server Slide courtesy: Patrik Fältsröm SIP negotiation and call setup VOIP Query: 0.5.6.0.2.2.2.0.2.3.1.e164.arpa DNS Server SIP URI

11 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 10 NLnet Labs voip2voip as an example SIP Server DNS Server voip call: +31 20 222 0650 Sip Server Slide courtesy: Patrik Fältsröm Query: 0.5.6.0.2.2.2.0.2.3.1.e164.arpa VOIP Spoofed DNS SIP Proxy

12 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 11 NLnet Labs Where Does DNSSEC Come In? DNSSEC secures the name to resource record mapping –Transport and Application security are just other layers SIP itself allows for certificates –sip:olaf@goodsip.example –But ENUM obfuscates the URI: x.x.x.1.3.e164.arpa  olaf@badsip.example badsip.example certificate is cheap

13 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 12 NLnet Labs Solution a Metaphor Compare DNSSEC to a sealed transparent envelope. The seal is applied by whoever closes the envelope Anybody can read the message The seal is applied to the envelope, not to the message

14 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 13 NLnet Labs DNSSEC protection Registry DB Registrars Registrants DNS ProtocolProvisioning ‘envelope sealed’‘Seal checked’

15 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 14 NLnet Labs DNSSE does not protect provisioning Registry DB Registrars Registrants Provisioning

16 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 15 NLnet Labs DNSSEC hyper summary Data authenticity and integrity by signing the Resource Records Sets with private key Public DNSKEYs used to verify the RRSIGs Children sign their zones with their private key –Authenticity of that key established by signature/checksum by the parent (DS) Ideal case: one public DNSKEY distributed

17 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 16 NLnet Labs DNSSEC secondary benefits DNSSEC provides an “independent” trust path –The person administering “https” is most probably a different from person from the one that does “DNSSEC” –The chains of trust are most probably different –See acmqueue.org article: “Is Hierarchical Public-Key Certification the Next Target for Hackers?”

18 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 17 NLnet Labs More benefits? With reasonable confidence perform opportunistic key exchanges –SSHFP and IPSECKEY Resource Records With DNSSEC one could use the DNS for a priori negotiation of security requirements. –“You can only access this service over a secure channel” DNSSEC is an enabling technology

19 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 18 NLnet Labs DNSSEC properties DNSSEC provides message authentication and integrity verification through cryptographic signatures –Authentic DNS source –No modifications between signing and validation It does not provide authorization It does not provide confidentiality It does not provide protection against DDOS

20 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 19 NLnet Labs Outline purpose and protocol Current Developments/problem areas Deployment

21 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 20 NLnet Labs Main Problem Areas “the last mile” Key management and key distribution NSEC walk improvement

22 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 21 NLnet Labs The last mile ` APP STUB How to get validation results back to the user The user may want to make different decisions based on the validation result –Not secured –Time out –Crypto failure –Query failure From the recursive resolver to the stub resolver to the Application validating

23 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 22 NLnet Labs For ENUM For ENUM, trusted channel between SIP Server and the validating recursive nameserver. –Can be deployed today

24 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 23 NLnet Labs Problem Area ` APP STUB Key Management Keys need to propagate from the signer to the validating entity The validating entity will need to “trust” the key to “trust” the signature. Possibly many islands of security signing validating

25 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 24 NLnet Labs Secure Islands and key management net. money.net. kids.net. geerthe corp dev market dilbert unixmac marnick nt os.net. com..

26 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 25 NLnet Labs For ENUM: e164.arpa needs to be signed –Probably sooner than the root Rollover still applies –Protocol to assist with rollover is in last stages of IETF process

27 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 26 NLnet Labs NSEC walk The record for proving the non- existence of data allows for zone enumeration Providing privacy was not a requirement for DNSSEC Zone enumeration does provide a deployment barrier

28 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 27 NLnet Labs But, for ENUM Walking is a non-issue (as it is trivial) –DNS properties allow to walk the tree efficiently Technical detail: Difference between RCODEs Easy to find out where the tree stops and where it has depth

29 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 28 NLnet Labs Preventing NSEC walk Current Work Online creation and signing of NSEC RRs that cover the query name –RFC4470 and RFC4471 NSEC3 –Hashed based denial of existence –draft-ietf-dnsext-nsec3 Working group finished: IETF Last Call in a couple of weeks Implementations exist.

30 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 29 NLnet Labs Outline purpose and protocol Current Developments/problem areas Deployment

31 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 30 NLnet Labs Common arguments against DNSSEC is to complex to deploy –The weapon with which to shoot oneself in the foot is not a pop-gun but a military grade full automatic The root will never get signed There is no economy to push deployment Cache poisoning can be mitigated by correctly implementing random query ports and proper query ID The specification is still a moving target

32 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 31 NLnet Labs What’s keeping folk New technology; chicken and egg Zone walking possibility –Is this really an issue in your environment? Automated key rollover and distribution Solutions for both are in the final stages of standardization

33 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 32 NLnet Labs Concluding remarks DNSSEC is not a magic bullet but will become an important component –Through providing the DNSSEC infrastructure one enables apps and resolver to innovate. ENUM has a strong use case –Responsibility for the registries to provide protective means U.S. Federal requirement –Federal agencies will need to support DNSSEC –http://www.dnssec- deployment.org/news/FISMA.htmhttp://www.dnssec- deployment.org/news/FISMA.htm

34 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 33 NLnet Labs

35 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 34 NLnet Labs QUESTIONS? Acknowledgements: A number of these slides are based on earlier work at RIPE NCC.

36 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 35 NLnet Labs References I Without claims to completeness… RFCs can be found at http://www.ietf.org/rfc/http://www.ietf.org/rfc/ Internet drafts are at http://www.ietf.org/internet- drafts/http://www.ietf.org/internet- drafts/ DNSSEC bis: –RFC4033,4034,4035 Authenticated denial: –Online signing: RFC4470, RFC4471 –NSEC3: draft-ietf-dnsext-dnssec-nsec3

37 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 36 NLnet Labs Rerferences II Key Anchor maintenance DLV: IEICE Trans. Commun. Vol. E88- B, No. 4, April 2005 Trustancor maintenance (standards track): –draft-ietf-dnsext-trustupdate-threshold Old proposals: –draft-ietf-dnesxt-trustupdate-timers –draft-moreau-dnsext-takrem-dns –draft-laurie-dnssec-key-distribution

38 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 37 NLnet Labs References III Operational RFC4641 RIPE 352 –http://www.ripe.net/ripe/docs/ripe-352.htmlhttp://www.ripe.net/ripe/docs/ripe-352.html DNSSEC HOWTO –http://www.nlnetlabs.nl/dnssec_howto/http://www.nlnetlabs.nl/dnssec_howto/ draft-hayatnagarkar-dnsext-validator-api Geoff Hustons experiences –ispcolumn.isoc.org or www.potaroo.net

39 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 38 NLnet Labs References IV Websites www.dnssec-deployment.org www.dnssec.net RIPE DNSSEC deployment (keymanagement tools etc) –www.ripe.net/disi/www.ripe.net/disi/ DNSSEC testbed and testing tools developed by NIST –http://www-x.antd.nist.gov/dnssec/http://www-x.antd.nist.gov/dnssec/ DNSSEC tools available at –http://www.dnssec-tools.org/http://www.dnssec-tools.org/

40 ISOC.NL SIPhttp://www.nlnetlabs.nl/ page 39 NLnet Labs References V Deployment Initiatives http://dnssec.nic.se/ http://www.dnssec.ru/ https://www.ripe.net/rs/reverse/dnssec/

Download ppt "ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman"

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Similar presentations

Ads by Google