Why SLD Blocking Misses the Point Burt Kaliski, Verisign gTLD Collisions Workshop October 29, 2013.


2 Name Collision Problem for DNS Queries
Diagram: Installed System sends query ….SLD.TLD to Global DNS without TLD; NXDOMAIN expected.
See Verisign Labs' technical reports New gTLD Security and Stability Considerations and New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis for further information.

3 Name Collision Problem for DNS Queries
Diagram: Installed System sends query ….SLD.TLD to Global DNS with TLD; resource record received (if SLD delegated).
Internally Generated Query collides with Externally Assigned Name.
Potential Risks: Installed System Breaks; Internal Information Leaks (beyond root); Cyberattacks Exploit Collision.

4 Mitigating Name Collisions: General Approaches
Diagram: Installed System sends query ….SLD.TLD to Global DNS with TLD; resource record received (if SLD delegated).
Internally Generated Query collides with Externally Assigned Name.
Potential Risks: Installed System Breaks; Internal Information Leaks (beyond root); Cyberattacks Exploit Collision.
(1) Remediate Installed System
(2) Constrain Global DNS
(3) Hybrid of Both

5 How to Constrain the Global DNS?
If we knew how all the installed systems used the global DNS …
If we knew all the queries they might make …
If we knew all the SLDs they might use ...

6 How Long Does It Take to Learn All the SLDs?
A- and J-root data for 96-day period from July 16 to October 19, (Excludes non-LDH, “Chrome 10” strings.)
Still growing after 90+ days …
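The measurement behind this slide can be reproduced on any resolver or root query log. The following is an added example, not part of the presentation: it counts cumulative distinct SLDs under one TLD and reports how many later queries a block list frozen at a cutoff day would miss. The TLD `newtld`, the function names and the sample log are hypothetical and constructed; only the non-LDH exclusion from the slide is applied, not the "Chrome 10" filter.

```python
import re

# LDH label: letters, digits, hyphen; no leading or trailing hyphen.
LDH = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def sld_of(qname, tld):
    """Return the second-level label of qname under tld, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return None
    sld = labels[-2]
    return sld if LDH.match(sld) else None   # drop non-LDH strings

def cumulative_slds(log, tld):
    """log: (day_number, qname) pairs -> [(day, distinct SLDs seen so far)]."""
    seen, per_day = set(), {}
    for day, qname in sorted(log):
        sld = sld_of(qname, tld)
        if sld:
            seen.add(sld)
        per_day[day] = len(seen)
    return sorted(per_day.items())

def blocklist_miss_rate(log, tld, cutoff):
    """Fraction of in-TLD queries after `cutoff` whose SLD was never
    observed on or before `cutoff` (so a frozen block list lacks it)."""
    block = {s for d, q in log if d <= cutoff and (s := sld_of(q, tld))}
    later = [s for d, q in log if d > cutoff and (s := sld_of(q, tld))]
    if not later:
        return 0.0
    return sum(s not in block for s in later) / len(later)

# Constructed sample: day number within a 96-day window, queried name.
LOG = [
    (1, "mail.hq.newtld"), (1, "wpad.hq.newtld"),
    (2, "fs1.lab.newtld"), (2, "under_score.newtld"),  # non-LDH, excluded
    (40, "hq.newtld"),
    (75, "intranet.branch7.newtld"), (80, "mail.hq.newtld"),
    (96, "db.payroll.newtld"), (96, "www.other.com"),  # other TLD, ignored
]

if __name__ == "__main__":
    for day, count in cumulative_slds(LOG, "newtld"):
        print(f"day {day:3d}: {count} distinct SLDs")
    print("miss rate after day 40:", blocklist_miss_rate(LOG, "newtld", 40))
```

A curve that is still rising at the end of the window, or a non-zero miss rate, is the condition the slide describes: the list of SLDs to block is not yet complete.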

7 Does It Even Matter?
SLD ≠ Risk
Query = Risk in context of installed system, application, protocol
Qualitative Analysis; minimize false negatives & positives; solve problem

8 What If It’s Not Enough?
If SLD blocking for a gTLD leaves too much risk, how do we back out?
Expedited approval process needs an expedited rollback process

9 For Further Reading
New gTLD Security and Stability Considerations. Verisign Labs Technical Report # Version 2.2, March 28, 2013.
New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis. Verisign Labs Technical Report # Version 1.1, August 27, 2013.
Danny McPherson. Part 1 of 5; Introduction: New gTLD Security and Stability Considerations. Between the Dots, Verisign, May 9, 2013.
Danny McPherson. New gTLD SSR-2: Exploratory Consumer Impact Analysis. Between the Dots, Verisign, August 6, 2013.
Danny McPherson. New gTLD Queries at the Root & Heisenberg’s Uncertainty Principle. Between the Dots, Verisign, August 27, 2013.
Patrick S. Kane, Thomas C. Indelicarto and Danny McPherson. Re: ICANN’s Proposal to Mitigate Name Collision Risks – .CBA Case Study. September 15,
Patrick S. Kane. Letter to Vernita D. Harris re: Joint Test Summary Report, RZM 2.0. May 30, 2013.

Thank You © 2013 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.