ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman


Page 2: NLnet Labs, DNSSEC evangelist of the day
NLnet Labs
– Not-for-profit open source software lab; developed NSD
– DNS and DNSSEC research: protocol and software development, deployment engineering
– Active IETF participant: co-chair of the IETF DNSEXT working group, member of the Internet Architecture Board, RFC3757 and RFC4061

Page 3: Outline
– Purpose and protocol
– Current developments / problem areas, and the case for hand waving for ENUM
– Deployment

Page 4: Bourtange (picture, source: Wikipedia)

Page 5: Why DNSSEC
Defense layers
– Multiple defense rings in physically secured systems
– Multiple ‘layers’ in the networking world
DNS infrastructure
– Providing DNSSEC raises the barrier for DNS-based attacks
– Provides a security ‘ring’ around many systems and applications

Page 6: The Problem
DNS data published by the registry is being replaced on its path between the “server” and the “client”. This can happen in multiple places in the DNS architecture.
– Some places are more vulnerable to attacks than others
– Vulnerabilities in DNS software make attacks easier (and there will always be software vulnerabilities)

Page 7: DNS Architecture (diagram). Provisioning side: Registrars/Registrants feed the Registry DB, which loads the primary. DNS protocol side: primary, secondaries (DNS provider), cache server (ISP DNS service), client.

Page 8: DNS Architecture, where things go wrong (diagram). Provisioning side (Registrars, Registrants, Registry DB): server compromise. DNS protocol side: inter-server communication between primary and secondaries, and cache poisoning at the cache server.

Page 9: voip2voip as an example (diagram, slide courtesy Patrik Fältström). A VoIP call: the caller's SIP server sends a query for the number under e164.arpa to the DNS server, receives a SIP URI back, and then performs SIP negotiation and call setup with the callee's SIP server.

Page 10: voip2voip as an example, with spoofed DNS (diagram, slide courtesy Patrik Fältström). The same VoIP call, but the e164.arpa answer from the DNS server is spoofed, so the returned SIP URI points the caller's SIP server at a SIP proxy that was not the intended destination.

Page 11: Where Does DNSSEC Come In?
DNSSEC secures the name to resource record mapping
– Transport and application security are just other layers
SIP itself allows for certificates
– But ENUM obfuscates the URI: x.x.x.1.3.e164.arpa -> badsip.example; a certificate is cheap
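The ENUM lookup that pages 9 to 11 describe, as an added example that is not part of the original deck: the E.164 number is reversed into an owner name under e164.arpa, and the NAPTR regexp field found at that name rewrites the number into the SIP URI the call is set up with. The sample number, the NAPTR table and example.net are constructed values.

```python
import re

ENUM_SUFFIX = "e164.arpa"

def e164_to_enum(number: str) -> str:
    """Map an E.164 number to its ENUM owner name (RFC 3761 section 2.4):
    keep the digits, reverse them, dot-separate, append e164.arpa."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in number")
    return ".".join(reversed(digits)) + "." + ENUM_SUFFIX + "."

def enum_to_e164(name: str) -> str:
    """Inverse mapping: the owner name only obscures the number, it does not hide it."""
    suffix = "." + ENUM_SUFFIX + "."
    if not name.lower().endswith(suffix):
        raise ValueError("not an ENUM owner name")
    return "+" + "".join(reversed(name[:-len(suffix)].split(".")))

def apply_naptr_regexp(number: str, regexp: str) -> str:
    """Apply a NAPTR regexp field of the form '!ere!repl!flags' (RFC 3402) to the number."""
    if len(regexp) < 3:
        raise ValueError("malformed NAPTR regexp field")
    delim = regexp[0]
    parts = regexp[1:].split(delim)           # ere, replacement, flags
    if len(parts) != 3:
        raise ValueError("malformed NAPTR regexp field")
    ere, repl, flags = parts
    m = re.match(ere, number, re.IGNORECASE if "i" in flags else 0)
    if m is None:
        raise ValueError("NAPTR regexp does not match the number")
    # Substitute \1..\9 in the replacement with the captured groups
    return re.sub(r"\\([1-9])", lambda g: m.group(int(g.group(1))) or "", repl)

# Constructed sample zone data: owner name -> NAPTR regexp field.
# This mapping is exactly the DNS data DNSSEC would sign; a spoofed answer
# changes the URI without the caller seeing anything different.
SAMPLE_NAPTR = {
    "7.6.5.4.3.2.1.0.2.1.3.e164.arpa.": r"!^\+31(.*)$!sip:\1@example.net!",
}

def resolve_sip_uri(number: str, naptr_table=SAMPLE_NAPTR) -> str:
    """Full ENUM chain: number -> owner name -> NAPTR regexp -> SIP URI."""
    canonical = "+" + re.sub(r"\D", "", number)
    owner = e164_to_enum(canonical)
    if owner not in naptr_table:
        raise LookupError("no NAPTR record at " + owner)
    return apply_naptr_regexp(canonical, naptr_table[owner])
```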

Page 12: Solution, a Metaphor
Compare DNSSEC to a sealed transparent envelope.
– The seal is applied by whoever closes the envelope
– Anybody can read the message
– The seal is applied to the envelope, not to the message

Page 13: DNSSEC protection (diagram). On the DNS protocol side the ‘envelope is sealed’ where the Registry DB data is published and the ‘seal is checked’ on the receiving side; the provisioning side (Registrars, Registrants, Registry DB) is shown separately.

Page 14: DNSSEC does not protect provisioning (diagram: Registrars and Registrants provisioning the Registry DB).

Page 15: DNSSEC hyper summary
– Data authenticity and integrity by signing the Resource Record Sets with a private key
– Public DNSKEYs are used to verify the RRSIGs
– Children sign their zones with their private key; authenticity of that key is established by a signature/checksum by the parent (DS)
– Ideal case: one public DNSKEY distributed

Page 16: DNSSEC secondary benefits
DNSSEC provides an “independent” trust path
– The person administering “https” is most probably a different person from the one that does “DNSSEC”
– The chains of trust are most probably different
– See acmqueue.org article: “Is Hierarchical Public-Key Certification the Next Target for Hackers?”

Page 17: More benefits?
With reasonable confidence perform opportunistic key exchanges
– SSHFP and IPSECKEY Resource Records
With DNSSEC one could use the DNS for a priori negotiation of security requirements
– “You can only access this service over a secure channel”
DNSSEC is an enabling technology

Page 18: DNSSEC properties
DNSSEC provides message authentication and integrity verification through cryptographic signatures
– Authentic DNS source
– No modifications between signing and validation
It does not provide authorization
It does not provide confidentiality
It does not provide protection against DDoS

Page 19: Outline (Current developments / problem areas)

Page 20: Main Problem Areas
– “The last mile”
– Key management and key distribution
– NSEC walk improvement

Page 21: The last mile (diagram: validating recursive resolver, STUB resolver, APP)
How to get validation results back to the user: from the validating recursive resolver to the stub resolver to the application
The user may want to make different decisions based on the validation result
– Not secured
– Time out
– Crypto failure
– Query failure

Page 22: For ENUM
For ENUM, a trusted channel between the SIP server and the validating recursive name server
– Can be deployed today
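A stub-side classification of what a validating recursive resolver reports, as an added example that is not part of the original deck: it maps the response header to the outcomes listed on page 21 and uses a retry with the CD bit set to tell a crypto failure from a plain query failure. The header-only responses are constructed samples; as page 22 says, the AD bit is only meaningful when the channel to the validating resolver is trusted.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2.3)
FLAG_QR, FLAG_AD, FLAG_CD = 0x8000, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

def parse_header(msg: bytes) -> dict:
    """Unpack the 12-byte DNS header into id, flags, rcode and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": flags, "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def validation_state(response, cd_response=None) -> str:
    """Classify the answer of a validating resolver for the application.
    response:    answer to the normal query (DO set, CD clear), None on time out.
    cd_response: optional answer to the same query with CD set; data that only
                 comes back with checking disabled means the signatures failed.
    Returns one of: secure, insecure, bogus, failure, timeout."""
    if response is None:
        return "timeout"
    h = parse_header(response)
    if not h["flags"] & FLAG_QR:
        raise ValueError("not a response")
    if h["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        # AD set: the resolver validated every RRset (and every denial) it returned
        return "secure" if h["flags"] & FLAG_AD else "insecure"
    if h["rcode"] == RCODE_SERVFAIL and cd_response is not None:
        hc = parse_header(cd_response)
        if hc["id"] == h["id"] and hc["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
            return "bogus"
    return "failure"

def make_response(ident: int, flags: int, rcode: int, ancount: int = 0) -> bytes:
    """Build a constructed header-only response (no question or answer sections)."""
    return struct.pack("!6H", ident, FLAG_QR | flags | (rcode & 0xF), 1, ancount, 0, 0)
```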

Page 23: Problem Area: Key Management (diagram: signing on the authoritative side, validating at the recursive resolver, STUB, APP)
– Keys need to propagate from the signer to the validating entity
– The validating entity will need to “trust” the key to “trust” the signature
– Possibly many islands of security

Page 24: Secure Islands and key management (diagram of a name tree with separately secured islands: net., money.net., kids.net., os.net., com., and the subzones geerthe, corp, dev, market, dilbert, unix, mac, marnick, nt)

Page 25: For ENUM
e164.arpa needs to be signed
– Probably sooner than the root
Rollover still applies
– Protocol to assist with rollover is in the last stages of the IETF process

Page 26: NSEC walk
– The record for proving the non-existence of data allows for zone enumeration
– Providing privacy was not a requirement for DNSSEC
– Zone enumeration does provide a deployment barrier

Page 27: But, for ENUM
Walking is a non-issue (as it is trivial)
– DNS properties allow the tree to be walked efficiently
– Technical detail: the difference between RCODEs makes it easy to find out where the tree stops and where it has depth

Page 28: Preventing NSEC walk, Current Work
Online creation and signing of NSEC RRs that cover the query name
– RFC4470 and RFC4471
NSEC3
– Hash-based denial of existence
– draft-ietf-dnsext-nsec3
– Working group finished: IETF Last Call in a couple of weeks
– Implementations exist

Page 29: Outline (Deployment)

Page 30: Common arguments against
– DNSSEC is too complex to deploy: the weapon with which to shoot oneself in the foot is not a pop-gun but a military grade fully automatic
– The root will never get signed
– There is no economy to push deployment
– Cache poisoning can be mitigated by correctly implementing random query ports and proper query IDs
– The specification is still a moving target

Page 31: What’s keeping folk
– New technology; chicken and egg
– Zone walking possibility: is this really an issue in your environment?
– Automated key rollover and distribution
Solutions for both are in the final stages of standardization

Page 32: Concluding remarks
DNSSEC is not a magic bullet but will become an important component
– Through providing the DNSSEC infrastructure one enables apps and resolvers to innovate
ENUM has a strong use case
– Responsibility for the registries to provide protective means
U.S. Federal requirement
– Federal agencies will need to support DNSSEC (deployment.org/news/FISMA.htm)

Page 34: QUESTIONS?
Acknowledgements: A number of these slides are based on earlier work at RIPE NCC.

Page 35: References I
Without claims to completeness…
RFCs can be found at …; Internet drafts are at …drafts/
DNSSEC bis:
– RFC4033, RFC4034, RFC4035
Authenticated denial:
– Online signing: RFC4470, RFC4471
– NSEC3: draft-ietf-dnsext-dnssec-nsec3

Page 36: References II
Key anchor maintenance
– DLV: IEICE Trans. Commun. Vol. E88-B, No. 4, April 2005
Trust anchor maintenance (standards track):
– draft-ietf-dnsext-trustupdate-threshold
Old proposals:
– draft-ietf-dnsext-trustupdate-timers
– draft-moreau-dnsext-takrem-dns
– draft-laurie-dnssec-key-distribution

Page 37: References III
Operational
– RFC4641
– RIPE 352: DNSSEC HOWTO
– draft-hayatnagarkar-dnsext-validator-api
– Geoff Huston’s experiences: ispcolumn.isoc.org or …

Page 38: References IV
Websites
– RIPE DNSSEC deployment (key management tools etc.)
– DNSSEC testbed and testing tools developed by NIST
– DNSSEC tools available at …

Page 39: References V
Deployment Initiatives