• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
DNSSEC and VoIP: Who are you really calling?
 

DNSSEC and VoIP: Who are you really calling?

on

  • 1,258 views

Who are you really calling? When we we use VoIP systems, how can we be sure we are talking to the correct people? Particularly as we increasingly move communications to IP? In this presentation at ...

Who are you really calling? When we we use VoIP systems, how can we be sure we are talking to the correct people? Particularly as we increasingly move communications to IP? In this presentation at SIPNOC 2013, Dan York introduced the ideas around DNSSEC and DANE and asked questions around how these might potentially be used to add an additionally layer of security for VoIP.

For more info, see:
http://www.internetsociety.org/deploy360/dnssec/

Statistics

Views

Total Views
1,258
Views on SlideShare
1,069
Embed Views
189

Actions

Likes
2
Downloads
16
Comments
0

3 Embeds 189

http://www.internetsociety.org 134
https://twitter.com 46
http://danyork.me 9

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    DNSSEC and VoIP: Who are you really calling? DNSSEC and VoIP: Who are you really calling? Presentation Transcript

    • www.internetsociety.org/deploy360/Who Are You Really Calling?How DNSSEC Can HelpSIPNOC 2013April 25, 2013Dan YorkInternet Society
    • www.internetsociety.org/deploy360/When Alice Goes To Register Her SIP Client…… how does her UA know the IP address of the registrar/proxy server?
    • www.internetsociety.org/deploy360/When Alice Goes To Register Her SIP Client…… how does her UA know the IP address of the registrar/proxy server?•  DNS SRV record based on her account domain name•  Manual configuration of the domain name of her SIP proxyDNS•  How does she know her UA is connecting to the correct server?
    • www.internetsociety.org/deploy360/When Alice Calls Bob…… how does her SIP proxy know the SIP proxy to sendthe INVITE for Bob?
    • www.internetsociety.org/deploy360/When Alice Calls Bob…… how does her SIP proxy know the SIP proxy to sendthe INVITE for Bob?•  DNS SRV record based on Bobs domain name•  ENUM lookupDNS•  How does her SIP proxy know it is connecting to the correct SIPproxy for Bob?
    • www.internetsociety.org/deploy360/Maybe not a problem for an individual…… but what if Alice is calling her bank and it uses an IVRon the front end?… and what if an attacker duplicated that IVR andredirects Alice to that system instead?"Please enter your 16 digit credit card number…"As we think about the transition to IP, how do we ensurepeople are connecting to the correct endpoints?
    • www.internetsociety.org/deploy360/A Brief Tour of DNS and DNSSEC
    • www.internetsociety.org/deploy360/What Problem Is DNSSEC Trying To Solve?DNSSEC = "DNS Security Extensions"•  Defined in RFCs 4033, 4034, 4035•  Operational Practices: RFC 6781Ensures that the information entered into DNS by thedomain name holder is the SAME informationretrieved from DNS by an end user.Lets walk through an example to explain…
    • www.internetsociety.org/deploy360/A Normal DNS InteractionWebServerWebBrowserhttps://example.com/web pageDNSResolverexample.com?123410.1.1.123Resolver checks its local cache. If it has theanswer, it sends it back.example.com 10.1.1.123If not…
    • www.internetsociety.org/deploy360/A Normal DNS InteractionWebServerWebBrowserhttps://example.com/web pageDNSResolver10.1.1.1231256DNS Svrexample.comDNS Svr.comDNS Svrroot310.1.1.1234example.comNS.comNSexample.com?
    • www.internetsociety.org/deploy360/•  First result received by a DNS resolver is treated asthe correct answer.•  Opportunity is there for an attacker to be the first oneto get an answer to the DNS resolver, either by:•  Getting to the correct point in the network to provide faster responses;•  Blocking the responses from the legitimate servers (ex. executing aDenial of Service attack against the legitimate servers to slow theirresponses)DNS Works On Speed
    • www.internetsociety.org/deploy360/Attacking DNSWebServerWebBrowserhttps://example.com/web pageDNSResolver10.1.1.1231256DNS Svrexample.comDNS Svr.comDNS Svrroot3192.168.2.24AttackingDNS Svrexample.com192.168.2.2example.comNS.comNSexample.com?
    • www.internetsociety.org/deploy360/The Bigger Impact: A Poisoned CacheWebServerWebBrowserhttps://example.com/web pageDNSResolver1234192.168.2.2Resolver cache now has wrong data:example.com 192.168.2.2This stays in the cache until theTime-To-Live (TTL) expires!example.com?
    • www.internetsociety.org/deploy360/How Does DNSSEC Help?•  DNSSEC introduces new DNS records for a domain:•  RRSIG – a signature ("hash") of a set of DNS records•  DNSKEY – a public key that a resolver can use to validate RRSIG•  A DNSSEC-validating DNS resolver:•  Uses DNSKEY to perform a hash calculation on received DNS records•  Compares result with RRSIG records. If results match, records are thesame as those transmitted. If the results do NOT match, they werepotentially changed during the travel from the DNS server.4/25/13
    • www.internetsociety.org/deploy360/A DNSSEC InteractionWebServerWebBrowserhttps://example.com/web pageDNSResolver10.1.1.123DNSKEYRRSIGs1256DNS Svrexample.comDNS Svr.comDNS Svrroot310.1.1.1234example.com?
    • www.internetsociety.org/deploy360/But Can DNSSEC Be Spoofed?•  But why cant an attacker simply insert DNSKEY andRRSIG records? What prevents DNSSEC from beingspoofed?•  An additional was introduced, the "Delegation Signer(DS)" record•  It is a fingerprint of the DNSKEY record that is sent to theparent zone for each domain (and this happens for eachdomain up to the root)•  Provides a global "chain of trust" from the root of DNSdown to the domain•  Attackers would have to compromise the registry4/25/13
    • www.internetsociety.org/deploy360/A DNSSEC InteractionWebServerWebBrowserhttps://example.com/web pageDNSResolver10.1.1.123DNSKEYRRSIGs1256DNS Svrexample.comDNS Svr.comDNS Svrroot310.1.1.1234example.comNSDS.comNSDSexample.com?
    • www.internetsociety.org/deploy360/The Global Chain of TrustWebServerWebBrowserhttps://example.com/web pageDNSResolver10.1.1.123DNSKEYRRSIGs1256DNS Svrexample.comDNS Svr.comDNS Svrroot310.1.1.1234example.comNSDS.comNSDSexample.com?
    • www.internetsociety.org/deploy360/Attempting to Spoof DNSWebServerWebBrowserhttps://example.com/web pageDNSResolver10.1.1.123DNSKEYRRSIGs1256DNS Svrexample.comDNS Svr.comDNS Svrroot3AttackingDNS Svrexample.com192.168.2.2DNSKEYRRSIGsexample.comNSDS.comNSDSexample.com?
    • www.internetsociety.org/deploy360/Attempting to Spoof DNSWebServerWebBrowserhttps://example.com/web pageDNSResolver10.1.1.123DNSKEYRRSIGs1256DNS Svrexample.comDNS Svr.comDNS Svrroot3SERVFAIL4AttackingDNS Svrexample.com192.168.2.2DNSKEYRRSIGsexample.comNSDS.comNSDSexample.com?
    • www.internetsociety.org/deploy360/What DNSSEC Proves:•  "These ARE the IP addresses you are looking for."(or they are not)•  Ensures that information entered into DNS by the domainname holder (or the operator of the DNS hosting servicefor the domain) is the SAME information that is receivedby the end user.•  Adds a "trust layer" to DNS4/25/13
    • www.internetsociety.org/deploy360/The Two Parts of DNSSECSigning ValidatingISPsEnterprisesApplicationsDNS HostingRegistrarsRegistries
    • www.internetsociety.org/deploy360/DNSSEC Validation•  Fairly simple – just enable DNSSEC validation in your DNScaching resolver•  DNS resolver will return a SERVFAIL if there is a validation error. User will notreceive any results•  Question is more where does DNSSEC validation occur?•  ISPs DNS resolvers•  Local network DNS resolver•  Local computer (i.e. operating system)•  Application(answer is that it could occur in any of the locations)4/25/13
    • www.internetsociety.org/deploy360/DNSSEC Signing - The Individual StepsRegistryRegistrarDNS Hosting ProviderDomain NameRegistrant•  Signs TLD•  Accepts DS records•  Publishes/signs records•  Accepts DS records•  Sends DS to registry•  Provides UI for mgmt•  Signs zones•  Publishes all records•  Provides UI for mgmt•  Enables DNSSEC(unless automatic)
    • www.internetsociety.org/deploy360/Signing Can Be Simple
    • www.internetsociety.org/deploy360/DNSSEC and VoIP
    • www.internetsociety.org/deploy360/So How Could We Use This With VoIP?•  Be able to trust SRV records?•  Ensure that we are connecting to the correctaddresses?•  Build DNSSEC validation into SIP user agents?•  Build DNSSEC validation into SIP servers?
    • www.internetsociety.org/deploy360/Example: Jitsi softphone•  www.jitsi.org•  Includes DNSSECresolver•  Generates warningmessage withDNSSEC failures•  Currently works innightly builds ofJitsi 2.1
    • www.internetsociety.org/deploy360/Example: Kamailio SIP Server•  New DNSSEC module•  Tutorial:http://www.kamailio.org/wiki/tutorials/dns/dnssec
    • www.internetsociety.org/deploy360/What else could we do with this?How can we make VoIP more trusted?
    • www.internetsociety.org/deploy360/DNSSEC and Certificates
    • www.internetsociety.org/deploy360/Why Do I Need DNSSEC If I Have SSL?•  A common question: why do I need DNSSEC if I alreadyhave a SSL certificate? (or an "EV-SSL" certificate?)•  SSL (more formerly known today as Transport LayerSecurity (TLS)) solves a different issue – it providesencryption and protection of the communication betweenthe browser and the web server
    • www.internetsociety.org/deploy360/The Typical TLS (SSL) Web InteractionWebServerWebBrowserhttps://example.com/TLS-encryptedweb pageDNSResolverexample.com?10.1.1.1231256DNS Svrexample.comDNS Svr.comDNS Svrroot310.1.1.1234
    • www.internetsociety.org/deploy360/The Typical TLS (SSL) Web InteractionWebServerWebBrowserhttps://example.com/TLS-encryptedweb pageDNSResolver10.1.1.1231256DNS Svrexample.comDNS Svr.comDNS Svrroot310.1.1.1234Is this encryptedwith theCORRECTcertificate?example.com?
    • www.internetsociety.org/deploy360/What About This?WebServerWebBrowserhttps://www.example.com/TLS-encrypted web pagewith CORRECT certificateDNSServerwww.example.com?1.2.3.412Firewall(orattacker)https://www.example.com/TLS-encrypted web pagewith NEW certificate(re-signed by firewall)
    • www.internetsociety.org/deploy360/Problems?WebServerWebBrowserhttps://www.example.com/TLS-encrypted web pagewith CORRECT certificateDNSServerwww.example.com?1.2.3.412Firewallhttps://www.example.com/TLS-encrypted web pagewith NEW certificate(re-signed by firewall)
    • www.internetsociety.org/deploy360/Problems?WebServerWebBrowserhttps://www.example.com/TLS-encrypted web pagewith CORRECT certificateDNSServerwww.example.com?1.2.3.412Firewallhttps://www.example.com/TLS-encrypted web pagewith NEW certificate(re-signed by firewall)Log filesor otherserversPotentially includingpersonal information
    • www.internetsociety.org/deploy360/IssuesA Certificate Authority (CA) can sign ANY domain.Now over 1,500 CAs – there have been compromiseswhere valid certs were issued for domains.Middle-boxes such as firewalls can re-sign sessions.
    • www.internetsociety.org/deploy360/A Powerful Combination•  TLS = encryption + limited integrity protection•  DNSSEC = strong integrity protection•  How to get encryption + strong integrity protection?•  TLS + DNSSEC = DANE4/25/13
    • www.internetsociety.org/deploy360/DNS-Based Authentication of Named Entities(DANE)•  Q: How do you know if the TLS (SSL) certificate is thecorrect one the site wants you to use?•  A: Store the certificate (or fingerprint) in DNS (new TLSArecord) and sign them with DNSSEC.A browser that understand DNSSEC and DANE will thenknow when the required certificate is NOT being used.Certificate stored in DNS is controlled by the domainname holder. It could be•  a certificate signed by a CA (including an EV cert)•  a self-signed certificate
    • www.internetsociety.org/deploy360/DANEWebServerWebBrowserw/DANEhttps://example.com/TLS-encrypted web pagewith CORRECT certificateDNSServer10.1.1.123DNSKEYRRSIGsTLSA12Firewall(orattacker)https://example.com/TLS-encrypted web pagewith NEW certificate(re-signed by firewall)Log filesor otherserversDANE-equipped browsercompares TLS certificatewith what DNS / DNSSECsays it should be.example.com?
    • www.internetsociety.org/deploy360/DANE – Not Just For The Web•  DANE defines protocol for storing TLS certificates in DNS•  Securing Web transactions is the obvious use case•  Other uses also possible:•  Email via S/MIME•  VoIP•  Jabber/XMPP•  ?4/25/13
    • www.internetsociety.org/deploy360/What could we do with a global PKI?How could we use DANE to distributecertificates to SIP endpointsor servers?
    • www.internetsociety.org/deploy360/How Do We Get DANE Deployed?Developers:•  Add DANE support into applications (see list of libraries)•  Note: VoIP developers dont need to wait for browser vendors!DNS Hosting Providers:•  Provide a way that customers can enter a “TLSA” record into DNSas defined in RFC 6698 ( http://tools.ietf.org/html/rfc6698 )•  This will start getting TLS certificates into DNS so that whenbrowsers support DANE they will be able to do so.Network Operators / Enterprises / Governments:•  Start talking about need for DANE•  Express desire for DANE to app vendors (especially browsers)
    • www.internetsociety.org/deploy360/Getting DNSSEC Deployed
    • www.internetsociety.org/deploy360/DNSSEC Deployment Status – Signing Side•  All major generic TLDs signed (.com, .org, .net … )•  105 TLDs (of 317) signed as of April 25, 2013:•  http://stats.research.icann.org/dns/tld_report/•  DNSSEC is mandatory for the 1,930 proposed newgTLDs•  Tools have become greatly automated•  Developer libraries now support DNSSEC•  Struggling a bit with registrar support:•  http://www.icann.org/en/news/in-focus/dnssec/deployment4/25/13
    • www.internetsociety.org/deploy360/DNSSEC Deployment Status
    • www.internetsociety.org/deploy360/DNSSEC Deployment Status – Validation SideDNSSEC validation is easily enabled for major DNSresolvers:•  BIND 9.x•  Unbound•  Microsoft Windows Server 2012See SURFnet white paper:•  http://www.surfnet.nl/Documents/rapport_Deploying_DNSSEC_v20.pdfLarge-scale deployments:•  Comcast deployed DNSSEC validation to their 18 million customers•  Most ISPs in Sweden, Czech Republic, Netherlands, Brazil•  Googles Public DNS (8.8.8.8, 8.8.4.4 and IPv6 versions) now supportDNSSEC if requested (and will move to full validation)
    • www.internetsociety.org/deploy360/Three Requests For Network Operators (ISPs)1.  Deploy DNSSEC-validating DNS resolvers2.  Sign your own domains where possible3.  Help promote support of DANE protocol•  Allow usage of TLSA record. Let browser vendors and others know youwant to use DANE. Help raise awareness of how DANE and DNSSECcan make the Internet more secure.
    • www.internetsociety.org/deploy360/Three Requests For Website/Content Owners1.  Sign your domains•  Work with your registrar and/or DNS hosting provider to make thishappen.2.  Ask your IT team or network operator about DNSSECvalidation3.  Help promote support of DANE protocol•  Let browser vendors and others know you want to use DANE. If you useSSL, deploy a TLSA record if you are able to do so. Help raiseawareness of how DANE and DNSSEC can make the Internet moresecure.
    • www.internetsociety.org/deploy360/3 More Requests For SIP Network Operators1.  Think about how and where DNSSEC and DANEcould be potentially used2.  Experiment with the early implementations like Jitsiand Kamailio3.  Share the ideas…•  Directly with me ( york@isoc.org ) or via email lists, online forums, etc.•  http://www.internetsociety.org/deploy360/dnssec/community/(or lets make a new place for DNSSEC and VoIP)
    • www.internetsociety.org/deploy360/DNSSEC ResourcesDeploy360 Programme:•  www.internetsociety.org/deploy360/dnssec/DNSSEC Deployment Initiative:•  www.dnssec-deployment.org/DNSSEC Tools:•  www.dnssec-tools.org/DNSSEC and VoIP:•  www.internetsociety.org/deploy360/resources/dnssec-voip/
    • www.internetsociety.org/deploy360/DANE ResourcesDANE Overview and Resources:•  http://www.internetsociety.org/deploy360/resources/dane/IETF Journal article explaining DANE:•  http://bit.ly/dane-dnssecRFC 6394 - DANE Use Cases:•  http://tools.ietf.org/html/rfc6394RFC 6698 – DANE Protocol:•  http://tools.ietf.org/html/rfc6698
    • www.internetsociety.org/deploy360/york@isoc.orgwww.internetsociety.org/deploy360/Dan York, CISSPSenior Content Strategist, Internet SocietyThank You!