ARIN Support forDNSSEC and RPKI    ION San Diego  11 December 2012  Pete Toscano, ARIN
2DNS and BGP•  They have been around for a   long time.    •  DNS: 1982    •  BGP: 1989•  They are not very secure.•  Meth...
3DNSSEC•  Domain Name System Security   Extensions•  Took a while to implement --   •  Design work started in 1993 at IETF...
4DNSSEC•  Designed to verify data integrity and   authenticity.•  Does not prevent data snooping.•  Generally, that first ...
5DNSSEC•  DNSSEC is an overlay on top of DNS,   not a replacement.•  Uses public key cryptography and a   chain of trust s...
6DNSSEC•  Adds six new RR types and extension   mechanisms for DNS (EDNS).    •  DNSKEY    •  DS    •  RRSIG    •  NSEC   ...
7DNSSEC•  DNSKEY: The public keys. Either a Key   Signing Key (KSK) or Zone Signing Key   (ZSK).•  DS: Delegation Signer. ...
8DNSSEC•  RRSIG: Resource Record Signature.   Every RRset for each name has a single   RRSIG. There are two exceptions:   ...
9DNSSEC•  NSEC/NSEC3: Next Secure Record /   Next Secure Record version 3.    •  Used to prove the non-existence of a reso...
10DNSSEC• A   simple example of securing a zone.      example.com.       SOA [SOA STUFF]!                         NS   ns!...
11DNSSEC• Throw     in the keys...   example.com.     SOA [SOA STUFF]!                    NS   ns!                    MX  ...
12DNSSEC•  Add the NSEC records so that all gaps are   accounted for...     example.com.          SOA [SOA STUFF]!     exa...
DNSSEC                                             13•  Sign each label’s RRset and update NSECs...   example.com.        ...
DNSSEC                                              14•  Signed delegations. Add DS records and update   NSEC and RRSIGs. ...
15DNSSEC•  What to do with all this extra data?•  Publishing the signed data is only half   the battle.•  The authoritativ...
16DNSSEC•  Response validation involves following   a chain of trust from the trust anchor   to the answer received.•  Typ...
17DNSSEC•  The backbone of the chain of trust is   the DS, DNSKEY, RRSIG interaction.•  Trust travels from the parent zone...
18DNSSEC                  RRSIG!                KSK DNSKEY!                ZSK DNSKEY!  Parent Zone                 RRSIG!...
19DNSSEC•  Once the target child zone is found,   the ZSK is used the verify the   appropriate RRSIG.•  If the question ca...
20DNSSEC•  From a DNS publisher’s point of view,   DNSSEC can greatly expand the size of   zones.•  On average, responses ...
21DNSSEC•  At ARIN, we currently sign our v4 /8s   and v6 /12 and /24s.•  ARIN Online allows members to add   DS records t...
22DNSSEC•  DNSSEC Analyzer:   http://dnssec-analyzer.verisignlabs.com•  DNSViz: http://dnsviz.net•  ldns / Drill:   http:/...
23RPKI
24“The inter-domain routing protocol BGPwas created when the Internetenvironment had not yet reached thepresent, contentio...
25RPKI  This is the basic     problem...   Send	  a	  packet	             to	    209.85.128.100	                          ...
26RPKI  165.135.0.2                                       209.85.128.100                AS100	     AS200	     AS300	  
27RPKI  165.135.0.2                                       209.85.128.100                AS100	     AS200	     AS300	      ...
28RPKI•  April 1997 – AS 7007 announced paths for all   of the internet to themselves.•  Feb. 24, 2008 –Pakistan Telecom a...
29RPKI  165.135.0.2                                            209.85.128.100                AS100	         AS200	      AS...
30RPKI•  Resource Public Key Infrastructure•  RPKI attaches ASNs and IP address   blocks to X.509 v3 certs.•  These resour...
31RPKI                                    IANA!                                                                      Resou...
32                                                                       CertificatesRPKI                                 ...
33                                                                                   Certificates   RPKI                  ...
34                                                                                   Certificates   RPKI                  ...
35RPKI•  Address holders issue Route Origin   Authorizations (ROAs).
36                                                                                   Certificates   RPKI                  ...
37                                                                                    Certificates   RPKI                 ...
38RPKI•  Two RPKI implementation types:    •  Delegated: Each participating node       becomes a CA and runs their own RPK...
39RPKI•  For most participants, running a CA   would be an insurmountable   obstacle to the implementation of   RPKI.•  Th...
40RPKI•  Regardless of the method used,   the RPKI repositories are published.•  TAL: Trust Anchor Locator    •  Points to...
41RPKI•  Reliant third parties would gather all   relevant TALs.•  Get all of the RPKI repos.•  Validate, validate, valida...
42RPKI•  Once we have validated ROAs and   the backing resource hierarchy, what   do we do?
43RPKI•  Once we have validated ROAs and   the backing resource hierarchy, what   do we do?•  Use ROAs to weight BGP path ...
44RPKI  165.135.0.2                                       209.85.128.100                AS100	     AS200	     AS300	      ...
45RPKI  165.135.0.2                                       209.85.128.100                AS100	     AS200	     AS300	  
46RPKI                      “Only AS 300 can originate                      209.85.128.0/24 network                      s...
47RPKI                       “Only AS 300 can originate my                       209.85.128.0/24 network                  ...
48RPKI                       “Only AS 300 can originate my                       209.85.128.0/24 network                  ...
49RPKI•  Border routers use the RPKI with the   RPKI/Router protocol.•  http://tools.ietf.org/html/draft-ietf-   sidr-rpki...
50RPKI•  Offload validation and origin   evaluation to some other box.•  “Valid”, “Invalid”, “Unknown”•  What’s done with ...
51RPKI•  As with DNSSEC, the more buy in, the   better the security.•  Be a good netizen: certify your   resources.•  Even...
52RPKI @ ARIN•  Only hosted model is currently   implemented.•  The delegated model will be   released in the not-too-dist...
53Future of RPKI•  Single TAL.•  Inter-RIR transfers.•  Integrated with a path validation   system.
54Questions
Upcoming SlideShare
Loading in...5
×

ION San Diego - ARIN Support for DNSSEC and RPKI

194

Published on

Pete Toscano's presentation from ION San Diego on 11 December 2012 about ARIN's support for DNSSEC and RPKI.

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
194
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

ION San Diego - ARIN Support for DNSSEC and RPKI

  1. 1. ARIN Support forDNSSEC and RPKI ION San Diego 11 December 2012 Pete Toscano, ARIN
  2. 2. 2DNS and BGP•  They have been around for a long time. •  DNS: 1982 •  BGP: 1989•  They are not very secure.•  Methods for securing them exist.
  3. 3. 3DNSSEC•  Domain Name System Security Extensions•  Took a while to implement -- •  Design work started in 1993 at IETF 28. •  The root zone signed: July 15th, 2010.
  4. 4. 4DNSSEC•  Designed to verify data integrity and authenticity.•  Does not prevent data snooping.•  Generally, that first point outweighs these others.
  5. 5. 5DNSSEC•  DNSSEC is an overlay on top of DNS, not a replacement.•  Uses public key cryptography and a chain of trust similar to X.509 certificates.
  6. 6. 6DNSSEC•  Adds six new RR types and extension mechanisms for DNS (EDNS). •  DNSKEY •  DS •  RRSIG •  NSEC •  NSEC3 •  NSEC3PARM
  7. 7. 7DNSSEC•  DNSKEY: The public keys. Either a Key Signing Key (KSK) or Zone Signing Key (ZSK).•  DS: Delegation Signer. Hashes and identifies the KSK of a signed, delegated child zone.
  8. 8. 8DNSSEC•  RRSIG: Resource Record Signature. Every RRset for each name has a single RRSIG. There are two exceptions: •  NS records at delegation points. •  Glue records.•  DNSKEY RRSIGs are signed by the KSK, all others by ZSK.
  9. 9. 9DNSSEC•  NSEC/NSEC3: Next Secure Record / Next Secure Record version 3. •  Used to prove the non-existence of a resource record.
  10. 10. 10DNSSEC• A simple example of securing a zone. example.com. SOA [SOA STUFF]! NS ns! MX 10 mail! mail A 128.66.0.100! AAAA 2001:db8::100! ns A 128.66.0.10! AAAA 2001:db8::10! sub NS ns.sub! ns.sub A 128.66.10.10! AAAA 2001:db8:10::10! !
  11. 11. 11DNSSEC• Throw in the keys... example.com. SOA [SOA STUFF]! NS ns! MX 10 mail! DNSKEY 256 [DNSKEY STUFF]; ZSK! DNSKEY 257 [DNSKEY STUFF]; KSK! mail A 128.66.0.100! AAAA 2001:db8::100! ns A 128.66.0.10! AAAA 2001:db8::10! sub NS ns.sub! ns.sub A 128.66.10.10! AAAA 2001:db8:10::10!
  12. 12. 12DNSSEC•  Add the NSEC records so that all gaps are accounted for... example.com. SOA [SOA STUFF]! example.com. NS ns! example.com. MX 10 mail! example.com. DNSKEY 256 [DNSKEY STUFF]; ZSK! example.com. DNSKEY 257 [DNSKEY STUFF]; KSK! example.com. NSEC mail.example.com. SOA NS MX DNSKEY NSEC! mail.example.com. A 128.66.0.100! mail.example.com. AAAA 2001:db8::100! mail.example.com. NSEC ns.example.com. A AAAA NSEC! ns.example.com. A 128.66.0.10! ns.example.com. AAAA 2001:db8::10! ns.example.com. NSEC sub.example.com. A AAAA NSEC! sub.example.com. NS ns.sub! sub.example.com. NSEC example.com. NS NSEC! ns.sub.example.com. A 128.66.10.10! ns.sub.example.com. AAAA 2001:db8:10::10!• NSEC doesn’t do glue.• Zone enumeration? That’s where NSEC3 comes in.
  13. 13. DNSSEC 13•  Sign each label’s RRset and update NSECs... example.com. SOA [SOA STUFF]! example.com. RRSIG SOA [RRSIG STUFF]! example.com. NS ns! example.com. RRSIG NS [RRSIG STUFF]! example.com. MX 10 mail! example.com. RRSIG MX [RRSIG STUFF]! example.com. DNSKEY 256 [DNSKEY STUFF]; ZSK! example.com. DNSKEY 257 [DNSKEY STUFF]; KSK! example.com. RRSIG DNSKEY [RRSIG STUFF]! example.com. NSEC mail.example.com. SOA NS MX DNSKEY NSEC RRSIG! example.com. RRSIG NSEC [RRSIG STUFF]! mail.example.com. A 128.66.0.100! mail.example.com. RRSIG A [RRSIG STUFF]! mail.example.com. AAAA 2001:db8::100! mail.example.com. RRSIG AAAA [RRSIG STUFF]! mail.example.com. NSEC ns.example.com. A AAAA NSEC RRSIG! mail.example.com. RRSIG NSEC [RRSIG STUFF]! ns.example.com. A 128.66.0.10! ns.example.com. RRSIG A [RRSIG STUFF]! ns.example.com. AAAA 2001:db8::10! ns.example.com. RRSIG AAAA [RRSIGSTUFF]! ns.example.com. NSEC sub.example.com. A AAAA NSEC RRSIG! ns.example.com. RRSIG NSEC [RRSIG STUFF]! sub.example.com. NS ns.sub! sub.example.com. NSEC example.com. NS NSEC RRSIG! sub.example.com. RRSIG NSEC [RRSIG STUFF]! ns.sub.example.com. A 128.66.10.10! ns.sub.example.com. AAAA 2001:db8:10::10!
  14. 14. DNSSEC 14•  Signed delegations. Add DS records and update NSEC and RRSIGs. example.com. SOA [SOA STUFF]! example.com. RRSIG SOA [RRSIG STUFF]! example.com. NS ns! example.com. RRSIG NS [RRSIG STUFF]! example.com. MX 10 mail! example.com. RRSIG MX [RRSIG STUFF]! example.com. DNSKEY 256 [DNSKEY STUFF]; ZSK! example.com. DNSKEY 257 [DNSKEY STUFF]; KSK! example.com. RRSIG DNSKEY [RRSIG STUFF]! example.com. NSEC mail.example.com. SOA NS MX DNSKEY NSEC RRSIG! example.com. RRSIG NSEC [RRSIG STUFF]! mail.example.com. A 128.66.0.100! mail.example.com. RRSIG A [RRSIG STUFF]! mail.example.com. AAAA 2001:db8::100! mail.example.com. RRSIG AAAA [RRSIG STUFF]! mail.example.com. NSEC ns.example.com. A AAAA NSEC RRSIG! mail.example.com. RRSIG NSEC [RRSIG STUFF]! ns.example.com. A 128.66.0.10! ns.example.com. RRSIG A [RRSIG STUFF]! ns.example.com. AAAA 2001:db8::10! ns.example.com. RRSIG AAAA [RRSIG STUFF]! ns.example.com. NSEC sub.example.com. A AAAA NSEC RRSIG! ns.example.com. RRSIG NSEC [RRSIG STUFF]! sub.example.com. NS ns.sub! sub.example.com. DS [Hash of sub’s KSK]! sub.example.com. RRSIG DS [RRSIG STUFF]! sub.example.com. NSEC example.com. NS DS NSEC RRSIG! sub.example.com. RRSIG NSEC [RRSIG STUFF]! ns.sub.example.com. A 128.66.10.10! ns.sub.example.com. AAAA 2001:db8:10::10!
  15. 15. 15DNSSEC•  What to do with all this extra data?•  Publishing the signed data is only half the battle.•  The authoritative DNS responses need to be validated.
  16. 16. 16DNSSEC•  Response validation involves following a chain of trust from the trust anchor to the answer received.•  Typically, the root zone’s KSK == Trust Anchor
  17. 17. 17DNSSEC•  The backbone of the chain of trust is the DS, DNSKEY, RRSIG interaction.•  Trust travels from the parent zone down to the child zone. Repeat until the target zone is found.•  Start at the trust anchor’s zone.
  18. 18. 18DNSSEC RRSIG! KSK DNSKEY! ZSK DNSKEY! Parent Zone RRSIG! ...! DS! RRSIG! KSK DNSKEY! Child Zone ZSK DNSKEY! RRSIG! ...! DS!
  19. 19. 19DNSSEC•  Once the target child zone is found, the ZSK is used the verify the appropriate RRSIG.•  If the question cannot be answered, the ZSK can be used to verify the appropriate NSEC/NSEC3 RRSIG.•  If the answer can’t be verified, then NXDOMAIN status is returned.
  20. 20. 20DNSSEC•  From a DNS publisher’s point of view, DNSSEC can greatly expand the size of zones.•  On average, responses are larger.•  Management of the keys can be tricky.•  Protects the data, not the headers.•  Does nothing to protect the stub resolver to recursive resolver communication.
  21. 21. 21DNSSEC•  At ARIN, we currently sign our v4 /8s and v6 /12 and /24s.•  ARIN Online allows members to add DS records to the zones their resources are delegated from.
  22. 22. 22DNSSEC•  DNSSEC Analyzer: http://dnssec-analyzer.verisignlabs.com•  DNSViz: http://dnsviz.net•  ldns / Drill: http://www.nlnetlabs.nl/projects/ldns/•  DNSSEC Validator: http://www.dnssec-validator.cz/ (FF Plugin)•  Other Tools: https://www.dnssec-deployment.org/wiki/ index.php/Tools_and_Resources
  23. 23. 23RPKI
  24. 24. 24“The inter-domain routing protocol BGPwas created when the Internetenvironment had not yet reached thepresent, contentious state.Consequently, the BGP design did notinclude protections against deliberateor accidental errors that could causedisruptions of routing behavior.”• Intro to RFC 4272 “BGP Security VulnerabilitiesAnalysis” January 2006
  25. 25. 25RPKI This is the basic problem... Send  a  packet   to   209.85.128.100   I  have   209.85.128.0/17  
  26. 26. 26RPKI 165.135.0.2 209.85.128.100 AS100   AS200   AS300  
  27. 27. 27RPKI 165.135.0.2 209.85.128.100 AS100   AS200   AS300   AS666   209.85.128.100
  28. 28. 28RPKI•  April 1997 – AS 7007 announced paths for all of the internet to themselves.•  Feb. 24, 2008 –Pakistan Telecom announced a part of YouTube’s address blocks.•  April 2010 - China Telecom mis-originated about 15% of Internet address blocks affecting I-root.•  Nov. 2012 – Google was unavailable some places via route leak from Moratel.
  29. 29. 29RPKI 165.135.0.2 209.85.128.100 AS100   AS200   AS300   Phase 1: Origin Validation (requires RPKI) Phase 2: Path Validation (still in draft phase)
  30. 30. 30RPKI•  Resource Public Key Infrastructure•  RPKI attaches ASNs and IP address blocks to X.509 v3 certs.•  These resource certs are signed by the resource parent.
  31. 31. 31RPKI IANA! Resource Allocation Hierarchy AFRINIC! APNIC! ARIN! LACNIC! RIPE NCC! ISP 1! ISP 2! ISP 4! ISP 3! ISP! ISP! ISP!
  32. 32. 32 CertificatesRPKI IANA! issued to match allocations. AFRINIC! APNIC! ARIN! LACNIC! RIPE NCC! Issuer: ARIN! Subject: ARIN! Resources: 192.0.0.0/8! ISP 1! ISP 2! ISP 4! Key Info: <arin-key-pub>! Signed: <arin-key-priv>! ISP 3! ISP! ISP! ISP!
  33. 33. 33 Certificates RPKI IANA! issued to match allocations. AFRINIC! APNIC! ARIN! LACNIC! RIPE NCC!Issuer: ARIN! Issuer: ARIN!Subject: ISP1! Subject: ARIN!Resources: 192.2.0.0/16! Resources: 192.0.0.0/8!Key Info: <isp1-key-pub>! ISP 1! ISP 2! ISP 4! Key Info: <arin-key-pub>!Signed: <arin-key-priv>! Signed: <arin-key-priv>! ISP 3! ISP! ISP! ISP!
  34. 34. 34 Certificates RPKI IANA! issued to match allocations. AFRINIC! APNIC! ARIN! LACNIC! RIPE NCC!Issuer: ARIN! Issuer: ARIN!Subject: ISP1! Subject: ARIN!Resources: 192.2.0.0/16! Resources: 192.0.0.0/8!Key Info: <isp1-key-pub>! ISP 1! ISP 2! ISP 4! Key Info: <arin-key-pub>!Signed: <arin-key-priv>! Signed: <arin-key-priv>!Issuer: ISP1!Subject: ISP3!Resources: 192.2.200.0/24!Key Info: <isp3-key-pub>!Signed: <isp1-key-priv>! ISP 3! ISP! ISP! ISP!
  35. 35. 35RPKI•  Address holders issue Route Origin Authorizations (ROAs).
  36. 36. 36 Certificates RPKI IANA! issued to match allocations. AFRINIC! APNIC! ARIN! LACNIC! RIPE NCC!Issuer: ARIN! Issuer: ARIN!Subject: ISP1! Subject: ARIN!Resources: 192.2.0.0/16! Resources: 192.0.0.0/8!Key Info: <isp1-key-pub>! ISP 1! ISP 2! ISP 4! Key Info: <arin-key-pub>!Signed: <arin-key-priv>! Signed: <arin-key-priv>!Issuer: ISP1!Subject: ISP3!Resources: 192.2.200.0/24!Key Info: <isp3-key-pub>!Signed: <isp1-key-priv>! ISP 3! ISP! ISP! ISP!
  37. 37. 37 Certificates RPKI IANA! issued to match allocations. AFRINIC! APNIC! ARIN! LACNIC! RIPE NCC!Issuer: ARIN! Issuer: ARIN!Subject: ISP1! Subject: ARIN!Resources: 192.2.0.0/16! Resources: 192.0.0.0/8!Key Info: <isp1-key-pub>! ISP 1! ISP 2! ISP 4! Key Info: <arin-key-pub>!Signed: <arin-key-priv>! Signed: <arin-key-priv>!Issuer: ISP1!Subject: ISP3!Resources: 192.2.200.0/24!Key Info: <isp3-key-pub>!Signed: <isp1-key-priv>! ISP 3! ISP! ISP! ISP!Issuer: ISP3! ROA: “ISP 3 permits ASN 123 to originate itsSubject: ISP3-EE! 192.2.200.0/24 network space.”!Resources: 192.2.200.0/24! !Key Info: <isp3EE-key-pub>! !Signed: <isp3-key-priv>! ß Attached! Signed, <isp3EE-key-priv>! !
  38. 38. 38RPKI•  Two RPKI implementation types: •  Delegated: Each participating node becomes a CA and runs their own RPKI repository, delegated to by the parent CA. •  Hosted: The RIR runs the CA functionality for interested participants.
  39. 39. 39RPKI•  For most participants, running a CA would be an insurmountable obstacle to the implementation of RPKI.•  This is why the hosted option exists.
  40. 40. 40RPKI•  Regardless of the method used, the RPKI repositories are published.•  TAL: Trust Anchor Locator •  Points to the rsync entry point of that repo. •  Includes that repo’s public key.
  41. 41. 41RPKI•  Reliant third parties would gather all relevant TALs.•  Get all of the RPKI repos.•  Validate, validate, validate.
  42. 42. 42RPKI•  Once we have validated ROAs and the backing resource hierarchy, what do we do?
  43. 43. 43RPKI•  Once we have validated ROAs and the backing resource hierarchy, what do we do?•  Use ROAs to weight BGP path announcements as they’re received.
  44. 44. 44RPKI 165.135.0.2 209.85.128.100 AS100   AS200   AS300   AS666   209.85.128.100
  45. 45. 45RPKI 165.135.0.2 209.85.128.100 AS100   AS200   AS300  
  46. 46. 46RPKI “Only AS 300 can originate 209.85.128.0/24 network space.”! 165.135.0.2 209.85.128.100 AS100   AS200   AS300  
  47. 47. 47RPKI “Only AS 300 can originate my 209.85.128.0/24 network space.”! 165.135.0.2 209.85.128.100 AS100   AS200   AS300   AS666   209.85.128.100
  48. 48. 48RPKI “Only AS 300 can originate my 209.85.128.0/24 network space.”! 165.135.0.2 209.85.128.100 AS100   AS200   AS300   AS666   209.85.128.100
  49. 49. 49RPKI•  Border routers use the RPKI with the RPKI/Router protocol.•  http://tools.ietf.org/html/draft-ietf- sidr-rpki-rtr•  Implemented on Cisco IOS and Quagga. JunOS recently added.
  50. 50. 50RPKI•  Offload validation and origin evaluation to some other box.•  “Valid”, “Invalid”, “Unknown”•  What’s done with these values is up to the local policy.
  51. 51. 51RPKI•  As with DNSSEC, the more buy in, the better the security.•  Be a good netizen: certify your resources.•  Even better: publish ROAs.•  Be the best happy shiny: validate route origins as support allows.
  52. 52. 52RPKI @ ARIN•  Only hosted model is currently implemented.•  The delegated model will be released in the not-too-distant future.•  Non-repudiation requirement.•  Third parties need to sign a RPA before getting the TAL.
  53. 53. 53Future of RPKI•  Single TAL.•  Inter-RIR transfers.•  Integrated with a path validation system.
  54. 54. 54Questions
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×