High Level Overview of RPKI & DNSSEC

Short presentation I made at the Commonwealth Telecommunications Organisation (CTO) Forum about the roots of the lack of trust on the Internet and how RPKI & DNSSEC are keys to regaining that trust.

Transcript

  • 1. Key pieces of the Cyber Security Puzzle
  • 2. Scorecard: DNS & Routing. Overview of the problem
  • 3. Exhibit A: The Great YouTube Blackout of ‘08 Mukom Akong T. | @perfexcellence |! Slide 3!
  • 4. Exhibit A: The Great YouTube Blackout of ‘08
    1 billion (non)views per day
    Date: 24th February 2008
    Extent: Two thirds of Internet
    Damage: Inaccessible for 2 hours
  • 5. Exhibit B: Great Firewall of China extends abroad
  • 6. Exhibit B: Great Firewall of China extends overseas
    Date: 24 March 2010
    Extent: Some networks in USA & Chile
    Damage: US & Chilean citizens became subject to the online policies of the Chinese gov’t
  • 7. Oh God, how did we get here?
  • 8. Identifying computers on the Internet
    192.0.2.1
    2001:db8:dead::a1d
    learn.afrinic.net
    IP addresses are ineffective for human use on a large scale
  • 9. How this can happen to you
    ① You type your bank’s address: www.yourbank.com
    ② Your PC asks your ISP’s DNS servers for the matching IP address
    ③ The DNS server goes through a hierarchy to get the answer:
      § Asks the root DNS servers, which point it to the .com servers
      § The .com servers direct it to the .yourbank.com DNS server
      § The .yourbank.com DNS server sends the answer (an IP address)
      § The server passes the response to your PC, which makes the connection
    ④ An attacker can inject a fake answer during any of the above steps
    ⑤ The response that comes to you
      § Is NOT the IP address of your bank (which you don’t know)
      § The website LOOKS exactly like the one you often use
    ⑥ You type in your credentials, then you get an error, e.g. page cannot be displayed
    ⑦ 3 weeks later, you scream: “Where’s my money??!!"
  • 10. Identifying organisations on the Internet
    ☀ Domain name e.g afrinic.net
    ☀ A block of IP addresses
      § 196.1.0.0/24
      § 2001:4290::/32
    ☀ Autonomous System Number e.g.
  • 11. For the Internet to work .. 2001:db8:dead::a1d learn.afrinic.net
  • 12. For the Internet to work .. How do I send information to the computer with address B?
  • 13. The Problem: Breakdown of TRUST
    I AM … www.google.com www.yourbank.com www.statehouse.gov.ng www.prc.cm www.cto.int www.afrinic.net
    I AM … 2c0f:face:b00c::/48 197.253.0.0/16 65.25.0/24
    It is possible to impersonate any entity by name or address
  • 14. The Problem: Breakdown of TRUST
    ☀ It is possible for one computer to impersonate another node by name.
    ☀ There’s no real way of knowing if the answer your computer got to “what is the IP address of www.yourbank.com” is legitimate or not
  • 15. The Problem: Breakdown of TRUST
    ☀ It is possible for one entity (e.g. an ISP) to impersonate a whole network by IP address
    ☀ There’s been no way to verify if that entity owns the IP address it’s claiming
  • 16. A Fix: Certify & authenticate Internet identity
    ☀ Sign DNS records
    ☀ Establish a chain of trust
    ☀ Establish ‘ownership’ of address space
    Digital certificates & public key infrastructure
  • 17. How DNSSEC solves the problem
    ① Digitally sign DNS (name to IP address) records using public keys
    ② Establishes a chain of trust where parent domains authenticate child domains
    ③ Ensures responses have not been tampered with in transit
    Does NOT provide confidentiality (encryption)
  • 18. DNSSEC – What It Solves
    ☀ Use public keys to authenticate
      § The original name to address mapping
      § That queries were not tampered with
    ☀ Prevents impersonation by domain name
    ☀ Completely backwards compatible with existing DNS infrastructure
    ☀ It would prevent the extension of the Great Firewall of China outside China
  • 19. Benefits of DNSSEC
    ① The Internet community: Improved security in the zones that are signed.
    ② Registrars: Offer domain signing services to their customers.
    ③ ISPs: Increasing the security of the data returned to their customers.
    ④ Users: Protection from DNS vulnerabilities such as cache poisoning and man-in-the-middle attacks.
  • 20. RPKI – What It Solves
    ☀ Ties an organization's IP address range(s) to its ASN
    ☀ Solves the “does this address block belong to this organization” question
    ☀ Blocks impersonation by IP address (number)
    ☀ RPKI would have prevented the YouTube Blackout of ‘08
  • 21. How RPKI Works
    ☀ Digitally certify that a resource has been allocated to a specific entity.
    ☀ Usage rights for resources are proven by digital certificate.
    ☀ Connect resources (ASNs, IP addresses) to a trust anchor, thus forming a chain of trust.
    ☀ Control authority to originate a routing announcement by a certificate via ROAs
    ☀ Certificates are used to verify that a network has the authority to announce a given block of addresses.
  • 22. Implications for National Infrastructure
    ① Is the ccTLD DNSSEC enabled?
    ② Government network
      ☀ Support DNSSEC on all gov’t networks
      ☀ Is gov’t IP space RPKI-protected?
    ③ Key network operators (ideally Everyone)
      ☀ Secure your names domain with DNSSEC
      ☀ Secure your number domains with RPKI
    Because Cyber Crime is an industry that will only grow (to the chagrin of us all) and extend to Cyber War & Terrorism
  • 23. Source: http://www.dnssec-deployment.org
  • 24. Consequences: think of the effect
    ① We consolidate governance around technology … then the e-gov’t portal is inaccessible due to attack
    ② We consolidate education around hosted content and that platform was inaccessible
    ③ Our bank websites get hijacked
  • 25. Our digital way of life is under threat: e-Banking, E-Gov’t, E-Commerce
  • 26. The Problem: Breakdown of TRUST
  • 27. Call to Action
    RPKI & DNSSEC are not Silver Bullets but are a core part of the solution.
    Fix up your own part of this mess!
    RPKI & DNSSEC on gov’t infrastructure
  • 28. Na Gode! Thank You! Sh’kran mukom@afrinic.net | Twitter: @perfexcellent
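
The parent-authenticates-child link from slide 17, as an added example that is not part of the original presentation: a parent zone publishes a DS record holding a hash of the child's key, and a resolver rejects any child key that does not match it. The key bytes are constructed sample values, the zone name is the slide's www.yourbank.com example, and verification of the record signatures themselves is not shown.

```python
import hashlib
import struct


def name_to_wire(name):
    """Encode a domain name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata):
    """DS record the parent zone publishes for a child key (SHA-256, type 2)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "digest_type": 2, "digest": digest}


def child_key_matches_ds(owner, rdata, ds):
    """True only if the key offered by the child zone hashes to the parent's DS."""
    return ds["digest_type"] == 2 and make_ds(owner, rdata) == ds


# Constructed sample keys: 64 placeholder bytes each, algorithm 13
# (ECDSA P-256), flags 257 (key-signing key). Not real key material.
ZONE = "yourbank.com"
GENUINE_KEY = dnskey_rdata(257, 13, bytes(range(64)))
FORGED_KEY = dnskey_rdata(257, 13, bytes(reversed(range(64))))

# The .com parent signs and serves this DS for the real yourbank.com key.
PARENT_DS = make_ds(ZONE, GENUINE_KEY)

if __name__ == "__main__":
    print("genuine key accepted:", child_key_matches_ds(ZONE, GENUINE_KEY, PARENT_DS))
    print("forged key accepted: ", child_key_matches_ds(ZONE, FORGED_KEY, PARENT_DS))
```
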