High Level Overview of RPKI & DNSSEC


Published on

Short presentation I made at the Commonwealth Telecommunications Organisation (CTO) Forum about the roots of the lack of trust on the Internet and how RPKI & DNSSEC are keys to regaining that trust.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

High Level Overview of RPKI & DNSSEC

  1. 1. Key pieces of the Cyber Security Puzzle
  2. 2. Scorecard! DNS & Routing ! Overview of the problem!
  3. 3. Exhibit A: The Great YouTube Blackout of ‘08 Mukom Akong T. | @perfexcellence |! Slide 3!
  4. 4. Exhibit A: The Great YouTube Blackout of ‘08 Mukom Akong T. | @perfexcellence |! Slide 4! 1 billion (non)views per day! Date: 24th February 2008 Extent: Two thirds of Internet Damage: Inaccessible for 2 hours
  5. 5. Exhibit B: Great Firewall of China extends abroad Mukom Akong T. | @perfexcellence |! Slide 5!
  6. 6. Exhibit B: Great Firewall of China extends overseas Mukom Akong T. | @perfexcellence |! Slide 6! Date: 24 March 2010 Extent: Some networks in USA & Chile Damage: US & Chilean citizens became subject to the online policies of the Chinese gov’t
  7. 7. Oh God, how did we get here?
  8. 8. Identifying computers on the Internet Mukom Akong T. | @perfexcellence |! Slide 8! 2001:db8:dead::a1d learn.afrinic.net IP addresses are ineffective for human use on a large scale
  9. 9. How this can happen to you ①  You type your bank’s address: www.yourbank.com ②  Your PC asks your ISP’s DNS servers for the matching IP address ③  The DNS server goes through a hierarchy to get the answer: §  Asks the root DNS servers which points it to .com servers §  The .com servers direct it to .yourbank.com DNS server §  The .yourbank.com DNS server sends the answer (an IP address) §  The server passes the response to your PC which makes the connection ④  An attacker can inject a fake answer during any of the above steps ⑤  The response that comes to you §  Is NOT the same IP address of you bank (which you don’t know) §  The website LOOKS exactly like the one you often use ⑥  You type in your credentials, then you get a error e.g. page cannot be displayed ⑦  3 weeks later, you scream: “Where’s my money??!!" Mukom Akong T. | @perfexcellence |! Slide 9!
  10. 10. Identifying organisations on the Internet ☀ Domain name e.g afrinic.net ☀ A block of IP addresses § §  2001:4290::/32 ☀ Autonomous System Number e.g. Mukom Akong T. | @perfexcellence |! Slide 10!
  11. 11. For the Internet to work .. Mukom Akong T. | @perfexcellence |! Slide 11! 2001:db8:dead::a1dlearn.afrinic.net
  12. 12. For the Internet to work .. Mukom Akong T. | @perfexcellence |! Slide 12! How do I send information to the computer with address B?
  13. 13. The Problem: Breakdown of TRUST Mukom Akong T. | @perfexcellence |! Slide 13! I AM … www.google.com www.yourbank.com www.statehouse.gov.ng www.prc.cm www.cto.int www.afrinic.net I AM … 2c0f:face:b00c::/48 65.25.0/24 It is possible to impersonate any entity by name or address
  14. 14. The Problem: Breakdown of TRUST ☀ It is possible for one computer to impersonate another node by name. ☀ There’s no real way of knowing if the answer your computer got to “what is the IP address of www.yourbank.com” is legitimate or not Mukom Akong T. | @perfexcellence |! Slide 14!
  15. 15. The Problem: Breakdown of TRUST ☀ It is possible for one entity (e.g an ISP) to impersonate a whole network by IP address ☀ There’s been no way verify if that entity owns that IP address it’s claiming Mukom Akong T. | @perfexcellence |! Slide 15!
  16. 16. A Fix: Certify & authenticate Internet identity ☀ Sign DNS records ☀ Establish a chain of trust ☀ Establish ‘ownership’ of address space Mukom Akong T. | @perfexcellence |! Slide 16! Digital certificates & public key infrastructure
  17. 17. How DNSSEC solves the problem ①  Digitally sign DNS (name to IP address) records using public keys ②  Establishes a chain of trust where parent domains authenticate child domains ③  Ensures responses have not been tampered with in transit Does NOT provide confidentiality (encryption) Mukom Akong T. | @perfexcellence |! Slide 17!
  18. 18. DNSSEC – What It Solves ☀ Use public keys to authenticate §  The original name to address mapping §  That queries were not tampered with ☀ Prevents impersonation by domain name ☀ Completely backwards compatible with existing DNS infrastructure ☀ It would prevent the extension of the Great Firewall of China outside China Mukom Akong T. | @perfexcellence |! Slide 18!
  19. 19. Bene"ts of DNSSEC ①  The Internet community: Improved security in the zones that are signed. ②  Registrars: Offer domain signing services to their customers. ③  ISPs: Increasing the security of the data returned to their customers. ④  Users: Protection from DNS vulnerabilities such as cache poisoning and man-in-the- middle attacks. Mukom Akong T. | @perfexcellence |! Slide 19!
  20. 20. RPKI – What It Solves ☀ Ties an organization's IP address range(s) to its ASN ☀ Solves the “does this address block belong to this organization” ☀ Blocks impersonation by IP address (number) ☀ RPKI would have prevented the Youtube Blackout of ‘08 Mukom Akong T. | @perfexcellence |! Slide 20!
  21. 21. How RPKI Works ☀ Digitally certify that a resource has been allocated to a specific entity. ☀ Usage rights for resources is proven by digital certificate. ☀ Connect resources (ASNs, IP addresses) to a trust anchor, thus forming a chain of trust. ☀ Control authority to originate a routing announcement by a certificate via ROAs ☀ Certificates are used to verify that a network has the authority to announce a given block of addresses. Mukom Akong T. | @perfexcellence |! Slide 21!
  22. 22. Implications for National Infrastructure ①  Is the ccTLD DNSSEC enabled? ②  Government network ☀ Support DNSSEC on all gov’t networks ☀ Is gov’t IP space RPKI-protected? ③  Key network operators (ideally Everyone) ☀ Secure your names domain with DNSSEC ☀ Secure your number domains with RPKI Because Cyber Crime is an industry that will only grow (to the chagrin of us all) and extend to Cyber War & Terrorism Mukom Akong T. | @perfexcellence |! Slide 22!
  23. 23. Source: http://www.dnssec-deployment.org
  24. 24. Consequences: think of the e#ect ①  We consolidate governance around technology …then the e-gov’t portal is inaccessible due to attack ②  We consolidate education around hosted content and that platform was inaccessible ③  Our bank websites get hijacked Mukom Akong T. | @perfexcellence |! Slide 24!
  25. 25. Our digital way of life is under threat Mukom Akong T. | @perfexcellence |! Slide 25! e-Banking E-Gov’t E-Commerce
  26. 26. The Problem: Breakdown of TRUST
  27. 27. Call to Action Mukom Akong T. | @perfexcellence |! Slide 27! RPKI & DNSSEC are not Silver Bullets but are a core part of the solution. Fix up your own part of this mess! RPKI & DNSSEC on gov’t infrastructure
  28. 28. Na Gode! Thank You ! Sh’kran mukom@afrinic.net | Twitter: @perfexcellent