11. DNSSEC Behavior
Diagram labels: DNSKEY root; DS .taipei; DNSKEY .taipei; DS 101.taipei; DNSKEY 101.taipei
Zones: root; TLD: .taipei; SLD: .101.taipei
Actors: User (stub resolver); ISP (recursive resolver)
1. User makes request for a .taipei domain
2. ISP resolver verifies the root’s DS key
3. Root points the ISP to the .taipei TLD and gives the ISP the .taipei DS key
4. ISP verifies .taipei’s DS key
5. .taipei points the ISP to the 101.taipei SLD and gives the ISP the 101.taipei DS key
6. ISP verifies 101.taipei’s SLD DS key
7. Requested SLD information is retrieved and sent back to ISP
8. ISP sends SLD information back to user
9. User accesses trusted 101.taipei domain
S2
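An added example (not from the original slides) of the DS-to-DNSKEY check behind steps 3 to 6 of slide 11: each parent zone publishes a SHA-256 digest of the child's DNSKEY (RFC 4034, RFC 4509), and the resolver recomputes it before trusting the child. The keys are constructed sample bytes, the function names are hypothetical, the root key is assumed to be already trusted, and RRSIG signature verification is not covered.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical lowercase wire-format owner name ('.' is the root)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2) | protocol (1, always 3) | algorithm (1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields the parent publishes: key tag, algorithm, digest type 2, SHA-256."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

# Constructed sample keys, not real zone keys (flags 257 = KSK, algorithm 13).
KEYS = {
    "taipei.": dnskey_rdata(257, 13, bytes(range(64))),
    "101.taipei.": dnskey_rdata(257, 13, bytes(range(64, 128))),
}
# DS records each parent serves: root holds DS .taipei, .taipei holds DS 101.taipei.
PARENT_DS = {owner: make_ds(owner, rdata) for owner, rdata in KEYS.items()}

def validate_chain(served_keys: dict) -> list:
    """Walk root -> .taipei -> 101.taipei and stop at the first broken link."""
    results = []
    for owner in ("taipei.", "101.taipei."):
        ok = PARENT_DS[owner] == make_ds(owner, served_keys[owner])
        results.append((owner, ok))
        if not ok:
            break  # a resolver must not trust anything below a failed link
    return results

if __name__ == "__main__":
    print(validate_chain(KEYS))
    forged = dict(KEYS)
    forged["taipei."] = dnskey_rdata(257, 13, b"\x00" * 64)  # substituted key
    print(validate_chain(forged))
```

A DNSKEY that does not hash to the DS held by the parent ends validation at that zone, so a substituted .taipei key also prevents 101.taipei from being accepted.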
12. DNSSEC Deployment Updated
Root Zone
795 TLDs in the root zone in total
622 TLDs are signed;
615 TLDs have trust anchors published as DS records in the root zone;
6 TLDs have trust anchors published in the ISC DLV Repository.
(ICANN, 16 Jan 2015)
(Eggert, Jan 2015)
13. DNSSEC: Internet Governance and Security Implication
root (.)
RFC 2826 Unique DNS Root
From “de facto model” to “de jure model”
Inconsistent Cyber Security: Security is as strong as the weakest link
22. gTLD Public Interests
Diagram labels:
Registrar
Registration System
New gTLD Registry
DNS Resolver
Registrant users
Domain name registration
Shared Registration System
Registration Policy
Reserved names
IDN variants
DNS Resource Records
DN expire; delete data
Financial information
Registrant information
DNS Server
delegation
DRP
Registration Policy
Public interests
Eligibility
Service Quality
S3
(Kenny Huang, 2015)
23. Government Digital Portfolio
Diagram labels:
Allocatable Names
Prohibited Names
New gTLD applications
GAC Early Warning
Objections
Government Operated Registry
Public-Private Partnership Registry
Government Endorsement
Government Cyberspace Digital Portfolio
Defensive Strategy
Acquisition Strategy
(Kenny Huang, 2015)
24.
Economy: Innovation & Open markets
Protecting Networks: Security, Reliability & Resiliency
Law Enforcement: Collaboration & Rule of Law
Military: Preparing Security Challenges
Internet Governance: Effective & Inclusive Structure
International Development: Build Capacity, Security & Prosperity
Internet Freedom: Supporting Freedoms & Privacy
(USG, 2010)
25. CIIP vs. gTLD: Critical Information Infrastructure Protection
OECD
Information components supporting the critical infrastructure
Information infrastructure supporting essential components of government business
Information infrastructure essential to the national economy
US
Systems and assets, whether physical or virtual, so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
CIIP
Critical information infrastructure protection
Focuses on protection of IT systems and assets: telecommunication, computers/software, Internet, satellite, submarine cable system
Ensures confidentiality, integrity, and availability
Required 24x7 (365 days)
Part of the daily modern economy and the existence of any country
gTLD as CIIP
gTLD registry should be classified as CII.
Registry’s facilities should be in compliance with CIIP requirements
26. DDoS Amplification Attack to a gTLD Registry
Diagram labels: Spoofed source IP DNS; technical compliance protocols; Amplification Attack; Firewall/Defense System; gTLD Registry
S1: BIND rate limit
S2: buy transit
S3: rules/policing
Challenges
S1: out of victim’s control
S2: port speed may not be upgradable accordingly
S3: (1) capacity and performance; (2) design new algorithm for new patterns instantly (DNSSEC: destination validation)
It will be a severe disaster when the gTLD and sub-domains are unresolvable
(Kenny Huang, 2014)
27. Potential gTLD CIIP Activities
Assisting government to better understand gTLD registry operation
Issuing important recommendations to government
Developing gTLD registry good practices
Assisting telecom regulatory authority in implementing incident reporting
Facilitating the dialogue among the public and private stakeholders on emerging CIIP issues
Contributing to national policy and strategic initiatives
Offering training and seminars to government on the area of its competence, e.g., contingency planning, incident reporting
gTLD CIIP Activities
28. ETSI Lawful Intercept Model
Diagram labels: administration function; IRI mediation function; content mediation function; Network Internal Functions
NWO/AP/SvP Domain: network operator / access provider / service provider
LEMF: Law Enforcement Monitoring Facility
IRI: intercept related information
CC: content of communication
INI: internal network interface
IIF: internal interception function
HI: handover interface
HI1: administrative information
HI2: intercept related information
HI3: content of communication
(ETSI)
29. Lawful Interception for LEA SOC
Diagram labels: MD; LEA SOC; AAA server; Access Router; WWW content; RADIUS; Internet
ETSI TS 102 232-3
RADIUS name; Circuit ID; User ID; IP address, etc.