Short presentation I made at the Commonwealth Telecommunications Organisation (CTO) Forum about the roots of the lack of trust on the Internet and how RPKI & DNSSEC are keys to regaining that trust.
3. Exhibit A: The Great YouTube Blackout of '08
Mukom Akong T. | @perfexcellence | Slide 3
1 billion (non)views per day!
Date: 24th February 2008
Extent: Two thirds of the Internet
Damage: Inaccessible for 2 hours
5. Exhibit B: Great Firewall of China extends abroad
Date: 24 March 2010
Extent: Some networks in USA & Chile
Damage: US & Chilean citizens became subject to the online policies of the Chinese gov't
8. Identifying computers on the Internet
192.0.2.1
2001:db8:dead::a1d
learn.afrinic.net
IP addresses are ineffective for human use on a large scale
9. How this can happen to you
1. You type your bank's address: www.yourbank.com
2. Your PC asks your ISP's DNS servers for the matching IP address
3. The DNS server goes through a hierarchy to get the answer:
   - Asks the root DNS servers, which point it to the .com servers
   - The .com servers direct it to the yourbank.com DNS server
   - The yourbank.com DNS server sends the answer (an IP address)
   - The server passes the response to your PC, which makes the connection
4. An attacker can inject a fake answer during any of the above steps
5. The response that comes to you
   - Is NOT the same IP address as your bank's (which you don't know)
   - The website LOOKS exactly like the one you often use
6. You type in your credentials, then you get an error, e.g. "page cannot be displayed"
7. 3 weeks later, you scream: "Where's my money??!!"
10. Identifying organisations on the Internet
- Domain name, e.g. afrinic.net
- A block of IP addresses, e.g.
  - 196.1.0.0/24
  - 2001:4290::/32
- Autonomous System Number, e.g.
11. For the Internet to work ..
How do I send information to the computer with address B?
13. The Problem: Breakdown of TRUST
I AM …
www.google.com
www.yourbank.com
www.statehouse.gov.ng
www.prc.cm
www.cto.int
www.afrinic.net
I AM …
2c0f:face:b00c::/48
197.253.0.0/16
65.25.0/24
It is possible to impersonate any entity by name or address
14. The Problem: Breakdown of TRUST
- It is possible for one computer to impersonate another node by name.
- There's no real way of knowing if the answer your computer got to "what is the IP address of www.yourbank.com" is legitimate or not
15. The Problem: Breakdown of TRUST
- It is possible for one entity (e.g. an ISP) to impersonate a whole network by IP address
- There's been no way to verify if that entity owns the IP address it's claiming
16. A Fix: Certify & authenticate Internet identity
- Sign DNS records
- Establish a chain of trust
- Establish "ownership" of address space
Digital certificates & public key infrastructure
17. How DNSSEC solves the problem
1. Digitally sign DNS (name to IP address) records using public keys
2. Establishes a chain of trust where parent domains authenticate child domains
3. Ensures responses have not been tampered with in transit
Does NOT provide confidentiality (encryption)
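A small model of the chain of trust just described and of the injected answer from slide 9, added here as an example and not taken from the presentation. Three zones (root, com., yourbank.com.) sign with Ed25519 (DNSSEC algorithm 15, an assumption since the slides name no algorithm), the resolver starts from the root public key as its trust anchor, and an attacker who forges the A record without yourbank.com's private key gets a bogus result. The record layout, zone names and addresses are constructed, not DNS wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// record is one signed answer: a DS record (parent vouching for its child zone's public key)
// or an A record (name to address). sig covers owner||data and is made by the publishing zone.
type record struct {
	owner     string
	data, sig []byte
}

func gen() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
func msg(r record) []byte { return append([]byte(r.owner), r.data...) }

func sign(k ed25519.PrivateKey, owner string, data []byte) record {
	return record{owner, data, ed25519.Sign(k, append([]byte(owner), data...))}
}

// validate walks the chain as a validating resolver does: the trust anchor (root key) must sign
// DS(com.), com. must sign DS(yourbank.com.), and that zone's key must sign the final A record.
// It returns the address, or "" (bogus) if any link of the chain fails to verify.
func validate(key ed25519.PublicKey, chain []record, answer record) string {
	for _, ds := range chain {
		if !ed25519.Verify(key, msg(ds), ds.sig) || len(ds.data) != ed25519.PublicKeySize {
			return ""
		}
		key = ed25519.PublicKey(ds.data) // a valid DS hands over the child zone's key
	}
	if !ed25519.Verify(key, msg(answer), answer.sig) {
		return ""
	}
	return string(answer.data)
}

// Demo validates the genuine answer and an injected one from slide 9's attacker, who can
// forge an A record for www.yourbank.com but does not hold yourbank.com's private key.
func Demo() (genuine, forged string) {
	root, com, bank, attacker := gen(), gen(), gen(), gen()
	chain := []record{sign(root, "com.", pub(com)), sign(com, "yourbank.com.", pub(bank))}
	genuine = validate(pub(root), chain, sign(bank, "www.yourbank.com.", []byte("192.0.2.1")))
	forged = validate(pub(root), chain, sign(attacker, "www.yourbank.com.", []byte("203.0.113.9")))
	return genuine, forged // "192.0.2.1", ""
}

func main() { fmt.Println(Demo()) }
```

Note that the check says nothing about who can read the answer: the forged record is rejected because it fails to verify, not because it was hidden, which is the "no confidentiality" point above.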
18. DNSSEC – What It Solves
- Use public keys to authenticate
  - The original name to address mapping
  - That queries were not tampered with
- Prevents impersonation by domain name
- Completely backwards compatible with existing DNS infrastructure
- It would prevent the extension of the Great Firewall of China outside China
19. Benefits of DNSSEC
1. The Internet community: Improved security in the zones that are signed.
2. Registrars: Offer domain signing services to their customers.
3. ISPs: Increasing the security of the data returned to their customers.
4. Users: Protection from DNS vulnerabilities such as cache poisoning and man-in-the-middle attacks.
20. RPKI – What It Solves
- Ties an organization's IP address range(s) to its ASN
- Solves the "does this address block belong to this organization" question
- Blocks impersonation by IP address (number)
- RPKI would have prevented the YouTube Blackout of '08
21. How RPKI Works
- Digitally certify that a resource has been allocated to a specific entity.
- Usage rights for resources are proven by digital certificate.
- Connect resources (ASNs, IP addresses) to a trust anchor, thus forming a chain of trust.
- Control the authority to originate a routing announcement by a certificate, via ROAs.
- Certificates are used to verify that a network has the authority to announce a given block of addresses.
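The ROA check described above, route origin validation as specified in RFC 6811, as an added example that is not from the presentation. The ROAs cover the /16 and /48 shown on slide 13; the ASNs (64496, 64511) are documentation ASNs chosen here; and the more-specific /24 announced by another AS shows the announcement pattern that RPKI-validating routers would reject in an Exhibit A style hijack.

```go
package main

import (
	"fmt"
	"net/netip"
)

// roa is a Route Origin Authorization: the holder of prefix allows asn to originate it
// and any more-specific prefix no longer than maxLen. Constructed sample data: AS64496 and
// AS64511 are documentation ASNs; 197.253.0.0/16 and 2c0f:face:b00c::/48 come from slide 13.
type roa struct {
	prefix netip.Prefix
	maxLen int
	asn    uint32
}

func sampleROAs() []roa {
	return []roa{
		{netip.MustParsePrefix("197.253.0.0/16").Masked(), 16, 64496},
		{netip.MustParsePrefix("2c0f:face:b00c::/48").Masked(), 48, 64496},
	}
}

// Validate implements route origin validation (RFC 6811). A route is Valid if some
// covering ROA names its origin AS and its prefix length is within maxLength, Invalid
// if ROAs cover the prefix but none matches, and NotFound if no ROA covers it at all.
func Validate(roas []roa, announced string, origin uint32) string {
	p := netip.MustParsePrefix(announced).Masked()
	result := "NotFound"
	for _, r := range roas {
		// A ROA covers the route when it contains the announced prefix (same address family,
		// announced prefix at least as long as the ROA prefix).
		if !r.prefix.Contains(p.Addr()) || p.Bits() < r.prefix.Bits() {
			continue
		}
		if r.asn == origin && p.Bits() <= r.maxLen {
			return "Valid"
		}
		result = "Invalid" // covered, but this origin or length is not authorized
	}
	return result
}

func main() {
	roas := sampleROAs()
	fmt.Println(Validate(roas, "197.253.0.0/16", 64496)) // Valid: the holder's own announcement
	fmt.Println(Validate(roas, "197.253.4.0/24", 64511)) // Invalid: a more-specific from another AS, the Exhibit A pattern
	fmt.Println(Validate(roas, "197.253.4.0/24", 64496)) // Invalid: even the holder, since /24 exceeds maxLength 16
	fmt.Println(Validate(roas, "196.1.0.0/24", 64496))   // NotFound: no ROA covers this block
}
```

A router only gains protection from this when it actually drops or deprefers Invalid routes; publishing the ROA alone changes nothing for networks that do not validate.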
22. Implications for National Infrastructure
1. Is the ccTLD DNSSEC enabled?
2. Government network
   - Support DNSSEC on all gov't networks
   - Is gov't IP space RPKI-protected?
3. Key network operators (ideally everyone)
   - Secure your names domain with DNSSEC
   - Secure your numbers domain with RPKI
Because cyber crime is an industry that will only grow (to the chagrin of us all) and extend to cyber war & terrorism
24. Consequences: think of the effect
1. We consolidate governance around technology … then the e-gov't portal is inaccessible due to attack
2. We consolidate education around hosted content and that platform was inaccessible
3. Our bank websites get hijacked
25. Our digital way of life is under threat
e-Banking, e-Gov't, e-Commerce
27. Call to Action
RPKI & DNSSEC are not Silver Bullets but are a core part of the solution.
Fix up your own part of this mess! RPKI & DNSSEC on gov't infrastructure
28. Na Gode! Thank You! Shukran
mukom@afrinic.net | Twitter: @perfexcellent