High Level Overview of RPKI & DNSSEC

Key pieces of the Cyber Security Puzzle

Scorecard!
DNS & Routing !
Overview of the problem!

Exhibit A: The Great YouTube Blackout of ‘08
Mukom Akong T. | @perfexcellence |! Slide 3!

Exhibit A: The Great YouTube Blackout of ‘08
1 billion (non)views per day!
Date: 24th February 2008
Extent: Two thirds of Internet
Damage: Inaccessible for 2 hours

Exhibit B: Great Firewall of China extends abroad

Exhibit B: Great Firewall of China extends overseas
Date: 24 March 2010
Extent: Some networks in USA & Chile
Damage: US & Chilean citizens became
subject to the online policies of
the Chinese gov’t

Identifying computers on the Internet
192.0.2.1
2001:db8:dead::a1d
learn.afrinic.net
IP addresses are ineffective for human use on a large scale

How this can happen to you
①  You type your bank’s address: www.yourbank.com
②  Your PC asks your ISP’s DNS servers for the matching IP address
③  The DNS server goes through a hierarchy to get the answer:
§  Asks the root DNS servers which points it to .com servers
§  The .com servers direct it to .yourbank.com DNS server
§  The .yourbank.com DNS server sends the answer (an IP address)
§  The server passes the response to your PC which makes the connection
④  An attacker can inject a fake answer during any of the above steps
⑤  The response that comes to you
§  Is NOT the same IP address of you bank (which you don’t know)
§  The website LOOKS exactly like the one you often use
⑥  You type in your credentials, then you get a error e.g. page cannot be
displayed
⑦  3 weeks later, you scream: “Where’s my money??!!"

Identifying organisations on the Internet
☀ Domain name e.g
afrinic.net
☀ A block of IP addresses
§  196.1.0.0/24
§  2001:4290::/32
☀ Autonomous System
Number e.g.

For the Internet to work ..
2001:db8:dead::a1dlearn.afrinic.net

For the Internet to work ..
How do I send
information to
the computer
with address B?

The Problem: Breakdown of TRUST
I AM …
www.google.com
www.yourbank.com
www.statehouse.gov.ng
www.prc.cm
www.cto.int
www.afrinic.net
I AM …
2c0f:face:b00c::/48
197.253.0.0/16
65.25.0/24
It is possible to impersonate any entity by name or address

☀ It is possible for one computer to
impersonate another node by name.
☀ There’s no real way of knowing if the
answer your computer got to “what is
the IP address of www.yourbank.com” is
legitimate or not

☀ It is possible for one entity (e.g an ISP)
to impersonate a whole network by IP
address
☀ There’s been no way verify if that entity
owns that IP address it’s claiming

A Fix: Certify & authenticate Internet identity
☀ Sign DNS records
☀ Establish a chain of trust
☀ Establish ‘ownership’ of
address space
Digital certiﬁcates & public
key infrastructure

How DNSSEC solves the problem
①  Digitally sign DNS (name to IP address)
records using public keys
②  Establishes a chain of trust where parent
domains authenticate child domains
③  Ensures responses have not been
tampered with in transit
Does NOT provide confidentiality (encryption)

DNSSEC – What It Solves
☀ Use public keys to authenticate
§  The original name to address mapping
§  That queries were not tampered with
☀ Prevents impersonation by domain name
☀ Completely backwards compatible with
existing DNS infrastructure
☀ It would prevent the extension of the Great
Firewall of China outside China

Bene"ts of DNSSEC
①  The Internet community: Improved security in
the zones that are signed.
②  Registrars: Offer domain signing services to
their customers.
③  ISPs: Increasing the security of the data
returned to their customers.
④  Users: Protection from DNS vulnerabilities
such as cache poisoning and man-in-the-
middle attacks.

RPKI – What It Solves
☀ Ties an organization's IP address
range(s) to its ASN
☀ Solves the “does this address block
belong to this organization”
☀ Blocks impersonation by IP address
(number)
☀ RPKI would have prevented the Youtube
Blackout of ‘08

How RPKI Works
☀ Digitally certify that a resource has been allocated
to a specific entity.
☀ Usage rights for resources is proven by digital
certificate.
☀ Connect resources (ASNs, IP addresses) to a trust
anchor, thus forming a chain of trust.
☀ Control authority to originate a routing
announcement by a certificate via ROAs
☀ Certificates are used to verify that a network has
the authority to announce a given block of
addresses.

Implications for National Infrastructure
①  Is the ccTLD DNSSEC enabled?
②  Government network
☀ Support DNSSEC on all gov’t networks
☀ Is gov’t IP space RPKI-protected?
③  Key network operators (ideally Everyone)
☀ Secure your names domain with DNSSEC
☀ Secure your number domains with RPKI
Because Cyber Crime is an industry that will
only grow (to the chagrin of us all) and extend
to Cyber War & Terrorism

Source: http://www.dnssec-deployment.org

Consequences: think of the e#ect
①  We consolidate governance around
technology …then the e-gov’t portal is
inaccessible due to attack
②  We consolidate education around
hosted content and that platform was
inaccessible
③  Our bank websites get hijacked

Our digital way of life is under threat
e-Banking E-Gov’t E-Commerce

Call to Action
RPKI & DNSSEC are not Silver Bullets but are a core part of the solution.
Fix up your own part of this mess! RPKI & DNSSEC on gov’t infrastructure

Na Gode! Thank You ! Sh’kran
mukom@afrinic.net | Twitter: @perfexcellent

High Level Overview of RPKI & DNSSEC

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to High Level Overview of RPKI & DNSSEC

Similar to High Level Overview of RPKI & DNSSEC (20)

More from Mukom Akong Tamon

More from Mukom Akong Tamon (6)

Recently uploaded

Recently uploaded (20)

High Level Overview of RPKI & DNSSEC