RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)

RIPE69!and!IETF!91!Review
©!Men!&!Mice!!http://menandmice.com!
©!ISC!http://www.isc.org
11th!December!2014
1

Security!Updates
BIND!9.10.1-P1!
BIND!9.9.6-P1!
Unbound!1.5.1!(1.4.22-P1)!
PowerDNS!Recursor!3.6.2
2

Agenda
RIPE69!in!London!/!IETF!91!in!Hawaii!!
DNS,!DNSSEC,!DANE,!DHCP,!IPv6!
the!following!information!is!an!excerpt!of!the!RIPE!
69!meeting!and!the!IETF!working!group!activities!
for!a!full!overview!of!all!activities!at!IETF!91,!see!
https://datatracker.ietf.org/meeting/91/materials.html !!
RIPE69!video!and!presentation!archive
https://ripe69.ripe.net/archives/
3

DNS
4

new!RFCs!published!since!last!IETF
RFC Title Category
7344 Automating DNSSEC Delegation Trust Maintenance Informational
5

Automating!DNSSEC!Delegation!Trust!
Maintenance
automates!the!updates!of!the!DNSSEC!trust!chain!
information!in!the!parent!zone!
defines!two!new!record!types:!CDS!(Client-DS)!and!
CDNSKEY!(Client-DNSKEY)!
operator!of!a!DNSSEC!secured!child!zone!publishes!
new!DS!via!CDS,!or!new!DNSKEY!via!CDNSKEY!
parent!zone!operator!monitors!the!child
zone!and!imports!new!DS!and!DNSKEY!
data!from!the!child
6

Maintenance
7
Parent!DNS
Child!DNS
child.tld. IN SOA …
child.tld. IN NS …
child.tld. IN DNSKEY …
tld. IN SOA …
tld. IN NS …
tld. IN DNSKEY …

Maintenance
8
Parent!DNS
Child!DNS
tld. IN SOA …
tld. IN NS …
tld. IN DNSKEY …
child.tld. IN DS …
Updating!DNSSEC!Trust!chain!today

Maintenance
9
Parent!DNS
Child!DNS
tld. IN SOA …
tld. IN NS …
tld. IN DNSKEY …
child.tld. IN CDS …
Updating!DNSSEC!Trust!chain!
with!CDS!/!CDNSKEY

!Brett!Carr!-!Name!Collision!Controlled!
Interruption
!DNS!name!collision!-!risk!mitigation!for!ngTLDs!
•!"internal"!non-registered!DNS!names
are!used!in!private!networks!
•names!are!leaking!into!the!Internet!DNS!
•machines!with!local!names!configured!leave!the!
"controlled"!network!
•.mail,!.corp,!.home!have!been!reserved!for!now
by!ICANN!
•name!collision!emergency!response!
•controlled!interruption!-!wildcard!TLD!and!SLD!
•curious!loopback!address!127.0.53.53!
•ICANN!monitors!CI!for!all!new!TLDs!and!SLDs!in!the!new!TLDs!
•Information!@!https://icann.org/namecollison
•Video!and!Slides: https://ripe69.ripe.net/archives/video/181
10

".home"!Special-Use!Domain!Name
Proposal!to!designate!the!".home"
TLD!as!a!"private!use"!domain!
!
!
!
http://www.ietf.org/proceedings/91/slides/slides-91-dnsop-8.pdf
http://tools.ietf.org/html/draft-cheshire-homenet-dot-home-01
11

Geoff!Huston!-!The!Resolvers!We!Use
TL;DR:!DNS!in!the!Internet
is!weird!
•how!close!are!clients!to!the!
resolver?!
•41%!if!Internet!clients!use!
non-local!DNS!resolver!(google,!level!3,!opendns!…)!
•1/3!use!a!resolver!in!a!different!country!
•Video!and!Slides:!
https://ripe69.ripe.net/archives/video/10114
12

Sara!Dickinson!-!Hedgehog
new!presenter!(Web-UI)!
for!DNS!data!collected
by!DSC!for!the!L-root!DNS-Server(s)!
Work!by!Sinodun!
for!ICANN!
•new!version!2.0!does!not
require!a!Adobe!Flash!plugin!
•open!source
(Apache!License)!
http://www.dns-stats.org
•code!is!available!on!github
https://github.com/dns-stats/hedgehog
•Video!and!Slides: https://ripe69.ripe.net/archives/video/194
13

How!the!Hell!Should!We!Fund!Open!
Source?
Jeff!Osborn!(ISC)!asked!
an!open!question!"how
to!finance!open!source
development?"!
NLnetLabs!and!ISC!team
up!to!provide!security
announcements!and
support!to!customers!for!BIND,!Unbound!and!NSD
14

Peter!van!Dijk!-!PowerDNS!Lua!Policy!
Engine
•embedded!scripting
engine!in!PowerDNS!
•Idea:!software!needs!to
adapt!
•Motivation:!implement!RRL!
(Respond!Rate!Limiting)!
•allows!decisions!on!incoming!DNS!traffic!inside!the!policy!engine!
•embedded!LUA!feature!still!in!development,!feedback!requested!
•Video!and!Slides:!https://ripe69.ripe.net/archives/video/201/
15

George!Michaelson
Please!Don’t!Pick!the!ECDSA-ies
•!measurement!of!ECDSA!P256!support!in!
!DNSSEC!validating!resolvers!deployed!today!
•!ECDSA!more!light!in!key-size!and!computation!
power!
•!UDP!fragmentations!issues!in!IPv6!(and!IPv4)!
•!1/3!of!DNSSSEC!validating!resolvers!do!not!
fetch!ECDSA!
•possible!reason:!IPR!issues!with!ECDSA!in!OpenSSL!(Redhat/CentOS/Fedora,!FreeBSD!...)!
•but!clients!still!fetch!the!content!
•DNSSEC!RFC:!if!a!resolver!does!not!understand!the!algorithm,!treat!zone!as!unsigned!
(insecure)!
•possible!Downgrade!attack?!
•!Proposal!from!Audience:!send!SRVFAIL!instead!of!treat!as!insecure!!
•Video!and!Slides: https://ripe69.ripe.net/archives/video/10059/
16

Geoff!Huston!-!Who's!Watching?
•!can!surveillance!be!seen!in!
!measurements?!
•!measurements!using!unique!
!URL!names,!should!only!be!
!fetched!once!
•"shadow"!fetches!of!measurement
URLs,!from!China,!Iran,!Laos,
Macao,!Singapore,!Honkong,!
UK,!Taiwan,!....!
•Chinanet,!Google,!RIM!...!
•most!fetches!in!about!3!seconds!after!original!measurement!fetch!
•Slides!and!Video:!https://ripe69.ripe.net/archives/video/10110
17

DNS!Privacy!-!DPRIVE!WG
•Phill!Hallam-Baker!—!Private!DNS
http://www.ietf.org/proceedings/91/slides/slides-91-dprive-2.pdf!
•Paul!Hoffman!—!DNS!over!TLS:!Three!ways!of!not!
using!port!53
http://www.ietf.org/proceedings/91/slides/slides-91-dprive-0.pdf!
•Stéphane!Bortzmeyer!—!QNAME!minimiz(s?)ation
http://www.ietf.org/proceedings/91/slides/slides-91-dnsop-2.pdf!
!
18

DNSSEC!negative!trust-anchor
•Operators!of!DNSSEC!validating!resolver!need
to!have!a!way!to!selectively!turn!of!DNSSEC!
validation!
•in!case!the!DNSSEC!in!the!authoritative!zone!is!broken!(no!attack)!
•Draft!got!adopted!by!the!DNSOP!WG!
•"Definition!and!Use!of!DNSSEC!Negative!Trust!Anchors"!
Slides:!
http://www.ietf.org/proceedings/91/slides/slides-91-dnsop-4.pdf!
Draft:!
http://tools.ietf.org/html/draft-livingood-dnsop-negative-trust-anchors-01
19

DNS!Transport!over!TCP
•why?!
•Privacy!efforts!
•Preventing!amplification!attacks!
•Packet!size!limitations!
•Slides:!
20

DNS!Cookies
•!OPT!option!that!provides!weak!protection!against!
•off!path!DNS!denial!of!service!
•traffic!amplification!
•DNS!cache!poisoning!attacks!
•Experimental!implementation!in!BIND!9.10!
•BIND!Source!Identity!Token!
•Draft:!http://tools.ietf.org/html/draft-ietf-dnsop-cookies-00!
•Slides:!
21

EDNS!compliance!report
•Mark!Andrews!(ISC)!did
extensive!tests!to!find!out
about!the!EDNS
compliance!of!DNS!servers
in!the!Internet!
•EDNS!=!extended!DNS,!
around!since!1998!
•many!DNS!server!(and!middle-boxes)!do!not!handle!
unknown!EDNS!options!or!versions!
• http://www.ietf.org/proceedings/91/slides/slides-91-dnsop-9.pdf
22

DANE!S/MIME
Client
•Prototype!DANE!
S/MIME!Mail-Client
based!on!the!GetDNS-API!
•Plugin!for!Mozilla!
Thunderbird
http://www.ietf.org/proceedings/91/slides/slides-91-dane-1.pdf
23

DANE!Deployment!
Observations
•Dan!York!(ISOC)!
•the!good!and!the!bad!seen
in!DANE!deployments
•Draft:!
https://tools.ietf.org/html/draft-york-dane-deployment-observations-00
•Slides:!
http://www.ietf.org/proceedings/91/slides/slides-91-dane-3.pdf
24

More!DNS!from!RIPE!69
•Chris!Baker
Dynamic!DNS!Abuse!Overview
https://ripe69.ripe.net/archives/video/10057/
•Nicolas!Cartron!-!DNS!Attacks:!
Can!we!Still!Afford!to!Use!Old,!
Ineffective!Solutions?
https://ripe69.ripe.net/archives/video/10055!
•Ondřej!Caletka!-!Challenges!in!Endpoint!DNSSEC
https://ripe69.ripe.net/archives/video/10116!
•!Jaap!Akkerhuis!-!NSD!4.1
https://ripe69.ripe.net/archives/video/204
25

DHCP
26

new!RFCs!published!since!last!
RFC Title Category
IETF
7341 DHCPv4-over-DHCPv6 (DHCP 4o6) Transport
27
Standards
Track

DHCP!Privacy!Updates
•Work!Items!
•Identifiers!
•Current!Mechanisms!
•Attacks!
•Differences!between!DHCPv4!and!DHCPv6!
•Work!Plan!
•Slides:!http://www.ietf.org/proceedings/91/slides/slides-91-dhc-6.pdf
•Drafts:!
draft-krishnan-dhc-dhcpv6-privacy-00!
draft-jiang-dhc-dhcpv4-privacy-00
28

Issues!and!Recommendations!with!Multiple!
Stateful!DHCPv6!Options
•DHCPv6!supports!multiple!stateful!options!
•Options!that!require!dynamic!binding!state!per!
client!on!the!server!
•IPv6!Addresses!and!Prefix!Delegations!(PD)!
•Slides:!
http://www.ietf.org/proceedings/91/slides/slides-91-dhc-2.pdf
•Draft:!
http://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-stateful-issues-
09
29

IPv6/IPv4-sunset
30

published!new!RFCs!since!last!IETF
RFC Title Category
7335 IPv4 Service Continuity Prefix (192.0.0.0/29) Standards Track
7343 An IPv6 Prefix for Overlay Routable Cryptographic Hash Identifiers
Version 2 (ORCHIDv2)
31
Standards Track
7346 IPv6 Multicast Address Scopes Standards Track
7371 Updates to the IPv6 Multicast Addressing Architecture Standards Track
7381 Enterprise IPv6 Deployment Guidelines Informal
7404 Using Only Link-Local Addressing inside an IPv6 Network Informal

Jen!Linkova
Stop!Thinking!IPv4;!IPv6!is!Here
•!!IPv6!is!here!-!questions!is!not!
"should!I!deploy!IPv6"!but!"how!to!deploy"!
•!you!need!to!understand!IPv6!to!be!able!to!
decide!why!to!use!/!why!not!to!use!IPv6!
•!using!link-local!addresses!for!router!links!
•!easy!subnet!size!address!plans!
•!first!hop!redundancy!via!Router!Advertisements!
•!DHCPv6?!Is!it!needed?!
•!RFC!5942!"relationship!between!links!and!subnet!prefixes"!
•!Franck!Martin!"Sending!and!receiving!emails!over!IPv6"
http://engineering.linkedin.com/email/sending-and-receiving-emails-over-ipv6!
•!IPv6!only!data-center!
•!IPv6!and!Firewall!
•Slides!and!Video: https://ripe69.ripe.net/archives/video/185!
•free!'IPv6!for!IPv4!experts'!book:!https://sites.google.com/site/yartikhiy/home/ipv6book
32

!Tore!Anderson
SIIT-DC:!IPv4!Service!Continuity!for!IPv6!Data!Centres
•!IPv4!is!not!mandatory!anymore!
•!we!have!to!work!with!IPv6!anyway,!
!try!to!build!infrastructure!IPv6!only!
•!less!complexity,!avoid!transition!
!"workarounds"!
•!move!IPv4!to!the!edge!of!the!
!infrastructure!network!
•!SIIT-DC!-!Stateless!IP/ICMP!Translation!
!for!IPv6!Data!Centre!Environments!
•!mapping!IPv4!addresses!into!an!IPv6!prefix!
•!works!with!IPv4!only!applications!(difficult!protocols!like!FTP!via!host-agent)!
•!available!through!TAYGA!(Open!Source/Linux)!and!commercial!routers!
•!Draft:!http://tools.ietf.org/html/draft-anderson-v6ops-siit-dc-01!
•!Slides!and!Video:!https://ripe69.ripe.net/archives/video/186
33

IPv6!Extension!Headers!in!
the!Real!World
•!Jen!Linkova!-!IPv6!Extension!Headers!
•!network!operators!filter!extension!headers!
•!Test!using!500!RIPE!ATLAS!probes!towards!Alexa!1M!websites!
•!Hop-by-Hop!and!Destination!Headers!
•!Firewalls!cannot!deal!with!complex!extension!headers,
!cannot!find!the!payload!to!inspect!
•!short!EH!have!lower!drop!rate,!UDP!with!8bit!EH!have!least!drop!rate!
•!plan!to!repeat!the!test!in!1!year!time!(improvement)?!
•!Tore!Anderson!suggests!to!re-run!the!test!for!ESP!EH!
•!Draft:!http://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-in-real-world-01
•Transmission!and!Processing!of!IPv6!Options
(draft-gont-6man-ipv6-opt-transmit-00)!
•!Slides!and!Video:!!
•RIPE!https://ripe69.ripe.net/archives/video/10052!
•IETF!http://www.ietf.org/proceedings/91/slides/slides-91-v6ops-9.pdf
34

more!IPv6!work!@!IETF
•Some!problems!observed!in!IPv6-only!deployment
draft-song-sunset4-ipv6only-dns!
•Recommendation!on!Stable!IPv6!Interface!Identifiers
draft-ietf-6man-default-iids!
•Deprecating!the!Generation!of!IPv6!Atomic!
Fragments
draft-ietf-6man-deprecate-atomfraggeneration!
•IPv6!Prefix!Length!Recommendation!for!Forwarding
draft-boucadair-6man-prefix-routing-reco
35

Misc
36

Jason!Schiller!-!QUIC:!Why!Should!I!Care!
About!Quick!UDP!Internet!Connections?
•!increase!the!load-performance!of!webpages!
•!issues!with!TCP!that!cannot!be!easily!solved!
•!Idea:!multiplexing!connections!over!UDP!
•!implemented!as!part!of!the!
!Chromium!project!(Google!Browser)!
•!same!functions!as!SPDY!
•!will!be!supported!in!future!Chrome!Browser,!
!most!Google!Web-Sites!are!already!QUIC!
!enabled!
•!traffic!towards!Google!might!switch!from!
!TCP!to!UDP!in!2015!
•!Comment!from!Audience:!Port!80!UDP!might!be!blocked!
•!Chrome!implements!TCP!and!UDP!"Happy!Eyeballs"!
•!Slides!and!Video: https://ripe69.ripe.net/archives/video/10108/
37

Raymond!Cheng!-!uProxy:!a!Social!
Proxy!for!Your!Browser
•!browser!extension!to!securely
!tunnel!traffic!through!a!friends
!computer!
•!peer!to!peer!communication,
!encrypted!
•!plugin!for!Chrome!and!Firefox!
•!Aim:!easy!to!install!and!use!
•!use!case:!tunnel!from!insecure!WIFI!to!machine!in!home!network!
•!Plugin!implementation!uses!WebRTC!as!the!underlying!transport!
•!Slides!and!Video: https://ripe69.ripe.net/archives/video/189/
38

Men!&!Mice!webinars!2015
•!DNS-Resolver!monitoring!using!DNSTAP!and!Unbound!
•!the!Men!&!Mice!Suite!Generic!DNS!Controller!(PowerDNS,!Amazon!
!Route53)!
•!Selective!blackholing!
•!DANE!and!DNSSEC!revisited!
•!the!KNOT!DNS!Server!
•!RIPE!70!and!IETF!meeting!reports!
•!BIND!9!tuning!
•!BIND!9.10/9.11!update!/!GeoIP!with!BIND!9!
•!<!your!topic!here!>!(please!let!us!know!via!<info@menandmice.com>,!
Twitter,!Facebook!…)
39

2015!Schedule,!Slides,!Links,!Recording!and!errata!
https://www.menandmice.com/resources/educational-resources/webinars/
Q/A
?
will!be!posted!@
40

2015!Schedule,!Slides,!Links,!Recording!and!errata!
https://www.menandmice.com/resources/educational-resources/webinars/
Q/A
?
will!be!posted!@
41

RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)

More Related Content

Viewers also liked

Similar to RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)

More from Men and Mice

Recently uploaded

RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)