ICANN Talk - State of Global DNSSEC

Transcription

ICANN Talk - State of Global DNSSEC
DNSSECUpdate
SANOG27
Kathmandu,Nepal
January2016
[email protected]
DNSBasics
• DNSconvertsnames(www.nepalbank.com.np)
tonumbers(198.1.112.132)
• ..toidentifyservicessuchaswwwande-mail
• ..thatidentifyandlinkcustomerstobusiness
andvisaversa
+1-202-709-5262
VoIP
US-NSTICeffort
DNSisapartofallITecosystems
(muchmorethanoneexpects)
[email protected]
OECSIDeffort
SmartElectricalGrid
mydomainname.com
WhereDNSSECfitsin
• CPUandbandwidthadvancesmakelegacy
DNSvulnerabletoMITMattacks
• DNSSecurityExtensions(DNSSEC)introduces
digitalsignaturesintoDNSto
cryptographicallyprotectcontents
• WithDNSSECfullydeployedabusinesscanbe
sureacustomergetsun-modifieddata(and
visaversa)
TheBad:DNSChanger - ‘Biggest
CybercriminalTakedowninHistory’–
4Mmachines,100countries,$14M
Nov2011http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/
End-2-endDNSSECvalidationwouldhaveavoidedtheproblems
TheInternet’sPhoneBook- Domain
NameSystem(DNS)
DNS
Resolver
www.majorbank.se=?
1.2.3.4
Get page
Login page
www.majorbank.se = 1.2.3.4
DNS
Server
webserver
www @
1.2.3.4
Username / Password
Account Data
ISP
DNS Hierarchy
se
root
com
majorbank.se
www.majorbank.se
Majorbank (Registrant)
CachingResponsesforEfficiency
www.majorbank.se=?
1.2.3.4
Get page
Login page
Username / Password
Account Data
DNS
Resolver
www.majorbank.se = 1.2.3.4
DNS
Server
webserver
www @
1.2.3.4
TheProblem:
DNSCachePoisoningAttack
www.majorbank.se=?
5.6.7.8
Get page
Login page
Username / Password
Error
DNS
Resolver
www.majorbank.se = 1.2.3.4
DNS
Server
Attacker
www.majorbank.se = 5.6.7.8
Attacker
webserver
www @
5.6.7.8
Password database
Argghh!NowallISPcustomersget
senttoattacker.
www.majorbank.se=?
5.6.7.8
Get page
Login page
Username / Password
Error
DNS
Resolver
www.majorbank.se = 1.2.3.4
DNS
Server
Attacker
webserver
www @
5.6.7.8
Password database
SecuringThePhoneBook- DNS
SecurityExtensions(DNSSEC)
www.majorbank.se=?
1.2.3.4
Get page
Login page
Username / Password
Account Data
DNS
Resolver
with
DNSSEC
Attacker’s record does not
validate – drop it
www.majorbank.se = 1.2.3.4
DNS
Server with
DNSSEC
Attacker
www.majorbank.se = 5.6.7.8
webserver
www @
1.2.3.4
Resolveronlycachesvalidatedrecords
www.majorbank.se=?
1.2.3.4
Get page
Login page
Username / Password
Account Data
DNS
Resolver
with
DNSSEC
www.majorbank.se = 1.2.3.4
DNS
Server with
DNSSEC
webserver
www @
1.2.3.4
Securingit
• DNSconvertsnames(www.bncr.fi.cr)to
numbers(201.220.29.26)
• Makesurewegettherightnumbers(DNSSEC)
• Verifytheidentityandencryptdata
TheBad:OtherDNShijacks*
•
•
•
•
•
•
•
•
25Dec2010- Russiane-PaymentGiantChronoPay Hacked
18Dec2009– Twitter– “Iraniancyberarmy”
13Aug2010- Chinesegmail phishingattack
25Dec2010TunisiaDNSHijack
2009-2012google.*
– April282009GooglePuertoRicositesredirectedinDNSattack
– May92009MoroccotemporarilyseizeGoogledomainname
9Sep2011- Diginotar certificatecompromiseforIranianusers
SSL/TLSdoesn'ttellyouifyou'vebeensenttothecorrectsite,itonly
tellsyouiftheDNSmatchesthenameinthecertificate.Unfortunately,
majorityofWebsitecertificatesrelyonDNStovalidateidentity.
DNSisreliedonforunexpectedthingsthoughinsecure.
*ABriefHistoryofDNSHijacking- Google
http://costarica43.icann.org/meetings/sanjose2012/presentation-dns-hijackings-marquis-boire-12mar12-en.pdf
TheBusinessCaseforDNSSEC
• Cybersecurityisbecomingagreaterconcernto
enterprises,government,andendusers.DNSSEC
isakeytoolanddifferentiator.
• DNSSECisthebiggestsecurityupgradeto
Internetinfrastructureinover20years.Itisa
platformfornewsecurityapplications(forthose
thatseetheopportunity).
• DNSSECinfrastructuredeploymenthasbeenbrisk
butrequiresexpertise.Gettingaheadofthe
curveisacompetitiveadvantage.
DNSSECinterestfromgovernments
• Sweden,Brazil,Netherlands,CzechRepublicand
othersencourageDNSSECdeploymenttovarying
degrees
• Mar2012- AT&T,CenturyLink (Qwest),Comcast,
Cox,Sprint,TimeWarner Cable,andVerizonhave
pledgedtocomplyandabidebyUSFCC[1]
recommendationsthatincludeDNSSEC..“Areportby
Gartnerfound3.6millionAmericansgettingredirectedtobogus
websitesinasingleyear,costingthem$3.2billion.,”[2].
• 2008US.gov mandate.85%operational.[3]
[1]FCC=FederalCommunicationsCommission=UScommunicationsMinistry
[2]http://securitywatch.pcmag.com/security/295722-isps-agree-to-fcc-rules-on-anti-botnet-dnssec-internet-routing
[3]http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf
http://fedv6-deployment.antd.nist.gov/snap-all.html
ThankyouGeoffHuston
NL
DNSSEC- Whereweare
•
•
•
•
•
•
•
•
•
Deployedon1034/1205TLDs (23Jan2016.az .in.af .tm.kg.cn
.th .id.lk .se.de.ru .рф .com.uk .nl .fr .in.jp .us.my‫ ﺎﯾﺳﯾﻠﻣ‬.asia
.tw 台灣,.kr 한국 .net,.org,.post,+ntlds,.ibm .berlin)
Rootsigned**andaudited
>85%ofdomainnamescouldhaveDNSSEC
RequiredinnewgTLDs.BasicsupportbyICANNregistrars
GrowingISPsupport*- ~16%endusers“validate”.
3rd partysigningsolutions***
GrowingS/WH/Wsupport:NLNetLabs,ISC,Microsoft,
PowerDNS,Secure64…?openssl,postfix,XMPP,mozilla:early
DANEsupport
IETFstandardonDNSSECTLScertificates(RFC6698)andothers
Growingsupportfrommajorplayers…(AppleiPhone/iPad,
Google8.8.8.8,hostingcoCloudflare DNSSECbydefault,
Germanemailproviders…)
Stats:https://rick.eng.br/dnssecstat/
*COMCAST /w20M and others; mostISPsinSE,CZ.
**Int’l bottom-up trustmodel/w21TCRsfrom:TT,BF,RU,CN,US,SE,NL,UG,BR,Benin,PT, NP,Mauritius, CZ,CA,JP,UK,NZ…
***Partiallistofregistrars:https://www.icann.org/en/news/in-focus/dnssec/deployment
But…
• Butdeployedononly~2%of2nd level
domains.Manyhaveplans.Fewhavetaken
thestep(e.g.,yandex.com,paypal.com*,
comcast.com).
• DNSChanger andotherattackshighlight
today’sneed.(e.g end-2-endDNSSECvalidation
wouldhaveavoidedtheproblems)
• Innovativesecuritysolutions(e.g.,DANE)
highlighttomorrow’svalue.
*http://fedv6-deployment.antd.nist.gov/cgi-bin/generate-com
http://www.thesecuritypractice.com/the_security_practice/2011/12/all-paypal-domains-are-now-using-dnssec.html
http://www.nacion.com/2012-03-15/Tecnologia/Sitios-web-de-bancos-ticos-podran-ser-mas-seguros.aspx
DNSSEC:Sowhat’stheproblem?
• NotenoughITdepartmentsknowaboutitorare
toobusyputtingoutothersecurityfires.
• Whentheydolookintoittheyhearoldstoriesof
FUDandlackofturnkeysolutionsandCDN
support.
• Registrars*/CDNs/DNSprovidersseenodemand
leadingto“chicken-and-egg”problems.
*butrequiredbynewICANNregistraragreement
Who Can Implement DNSSEC
•
•
•
•
•
•
Enterprises – Sign their zones and validate lookups
TLD Operators – Sign the TLD
Domain Name holders – Sign their zones
Internet Service Providers – validate DNS lookups
Hosting Provider – offer signing services to customers
Registrars – accept DNSSEC records (e.g., DS)
Whatyoucando
• ForCompanies:
– Signyourcorporatedomainnames
– JustturnonvalidationoncorporateDNSresolvers
• ForUsers:
– AskISPtoturnonvalidationontheirDNS
resolvers
• ForAll:
– TakeadvantageofICANN,ISOCandother
organizationsofferingDNSSECeducationand
training
DNSSEC:AGlobalPlatformforInnovation
or..
I*$mell opportunity!
GamechangingInternetCore
InfrastructureUpgrade
• “Morehashappenedheretodaythanmeets
theeye.Aninfrastructurehasbeencreated
forahierarchicalsecuritysystem,whichcan
bepurposedandre-purposedinanumberof
differentways...”– VintCerf(June2010)
ForTechiesandotherDreamers
ToomanyCAs.Whichonecanwe
trust?DNSSECtotherescue….
CACertificateroots~1482
Symantec,Thawte,Godaddy
DNSSECroot- 1
InternetofThings
IoT
Contentsecurity
CommercialSSL
Certificatesfor
Webande-mail
DANE andotheryettobe
discoveredsecurity
innovations,enhancements,
andsynergies
https://www.eff.org/observatory
http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/
Contentsecurity
“FreeSSL”
certificatesforWeb
ande-mailand“trust
agility”DANE
Cryptocurrencies
ande-commerce?
SecuringVoIP
DomainNames
Crossorganizationaland
trans-national
authenticationand
security
E-mailsecuritySMIME,
DKIMRFC4871
Loginsecurity
SSHFPRFC4255
Opportunity:NewSecuritySolutions
•
•
•
•
•
•
•
•
•
•
ImprovedWebSSLandcertificatesforall*
Securede-mail(SMTP+S/MIME)forall*
ValidatedremoteloginSSH,IPSEC*
SecuringVoIP
Crossorganizationalauthentication,security
Securedcontentdelivery (e.g.configurations,updates,
keys)– InternetofThings
SecuringSmartGridefforts
Increasingtrustine-commerce
Securingcryptocurrencies andothernewmodels
FirstglobalFREEPKI
Agoodrefhttp://www.internetsociety.org/deploy360/dnssec/
*IETFstandardscompleteandmorecurrentlybeingdeveloped
Athought:ScalableSecurityforIoT
root
com
google.com
security.co.za
za
DNS is already there
DNSSEC adds security
and crosses
organizational
boundaries.
co.za
electric.co.za
water.rickshome.security.co.za
car.rickshome.iotdevices.co.za
aircond.rickshome.electric.co.za
window.rickshome.security.co.za
meter.rickshome.electric.co.za
door.rickshome.security.co.za
Animatedslide
iotdevices.co.za
thermostat.rickshome.iotdevices.co.za
refrigerator.rickshome.iotdevices.co.za
DNSSEC:Internetinfrastructure
upgradetohelpaddresstoday’s
needsandcreatetomorrow’s
opportunity.
MoreTechiestuff..
Hmm…howdoItrustit?
(transparencytransparency transparency!)
ICANNDNSSECDeployment@Root
• Multi-stakeholder,bottom-uptrustmodel*/w21
cryptoofficersfromaroundtheworld
• BroadcastKeyCeremoniesandpublicdocs
• SysTrust audited
• FIPS140-2level4HSMs
*Managedbytechnicalcommunity+ICANN
RootDPS
DNSSECPracticeStatement
ICANNDNSSECDeployment@Root
(andelsewhere)
FIPS140-2level4
Next..ISO19790
DCID6/9
“SCIF”spec
http://www.flickr.com/photos/kjd/sets/72157624302045698/
Photos:KimDavies
Photos:KimDavies
DNSSEC:Internetinfrastructure
upgradetohelpaddresstoday’s
needsandcreatetomorrow’s
opportunity.
TechDetailsofaDNSSECLookup
TheInternet’sPhoneBook- Domain
NameSystem(DNS+DNSSEC)
www.bank.se=?
1.2.3.4
Get page
Login page
Username / Password
Account Data
bank.seDNSKEY+
RRSIG=?
www.bank.se=? DNS
DNS
Resolver bank.seDNSKEY+
Server
www.bank.se=1.2.3.4
RRSIG=455536
RRSIG=636345
webserver
www @
1.2.3.4
ISP/HotSpot /
Enterprise/End
Node
bank.se (Registrant)
DNS
Server
.se (Registry)
DNS
Server
Details– yuk!
Animatedslide
. (Root)