High-level overview of RPKI & DNSSEC
DESCRIPTION
Short presentation I made at the Commonwealth Telecommunications Organisation (CTO) Forum about the roots of the lack of trust on the Internet and how RPKI & DNSSEC are keys to regaining that trust.

TRANSCRIPT
Key pieces of the Cyber Security Puzzle
Scorecard
DNS & Routing
Overview of the problem
Exhibit A: The Great YouTube Blackout of ‘08
Mukom Akong T. | @perfexcellence | Slide 3
1 billion (non-)views per day
Date: 24th February 2008
Extent: Two thirds of the Internet
Damage: Inaccessible for 2 hours
Exhibit B: Great Firewall of China extends abroad
Date: 24 March 2010
Extent: Some networks in USA & Chile
Damage: US & Chilean citizens became subject to the online policies of the Chinese gov’t
Oh God, how did we get here?
Identifying computers on the Internet
192.0.2.1
2001:db8:dead::a1d
learn.afrinic.net
IP addresses are ineffective for human use on a large scale
How this can happen to you
① You type your bank’s address: www.yourbank.com
② Your PC asks your ISP’s DNS servers for the matching IP address
③ The DNS server goes through a hierarchy to get the answer:
§ It asks the root DNS servers, which point it to the .com servers
§ The .com servers direct it to the yourbank.com DNS server
§ The yourbank.com DNS server sends the answer (an IP address)
§ Your ISP’s server passes the response to your PC, which makes the connection
④ An attacker can inject a fake answer during any of the above steps
⑤ The response that comes to you:
§ Is NOT the real IP address of your bank (which you don’t know anyway)
§ Leads to a website that LOOKS exactly like the one you often use
⑥ You type in your credentials, then you get an error, e.g. “page cannot be displayed”
⑦ 3 weeks later, you scream: “Where’s my money??!!”
Identifying organisations on the Internet
☀ Domain name, e.g. afrinic.net
☀ A block of IP addresses
§ 196.1.0.0/24
§ 2001:4290::/32
☀ Autonomous System Number, e.g.
For the Internet to work ..
How do I send information to the computer with address B?
The Problem: Breakdown of TRUST
I AM … www.google.com, www.yourbank.com, www.statehouse.gov.ng, www.prc.cm, www.cto.int, www.afrinic.net
I AM … 2c0f:face:b00c::/48, 197.253.0.0/16, 65.25.0/24
It is possible to impersonate any entity by name or address
The Problem: Breakdown of TRUST
☀ It is possible for one computer to impersonate another node by name.
☀ There’s no real way of knowing if the answer your computer got to “what is the IP address of www.yourbank.com” is legitimate or not
The Problem: Breakdown of TRUST
☀ It is possible for one entity (e.g. an ISP) to impersonate a whole network by IP address
☀ There has been no way to verify that the entity owns the IP address space it’s claiming
A Fix: Certify & authenticate Internet identity
☀ Sign DNS records
☀ Establish a chain of trust
☀ Establish ‘ownership’ of address space
Digital certificates & public key infrastructure
How DNSSEC solves the problem
① Digitally signs DNS (name to IP address) records; resolvers check the signatures against the zone’s published public key
② Establishes a chain of trust where parent domains authenticate child domains
③ Ensures responses have not been tampered with in transit
Does NOT provide confidentiality (encryption)
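The two slides above, the step-by-step hijack and the chain of trust that defeats it, as a runnable model. This is an added example, not code from the presentation: it builds a three-level chain (root, com., yourbank.com.) with real Ed25519 signatures from Go's standard library, then has a validating resolver accept the genuine answer and reject a swapped one. The zone names, the addresses 192.0.2.10 and 203.0.113.66 (documentation space) and the simplified record layout are constructed for illustration; real DNSSEC uses RSA or ECDSA keys, DNS wire format, NSEC records for denial of existence and separate KSK/ZSK keys, all omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// RRset is a minimal record set (owner, type, data). DNSSEC signs the whole set,
// so altering, adding or dropping any one record invalidates the RRSIG.
type RRset struct {
	Owner, Type string
	Data        []string
}
func (r RRset) canonical() []byte {
	return []byte(strings.ToLower(r.Owner) + "|" + r.Type + "|" + strings.Join(r.Data, ","))
}

// Zone holds one DNSKEY pair (KSK/ZSK split omitted), its RRsets and their RRSIGs.
type Zone struct {
	Pub  ed25519.PublicKey // published as the zone's DNSKEY
	priv ed25519.PrivateKey
	Sets map[string]RRset  // keyed by "owner|type"
	Sigs map[string][]byte // RRSIG over Sets[k], made with priv
}

func NewZone() *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if rand.Reader is broken
	return &Zone{Pub: pub, priv: priv, Sets: map[string]RRset{}, Sigs: map[string][]byte{}}
}

// Publish stores an RRset and signs it with the zone's private key.
func (z *Zone) Publish(r RRset) {
	k := r.Owner + "|" + r.Type
	z.Sets[k] = r
	z.Sigs[k] = ed25519.Sign(z.priv, r.canonical())
}

// dsDigest is the DS record data: a hash over the child's name and DNSKEY. The parent
// publishes and signs it, which is the link that lets it authenticate the child.
func dsDigest(childName string, childKey ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(append([]byte(strings.ToLower(childName)), childKey...)))
}

// verifySet returns the RRset only if its RRSIG verifies under a key already trusted for z.
func verifySet(z *Zone, key ed25519.PublicKey, owner, typ string) (RRset, error) {
	set := z.Sets[owner+"|"+typ]
	if !ed25519.Verify(key, set.canonical(), z.Sigs[owner+"|"+typ]) {
		return RRset{}, fmt.Errorf("%s %s: missing or bogus signature", owner, typ)
	}
	return set, nil
}

// Validate walks the chain of trust from the anchor (the root's public key, configured out
// of band) down the zones listed in chain, e.g. [".", "com.", "yourbank.com."], to the answer.
func Validate(zones map[string]*Zone, anchor ed25519.PublicKey, chain []string, owner, typ string) ([]string, error) {
	if len(chain) == 0 || zones[chain[0]] == nil {
		return nil, fmt.Errorf("chain must start with a known root zone")
	}
	key := anchor // trusted key for chain[0], the root
	for i := 1; i < len(chain); i++ {
		z := zones[chain[i]]
		if z == nil {
			return nil, fmt.Errorf("zone %s unknown", chain[i])
		}
		ds, err := verifySet(zones[chain[i-1]], key, chain[i], "DS")
		if err != nil {
			return nil, err
		}
		if len(ds.Data) != 1 || ds.Data[0] != dsDigest(chain[i], z.Pub) {
			return nil, fmt.Errorf("%s: DNSKEY does not match the DS signed by its parent", chain[i])
		}
		key = z.Pub // the child's DNSKEY is now trusted
	}
	set, err := verifySet(zones[chain[len(chain)-1]], key, owner, typ)
	if err != nil {
		return nil, err
	}
	return set.Data, nil
}

// buildExample: root -> com. -> yourbank.com., with a constructed A record in documentation space.
func buildExample() (map[string]*Zone, ed25519.PublicKey, []string) {
	root, com, bank := NewZone(), NewZone(), NewZone()
	root.Publish(RRset{Owner: "com.", Type: "DS", Data: []string{dsDigest("com.", com.Pub)}})
	com.Publish(RRset{Owner: "yourbank.com.", Type: "DS", Data: []string{dsDigest("yourbank.com.", bank.Pub)}})
	bank.Publish(RRset{Owner: "www.yourbank.com.", Type: "A", Data: []string{"192.0.2.10"}})
	return map[string]*Zone{".": root, "com.": com, "yourbank.com.": bank}, root.Pub, []string{".", "com.", "yourbank.com."}
}

func main() {
	zones, anchor, chain := buildExample()
	fmt.Println(Validate(zones, anchor, chain, "www.yourbank.com.", "A")) // [192.0.2.10] <nil>
	// Step 4 of the slide: the A record is swapped in transit for a look-alike's address; the RRSIG no longer matches.
	zones["yourbank.com."].Sets["www.yourbank.com.|A"] = RRset{Owner: "www.yourbank.com.", Type: "A", Data: []string{"203.0.113.66"}}
	fmt.Println(Validate(zones, anchor, chain, "www.yourbank.com.", "A"))
}
```

Two things worth noticing when running it. An attacker who stands up their own yourbank.com. zone with their own key fails one step earlier, at the DS check, because com. never signed a DS for that key; and nothing here is encrypted: the resolver reads the A record in the clear and only checks that it is the record the zone signed, which is the "no confidentiality" point on the slide.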
DNSSEC – What It Solves
☀ Uses public keys to authenticate
§ The original name to address mapping
§ That responses were not tampered with in transit
☀ Prevents impersonation by domain name
☀ Backwards compatible with existing DNS infrastructure: unsigned zones and non-validating resolvers keep working
☀ Validating resolvers would have rejected the poisoned answers that extended the Great Firewall of China outside China
Benefits of DNSSEC
① The Internet community: Improved security in the zones that are signed.
② Registrars: Offer domain signing services to their customers.
③ ISPs: Increasing the security of the data returned to their customers.
④ Users: Protection from DNS vulnerabilities such as cache poisoning and man-in-the-middle attacks.
RPKI – What It Solves
☀ Ties an organization’s IP address range(s) to the ASN(s) authorised to originate them
☀ Answers the question “does this address block belong to this organization, and may this AS announce it?”
☀ Blocks impersonation by IP address (number)
☀ RPKI would have prevented the YouTube Blackout of ‘08, provided the networks receiving the bogus announcement validated origins and dropped Invalid routes
How RPKI Works
☀ Digitally certify that a resource has been allocated to a specific entity.
☀ Usage rights for resources are proven by digital certificate.
☀ Connect resources (ASNs, IP addresses) to a trust anchor, thus forming a chain of trust.
☀ Control the authority to originate a routing announcement with Route Origin Authorisations (ROAs), signed under the holder’s certificate.
☀ Certificates and ROAs are used to verify that a network has the authority to announce a given block of addresses.
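The last step of the slide, checking an announcement against ROAs, as a router actually performs it. This is an added example, not code from the presentation: it implements the RFC 6811 outcome (Valid, Invalid, NotFound) over a constructed set of ROAs using only Go's standard library. The ROA payloads are taken as already validated against the certificate chain (the RPKI validator's job), and the prefixes and AS numbers are documentation values (RFC 5737, RFC 3849, RFC 5398), not real networks. The second route has the shape of the '08 incident: a more-specific prefix originated by an AS the holder never authorized.

```go
package main

import (
	"fmt"
	"net"
)

// ROA (Route Origin Authorization) is the signed RPKI object that says: the holder of Prefix
// authorizes ASN to originate it, and any more-specific prefix down to MaxLength. Certificate
// and signature checks are taken as done; this is the origin validation a router then performs.
type ROA struct {
	Prefix    *net.IPNet
	MaxLength int
	ASN       uint32
}

// Route is a BGP announcement as a router sees it: a prefix and the AS claiming to originate it.
type Route struct {
	Prefix   *net.IPNet
	OriginAS uint32
}

// Validity is the RFC 6811 outcome: NotFound (no ROA covers the prefix), Valid, or Invalid.
type Validity int
const (
	NotFound Validity = iota
	Valid
	Invalid
)

func (v Validity) String() string {
	return [...]string{"NotFound", "Valid", "Invalid"}[v]
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// NewROA builds a ROA; a MaxLength shorter than the prefix length is clamped to it,
// since a ROA can never authorize a less specific announcement than its own prefix.
func NewROA(prefix string, maxLength int, asn uint32) ROA {
	n := mustCIDR(prefix)
	if ones, _ := n.Mask.Size(); maxLength < ones {
		maxLength = ones
	}
	return ROA{Prefix: n, MaxLength: maxLength, ASN: asn}
}

// covers reports whether the ROA's prefix contains the route's prefix (same family, route at least
// as specific). MaxLength is not checked here on purpose: exceeding it makes a route Invalid, not NotFound.
func covers(roa ROA, r Route) bool {
	roaLen, _ := roa.Prefix.Mask.Size()
	routeLen, _ := r.Prefix.Mask.Size()
	return roa.Prefix.Contains(r.Prefix.IP) && routeLen >= roaLen
}

// Validate implements route origin validation as specified in RFC 6811, section 2.
func Validate(r Route, roas []ROA) Validity {
	routeLen, _ := r.Prefix.Mask.Size()
	covered := false
	for _, roa := range roas {
		if !covers(roa, r) {
			continue
		}
		covered = true
		// An AS0 ROA (RFC 6483, RFC 7607) exists only to make every route it covers Invalid.
		if roa.ASN != 0 && roa.ASN == r.OriginAS && routeLen <= roa.MaxLength {
			return Valid
		}
	}
	if !covered {
		return NotFound
	}
	return Invalid
}

func main() {
	// Constructed data: documentation prefixes (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398).
	roas := []ROA{
		NewROA("192.0.2.0/24", 24, 64496),
		NewROA("2001:db8::/32", 48, 64497),
	}
	routes := []Route{
		{mustCIDR("192.0.2.0/24"), 64496},    // the legitimate origin: Valid
		{mustCIDR("192.0.2.0/25"), 64511},    // the '08 pattern, a more-specific from the wrong AS: Invalid
		{mustCIDR("192.0.2.0/25"), 64496},    // right AS but longer than MaxLength: Invalid
		{mustCIDR("198.51.100.0/24"), 64496}, // no ROA covers it: NotFound
		{mustCIDR("2001:db8:1::/48"), 64497}, // IPv6 more-specific within MaxLength: Valid
	}
	for _, r := range routes {
		fmt.Printf("%-18s AS%-6d %s\n", r.Prefix, r.OriginAS, Validate(r, roas))
	}
}
```

The caveat behind the slide's "would have prevented" claim sits in the last line of main: classification is all RPKI gives a router. Only when networks receiving the announcement validate origins and drop Invalid routes does a hijacked more-specific stop propagating; a ROA alone, with no enforcement, prevents nothing.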
Implications for National Infrastructure
① Is the ccTLD DNSSEC enabled?
② Government network
☀ Support DNSSEC on all gov’t networks
☀ Is gov’t IP space RPKI-protected?
③ Key network operators (ideally everyone)
☀ Secure your names domain with DNSSEC
☀ Secure your numbers domain with RPKI
Because cyber crime is an industry that will only grow (to the chagrin of us all) and extend to cyber war & terrorism
Source: http://www.dnssec-deployment.org
Consequences: think of the effect
① We consolidate governance around technology … then the e-gov’t portal is inaccessible due to attack
② We consolidate education around hosted content … then that platform is inaccessible
③ Our bank websites get hijacked
Our digital way of life is under threat
e-Banking E-Gov’t E-Commerce
The Problem: Breakdown of TRUST
Call to Action
RPKI & DNSSEC are not silver bullets, but they are a core part of the solution.
Fix up your own part of this mess!
RPKI & DNSSEC on gov’t infrastructure
Na Gode! Thank You! Sh’kran
[email protected] | Twitter: @perfexcellent