Internet Kill Switches Demystified
|
|
- Theodora Lane
- 5 years ago
- Views:
Transcription
1 Internet Kill Switches Demystified Benjamin Rothenberger, Daniele E. Asoni, David Barrera, Adrian Perrig EuroSec 17, Belgrade B.Rothenberger
2 B.Rothenberger
3 Internet Kill Switches Recent history: multiple incidents of Internet censorship State-run ISPs used to shut down local Internet Common techniques: BGP route withdrawal / redirection IP / keyword filtering DNS hijacking / injection DDoS à known as: Internet Kill Switch B.Rothenberger
4 Outline Goal: motivate research about Internet KS Evaluation & Metrics Examples: KS in BGP KS in BGPsec Comparison of KS in BGP and BGPsec Similarities to DNSSEC B.Rothenberger
5 Evaluation of Kill Switches Comparison of Kill Switches is challenging! Ideal: quantitative metric How about: financial cost? 1. Impact Intuitively: amount of damage based on network disruption i.e., percentage of Internet communications that are blocked by KS 2. Visibility Should be measured relatively to detection mechanisms High visibility ensures consistent public view of systems (e.g. Certificate Transparency in DNSSEC) B.Rothenberger
6 Evaluation of Kill Switches 3. Recoverability How easily / quickly network can recover: time to recover Partial recovery can be sufficient in short term (e.g., 90% recovery) 4. Precision and Effectiveness Specify degree of control that adversary has over KS High precision à low collateral damage High effectiveness à low number of hosts in target area remain online Precision: ratio of impact in target area over overall impact Effectiveness: ratio of actual impact over maximum possible impact B.Rothenberger
7 KS using BGP: Subprefix Hijacking B.Rothenberger
8 Deployment of Secure Protocols How does the effectiveness of Internet Kill Switches change when secure protocols such as BGPsec / DNSSEC are deployed? What about adversarial misuse of centralized key architectures? Discussion typically dismissed à safeguard technologies & procedures sufficiently secure Attack would be highly visible Concern: adversarial KS are feasible! B.Rothenberger
9 RPKI / BGPsec: Resource Authorization B.Rothenberger
10 RPKI Hierarchy B.Rothenberger
11 RPKI Hierarchy B.Rothenberger
12 KS using BGPsec: Certificate Revocation Misbehaving authorities can make targeted manipulations of RPKI 1 Certificate Revocation Authority can revoke any child certificate Creates new mechanism to unilaterally reclaim IP address space No recourse for holder of reclaimed space Causes other networks to reject routing updates from targeted AS à invalidates entire subtree & makes prefix invisible 1 Related Work by Cooper et. al.,: On the Risk of Misbehaving RPKI Authorities B.Rothenberger
13 KS in BGP vs. KS in BGPsec Prefix Hijacking Key compromise Impact Visibility Recoverability < 1h < 48h Precision Effectiveness = good for adversary = bad for adversary B.Rothenberger
14 DNSSEC Trust Chain B.Rothenberger
15 Kill Switches in DNSSEC DNS: 13 different root servers vs. DNSSEC: single root of trust Control over private key is essential for manipulations Allows control over entire sub-domain! Powerful adversaries can compel network operators In both cases: regional registries offer hosted RPKI / DNSSEC à further centralization, valuable target B.Rothenberger
16 Who should have control? B.Rothenberger
17 Internet KS of the US Government Declaration of National Cyber Emergency Take over any communication network, including the Internet Conditions: Disruption causes severe economic consequences Component of national information infrastructure Systems which operations rely on national information infrastructure B.Rothenberger
18 Conclusion Centralized key-infrastructures provide Internet-scale kill switches Few roots of trust Unilateral control over delegated resources Unilateral control makes KS worse! More precise, effective & easier to select target Remote Internet KS are feasible! à must be considered in the design of secure Internet protocols B.Rothenberger
19 Related Work On the Risk of Misbehaving RPKI Authorities Cooper et. al., HotNets 13 Analysis of Country-wide Internet Outages Caused by Censorship Dainotti et. al., SigComm 11 The Crossfire Attack Kang et. al., Security & Privacy 13 Why Is It Taking So Long to Secure Internet Routing? S. Goldberg ACM Queue 14 B.Rothenberger
20 Thanks for your attention!
21 DNSSEC Trust Chain B.Rothenberger
22 Deployment Status of BGPsec & DNSSEC BGPsec: ~7% of advertised IPv4 prefixes have an ROA (valid and invalid) DNSSEC: ~88% of all TLDs have DS entry in the root zone ~0.5% of.com are signed ~13% of all DNS queries are validated B.Rothenberger
APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013
APNIC s role in stability and security Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013 Overview Introducing APNIC Working with LEAs The APNIC Whois Database
More informationSecurity in inter-domain routing
DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks
More informationProblem Statement and Considerations for ROA Mergence. 96 SIDR meeting
Problem Statement and Considerations for ROA Mergence draft-yan-sidr-roa-mergence-00 @IETF 96 SIDR meeting fuyu@cnnic.cn Background RFC 6482 1/19 ROA mergence What is the ROA mergence? is a common case
More informationThe Transition to BGP Security Is the Juice Worth the Squeeze?
The Transition to BGP Security Is the Juice Worth the Squeeze? RPKI Sharon Goldberg Boston University November 2013 Work with Kyle Brogle (Stanford), Danny Cooper (BU), Ethan Heilman (BU), Robert Lychev
More informationIntroducción al RPKI (Resource Public Key Infrastructure)
Introducción al RPKI (Resource Public Key Infrastructure) Roque Gagliano rogaglia@cisco.com 4 Septiembre 2013 Quito, Equator 2011 Cisco and/or its affiliates. All rights reserved. 1 Review of problem to
More informationSecuring Routing: RPKI Overview. Mark Kosters Chief Technology Officer
Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer Why are DNSSEC and RPKI important? Two of the most critical resources DNS Routing Hard to tell when resource is compromised Focus of
More informationSome Lessons Learned from Designing the Resource PKI
Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007 Address and Routing Security The basic security questions that need to be answered are: Is this a valid
More informationLife After IPv4 Depletion
1 Life After IPv4 Depletion Jon Worley Analyst Securing Core Internet Functions Resource Certification, RPKI Mark Kosters Chief Technology Officer 2 Core Internet Functions: Routing & DNS The Internet
More informationA PKI For IDR Public Key Infrastructure and Number Resource Certification
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect
More informationDecentralized Internet Resource Trust Infrastructure
Decentralized Internet Resource Trust Infrastructure Bingyang Liu, Fei Yang, Marcelo Bagnulo, Zhiwei Yan, and Qiong Sun Huawei UC3M CNNIC China Telecom 1 Critical Internet Trust Infrastructures are Centralized
More informationSecuring BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC
Securing BGP: The current state of RPKI Geoff Huston Chief Scientist, APNIC Incidents What happens when I announce your addresses in BGP? All the traffic that used to go to you will now come to me I can
More informationSecuring Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO
Securing Core Internet Functions Resource Certification, RPKI Mark Kosters ARIN CTO Core Internet Functions: Routing & DNS The Internet relies on two critical resources DNS: Translates domain names to
More informationRPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting
RPKI Deployment Considerations: Problem Analysis and Alternative Solutions draft-lee-sidr-rpki-deployment-01 @IETF 95 SIDR meeting fuyu@cnnic.cn Background RPKI in China CNNIC deploy a platform to provide
More informationDeploying RPKI An Intro to the RPKI Infrastructure
Deploying RPKI An Intro to the RPKI Infrastructure VNIX-NOG 24 November 2016 Hanoi, Vietnam Issue Date: Revision: Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours)
More informationSecure Routing with RPKI. APNIC44 Security Workshop
Secure Routing with RPKI APNIC44 Security Workshop Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours) Pakistan Telecom announced YT block Google (AS15169) services
More informationMisdirection / Hijacking Incidents
Security Tutorial @ TWNOG SECURE ROUTING WITH RPKI 1 Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours) Pakistan Telecom announced YT block Google (AS15169) services
More informationInternet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!
Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil! Who is allowed to do what?! BGP (the Internet s inter-domain routing protocol) runs by rumor Participants assert reachability
More informationRobust Inter-Domain Routing
Establishing the Technical Basis for Trustworthy Networking Robust Inter-Domain Routing Addressing Systemic Vulnerabilities in BGP Doug Montgomery (dougm@nist.gov) Manager, Internet and Scalable Systems
More informationTowards Deployment of a Next- Generation Secure Internet Architecture
Towards Deployment of a Next- Generation Secure Internet Architecture Adrian Perrig Network Security Group, ETH Zürich http://www.scion-architecture.net 1 monumental structure stood the test of time &
More informationSCION: PKI Overview. Adrian Perrig Network Security Group, ETH Zürich
SCION: PKI Overview Adrian Perrig Network Security Group, ETH Zürich PKI Concepts: Brief Introduction PKI: Public-Key Infrastructure Purpose of PKI: enable authentication of an entity Various types of
More informationBGP Route Hijacking - What Can Be Done Today?
BGP Route Hijacking - What Can Be Done Today? Version 1.2 Barry Raveendran Greene Principle Architect Carrier, Enterprise & Security bgreene@akamai.com @Akamai BGP - the Core Protocol that Glues all of
More informationMCSE Server Infrastructure. This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams
MCSE Server Infrastructure This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams 1. MCSE: Server Infrastructure / Exam 70-413 (Designing and Implementing
More informationSecurity Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO
Security Overlays on Core Internet Protocols DNSSEC and RPKI Mark Kosters ARIN CTO Why are DNSSEC and RPKI Important Two critical resources DNS Routing Hard to tell if compromised From the user point of
More informationSecuring the Internet at the Exchange Point Fernando M. V. Ramos
Securing the Internet at the Exchange Point Fernando M. V. Ramos 18.09.2017 Securing the Internet at the Exchange Point Fernando M. V. Ramos 18.09.2017 There are vulnerabilities in the Internet architecture
More informationRPKI and Internet Routing Security ~ The regional ISP operator view ~
RPKI and Internet Routing Security ~ The regional ISP operator view ~ APNIC 29/APRICOT 2010 NEC BIGLOBE, Ltd. (AS2518) Seiichi Kawamura 1 Agenda Routing practices of the regional ISP today How this may
More informationDraft Applicant Guidebook, v3
Draft Applicant Guidebook, v3 Module 5 Please note that this is a discussion draft only. Potential applicants should not rely on any of the proposed details of the new gtld program as the program remains
More informationFacilitating Secure Internet Infrastructure
Facilitating Secure Internet Infrastructure RIPE NCC http://www.ripe.net About the RIPE NCC RIPE Network Coordination Centre Bottom-up, self-regulated, membership association, notfor-profit Regional Internet
More informationSTANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange
STANDARD INFORMATION SHARING FORMATS Will Semple Head of Threat and Vulnerability Management New York Stock Exchange AGENDA Information Sharing from the Practitioner s view Changing the focus from Risk
More informationBGP Origin Validation
BGP Origin Validation ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated
More informationCourse Outline 20742B
Course Outline 20742B Module 1: Installing and configuring domain controllers This module describes the features of AD DS and how to install domain controllers (DCs). It also covers the considerations
More informationJumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira
Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira Prefix hijacking Victim Path: 111 AS X AS 111 Boston University BGP Ad. AS 666 Data flow 2 Prefix
More informationResource Certification
Resource Certification CISSP, science group manager RIPE NCC robert@ripe.net 1 Contents Motivation for Resource Certification (RPKI) Architecture overview Participating in RPKI Most importantly: use cases
More informationSome Thoughts on Integrity in Routing
Some Thoughts on Integrity in Routing Geoff Huston Chief Scientist, APNIC What we want We want the routing system to advertise the correct reachability information for legitimately connected prefixes at
More informationRPKI. Resource Pubic Key Infrastructure
RPKI Resource Pubic Key Infrastructure Purpose of RPKI RPKI replaces IRR or lives side by side? Side by side: different advantages Security, almost real time, simple interface: RPKI Purpose of RPKI Is
More informationSecurity Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO
Security Overlays on Core Internet Protocols DNSSEC and RPKI Mark Kosters ARIN CTO Why are DNSSEC and RPKI Important Two critical resources DNS Routing Hard to tell if compromised From the user point of
More informationThe Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Presented By: Kamalakar Kambhatla
The Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Venugopalan Ramasubramanian Emin Gün Sirer Presented By: Kamalakar Kambhatla * Slides adapted from the paper -
More informationMadison, Wisconsin 9 September14
1 Madison, Wisconsin 9 September14 2 Security Overlays on Core Internet Protocols DNSSEC and RPKI Mark Kosters ARIN Engineering 3 Why are DNSSEC and RPKI Important Two critical resources DNS Routing Hard
More informationConfiguring, Managing, and Maintaining Windows Server 2008 R2 Servers
Configuring, Managing, and Maintaining Windows Server 2008 R2 Servers Course 6419B - Five Days - Instructor-led - Hands on Introduction This five-day instructor-led course provides students with the knowledge
More informationCIRA DNSSEC PRACTICE STATEMENT
CIRA DNSSEC PRACTICE STATEMENT 1. Introduction This DNSSEC Practice Statement ( DPS ) is a statement of security practices and provisions made by the Canadian Internet Registration Authority (CIRA). These
More informationNetwork Security: Routing security. Aapo Kalliola T Network security Aalto University, Nov-Dec 2012
Network Security: Routing security Aapo Kalliola T-110.5241 Network security Aalto University, Nov-Dec 2012 Outline 1. Structure of internet 2. Routing basics 3. Security issues 4. Attack 5. Solutions
More informationMANRS Mutually Agreed Norms for Routing Security
27 March 2018 MANRS Mutually Agreed Norms for Routing Security Kevin Meynell meynell@isoc.org Presentation title Client name Internet Society 1992 2016 1 The Problem A Routing Security Overview 2 The Basics:
More informationSecuring BGP. Geoff Huston November 2007
Securing BGP Geoff Huston November 2007 Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions An Introduction to BGP Background to Internet Routing The routing architecture
More informationDNS Security and DNSSEC in the root zone Luzern, Switzerland February 2010
DNS Security and DNSSEC in the root zone Luzern, Switzerland February 2010 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers Recap DNS originally not designed with
More information6 March 2012
6 March 2012 richard.lamb@icann.org www.majorbank.se=? 1.2.3.4 Get page Login page Username / Password Account Data DNS Resolver ISP www.majorbank.se = 1.2.3.4 DNS Server webserver www @ 1.2.3.4 Majorbank
More informationConfiguring, Managing and Maintaining Windows Server 2008-based Servers (Course 6419)
Length: 5 Days About this Course This five-day instructor-led course provides students with the knowledge and skills that are required to manage accounts and resources, maintain server resources, monitor
More informationLEA Workshop. Champika Wijayatunga & George Kuo, APNIC Wellington, New Zealand 09, May, 2013
LEA Workshop Champika Wijayatunga & George Kuo, APNIC Wellington, New Zealand 09, May, 2013 Agenda Introduction to APNIC Know about APNIC Internet Policy Development How the Internet Policies are developed
More informationMicrosoft Configuring, Managing and Maintaining Windows Server 2008
1800 ULEARN (853 276) www.ddls.com.au Microsoft 6419 - Configuring, Managing and Maintaining Windows Server 2008 Length 5 days Price $4290.00 (inc GST) Overview This five-day instructor-led course provides
More informationDS TTL shortening experience in.jp
DS TTL shortening experience in.jp APRICOT2014 DNS Session 27 Feb 2014 Yoshiro YONEYA Copyright 2014 Japan Registry Services Co., Ltd. 1 What is DS? Establish a DNSSEC chain
More informationRPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:
RPKI Introduction APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By: 1 Content Why do we need RPKI What is RPKI How to deploy RPKI Configuration case Misdirection / Hijacking Incidents
More informationIn the Domain Name System s language, rcode 0 stands for: no error condition.
12/2017 SIMPLE, FAST, RESILIENT In the Domain Name System s language, rcode 0 stands for: no error condition. If a DNS server answers a query with this result code, the service is running properly. This
More informationInternet Engineering Task Force (IETF) Category: Informational ISSN: February 2012
Internet Engineering Task Force (IETF) G. Huston Request for Comments: 6483 G. Michaelson Category: Informational APNIC ISSN: 2070-1721 February 2012 Abstract Validation of Route Origination Using the
More informationInternet Engineering Task Force (IETF) Category: Informational ISSN: September 2017
Internet Engineering Task Force (IETF) Request for Comments: 8211 Category: Informational ISSN: 2070-1721 S. Kent BBN Technologies D. Ma ZDNS September 2017 Adverse Actions by a Certification Authority
More information(Towards) a Threshold Cryptographic Backend for DNSSEC
(Towards) a Threshold Cryptographic Backend for DNSSEC OARC 2011 Antonio Cansado acansado@niclabs.cl Pablo Sepúlveda psepulv@niclabs.cl Tomás Barros tbarros@niclabs.cl Victor Ramiro vramiro@niclabs.cl
More informationSecSpider: Distributed DNSSEC Monitoring and Key Learning
SecSpider: Distributed DNSSEC Monitoring and Key Learning Eric Osterweil UCLA Joint work with Dan Massey and Lixia Zhang Colorado State University & UCLA 1 Who is Deploying DNSSEC? Monitoring Started From
More informationDetecting Internet Traffic Interception based on Route Hijacking
Detecting Internet Traffic Interception based on Route Hijacking Alberto Dainotti alberto@caida.org Center for Applied Internet Data Analysis University of California, San Diego Joint work with: Pavlos
More informationProtecting Privacy: The Evolution of DNS Security
Protecting Privacy: The Evolution of DNS Security Burt Kaliski Senior Vice President and CTO, Verisign NSF Technology Transfer to Practice in Cyber Security Workshop November 4, 2015 Agenda DNS Overview
More informationM20742-Identity with Windows Server 2016
M20742-Identity with Windows Server 2016 Course Number: M20742 Category: Technical Microsoft Duration: 5 days Certification: 70-742 Overview This five-day instructor-led course teaches IT Pros how to deploy
More informationKeeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson
Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson olafur@cloudflare.com How long does it take to? Post a new selfie on Facebook and all your friends to be notified few seconds
More informationARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN
ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them
More informationAlgorithm for DNSSEC Trusted Key Rollover
Algorithm for DNSSEC Trusted Key Rollover Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, FRANCE {gilles.guette, bernard.cousin, david.fort}@irisa.fr Abstract.
More informationShifting Sands. PLNOG March Andrzej Wolski Training Department
Shifting Sands PLNOG March 2014 Andrzej Wolski Training Department RIPE NCC 2 Began operating in 1992 Not-for-profit membership organisation 10,000 members (Local Internet Registries) Neutral, Impartial,
More informationIdentity with Windows Server 2016
Identity with Windows Server 2016 Course 20742B - 5 Days - Instructor-led, Hands on Introduction This five-day instructor-led course teaches IT Pros how to deploy and configure Active Directory Domain
More informationRoot Zone DNSSEC KSK Rollover
Root Zone DNSSEC KSK Rollover 51 51 KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover The Root Zone DNSSEC Key
More informationMETHODOLOGY This program will be conducted with interactive lectures, PowerPoint presentations, discussions and practical exercises.
CENTER OF KNOWLEDGE, PATH TO SUCCESS Website: IDENTITY WITH WINDOWS SERVER 2016 Course 20742: 5 days; Instructor-Led INTRODUCTION This five-day instructor-led course teaches IT Pros how to deploy and configure
More informationRoute Security for Inter-domain Routing
Route Security for Inter-domain Routing Alvaro Retana (aretana@cisco.com) Distinguished Engineer, Cisco Services 3 This could happen to YOUR network 4 This could happen be happening to YOUR network 5 Agenda
More informationOne Namespace, Many Circles. Dr. Paul Vixie, CEO Farsight Security, Inc.
One Namespace, Many Circles Dr. Paul Vixie, CEO Farsight Security, Inc. DNS Works Only Because of Voluntary Cooperation Every Internet host chooses Recursive DNS servers Can either believe ISP settings,
More informationDNS and BGP. CS642: Computer Security. Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu. University of Wisconsin CS 642
DNS and BGP CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 DNS and BGP University of Wisconsin CS 642 128.105.5.31
More informationRTRlib. An Open-Source Library in C for RPKI-based Prefix Origin Validation. Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H.
RTRlib An Open-Source Library in C for RPKI-based Prefix Origin Validation Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H. Schiller m.waehlisch@fu-berlin.de schmidt@informatik.haw-hamburg.de
More informationDNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific
DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator
More informationThe ISP Column A column on various things Internet. Securing the Routing System at NANOG 74. A Legal Perspective. October 2018 Geoff Huston
The ISP Column A column on various things Internet October 2018 Geoff Huston Securing the Routing System at NANOG 74 The level of interest in the general topic of routing security seems to come in waves
More informationMicrosoft Certified Solutions Associate (MCSA)
Microsoft Certified Solutions Associate (MCSA) Installing and Configuring Windows Server 2012 (70-410) Module 1: Deploying and Managing Windows Server 2012 Windows Server 2012 Overview Overview of Windows
More informationThe RPKI and BGP Origin Validation
The RPKI and BGP Origin Validation APRICOT / New Delhi 2012.02.27 Randy Bush Rob Austein Steve Bellovin And a cast of thousands! Well, dozens :) 2012.02.27
More informationNetwork Security - ISA 656 Routing Security
Network Security - ISA 656 Angelos Stavrou December 4, 2007 What is? What is Routing Security? History of Routing Security Why So Little Work? How is it Different? The Enemy s Goal? Bad guys play games
More informationDNSSEC for the Root Zone. NZNOG Hamilton, NZ January 2010
DNSSEC for the Root Zone NZNOG Hamilton, NZ January 2010 Joe Abley, ICANN This design is the result of a cooperation between ICANN & VeriSign with support from the U.S. DoC NTIA Design Design Requirements
More informationAuto-Detecting Hijacked Prefixes?
Auto-Detecting Hijacked Prefixes? Geoff Huston APNIC @RIPE 50 May 2005 1 Address Hijacking Is the unauthorized use of an address prefix as an advertised route object on the Internet It s not a bogon the
More informationIdentity with Windows Server 2016
Identity with Windows Server 2016 20742B; 5 days, Instructor-led Course Description This five-day instructor-led course teaches IT Pros how to deploy and configure Active Directory Domain Services (AD
More information6to4 Reverse DNS Delegation
NRO Document G. Huston APNIC August 18, 2004 6to4 Reverse DNS Delegation Abstract This memo describes a potential mechanism for entering a description of DNS servers which provide "reverse lookup" of 6to4
More informationDNS Security. Wolfgang Nagele DNS Group Manager
DNS Security Wolfgang Nagele DNS Group Manager DNS: the Domain Name System Specified by Paul Mockapetris in 1983 Distributed Hierarchical Database Main purpose: Translate names to IP addresses Since then:
More informationHoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client
More informationMAGPI: Advanced Services IPv6, Multicast, DNSSEC
MAGPI: Advanced Services IPv6, Multicast, DNSSEC Shumon Huque MAGPI GigaPoP & Univ. of Pennsylvania MAGPI Technical Meeting April 19th 2006, Philadelphia, PA 1 Outline A description of advanced services
More informationSome DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007
Some DNSSEC thoughts DNSOPS.JP BOF Interop Japan 2007 Geoff Huston Chief Scientist, APNIC June 2007 The DNS is a miracle! You send out a question into the net And an answer comes back! Somehow But WHO
More informationCOURSE OUTLINE. COURSE OBJECTIVES After completing this course, students will be able to: 1 - INSTALLING & CONFIGURING DCS
20742 Identity with Windows Server 2016 This course teaches IT Pros how to deploy and configure Active Directory Domain Services in a distributed environment, how to implement Group Policy, how to perform
More informationNetwork Working Group. Category: Informational SPARTA, Inc. S. Crocker Shinkuro Inc. S. Krishnaswamy SPARTA, Inc. August 2007
Network Working Group Request for Comments: 4986 Category: Informational H. Eland Afilias Limited R. Mundy SPARTA, Inc. S. Crocker Shinkuro Inc. S. Krishnaswamy SPARTA, Inc. August 2007 Requirements Related
More informationSecuring Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO
Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN Mark Kosters CTO What is RPKI? Resource Public Key Infrastructure Attaches digital certificates to network resources AS Numbers
More informationISP 1 AS 1 Prefix P peer ISP 2 AS 2 Route leak (P) propagates Prefix P update Route update P Route leak (P) to upstream 2 AS 3 Customer BGP Update messages Route update A ISP A Prefix A ISP B B leaks
More informationSCION: A Secure Multipath Interdomain Routing Architecture. Adrian Perrig Network Security Group, ETH Zürich
SCION: A Secure Multipath Interdomain Routing Architecture Adrian Perrig Network Security Group, ETH Zürich SCION: Next-generation Internet Architecture Path-aware networking: sender knows packet s path
More informationSENSS: Software-defined Security Service
SENSS: Software-defined Security Service Minlan Yu University of Southern California Joint work with Abdulla Alwabel, Ying Zhang, Jelena Mirkovic 1 Growing DDoS Attacks Average monthly size of DDoS attacks
More informationSecure Inter-domain Routing with RPKI
Secure Inter-domain Routing with RPKI Srinivas (Sunny) Chendi VNIX-NOG 2018, Da Nang sunny@apnic.net Xin chào và chào buổi sáng 1 3 4 What is the fundamental Problem? An underlying problem in routing
More informationDNS and BGP. CS642: Computer Security. Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu. University of Wisconsin CS 642
DNS and BGP CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 Announcements HW2 should be posted tonight Check the web
More informationAlberto Dainotti
HI-Cube / HI 3 Hub for Internet Incidents Investigation Alberto Dainotti alberto@caida.org Center for Applied Internet Data Analysis University of California, San Diego LARGE-SCALE INCIDENTS a threat to
More informationOverview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies
Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies Presentation Outline The BGP security problem RPKI overiew Address & AS number allocation system Certificates
More informationUpdate on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008
Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008 Address and Routing Security What we have had for many years is a relatively insecure interdomain routing system
More informationNetwork Security Part 3 Domain Name System
Network Security Part 3 Domain Name System Domain Name System The$domain$name$system$(DNS)$is$an$applica6on7layer$ protocol$$for$mapping$domain$names$to$ip$addresses$ DNS www.example.com 208.77.188.166
More informationDNSSEC for the Root Zone. ICANN 37 Nairobi March 2010
DNSSEC for the Root Zone ICANN 37 Nairobi March 2010 Kim Davies, ICANN This design is the result of a cooperation between ICANN & VeriSign with support from the U.S. DoC NTIA Design Design Requirements
More informationA Root DNS Server. Akira Kato. Brief Overview of M-Root. WIDE Project
A Root DNS Server Akira Kato WIDE Project kato@wide.ad.jp Brief Overview of M-Root Assumes basic knowledge on DNS Dr. Tatsuya Jinmei has introduced in Nov 19, 2004 What s Root Servers? Start point of the
More informationRe-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist
Re-engineering the DNS One Resolver at a Time Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist 1 In this presentation I ll talk about the DNS, and the root server infrastructure
More informationRouting Support for Wide Area Network Mobility. Z. Morley Mao Associate Professor Computer Science and Engineering University of Michigan
Routing Support for Wide Area Network Mobility Z. Morley Mao Associate Professor Computer Science and Engineering University of Michigan 1 Outline Introduction Inter-AS Mobility Support Intra-AS Mobility
More informationUnderstanding BGP Miscounfiguration
Understanding Archana P Student of Department of Electrical & Computer Engineering Missouri University of Science and Technology appgqb@mst.edu 16 Feb 2017 Introduction Background Misconfiguration Outline
More informationMANRS. Mutually Agreed Norms for Routing Security. Jan Žorž
MANRS Mutually Agreed Norms for Routing Security Jan Žorž The Problem A Routing Security Overview 2 No Day Without an Incident http://bgpstream.com/ 3 Routing Incidents Cause Real World
More informationTen Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier
Presented by Joshua Schiffman & Archana Viswanath Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier Trust Models Rooted Trust Model! In a
More information