Towards Secure Name Resolution on the Internet
|
|
- Tiffany Gabriella Owens
- 6 years ago
- Views:
Transcription
1 Towards Secure Name Resolution on the Internet C. Grothoff M. Wachs M. Ermert J. Appelbaum The Domain Name System is the Achilles heel of the Web. Tim Berners-Lee
2 Security Goals for Name Systems Query origin anonymity Data origin authentication and integrity protection Zone confidentiality Query and response privacy Censorship resistance Availability, DDoS-resistance 2 / 17
3 Exemplary Attacks: MORECOWBELL 3 / 17
4 Exemplary Attacks: QUANTUMDNS 4 / 17
5 DNSSEC Root Zone a.root-servers.net. Stub Resolver A RRSIG example.com. K0rp9n... AD DNSSEC Trust Anchor 49AAC1... Recursive Name Server NS a.gtld-servers.net.test DS E2D3C9... RRSIG. S4LXnQiBS... NS a.gtld-servers.net.test DS 3490A6... RRSIG com. U/ZW6P3c....com a.gtld-servers.net. A RRSIG example.com. K0rp9n... example.com a.iana-servers.net. 5 / 17
6 Query Name Minimization Stub Resolver A Recursive Name Server NS com? NS a.gtld-servers.net. NS example.com? NS a.iana-servers.net. Root Zone a.root-servers.net..com a.gtld-servers.net A example.com a.iana-servers.net 6 / 17
7 DNS over TLS Stub Resolver A Recursive Name Server NS a.gtld-servers.net. NS a.iana-servers.net. Root Zone a.root-servers.net..com a.gtld-servers.net. A example.com a.iana-servers.net. 7 / 17
8 The Textbook Version of the Internet Layering, 1990 HTTPS DNS TLS UDP TCP IPv4 Ethernet Phys. Layer 8 / 17
9 The Textbook Version of the Internet Layering, 1990 Layering, 2020 HTTPS DNS TLS UDP TCP IPv4 Ethernet Phys. Layer HTTPS TLS-with-DANE DNS-over-TLS TLS TCP IPv6 Ethernet Phys. Layer libmicrohttpd libgnutls libunbound libnss Linux Linux = castrated version without RFC 6125 or RFC 6394, possibly NULL cipher, see TLS profiles draft. 8 / 17
10 DNSCurve DNSCurve Cache Public Key P c Private Key S c NS a.gtld-servers.net. NS uz5...hyw.iana-servers.net. Root Zone a.root-servers.net..com a.gtld-servers.net. Pc, N, E () N, E (A ) DNSCurve Server example.com uz5...hyw.iana-servers.net. 9 / 17
11 Confidential DNS Stub Resolver A Recursive Name Server ENCRYPT.? ENCRYPT P ENCRYPT. EP ( K)? ENCRYPT EK (A ) example.com a.iana-servers.net. 10 / 17
12 Namecoin Namecoin Client Local Copy of Block Chain Append registration to block chain Get copy of block chain P2P Network Block Chain 11 / 17
13 The GNU Name System (GNS) Bob s NSS.gnu = Pbob A Bob s GNS Service Pbob zone database carol PKEY Pcarol www A PUT (H(carol, Pbob), E(PKEY Pcarol)) PUT (H(www, Pbob), E(A )) Carols s GNS Service Pcarol zone database www A PUT (H(www, Pcarol), E(A )) GET (H(carol, Pbob)) DHT E (PKEY Pcarol) GET (H(www, Pcarol)) E (A ) P2P Network Alice s NSS.gnu = Palice A Alice s GNS Service A Palice zone database bob PKEY Pbob www A / 17
14 GNS and Query Privacy: Terminology G generator in ECC curve, a point n size of ECC group, n := G, n prime x private ECC key of zone (x Z n ) P public key of zone, a point P := xg l label for record in a zone (l Z n ) R P,l q P,l B P,l set of records for label l in zone P query hash (hash code for DHT lookup) block with encrypted information for label l in zone P published in the DHT under q P,l 13 / 17
15 GNS and Query Privacy: Cryptography Publishing records R P,l as B P,l under key q P,l h : = H(l, P) (1) d : = h x mod n (2) B P,l : = S d (E HKDF (l,p) (R P,l )), dg (3) q P,l : = H(dG) (4) 14 / 17
16 GNS and Query Privacy: Cryptography Publishing records R P,l as B P,l under key q P,l h : = H(l, P) (1) d : = h x mod n (2) B P,l : = S d (E HKDF (l,p) (R P,l )), dg (3) q P,l : = H(dG) (4) Searching for records under label l in zone P h : = H(l, P) (5) q P,l : = H(hP) = H(hxG) = H(dG) obtain B P,l (6) R P,l = D HKDF (l,p) (B P,l ) (7) 14 / 17
17 Summary Protection against Ease of Manipulation Zone Client observation Traffic Censorship / Migration / by MiTM walk network operator Amplifi. Legal attacks Compatibility DNS +++ DNSSEC failed +/- + DNSCurve + DNS-over-TLS n/a + Conf. DNS n/a ++ Namecoin - GNS - - EDNS0 15 / 17
18 Conclusion Query name minimization is low-cost, low-benefit approach, but should clearly be done Simple encryption schemes offer medium-cost, medium-benefit approach NameCoin does not help with privacy at all GNU Name System performance depends on the DHT need to invest more in DHT design & implementation 16 / 17
19 Do you have any questions? Yves Eudes, Christian Grothoff, Jacob Appelbaum, Monika Ermert, Laura Poitras, Matthias Wachs: MoreCowBell, nouvelles révélations sur les pratiques de la NSA. Le Monde, Nathan Evans and Christian Grothoff. R 5 N. Randomized Recursive Routing for Restricted-Route Networks. 5th International Conference on Network and System Security, Matthias Wachs, Martin Schanzenbach and Christian Grothoff. A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System. 13th International Conference on Cryptology and Network Security, / 17
The GNU Name System: A Public Key Infrastructure for Social Movements in the Age of Universal Surveillance
The GNU Name System: A Public Key Infrastructure for Social Movements in the Age of Universal Surveillance Christian Grothoff The GNUnet Project 28.04.2017 Never doubt your ability to change the world.
More informationSecure Name Resolution
Secure Name Resolution Christian Grothoff Berner Fachhochschule 10.11.2017 The Domain Name System is the Achilles heel of the Web. Tim Berners-Lee Background: Efficient Set Union (based on What s the difference?
More informationThe GNU name system. Christian Grothoff Inria Rennes Bretagne Atlantique
The GNU name system Christian Grothoff Inria Rennes Bretagne Atlantique 11.7.2016 The Domain Name System is the Achilles heel of the Web. Tim Berners-Lee Trouble at the root ICANN asserts cctlds are not
More informationThe GNU Name System and the Future of Social Networking with GNUnet
The GNU Name System and the Future of Social Networking with GNUnet Christian Grothoff Technische Universität München 24.08.2013 Never doubt your ability to change the world. Glenn Greenwald Cyberwar Presidential
More informationComponents for Building Secure Decentralized Networks
Components for Building Secure Decentralized Networks Christian Grothoff Technische Universität München 26.11.2013 Never doubt your ability to change the world. Glenn Greenwald Where We Are Where We Are
More informationOrdinary DNS: A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver
Ordinary DNS: www.google.com A? com. NS a.gtld-servers.net a.gtld-servers.net A 192.5.6.30 k.root-servers.net Ordinary DNS: www.google.com A? com. NS a.gtld-servers.net a.gtld-servers.net A 192.5.6.30
More informationRSA and ECDSA. Geoff Huston APNIC. #apricot2017
RSA and ECDSA Geoff Huston APNIC It s all about Cryptography Why use Cryptography? Public key cryptography can be used in a number of ways: protecting a session from third party eavesdroppers Encryption
More informationAn Overview of DNSSEC. Cesar Diaz! lacnic.net!
An Overview of DNSSEC Cesar Diaz! cesar@ lacnic.net! 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that
More informationThe Importance of Being an Earnest stub
The Importance of Being an Earnest Challenges and solution for the versatile Willem Toorop 13 May 2017 OARC 26 (Madrid) From the ground-up security et n A rc a -o s 98 n 1 d 910 1 4 6 Recursive dns-oarc
More informationDNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d
DNSSEC Trust tree: www.dnslab.org. (A) ---dnslab.org. (DNSKEY keytag: 7308 alg ---dnslab.org. (DNSKEY keytag: 9247 ---dnslab.org. (DS keytag: 9247 dig DNSSEC ---org. (DNSKEY keytag: 24209 a Domain Name
More informationDNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS
More informationRoot Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail
What is DNS? Systems to convert domain names into ip addresses: For an instance; www.tashicell.com 118.103.136.66 Reverse: 118.103.136.66 www.tashicell.com DNS Hierarchy Root Servers The top of the DNS
More informationIntroduction. Overview of Tor. How Tor works. Drawback of Tor s directory server Potential solution. What is Tor? Why use Tor?
Introduction 1 Overview of Tor What is Tor? Why use Tor? How Tor works Encryption, Circuit Building, Directory Server Drawback of Tor s directory server Potential solution Using DNS Security Extension
More informationDNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION
DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION Peter R. Egli 1/10 Contents 1. Security Problems of DNS 2. Solutions for securing DNS 3. Security with DNSSEC
More informationDNS & Iodine. Christian Grothoff.
DNS & Iodine christian@grothoff.org http://grothoff.org/christian/ The Domain Name System is the Achilles heel of the Web. Tim Berners-Lee 1 DNS: Domain Name System Unique Distributed Database Application-layer
More informationROOT SERVERS MANAGEMENT AND SECURITY
ROOT SERVERS MANAGEMENT AND SECURITY WSIS African regional meeting 01/29/05 ALAIN PATRICK AINA aalain@trstech.net What is DNS(1)? Addresses are used to locate objects Names are easier to remember than
More informationWhen HTTPS Meets CDN: A Case of Authentication in Delegated Services. J. Liang, J. Jiang, H. Duan, K. Li, T. Wan, J. Wu
When HTTPS Meets CDN: A Case of Authentication in Delegated Services J. Liang, J. Jiang, H. Duan, K. Li, T. Wan, J. Wu Problem statement: TLS, an End-to-End Protocol 2 Problem Statement: End-to-End Protocol
More informationDomain Name System (DNS)
Domain Name System (DNS) Computer Networks Lecture 9 http://goo.gl/pze5o8 Domain Name System Naming service used in the Internet Accomplishes mapping of logical ("domain") names to IP addresses (and other
More informationTable of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.
Table of Contents DNS security basics The basics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.3, 2013/09/13 11:46:36) Tuesday, Sep 17, 2013 Why DNS needs to
More informationComputer Security CS 426
Computer Security CS 426 Lecture 34 DNS Security 1 Domain Name System Translate host names to IP addresses E.g., www.google.com 74.125.91.103 Hostnames are human-friendly IP addresses keep changing And
More informationDENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber
DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber (ralf.weber@nominum.com) Who is Nominum? Mission Product Leadership Industry Expertise Deliver the Trusted Internet Experience Strategic Partners:
More informationHands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016
Hands-on DNSSEC with DNSViz Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016 Preparation Demo and exercises available at: http://dnsviz.net/demo/ Includes links to the following: VirtualBox
More informationIntroduction to the DANE Protocol And Updates From IETF 88
Introduction to the DANE Protocol And Updates From IETF 88 Dan York, Senior Content Strategist Internet Society ICANN 48, Buenos Aires, Argentina November 20, 2013 A Quick Overview of DANE www.internetsociety.org
More informationMore on DNS and DNSSEC
More on DNS and DNSSEC CS 161: Computer Security Prof. Raluca Ada Popa March 6, 2018 A subset of the slides adapted from David Wagner Domain names Domain names are human friendly names to identify servers
More informationSecurity Impact of DNS Delegation Structure and Configuration Problems
Universität Stuttgart INSTITUT FÜR NACHRICHTENVERMITTLUNG UND DATENVERARBEITUNG Prof. Dr.-Ing. Dr. h. c. mult. P. J. Kühn INSTITUT FÜR KOMMUNIKATIONSNETZE UND RECHNERSYSTEME Prof. Dr.-Ing. Dr. h. c. mult.
More informationHow to get a trustworthy DNS Privacy enabling recursive resolver
How to get a trustworthy DNS an analysis of authentication mechanisms for DNS s Willem Toorop NLnet Labs (presenter) Melinda Shore Fastly Benno Overeinder NLnet Labs DNS over TLS What are the actors, and
More informationThe Performance of ECC Algorithms in DNSSEC: A Model-based Approach
Master Thesis The Performance of ECC Algorithms in DNSSEC: A Model-based Approach Faculty: Group: Electrical Engineering, Mathematics and Computer Science Design and Analysis of Communication Systems Author
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationI certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?
RRSIG: I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist? NSEC: I certify that there are no DNS records (of type X) whose record
More informationSome Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution
SYSADMIN DNSSEC Sergey Ilin, Fotolia Trusted name resolution with DNSSEC CHAIN OF TRUST Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution service.
More informationProtecting Privacy: The Evolution of DNS Security
Protecting Privacy: The Evolution of DNS Security Burt Kaliski Senior Vice President and CTO, Verisign NSF Technology Transfer to Practice in Cyber Security Workshop November 4, 2015 Agenda DNS Overview
More informationA Security Evaluation of DNSSEC with NSEC Review
A Security Evaluation of DNSSEC with NSEC Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka November 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationRe-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist
Re-engineering the DNS One Resolver at a Time Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist 1 In this presentation I ll talk about the DNS, and the root server infrastructure
More informationIntroduction to the DANE Protocol
Introduction to the DANE Protocol ICANN 46 April 10, 2013 Internet Society Deploy360 Programme Providing real-world deployment info for IPv6, DNSSEC and other Internet technologies: Case Studies Tutorials
More informationSecSpider: Distributed DNSSEC Monitoring and Key Learning
SecSpider: Distributed DNSSEC Monitoring and Key Learning Eric Osterweil UCLA Joint work with Dan Massey and Lixia Zhang Colorado State University & UCLA 1 Who is Deploying DNSSEC? Monitoring Started From
More informationCS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017
CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017 Background Motivation Overview Network Infrastructure Security DNS and DNS Vulnerabilities The DNS Security Extensions
More informationLess is More Cipher-Suite Negotiation for DNSSEC
Less is More Cipher-Suite Negotiation for DNSSEC Amir Herzberg Bar-Ilan University Haya Shulman Technische Universität Darmstadt Bruno Crispo Trento University Domain Name System (DNS) Lookup services
More information3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,
3. The DNSSEC Primer Authentication (keys, signatures) Data Integrity (hashes) Chain of Trust (root zone, when signed) Authenticated Denial of Existence (NSEC, NSEC3) DNS Authoritative ROOT SERVERS TLD
More informationPersonalized Pseudonyms for Servers in the Cloud. Qiuyu Xiao (UNC-Chapel Hill) Michael K. Reiter (UNC-Chapel Hill) Yinqian Zhang (Ohio State Univ.
Personalized Pseudonyms for Servers in the Cloud Qiuyu Xiao (UNC-Chapel Hill) Michael K. Reiter (UNC-Chapel Hill) Yinqian Zhang (Ohio State Univ.) Background Server s identity is not well protected with
More informationCS 470 Spring Distributed Web and File Systems. Mike Lam, Professor. Content taken from the following:
CS 470 Spring 2017 Mike Lam, Professor Distributed Web and File Systems Content taken from the following: "Distributed Systems: Principles and Paradigms" by Andrew S. Tanenbaum and Maarten Van Steen (Chapters
More informationDNSSEC All You Need To Know To Get Started
DNSSEC All You Need To Know To Get Started Olaf M. Kolkman RIPE NCC A Semi Technical Introduction Why do we need DNSSEC What does DNSSEC provide How does DNSSEC work Question: www.ripe.net A Reminder:
More informationTable of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification
Table of Contents DNS security Karst Koymans Informatics Institute University of Amsterdam (version 1.19, 2011/09/27 14:18:11) Friday, September 23, 2011 The long (and winding) road to the DNSSEC specification
More informationDNS Security DNSSEC. *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi
DNS Security DNSSEC *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html 1 IT352 Network Security Najwa AlGhamdi Introduction DNSSEC is a security extensions to the DNS protocol in response to the
More informationCS 470 Spring Distributed Web and File Systems. Mike Lam, Professor. Content taken from the following:
CS 470 Spring 2018 Mike Lam, Professor Distributed Web and File Systems Content taken from the following: "Distributed Systems: Principles and Paradigms" by Andrew S. Tanenbaum and Maarten Van Steen (Chapters
More informationInternet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017
Internet Engineering Task Force (IETF) Request for Comments: 8109 BCP: 209 Category: Best Current Practice ISSN: 2070-1721 P. Koch DENIC eg M. Larson P. Hoffman ICANN March 2017 Initializing a DNS Resolver
More informationDNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet
DNSSEC operational experiences and recommendations Antti Ristimäki, CSC/Funet Agenda Funet DNSSEC status A short DNSSEC tutorial Zone signing considerations Private key security Network layer impacts Monitoring
More informationAdvanced Caching DNS Server
This chapter explains how to set the Caching DNS parameters for the advanced features of the server. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which
More informationDNS Privacy Clients. Stubby, Mobile apps and beyond! dnsprivacy.org
DNS Privacy Clients Stubby, Mobile apps and beyond! dnsprivacy.org Sara Dickinson Allison Mankin Willem Toorop sara@sinodun.com amankin@salesforce.com willem@nlnetlabs.com OARC 27 San Jose, Sep 2017 Overview
More informationDNS Fundamentals. Steve Conte ICANN60 October 2017
DNS Fundamentals Steve Conte ICANN60 October 2017 Names and Numbers IP addresses easy for machines but hard for people IPv4: 192.0.2.7 IPv6: 2001:db8::7 People need to use names In the early days of the
More informationApplications & Application-Layer Protocols: The Domain Name System and Peerto-Peer
CPSC 360 Network Programming Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer Systems Michele Weigle Department of Computer Science Clemson University mweigle@cs.clemson.edu
More informationDNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr
DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. naptr 1 A protocol from better times An ancient protocol People were friendly and
More informationDNS Mark Kosters Carlos Martínez ARIN - LACNIC
DNS Workshop @CaribNOG8 Mark Kosters Carlos Martínez ARIN - LACNIC DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity
More informationDomain Name System Security
Domain Name System Security T-110.4100 Tietokoneverkot October 2008 Bengt Sahlin 2008/10/02 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security
More informationExpires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004
DNS Extensions Internet-Draft Expires: November 15, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004 Protocol Modifications for the DNS
More informationNetwork Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015
Network Security DNS (In)security Radboud University, The Netherlands Autumn 2015 A short recap Routing means directing (Internet) traffic to its target Internet is divided into 52, 000 Autonomous Systems
More informationOverview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly
Last Lecture Overview Scheduled tasks and log management This Lecture DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly Next Lecture Address assignment (DHCP) TELE 301 Lecture 11: DNS 1 TELE
More informationCNAME-based Redirection Design Notes
CNAME-based Redirection Design Notes When we configure a redirect type of local-zone or access-control action, we might want to specify a CNAME as the action data, whose canonical name is managed by an
More informationA survey of the peer to peer based DNS system
A survey of the peer to peer based DNS system Who am I? Data Analyst @ Dyn Keeper of dogs Lover of Internet Hater of Ne er do wells The Year of The Crypto Currency I swear I m not making this up Proof
More informationBIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium
BIND-USERS and Other Debugging Experiences Mark Andrews Internet Systems Consortium Mark_Andrews@isc.org http://isc.org BIND-USERS and Other Debugging Experiences We will look at some typical debugging
More information6 March 2012
6 March 2012 richard.lamb@icann.org www.majorbank.se=? 1.2.3.4 Get page Login page Username / Password Account Data DNS Resolver ISP www.majorbank.se = 1.2.3.4 DNS Server webserver www @ 1.2.3.4 Majorbank
More informationDNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO
DNS Workshop @CaribNOG12 Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and
More informationUsing EAP-TLS with TLS 1.3 draft-mattsson-eap-tls IETF 101, EMU, MAR John Mattsson, MOHIT sethi
Using EAP-TLS with TLS 1.3 draft-mattsson-eap-tls13-02 IETF 101, EMU, MAR 19 2018 John Mattsson, MOHIT sethi draft-mattsson-eap-tls13 EAP-TLS is widely supported for authentication in Wi-Fi. EAP-TLS is
More informationExpires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003
DNS Extensions Internet-Draft Expires: June 16, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003 Protocol Modifications for the DNS
More informationNetwork Working Group
Network Working Group R. Arends Request for Comments: 4035 Telematica Instituut Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658, R. Austein 3755, 3757, 3845 ISC Updates: 1034, 1035, 2136, 2181, 2308, 3225,
More informationAlgorithm for DNSSEC Trusted Key Rollover
Algorithm for DNSSEC Trusted Key Rollover Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, FRANCE {gilles.guette, bernard.cousin, david.fort}@irisa.fr Abstract.
More informationDomain Name System (DNS)
CPSC 360 - Network Programming Domain Name System (DNS) Michele Weigle Department of Computer Science Clemson University mweigle@cs.clemson.edu April 15, 2005 http://www.cs.clemson.edu/~mweigle/courses/cpsc360
More informationToward Unspoofable Network Identifiers. CS 585 Fall 2009
Toward Unspoofable Network Identifiers CS 585 Fall 2009 The Problem DNS Spoofing Attacks (e.g., Kaminsky) At link (Ethernet) and IP layers, either: Software sets the source address in the packet, or Software
More informationA Root DNS Server. Akira Kato. Brief Overview of M-Root. WIDE Project
A Root DNS Server Akira Kato WIDE Project kato@wide.ad.jp Brief Overview of M-Root Assumes basic knowledge on DNS Dr. Tatsuya Jinmei has introduced in Nov 19, 2004 What s Root Servers? Start point of the
More informationDNS Privacy. EDU Tutorial dnsprivacy.org. Sara Dickinson Sinodun
DNS Privacy EDU Tutorial dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com IETF 99 Prague, July 2017 Overview The problem: Why Internet privacy and DNS Privacy are important (DNS leakage) Recent Progress:
More informationDNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific
DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator
More informationEncryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls Overview Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message
More informationDomain Name System Security
Domain Name System Security T-110.4100 Tietokoneverkot September 2010 Bengt Sahlin 2011/09/27 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security
More informationInternet Engineering Task Force (IETF) Request for Comments: 7706 Category: Informational ISSN: November 2015
Internet Engineering Task Force (IETF) Request for Comments: 7706 Category: Informational ISSN: 2070-1721 W. Kumari Google P. Hoffman ICANN November 2015 Decreasing Access Time to Root Servers by Running
More informationCSC 574 Computer and Network Security. DNS Security
CSC 574 Computer and Network Security DNS Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) A primer on routing Routing Problem: How do Alice s messages
More informationOSI Session / presentation / application Layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)
OSI Session / presentation / application Layer Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 1 Higher level protocols On top of IP, TCP, UDP, etc. there are a plethora
More informationRolling the Root Zone DNSSEC Key Signing Key Edward Lewis AFRINIC25 November 2016
Rolling the Root Zone DNSSEC Key Signing Key Edward Lewis AFRINIC25 November 2016 edward.lewis@icann.org 1 Motivation for this talk ICANN is about to change an important configuration parameter in DNSSEC
More informationNetwork Security. DNS (In)security. Radboud University, The Netherlands. Spring 2017
Network Security DNS (In)security Radboud University, The Netherlands Spring 2017 Security in Times of Surveillance No lecture on May 29 Use the opportunity and register for Security in Times of Surveillance
More informationDistributed Systems. Fall 2017 Exam 3 Review. Paul Krzyzanowski. Rutgers University. Fall 2017
Distributed Systems Fall 2017 Exam 3 Review Paul Krzyzanowski Rutgers University Fall 2017 December 11, 2017 CS 417 2017 Paul Krzyzanowski 1 Question 1 The core task of the user s map function within a
More informationSome DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007
Some DNSSEC thoughts DNSOPS.JP BOF Interop Japan 2007 Geoff Huston Chief Scientist, APNIC June 2007 The DNS is a miracle! You send out a question into the net And an answer comes back! Somehow But WHO
More informationDomain Name System Security
Slide title 70 pt APITALS Domain Name System Security e subtitle um 30 pt Bengt Sahlin Ericsson Research NomadicLab Bengt.Sahlin@ericsson.com Objectives Provide DNS basics, essential for understanding
More informationICS 351: Today's plan. DNS WiFi
ICS 351: Today's plan DNS WiFi Domain Name System Hierarchical system of names top-level domain names include.edu,.org,.com,.net, and many country top-level domains root is just "." so the fully qualified
More informationHoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client
More informationWeb Security. Mahalingam Ramkumar
Web Security Mahalingam Ramkumar Web Security Abusing cookies Phishing, Spreading misinformation You are not seeing what you think you are! HREFs, Ill-constructed strings in HREFs Dynamic HTML, Scripting
More informationTesting IPv6 address records in the DNS root
Testing IPv6 address records in the DNS root February 2007 Geoff Huston Chief Scientist APNIC Priming a DNS name server 1. Take the provided root hints file 2. Generate a DNS query for resource records
More informationDANE Demonstration! Duane Wessels, Verisign! ICANN 49 DNSSEC Workshop! March 26, 2014!
DANE Demonstration! Duane Wessels, Verisign! ICANN 49 DNSSEC Workshop! March 26, 2014! Outline! What is DANE?! The TLSA Record! TLSA Browser Plugin! Generating the TLSA Record! Other uses for DANE! 2!
More informationOn the Internet, nobody knows you re a dog.
On the Internet, nobody knows you re a dog. THREATS TO DISTRIBUTED APPLICATIONS 1 Jane Q. Public Big Bank client s How do I know I am connecting to my bank? server s Maybe an attacker...... sends you phishing
More informationDNS SECurity Extensions technical overview
The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research developed by EURid in cooperation with industry experts
More informationDNS Privacy - Implementation and Deployment Status
DNS Privacy - Implementation and Deployment Status Sara Dickinson Sinodun Allison Mankin Salesforce IEPG@IETF96 Berlin, July 2016 DNS Privacy - Background RFC 7558 - Pervasive Monitoring is an Attack DPRIVE
More informationWhat s Happening at the IETF & IRTF? Human Rights Protocol Considerations and how to get involved
18 September 2017 What s Happening at the IETF & IRTF? Human Rights Protocol Considerations and how to get involved Salam Yamout Middle East Bureau Director meynell@isoc.org Presentation title Client name
More informationDNSSEC KSK-2010 Trust Anchor Signal Analysis
DNSSEC KSK-2010 Trust Anchor Signal Analysis MAPRG @ IETF102 1 Overview Background: DNSSEC KSK rollover and plan Problems with the KSK rollover Case study analysis: difficulty in identifying old Trust
More informationAssessing and Improving the Quality of DNSSEC
Assessing and Improving the Quality of DNSSEC Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia
More informationThe Internet is Broken: Idealistic Ideas for Building a NEWGNU Network. Christian Grothoff Bartlomiej Polot Carlo von Loesch. The GNUnet Project
The Internet is Broken: Idealistic Ideas for Building a NEWGNU Network Christian Grothoff Bartlomiej Polot Carlo von Loesch 1 Introduction The GNUnet Project The Internet is broken, by design. Recent revelations
More informationDNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam
DNS security Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Tuesday, September 18, 2012 Karst Koymans & Niels Sijm (UvA) DNS security Tuesday, September 18, 2012 1 / 38 1 Chain
More informationF5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution
F5 Technical Brief F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution As market leaders in the application delivery market and DNS, DHCP, and IP Address Management
More informationNetwork Working Group Request for Comments: Category: Best Current Practice October 2008
Network Working Group Request for Comments: 5358 BCP: 140 Category: Best Current Practice J. Damas ISC F. Neves Registro.br October 2008 Preventing Use of Recursive Nameservers in Reflector Attacks Status
More informationImplementing DNSSEC with DynDNS and GoDaddy
Implementing DNSSEC with DynDNS and GoDaddy Lawrence E. Hughes Sixscape Communications 27 December 2017 DNSSEC is an IETF standard for adding security to the DNS system, by digitally signing every resource
More informationDNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC. Wes Hardaker
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker Overview Business Model Changes Relationship Requirements Relationship with
More informationThe State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang
The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang 1 Monitoring Shows What s Working and What needs Work DNS operations must already deal with widespread
More informationDNS. A Massively Distributed Database. Justin Scott December 12, 2018
DNS A Massively Distributed Database Justin Scott December 12, 2018 What is DNS? Translates Hostnames to IP Addresses What is DNS? Example: www.serverlogic.com 23.185.0.4 What is DNS? Example: www.serverlogic.com
More informationEvaluation and consideration of multiple responses. Kazunori Fujiwara, JPRS OARC 28
Evaluation and consideration of multiple responses Kazunori Fujiwara, JPRS fujiwara@jprs.co.jp OARC 28 Past discussion Background DNS is query response based protocol Each query contains one QNAME / QTYPE
More information