DNS Cookies draft-eastlake-dnsext-cookies-00.txt

DNS Cookies
draft-eastlake-dnsext-cookies-00.txt
Donald E. Eastlake 3rd
Donald.Eastlake@motorola.com
+1-508-786-7554
July 2006, IETF DNSEXT WG

DNS Cookies
- Provides weak authentication of queries and responses. Can be viewed as a weak version of TSIG.
- No protection against "on-path" attackers, that is, no protection against anyone who can see the plaintext queries and responses (the cookies travel in the clear and can simply be copied).
- Requires no set-up or configuration.

DNS Cookies (cont.)
Intended to greatly reduce:
- Forged source IP address traffic amplification DoS attacks.
- Forged source IP address recursive server work-load DoS attacks.
- Forged source IP address reply cache poisoning attacks.

The COOKIE RR
- A Meta-RR carried in the Additional Information section.
- RDATA:
  - Resolver Cookie, 64 bits
  - Server Cookie, 64 bits
  - Error Code

Resolver Warm Fuzzies If DNS Cookies Enforced
- Resolver puts a COOKIE RR in queries with:
  - A Resolver Cookie that varies with the server: truncated HMAC(server-IP-address, resolver secret)
  - The Server Cookie the resolver has cached for that server, if it has one
- Resolver ignores all replies that do not carry the correct Resolver Cookie.
- Caches the new Server Cookie and retries the query if it gets a Bad Cookie error with a correct Resolver Cookie.

Simplified Server Warm Fuzzies If DNS Cookies Enforced
- Server puts a COOKIE RR in replies with:
  - A Server Cookie that varies with the resolver: truncated HMAC(resolver-IP-address, server secret)
  - The Resolver Cookie, if there was one in the corresponding query
- If a query is received with a bad or no Server Cookie, send back a short error message (it carries no answer data, so there is nothing to amplify).

Example
Resolver                                       Server
  Query:       RC:123, SC:???, E:0   ------>
  (holds RC:123)
                                     <------   ErrReply:    RC:123, SC:789, E:BadC
  (caches SC:789)
  Query:       RC:123, SC:789, E:0   ------>
  (holds RC:123)
                                     <------   AnsReply:    RC:123, SC:789, E:0

Forged traffic (source address spoofed, attacker does not know the cookies):
  ForgedQuery: RC:???, SC:???, E:0   ------>
                                     <------   ErrReply:    RC:???, SC:789, E:BadC  (short error only)
                                     <------   ForgedReply: RC:???, SC:???, E:0     (ignored by resolver: wrong RC)

Complexities
- Bad guy resolver behind a NAT
  - Can get a Server Cookie and attack other resolvers behind the NAT, because the Server Cookie depends only on the shared public IP address.
  - Solution: mix the Resolver Cookie into the Server Cookie hash, so that multiple resolvers that appear to be at the same IP address are distinguished.
- Anycast servers
  - Need to use the same server secret, or assure that queries from the same resolver usually go to the same server.
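The exchange on the Example slide and the NAT fix on the Complexities slide, as an added example that is not part of the presentation or the draft: a Python simulation of both sides (resolver and server) with the Bad Cookie round trip, a forged reply, a forged query, and the effect of mixing the Resolver Cookie into the Server Cookie. Assumptions of this example: HMAC-SHA256 truncated to 64 bits (the slides say only "truncated HMAC"), error codes 0 and 1, documentation-range IP addresses, and the Msg/Server/Resolver names, which are this example's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

COOKIE_LEN = 8                 # 64-bit cookies, as in the COOKIE RR on the slide
E_OK, E_BADCOOKIE = 0, 1       # error code values are an assumption of this example


def truncated_hmac(secret: bytes, *parts: bytes) -> bytes:
    """64-bit truncation of HMAC-SHA256 (hash choice is this example's assumption)."""
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()[:COOKIE_LEN]


@dataclass
class Msg:
    """A query or reply carrying a COOKIE RR; src_ip is what the receiver sees (forgeable)."""
    src_ip: str
    rc: bytes                      # Resolver Cookie
    sc: Optional[bytes] = None     # Server Cookie, None if the resolver has none cached
    err: int = E_OK
    answer: Optional[str] = None   # answer data, absent in the short error reply


@dataclass
class Server:
    ip: str
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    mix_rc: bool = True            # fold the Resolver Cookie into the Server Cookie (NAT fix)

    def server_cookie(self, resolver_ip: str, rc: bytes) -> bytes:
        parts = (resolver_ip.encode(), rc) if self.mix_rc else (resolver_ip.encode(),)
        return truncated_hmac(self.secret, *parts)

    def handle(self, q: Msg) -> Msg:
        """Answer only if the Server Cookie is right; otherwise a short Bad Cookie reply."""
        expected = self.server_cookie(q.src_ip, q.rc)
        if q.sc is None or not hmac.compare_digest(q.sc, expected):
            return Msg(self.ip, q.rc, expected, E_BADCOOKIE)       # echoes RC, no answer data
        return Msg(self.ip, q.rc, expected, E_OK, answer=f"answer for {q.src_ip}")


@dataclass
class Resolver:
    ip: str
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    sc_cache: dict = field(default_factory=dict)   # server IP -> cached Server Cookie
    dropped: int = 0                               # replies ignored for a wrong RC

    def resolver_cookie(self, server_ip: str) -> bytes:
        return truncated_hmac(self.secret, server_ip.encode())

    def receive(self, r: Msg) -> Optional[str]:
        """Ignore replies with a wrong Resolver Cookie; learn a new SC on Bad Cookie."""
        if not hmac.compare_digest(r.rc, self.resolver_cookie(r.src_ip)):
            self.dropped += 1
            return None
        if r.err == E_BADCOOKIE:
            self.sc_cache[r.src_ip] = r.sc
            return None
        return r.answer

    def query(self, server: Server, retries: int = 1) -> Optional[str]:
        """First attempt may get Bad Cookie; the retry carries the freshly cached SC."""
        for _ in range(retries + 1):
            q = Msg(self.ip, self.resolver_cookie(server.ip), self.sc_cache.get(server.ip))
            answer = self.receive(server.handle(q))
            if answer is not None:
                return answer
        return None


def forged_reply_dropped(res: Resolver, srv: Server) -> bool:
    """Off-path attacker spoofs the server's address but cannot guess the RC."""
    before = res.dropped
    fake = Msg(srv.ip, os.urandom(COOKIE_LEN), res.sc_cache.get(srv.ip), E_OK, "poison")
    return res.receive(fake) is None and res.dropped == before + 1


def forged_query_unamplified(srv: Server, victim_ip: str) -> bool:
    """Off-path attacker spoofs victim_ip as source: only a short error goes back."""
    r = srv.handle(Msg(victim_ip, os.urandom(COOKIE_LEN)))
    return r.err == E_BADCOOKIE and r.answer is None


def nat_sc_reusable_by_other_resolver(mix_rc: bool) -> bool:
    """Two resolvers share one public IP: is an SC issued to one accepted with the other's RC?"""
    srv = Server("192.0.2.53", mix_rc=mix_rc)
    public_ip = "203.0.113.7"          # constructed: both resolvers appear from this address
    attacker, victim = Resolver(public_ip), Resolver(public_ip)
    learned = srv.handle(Msg(public_ip, attacker.resolver_cookie(srv.ip))).sc
    r = srv.handle(Msg(public_ip, victim.resolver_cookie(srv.ip), learned))
    return r.err == E_OK


if __name__ == "__main__":
    srv, res = Server("192.0.2.53"), Resolver("198.51.100.10")
    print("first query (no SC cached) ->", res.query(srv))
    print("forged reply dropped:", forged_reply_dropped(res, srv))
    print("forged query unamplified:", forged_query_unamplified(srv, res.ip))
    print("NAT: SC reusable without RC mixing:", nat_sc_reusable_by_other_resolver(False))
    print("NAT: SC reusable with RC mixing:", nat_sc_reusable_by_other_resolver(True))
```

Running it walks the Example slide: the first query gets a Bad Cookie error, the resolver caches SC and the retry is answered; the spoofed reply is dropped on the wrong RC; the spoofed query earns only the short error reply. The last two lines show the Complexities point: with `mix_rc=False` the Server Cookie is a function of the public address alone, so any host behind the NAT can present it; with `mix_rc=True` it is bound to the particular Resolver Cookie. Note that the later standardised form of this mechanism (RFC 7873) carries the cookies in an EDNS(0) option rather than a Meta-RR; the simulation follows the slides' layout.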