Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Cookies draft-eastlake-dnsext-cookies-00.txt

Published byAvis Sanders Modified over 6 years ago

Similar presentations

Presentation on theme: "DNS Cookies draft-eastlake-dnsext-cookies-00.txt"— Presentation transcript:

1 DNS Cookies draft-eastlake-dnsext-cookies-00.txt
Donald E. Eastlake 3rd July 2006 IETF DNSEXT WG Cookies

2 DNS Cookies Provides weak authentication of queries and responses. Can be viewed as a weak version of TSIG. No protection against “on-path” attackers, that is, no protection against anyone who can see the plain text queries and responses. Requires no set-up or configuration. July 2006 IETF DNSEXT WG Cookies

3 DNS Cookies (cont.) Intended to greatly reduce
Forged source IP address traffic amplification DOS attacks. Forged source IP address recursive server work load DOS attacks. Forged source IP address reply cache poisoning attacks. July 2006 IETF DNSEXT WG Cookies

4 The COOKIE RR A Meta-RR in the Additional Information Section. RDATA:
Resolver Cookie, 64 bits Server Cookie, 64 bits Error Code July 2006 IETF DNSEXT WG Cookies

5 Resolver Warm Fuzzies If DNS Cookies Enforced
Resolver puts a COOKIE RR in queries with A Resolver Cookie that varies with server Truncated HMAC(server-IP-address, resolver secret) The resolver cached Server Cookie for that Cookie if it has one Resolver ignores all replies that do not have the correct Resolver Cookie Caches new Server Cookie and retries query if it gets a Bad Cookie error with a correct Resolver Cookie July 2006 IETF DNSEXT WG Cookies

6 Simplified Server Warm Fuzzies
If DNS Cookies Enforced Server puts a COOKIE RR in replies with A Server Cookie that varies with resolver Truncated HMAC(resolver-IP-address, server secret) The Resolver Cookie if there was one in the corresponding query If query received with bad or no Server Cookie, send back short error message July 2006 IETF DNSEXT WG Cookies

7 Example Resolver Server Query: RC:123, SC:???,E:0 RC:123
ErrReply: RC:123, SC:789, E:BadC SC:789 Query: RC:123, SC:789,E:0 RC:123 AnsReply: RC:123, SC:789,E:0 ForgedQuery: RC:???, SC:???,E:0 ErrReply: RC:???, SC:789, E:BadC ForgedReply: RC:???, SC:???,E:0 July 2006 IETF DNSEXT WG Cookies

8 Complexities Bad guy Resolver behind a NAT Anycast Servers
Can get Server Cookie and attack other resolvers behind the NAT Solution: Mix Resolver Cookie into Server Cookie hash so multiple resolvers that appear to be at the same IP address are distinguished Anycast Servers Need to use the same server secret or assure that queries from the same resolver usually go to the same server July 2006 IETF DNSEXT WG Cookies

Download ppt "DNS Cookies draft-eastlake-dnsext-cookies-00.txt"

Similar presentations

STUN Open Issues Jonathan Rosenberg dynamicsoft. Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they.

STUN Open Issues Jonathan Rosenberg dynamicsoft. Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they.
© 2004 SafeNet, Inc. All rights reserved. Mobike Protocol Design draft-ietf-mobike-design-00.txt Tero Kivinen

© 2004 SafeNet, Inc. All rights reserved. Mobike Protocol Design draft-ietf-mobike-design-00.txt Tero Kivinen
Applications Test Results in MIF environment draft-zheng-mif-apps-test-02.txt IETF 81 Quebec City.

Applications Test Results in MIF environment draft-zheng-mif-apps-test-02.txt IETF 81 Quebec City.
EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
1 Name Service in IPv6 Mobile Ad-hoc Network connected to the Internet Jaehoon Jeong, ETRI PIMRC 2003.

1 Name Service in IPv6 Mobile Ad-hoc Network connected to the Internet Jaehoon Jeong, ETRI PIMRC 2003.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Secure Overlay Services Adam Hathcock Information Assurance Lab Auburn University.

Secure Overlay Services Adam Hathcock Information Assurance Lab Auburn University.
DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.

DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.
1 DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad-hoc Network Jaehoon Jeong, ETRI ICACT.

1 DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad-hoc Network Jaehoon Jeong, ETRI ICACT.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.

Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.
A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.

A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.

NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
Module 3 DNS Types.

Module 3 DNS Types.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Similar presentations

Ads by Google