Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Applications: Security, DNS

Published byCharles Ball Modified over 6 years ago

Similar presentations

Presentation on theme: "Network Applications: Security, DNS"— Presentation transcript:

1 Network Applications: Email Security, DNS
Y. Richard Yang 9/14/2017

2 Outline Admin and recap Email DNS Basic email systems design
security DNS

3 Admin 72 discretionary late hours for assignments across the semester

4 Recap: The Big Picture of the Internet
Hosts and routers: ~ 1 bill. hosts organized into ~50K networks backbone links 100 Gbps Software: datagram switching with virtual circuit support layered network architecture use end-to-end arguments to determine the services provided by each layer the 5-layer hourglass architecture of the Internet Telnet FTP WWW SSL TCP UDP IP Ethernet Wireless Cable/DSL

5 Multiplexing/Demultiplexing

6 Formats of main protocols

7 Recap: Client-Server Paradigm
application transport network data link physical The basic paradigm of network applications is the client-server (C-S) paradigm Some key design questions to ask about a C-S application: extensibility scalability robustness security reply request

8 Recap: Email App SMTP Some key design features of Email
user agent Some key design features of Separate protocols for different functions access (e.g., POP3, IMAP) transport (SMTP) Separation of envelop and message body (end-to-end arguments) envelop: simple/basic requests to implement transport control; message body: fine-grain control through ASCII header and message body MIME type as self-describing data type Status code in response makes message easy to parse mail server user agent SMTP mail server user agent mail server user agent POP3 or IMAP SMTP user agent user agent

9 Recap: Email Authentication Approaches
Sender Policy Frame (SPF) DomainKeys Identified Mail (DKIM) Authenticated Results Chain (ARC)

10 Sender Policy Framework (SPF RFC7208)
Sender Policy Framework (SPF RFC7208) MUA smtp/submission Is my neighbor m a permitted sender for the domain? MTA smtp Border Outbound MTA m smtp Border Inbound MTA neighbor MTA pop/imap validating MTA MUA

11 Key Question for SPF? How does SPF know if its neighbor MTA is a permitted sender of the domain? <selector>._domainkey.example.com dig txt <selector>._domainkey.<domain> +short

12 DomainKeys Identified Mail (DKIM; RFC 5585)
A domain-level digital signature authentication framework for , using public key crypto E.g., gmail.com signs that the message is sent by gmail server Basic idea of public key signature Owner has both public and private keys Owner uses private key to sign a message to generate a signature Others with public key can verify signature Assumption: difficult to get private key even w/ public key distributed mailing lists or account forwarding

13 DomainKeys Identified Mail (DKIM)
MUA smtp/submission Is the message signed by the private key of the signing domain? Signing MTA smtp MTA smtp VerifyingMTA pop/imap MUA

14 Example: RSA 1. Choose two large prime numbers p, q.
(e.g., 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e < n) that has no common factors with z. (e, z are “relatively prime”). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5. Public key is (n,e). Private key is (n,d).

15 RSA: Signing/Verification
0. Given (n,e) and (n,d) as computed above 1. To sign message, m, compute h = hash(m), then sign with private key s = h mod n d (i.e., remainder when h is divided by n) d 2. To verify signature s, compute h’ = s mod n e e (i.e., remainder when s is divided by n) h = (h mod n) d mod n e Magic happens! The magic is a simple application of Euler’s generalization of Fermat’s little theorem

16 Key Question about DKIM?
How does DKIM retrieve the public key of the author domain? <selector>._domainkey.example.com dig txt <selector>._domainkey.<domain> +short

17 Summary: Some Key Remaining Issues about Email
Basic: How to find the server of a domain? Scalability/robustness: how to find multiple servers for the domain? Security SPF: How does SPF know if its neighbor MTA is a permitted sender of the domain? DKIM: How does DKIM retrieve the public key of the author domain?

18 Scalability/Robustness
Both scalability and robustness require that multiple servers serve the same address need an server’s IP address client mapping mail server yale.edu

19 Mapping Functions Design Alternatives
name (e.g., yale.edu) 1 IP multiple IPs mapping multiple IPs name (e.g., yale.edu)

20 Mapping Functions Design Alternatives
name (e.g., yale.edu) 1 IP mapping name (e.g., yale.edu) 1 IP load balancer (routing) 1 IP switch

21 Outline Recap security (authentication) DNS

22 DNS: Domain Name System
Function map between (domain name, service) to value, e.g., ( addr) -> (yale.edu, ) -> chai.mail.yale.edu rosehip.mail.yale.edu clients DNS Hostname, Service Address routers Why name: easy to remember, one-level of indirection servers

23 RR format: (name, type, value, ttl)
DNS Records DNS: stores resource records (RR) RR format: (name, type, value, ttl) Type=A name is hostname value is IP address Type=CNAME name is an alias of a “canonical” (real) name value is canonical name Type=NS name is domain (e.g. yale.edu) value is the name of the authoritative name server for this domain Type=MX value is hostname of mail server associated with name Type=SRV general extension for services Type=TXT general txt Type=PTR a pointer to another name

24 Discussion Can DNS handle multiple values for the same (name, service)?

25 Try DNS: Examples dig <name> <type>
Try yale.edu and various types

26 Observations MX can return multiple servers
DNS may rotate the servers in answer Address can also return multiple addresses SPY is encoded as the txt type

27 SPF Exercise telnet to netra.cs.yale.edu smtp cases
From: From: From: From: dig <domain> txt to retrieve spf POP retr Try TXT record for gmail.com dig txt gmail.com

28 DKIM Exercise Send email from gmail and check message
Try TXT record for gmail.com dig txt gmail.com

29 DKIM Example DKIM: Msg: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s= ; h=mime-version:date:feedback-id:message-id:subject:from:to; … Query: _domainkey.accounts.google.com txt DKIM introduces a session key to allow multiple public keys <session>._domainkey.<domain>

30 DNS Design: Dummy Design
DNS itself can be considered as a client-server system as well How about a dummy design: introducing one super Internet DNS server? THE DNS server of the Internet IP address resolve <name> register <name> OK/used already

31 Problems of a Single DNS Server
Scalability and robustness bottleneck Administrative bottleneck

32 DNS: Distributed Management of the Domain Name Space
A distributed database managed by authoritative name servers divided into zones, where each zone is a sub-tree of the global tree each zone has its own authoritative name servers an authoritative name server of a zone may delegate a subset (i.e. a sub-tree) of its zone to another name server called a zone

33 Email Architecture + DNS
user agent mail server user agent SMTP mail server user agent mail server user agent POP3 or IMAP SMTP DNS user agent user agent

34 See http://root-servers.org/ for more details
Root Zone and Root Servers The root zone is managed by the root name servers 13 root name servers worldwide See for more details

35 Linking the Name Servers
Each name server knows the addresses of the root servers Each name server knows the addresses of its immediate children (i.e., those it delegates) Top level domain (TLD) Q: how to query a hierarchy?

36 DNS Message Flow: Two Types of Queries
Recursive query: The contacted name server resolves the name completely Iterated query: Contacted server replies with name of server to contact “I don’t know this name, but ask this server”

37 Two Extreme DNS Message Flows
root name server root name server 1 1 2 2 6 5 TLD name server client 3 client TLD name server 4 6 5 4 3 authoritative name server authoritative name server Issues of the two approaches? cicada.cs.yale.edu cicada.cs.yale.edu

38 authoritative name server
Typical DNS Message Flow: The Hybrid Case root name server Host knows only local name server Local name server is learned from DHCP, or configured, e.g. /etc/resolv.conf Local DNS server helps clients resolve DNS names 2 iterated query 3 4 7 1 8 6 5 local name server TLD name server authoritative name server dns.cs.umass.edu requesting host cyndra.cs.yale.edu gaia.cs.umass.edu

39 authoritative name server
Typical DNS Message Flow: The Hybrid Case root name server Host knows only local name server Local name server is learned from DHCP, or configured, e.g. /etc/resolv.conf Local DNS server helps clients resolve DNS names Benefits of local name servers (often called resolvers) simplifies client caches/reuses results 2 iterated query 3 4 7 1 8 6 5 local name server TLD name server authoritative name server dns.cs.umass.edu requesting host cyndra.cs.yale.edu gaia.cs.umass.edu

40 Outline Recap Email security (authentication) DNS High-level design
Details

41 DNS Message Format? Basic encoding decisions: UDP/TCP, how to encode domain name, how to encode answers… IP Ethernet Cable/DSL Wireless TCP UDP DNS IP Ethernet Cable/DSL Wireless TCP UDP DNS Basic questions: how to encode domain name; how to do compression…

Download ppt "Network Applications: Security, DNS"

Similar presentations

Domain Name System (or Service) (DNS) Computer Networks Computer Networks Term B10.

Domain Name System (or Service) (DNS) Computer Networks Computer Networks Term B10.
2: Application Layer1 FTP, SMTP and DNS. 2: Application Layer2 FTP: separate control, data connections r FTP client contacts FTP server at port 21, specifying.

2: Application Layer1 FTP, SMTP and DNS. 2: Application Layer2 FTP: separate control, data connections r FTP client contacts FTP server at port 21, specifying.
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts, routers: –IP address (32 bit) - used for addressing datagrams –“name”, e.g., gaia.cs.umass.edu.

1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts, routers: –IP address (32 bit) - used for addressing datagrams –“name”, e.g., gaia.cs.umass.edu.
2: Application Layer1 Chapter 2 Application Layer Computer Networking: A Top Down Approach, 4 th edition. Jim Kurose, Keith Ross Addison-Wesley, July 2007.

2: Application Layer1 Chapter 2 Application Layer Computer Networking: A Top Down Approach, 4 th edition. Jim Kurose, Keith Ross Addison-Wesley, July 2007.
Application Layer12-1 2010 session 1 TELE3118: Network Technologies Week 12: DNS Some slides have been taken from: r Computer Networking: A Top Down Approach.

Application Layer session 1 TELE3118: Network Technologies Week 12: DNS Some slides have been taken from: r Computer Networking: A Top Down Approach.
CPSC 441: DNS1 Instructor: Anirban Mahanti Office: ICT 745 Class Location: ICT 121 Lectures: MWF 12:00 – 12:50 Notes derived.

CPSC 441: DNS1 Instructor: Anirban Mahanti Office: ICT Class Location: ICT 121 Lectures: MWF 12:00 – 12:50 Notes derived.
Electronic Mail Three major components: SMTP user agents mail servers

Electronic Mail Three major components: SMTP user agents mail servers
Introduction 1-1 Chapter 2 FTP & Email Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 IC322 Fall.

Introduction 1-1 Chapter 2 FTP & Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 IC322 Fall.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.

NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.

Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.
CS 4396 Computer Networks Lab

CS 4396 Computer Networks Lab
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g., www.yahoo.com.

1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,
Domain Name System (DNS)

Domain Name System (DNS)
Data Communications and Computer Networks Chapter 2 CS 3830 Lecture 9

Data Communications and Computer Networks Chapter 2 CS 3830 Lecture 9
Lecturer: Maxim Podlesny Sep 29 2008 CSE 473 File Transfer and Electronic Email in Internet.

Lecturer: Maxim Podlesny Sep CSE 473 File Transfer and Electronic in Internet.
DNS,SMTP,MIME.

DNS,SMTP,MIME.
Fall 2005 By: H. Veisi Computer networks course Olum-fonoon Babol Chapter 7 The Application Layer.

Fall 2005 By: H. Veisi Computer networks course Olum-fonoon Babol Chapter 7 The Application Layer.
Network Applications: DNS, UDP Socket Y. Richard Yang 9/12/2013.

Network Applications: DNS, UDP Socket Y. Richard Yang 9/12/2013.
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.

Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
DNS: Domain Name System

DNS: Domain Name System

Similar presentations

Ads by Google