Published by Julie Nicholson. Modified over 9 years ago.
1
ICANN’s multi-stakeholder approach
OAS-CICTE REMJA/OAS + WEF Cyber Crime Workshop, Montevideo, Uruguay
10 July 2012
richard.lamb@icann.org
2
What is ICANN?
IANA function – coordinate unique identifiers (root and top-level domain names, IP address allocation, protocol number assignments, time zone database, other…)
DNS operations (L-root, DNSSEC, ICANN managed domains)
Policy and multi-stakeholder support
  – Facilitator
  – Delegation of registry and registrar functions
  – Education / training / awareness
  – Collaboration on other, non-domain name issues
3
What is ICANN?
We are NOT a
  – Law enforcement agency
  – Court of law
  – Government agency
ICANN cannot unilaterally
  – Suspend domain names
  – Transfer domain names
  – Immediately terminate a registrar’s contract
ICANN can enforce contracts on registries and registrars
4
What is ICANN?
Security Team is LE contact point
Participation via
  – Government Advisory Council (GAC)
  – Security Team provides “basic training”, “speak to X for Y”, workshops, collaborate with LE, Security and operational communities
  – Direct meetings like with any other stakeholder
6
The Internet’s Phone Book - Domain Name System (DNS)
[Diagram: a user's query "www.majorbank.se=?" goes to the ISP/Enterprise DNS resolver, which consults the DNS servers for . (Root), .se (Registry) and majorbank.se (Registrant) and returns www.majorbank.se = 1.2.3.4; the user then gets the login page from the web server www @ 1.2.3.4 and exchanges username / password for account data.]
7
Caching Responses for Efficiency
[Diagram: the DNS resolver answers "www.majorbank.se=?" with its stored www.majorbank.se = 1.2.3.4; the user gets the login page from the web server www @ 1.2.3.4 and exchanges username / password for account data.]
8
Here is root zone file
Just a bunch of zone files
(courtesy Dave Piscitello, ICANN)
9
DNS 101 continued..
gTLD = Global Top Level Domain: .com, .museum … and soon .yourdomainhere ...
ccTLD = Country Code TLD: .uy, .br, .cl, .se, .cn, .ru
TLDs operated by Registries
Root (ICANN) has entries for TLDs; TLDs have entries for domain names
Domains sold to Registrants thru Registrars

Registrant    Registrar     Registry       Root
google.com    GoDaddy       .com           .
Google Inc    GoDaddy Inc   VeriSign Inc   ICANN

(background courtesy Kim Davies, ICANN)
10
Why do I care?
For example:
  – IP address or domain name of suspect
  – WHOIS protocol
  – Contact owner, Registrar, or Registry
  – Obtain other information collected by Registrar
Other examples: http://www.icann.org/about/staff/security/guidance-domain-seizures-07mar12-en.pdf
11
Conficker
Created 250-50000 pseudo-random domains/day for C&C across 116 TLDs
Instant actions based on established international relationships with ccTLD and gTLDs (Crain) – wow!
Unprecedented act of coordination and collaboration (MSFT, ICANN, Registries, AV, researchers)
Lessons: private sector collaboration; public-private info sharing; support to LE; legislative reform.
12
Registrar Accreditation Agreement (RAA)
Registrars sign contract w/ ICANN to become accredited
Required for com, gTLDs, … Not for ccTLDs
Stakeholders: Registrars, LE, privacy, community, ICANN
Accurate/validated WHOIS (…also ICANN community efforts for common machine readable format with tiered access)
Major progress – LE and Registrars now agree in principle
http://prague44.icann.org/meetings/prague2012/presentation-raa-negotiations-summary-03jun12-en.pdf
13
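The Problem: DNS Cache Poisoning Attack
[Diagram: the user asks the DNS resolver "www.majorbank.se=?"; the DNS server's answer is www.majorbank.se = 1.2.3.4, but the attacker injects www.majorbank.se = 5.6.7.8, so the resolver returns 5.6.7.8. The user gets the login page from the attacker's web server www @ 5.6.7.8; the username / password go into the attacker's password database and the user sees an error.]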
14
Argghh! Now all ISP customers get sent to attacker.
[Diagram: the DNS resolver now answers "www.majorbank.se=?" with 5.6.7.8 although the DNS server holds www.majorbank.se = 1.2.3.4; users get the login page from the attacker's web server www @ 5.6.7.8, their username / password go into the password database, and they see an error.]
15
Securing The Phone Book - DNS Security Extensions (DNSSEC)
[Diagram: the user asks a DNS resolver with DNSSEC "www.majorbank.se=?"; the DNS server with DNSSEC answers www.majorbank.se = 1.2.3.4 and the attacker injects www.majorbank.se = 5.6.7.8. Attacker’s record does not validate – drop it. The resolver returns 1.2.3.4; the user gets the login page from the web server www @ 1.2.3.4 and exchanges username / password for account data.]
16
Resolver only caches validated records
[Diagram: the DNS resolver with DNSSEC answers "www.majorbank.se=?" with the validated www.majorbank.se = 1.2.3.4 from the DNS server with DNSSEC; the user gets the login page from the web server www @ 1.2.3.4 and exchanges username / password for account data.]
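The behaviour on the two DNSSEC slides above (the forged www.majorbank.se = 5.6.7.8 answer is dropped and only validated records are cached), as an added example that is not part of the original presentation. It is a toy model: textbook RSA over small constructed primes stands in for real DNSKEY/RRSIG processing, and the `Resolver` class and helper names are hypothetical.

```python
import hashlib

# Toy zone key: textbook RSA over two Mersenne primes (constructed, NOT secure).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the zone


def digest(name: str, addr: str) -> int:
    """Hash the record data to an integer below the modulus."""
    data = f"{name}|A|{addr}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(name: str, addr: str) -> int:
    """Zone operator signs the record (stand-in for an RRSIG)."""
    return pow(digest(name, addr), D, N)


def verify(name: str, addr: str, sig) -> bool:
    """Resolver checks the signature with the zone's public key (N, E)."""
    return sig is not None and pow(sig, E, N) == digest(name, addr)


class Resolver:
    def __init__(self, validate: bool):
        self.validate = validate
        self.cache = {}

    def receive(self, name: str, addr: str, sig=None) -> bool:
        """Handle one response; return True if it was cached."""
        if self.validate and not verify(name, addr, sig):
            return False  # does not validate: drop it
        self.cache.setdefault(name, addr)  # first answer wins until the TTL expires
        return True


def demo():
    name = "www.majorbank.se"
    forged = (name, "5.6.7.8", 12345)  # attacker cannot produce a valid signature
    genuine = (name, "1.2.3.4", sign(name, "1.2.3.4"))
    plain, dnssec = Resolver(validate=False), Resolver(validate=True)
    for response in (forged, genuine):  # forged reply arrives first
        plain.receive(*response)
        dnssec.receive(*response)
    return plain.cache[name], dnssec.cache[name]


if __name__ == "__main__":
    print(demo())
```

The non-validating resolver keeps serving the forged address to every client until the entry expires; the validating one never stores it, even when the attacker replays the genuine signature over a different address.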
17
DNSSEC
Bellovin 1995, Kaminsky 2008
Deployed on root 2010: Biggest security upgrade to Internet in 20 years
DNS Changer 2011
Web accounts, SSL certificates, configuration, ..
Future innovation and opportunities
Only possible with unprecedented international multi-stakeholder, bottom-up managed and trusted root key (including representatives from Uruguay, Brazil, Trinidad)
18
DNSChanger - ‘Biggest Cybercriminal Takedown in History’
4M machines, 100 countries, $14M
9 Nov 2011
http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/
19
DNSSEC: Where we are
Deployed on 88/313 TLDs (.cl, .br, .cr, .co, .pr, .hn, .us, .lk, .eu, .tw 台灣, 한국, .com, …)
Root signed and audited
84% of domain names could have DNSSEC deployed on them
Large ISPs have or have agreed to support DNSSEC*
A few 3rd party signing solutions (e.g., GoDaddy, VeriSign, Binero, …)
Supported by majority of DNS implementations
Required for new gTLDs
*COMCAST 18M Internet customers. Others.. TeliaSonera SE, Vodafone CZ, Telefonica CZ, T-mobile NL, SurfNet NL, .. http://securitywatch.pcmag.com/security/295722-isps-agree-to-fcc-rules-on-anti-botnet-dnssec-internet-routing
20
DNSSEC: Where we are
But deployed on < 1% of 2nd level domains. Many have plans. Few have taken the step (e.g., paypal.com*).
DNSChanger and other attacks highlight today’s need. Innovative security solutions (e.g., DANE) highlight tomorrow’s value.
Need to raise Registrant and end user awareness
Approx 0.5M have DNSSEC
*http://www.thesecuritypractice.com/the_security_practice/2011/12/all-paypal-domains-are-now-using-dnssec.html
http://www.nacion.com/2012-03-15/Tecnologia/Sitios-web-de-bancos-ticos-podran-ser-mas-seguros.aspx
http://www.internetsociety.org/deploy360/dnssec/
21
Unexpected reliance on DNS
Web accounts
SSL dilution of trust: Diginotar/Comodo
Configuration, s/w updates, …
Lack of trust in e-commerce, negative economic impact
Imagine if you could trust “the ‘Net”?
22
DNSSEC Future
DANE
  – Improved Web TLS for all
  – Email S/MIME for all
…and
  – SSH, IPSEC, VoIP
  – Digital identity
  – Other content (e.g. configurations, XML, app updates)
  – Smart Grid
  – A global PKI
23
OECS ID effort
24
Summary
The bottom-up, multi-stakeholder approach works
Personal relationships are critical
Public Private collaboration is essential
25
ICANN Security Team:
Jeff Moss, VP & Chief Security Officer
Geoff Bickers, Director of Security Operations
John Crain, Sr. Director, SSR
Whitfield Diffie, VP InfoSec & Cryptography
Patrick Jones, Sr. Director, Security
Dr. Richard Lamb, Sr. Program Manager, DNSSEC
Dave Piscitello, Sr. Security Technologist
Sean Powell, Information Security Engineer
Thank You