Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNSSEC: A Game Changer ICCS 2012 January 9, 2012 New York, NY

Published byNoel Gervais Bell Modified over 9 years ago

Similar presentations

Presentation on theme: "DNSSEC: A Game Changer ICCS 2012 January 9, 2012 New York, NY"— Presentation transcript:

1 DNSSEC: A Game Changer ICCS 2012 January 9, 2012 New York, NY richard.lamb@icann.org

2 The Internet did not have security designed into it. But has demonstrated time and again that it is a platform for innovation - good and bad.

3 The BAD: DNSChanger - ‘Biggest Cybercriminal Takedown in History’ – 4 mil (1/2 mil in US) 9 Nov 2011 http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/

4 The BAD: Brazilian ISP fall victim to a series of DNS attacks 7 Nov 2011 http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil

5 The Internet’s Phone Book - Domain Name System (DNS) www.majorbank.com=? Get page webserver www @ 1.2.3.4 Username / Password Account Data DNS Hierarchy comgov root majorbank.com www.majorbank.com DNS Resolver www.majorbank.com = 1.2.3.4 DNS Server 1.2.3.4 Login page ISP

6 The BAD: DNS Cache Poisoning Attack www.majorbank.com=? DNS Resolver www.majorbank.com = 1.2.3.4 DNS Server 5.6.7.8 Get page Attacker webserver www @ 5.6.7.8 Username / Password Error Attacker www.majorbank.com = 5.6.7.8 Login page Password database 3 Aug 2008 Dan Kaminsky reveals shortcut http://www.seattlepi.com/local/article/Seattle-security-expert-helped-uncover-major-1281123.php

7 Securing The Phone Book - DNS Security Extensions (DNSSEC) www.majorbank.com=? DNS Resolver with DNSSEC www.majorbank.com = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page webserver www @ 1.2.3.4 Username / Password Account Data Login page Attacker www.majorbank.com = 5.6.7.8 Attacker’s record does not validate – drop it

8 The GOOD: DNSSEC Add keys to hierarchy and compute digital signatures. Keep it backward compatible Based on over 15 years of global technical community development (in IETF) after discovery of vulnerability

9 The GOOD: DNSSEC Listen to calls from global community for deployment: – Internet community (e.g., RIPE, APNIC, ccNSO…) – Governments (e.g., USG:DHS/OMB/NIST, EU members) – Business (e.g., Kaminsky 2008, Press)

10 Deploying it Problem – Bureaucracy and Fear: Hard to change anything that has not changed since 1983. Many excuses not to. – root - An internationally agreed to single key – right – Trust me - I will manage the root key...uh huh.

11 Look at other International efforts, e.g., ICAO PKD Long top down development But not a single hierarchy Countries (27) pick-up / deposit certificates at ICAO contracted repository in Singapore

12 Approach Eliminate excuses and lead by example – start at root Solution – Multi-stakeholder – get buy in up front – Bottom up – like the Internet itself – Transparency and Choice – Draw from existing secure practices and trusted models Public-private partnership with US Department of Commerce and VeriSign (existing DNS management partner)

13 DNSSEC at the root: result Deployed 15 July 2010 Completed in ~2years Biggest upgrade to the Internet’s core infrastructure in 20 years Set the stage for deployment in rest of hierarchy (e.g., top level domains, end user domains)

14 Cont… Got global buy in Direct stakeholder participation in key management – 21 Trusted Community Representatives made up of respected members of Internet community from 17 countries Currently: URUGUAY, BRAZIL, TRINIDAD AND TOBAGO, CANADA, BENIN, SWEDEN, NEPAL, NETHERLANDS, NEW ZEALAND, RUSSIAN FEDERATION, PORTUGAL, JAPAN, MAURITIUS, CHINA, BURKINA FASO,CZECH REPUBLIC, UNITED KINGDOM, USA

15 Cont…. Enabled DNSSEC deployment throughout hierarchy – need just one key to validate all Publish, broadcast everything. Pass 3 rd party annual SysTrust audit ICANN Secure Key Management Facilities in Culpepper, VA and El Segundo, CA. FIPS 140-2 Level 4 crypto, GSA Class 5 safes, multiple tiers, biometrics, etc.

16

17 ICANN ICANN is a global organization that coordinates the Internet’s unique identifier systems for worldwide public benefit, enabling a single, global interoperable Internet. ICANN’s inclusive multi-stakeholder model and community- developed policies facilitate billions of computers, phones, devices and people into one Internet. ICANN’s mission is to coordinate, at the overall level, the global Internet’s systems of unique identifiers, and in particular, to ensure the stable and secure operation of the Internet’s unique identifier systems. (Source: ICANN Bylaws as amended 25 January 2011)

18 IP addresses, Domain names, Parameters Web Server www.icann.org port 80 192.0.1.3 Email Server mail.icann.org port 25 192.0.1.3 User’s browser 123.yourisp.se port 54332 204.107.191.131 User’s phone rick.tel or 4.3.2.1.7.4.6.2.0.2.1.e164.arpa port 5060 168.1.3.123 Internet

19 Background Created 1998 to continue technical IANA coordination function (previously performed by Jon Postel) on behalf of USG MoU with US DoC: ICANN will operate "in a bottom up, consensus driven, democratic manner." 2009 AoC: transitions U.S. oversight authority to ICANN’s Governmental Advisory Committee (GAC) and establishes accountability “review teams” IANA Function contract still in place

20

21 What ICANN does NOT do ICANN does not play a role in policing the Internet or operationally combating criminal behavior. ICANN does not have a role in the use of the Internet related to cyber-espionage and cyber war. ICANN does not have a role in determining what constitutes illicit conduct on the Internet. ICANN IS able to enforce its contracts on registries & registrars

22 ICANN’s Role in DNSSEC Manage the root key of this hierarchy together with VeriSign (under contract with the US Department of Commerce) and trusted international representatives of the Internet community Process requests for additions/changes/deletions of public key and other records from Registries at the top of the DNS hierarchy (i.e.,.com,.se, …etc) Educate and assist the Internet community regarding DNSSEC

23 Where we are now < 1% DNSSEC still needs to deployed on more domain names. 82/312 top level domain (e.g.,.com) have DNSSEC deployed. Multi-stakeholder managed root key. 82% of domain names can have DNSSEC deployed on them. Large ISP in US has turned DNSSEC “on”. Supported by DNS implementations Yesterday ALL 17.8 M COMCAST Internet customers. Vodafone, Telefonica CZ

24 What needs to still happen Needs to be widely deployed across the domain names Registrars, ISPs, and hosting providers need to support it in a trustworthy fashion DNSSEC validation needs to be pushed to the end user Raise awareness of the security benefits of DNSSEC and its secure deployment.

25 How to implement DNSSEC? 25 For Companies: Deploy DNSSEC on corporate DNS infrastructure (turn DNSSEC validation “on”) Deploy DNSSEC on your domain names (“sign” your corporate domain names) For Users: Ask your ISP about DNSSEC (get DNSSEC validation turned “on” on their DNS servers) Are we done?

26 But wait, there’s more… “More has happened here today than meets the eye. An infrastructure has been created for a hierarchical security system, which can be purposed and re‐purposed in a number of different ways...” – Vint Cerf 16 June 2010 Root Key Ceremony

27 Cont… Looks like we now have a global, secure database for “free”! A globally trusted Public Key Infrastructure Enabler for global security applications An authentication platform for identification Cross-organizational and trans-national.. A global platform for innovation

28 Expect: SSL, E-mail, secured VOIP… (e.g. DANE, S/MIME, DKIM, IPSEC) CA Certificate roots ~1482 Login security SSHFP RFC4255 Yet to be discovered security innovations, enhancements, and synergies Content security Commercial SSL Certificates for Web and e-mail Content security “Free SSL” certificates for Web and e-mail and “trust agility” (DANE) Network security IPSECKEY RFC4025 Cross- organizational and trans-national identity and authentication E-mail security DKIM RFC4871 DNSSEC root - 1 Domain Names VoIP securing SIP https://www.eff.org/observatory http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/

29 Potential Applications Build and improve on established trust models, e.g., CAs Greatly expanded SSL usage (currently ~4M/200M) Make SMIME a reality May work in concert with in enhancing or extending other cyber security efforts like digital Identities, WebID, BrowserID, CAs,.. Securing VoIP Simplify WiFi roaming security Secure distribution of configurations (e.g., blacklists, anti-virus sigs)

30 lamb@xtcn.co m 2001:470:8165:1:1e6f:65ff:fe87:5471 IPV6 ICA O +1-202-709-5262 tel number mydomainname.co m

31 In Search of Trust: a Perfect Storm? Government digital identity efforts – US National Strategy for Trusted Identities in Cyberspace (NSTIC) (Apr 2011), Sweden e-ID, Brazil, etc.. – Interoperability / Assurance / Certification Certification Authority fix /w dnssec – Not perfect but decades of experience: Use it! – Recent impetus to improve. Smart Electrical Grid efforts – Not just reading meters DNS/DNSSEC part of all ecosystems NSTIC http://www.nist.gov/nstic

32 Summary DNSSEC will be a critical tool in combating the global nature of cyber crime allowing cross-organizational and trans-national authentication As a global security federation DNSSEC is a platform for cyber security innovation and international cooperation Successful Internet example of bottom up development and multi-stakeholder, public-private cooperation DNSSEC does not solve all the ills of the Internet but can become a powerful tool in improving the security of the Internet.

Download ppt "DNSSEC: A Game Changer ICCS 2012 January 9, 2012 New York, NY"

Similar presentations

Technical Services Develop Integrate Operate APNIC technical infrastructure.

Technical Services Develop Integrate Operate APNIC technical infrastructure.
GNSO goals Bruce Tonkin Chair, GNSO Council Sao Paulo, 4 Dec 2006.

GNSO goals Bruce Tonkin Chair, GNSO Council Sao Paulo, 4 Dec 2006.
ICANN Plan for Enhancing Internet Security, Stability and Resiliency.

ICANN Plan for Enhancing Internet Security, Stability and Resiliency.
International Telecommunication Union ENUM Issues and Solutions Houlin Zhao Director Telecommunication Standardization Bureau International Telecommunication.

International Telecommunication Union ENUM Issues and Solutions Houlin Zhao Director Telecommunication Standardization Bureau International Telecommunication.
Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.

Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.
Overview of Priorities and Activities: Shared Services Canada Presentation to the Information Technology Infrastructure Roundtable June 17, 2013 Liseanne.

Overview of Priorities and Activities: Shared Services Canada Presentation to the Information Technology Infrastructure Roundtable June 17, 2013 Liseanne.
ICANN/ccTLD Agreements: Why and How Andrew McLaughlin Monday, January 21, 2002 TWNIC.

ICANN/ccTLD Agreements: Why and How Andrew McLaughlin Monday, January 21, 2002 TWNIC.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
DNSSEC Deployment: Where We Are (and where we need to be) MENOG 10, Dubai 30 April 2012

DNSSEC Deployment: Where We Are (and where we need to be) MENOG 10, Dubai 30 April 2012
“ICANN and the Global Internet” ICANN Workshop Wednesday, October 9, 2002 Mexico City.

“ICANN and the Global Internet” ICANN Workshop Wednesday, October 9, 2002 Mexico City.
1 July 08, 2010 Information Security Officer Meeting.

1 July 08, 2010 Information Security Officer Meeting.
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
1 CS 4396 Computer Networks Lab The Internet. 2 A Definition On October 24, 1995, the FNC unanimously passed a resolution defining the term Internet.

1 CS 4396 Computer Networks Lab The Internet. 2 A Definition On October 24, 1995, the FNC unanimously passed a resolution defining the term Internet.
ICANN Mission, Structure and Constituencies Capacity Building Program Dakar, 23-27 October 2011 Anne-Rachel Inné.

ICANN Mission, Structure and Constituencies Capacity Building Program Dakar, October 2011 Anne-Rachel Inné.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
1 Updated as of 1 July 2014 About ICANN KISA-ICANN Language Localisation Project Module 1.1.

1 Updated as of 1 July 2014 About ICANN KISA-ICANN Language Localisation Project Module 1.1.
ICANN’s multi-stakeholder approach OAS-CICTE REMJA/OAS + WEF Cyber Crime Workshop, Montevideo, Uruguay 10 July 2012

ICANN’s multi-stakeholder approach OAS-CICTE REMJA/OAS + WEF Cyber Crime Workshop, Montevideo, Uruguay 10 July 2012
ICANN and the Internet Ecosystem. 2  A network of interactions among organisms, and between organisms and their environment.  The Internet is an ecosystem.

ICANN and the Internet Ecosystem. 2  A network of interactions among organisms, and between organisms and their environment.  The Internet is an ecosystem.
IANA Activities Update RIPE 68 Warsaw, Poland May 2014.

IANA Activities Update RIPE 68 Warsaw, Poland May 2014.
2011 – 2014 ICANN Strategic Plan Development Stakeholder Review 4 November 2010.

2011 – 2014 ICANN Strategic Plan Development Stakeholder Review 4 November 2010.

Similar presentations

Ads by Google