1 / 14

What’s Next: DNSSEC & RPKI

What’s Next: DNSSEC & RPKI. Mark Kosters. Why are DNSSEC and RPKI Important. Two critical resources DNS Routing Hard to tell when it is compromised Focus of Government funding - DHS. What is DNSSEC? . DNS responses are not secure Easy to Spoof Examples of malicious attacks

marcy
Download Presentation

What’s Next: DNSSEC & RPKI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. What’s Next: DNSSEC & RPKI Mark Kosters

  2. Why are DNSSEC and RPKI Important • Two critical resources • DNS • Routing • Hard to tell when it is compromised • Focus of Government funding - DHS

  3. What is DNSSEC? • DNS responses are not secure • Easy to Spoof • Examples of malicious attacks • DNSSEC attaches signatures • Validates responses • Can not Spoof

  4. ARIN’s DNSSEC Deployment • Working with IANA on signing in-addr.arpa and ip6.arpa • ARIN’s /8 zones have been signed since Q2 of 2009 • Provisioning networks will be made through ARIN Online • Available (estimate) Q3 of 2010 for IPv4 • IPv6 delegations will be secured after ip6.arpa signed

  5. What is RPKI? • Routing today is insecure • IAB Report calls it “Routing by Rumor” • Multiple occurrences of taking others traffic • Pakistani Youtube incident http://ripe.net/news/study-youtube-hijacking.html • More Recently a root server in China • No evidence that is totally malicious – but it could be in the future

  6. What is RPKI? • Attaches certificates to network resources • AS Numbers • IP Addresses • Allows ISPs to associate the two • Route Origin Authorizations (ROA’s) • Follow the Allocation chain to the top

  7. What is RPKI? • Allows routers to validate Origins • Start of validated routing • Need minimal bootstrap info • Trust Anchors • Lots of focus on Trust Anchors

  8. Resource Cert Validation Resource Allocation Hierarchy IANA AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> LIR1 ISP2 ISP ISP ISP ISP4 ISP ISP ISP

  9. Resource Cert Validation Resource Allocation Hierarchy IANA AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates LIR1 NIR2 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> ISP ISP ISP ISP4 ISP ISP ISP 1. Did the matching private key sign this text?

  10. Resource Cert Validation Resource Allocation Hierarchy IANA AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> LIR1 ISP2 ISP ISP ISP ISP4 ISP ISP ISP 2. Is this certificate valid?

  11. Resource Cert Validation Resource Allocation Hierarchy IANA AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> LIR1 ISP2 ISP ISP ISP ISP4 ISP ISP ISP 3. Is there a valid certificate path from a Trust Anchor to this certificate?

  12. Ok, Now what • We have a pilot • https://rpki-pilot.arin.net • Get some experience • Participate!

  13. RPKI Roadmap to Production - 4 phases • Phase 1: Pilot • Operational since 7/2009 • Phase 2: Initial Production • End of Q4 of 2010 • Phase 3: Global Consistency • Estimate 2011 • Phase 4: Single Trust Anchor • Estimate 2011

  14. Questions?

More Related