Key pieces of the Cyber Security Puzzle

High Level Overview of RPKI & DNSSEC


Short presentation I made at the Commonwealth Telecommunications Organisation (CTO) Forum about the roots of the lack of trust on the Internet and how RPKI & DNSSEC are keys to regaining that trust.


Scorecard: DNS & Routing

Overview of the problem

Exhibit A: The Great YouTube Blackout of '08

Mukom Akong T. | @perfexcellence | Slide 3

1 billion (non)views per day

Date: 24th February 2008
Extent: Two thirds of the Internet
Damage: Inaccessible for 2 hours
Cause: Pakistan Telecom, ordered to block YouTube domestically, announced a more-specific route for part of YouTube's address space; its upstream provider propagated the announcement and much of the Internet sent its YouTube traffic to Pakistan.

Exhibit B: Great Firewall of China extends overseas

Date: 24 March 2010
Extent: Some networks in the USA & Chile
Damage: US & Chilean citizens became subject to the online policies of the Chinese gov't
Cause: DNS queries from those networks were answered by a root-server mirror located in China, and the answers for some popular sites came back altered by the Great Firewall's DNS injection, so resolvers outside China handed their users the same forged records that users inside China receive.

Oh God, how did we get here?

Identifying computers on the Internet

192.0.2.1
2001:db8:dead::a1d
learn.afrinic.net

IP addresses are ineffective for human use on a large scale

How this can happen to you

① You type your bank's address: www.yourbank.com
② Your PC asks your ISP's DNS servers for the matching IP address
③ The DNS server goes through a hierarchy to get the answer:
  § It asks the root DNS servers, which point it to the .com servers
  § The .com servers direct it to the yourbank.com DNS server
  § The yourbank.com DNS server sends the answer (an IP address)
  § The ISP's server passes the response to your PC, which makes the connection
④ An attacker can inject a fake answer during any of the above steps
⑤ The response that reaches you:
  § Is NOT the real IP address of your bank (which you don't know)
  § Leads to a website that LOOKS exactly like the one you often use
⑥ You type in your credentials, then you get an error, e.g. "page cannot be displayed"
⑦ 3 weeks later, you scream: "Where's my money??!!"

Identifying organisations on the Internet

☀ Domain name e.g. afrinic.net
☀ A block of IP addresses
  § 196.1.0.0/24
  § 2001:4290::/32
☀ Autonomous System Number e.g.

For the Internet to work ..

2001:db8:dead::a1d
learn.afrinic.net

How do I send information to the computer with address B?

The Problem: Breakdown of TRUST

I AM … www.google.com / www.yourbank.com / www.statehouse.gov.ng / www.prc.cm / www.cto.int / www.afrinic.net

I AM … 2c0f:face:b00c::/48 / 197.253.0.0/16 / 65.25.0/24

It is possible to impersonate any entity by name or address

The Problem: Breakdown of TRUST

☀ It is possible for one computer to impersonate another node by name.
☀ There is no real way of knowing whether the answer your computer got to "what is the IP address of www.yourbank.com" is legitimate or not.

The Problem: Breakdown of TRUST

☀ It is possible for one entity (e.g. an ISP) to impersonate a whole network by IP address.
☀ There has been no way to verify whether that entity actually holds the IP addresses it is announcing.

A Fix: Certify & authenticate Internet identity

☀ Sign DNS records
☀ Establish a chain of trust
☀ Establish 'ownership' of address space

Digital certificates & public key infrastructure

How DNSSEC solves the problem

① Digitally signs DNS (name to IP address) records using public-key cryptography
② Establishes a chain of trust in which parent domains vouch for (authenticate) child domains
③ Lets a validating resolver detect responses that were forged or tampered with in transit

Does NOT provide confidentiality (encryption): signed answers still travel in the clear

DNSSEC – What It Solves

☀ Uses public keys to authenticate
  § The original name-to-address mapping
  § That answers were not tampered with in transit
☀ Prevents impersonation by domain name
☀ Backwards compatible with existing DNS infrastructure: resolvers that do not validate simply ignore the signatures
☀ In Exhibit B, a validating resolver would have rejected the forged answers instead of handing them to users outside China (provided the zones in question were signed)
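The chain-of-trust walk described on slides 17 and 18, applied to the injected fake answer of slide 9, as an added example that is not code from the presentation. Each zone signs its own records, the parent publishes a signed DS record (a hash of the child's public key), and the resolver validates from a configured root trust anchor downwards. The zones, keys, record data and the attacker's two attempts are all constructed for this example, and the RSA used here is an unpadded textbook toy chosen only to keep the file free of third-party dependencies; it is not secure and real DNSSEC uses proper RSA/ECDSA/EdDSA encodings, a KSK/ZSK split and DNS wire format, but the validation logic has the same shape.

```python
# Toy model of the DNSSEC chain of trust (slides 9, 17 and 18). Added example, not
# code from the presentation. Textbook RSA without padding keeps it dependency-free;
# it is NOT secure. The zone names, keys, addresses and attacker moves are constructed.
import hashlib, math, random


def _is_probable_prime(n, rounds=16):        # Miller-Rabin, helper for the toy keys
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def _h(msg: bytes) -> int:                    # SHA-256 digest as an integer
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

class ZoneKey:
    """One RSA key per zone (real zones split it into a KSK and a ZSK)."""
    def __init__(self, bits=160):
        while True:                           # n is ~320 bits, so every SHA-256 digest < n
            p, q = _gen_prime(bits), _gen_prime(bits)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(65537, phi) == 1:
                break
        self.n, self.e, self.d = p * q, 65537, pow(65537, -1, phi)

    def dnskey(self) -> bytes:                # public half, as published in the DNSKEY RR
        return f"{self.n}:{self.e}".encode()

    def sign(self, msg: bytes) -> int:        # RRSIG = H(msg)^d mod n
        return pow(_h(msg), self.d, self.n)

def verify(dnskey: bytes, msg: bytes, sig: int) -> bool:
    """Check an RRSIG using only the public DNSKEY, which is all a resolver has."""
    n, e = (int(x) for x in dnskey.decode().split(":"))
    return pow(sig, e, n) == _h(msg)

def ds_of(dnskey: bytes) -> str:              # DS record = hash of the child's DNSKEY
    return hashlib.sha256(dnskey).hexdigest()

class Zone:
    def __init__(self, name):
        self.name, self.key, self.rrs = name, ZoneKey(), {}

    def publish(self, owner, rtype, rdata):   # store the record together with its RRSIG
        self.rrs[(owner, rtype)] = (rdata, self.key.sign(f"{owner} {rtype} {rdata}".encode()))

    def delegate(self, child):                # the parent signs a DS for the child's key
        self.publish(child.name, "DS", ds_of(child.key.dnskey()))

    def answer(self, owner, rtype):
        rdata, sig = self.rrs[(owner, rtype)]
        return {"owner": owner, "type": rtype, "rdata": rdata,
                "rrsig": sig, "dnskey": self.key.dnskey()}

def validate(trust_anchor_ds, chain):
    """Validating resolver. 'chain' lists the answers from the root down, ending
    with the record the user asked for. Returns (status, rdata)."""
    expected_ds = trust_anchor_ds
    for ans in chain:
        if ds_of(ans["dnskey"]) != expected_ds:
            return "BOGUS: DNSKEY does not match the DS from the parent", None
        msg = f'{ans["owner"]} {ans["type"]} {ans["rdata"]}'.encode()
        if not verify(ans["dnskey"], msg, ans["rrsig"]):
            return "BOGUS: RRSIG does not verify", None
        if ans["type"] == "DS":
            expected_ds = ans["rdata"]        # the chain of trust moves to the child
    return "SECURE", chain[-1]["rdata"]

def demo():
    """Constructed scenario following slide 9: root -> .com -> yourbank.com."""
    root, com, bank = Zone("."), Zone("com"), Zone("yourbank.com")
    root.delegate(com)
    com.delegate(bank)
    bank.publish("www.yourbank.com", "A", "192.0.2.1")
    anchor = ds_of(root.key.dnskey())         # configured in the resolver, never fetched
    chain = [root.answer("com", "DS"), com.answer("yourbank.com", "DS"),
             bank.answer("www.yourbank.com", "A")]
    genuine = validate(anchor, chain)
    # Slide 9 step 4, attempt 1: the attacker swaps the address but keeps the RRSIG.
    tampered = validate(anchor, chain[:-1] + [dict(chain[-1], rdata="198.51.100.66")])
    # Attempt 2: the attacker signs the fake record with a key they control.
    evil = Zone("yourbank.com")
    evil.publish("www.yourbank.com", "A", "198.51.100.66")
    resigned = validate(anchor, chain[:-1] + [evil.answer("www.yourbank.com", "A")])
    return genuine, tampered, resigned
```

Calling demo() returns the three outcomes: the genuine chain validates as SECURE with 192.0.2.1; the first forgery fails because changing the address invalidates the RRSIG; the second fails because the attacker's DNSKEY does not hash to the DS that .com signed, which is why the parent-vouches-for-child step on slide 17 is the part that matters. Without DNSSEC all three answers would look identical to the resolver, which is exactly the "no real way of knowing" problem on slide 14.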

Benefits of DNSSEC

① The Internet community: Improved security in the zones that are signed.
② Registrars: Can offer domain signing services to their customers.
③ ISPs: Increased security of the data returned to their customers, once their resolvers validate.
④ Users: Protection from DNS vulnerabilities such as cache poisoning and man-in-the-middle attacks on DNS answers (for signed zones, behind a validating resolver).

RPKI – What It Solves

☀ Ties an organisation's IP address range(s) to the ASN(s) allowed to announce them
☀ Answers the question "does this address block belong to this organisation?"
☀ Blocks impersonation by IP address (number)
☀ RPKI would have flagged the 2008 YouTube announcement as invalid; it would have prevented the blackout in every network whose routers drop invalid routes

Note: origin validation checks only the origin ASN of an announcement, not the AS path, and RPKI only labels routes; the protection comes from operators configuring their routers to reject the ones labelled invalid.

How RPKI Works

☀ Digitally certify that a resource has been allocated to a specific entity.
☀ Usage rights for resources are proven by digital certificate.
☀ Connect resources (ASNs, IP addresses) to a trust anchor (each RIR publishes one), thus forming a chain of trust.
☀ Control the authority to originate a routing announcement via Route Origin Authorisations (ROAs), which are signed under the resource certificate.
☀ Routers, or a validating cache working on their behalf, use the ROAs to verify that a network has the authority to announce a given block of addresses.
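Route origin validation as a router or validating cache performs it against the ROAs described on slides 20 and 21 (the Valid / Invalid / NotFound outcomes of RFC 6811), as an added example that is not code from the presentation. The ROA list is constructed for the example: the YouTube prefix 208.65.152.0/22, YouTube's AS36561 and Pakistan Telecom's AS17557 are the figures publicly reported for the 2008 incident and do not appear on the slides, and the ROA covering them is hypothetical since none existed at the time; AS64496 is a documentation ASN standing in for the holders of the address blocks shown on slides 10 and 13. The example goes slightly beyond the slides by covering IPv6 and the ROA maxLength field, which is what stops a legitimate holder's own more-specifics from being hijackable.

```python
# Route Origin Validation (RFC 6811 semantics) for the ROAs of slides 20 and 21.
# Added example, not code from the presentation. A validating cache would hand the
# router the (prefix, maxLength, ASN) triples from published ROAs; here they are
# constructed inline. The YouTube/Pakistan Telecom figures are the publicly reported
# ones for 2008 (not on the slides); the ROA for them is hypothetical, and AS64496
# is a documentation ASN used as a stand-in for the slide 10 / slide 13 blocks.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block the holder authorises
    max_length: int   # longest prefix length the ASN may announce inside it
    asn: int          # origin AS authorised to announce it


def _covers(roa: ROA, net) -> bool:
    """A ROA covers an announcement when its prefix contains the announced one."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate_route(prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "not-found"        # no ROA speaks about this space: RPKI says nothing
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"              # covered, but wrong origin AS or more specific than allowed


def accept(prefix: str, origin_asn: int, roas, drop_invalid: bool = True) -> bool:
    """Router policy. RPKI only labels routes; the operator decides to drop 'invalid'.
    'not-found' must stay accepted or every unsigned prefix on the Internet disappears."""
    state = validate_route(prefix, origin_asn, roas)
    return state != "invalid" or not drop_invalid


# Constructed ROA set for the demonstration (see the comments above on each figure).
ROAS = [
    ROA("208.65.152.0/22", 22, 36561),   # YouTube's block, as if a ROA had existed in 2008
    ROA("196.1.0.0/24", 24, 64496),      # slide 10 block, documentation ASN as holder
    ROA("2001:4290::/32", 48, 64496),    # slide 10 IPv6 block, holder may deaggregate to /48
]


def demo():
    return {
        "youtube_legit":   validate_route("208.65.152.0/22", 36561, ROAS),
        "youtube_hijack":  validate_route("208.65.153.0/24", 17557, ROAS),  # 2008: wrong AS, more specific
        "too_specific":    validate_route("208.65.153.0/24", 36561, ROAS),  # right AS, /24 > maxLength 22
        "v6_subnet":       validate_route("2001:4290:abcd::/48", 64496, ROAS),
        "v6_too_specific": validate_route("2001:4290:abcd::/64", 64496, ROAS),
        "no_roa":          validate_route("2c0f:face:b00c::/48", 64496, ROAS),  # slide 13 block, no ROA
    }
```

The 2008 announcement comes out "invalid" twice over: the origin AS is not the one in the ROA, and a /24 is longer than the ROA's maxLength. A router that drops invalids (accept() with the default) would have ignored it, which is the "would have prevented" claim of slide 20 made precise. Note what the check does not do: an announcement of exactly 208.65.152.0/22 with AS36561 forged as the origin in the AS path comes out "valid", because origin validation never looks at the path; that gap is why AS-path validation is pursued separately.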

Implications for National Infrastructure

① Is the ccTLD DNSSEC enabled?
② Government network
  ☀ Support DNSSEC on all gov't networks
  ☀ Is gov't IP space RPKI-protected?
③ Key network operators (ideally everyone)
  ☀ Secure your names (domains) with DNSSEC
  ☀ Secure your numbers (IP addresses and ASNs) with RPKI

Because cyber crime is an industry that will only grow (to the chagrin of us all) and extend to cyber war & terrorism


Source: http://www.dnssec-deployment.org


Consequences: think of the effect

① We consolidate governance around technology … then the e-gov't portal is inaccessible due to attack
② We consolidate education around hosted content, and that platform is inaccessible
③ Our bank websites get hijacked

Our digital way of life is under threat

e-Banking, e-Gov't, e-Commerce

The Problem: Breakdown of TRUST


Call to Action

RPKI & DNSSEC are not silver bullets, but they are a core part of the solution.
Fix up your own part of this mess!
RPKI & DNSSEC on gov't infrastructure

Na Gode! Thank You! Sh'kran

[email protected] | Twitter: @perfexcellent