the importance of being an earnest stub
play

The Importance of Being an Earnest stub Challenges and solution for - PowerPoint PPT Presentation

Sep 11, 2022 •131 likes •597 views

The Importance of Being an Earnest stub Challenges and solution for the versatile stub Willem Toorop 13 May 2017 OARC 26 (Madrid) From the ground-up security Authoritative . Authoritative net dns-oarc.net A dns-oarc.net A Recursive

  1. The Importance of Being an Earnest stub Challenges and solution for the versatile stub Willem Toorop 13 May 2017 OARC 26 (Madrid)

  2. From the ground-up security Authoritative . Authoritative net dns-oarc.net A dns-oarc.net A Recursive Authoritative resolver dns-oarc.net ← Browser 64.191.0.198 (application) WebSrv → → https stub OS ● Every “secure” connection is preceded by a DNS lookup ● The stub does the lookup at the request of the application The recursive resolver does all the heavy lifting Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 2/45

  3. From the ground-up security Authoritative . t e n . c r a 1 o . - 6 s . n 6 d . Authoritative 6 = net dns-oarc.net A dns-oarc.net A Validation Authoritative Recursive dns-oarc.net resolver ← Browser 64.191.0.198 (application) WebSrv → → https stub OS ● DNSSEC protects against cache poisoning Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 3/45

  4. From the ground-up security Authoritative . ← 6.6.6.1 Authoritative dns-oarc.net A? net Validation Authoritative Recursive dns-oarc.net resolver Browser (application) WebSrv → http stub OS THE ● DNSSEC protects against cache poisoning FIRST/LAST ● But not against resolver hijacking MILE ( i.e. ARP or DHCP hijacking or routing tricks ) Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 4/45

  5. From the ground-up security Authoritative . Authoritative net dns-oarc.net DNSKEY DS A DNSSEC Aware Authoritative Recursive DNSKEY DS dns-oarc.net resolver net Browser DNSKEY (application) WebSrv · https stub OS THE ● DNSSEC protects against cache poisoning FIRST/LAST ● But not against resolver hijacking MILE ● One possibility: DNSSEC on the stub Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 5/45

  6. From the ground-up security/privacy Authoritative . Authoritative net dns-oarc.net A Validation Authoritative Recursive dns-oarc.net ← resolver 64.191.0.198 Browser → (application) WebSrv https stub OS THE ● DNSSEC protects against cache poisoning FIRST/LAST ● But not against resolver hijacking MILE ● Another possibility: DNS over TLS Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 6/45

  7. From the ground-up security/privacy Authoritative . Applies to DNS over TLS too Authoritative net dns-oarc.net A Validation Authoritative Recursive dns-oarc.net ← resolver 64.191.0.198 Browser → (application) WebSrv https https stub OS ● TLS hijacking? Is That Possible?! Durumeric, Zakir, et al. "The Security Impact of HTTPS Interception." ● Network and Distributed Systems Symposium (NDSS’17) . 2017. https://www.internetsociety.org/doc/security-impact-https-interception Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 7/45

  8. From the ground-up security/privacy ● Strengthen TLS security with the stub: DANE ( DNS-based Authentication of Named Entities ) ● Also signalling system for TLS support ( For application without user interaction ) Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 8/45

  9. From the ground-up security/privacy Authenticate DNS-over-TLS Authoritative with DANE? . Authoritative net dns-oarc.net A Validation Authoritative Recursive dns-oarc.net ← resolver 64.191.0.198 Browser → (application) WebSrv https stub OS ● Bootstrap the TLSA lookup with regular DNS? Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 9/45

  10. From the ground-up security/privacy Authenticate A DNS-over-TLS S L T _853._tcp.getdnsapi.net Authoritative with DANE? . Authoritative DNSSEC Aware getdnsapi.net S net D S Recursive D Y E Y K E S K N S resolver D net N Authoritative D Y E K Authoritative S dns-oarc.net N D · getdnsapi.net Browser dns-oarc.net A → Validation (application) WebSrv Recursive stub resolver ← 64.191.0.198 https OS ● Bootstrap the TLSA lookup with regular DNS? – Chicken and Egg problem Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 10/45

  11. From the ground-up security/privacy Authoritative . _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS Authoritative . DNSKEY RRSIGs net Authoritative Authoritative dns-oarc.net getdnsapi.net Browser dns-oarc.net A → Validation (application) WebSrv Recursive _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS . DNSKEY RRSIGs stub resolver ← 64.191.0.198 https OS ● Bootstrap the TLSA lookup with regular DNS? ● Have the TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 11/45

  12. From the ground-up security/privacy Authoritative . _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS Authoritative . DNSKEY RRSIGs net Authoritative Authoritative dns-oarc.net getdnsapi.net Browser dns-oarc.net A → Validation (application) WebSrv Recursive _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS . DNSKEY RRSIGs stub resolver ← 64.191.0.198 TLS DNSSEC https OS authentication chain ● Bootstrap the TLSA lookup with regular DNS? extension must be ● Have the TLSA record + the complete DNSSEC obligatory, to prevent the authentication chain embedded in a TLS extension “Too many CA’s” problem https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 12/45

  13. From the ground-up security/privacy DNS Privacy status DNSSEC Availability X Clear text DNS X Private DNS X Authenticated X Private DNS ● The stub is close to the application Inform status of DNSSEC and DNS Privacy Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 13/45

  14. From the ground-up security/privacy Authoritative . Authoritative Round-robin net Validation Recursive Validation Authoritative dns-oarc.net resolver Recursive Validation Browser resolver Recursive Validation (application) resolver WebSrv Recursive Validation stub resolver Recursive resolver OS ● Enhanced privacy by Bonus round-robining Feature upstreams Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 14/45

  15. From the ground-up Non address lookups security/privacy DNS over TLS DNSSEC ● Requirements for the versatile stub API Cross the first DNSSEC mile X From the ground up Privacy X Strengthened TLS authentication (DANE) X X Strengthened opportunistic TLS (DANE) X X Provide status of DNSSEC & DNS over TLS X Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 15/45

  16. From the ground-up Non address lookups security/privacy DNS over TLS DNSSEC ● Requirements for the versatile stub API Cross the first DNSSEC mile X From the ground up Privacy X Strengthened TLS authentication (DANE) X X Strengthened opportunistic TLS (DANE) X X Provide status of DNSSEC & DNS over TLS X Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 16/45

  17. DNSSEC Roadblocks Authoritative . Authoritative net dns-oarc.net DNSKEY DS A recu cursive ve Authoritative DNSKEY DS resolve ver dns-oarc.net net Browser DNSKEY (application) WebSrv · https stub OS ● Resolving DNSSEC (to cross the first mile) needs DNSSEC Aware recursive resolver Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 17/45

  18. DNSSEC Roadblocks Authoritative . Authoritative net recu cursive ve Authoritative resolve ver dns-oarc.net Browser (application) WebSrv https stub OS ● Resolving DNSSEC (to cross the first mile) needs DNSSEC Aware recursive resolver ● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027 +Full recursion capability Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 18/45

  19. DNSSEC Roadblocks Authoritative . Does not apply to first-mile Does not apply to first-mile Authoritative crossed by DNS-over-TLS net crossed by DNS-over-TLS recu cursive ve Authoritative Authoritative resolve ver . dns-oarc.net _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS Browser net DNSKEY DS Authoritative . DNSKEY RRSIGs net (application) WebSrv Authoritative Authoritative https dns-oarc.net stub getdnsapi.net Browser dns-oarc.net A → Validation (application) Recursive WebSrv _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS . DNSKEY RRSIGs stub resolver OS ← 64.191.0.198 https OS ● Resolving DNSSEC (to cross the first mile) needs DNSSEC Aware recursive resolver ● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027 +Full recursion capability Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 19/45

Recommend

The Importance of Being Earnest Emily Malterre Celena Marsters Mackenzie Willis Literary

The Importance of Being Earnest Emily Malterre Celena Marsters Mackenzie Willis Literary

The Importance of Being Earnest Emily Malterre Celena Marsters Mackenzie Willis Literary Devices Satire Epigram Symbolism of Food Satire: use of humor, irony, exaggeration, or ridicule to exploit vices in other characters or

423 views • 14 slides
The Importance of Being Earnest Oscar Fingal OFlahertie Wills Wilde Ernest st D., ., Ern

The Importance of Being Earnest Oscar Fingal OFlahertie Wills Wilde Ernest st D., ., Ern

The Importance of Being Earnest Oscar Fingal OFlahertie Wills Wilde Ernest st D., ., Ern rnest est E., ., Ern rnest est G., ., Ern rnest est H. H. Choices of the Author Dramatic matic Irony Chara ract cterizati

562 views • 18 slides
EARNEST Study Schools Workshop Paris, 11 February SUBJECTS 1 - CCEMS Short Presentation 2

EARNEST Study Schools Workshop Paris, 11 February SUBJECTS 1 - CCEMS Short Presentation 2

EARNEST Study Schools W orkshop 10-11 February 2007 La Maison Internationale, Paris, France W hat are the infrastructure and service needs of schools? 1 4 :2 0 1 4 :4 0 h Marco Neves ( m neves@ccem s.pt) EARNEST Study Schools Workshop

201 views • 18 slides
SUSAN EARNEST PROFESSIONAL, EXPERIENCED, TRUSTWORTHY Licensed for 20 Years 310.245.1279 |

SUSAN EARNEST PROFESSIONAL, EXPERIENCED, TRUSTWORTHY Licensed for 20 Years 310.245.1279 |

SUSAN EARNEST PROFESSIONAL, EXPERIENCED, TRUSTWORTHY Licensed for 20 Years 310.245.1279 | SusanEarnestRealtor@gmail.com www.SusanEarnestRealEstate.com eReal Estate Corp. 414 Torrance Blvd. Redondo Beach, CA 90277 DRE# 01272987 SUSAN EARNEST

623 views • 18 slides
Multi-scale simulations of whole Tyler Earnest / PI: Zan Luthey-Schulten (UIUC) NCSA Blue Waters

Multi-scale simulations of whole Tyler Earnest / PI: Zan Luthey-Schulten (UIUC) NCSA Blue Waters

Multi-scale simulations of whole Tyler Earnest / PI: Zan Luthey-Schulten (UIUC) NCSA Blue Waters Symposium for Petascale Science and yeast cells Beyond: June 6, 2018 Chemical kinetic simulations Earnest, , ZLS Rep. Prog. Phys (2018)

762 views • 44 slides
Procedure For Purchase Flow Chart Earnest Money (RM12k to RM50k) Sign OTP upon Sale Estimated

Procedure For Purchase Flow Chart Earnest Money (RM12k to RM50k) Sign OTP upon Sale Estimated

Procedure For Purchase Flow Chart Earnest Money (RM12k to RM50k) Sign OTP upon Sale Estimated within 2wks Letter of Acceptance/ Sign SPA (Sales & Purchase Agreement) Pay Balance 10% Downpayment minus Earnest Money Pay State Levy

227 views • 8 slides
readme 1. rpcgen -a task.x task.h (header file to be included) task_xdr.c (XDR: External Data

readme 1. rpcgen -a task.x task.h (header file to be included) task_xdr.c (XDR: External Data

readme 1. rpcgen -a task.x task.h (header file to be included) task_xdr.c (XDR: External Data Representation, to be used by client/server stub) task_clnt.c (client stub) task_svc.c (server stub) task_client.c (client program template)

337 views • 12 slides
Noise Characteriza.on of Quantum Amplifiers Nathan Earnest

Noise Characteriza.on of Quantum Amplifiers Nathan Earnest

Noise Characteriza.on of Quantum Amplifiers Nathan Earnest Mentor: Yi Yin PI: John Mar.nis August 19 th , 2010 Quantum Informa.on Lab Superposi.on

1.71k views • 10 slides
Research Workgroup June 3, 2019 For most of our nations history, earnest and knowledgeable

Research Workgroup June 3, 2019 For most of our nations history, earnest and knowledgeable

Research Workgroup June 3, 2019 For most of our nations history, earnest and knowledgeable Americans have debated how to approach our education system. We have called for reforms of every description. Weve debated how to teach, what

615 views • 14 slides
Presentation to the Indian Affairs Committee Brent Earnest, Deputy Secretary, HSD September 29,

Presentation to the Indian Affairs Committee Brent Earnest, Deputy Secretary, HSD September 29,

Presentation to the Indian Affairs Committee Brent Earnest, Deputy Secretary, HSD September 29, 2014 New Mexico Human Services Department What at i is SNA SNAP? SNAP provides assistance for the purchase of food to eligible, low-income

308 views • 12 slides
Presentation to the Legislative Finance Committee FY19 Appropriation Request Brent Earnest,

Presentation to the Legislative Finance Committee FY19 Appropriation Request Brent Earnest,

Presentation to the Legislative Finance Committee FY19 Appropriation Request Brent Earnest, Secretary December 6, 2017 New Mexico Human Services Department Todays days Presentat atio ion HSD FY19 Appropriation Request Overview

307 views • 28 slides
Interim presentation Third quarter 2019 Sverre Hurum, CEO Erik Stub, CFO 7 November 2019

Interim presentation Third quarter 2019 Sverre Hurum, CEO Erik Stub, CFO 7 November 2019

Interim presentation Third quarter 2019 Sverre Hurum, CEO Erik Stub, CFO 7 November 2019 Bouvets ambition We will be the most credible consultancy with the most satisfied employees and clients 2 Long term goals Best workplace Client

752 views • 31 slides
Data integration Tyler M. Earnest July 19, 2018 Hands-On Workshop on Cell Scale Simulations,

Data integration Tyler M. Earnest July 19, 2018 Hands-On Workshop on Cell Scale Simulations,

Data integration Tyler M. Earnest July 19, 2018 Hands-On Workshop on Cell Scale Simulations, Urbana, IL 1 Introduction Not ab initio ! Required data Reactions Rate parameters Diffusion coefficients Geometry 2 Common

705 views • 34 slides
SAVE OUR SLIDES: POWERPOINT DESIGN THAT WORKS Download Free Author: Billy Earnest Number of

SAVE OUR SLIDES: POWERPOINT DESIGN THAT WORKS Download Free Author: Billy Earnest Number of

SAVE OUR SLIDES: POWERPOINT DESIGN THAT WORKS Download Free Author: Billy Earnest Number of Pages: 88 pages Published Date: 06 Sep 2013 Publisher: Kendall/Hunt Publishing Co ,U.S. Publication Country: Iowa, United States Language: English

272 views • 4 slides
A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for

A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for

A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for resolving) by and for application developers (for application) First implementation by LABS and From Verisign: From NLnet Labs: Theogene Bucuti,

1.63k views • 113 slides
AVOID Study Air Versus Oxygen In ST-elevation MyocarDial Infarction Dr Dion Stub MBBS PhD FRACP

AVOID Study Air Versus Oxygen In ST-elevation MyocarDial Infarction Dr Dion Stub MBBS PhD FRACP

AVOID Study Air Versus Oxygen In ST-elevation MyocarDial Infarction Dr Dion Stub MBBS PhD FRACP Baker IDI Heart & Diabetes Institute, Melbourne Australia St Pauls Hospital Vancouver, Canada On behalf of Karen Smith, Stephen Bernard, Ziad

312 views • 15 slides
Interim presentation First quarter 2020 19. May 2020 Sverre Hurum, CEO Erik Stub, CFO Our

Interim presentation First quarter 2020 19. May 2020 Sverre Hurum, CEO Erik Stub, CFO Our

Interim presentation First quarter 2020 19. May 2020 Sverre Hurum, CEO Erik Stub, CFO Our services Multi-channel strategy Innovation Enterprise architecture DevOps Business intelligence IT architecture Product strategy Test management

640 views • 35 slides
NEW PRODUCTS 20 10 3,544 NEW PRODUCTS FOR YOU IN 2010 S S H H E E HIGH SPEED STEEL

NEW PRODUCTS 20 10 3,544 NEW PRODUCTS FOR YOU IN 2010 S S H H E E HIGH SPEED STEEL

NEW PRODUCTS 20 10 3,544 NEW PRODUCTS FOR YOU IN 2010 S S H H E E HIGH SPEED STEEL GENERAL PURPOSE STUB DRILLS BRIGHT FINISH R R 1. General purpose HSS stub drills for use on automatics and turret lathes suitable W W

488 views • 36 slides
Extended Interface Grammars for Automated Stub Generation Graham Hughes Tevfik Bultan

Extended Interface Grammars for Automated Stub Generation Graham Hughes Tevfik Bultan

Extended Interface Grammars for Automated Stub Generation Graham Hughes Tevfik Bultan Department of Computer Science University of California, Santa Barbara Outline Motivation Interface Grammars Shape Types Interface

775 views • 36 slides
Interim presentation Fourth quarter 2019 Sverre Hurum, CEO Erik Stub, CFO 25 February 2020

Interim presentation Fourth quarter 2019 Sverre Hurum, CEO Erik Stub, CFO 25 February 2020

Interim presentation Fourth quarter 2019 Sverre Hurum, CEO Erik Stub, CFO 25 February 2020 #bouvetdeler 2 Breakfast seminars 3 BouvetOne 4 Universum Professional Survey and YPAI 2019 Source:

628 views • 33 slides
Third Quarter 2011 CEO Sverre Hurum CFO Erik Stub Disclaimer The information contained in the

Third Quarter 2011 CEO Sverre Hurum CFO Erik Stub Disclaimer The information contained in the

15 November 2011 Third Quarter 2011 CEO Sverre Hurum CFO Erik Stub Disclaimer The information contained in the Presentation is for your use only. Recipients may not reproduce, redistribute or pass on, in whole or in part, the Presentation to

432 views • 20 slides
Party on! A new, conditional variable importance A new, conditional importance measure for

Party on! A new, conditional variable importance A new, conditional importance measure for

Measuring variable Party on! A new, conditional variable importance A new, conditional importance measure for random forests importance Conclusion available in party References Carolin Strobl (LMU M unchen) and Achim Zeileis (WU Wien)

639 views • 21 slides
Interim presentation first quarter 2018 Sverre Hurum, CEO Erik Stub, CFO 16 May 2018

Interim presentation first quarter 2018 Sverre Hurum, CEO Erik Stub, CFO 16 May 2018

Interim presentation first quarter 2018 Sverre Hurum, CEO Erik Stub, CFO 16 May 2018 Highlights in the quarter Revenue and number of employees MNOK and number o Revenue and EBIT 500 450 Operating revenues increased by 10.3 percent

284 views • 25 slides
First Quarter 2011 CEO Sverre Hurum CFO Erik Stub Disclaimer The information contained in the

First Quarter 2011 CEO Sverre Hurum CFO Erik Stub Disclaimer The information contained in the

24 May 2011 First Quarter 2011 CEO Sverre Hurum CFO Erik Stub Disclaimer The information contained in the Presentation is for your use only. Recipients may not reproduce, redistribute or pass on, in whole or in part, the Presentation to any

393 views • 23 slides

More recommend