  1. The Importance of Being an Earnest stub
     Challenges and solution for the versatile stub
     Willem Toorop, 13 May 2017, OARC 26 (Madrid)

  2. From the ground-up security
     [Diagram: Browser (application) → stub (in the OS) → recursive resolver → authoritative servers for ., net and dns-oarc.net. The stub asks for dns-oarc.net A, gets 64.191.0.198 back, and the browser then connects to the WebSrv over https]
     ● Every "secure" connection is preceded by a DNS lookup
     ● The stub does the lookup at the request of the application; the recursive resolver does all the heavy lifting
     Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 2/45

  3. From the ground-up security
     [Same diagram, now with validation at the recursive resolver; an attacker tries to inject "dns-oarc.net = 6.6.6.1" into the resolver's cache]
     ● DNSSEC protects against cache poisoning

  4. From the ground-up security (the first/last mile)
     [Same diagram: a hijacked recursive resolver answers "dns-oarc.net A?" with 6.6.6.1, and the browser ends up talking to the attacker's WebSrv over plain http]
     ● DNSSEC protects against cache poisoning
     ● But not against resolver hijacking (i.e. ARP or DHCP hijacking, or routing tricks)

  5. From the ground-up security (the first/last mile)
     [Same diagram: a DNSSEC-aware stub fetches dns-oarc.net A together with the DNSKEY and DS records for dns-oarc.net, net and the root, and validates the answer itself before the browser connects over https]
     ● DNSSEC protects against cache poisoning
     ● But not against resolver hijacking
     ● One possibility: DNSSEC on the stub

  6. From the ground-up security/privacy (the first/last mile)
     [Same diagram: the stub talks to the validating recursive resolver over TLS; dns-oarc.net A → 64.191.0.198, then https to the WebSrv]
     ● DNSSEC protects against cache poisoning
     ● But not against resolver hijacking
     ● Another possibility: DNS over TLS

  7. From the ground-up security/privacy
     [Same diagram; the note "Applies to DNS over TLS too" points at the TLS hop between the stub and the recursive resolver]
     ● TLS hijacking? Is that possible?!
     ● Durumeric, Zakir, et al. "The Security Impact of HTTPS Interception." Network and Distributed Systems Symposium (NDSS'17), 2017. https://www.internetsociety.org/doc/security-impact-https-interception

  8. From the ground-up security/privacy
     ● Strengthen TLS security with the stub: DANE (DNS-based Authentication of Named Entities)
     ● DANE is also a signalling system for TLS support (for applications without user interaction, which cannot ask anyone whether to accept a connection)

  9. From the ground-up security/privacy: authenticate DNS-over-TLS with DANE?
     [Same diagram as slide 6]
     ● Bootstrap the TLSA lookup with regular DNS?

  10. From the ground-up security/privacy: authenticate DNS-over-TLS with DANE?
     [Diagram: to authenticate the DNS-over-TLS upstream getdnsapi.net, the stub needs _853._tcp.getdnsapi.net TLSA plus the DNSKEY and DS records for getdnsapi.net, net and the root, but the only place it can fetch them from is the recursive resolver it has not authenticated yet]
     ● Bootstrap the TLSA lookup with regular DNS? Chicken-and-egg problem

  11. From the ground-up security/privacy
     [Diagram: the resolver hands the stub _853._tcp.getdnsapi.net TLSA, getdnsapi.net DNSKEY + DS, net DNSKEY + DS, the root DNSKEY and all RRSIGs inside the TLS handshake; the stub validates that chain and then authenticates the https-style connection to the resolver]
     ● Bootstrap the TLSA lookup with regular DNS?
     ● Have the TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension: https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension

  12. From the ground-up security/privacy
     [Same diagram as slide 11]
     ● Bootstrap the TLSA lookup with regular DNS?
     ● Have the TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension: https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension
     ● The TLS DNSSEC authentication chain extension must be obligatory, to prevent the "too many CAs" problem: if the client tolerates a handshake without the extension, an attacker holding a certificate from any one of the many trusted CAs can simply omit it and be accepted on PKIX alone
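The matching step that slides 8 to 12 take for granted, as an added example that is not part of this deck and not getdns code: once the stub holds the `_853._tcp.<upstream>` TLSA record (from a regular lookup or from the TLS DNSSEC chain extension), it compares it with the leaf certificate the DNS-over-TLS upstream presented. The certificate, its SPKI and the TLSA data are constructed inline here (`build_constructed_cert`, `SAMPLE_CERT`, `OTHER_CERT` are illustrative, not getdnsapi.net's real certificate or record), and only the DANE-EE usage (3) is decided, because that is the one a stub can settle without a chain or PKIX validation.

```python
"""DANE (RFC 6698) TLSA matching, as a stub would apply it to a DNS-over-TLS upstream.
Constructed example: certificate and TLSA record are built inline; no network, no real getdnsapi.net data."""
import hashlib
import hmac
from dataclasses import dataclass

# --- minimal DER helpers: enough to walk an X.509 certificate to its SPKI ---
def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_read(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_certificate(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo (what TLSA selector 1 covers) from a certificate:
    Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ... }, signatureAlgorithm, signature }"""
    tag, pos, _ = _der_read(cert_der, 0)          # Certificate
    tag2, pos, _ = _der_read(cert_der, pos)       # tbsCertificate
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER X.509 certificate")
    tag, _, end = _der_read(cert_der, pos)
    if tag == 0xA0:                               # explicit [0] version, present in v3 certs
        pos = end
    for _ in range(5):                            # serial, signature alg, issuer, validity, subject
        _, _, pos = _der_read(cert_der, pos)
    tag, _, end = _der_read(cert_der, pos)
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    return cert_der[pos:end]

# --- TLSA record handling ---
@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        u, s, m, *hexparts = text.split()         # zone-file form: "3 1 1 <hex digest>"
        return cls(int(u), int(s), int(m), bytes.fromhex("".join(hexparts)))

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    selected = cert_der if selector == 0 else spki_from_certificate(cert_der)
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")

def make_tlsa(cert_der: bytes, usage: int, selector: int, mtype: int) -> TLSA:
    """The record the operator of the DNS-over-TLS service publishes for its certificate."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))

def tlsa_matches(record: TLSA, cert_der: bytes) -> bool:
    return hmac.compare_digest(association_data(cert_der, record.selector, record.mtype), record.data)

def dane_ee_authenticated(records, leaf_cert_der: bytes) -> bool:
    """Accept the upstream if any DANE-EE (usage 3) record matches its leaf certificate.
    Usage 3 needs neither PKIX nor the rest of the chain, so a stub can apply it alone; usages
    0-2 are deliberately ignored here because they need the chain (and PKIX) this never sees."""
    return any(r.usage == 3 and tlsa_matches(r, leaf_cert_der) for r in records)

# --- constructed sample data: structurally valid, unsigned X.509 skeletons (test data only) ---
_OID_EC_PUBKEY = bytes.fromhex("2a8648ce3d0201")
_OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")

def _spki(point: bytes) -> bytes:
    return _der(0x30, _der(0x30, _der(0x06, _OID_EC_PUBKEY)) + _der(0x03, b"\x00\x04" + point))

def build_constructed_cert(spki: bytes, serial: int) -> bytes:
    validity = _der(0x17, b"170513000000Z") + _der(0x17, b"180513000000Z")
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
           + _der(0x30, _der(0x06, _OID_ECDSA_SHA256)) + _der(0x30, b"")
           + _der(0x30, validity) + _der(0x30, b"") + spki)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, _der(0x06, _OID_ECDSA_SHA256))
                + _der(0x03, b"\x00" + bytes(8)))

SAMPLE_SPKI = _spki(bytes(64))
SAMPLE_CERT = build_constructed_cert(SAMPLE_SPKI, 1)
OTHER_CERT = build_constructed_cert(_spki(b"\xff" * 64), 2)

if __name__ == "__main__":
    rec = make_tlsa(SAMPLE_CERT, 3, 1, 1)         # the usual "3 1 1" form
    print("TLSA", rec.usage, rec.selector, rec.mtype, rec.data.hex(), "accepted:", dane_ee_authenticated([rec], SAMPLE_CERT))
```

In a real stub the leaf certificate comes out of the TLS library (in Python, `ssl.SSLSocket.getpeercert(binary_form=True)` returns the DER bytes) after a handshake done with certificate verification disabled, since DANE-EE is the verification. The bootstrap problem of slides 9 and 10 is untouched by this code: it only says whether the record matches, not whether the record itself was obtained securely, which is what the chain extension of slide 11 is for.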

  13. From the ground-up security/privacy
     [Status panel on the slide: DNSSEC (availability) and the DNS privacy level reached: clear text DNS, private DNS, or authenticated private DNS]
     ● The stub is close to the application: inform it of the status of DNSSEC and DNS privacy

  14. From the ground-up security/privacy (bonus feature)
     [Diagram: the stub spreads its queries round-robin over several validating recursive resolvers]
     ● Enhanced privacy by round-robining upstreams

  15. From the ground-up security/privacy (this table is repeated on slide 16)
     ● Requirements for the versatile stub API, and which of three capabilities each one needs (non-address lookups, DNS over TLS, DNSSEC):
       - Cross the first DNSSEC mile: DNSSEC
       - From-the-ground-up privacy: DNS over TLS
       - Strengthened TLS authentication (DANE): non-address lookups, DNSSEC
       - Strengthened opportunistic TLS (DANE): non-address lookups, DNSSEC
       - Provide status of DNSSEC & DNS over TLS: X (a single mark on the slide)

  17. DNSSEC Roadblocks
     [Same DNSSEC-aware stub diagram as slide 5, but the recursive resolver is now drawn as one that is not DNSSEC-aware]
     ● Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver

  18. DNSSEC Roadblocks
     [Same diagram as slide 17]
     ● Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver
     ● DNSSEC Roadblock Avoidance: https://tools.ietf.org/html/rfc8027, plus full recursion capability in the stub as the fallback when the upstream cannot be used

  19. DNSSEC Roadblocks
     [Same diagram, with the DNS-over-TLS chain picture of slide 11 overlaid and the annotation "Does not apply to first-mile crossed by DNS-over-TLS"]
     ● Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver
     ● DNSSEC Roadblock Avoidance: https://tools.ietf.org/html/rfc8027, plus full recursion capability
     ● Does not apply to a first mile crossed by DNS-over-TLS
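What slides 17 to 19 describe in one line, as an added example that is neither the deck's nor getdns's code: the stub sends a `. DNSKEY` probe with EDNS0 and the DO bit to the upstream, decodes the answer, and decides whether the upstream can be used for validation or whether it must fall back to full recursion. The wire-format encoder, the probe and both responses are constructed inline (`PROBE`, `RESPONSE_VALIDATING`, `RESPONSE_STRIPPED` are made-up messages with placeholder key and signature bytes, not captured traffic); RFC 8027 itself runs a whole series of such probes, and this block shows the decoding and the decision for one of them.

```python
"""Classify an upstream resolver's DNSSEC capabilities from a probe response, RFC 8027 style.
Constructed example: the probe query and both responses are built inline; nothing touches the network."""
import struct

TYPE_DNSKEY, TYPE_RRSIG, TYPE_OPT = 48, 46, 41
FLAG_AD = 0x0020          # header flag: the resolver validated the answer
EDNS_DO = 0x8000          # DNSSEC OK bit, carried in the OPT RR's TTL field

def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg: bytes, pos: int):
    """Return (name, next_pos); follows RFC 1035 compression pointers."""
    labels, nxt = [], None
    while True:
        l = msg[pos]
        if l & 0xC0 == 0xC0:                       # pointer: 14-bit offset into the message
            nxt = nxt if nxt is not None else pos + 2
            pos = ((l & 0x3F) << 8) | msg[pos + 1]
            continue
        pos += 1
        if l == 0:
            break
        labels.append(msg[pos:pos + l].decode("ascii"))
        pos += l
    return ".".join(labels) + ".", (pos if nxt is None else nxt)

def opt_rr(do: bool, bufsize: int = 4096) -> bytes:
    """EDNS0 OPT pseudo-RR: root owner, CLASS holds the UDP payload size, TTL holds the flags."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO if do else 0, 0)

def build_query(qname: str, qtype: int, msg_id: int, do: bool = True) -> bytes:
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)     # RD; 1 question, 1 additional (OPT)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt_rr(do)

def rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    """owner is passed already wire-encoded so a compression pointer can be used."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(query: bytes, answers, edns: bool, do: bool, ad: bool, rcode: int = 0) -> bytes:
    msg_id = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    flags = 0x8180 | (FLAG_AD if ad else 0) | rcode                 # QR, RD, RA
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 1 if edns else 0)
    return header + query[12:qend + 4] + b"".join(answers) + (opt_rr(do) if edns else b"")

def parse_response(msg: bytes) -> dict:
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        _, pos = decode_name(msg, pos)
        pos += 4
    answer_types, edns, do = [], False, False
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            _, pos = decode_name(msg, pos)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10 + rdlen
            if rtype == TYPE_OPT:
                edns, do = True, bool(ttl & EDNS_DO)
            elif section == "an":
                answer_types.append(rtype)
    return {"id": msg_id, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "edns": edns, "do": do, "answer_types": answer_types}

def classify(query_id: int, response: bytes) -> dict:
    """Map one response to the '. DNSKEY' probe onto the RFC 8027 capability checks."""
    r = parse_response(response)
    if r["id"] != query_id:                     # not our answer: count as no usable response
        return {"plain_dns": False, "edns0": False, "do_bit": False, "rrsig": False, "ad": False}
    return {"plain_dns": r["rcode"] == 0 and TYPE_DNSKEY in r["answer_types"],
            "edns0": r["edns"], "do_bit": r["do"],
            "rrsig": TYPE_RRSIG in r["answer_types"], "ad": r["ad"]}

def needs_full_recursion(caps: dict) -> bool:
    """A validating stub needs EDNS0, the DO bit honoured and RRSIGs returned; without them it
    cannot validate through this upstream and has to resolve (and validate) on its own."""
    return not (caps["edns0"] and caps["do_bit"] and caps["rrsig"])

# --- constructed probe and sample responses (no real keys or signatures) ---
PROBE_ID = 0x1234
PROBE = build_query(".", TYPE_DNSKEY, PROBE_ID)
_ROOT_PTR = b"\xc0\x0c"                                    # compression pointer to the question name
_DNSKEY_RDATA = struct.pack("!HBB", 257, 3, 8) + bytes(16)  # flags=KSK, protocol 3, alg 8, fake key
RESPONSE_VALIDATING = build_response(                      # what a DNSSEC-aware upstream returns
    PROBE, [rr(_ROOT_PTR, TYPE_DNSKEY, _DNSKEY_RDATA), rr(_ROOT_PTR, TYPE_RRSIG, bytes(24))],
    edns=True, do=True, ad=True)
RESPONSE_STRIPPED = build_response(                        # a middlebox dropped OPT and the RRSIG
    PROBE, [rr(_ROOT_PTR, TYPE_DNSKEY, _DNSKEY_RDATA)], edns=False, do=False, ad=False)

if __name__ == "__main__":
    for label, resp in (("validating upstream", RESPONSE_VALIDATING), ("stripped", RESPONSE_STRIPPED)):
        caps = classify(PROBE_ID, resp)
        print(label, caps, "-> full recursion needed:", needs_full_recursion(caps))
```

The AD bit is reported but deliberately not part of the decision: a stub that validates itself does not trust the upstream's AD flag, it only needs the upstream to pass the signed data through. Note also that the probe is worthless if the response ID does not match the query ID, which is why `classify` treats that as "no usable response" rather than reading anything out of it.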
