View
218
Download
0
Category
Tags:
Preview:
Citation preview
Designing a Secure and Resilient Internet Infrastructure
Dan MasseyUSC/ISI
2 May 03 2masseyd@isi.edu
Overview
Internet Infrastructure
Overview and Vulnerabilities
Securing the Domain Name System
IETF Standard for Authentication of DNS
Responses
Critical Failures and Lessons Learned
Open Challenges for Infrastructure Security
2 May 03 3masseyd@isi.edu
Internet Infrastructure
Internet relies on fundamental infrastructures BGP Internet Routing Protocol DNS Internet Naming Service
Failure at these levels often can’t be overcome. Provide basic packet delivery functions.
Protocol Designs Show Signs of Age Growing complexity of large-scale systems. Demand for new features and services. Primarily designed for only fail-stop faults. Little or no protection against malicious attacks.
2 May 03 4masseyd@isi.edu
Example Infrastructure Problems
BGP Routing Fault Example: ISP mistakenly announced routes to 3000+
prefixes (destinations) it did not own. Other ISPs adopt these routes and
blackholed traffic to those sites. DNS Root Server Attack Example:
Recent DDoS attack disabled majority of the 13 DNS root servers.
Bringing down all 13 root servers is frequently mentioned as a worst case scenario that would “cripple the Internet”.
2 May 03 5masseyd@isi.edu
A More Interesting Example
InternetInternet c.gtld-servers.net
rrc00 monitor
192.26.92.30
originates route to 192.26.92/24
Invalid BGP routes exist in everyone’s table. These can include routes to root/gTLD servers One example observed on 4/16/01:
ISPs announce new path3 lasted 20 minutes
1 lasted 3 hours
2 May 03 6masseyd@isi.edu
The Potential Catastrophic Attack
BGP routing can direct packets to false server.
Detected false BGP routes to root/gTLD severs at major global ISPs. Routes lasted up to hours,
but were errors and faulty site did not reply.
Any response from false server would be believed. NANOG 25/ICDCS 2003 -
protecting BGP routes to DNS servers
Bell Labs Caching Server
Root serverSpoofed
Root server
Internet Routing
2 May 03 7masseyd@isi.edu
Securing the Internet Infrastructure
Cryptography is like magic fairy dust,we just sprinkle it on our protocols
and its makes everything secure
- See IEEE Security and Privacy Magazine, Jan 2003
2 May 03 8masseyd@isi.edu
Virtually every application uses
the Domain Name System (DNS).
DNS database maps:
Name to IP address
www.darpa.mil = 128.9.176.20
And many other mappings
(mail servers, IPv6, reverse…)
Data organized as tree structure.
Each zone is authoritative
for its local data.
Root
edu mil com
darpaisi ciscousmc
nge quantico
The Domain Name System
2 May 03 9masseyd@isi.edu
DNS Query and Response
Caching DNS Server
End-user
www.darpa.mil A?
www.darpa.mil A 128.9.128.127
Root DNS Server
Actually www.darpa.mil = 192.5.18.195. But how would you determine this?
mil DNS Server
darpa.mil DNS Server
2 May 03 10masseyd@isi.edu
DNS Vulnerabilities
Original DNS design focused on data availability
DNS zone data is replicated at multiple servers.
A DNS zone works as long as one server is available.
– DDoS attacks against the root must take out 13 root servers.
But the DNS design included no authentication.
Any DNS response is generally believed.
No attempt to distinguish valid data from invalid.
– Just one false root server could disrupt the entire DNS.
2 May 03 11masseyd@isi.edu
A Simple DNS Attack
Caching DNS Server
Sanjoy’s Laptop
www.darpa.mil A?
www.darpa.mil A 128.9.128.127
Root DNS Server
mil DNS Server
darpa.mil DNS Server
Dan’s Laptop
Easy to observe UDP DNS query sent to well known server on well known port.
www.darpa.mil A 192.5.18.19
First response wins. Second response is silently dropped on the floor.
2 May 03 12masseyd@isi.edu
A More Complex Attack
ns.attacker.com
Bell Labs Caching Server
Remote attacker
Query www.attacker.com
Response www.attacker.com A 128.9.128.127 attacker.com NS ns.attacker.com attacker.com NS www.google.com ns.attacker.com A 128.9.128.2 www.google.com A 128.9.128.127
Any Bell Labs Laptop
Query www.google.com
www.google.com= 128.9.128.127
2 May 03 13masseyd@isi.edu
The Problem in a Nutshell
Resolver can not distinguish between
valid and invalid data in a response.
Idea is to add source authentication
Verify the data received in a response is equal
to the data entered by the zone administrator.
Must work across caches and views.
Must maintain a working DNS for old clients.
2 May 03 14masseyd@isi.edu
Authentication DNS Responses
Each DNS zone signs its data using a private key.
Recommend signing done offline in advance
Query for a particular record returns:
The requested resource record set.
A signature (SIG) of the requested resource record set.
Resolver authenticates response using public
key.
Public key is pre-configured or learned via a sequence
of key records in the DNS heirarchy.
2 May 03 15masseyd@isi.edu
Secure DNS Query and Response
Caching DNS Server
End-user
www.darpa.mil
www.darpa.mil = 192.5.18.195Plus (RSA) signature by darpa.mil
Attacker can not forge this answer without the darpa.mil private key.
Authoritative DNS Servers
Challenge: add signatures to the protocol manage DNS public keys
2 May 03 16masseyd@isi.edu
Example of Signed Record
zen.nge.isi.edu. 82310 IN A 65.114.169.197zen.nge.isi.edu. 86400 IN SIG A 1 5 86400 20030226023910 ( 20030127023910 468 nge.isi.edu. 2gHZzvcB01VSnjF9K+0eet1sUQrGprMZC1Kn FNLSeJMMjN0Aw4Ewj5+Il8ejvqO0lX+njNOo EzlhXAV+mp5dT0WjJB+78Nv51UEHW0bQnt05 PQ86nXaTTXXQyYE3PSrmASfwXyVlXh430ty3 oWZUZdBZUgvqRGT97xLtagdrCq0= )
name TTL class SIG type_covered algorithm labels_in_name original_TTL expiration and inception dates key tag key name signature
2 May 03 17masseyd@isi.edu
Example Public Key
nge.isi.edu. 82310 IN KEY 256 3 1 ( 2gHZzvcB01VSnjF9K+0eet1sUQrGprMZC1Kn FNLSeJMMjN0Aw4Ewj5+Il8ejvqO0lX+njNOo EzlhXAV+mp5dT0WjJB+78Nv51UEHW0bQnt05nge.isi.edu. 86400 IN SIG KEY 1 3 86400 20030226023910 ( 20030127023910 569 isi.edu. 2gHZzvcB01VSnjF9K+0eet1sUQrGprMZC1Kn FNLSeJMMjN0Aw4Ewj5+Il8ejvqO0lX+njNOo EzlhXAV+mp5dT0WjJB+78Nv51UEHW0bQnt05 PQ86nXaTTXXQyYE3PSrmASfwXyVlXh430ty3 oWZUZdBZUgvqRGT97xLtagdrCq0= )
name TTL class KEY FLAGS PROTOCOL Algorithm public key
Note nge.isi.edu KEY is signedby isi.edu private key
2 May 03 18masseyd@isi.edu
There is no magic fairy dust
2 May 03 19masseyd@isi.edu
So Why Aren’t We There Yet
Scope of DNS security too broad Attempt to solve DNS security and build
generic global PKI at same time. RFC 2535 design was fatally flawed.
Key management did not scale and did not work in realistic operations.
Progress on Improving DNSSEC. RFC 3449 now limits scope to secure DNS. Revised DNS key management system
implemented and verified at workshops. Authenticated denial of existence? or
security?
2 May 03 20masseyd@isi.edu
Bush, Griffin, Meyer: draft-ymbk-arch-guidelines-03.txt
The implication for carrier IP networks then, is that to be successful we must drive our architectures and designs toward the simplest possible solutions.
complexity is the primary mechanism which impedes efficient scaling, and as a result is the primary driver of increases in both capital expenditures (CAPEX) and operational expenditures (OPEX).
Mike O’Dell:
Lesson: Simple Operations
2 May 03 21masseyd@isi.edu
RFC 2535 Key Change Process
Signatures from parent zone sit in child zone. Requires some sync
between parent/child Figure shows process
of a key change at edu.
Actual exchange is much more complex. “com” change
assumes rough sync shown here at 22 million different zones
ucdavis.edu edu
Select KEYset C1 Sign KEY
set C1
with P1
KEY set P1
KEY set C1
and SIG(P1)entered in child zone
Select KEYset P2 andsign KEY
set C1
Replace P1
with P2
Add SIG(P2)to child zone
Remove SIG(P1)to child zone
2 May 03 22masseyd@isi.edu
Revised DNS Key Management
mil DNS Server
darpa.mil DNS Server
darpa.mil NS records
www.darpa.mil A record
www.darpa.mil SIG(A) by key 2
darpa.mil KEY (pub key 1)
darpa.mil KEY (pub key 2)
darpa.mil SIG(A) by key 1
darpa.mil DS record (hash of pubkey 1)
darpa.mil SIG(DS) by mil private key
Can Change mil key without notifying darpa.mil
Can Change key 2 without notifying .mil
2 May 03 23masseyd@isi.edu
DNS Key Roll-Over
mil DNS Server
darpa.mil DNS Server
darpa.mil KEY (pub key 1)
darpa.mil KEY (pub key 2)
darpa.mil SIG(A) by key 1
darpa.mil DS record (hash of pubkey 1)
darpa.mil SIG(DS) by mil private key
darpa.mil KEY (pub key 3)
darpa.mil SIG(A) by key 3
darpa.mil DS record (hash of pubkey 3)
darpa.mil SIG(DS) by mil private key
Objective: Replace KEY 1 with new KEY 3
2 May 03 24masseyd@isi.edu
Minimal Requirements
Parent must indicate how to reach the
child.
NS records at parent MUST identify at least
one valid name server for child.
Parent must identify a trusted key at child.
DS record at parent MUST match a valid KEY
stored at the child.
2 May 03 25masseyd@isi.edu
Lesson: Protocol Complications
Building on an existing system
Objective is to strengthen the system.
But additions also add stress to weak
points.
Some example cases:
Denial of service added by the DS record.
NS records stored at the parent.
Over use of the KEY record.
2 May 03 26masseyd@isi.edu
Authenticated Denial of Existence
What if the requested record doesn’t exist? Query for foo.ucla.edu returns “No such name” How do you authenticate this?
Operations impose challenges. Can’t predict user would ask for “foo.ucla.edu” Can’t sign reply on the fly
– Query may go to any of serveral servers– You don’t trust all servers with the private key.– Ex: nge.isi.edu master server is at ISI, but secondaries
are at UCL (London) and USC.
2 May 03 27masseyd@isi.edu
NXT Records
Caching DNS Server
End-user
Foo.lucent.com. ?
foo.lucent.com. does not existSome sort of signature to needed….
Authoritative DNS Servers
Challenge: Prove name does not exist given that you can’t predict what user might ask you don’t trust authoritative server with private key
Solution: sign “next name after a.lucent.com. is g.lucent.com.”
More precisely: a.lucent.com NXT g.lucent.com. a.lucent.com SIG NXT ….
2 May 03 28masseyd@isi.edu
The Opt-In Proposal
Change the semantics of the NXT record. Current: next name after “a” is “c” Proposed: next signed name after “a” is “c”
Provides Gradual Roll-Out Inside a Zone Current:
Each name in com needs an NXT and SIG Proposed:
Each signed name in com needs an NXT and SIG
IETF debate concluding…. (hopefully!)
2 May 03 29masseyd@isi.edu
Status Of DNSSEC
Opt-In/authenticated denial remains issue…. “com” to deploy within 6 months if yes on Opt-In Several TLDs ready to deploy. Working with DARPA/USMC.mil on deployment
Only minor issues remain in spec IETF DNSEXT working group drafts:
– Intro to DNSSEC, DNSSEC Records, DNSSEC Protocol
Comments welcome
Opens the door for new challenges….
2 May 03 30masseyd@isi.edu
New DNSSEC Decisions
DNSSEC works well in a logical case What really happens when DNSSEC fails? Bridging incremental deployment?
Test sites quickly abandoned strict model Sites configured servers to accept unsigned data
even when signed expected. Sites quickly configured servers to ignore some
authentication failures. (expired signatures) General rule: DNS prefers some answer
(even if it fails crypto) to no answer. What does this mean for the security model?
2 May 03 31masseyd@isi.edu
A More Realistic View of DNSSEC
Adding security is a non-trivial problem. Over 10 years of DNSSEC work, no
deployment DNSSEC is not the complete answer.
No defense against denial of service. More incremental deployment work
needed. DNSSEC enables many new features.
Management of root zones. New tool (one of many) for achieving truly
robust DNS infrastructure.
2 May 03 32masseyd@isi.edu
Securing BGP
Secure BGP (S-BGP) proposes to add public key cryptography to BGP. Replace DNS with BGP. Repeat previous
slides. Secure DNS and BGP are essential. But even when successful, secure
BGP/DNS are only part of the solution. New complexity due to authentication. Failures in the authentication. New denial of serivice issues. Insider attacks.
2 May 03 33masseyd@isi.edu
General Infrastructure Security Revisit protocol design given challenges
of: New services (ex: dynamic DNS) New tools (ex: DNSSEC) New requirements (DNS as the PKI??) More scale & complexity (more in
routing/BGP) Multi-fence approach to protocol design
Incorporate cryptography as part of the solution.
Can also achieve resilience throught protocol design without cryptography
2 May 03 34masseyd@isi.edu
Two Examples of New Fences
Identify inherent consistency requirements: BGP routes include a path to the destination
and paths must be self-consistent. INFOCOM 02: reject inconsistent paths to avoid
false routes. Add consistency when possible.
BGP allows multiple origins, making it difficult to distinguish valid origins from false origins.
Our fix: list all valid origins in the route update. DSN 02: attacker can forge the list, but can’t
block valid lists in an Internet topology.
2 May 03 35masseyd@isi.edu
Non-cryptographic BGP Security
router bgp 59 neighbor 1.2.3.4 remote-as 52 neighbor 1.2.3.4 send-community neighbor 1.2.3.4 route-map setcommunity outroute-map setcommunity match ip address 18.0.0.0/8 set community 59:MOAS 58:MOAS additive
Example configuration:
AS58
18/8, PATH<4>, MOAS{4,58,59}
AS59
18.0
.0.0
/8 18/8, PATH<58>, MOAS{58,59}
18/8, PATH<59>, MOAS{58,59}
18/8, PATH<52>, MOAS{52, 58}
AS52
2 May 03 36masseyd@isi.edu
(b) Two Origin AS’s(a) One Origin AS
BGP false origin detection
Simulation Results
2 May 03 37masseyd@isi.edu
What To Take Away
A new look at the Internet infrastructure
Real practical need to have solutions now.
Adding Cryptography
Some details of DNSSEC and a view of why
it is not a trivial problem.
Need for more than just cryptography
Motivation to look at research challenges
in designing secure and resilient protocols.
Recommended