Short presentation I made at the Commonwealth Telecommunications Organisation (CTO) Forum about the roots of the lack of trust on the Internet and how RPKI & DNSSEC are keys to regaining that trust.
3. Exhibit A: The Great YouTube Blackout of ’08
Mukom Akong T. | @perfexcellence | Slide 3
4. Exhibit A: The Great YouTube Blackout of ’08
1 billion (non)views per day!
Date: 24th February 2008
Extent: Two thirds of Internet
Damage: Inaccessible for 2 hours
5. Exhibit B: Great Firewall of China extends abroad
6. Exhibit B: Great Firewall of China extends overseas
Date: 24 March 2010
Extent: Some networks in USA & Chile
Damage: US & Chilean citizens became subject to the online policies of the Chinese gov’t
8. Identifying computers on the Internet
192.0.2.1
2001:db8:dead::a1d
learn.afrinic.net
IP addresses are ineffective for human use on a large scale
9. How this can happen to you
① You type your bank’s address: www.yourbank.com
② Your PC asks your ISP’s DNS servers for the matching IP address
③ The DNS server goes through a hierarchy to get the answer:
§ Asks the root DNS servers, which point it to the .com servers
§ The .com servers direct it to the yourbank.com DNS server
§ The yourbank.com DNS server sends the answer (an IP address)
§ The ISP’s server passes the response to your PC, which makes the connection
④ An attacker can inject a fake answer during any of the above steps
⑤ The response that comes to you
§ Is NOT the real IP address of your bank (which you don’t know anyway)
§ Leads to a website that LOOKS exactly like the one you often use
⑥ You type in your credentials, then you get an error, e.g. “page cannot be displayed”
⑦ 3 weeks later, you scream: “Where’s my money??!!”
10. Identifying organisations on the Internet
☀ Domain name e.g. afrinic.net
☀ A block of IP addresses
§ 196.1.0.0/24
§ 2001:4290::/32
☀ Autonomous System Number e.g.
11. For the Internet to work ..
2001:db8:dead::a1d learn.afrinic.net
12. For the Internet to work ..
How do I send information to the computer with address B?
13. The Problem: Breakdown of TRUST
I AM …
www.google.com
www.yourbank.com
www.statehouse.gov.ng
www.prc.cm
www.cto.int
www.afrinic.net
I AM …
2c0f:face:b00c::/48
197.253.0.0/16
65.25.0/24
It is possible to impersonate any entity by name or address
14. The Problem: Breakdown of TRUST
☀ It is possible for one computer to impersonate another node by name.
☀ There’s no real way of knowing if the answer your computer got to “what is the IP address of www.yourbank.com” is legitimate or not
15. The Problem: Breakdown of TRUST
☀ It is possible for one entity (e.g. an ISP) to impersonate a whole network by IP address
☀ There’s been no way to verify that the entity owns the IP address it’s claiming
16. A Fix: Certify & authenticate Internet identity
☀ Sign DNS records
☀ Establish a chain of trust
☀ Establish ‘ownership’ of address space
Digital certificates & public key infrastructure
17. How DNSSEC solves the problem
① Digitally sign DNS (name to IP address) records using public keys
② Establishes a chain of trust where parent domains authenticate child domains
③ Ensures responses have not been tampered with in transit
Does NOT provide confidentiality (encryption)
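Added example, not from the slides: the parent-authenticates-child link in the DNSSEC chain of trust (step ② above, and the defence against the fake answer injected in “How this can happen to you”). The parent zone publishes a DS record holding a digest of the child’s DNSKEY; a validating resolver recomputes it and rejects a key that does not match. The owner name, key bytes and algorithm choice are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Added example: the DS -> DNSKEY link of the DNSSEC chain of trust
# (RFC 4034 s5.1.4; digest type 2 = SHA-256 per RFC 4509). All key bytes are
# constructed placeholders, not real key material.

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): lets a DS say which of several DNSKEYs it refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> dict:
    """The DS the parent publishes: SHA-256 over owner name (wire form) || DNSKEY RDATA."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2,
            "digest": hashlib.sha256(wire_name(owner) + rdata).digest()}

def child_key_trusted(owner: str, parent_ds: dict, child_rdata: bytes) -> bool:
    """Resolver-side check: trust the child's DNSKEY only if the parent's DS matches it."""
    if parent_ds["digest_type"] != 2:
        return False  # this example implements only the SHA-256 digest type
    if parent_ds["key_tag"] != key_tag(child_rdata) or parent_ds["algorithm"] != child_rdata[3]:
        return False
    recomputed = hashlib.sha256(wire_name(owner) + child_rdata).digest()
    return hmac.compare_digest(recomputed, parent_ds["digest"])

# Constructed scenario: the .com zone vouches for yourbank.com's key-signing key.
OWNER = "yourbank.com."
GENUINE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))   # flags 257 = KSK, alg 13 = ECDSAP256SHA256
PARENT_DS = ds_record(OWNER, GENUINE_KEY)
FORGED_KEY = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))  # attacker's key carried in a spoofed answer

def demo() -> tuple:
    return (child_key_trusted(OWNER, PARENT_DS, GENUINE_KEY),   # True
            child_key_trusted(OWNER, PARENT_DS, FORGED_KEY))    # False
```

Signature verification of the child’s own records (RRSIG) is the next link and needs the public-key algorithm itself; this block covers only the digest link that ties one zone to its parent.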
18. DNSSEC – What It Solves
☀ Use public keys to authenticate
§ The original name to address mapping
§ That queries were not tampered with
☀ Prevents impersonation by domain name
☀ Completely backwards compatible with existing DNS infrastructure
☀ It would prevent the extension of the Great Firewall of China outside China
19. Benefits of DNSSEC
① The Internet community: Improved security in the zones that are signed.
② Registrars: Offer domain signing services to their customers.
③ ISPs: Increasing the security of the data returned to their customers.
④ Users: Protection from DNS vulnerabilities such as cache poisoning and man-in-the-middle attacks.
20. RPKI – What It Solves
☀ Ties an organization’s IP address range(s) to its ASN
☀ Solves the “does this address block belong to this organization” question
☀ Blocks impersonation by IP address (number)
☀ RPKI would have prevented the YouTube Blackout of ’08
21. How RPKI Works
☀ Digitally certify that a resource has been allocated to a specific entity.
☀ Usage rights for resources are proven by digital certificate.
☀ Connect resources (ASNs, IP addresses) to a trust anchor, thus forming a chain of trust.
☀ Control the authority to originate a routing announcement via ROAs (Route Origin Authorizations) signed under that certificate.
☀ Certificates are used to verify that a network has the authority to announce a given block of addresses.
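Added example, not from the slides: the Route Origin Validation check (RFC 6811) that a router applies to each received route against the validated ROAs described above. The ROAs, prefixes and ASNs are constructed from documentation ranges.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Added example: RFC 6811 Route Origin Validation. A ROA states "AS <asn> may
# originate <prefix> and any more-specific down to /<max_length>". Prefixes come
# from RFC 5737/3849 documentation space and ASNs from the RFC 5398
# documentation range; none of it is real routing data.

@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length this ROA authorises
    asn: int          # the only AS allowed to originate it

def covers(roa: ROA, announced: ipaddress.IPv4Network | ipaddress.IPv6Network) -> bool:
    """A ROA covers a route when the announced prefix lies within the ROA's prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == announced.version and announced.subnet_of(roa_net)

def origin_validation(roas: list[ROA], announced_prefix: str, origin_asn: int) -> str:
    """Return the RFC 6811 validation state: Valid, Invalid or NotFound."""
    announced = ipaddress.ip_network(announced_prefix)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "NotFound"      # no ROA says anything about this prefix
    if any(r.asn == origin_asn and announced.prefixlen <= r.max_length for r in covering):
        return "Valid"         # at least one ROA matches origin AS and length
    return "Invalid"           # covered, but wrong origin AS or too specific

# Constructed ROAs: AS64496 holds 192.0.2.0/24 (no more-specifics) and 2001:db8::/32 (down to /48).
ROAS = [ROA("192.0.2.0/24", 24, 64496), ROA("2001:db8::/32", 48, 64496)]

def demo() -> dict[str, str]:
    """Routes a router might receive, with the state each one gets."""
    routes = [("192.0.2.0/24", 64496),        # holder announces its own block: Valid
              ("192.0.2.0/25", 64496),        # holder, but more specific than maxLength: Invalid
              ("192.0.2.0/24", 64511),        # another AS claims the block (a hijack): Invalid
              ("2001:db8:dead::/48", 64496),  # within the IPv6 ROA's maxLength: Valid
              ("198.51.100.0/24", 64496)]     # no ROA at all: NotFound
    return {f"{p} from AS{a}": origin_validation(ROAS, p, a) for p, a in routes}
```

What a router does with an Invalid route (drop it, or only de-prefer it) is local policy; the validation state itself is what RPKI supplies.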
22. Implications for National Infrastructure
① Is the ccTLD DNSSEC enabled?
② Government network
☀ Support DNSSEC on all gov’t networks
☀ Is gov’t IP space RPKI-protected?
③ Key network operators (ideally Everyone)
☀ Secure your names domain with DNSSEC
☀ Secure your number domains with RPKI
Because Cyber Crime is an industry that will only grow (to the chagrin of us all) and extend to Cyber War & Terrorism
24. Consequences: think of the effect
① We consolidate governance around technology …then the e-gov’t portal is inaccessible due to attack
② We consolidate education around hosted content and that platform was inaccessible
③ Our bank websites get hijacked
25. Our digital way of life is under threat
e-Banking E-Gov’t E-Commerce
27. Call to Action
RPKI & DNSSEC are not Silver Bullets but are a core part of the solution.
Fix up your own part of this mess! RPKI & DNSSEC on gov’t infrastructure
28. Na Gode! Thank You! Sh’kran
mukom@afrinic.net | Twitter: @perfexcellent