
Page 1: The Current State of DNS Resolvers and RPKI Protection

The Current State of DNS Resolvers and RPKI Protection

11 August 2020, 32b

Erik Dekker, Marius Brouwer, Willem Toorop

Topics: BGP, RPKI, DNSSEC

DNS Hero Clipart © FreePNGImg.com

Page 2: The Current State of DNS Resolvers and RPKI Protection

Current State of DNS Resolvers and RPKI Validation 2

Motivation

● DNSSEC protects against address forgery
● But the address can be trivially hijacked

Picture CC BY-SA 3.0 by Vegas Bleeds Neon

Page 3: The Current State of DNS Resolvers and RPKI Protection

RPKI 101

[Diagram: AS1, AS2, AS3, AS4 and AS5 interconnected; prefixes 1.0.0.0/24 (A), 8.0.0.0/23 (B, originated by AS2) and the more-specific 8.0.0.0/24 (C, originated by AS666)]

Page 4: The Current State of DNS Resolvers and RPKI Protection

Motivation

● DNSSEC protects against address forgery
● But the address can be trivially hijacked
● RPKI to the rescue

Picture CC BY-SA 3.0 by Vegas Bleeds Neon

Page 5: The Current State of DNS Resolvers and RPKI Protection

RPKI 101

[Diagram: the same topology with a ROA published and a router performing ROV (Route Origin Validation); 8.0.0.0/23 (B) from AS2 is marked valid, the more-specific 8.0.0.0/24 (C) from AS666 is marked Invalid and no longer used]

Page 6: The Current State of DNS Resolvers and RPKI Protection

Motivation

● What does this have to do with DNS Resolvers?

Page 7: The Current State of DNS Resolvers and RPKI Protection

Motivation

● What does this have to do with DNS Resolvers?

[Diagram: the ROV topology (AS1 to AS5, AS666 originating 8.0.0.0/24 (C) marked Invalid, 8.0.0.0/23 (B) marked valid) extended with a Resolver in AS5 and two Authoritative name servers, one of them at 9.0.0.1 in 9.0.0.0/24 (D)]

Page 8: The Current State of DNS Resolvers and RPKI Protection

Motivation

● What does this have to do with DNS Resolvers?

[Diagram: as on the previous slide (Resolver in AS5, Authoritative at 9.0.0.1 in 9.0.0.0/24 (D), AS666 originating 8.0.0.0/24 (C) marked Invalid); here B is printed as 8.0.0.0/24]

Page 9: The Current State of DNS Resolvers and RPKI Protection

Research question

Main:

What is the state of Route Origin Validation (RoV) on DNS resolvers?

Sub:

● Does the length of the AS path matter?
● How does anycast influence the protection?

Page 10: The Current State of DNS Resolvers and RPKI Protection

Test setup

Zone rootcanary.net (the parent delegates valid4 and invalid4 to their own authoritatives):

    $ORIGIN rootcanary.net.
    $TTL 60
    @        SOA ns1.surfnet.nl. dns-beheer.surfnet.nl. (
                 2020080503 ; serial
                 10800      ; refresh
                 3600       ; retry
                 604800     ; expire
                 86400 )    ; minimum
             NS  ns1.surfnet.nl.
             NS  ns2.surfnet.nl.
             NS  ns3.surfnet.nl.
             NS  ns1.zurich.surf.net.
    $TTL 25200
    valid4   NS  valid4
    valid4   A   209.24.1.6
    invalid4 NS  invalid4
    invalid4 A   194.32.71.6

Zone valid4.rootcanary.net (served from 209.24.1.6):

    $ORIGIN valid4.rootcanary.net.
    $TTL 300
    @        SOA valid4.rootcanary.net. sysadm.rootcanary.org. (
                 2020012100 10800 3600 604800 300 )
             NS  @
             A   209.24.1.6
    $TTL 1
    invalid  DNAME invalid4.rootcanary.net.

Zone invalid4.rootcanary.net (served from 194.32.71.6):

    $ORIGIN invalid4.rootcanary.net.
    $TTL 300
    @        SOA invalid4.rootcanary.net. sysadm.rootcanary.org. (
                 2020012100 10800 3600 604800 300 )
             NS  @
             A   194.32.71.6
    *        A   145.97.20.20

ROAs shown on the slide:

    prefix 209.24.1.0/24    max len 24    ASN 15562    (covers the valid4 authoritative, 209.24.1.6)
    prefix 194.32.71.0/24   max len 24    ASN 0        (covers the invalid4 authoritative, 194.32.71.6)
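The ROV decision from the RPKI 101 slides and the ROAs printed on the test-setup slides, carried through as an added worked example (Python, not the authors' code). It implements the RFC 6811 covered/matched test and a longest-prefix route selection with and without ROV, which is what makes the invalid4 authoritative unreachable from networks that validate. The ROAs for 8.0.0.0/23 (AS2), 209.24.1.0/24, 194.32.71.0/24, 2001:728:1808::/48 and 2001:7fb:fd04::/48 are the slides' own; the pairing of 1.0.0.0/24 with AS1 and the origin AS 64496 used for the invalid4 prefix are assumptions, and the topology is reduced to the announcements the diagram shows.

```python
"""Route Origin Validation (RFC 6811) over a small ROA set, plus longest-prefix
route selection with and without ROV. Example code added for this page; the
ROAs are the ones printed on the slides, the announcements follow the diagram."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str   # covered prefix
    max_len: int  # longest announcement length the ROA authorises
    asn: int      # authorised origin AS; 0 means "nobody may originate this"


# ROAs from the test-setup slides plus the two from the RPKI 101 diagram
# (AS1 -> 1.0.0.0/24 is assumed; AS2 -> 8.0.0.0/23 is on the diagram).
SLIDE_ROAS = [
    ROA("1.0.0.0/24", 24, 1),
    ROA("8.0.0.0/23", 23, 2),
    ROA("209.24.1.0/24", 24, 15562),        # valid4 authoritative
    ROA("194.32.71.0/24", 24, 0),           # invalid4 authoritative: AS0 ROA
    ROA("2001:728:1808::/48", 64, 15562),   # valid6 authoritative
    ROA("2001:7fb:fd04::/48", 48, 196615),  # invalid6 authoritative
]


def rov_state(roas, prefix, origin_asn):
    """RFC 6811 state of an announcement: 'valid', 'invalid' or 'notfound'.

    A ROA *covers* the route when the announced prefix lies inside the ROA
    prefix. It *matches* when, in addition, the origin AS equals the ROA AS and
    the announced length does not exceed max_len. Covered but unmatched is
    invalid; an AS0 ROA covers but can never match, so every announcement of
    that prefix is invalid, which is how invalid4 is made unreachable.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def best_route(roas, routes, dst, enforce_rov):
    """Origin AS of the longest-prefix route to dst, or None if none is usable.

    routes: list of (prefix, origin_asn) announcements a router has learned.
    With enforce_rov=True the router drops RPKI-invalid routes before doing
    longest-prefix selection, which is what the ROV label in the diagram means.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, origin in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != dst_ip.version or dst_ip not in net:
            continue
        if enforce_rov and rov_state(roas, prefix, origin) == "invalid":
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, origin)
    return None if best is None else best[1]


# Announcements from the diagram (AS2's /23, AS666's more-specific /24) plus a
# constructed announcement of the invalid4 prefix from documentation AS 64496.
DIAGRAM_ROUTES = [("1.0.0.0/24", 1), ("8.0.0.0/23", 2), ("8.0.0.0/24", 666),
                  ("194.32.71.0/24", 64496)]

if __name__ == "__main__":
    for enforce in (False, True):
        label = "ROV   " if enforce else "no ROV"
        print(label, "8.0.0.1 via AS", best_route(SLIDE_ROAS, DIAGRAM_ROUTES, "8.0.0.1", enforce),
              "| 194.32.71.6 via AS", best_route(SLIDE_ROAS, DIAGRAM_ROUTES, "194.32.71.6", enforce))
```

Without ROV the more-specific 8.0.0.0/24 from AS666 wins longest-prefix selection; with ROV it is discarded and traffic follows AS2's /23. For the invalid4 prefix the only route is invalid, so an ROV-enforcing network has no route at all, which is exactly what the measurement relies on.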

Page 11: The Current State of DNS Resolvers and RPKI Protection


Test setup

Page 12: The Current State of DNS Resolvers and RPKI Protection


Test setup

Page 13: The Current State of DNS Resolvers and RPKI Protection

Test setup

[Diagram of the query flow between the resolver and the two authoritatives (auth 209.24.1.6 and auth 194.32.71.6):
  1. resolver -> auth 209.24.1.6: $r-$t-$p.invalid.valid4 A
  2. auth 209.24.1.6 answers from $ORIGIN valid4.rootcanary.net with "invalid DNAME invalid4.rootcanary.net.", i.e. CNAME $r-$t-$p.invalid4
  3. resolver -> auth 194.32.71.6: $r-$t-$p.invalid4 A
  4. auth 194.32.71.6 answers from $ORIGIN invalid4.rootcanary.net with "* A 145.97.20.20", i.e. $r-$t-$p.invalid4 A 145.97.20.20]

Page 14: The Current State of DNS Resolvers and RPKI Protection

Test setup

[The same query-flow diagram, repeated for several $r-$t-$p queries: resolver -> auth 209.24.1.6 ($r-$t-$p.invalid.valid4 A), DNAME answer synthesised to CNAME $r-$t-$p.invalid4, resolver -> auth 194.32.71.6 ($r-$t-$p.invalid4 A), wildcard answer 145.97.20.20. The slide marks the query to auth 194.32.71.6 with a "?"]
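The mechanics behind the query-flow slides, as an added worked example (Python; not the authors' measurement tooling): the DNAME substitution that turns $r-$t-$p.invalid.valid4 into $r-$t-$p.invalid4, and the join of the two authoritatives' query logs on the $r-$t-$p tag that decides which resolver reached the RPKI-invalid prefix. The log line format, the reading of the tag as resolver-timestamp-probe, and the per-probe fully/partially/unprotected rule are assumptions; the zone names, authoritative addresses and the Probe Protection Status legend are from the slides.

```python
"""DNAME substitution plus query-log join for the valid4/invalid4 canary.
Example code added for this page; log format, tag layout and the per-probe
classification rule are assumptions, the names and addresses are the slides'."""
import re
from collections import defaultdict

ZONE_APEX = "rootcanary.net"
VALID4_AUTH = "209.24.1.6"     # serves valid4.rootcanary.net (RPKI-valid prefix)
INVALID4_AUTH = "194.32.71.6"  # serves invalid4.rootcanary.net (AS0 ROA, RPKI-invalid)


def dname_substitute(qname, owner, target):
    """RFC 6672 DNAME substitution: for a name *below* owner, replace the owner
    suffix with target and return the synthesised CNAME target; None otherwise
    (the owner name itself is not substituted)."""
    qname, owner, target = (s.lower().rstrip(".") for s in (qname, owner, target))
    suffix = "." + owner
    if not qname.endswith(suffix):
        return None
    return qname[:-len(suffix)] + "." + target


# Constructed query-log lines: "<authoritative-ip> <qname> <qtype>", one per query seen.
SAMPLE_LOG = """\
209.24.1.6  res1-1579780000-1001.invalid.valid4.rootcanary.net. A
194.32.71.6 res1-1579780000-1001.invalid4.rootcanary.net.       A
209.24.1.6  res2-1579780000-1001.invalid.valid4.rootcanary.net. A
209.24.1.6  res3-1579780010-1002.invalid.valid4.rootcanary.net. A
209.24.1.6  res4-1579780020-1003.invalid.valid4.rootcanary.net. A
194.32.71.6 res4-1579780020-1003.invalid4.rootcanary.net.       A
194.32.71.6 res5-1579780030-1004.invalid4.rootcanary.net.       A
""".splitlines()

TAG_RE = re.compile(r"^(?P<r>[^.-]+)-(?P<t>\d+)-(?P<p>\d+)$")  # assumed $r-$t-$p layout


def classify_pairs(log_lines):
    """Map (probe, resolver) -> 'protected' | 'unprotected'.

    A pair is unprotected as soon as its tag shows up at the invalid4
    authoritative: the resolver had a route to the RPKI-invalid prefix. A tag
    seen only at the valid4 authoritative means the DNAME chain stalled there,
    so the pair counts as protected. Lines outside the experiment are skipped.
    """
    seen_valid, seen_invalid = set(), set()
    for line in log_lines:
        auth_ip, qname, _qtype = line.split()
        qname = qname.lower().rstrip(".")
        tag = qname.split(".")[0]
        if auth_ip == VALID4_AUTH and qname.endswith(".invalid.valid4." + ZONE_APEX):
            seen_valid.add(tag)
        elif auth_ip == INVALID4_AUTH and qname.endswith(".invalid4." + ZONE_APEX):
            seen_invalid.add(tag)
    pairs = {}
    for tag in seen_valid | seen_invalid:
        m = TAG_RE.match(tag)
        if not m:
            continue
        key = (m["p"], m["r"])
        status = "unprotected" if tag in seen_invalid else "protected"
        if pairs.get(key) != "unprotected":  # one unprotected observation wins
            pairs[key] = status
    return pairs


def probe_status(pairs):
    """Per probe: 'fully' if every resolver it uses is protected, 'unprotected'
    if none is, 'partially' otherwise (assumed reading of the slide legend)."""
    per_probe = defaultdict(set)
    for (probe, _resolver), status in pairs.items():
        per_probe[probe].add(status)
    return {probe: "fully" if statuses == {"protected"}
            else "unprotected" if statuses == {"unprotected"}
            else "partially"
            for probe, statuses in per_probe.items()}


if __name__ == "__main__":
    pairs = classify_pairs(SAMPLE_LOG)
    for key in sorted(pairs):
        print(key, pairs[key])
    print(probe_status(pairs))
```

In the constructed log, probe 1001 uses two resolvers of which only res2 stalls at the DNAME, so it is partially protected; probe 1002 is fully protected; 1003 and 1004 are unprotected. Tags that only ever appear at the invalid4 authoritative (res5) still count as unprotected, since reaching that server is the observation that matters.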

Page 15: The Current State of DNS Resolvers and RPKI Protection

Test setup

● Atlas measurement kindly provided by Emile Aben
● Beacon for the authoritatives kindly provided by Job Snijders

Page 16: The Current State of DNS Resolvers and RPKI Protection

Results

[Figure: two time series from 2020-01-23 to 2020-02-03.
  Left, "Probe/resolver pair": y-axis Probe/Resolver Pairs (0 to 15000), x-axis Date; legend RPKI Status: Total, Unprotected, Protected.
  Right, "Probe time series": y-axis Number of Probes (0 to 10000), x-axis Date; legend Probe Protection Status: Total Probes, Unprotected, Partially, Fully.]

Page 17: The Current State of DNS Resolvers and RPKI Protection

Results

[Figure: two bar charts, "Top ten most protected ASes" and "Top ten most popular ASes"; x-axis AS, y-axis Queries (0 to 5000 and 0 to 4000), bars split by RPKI Status: Protected, Unprotected.]

Page 18: The Current State of DNS Resolvers and RPKI Protection

Results: relationship between RPKI protection and AS path length

[Figure: Query Ratio (0.00 to 1.00) per AS Path Length (2 to 11), stacked by RPKI Status: Unprotected, Protected]

Sub RQ: Does the length of the AS path matter?

Page 19: The Current State of DNS Resolvers and RPKI Protection

Results: Cloudflare resolver prefix time series

[Figure: Cloudflare Prefixes (40 to 160) per Date, 2020-01-23 to 2020-02-03; legend RPKI Status: Total, Unprotected, Protected]

Sub RQ: How does anycast influence protection?

Page 20: The Current State of DNS Resolvers and RPKI Protection

Current situation / IPv6

DNSThought

Page 21: The Current State of DNS Resolvers and RPKI Protection

DNSThought

https://dnsthought.nlnetlabs.nl/does_rov4/#top_auth_asns

Page 22: The Current State of DNS Resolvers and RPKI Protection

Test setup (IPv6)

Zone rootcanary.net (the parent delegates valid6 and invalid6 to their own authoritatives):

    $ORIGIN rootcanary.net.
    $TTL 60
    @        SOA  ns1.surfnet.nl. dns-beheer.surfnet.nl. (
                  2020080503 ; serial
                  10800      ; refresh
                  3600       ; retry
                  604800     ; expire
                  86400 )    ; minimum
             NS   ns1.surfnet.nl.
             NS   ns2.surfnet.nl.
             NS   ns3.surfnet.nl.
             NS   ns1.zurich.surf.net.
    $TTL 25200
    valid6   NS   valid6
    valid6   AAAA 2001:728:1808:5::6
    invalid6 NS   invalid6
    invalid6 AAAA 2001:7fb:fd04::6

Zone valid6.rootcanary.net (served from 2001:728:1808:5::6):

    $ORIGIN valid6.rootcanary.net.
    $TTL 300
    @        SOA  valid6.rootcanary.net. sysadm.rootcanary.org. (
                  2020012100 10800 3600 604800 300 )
             NS   @
             AAAA 2001:728:1808:5::6      ; the slide prints A; an IPv6 address needs an AAAA record
    $TTL 1
    invalid  DNAME invalid6.rootcanary.net.

Zone invalid6.rootcanary.net (served from 2001:7fb:fd04::6):

    $ORIGIN invalid6.rootcanary.net.
    $TTL 300
    @        SOA  invalid6.rootcanary.net. sysadm.rootcanary.org. (
                  2020012100 10800 3600 604800 300 )
             NS   @
             AAAA 2001:7fb:fd04::6        ; AAAA, as above
    *        AAAA 2001:610:188:408::20    ; AAAA, as above

ROAs shown on the slide:

    prefix 2001:7fb:fd04::/48   max len 48   ASN 196615   (covers the invalid6 authoritative, 2001:7fb:fd04::6)
    prefix 2001:728:1808::/48   max len 64   ASN 15562    (covers the valid6 authoritative, 2001:728:1808:5::6)

Page 23: The Current State of DNS Resolvers and RPKI Protection


Test setup

Page 24: The Current State of DNS Resolvers and RPKI Protection

DNSThought

https://dnsthought.nlnetlabs.nl/does_rov6/#top_auth_asns

Page 25: The Current State of DNS Resolvers and RPKI Protection

DNSThought: AS13335 Cloudflare

[Figures: IPv4 and IPv6 panels]

Page 26: The Current State of DNS Resolvers and RPKI Protection

DNSThought: AS12322 Free SAS

[Figures: IPv4 and IPv6 panels]

Page 27: The Current State of DNS Resolvers and RPKI Protection

● Research performed by:
  – Erik Dekker <[email protected]>
  – Marius Brouwer <[email protected]>
● From –
● At –
● On – January 2020
● Report: https://delaat.net/rp/2019-2020/p04/report.pdf
● DNSThought: https://dnsthought.nlnetlabs.nl/

Questions?