RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)

©!Men!&!Mice!!http://menandmice.com!©!ISC!http://www.isc.org

RIPE69!and!IETF!91!Review

11th!December!2014

1

©!Men!&!Mice!!http://menandmice.com!

Security!Updates

BIND!9.10.1-P1!

BIND!9.9.6-P1!

Unbound!1.5.1!(1.4.22-P1)!

PowerDNS!Recursor!3.6.2

2


Agenda

RIPE69!in!London!/!IETF!91!in!Hawaii!!

DNS,!DNSSEC,!DANE,!DHCP,!IPv6!

the!following!information!is!an!excerpt!of!the!RIPE!69!meeting!and!the!IETF!working!group!activities!

for!a!full!overview!of!all!activities!at!IETF!91,!see! https://datatracker.ietf.org/meeting/91/materials.html !!

RIPE69!video!and!presentation!archivehttps://ripe69.ripe.net/archives/

3


DNS

4


new!RFCs!published!since!last!IETF

5

RFC Title Category

7344 Automating DNSSEC Delegation Trust Maintenance Informational


Automating!DNSSEC!Delegation!Trust!Maintenance

automates!the!updates!of!the!DNSSEC!trust!chain!information!in!the!parent!zone!

defines!two!new!record!types:!CDS!(Client-DS)!and!CDNSKEY!(Client-DNSKEY)!

operator!of!a!DNSSEC!secured!child!zone!publishes!new!DS!via!CDS,!or!new!DNSKEY!via!CDNSKEY!

parent!zone!operator!monitors!the!childzone!and!imports!new!DS!and!DNSKEY!data!from!the!child

6



7

Parent!DNS

Child!DNS

child.tld. IN SOA …child.tld. IN NS …child.tld. IN DNSKEY …

tld. IN SOA …tld. IN NS …tld. IN DNSKEY …



8

Parent!DNS

Child!DNS



child.tld. IN DS …


Updating!DNSSEC!Trust!chain!today



9

Parent!DNS

Child!DNS



child.tld. IN CDS …


Updating!DNSSEC!Trust!chain!with!CDS!/!CDNSKEY


!Brett!Carr!-!Name!Collision!Controlled!Interruption

!DNS!name!collision!-!risk!mitigation!for!ngTLDs!

•!"internal"!non-registered!DNS!namesare!used!in!private!networks!

•names!are!leaking!into!the!Internet!DNS!

•machines!with!local!names!configured!leave!the!"controlled"!network!

•.mail,!.corp,!.home!have!been!reserved!for!nowby!ICANN!

•name!collision!emergency!response!

•controlled!interruption!-!wildcard!TLD!and!SLD!

•curious!loopback!address!127.0.53.53!

•ICANN!monitors!CI!for!all!new!TLDs!and!SLDs!in!the!new!TLDs!

•Information!@!https://icann.org/namecollison•Video!and!Slides: https://ripe69.ripe.net/archives/video/181

10


".home"!Special-Use!Domain!Name

Proposal!to!designate!the!".home"TLD!as!a!"private!use"!domain!

!

!

!

http://www.ietf.org/proceedings/91/slides/slides-91-dnsop-8.pdf

http://tools.ietf.org/html/draft-cheshire-homenet-dot-home-01

11


Geoff!Huston!-!The!Resolvers!We!Use

TL;DR:!DNS!in!the!Internetis!weird!

•how!close!are!clients!to!the!resolver?!

•41%!if!Internet!clients!use!non-local!DNS!resolver!(google,!level!3,!opendns!…)!

•1/3!use!a!resolver!in!a!different!country!

•Video!and!Slides:!https://ripe69.ripe.net/archives/video/10114

12


Sara!Dickinson!-!Hedgehog

new!presenter!(Web-UI)!for!DNS!data!collected by!DSC!for!the!L-root!DNS-Server(s)!

Work!by!Sinodun!for!ICANN!

•new!version!2.0!does!notrequire!a!Adobe!Flash!plugin!

•open!source (Apache!License)!http://www.dns-stats.org

•code!is!available!on!githubhttps://github.com/dns-stats/hedgehog

•Video!and!Slides: https://ripe69.ripe.net/archives/video/194

13


How!the!Hell!Should!We!Fund!Open!Source?

Jeff!Osborn!(ISC)!asked!

an!open!question!"howto!finance!open!sourcedevelopment?"!

NLnetLabs!and!ISC!team up!to!provide!securityannouncements!andsupport!to!customers!for!BIND,!Unbound!and!NSD

14


Peter!van!Dijk!-!PowerDNS!Lua!Policy!Engine

•embedded!scriptingengine!in!PowerDNS!

•Idea:!software!needs!toadapt!

•Motivation:!implement!RRL!(Respond!Rate!Limiting)!

•allows!decisions!on!incoming!DNS!traffic!inside!the!policy!engine!

•embedded!LUA!feature!still!in!development,!feedback!requested!

•Video!and!Slides:!https://ripe69.ripe.net/archives/video/201/

15


George!MichaelsonPlease!Don’t!Pick!the!ECDSA-ies

•!measurement!of!ECDSA!P256!support!in!!DNSSEC!validating!resolvers!deployed!today!

•!ECDSA!more!light!in!key-size!and!computation!power!

•!UDP!fragmentations!issues!in!IPv6!(and!IPv4)!

•!1/3!of!DNSSSEC!validating!resolvers!do!not!fetch!ECDSA!

•possible!reason:!IPR!issues!with!ECDSA!in!OpenSSL!(Redhat/CentOS/Fedora,!FreeBSD!...)!

•but!clients!still!fetch!the!content!

•DNSSEC!RFC:!if!a!resolver!does!not!understand!the!algorithm,!treat!zone!as!unsigned!(insecure)!

•possible!Downgrade!attack?!

•!Proposal!from!Audience:!send!SRVFAIL!instead!of!treat!as!insecure!!

•Video!and!Slides: https://ripe69.ripe.net/archives/video/10059/

16


Geoff!Huston!-!Who's!Watching?

•!can!surveillance!be!seen!in!!measurements?!

•!measurements!using!unique! !URL!names,!should!only!be!!fetched!once!

•"shadow"!fetches!of!measurement URLs,!from!China,!Iran,!Laos,Macao,!Singapore,!Honkong,! UK,!Taiwan,!....!

•Chinanet,!Google,!RIM!...!

•most!fetches!in!about!3!seconds!after!original!measurement!fetch!

•Slides!and!Video:!https://ripe69.ripe.net/archives/video/10110

17


DNS!Privacy!-!DPRIVE!WG

•Phill!Hallam-Baker!—!Private!DNS http://www.ietf.org/proceedings/91/slides/slides-91-dprive-2.pdf!

•Paul!Hoffman!—!DNS!over!TLS:!Three!ways!of!not!using!port!53http://www.ietf.org/proceedings/91/slides/slides-91-dprive-0.pdf!

•Stéphane!Bortzmeyer!—!QNAME!minimiz(s?)ationhttp://www.ietf.org/proceedings/91/slides/slides-91-dnsop-2.pdf!

!

18


DNSSEC!negative!trust-anchor•Operators!of!DNSSEC!validating!resolver!needto!have!a!way!to!selectively!turn!of!DNSSEC!validation!

•in!case!the!DNSSEC!in!the!authoritative!zone!is!broken!(no!attack)!

•Draft!got!adopted!by!the!DNSOP!WG!

•"Definition!and!Use!of!DNSSEC!Negative!Trust!Anchors"!

Slides:!http://www.ietf.org/proceedings/91/slides/slides-91-dnsop-4.pdf!

Draft:!http://tools.ietf.org/html/draft-livingood-dnsop-negative-trust-anchors-01

19


DNS!Transport!over!TCP

•why?!

•Privacy!efforts!

•Preventing!amplification!attacks!

•Packet!size!limitations!

•Slides:!http://www.ietf.org/proceedings/91/slides/slides-91-dnsop-7.pdf

20


DNS!Cookies•!OPT!option!that!provides!weak!protection!against!

•off!path!DNS!denial!of!service!

•traffic!amplification!

•DNS!cache!poisoning!attacks!

•Experimental!implementation!in!BIND!9.10!

•BIND!Source!Identity!Token!

•Draft:!http://tools.ietf.org/html/draft-ietf-dnsop-cookies-00!

•Slides:!http://www.ietf.org/proceedings/91/slides/slides-91-dnsop-1.pdf

21


EDNS!compliance!report•Mark!Andrews!(ISC)!didextensive!tests!to!find!out about!the!EDNScompliance!of!DNS!servers in!the!Internet!

•EDNS!=!extended!DNS,!around!since!1998!

•many!DNS!server!(and!middle-boxes)!do!not!handle!unknown!EDNS!options!or!versions!

• http://www.ietf.org/proceedings/91/slides/slides-91-dnsop-9.pdf

22


DANE!S/MIMEClient

•Prototype!DANE!S/MIME!Mail-Client based!on!the!GetDNS-API!

•Plugin!for!Mozilla!Thunderbirdhttp://www.ietf.org/proceedings/91/slides/slides-91-dane-1.pdf

23


DANE!Deployment!Observations

•Dan!York!(ISOC)!

•the!good!and!the!bad!seenin!DANE!deployments

•Draft:!https://tools.ietf.org/html/draft-york-dane-deployment-observations-00

•Slides:!http://www.ietf.org/proceedings/91/slides/slides-91-dane-3.pdf

24


More!DNS!from!RIPE!69

•Chris!BakerDynamic!DNS!Abuse!Overviewhttps://ripe69.ripe.net/archives/video/10057/

•Nicolas!Cartron!-!DNS!Attacks:!Can!we!Still!Afford!to!Use!Old,!Ineffective!Solutions?https://ripe69.ripe.net/archives/video/10055!

•Ondřej!Caletka!-!Challenges!in!Endpoint!DNSSEC https://ripe69.ripe.net/archives/video/10116!

•!Jaap!Akkerhuis!-!NSD!4.1https://ripe69.ripe.net/archives/video/204

25


DHCP

26


new!RFCs!published!since!last!IETF

27

RFC Title Category

7341 DHCPv4-over-DHCPv6 (DHCP 4o6) TransportStandards

Track


DHCP!Privacy!Updates

•Work!Items!

•Identifiers!

•Current!Mechanisms!

•Attacks!

•Differences!between!DHCPv4!and!DHCPv6!

•Work!Plan!

•Slides:!http://www.ietf.org/proceedings/91/slides/slides-91-dhc-6.pdf

•Drafts:!

draft-krishnan-dhc-dhcpv6-privacy-00!

draft-jiang-dhc-dhcpv4-privacy-00

28


Issues!and!Recommendations!with!Multiple!Stateful!DHCPv6!Options

•DHCPv6!supports!multiple!stateful!options!

•Options!that!require!dynamic!binding!state!per!client!on!the!server!

•IPv6!Addresses!and!Prefix!Delegations!(PD)!

•Slides:!http://www.ietf.org/proceedings/91/slides/slides-91-dhc-2.pdf

•Draft:!http://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-stateful-issues-09

29


IPv6/IPv4-sunset

30


published!new!RFCs!since!last!IETF

31

RFC Title Category

7335 IPv4 Service Continuity Prefix (192.0.0.0/29) Standards Track

7343 An IPv6 Prefix for Overlay Routable Cryptographic Hash Identifiers Version 2 (ORCHIDv2)

Standards Track

7346 IPv6 Multicast Address Scopes Standards Track

7371 Updates to the IPv6 Multicast Addressing Architecture Standards Track

7381 Enterprise IPv6 Deployment Guidelines Informal

7404 Using Only Link-Local Addressing inside an IPv6 Network Informal


Jen!Linkova Stop!Thinking!IPv4;!IPv6!is!Here

•!!IPv6!is!here!-!questions!is!not!"should!I!deploy!IPv6"!but!"how!to!deploy"!

•!you!need!to!understand!IPv6!to!be!able!to!decide!why!to!use!/!why!not!to!use!IPv6!

•!using!link-local!addresses!for!router!links!

•!easy!subnet!size!address!plans!

•!first!hop!redundancy!via!Router!Advertisements!

•!DHCPv6?!Is!it!needed?!

•!RFC!5942!"relationship!between!links!and!subnet!prefixes"!

•!Franck!Martin!"Sending!and!receiving!emails!over!IPv6" http://engineering.linkedin.com/email/sending-and-receiving-emails-over-ipv6!

•!IPv6!only!data-center!

•!IPv6!and!Firewall!

•Slides!and!Video: https://ripe69.ripe.net/archives/video/185!

•free!'IPv6!for!IPv4!experts'!book:!https://sites.google.com/site/yartikhiy/home/ipv6book

32


!Tore!AndersonSIIT-DC:!IPv4!Service!Continuity!for!IPv6!Data!Centres

•!IPv4!is!not!mandatory!anymore!

•!we!have!to!work!with!IPv6!anyway,!!try!to!build!infrastructure!IPv6!only!

•!less!complexity,!avoid!transition!!"workarounds"!

•!move!IPv4!to!the!edge!of!the!!infrastructure!network!

•!SIIT-DC!-!Stateless!IP/ICMP!Translation!!for!IPv6!Data!Centre!Environments!

•!mapping!IPv4!addresses!into!an!IPv6!prefix!

•!works!with!IPv4!only!applications!(difficult!protocols!like!FTP!via!host-agent)!

•!available!through!TAYGA!(Open!Source/Linux)!and!commercial!routers!

•!Draft:!http://tools.ietf.org/html/draft-anderson-v6ops-siit-dc-01!

•!Slides!and!Video:!https://ripe69.ripe.net/archives/video/186

33


IPv6!Extension!Headers!in!the!Real!World

•!Jen!Linkova!-!IPv6!Extension!Headers!

•!network!operators!filter!extension!headers!

•!Test!using!500!RIPE!ATLAS!probes!towards!Alexa!1M!websites!

•!Hop-by-Hop!and!Destination!Headers!

•!Firewalls!cannot!deal!with!complex!extension!headers,!cannot!find!the!payload!to!inspect!

•!short!EH!have!lower!drop!rate,!UDP!with!8bit!EH!have!least!drop!rate!

•!plan!to!repeat!the!test!in!1!year!time!(improvement)?!

•!Tore!Anderson!suggests!to!re-run!the!test!for!ESP!EH!

•!Draft:!http://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-in-real-world-01

•Transmission!and!Processing!of!IPv6!Options(draft-gont-6man-ipv6-opt-transmit-00)!

•!Slides!and!Video:!!

•RIPE!https://ripe69.ripe.net/archives/video/10052!

•IETF!http://www.ietf.org/proceedings/91/slides/slides-91-v6ops-9.pdf

34


more!IPv6!work!@!IETF

•Some!problems!observed!in!IPv6-only!deployment draft-song-sunset4-ipv6only-dns!

•Recommendation!on!Stable!IPv6!Interface!Identifiersdraft-ietf-6man-default-iids!

•Deprecating!the!Generation!of!IPv6!Atomic!Fragmentsdraft-ietf-6man-deprecate-atomfraggeneration!

•IPv6!Prefix!Length!Recommendation!for!Forwardingdraft-boucadair-6man-prefix-routing-reco

35


Misc

36


Jason!Schiller!-!QUIC:!Why!Should!I!Care!About!Quick!UDP!Internet!Connections?

•!increase!the!load-performance!of!webpages!

•!issues!with!TCP!that!cannot!be!easily!solved!

•!Idea:!multiplexing!connections!over!UDP!

•!implemented!as!part!of!the!!Chromium!project!(Google!Browser)!

•!same!functions!as!SPDY!

•!will!be!supported!in!future!Chrome!Browser,!!most!Google!Web-Sites!are!already!QUIC!!enabled!

•!traffic!towards!Google!might!switch!from!!TCP!to!UDP!in!2015!

•!Comment!from!Audience:!Port!80!UDP!might!be!blocked!

•!Chrome!implements!TCP!and!UDP!"Happy!Eyeballs"!

•!Slides!and!Video: https://ripe69.ripe.net/archives/video/10108/

37


Raymond!Cheng!-!uProxy:!a!Social!Proxy!for!Your!Browser

•!browser!extension!to!securely !tunnel!traffic!through!a!friends !computer!

•!peer!to!peer!communication, !encrypted!

•!plugin!for!Chrome!and!Firefox!

•!Aim:!easy!to!install!and!use!

•!use!case:!tunnel!from!insecure!WIFI!to!machine!in!home!network!

•!Plugin!implementation!uses!WebRTC!as!the!underlying!transport!

•!Slides!and!Video: https://ripe69.ripe.net/archives/video/189/

38


Men!&!Mice!webinars!2015•!DNS-Resolver!monitoring!using!DNSTAP!and!Unbound!

•!the!Men!&!Mice!Suite!Generic!DNS!Controller!(PowerDNS,!Amazon! !Route53)!

•!Selective!blackholing!

•!DANE!and!DNSSEC!revisited!

•!the!KNOT!DNS!Server!

•!RIPE!70!and!IETF!meeting!reports!

•!BIND!9!tuning!

•!BIND!9.10/9.11!update!/!GeoIP!with!BIND!9!

•!<!your!topic!here!>!(please!let!us!know!via!<[email protected]>,!Twitter,!Facebook!…)

39


Q/A

40

?2015!Schedule,!Slides,!Links,!Recording!and!errata!

will!be!posted!@https://www.menandmice.com/resources/educational-resources/webinars/


Q/A

41

?2015!Schedule,!Slides,!Links,!Recording!and!errata!

will!be!posted!@https://www.menandmice.com/resources/educational-resources/webinars/

Technology

RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)