ietf dprive wg encrypting dns
play

IETF DPRIVE WG: Encrypting DNS Sara Dickinson Sinodun ICANN 54 - - PowerPoint PPT Presentation

Jan 01, 2024 •14 likes •244 views

IETF DPRIVE WG: Encrypting DNS Sara Dickinson Sinodun ICANN 54 - Tech Day October 2015 DPRIVE WG Focus is stub to recursive Group IETF92 IETF91 IETF93 created A ID: problem-statement RFC7626 ID: dns-tls-newport A ID:

  1. IETF DPRIVE WG: Encrypting DNS Sara Dickinson Sinodun ICANN 54 - Tech Day October 2015

  2. DPRIVE WG Focus is stub to recursive Group IETF92 IETF91 IETF93 created A ID: problem-statement RFC7626 ID: dns-tls-newport A ID: start-tls-for-dns ID: start-tls-for-dns ID:dns-over-tls STARTTLS & port Early port allocation A ID: dnsodtls ID: dnsodtls 2014 2015 Q4 Q1 Q3 Q2 Q4 TIME

  3. Pros and Cons Pros Cons • Port 53 - middleboxes? • Port 53 • Existing TCP implementations • Known technique STARTTLS • Downgrade attack on negotiation • Incrementation deployment • Latency from negotiation • New DNS port (no TLS • New port assignment interference with port 53) (new port) • Existing implementations • Truncation of DNS messages • UDP based (just like UDP) DTLS • Certain performance ➡ Fallback to clear text or TLS aspects ❌ Can’t be standalone solution • No running code

  4. Early port allocation • 8th October 2015 - IANA assigned port 853 : domain-s 853 tcp DNS query-response protocol run over TLS/DTLS domain-s 853 udp DNS query-response protocol run over TLS/DTLS

  5. DNS-over-TLS needs TCP ! • DNS-over-TCP… historically used only as a fallback transport (TC=1 ➡ ‘one-shot’ TCP, Zone transfer) • 2010: RFC5966 - TCP a requirement for DNS implementations • 2014: Connection-oriented DNS - USC/ISI paper • draft-ietf-dnsop-5966bis • performance on par with UDP, security/robustness • draft-ietf-dnsop-edns-tcp-keepalive - persistent TCP connections

  6. TCP/TLS Performance Goals : 1. Handle many TCP connections robustly 2. Optimise TCP/TLS set up & resumption • TCP FastOpen, TLS resumption, [TLS 1.3] 3. Amortise cost of TCP/TLS setup • Send many messages efficiently

  7. Performance (5966bis) Client - Query pipelining connection re-use pipelining q1, q2 q1, q2 q1 q1 q2 delayed q2 waiting for q1 a1 a1 (+1 RTT) a2 q2 0 extra (recursive) RTT a2 (stub)

  8. Performance (5966bis) Server - concurrent processing of requests sending of out of order responses in-order concurrent, OOOR R A R A q1, q2 q1 q1, q2 q1 q2 q2 q2 delayed waiting for q1 0 extra a2 (+1 RTT) RTT a1 a1 reply as soon stub as possible a2

  9. DNS-over-TLS implementations • Unbound 1.4.14 (2011) - DNSTrigger • TLS patches for LDNS and NSD • [BIND TCP improvements] • getdns - ongoing development of DNS-over-TLS

  10. • Modern async DNSSEC enabled API • https://getdnsapi.net • Stub mode has TLS with flexible privacy policy and fallback: Strict (Authenticated) TLS only Opportunistic TLS Fallback to TCP, UDP • Pipelining, OOOP, Configurable idle time

  11. Current status Software digit LDNS getdns Unbound NSD BIND client server/ mode client stub server client server recursive* (drill) client TLS TFO Conn reuse Pipelining OOOP Dark Green: Latest stable release supports this Light Green: Patch available Yellow: Patch in progress, or requires building a patched dependancy Grey: Not applicable or not planned 
 * getdns uses libunbound in recursive mode

  12. 
 TLS BCP • UTA (Using TLS in Applications) WG produced DNS-over-TLS is relatively RFC7525 this year - “BCP for TLS and DTLS” ‘green-field’ • Key recommendations - Protocol versions: • TLS v1.2 MUST be supported and preferred • Recommended Cipher Suites (4 of ~100): • AEAD mode - Forward secrecy for key exchange 
 • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  13. TLS BCP - Authentication • Secure discovery of certificate/hostname/etc. • For DNS-over-TLS? • Pre-deployed configuration profile • DANE… (clear-text or un-authenticated TLS) • boot strap problem

  14. Summary • Active work on encrypting DNS in DPRIVE • For DNS-over-TLS performance is key • Client should consider privacy policy • see Appendix for stub/recursive examples • Know your (D)TLS Best Current Practices

  15. Thank you! Any Questions? sara@sinodun.com

  16. Appendix

  17. Examples STUB MODE TLS ENABLED Next release: 1.5.5 Hostname verification

  18. Scenario 1: Strict TLS • Configuration: • Hostname verification required (Default) • Correct hostname for Unbound resolver • TLS as only transport • RESULT: • TLS used (cert & hostname verified)

  19. Scenario 2: Strict TLS • Configuration: • Hostname verification required (Default) • No or incorrect hostname • TLS as only transport • RESULT: • Query fails

  20. Scenario 3: Opportunistic TLS • Configuration: • Hostname verification optional • Valid, none or incorrect hostname • TLS as only transport • RESULT: • TLS used (hostname verification tried but fails)

  21. Scenario 4: Opportunistic TLS • Configuration: • Hostname verification required (default) • Valid, none or incorrect hostname • TLS with fallback to TCP • RESULT: • TLS used (hostname verification tried but fails)

  22. Example STUB MODE NO TLS

  23. Scenario 3: Opportunistic TLS • Configuration: • Hostname verification required (default) • Valid, none or incorrect hostname • TLS with fallback to TCP • RESULT: • TCP used (TLS tried, but fails)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DPRIVE WG DNS PRIVate Exchange 1 IETF 95, Buenos Aires, AR 2016-04-06 Welcome to DPRIVE Chairs

DPRIVE WG DNS PRIVate Exchange 1 IETF 95, Buenos Aires, AR 2016-04-06 Welcome to DPRIVE Chairs

DPRIVE WG DNS PRIVate Exchange 1 IETF 95, Buenos Aires, AR 2016-04-06 Welcome to DPRIVE Chairs : o Tim Wicinski <tjw.ietf@gmail.com> o Warren Kumari <warren@kumari.net> Jabber Scribe : o dprive@ietf.jabber.org Minutes :

452 views • 9 slides
DNS / DNSSEC / DANE / DPRIVE Results at IETF 93

DNS / DNSSEC / DANE / DPRIVE Results at IETF 93

DNS / DNSSEC / DANE / DPRIVE Results at IETF 93 Hackathon 18-19 July 2015 Prague, Czech Republic Summary What We Are Working On

256 views • 7 slides
DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and privacy enhancements and interoperabilty Method of Solution multiple user stories, multiple open source prototypes Highlight 1: DNSSEC

246 views • 12 slides
DNS, DNSSEC, DANE, DPRIVE IETF 94 Hackathon Results! DNS Team Hackathon Projects DNS Privacy

DNS, DNSSEC, DANE, DPRIVE IETF 94 Hackathon Results! DNS Team Hackathon Projects DNS Privacy

DNS, DNSSEC, DANE, DPRIVE IETF 94 Hackathon Results! DNS Team Hackathon Projects DNS Privacy topics getdnsapi extension (call debugging) implemented with changes so user learns transport/privacy results edns0-client-subnet privacy

753 views • 21 slides
IETF DNS Privacy A short introduction and update on DPRIVE Warren Kumari 1 ICANN-TechDay /

IETF DNS Privacy A short introduction and update on DPRIVE Warren Kumari 1 ICANN-TechDay /

IETF DNS Privacy A short introduction and update on DPRIVE Warren Kumari 1 ICANN-TechDay / Dublin, .IE - 10/2015 - Ver:01 Whats the problem? 2 Whats the problem? I hate doing expense reports 2 Whats the problem? I hate doing

618 views • 51 slides
Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS Operation Data Encryption

Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS Operation Data Encryption

Unit OS8: File System 8.3. Encrypting File System Security in Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS

250 views • 12 slides
EMU IETF 74 Note Well Any submission to the IETF intended by the Contributor for publication as

EMU IETF 74 Note Well Any submission to the IETF intended by the Contributor for publication as

EMU IETF 74 Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an "IETF

940 views • 7 slides
DNS over TCP and TLS draft-hzhwm-dprive-start-tls-for-dns-00 John Heidemann and Sara Dickinson

DNS over TCP and TLS draft-hzhwm-dprive-start-tls-for-dns-00 John Heidemann and Sara Dickinson

DNS over TCP and TLS draft-hzhwm-dprive-start-tls-for-dns-00 John Heidemann and Sara Dickinson Joint work with Liang Zhu, Zi Hu, Duane Wessels, Allison Mankin, Willem Toorop USC/ISI, Verisign Labs, and Sinodun in collaboration with NLnet Labs,

781 views • 50 slides
Information Hiding in Email Services Based on Confused Document Encrypting Schemes Author

Information Hiding in Email Services Based on Confused Document Encrypting Schemes Author

Information Hiding in Email Services Based on Confused Document Encrypting Schemes Author Wei-Shyun Pan Po-Kang Chen Quincy Wu Outline Introduction Related works A Confused Document Encrypting Schemes and its

514 views • 33 slides
IETF Status at IETF 85 Russ Housley IETF Chair 1 IETF 85 Participants l 1098 people l 195

IETF Status at IETF 85 Russ Housley IETF Chair 1 IETF 85 Participants l 1098 people l 195

IETF Status at IETF 85 Russ Housley IETF Chair 1 IETF 85 Participants l 1098 people l 195 newcomers l IETF 82 was 948 people l 55 countries l IETF 82 was 48 countries IETF 82 was held in US JP CN FR UK Taipei, Taiwan DE

327 views • 8 slides
Welcome to the IETF! Would you like instructions? Mike StJohns IETF 97 Seoul, South Korea 1

Welcome to the IETF! Would you like instructions? Mike StJohns IETF 97 Seoul, South Korea 1

Welcome to the IETF! Would you like instructions? Mike StJohns IETF 97 Seoul, South Korea 1 IETF Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any

637 views • 29 slides
Welcome to the IETF! You are standing at the end of the road before a small brick building

Welcome to the IETF! You are standing at the end of the road before a small brick building

Welcome to the IETF! You are standing at the end of the road before a small brick building Mike StJohns IETF 99 Prague, CZ IETF Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF

582 views • 29 slides
Non-Congestion Robustness (NCR) for TCP draft-ietf-tcpm-draft-ietf-tcpm-tcp-dcr-03.txt IETF 62 -

Non-Congestion Robustness (NCR) for TCP draft-ietf-tcpm-draft-ietf-tcpm-tcp-dcr-03.txt IETF 62 -

Non-Congestion Robustness (NCR) for TCP draft-ietf-tcpm-draft-ietf-tcpm-tcp-dcr-03.txt IETF 62 - March 2005 Sumitha Bhandarkar, A. L. Narasimha Reddy, Mark Allman, Ethan Blanton "Hit our satellite with feeling, Give the people what they

363 views • 8 slides
BFD IETF 68 David Ward Note Well Any submission to the IETF intended by the Contributor

BFD IETF 68 David Ward Note Well Any submission to the IETF intended by the Contributor

BFD IETF 68 David Ward Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an

399 views • 22 slides
IETF LLC Report Presented By: Jason Livingood Chair, IETF LLC Board IETF-106, Singapore

IETF LLC Report Presented By: Jason Livingood Chair, IETF LLC Board IETF-106, Singapore

IETF LLC Report Presented By: Jason Livingood Chair, IETF LLC Board IETF-106, Singapore November 2019 Making the Internet work better IETF Administration LLC Who serves on the Board? Peter Maja Jason Sean Alissa Van Roste Livingood,

391 views • 10 slides
IP Telephony (iptel) IETF 56 Note Well All statements related to the activities of the IETF

IP Telephony (iptel) IETF 56 Note Well All statements related to the activities of the IETF

IP Telephony (iptel) IETF 56 Note Well All statements related to the activities of the IETF and addressed to the IETF are subject to all provisions of Section 10 of RFC 2026, which grants to the IETF and its participants certain licenses

198 views • 9 slides
OrganisatiOn in Design X inDeX Design series Dubai 26-29 March 2018 OrganisatiOn WhY shOuLD

OrganisatiOn in Design X inDeX Design series Dubai 26-29 March 2018 OrganisatiOn WhY shOuLD

OrganisatiOn in Design X inDeX Design series Dubai 26-29 March 2018 OrganisatiOn WhY shOuLD in Design YOu crOss the crOsses the Desert Desert For many years DMG events has organised and produced Why should you participate? the Index

95 views • 9 slides
ONONDAGA COUNTY LAKEVIEW AMPHITHEATER ST A TE ENVIRONMENT AL QUALITY REVIEW (SEQR) Draft

ONONDAGA COUNTY LAKEVIEW AMPHITHEATER ST A TE ENVIRONMENT AL QUALITY REVIEW (SEQR) Draft

ONONDAGA COUNTY LAKEVIEW AMPHITHEATER ST A TE ENVIRONMENT AL QUALITY REVIEW (SEQR) Draft Environmental Impact Statement (DEIS) Public Hearing Legislative Chambers (Court House Room 407) Wednesday July 23, 2014

466 views • 33 slides
Implementation Report #1 | 2013-04-24 False Creek Bridges ECONOMY PEOPLE ENVIRONMENT

Implementation Report #1 | 2013-04-24 False Creek Bridges ECONOMY PEOPLE ENVIRONMENT

Implementation Report #1 | 2013-04-24 False Creek Bridges ECONOMY PEOPLE ENVIRONMENT Council Requested Report Back Topics Intro Progress on Planning for Broadway Subway False Creek Bridges Local Transit Improvements

598 views • 35 slides
Solano360 Vallejo City Council Public Hearing May 14, 2013 PROJECT BACKGROUND AND HISTORY

Solano360 Vallejo City Council Public Hearing May 14, 2013 PROJECT BACKGROUND AND HISTORY

Solano360 Vallejo City Council Public Hearing May 14, 2013 PROJECT BACKGROUND AND HISTORY DRAFT SPECIFIC PLAN GENERAL PLAN AND ZONING AMENDMENTS ENVIRONMENTAL REVIEW DEVELOPMENT AGREEMENT PROJECT APPROVALS OVERVIEW

662 views • 63 slides
Indirect cost compensation Overview of Draft Guidelines for Public Consultation European

Indirect cost compensation Overview of Draft Guidelines for Public Consultation European

Indirect cost compensation Overview of Draft Guidelines for Public Consultation European Commission, DG Climate Action Background Legal basis: Article 10a(6) ETS Directive State aid rules apply State aid competence exercised by DG

168 views • 12 slides
Paying for Postsecondary Education Your Presenter Amy Sloan Higher Education Access Partner

Paying for Postsecondary Education Your Presenter Amy Sloan Higher Education Access Partner

Paying for Postsecondary Education Your Presenter Amy Sloan Higher Education Access Partner Northwest Region PA Higher Ed Assistance Agency asloan@pheaa.org 724-977-3662 What will we discuss tonight? What is financial Aid Free

833 views • 60 slides
Pulaski County Historic Courthouse BUILDING ASSESSMENT - OCTOBER 2019 Goals Identify

Pulaski County Historic Courthouse BUILDING ASSESSMENT - OCTOBER 2019 Goals Identify

Pulaski County Historic Courthouse BUILDING ASSESSMENT - OCTOBER 2019 Goals Identify architectural and structural stabilization action items Identify building systems in need of modernization Concept design to utilize the historic

537 views • 29 slides
Industrial Solar Fan Ventilation System with NO electricity cost AT ALL Product Solar Our

Industrial Solar Fan Ventilation System with NO electricity cost AT ALL Product Solar Our

Industrial Solar Fan Ventilation System with NO electricity cost AT ALL Product Solar Our product is a Ventilation System that works using solar radiation only. Fan Is an innovative Air Renovation System that complies the energetic

415 views • 8 slides

More recommend