The iLab Experience: a blended learning hands-on course concept



slide-1
SLIDE 1

you set the focus

The iLab Experience

a blended learning hands-on course concept

WWW Security / Your Exercise Topic Pitch

2018-05-8

slide-2
SLIDE 2

[Figure: course schedule, summer term 2018. Dates: 10.4., 17.4., 24.4., (1.5.), 8.5., 15.5., (22.5.), 29.5., 5.6., (12.6.), 19.6., 26.6., 3.7., 10.7. Sessions shown: Kick Off and IPv6, BGP, Minilab 1, Minilab 2, WWW Security and Your Exercise Topic Pitch, Advanced Wireless Playground, IoT DIY HW, IoT Smart Space SW & measr, Giving good Feedback, and the Your Exercise (YE) sessions: Topic Outline, Didactics, Tools & iAdvise, 1st Lecture, Review Presentation, Final Presentation and Wrap-Up.]
slide-3
SLIDE 3

Agenda

  • Reminder: Please do not forget to give short feedback.
  • Interactive: Collaborative Memory.
  • Info: Oral Attestation.
  • Lecture: WWW Security.
  • Interactive: Your Exercise Topic Pitch.
slide-4
SLIDE 4

We want your Feedback!

Individual Feedback goo.gl/YuGj74
slide-5
SLIDE 5

Collaborative Memory

what are the most important things to remember from the last lab?

slide-6
SLIDE 6
slide-7
SLIDE 7

Mon 28.5. Tue 29.5.

10h00-15h00

Oral attestation ~12min each

IPv6 Internet Routing with a focus on BGP (intra-AS and inter-AS) Advanced Wireless LAN
slide-8
SLIDE 8

Black Box

Johannes Naab
slide-9
SLIDE 9

you set the focus

The iLab Experience

a blended learning hands-on course concept

Your Exercise

Topic Pitch — the topics make sense round… May 8, 2018

slide-10
SLIDE 10

create YOUR own LAB

slide-11
SLIDE 11

upside-down classroom

slide-12
SLIDE 12

Security

slide-13
SLIDE 13 Bulgarian Internet in 2011, Niau33, https://commons.wikimedia.org/wiki/File:Bg_internet_2011.png

DNS BGP

slide-14
SLIDE 14

Common Ground for all Topics

  • DNS Basics
  • GO Basics
  • Jupyter Notebook Basics
slide-15
SLIDE 15

Introductory Tutorial DNS & GO

  • Students understand DNS delegation via NS
  • Students understand semantics and format of the following DNS records: A, NS, PTR, SOA
  • Students can use the Linux tool dig to query resolvers such as 8.8.8.8 (i.e. recursively)
  • Students can use the Linux tool dig with the +trace option to understand the process of lookup
  • Students can interpret on-the-wire data (pcap) to understand DNS resolution
  • Students can use the Linux tool dig to query NS iteratively, i.e. they can simulate the lookup process that a resolver would carry out (respectively: what dig +trace does)

  • Students can spot inconsistencies in the setup of NS <-> SOA and A <-> PTR
  • Students understand programming in Go on a fundamental level
  • Students can use the Go DNS library competently
  • Students understand goroutines
slide-16
SLIDE 16

What next?

  • You get 10 minutes to prepare a short pitch of a topic.
  • What is it about?
  • Why is it interesting?
  • You find today’s topic in the envelope.
  • After the session you will have time to vote for a topic until Monday 12pm (noon).

Now open the envelope.

slide-17
SLIDE 17 Flickr:nist6dh
  • Now: 10 minutes time for the preparation


Each team prepares its topic from the envelope

  • Afterwards: You have 1 minute per topic to tell why a topic is cool
  • What is it about?
  • Why is it interesting?
  • What cool stuff do you want to communicate to those doing your planned lab?
  • What concrete theoretical background will one get?
  • What could you imagine as interesting work done during the hands-on?

You make it interesting…

slide-18
SLIDE 18

Available Topics

  • 1. DNS delegations to other zones & querying DNS with GO.
  • 2. MassDNS.
  • 3. DNSSec with Linux Tools and GO.
  • 4. Scanning DNS and DNSSec and mapping results to ASN/ Geolocations.
  • 5. RPKI Validation.
  • 6. DANE-TLSA.
  • 7. CAA.
  • 8. Certificate Transparency and OCSP revocation.
  • 9. go-tlsscanner, BGPStream, and AS dynamics.
slide-19
SLIDE 19

DNS delegations to other zones & querying DNS with GO

We introduce the complexity of the DNS by demonstrating how often zones have nameservers in other zones. Students learn that this can lead to problems and they are introduced to security aspects.

  • Students understand how delegations of authority work between zones
  • Students understand the rules (in/out-of-bailiwick) that are applied
  • Students understand how misconfigurations (circular delegation) can happen, and why most of the DNS still works
  • Students understand the risks associated with delegating authority
  • Students understand the meaning of registrant, registrar, registry
  • Students learn how to find out the registrant, registrar, and registry of a given domain
  • Students can write a simple program that concurrently queries the DNS of Alexa Top 1M domains for A, NS, SOA records

slide-20
SLIDE 20

MassDNS

Querying the DNS at scale is a difficult task. Tools exist that address this, e.g. massdns. Students learn what scanning at scale means and what it can reveal, e.g. NS responsibility for many domains by big companies such as GoDaddy or outsourcing to Cloudflare.

  • Students understand the challenges of collecting measurement data at Internet scale
  • Students understand how tools such as zmap or massdns solve this
  • Students understand operations of the DNS by external providers
  • Students understand how to collect empirical data with massdns and analyse it with Python

slide-21
SLIDE 21

DNSSec with Linux Tools and GO

DNSSEC is an advocated technology to make the integrity of DNS records verifiable. It suffers from low deployment and high complexity, however. Students learn how DNSSEC is meant to be deployed and how it is deployed in practice.

  • Students understand how DNSSEC security is built around the concept of delegation
  • Students understand privacy implications of DNSSEC zone walking
  • Students understand the use of DS, DNSKEY, RRSIG, NSEC, and NSEC3
  • Students can write a Go program that queries DNSSEC records (input: list of domains)
  • Students can use miekg/dns to verify signatures of RRSIG
  • Students can extend the Go program to verify the complete DNSSEC chain
slide-22
SLIDE 22

Scanning DNS and DNSSec and mapping results to ASN/ Geolocations

Students bring together what they have learned in previous tasks. They are now asked to carry out an empirical study of 10,000 domains for DNS and DNSSEC records and analyze the results. They map IP addresses to ASN and geographic location.

  • Students carry out a large-scale scan of DNS/DNSSEC
  • Students identify DNS operators (AWS, Google, Cloudflare, Akamai)

by common NS names

  • Students identify common errors when scanning
slide-23
SLIDE 23

RPKI Validation

Students study RPKI setups and look for problematic practices such as overly large prefix definitions. The final step is to run the IP addresses through RPKI Validator, a tool that verifies an RPKI ROA given an IP address. This tells students whether an IP prefix is RPKI protected.

  • Students understand what RPKI and an RPKI ROA are
  • Students understand problematic practices in RPKI
  • Students understand deployment of RPKI and can interpret results of ROA verification
slide-24
SLIDE 24

DANE-TLSA

DANE-TLSA is an IETF standard that started with huge promise and, so far, has seen little deployment. TLSA allows a domain to define the expected certificate or public key of an HTTPS connection in a DNS record. It is an instructive example of the divergence between cryptography and deployability. In this task, students retrieve DANE-TLSA records and verify them.

  • Students understand purpose and setup rules of DANE-TLSA
  • Students can obtain certificates via TLS
  • Students know how to verify DANE-TLSA records against certificates
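
The verification step named in the last bullet, as an added example that is not part of the original slides: it parses TLSA RDATA (RFC 6698 layout) and checks a certificate against the selector and matching type. The names `TLSA`, `ParseTLSA`, `Matches` and `SampleCert` are assumptions, and the certificate bytes are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"fmt"
)

// TLSA mirrors the RDATA layout: usage | selector | matching type | association data.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// ParseTLSA decodes wire-format TLSA RDATA.
func ParseTLSA(rdata []byte) (TLSA, error) {
	if len(rdata) < 4 {
		return TLSA{}, fmt.Errorf("TLSA RDATA too short: %d bytes", len(rdata))
	}
	return TLSA{rdata[0], rdata[1], rdata[2], rdata[3:]}, nil
}

// Matches checks one certificate; the usage field decides which chain certificate to pass.
func (t TLSA) Matches(cert *x509.Certificate) bool {
	// Selector 0 = full DER certificate, 1 = SubjectPublicKeyInfo only.
	sels := [][]byte{cert.Raw, cert.RawSubjectPublicKeyInfo}
	if int(t.Selector) >= len(sels) {
		return false
	}
	sel := sels[t.Selector]
	// Matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
	s256, s512 := sha256.Sum256(sel), sha512.Sum512(sel)
	forms := [][]byte{sel, s256[:], s512[:]}
	return int(t.MatchingType) < len(forms) && bytes.Equal(forms[t.MatchingType], t.Data)
}

// SampleCert is a constructed stand-in; real code takes the certificates from
// tls.Conn.ConnectionState().PeerCertificates.
func SampleCert() *x509.Certificate {
	return &x509.Certificate{Raw: []byte("cert-der"), RawSubjectPublicKeyInfo: []byte("spki-der")}
}

func main() {
	c := SampleCert()
	h := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	rec, err := ParseTLSA(append([]byte{3, 1, 1}, h[:]...)) // "3 1 1": DANE-EE, SPKI, SHA-256
	fmt.Println(rec.Matches(c), err)
}
```

A record with selector 1 keeps matching after a certificate is re-issued with the same key, while selector 0 pins one specific certificate.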
slide-25
SLIDE 25

CAA

CAA is an IETF standard that allows a domain to specify which CAs are allowed to issue a certificate for the domain. It is a simple and successful standard. In this task, students learn how to retrieve, parse, and evaluate CAA records.

  • Students understand purpose and setup rules of CAA
  • Students can obtain CAA records and parse them
  • Students can check if domains actually have TLS configured with CA-issued cert
  • Students understand that a non-matching cert is not a security issue (contrary to first impression one might have)

  • Students can use CAA data for a “market” analysis of CAs
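
Parsing and evaluating CAA records, as an added example that is not part of the original slides: it decodes CAA RDATA and applies the RFC 8659 issuance rules (`issue`, `issuewild`, critical flag). The names `CAA`, `ParseCAA`, `MayIssue` and the CA domain `ca.example` are assumptions, and the sample RDATA is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// CAA is one record; the RDATA layout is flags(1) | tag length(1) | tag | value.
type CAA struct {
	Critical   bool
	Tag, Value string
}

// ParseCAA decodes wire-format CAA RDATA.
func ParseCAA(rdata []byte) (CAA, error) {
	if len(rdata) < 2 || rdata[1] == 0 || len(rdata) < 2+int(rdata[1]) {
		return CAA{}, fmt.Errorf("malformed CAA RDATA")
	}
	n := 2 + int(rdata[1])
	return CAA{rdata[0]&0x80 != 0, strings.ToLower(string(rdata[2:n])), string(rdata[n:])}, nil
}

// MayIssue applies the issuance check to the relevant RRset for a name.
func MayIssue(rrset []CAA, ca string, wildcard bool) bool {
	var issue, wild []string
	for _, r := range rrset {
		switch {
		case r.Tag == "issue":
			issue = append(issue, r.Value)
		case r.Tag == "issuewild":
			wild = append(wild, r.Value)
		case r.Tag != "iodef" && r.Critical:
			return false // unknown critical property: must not issue
		}
	}
	if wildcard && len(wild) > 0 {
		issue = wild // issuewild replaces issue for wildcard names
	}
	ok := len(issue) == 0 // no applicable property: issuance is unrestricted
	for _, v := range issue {
		name := strings.TrimSpace(strings.SplitN(v, ";", 2)[0])
		ok = ok || (name != "" && strings.EqualFold(name, ca))
	}
	return ok
}

func main() {
	r, err := ParseCAA(append([]byte{0, 5}, "issueca.example"...)) // constructed sample RDATA
	fmt.Println(r, err, MayIssue([]CAA{r}, "ca.example", false))
}
```

CAs run this check at issuance time only, which is why a served certificate from a CA that the current record set does not list is not in itself a violation.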
slide-26
SLIDE 26

Certificate Transparency and OCSP revocation

Certificate Transparency is possibly the most influential security technology on the web in the last five years. In this lab, students will understand how CT works and develop code to audit domain setups that use CT.

  • Students understand CT operation
  • Students write code to fetch data from CT log
  • Students write code to compare SCT in TLS connection with logged SCT
  • Students write a small Auditor for CT that fetches SCTs regularly and compares with what it sees in the TLS connection

slide-27
SLIDE 27

go-tlsscanner, BGPStream, and AS dynamics

Routing on the Internet is decided using the BGP protocol. Since ca. 2016, CAIDA provides a live stream of BGP announcements, hence considerably extending visibility into Internet routing. In this task, students learn to look for potential anomalies in BGP (i.e. hijacks) and map the prefixes back to potentially affected domains.

  • Students can run a quick go-tlsscan on the Alexa Top 1M to store certificate hashes (we provide the go-tlsscan tool - or even the data set, because it runs very often)
  • Students understand BGP and can work competently with BGPStream
  • Students understand BGP anomalies and odd artefacts.
  • Students understand one way to rule out that a BGP anomaly is an attack
slide-28
SLIDE 28

Focussing

Lecture PreLab Lab

Details Context Narrow Broad

exam

Repetition of main learning outcome PreLab PreLab Lecture Lab Oral Attestation
slide-29
SLIDE 29

*

Somehow “Stable” Internal Tests Student Run

Feedback Revision

~2h Didactics Lecture

didactic concept | authoring tutorial | topic selection | assignment review teams

~30-35 Team Prepares Exercise

slides for talk | prelab | lab | slides | tutor support

~2h First Lecture Presentation

presentation | feedback | quality alignment

~20-25h

Review

review another team

~2h Final Presentation

how is it now | what did you change/ learn | your take home?

~2h Received Feedback Pres.

presentation | feedback | quality alignment

~10-12 Revising new lab

updating learning material

Giving Feedback Lecture

presentation | feedback | quality alignment
slide-30
SLIDE 30

Which Topics are Suitable?

  • They have to do with computer networks and distributed systems.
  • They are interesting, concise, explorative, have a scientific component, …

  • They are suitable for 1-3h lab time.
  • They have learning goals.
  • They are not a tutorial only…
slide-31
SLIDE 31

How to find a topic?

http://thehackernews.com/2016/05/openssl-vulnerability.html?m=1
slide-32
SLIDE 32

Example for lab learning goals

  • People doing our exercise will learn…
  • What is SSL/TLS? (Handshake, key generation, Zero Knowledge Proofs, …)
  • How to set up a webserver (e.g. Apache) with SSL correctly.
  • How to debug an SSL connection?
  • How to attack an SSL connection (man-in-the-middle MITM, Route redirects, …)

  • How to detect that your connection is attacked?
slide-33
SLIDE 33

Example workflow for a lab preparation

  • Research background on the attack.
  • Rebuild the attack.
  • Identify relevant learning outcome! (VERY important: what shall the take home be?)

  • Design an exercise around this outcome, e.g.
  • Set a suitable topology up.
  • Ask for interesting steps.
  • Do some measurements. Interpret the results!
slide-34
SLIDE 34

Available Equipment Reminder

This is the playground:

  • 6x Quad Core fast PC with 3-4 usable LAN interfaces per machine
  • 2x Cisco 881 Router
  • 2x Ethernet switch
  • 2x Work Place with KVM

slide-35
SLIDE 35

Your Exercise Sequence

Voting Outline 1st Lecture Review Final Lecture

Get topic ideas Present 1st ideas Introduce the relevant background to your topic Get and give feedback Present the main learning points and background. 5.6. 19.6. 26.6. 3.7. 10.7. 29.5. 14.5. underlined = you present something here

Didactics Giving Feedback

8.5. Intense Tutoring
slide-36
SLIDE 36

What are you expected to do next?

  • For the topic outline event prepare one presentation per team.
  • Both of you will present the topic there for 5 minutes each.
  • You are free in choosing your topics. Today was only meant for inspiration.

  • The following slide tells you what is expected.
  • You find a template in the lab!
slide-37
SLIDE 37

Topic Template

1 2 3 4

Constructive Alignment Teaching Goals!

slide-38
SLIDE 38

What is required until the five minute outline?

  • An attractive title
  • An updated abstract and learning goals of the exercise
  • A first complete idea which could be the flow of the practical part (lab)
  • e.g.: 1) locally configure TOR, 2) connect to the TOR network, 3) call site XYZ.zyx, observe the traffic, 4) can you see the onion routing? why or why not?
slide-39
SLIDE 39
  • Week -4: Concept & Topic Pitch
  • Prepare your outline talk
  • Week -1: Outline Presentation
  • Present a first structure for your lab, prelab, and lecture.
  • Week 1: Didactics & Techniques & Preparation
  • Lecture Preparation (most relevant concepts?)
  • Prelab Preparation (detailing the lecture content + tools + more)
  • Practical Part Lab Preparation (no cooking recipe)
  • Week 2: Your lecture

  • Finalise and improve your content.
  • Week 3: Review and Get Reviewed
  • Review other team
  • Get reviewed by other team
  • Week 4+5: Present the lab and the feedback received & next steps
  • Improve by materialising the feedback
  • Week 6: Final presentation (Lecture with lab outlook, highlights)

peer grading

  • 1 slide deck for topic outline presentation (both talk!)

* 1st structure => mature structure
  • Slide deck lecture (both talk!)
  • Ready PreLab, Lab
  • Review report
  • Slide on review feedback & planned improvements

  • Final lecture slides
  • Final PreLab, Lab, Peer Grade

Expected Artefacts

your exercise

Marc-Oliver Pahl 2017 5.6. 19.6. 26.6. 3.7. 10.7. 29.5. 8.5. Intense Tutoring
slide-40
SLIDE 40

Enjoy =)

Flickr:nist6dh