4. About me…
CEO, Shinkuro, Inc.
Collaboration technology and Internet infrastructure security
ICANN
Security and Stability Advisory Committee (SSAC)
ICANN Board of Directors (currently vice chair)
Arpanet pioneer
First connection (UCLA 1969); initial protocols
Request for Comments (RFCs)
R&D, R&D management, some start ups
USC-ISI, Aerospace Corp, Trusted Information Systems,
CyberCash, Longitude Systems
5. Early days
Los Angeles and Chicago area. Math.
Started programming in high school
UCLA -> MIT -> UCLA
Lots of programming, artificial
intelligence
Building a network looked fun and
useful – but not really “serious”
6. Network origins
Early and mid 1960s – Several attempts
to connect two and three computers
Computers were big, expensive
Existed mostly in universities and large
businesses
No personal computers
7. The Arpanet
Advanced Research Projects Agency
(ARPA, DARPA) is part of the U.S. Dept
of Defense
Funds research to make big changes
“Factor of 10, not 10%”
Started Arpanet project in 1967
8. ARPA Environment
Research labs at major universities and
some companies
Graphics, computer architecture,
programming languages, artificial
intelligence
Arpanet built to connect these labs
12. Standards on the Arpanet
Single vendor (BBN) for routers (IMPs)
Proprietary format, addressing, routing
No formal plan or organization for apps
Organic cooperation among initial sites
Informal, cooperative process emerged
13. The Early “Standards” Process
Open architecture
Multiple protocol layers
Not a fixed number; new layers anticipated
Middle layers accessible
New protocols encouraged
Open participation
Originally just from host sites
Everyone equal - individuals, not organizations
No cost for participation (NWG)
No cost for documents (RFCs)
14. Network Working Group
Loose, open organization
From current or future Arpanet sites
No formal charter
S. Crocker chaired and was funded
Grew from fewer than 10 to 50 and up
Split into parallel working groups
Telnet, File Transfer Protocol (FTP), others
16. Documents (The RFCs)
Completely open, informal documents
“Standards” arrived at by consensus
Mild management to declare completion
Strong emphasis on running code
Documents named
“Request for Comments”
to emphasize open, invitational nature
Became more structured over time
18. Arpanet begets the Internet
Lots of other networks
Other countries - UK, CA, FR
Other agencies - NASA, DoE
Local nets - Ring nets, Ethernet
Other media - packet radio, packet satellite
Need to interconnect and interoperate
19. Internet Standards
Network Working Group evolved into
multiple groups
Internet Activities Board (IAB) formed
IETF born under the IAB 1986
20. Keeping track of things
RFCs had numbers
Postel took over from Crocker in 1971
Other things needed numbers
Protocol parameters, etc.
Let Postel do it
DNS invented
Postel hands out country code TLDs
Internet Assigned Numbers Authority (IANA)
23. Users 1970 – 1997
[Chart: growth of the Internet user population at 1970, 1981, 1988 and 1997; labels in the chart: geeks, geeks and students, CSNet, NBC TV, business, WWW, mom!]
24. Organizations -- Global
IETF – Internet Engineering Task Force
ICANN – Internet Corporation for
Assigned Names and Numbers
ISOC – Internet Society
W3C – World Wide Web Consortium
…
25. Organizations – Regional
LACTLD – Latin America and
Caribbean Top Level Domains
LACNIC – Latin America and Caribbean
Network Information Center
NIC.BR – Brazilian Top Level Domain
Many others
26. The Birth of ICANN
IANA function became complicated
Contention over domain names
Allocation of addresses
ICANN created by U.S. Government
Internet Corporation for Names and Numbers
Major Functions
Manage DNS root including defining new TLDs
Allocate IP address blocks
to regional Internet registries (RIRs)
Registers IETF Internet parameter values
Foster competition and innovation
Security too
27. Illustrative
[Diagram: levels of Internet organization, with columns for North America, South America, Europe, Africa and Asia-Pacific]
8 Policy & Laws
7 Law Enforcement: FBI
6 Response: CERT, AUCERT
5 Operations: NANOG, AFNOG, Root Server Operators, Internet Engineering and Planning Group
4 Products/Networks
3 Implementation
2 Protocols: IETF
1 Architecture: IAB
28. Illustrative
[Same diagram as slide 27, with ICANN added]
8 Policy & Laws
7 Law Enforcement: FBI
6 Response: CERT, ICANN, AUCERT
5 Operations: NANOG, AFNOG, Root Server Operators, Internet Engineering and Planning Group
4 Products/Networks
3 Implementation
2 Protocols: IETF
1 Architecture: IAB
ICANN: advisory role across multiple levels and countries (DNS and addressing only)
29. Security – A Difficult Story
In the early days, each computer had its
own security
Network was open, but we knew each
group, and each group knew its users
Public key cryptography not yet known
30. As the network grew…
Breakins
Morris Worm in 1988 -> CERT
Firewalls, Virus checkers
Some use of cryptography
SSL, PGP, SSH
32. 1 Webpage = Multiple DNS Name Resolutions
(Slide credit: russ.mundy@cobham.com)
33. DNS: Data Flow
[Diagram: zone administrator -> zone file -> master -> slaves; dynamic updates -> master; master/slaves -> caching forwarder -> resolver. Flows numbered 1 to 5.]
34. DNS Vulnerabilities
[Same data-flow diagram as slide 33, annotated with where each threat applies]
Corrupting data
Impersonating master
Cache impersonation
Cache pollution by data spoofing
Unauthorized updates
Altered zone data
Countermeasure categories: server protection, data protection
35. How bad can it get?
• In wireless environments, it’s easy to
substitute DNS responses.
• Redirect to a false site
– Steal passwords
• Redirect to a man-in-the-middle site
– See and copy an entire session
– Web, email, IM, etc.
– And, of course, Kaminsky’s attack
36. Where Does DNSSEC Come In?
• DNSSEC secures the name to address
mapping
– Transport and Application security are just
other layers.
37. DNSSEC hypersummary
• Data authenticity and integrity by
signing the Resource Records Sets with
private key
• Public DNSKEYs used to verify the
RRSIGs
• Children sign their zones with their
private key
– Authenticity of that key established by
signature by the parent
38. History – Design Process
Demonstration of Cache Poisoning in
early 1990s
Raised concern at high levels in the U.S.
Government
Caused initiation of DNSSEC design work
Three major design iterations for more
than a decade
Basic design is straightforward
Distributed key management didn’t scale
well in early designs
39. The “Final” Design
“Final” design standardized in RFC
4033-35 March 2005
Additional privacy requirement emerged
NSEC3 standardized March 2008, RFC
5155
Key Rollover Scheme using Timers
RFC 5011, September 2007
40. The Deployment Process
Deployment is separate from design
and standardization
Software products, tools
Documentation – tutorials, manuals, …
Services
Early adopters
Zone signers
Validators
41. Top Level Domain Leaders
Sweden
.SE first top level domain deployment
Formal launch DNSSEC service Feb 2007
Brazil, .MUSEUM, ORG, Bulgaria,
Puerto Rico, Brazil, Czech Republic,
Portugal, Switzerland, Thailand,
Namibia, NET, …
Coming soon: United Kingdom, Mexico,
COM, many others
42. The Root
The Root was signed July 15, 2010
Extensive debate for three years
Lengthy preparation
Two “key ceremonies” with >30
participants from the entire world
This marks the end of the beginning
Still a long way to go
46. Predictions – Scorecard
Service Predicted?
Email Yes
Instant Messaging Yes
JAVA Yes
World Wide Web Yes
Skype Yes
Google No
Facebook No
47. The Future – Technical
More bandwidth, better connectivity
Voice interaction
Gradual automatic translation
48. The Future – Organizational
Global businesses and organizations
Emphasis on skills, not location
The door is open to everyone
And everyone is competing with you!
49. What to do?
Work on projects that make a difference
The money will take care of itself
Work with others
The credit will take care of itself
Take the initiative
Build, don’t destroy