IPv6 and DNSSEC

5 12 2012

IPv6 (Internet Protocol version 6) was developed to address the impending exhaustion of address space, a serious limiting factor on the continued use of IPv4. The Internet Engineering Task Force (IETF) initiated it as early as 1994 (1).

The worldwide deployment of IPv6 traces back to July 1999, when the major industry players and corporations around the world, including manufacturers, research and development institutions, education organizations, telecom operators, consulting companies and many others, joined together in a nonprofit organization named the “IPv6 Forum” (2). From that day on, the global deployment of IPv6 has sped up significantly. By now, IPv6 can to some extent be viewed as the 21st century Internet. The current status of IPv6 deployment around the world is very promising: the USA has issued a mandate to all vendors to switch to an IPv6 platform by the summer of 2008. A consulting and R&D firm in Canada has also developed a tunnel server which allows any IPv4 node to be connected to the 6Bone.

However, considering that only 2 commercial IPv6 address ranges have been allocated in North America, the operational deployment of IPv6 there may progress slowly, since the IPv4 shortage was not yet that urgent in that area. On the other hand, both Asia and Europe strongly support the deployment of IPv6. China initiated a five-year plan (China’s Next Generation Internet) with the objective of implementing IPv6 early, and put the new IPv6 deployment on display during the Olympics in Beijing. The mobile industry in Europe is also a strong supporter of the transition to IPv6, and the European Telecommunications Standards Institute and the IPv6 Forum have established a cooperation agreement. There are new IPv6 deployment initiatives every day around the rest of the world as well. (3)

IPv6 has a series of new security features compared to IPv4. The first thing to mention is that IP security (IPsec) is part of the IPv6 protocol suite, and it is mandatory. (4) IPsec is a set of Internet standards that uses cryptographic security services to provide confidentiality, authentication and data integrity. Although IPv4 also adopted IPsec as an optional feature, in IPv6 data is secured from the originating host to the destination host across the intervening routers, whereas in IPv4 it is secured only between the border routers of separate networks. (5) IPsec has a fundamental concept named the Security Association (SA). An SA is uniquely identified by the Security Parameters Index (SPI), the destination IP address and the security protocol. It is a one-way relationship between sender and receiver that defines the type of security services for a connection. IPv6 also has an Authentication Header (AH), which provides data integrity, anti-replay protection and data authentication for the entire IPv6 packet. In addition, the Encapsulating Security Payload (ESP) header provides confidentiality, authentication and data integrity for the encapsulated payload. (4)

The new security features provided by IPv6 are significant improvements over IPv4, along with the other new features of IPv6. However, they have also created several new security issues. Firstly, the strength of the encryption algorithms that can be used to ensure global interoperability is limited by export laws. Secondly, public-key infrastructure (PKI) has not been fully standardized, which is a problem for IPsec since it relies on PKI. Furthermore, there are still weaknesses against denial-of-service and flooding attacks. There is also the potential for inadvertent confusion among routers with the ability to change IP addresses: the generated traffic may look like a DDoS attack to an IPv4 firewall. Besides, misconfiguring IPv6 systems is still a big threat to organizations. (6)

As a CIO of CMU, the first and most important consideration when implementing IPv6 on the CMU campus is that we must not compromise the security of the site. Many common threats and attacks on IPv4 also apply to IPv6, while on the other hand many new threat possibilities do not appear in the same way as with IPv4. To begin with, I will make reconnaissance more difficult through proper address planning, to prevent attackers from quickly understanding the common addressing scheme for the campus. I will also plan the control of management access to the campus switches carefully, and implement an IPv6 traffic policy and Control Plane Policing by controlling IPv6 traffic based on source prefix, which can help protect the network against basic spoofing (6). However, despite the drawbacks and new security issues mentioned above, the benefits of IPv6 outweigh its shortcomings, since IPv6 provides autoconfiguration capabilities, direct addressing, much more address space, built-in IPsec, and interoperability and mobility capabilities which are already widely embedded in network devices. As a CIO of CMU, I will certainly deploy IPv6. (7)
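As an added illustration (not part of the original post) of the source-prefix check mentioned above, the following Python models ingress filtering on an access interface: a packet whose source address is outside that interface's assigned prefix is treated as spoofed, while link-local and unspecified sources, which IPv6 Neighbor Discovery needs, are still accepted. The interface names and the 2001:db8::/32 documentation prefixes are constructed for the example and are not CMU's address plan.

```python
import ipaddress

# Constructed example: the prefix assigned to each access interface.
INTERFACE_PREFIXES = {
    "vlan10": [ipaddress.ip_network("2001:db8:10::/64")],
    "vlan20": [ipaddress.ip_network("2001:db8:20::/64")],
}

# Sources that must be accepted on any interface even though they are not in
# the interface's global prefix: link-local (Neighbor Discovery, router
# advertisements) and the unspecified address (Duplicate Address Detection).
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNSPECIFIED = ipaddress.ip_address("::")


def source_allowed(interface, src):
    """Return True if a packet with source `src` is plausible on `interface`.

    This is the source-prefix check from the text: a packet arriving on an
    access interface must carry a source from that interface's prefix,
    otherwise it is treated as spoofed and dropped.
    """
    addr = ipaddress.ip_address(src)
    if addr == UNSPECIFIED or addr in LINK_LOCAL:
        return True
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))


def filter_packets(packets):
    """Split (interface, src, dst) tuples into accepted and dropped lists."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        (accepted if source_allowed(iface, src) else dropped).append((iface, src, dst))
    return accepted, dropped


# Constructed sample traffic as seen on the access switch.
SAMPLE = [
    ("vlan10", "2001:db8:10::42", "2001:db8:20::1"),   # legitimate
    ("vlan10", "2001:db8:20::7", "2001:db8:10::1"),    # vlan20 address on vlan10: spoofed
    ("vlan10", "fe80::1", "ff02::1"),                  # link-local multicast: allowed
    ("vlan10", "::", "ff02::1:ff00:42"),               # DAD from unspecified: allowed
    ("vlan20", "2001:db8:ffff::1", "2001:db8:10::1"),  # outside the address plan: spoofed
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print("accepted:", ok)
    print("dropped:", bad)
```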

DNSSEC

DNSSEC, which stands for DNS Security Extensions, was designed to add security to DNS and protect the Internet from certain attacks. It was first addressed by Steven Bellovin in his paper in 1995, and the final design was standardized by the IETF in RFC 4033-35 in March 2005 (8).

The following two figures represent the level of DNSSEC deployment in the world to date. Those countries marked green have deployed DNSSEC today. Those marked yellow have plans to deploy it in the near future.

[Figure: DNSSEC]

[Figure: DNSSEC_2]

We can see from the figures above that most countries in Europe and North America have deployed DNSSEC. (9)

DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning. (10) It is a set of extensions to DNS which provide origin authentication of DNS data, data integrity and authenticated denial of existence. It adds several new resource record types to provide security: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). (10) DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets). Digital signatures are stored in RRSIG resource records and are used in the DNSSEC authentication process. A DS record refers to a DNSKEY by storing the key tag, algorithm number and a digest of the DNSKEY. The NSEC resource record lists two separate things: the next owner name that contains authoritative data or a delegation point NS RRset, and the set of RR types present at the NSEC RR’s owner name. (11) DNSSEC also adds two DNS header flags, namely Checking Disabled (CD) and Authenticated Data (AD), and it supports the DNSSEC OK (DO) EDNS header bit so that a security-aware resolver can indicate in its queries that it wishes to receive DNSSEC RRs in response messages. DNSSEC protects clients from forged data by digitally signing DNS records. Clients can use this digital signature to check whether or not the supplied DNS information is identical to that held on the authoritative DNS server. It will also be possible to use DNSSEC-enabled DNS to store other digital certificates; this makes it possible to use DNSSEC as a public key infrastructure for signing e-mail. (12)
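As an added example, not taken from the post or its references, the following Python builds the DS record fields for a DNSKEY exactly as described above (the RFC 4034 Appendix B key tag plus a digest over the owner name and the DNSKEY RDATA) and performs the chain-of-trust check that a child zone's DNSKEY matches the DS published in the parent. The owner name example.edu. and the 4-byte placeholder public key are constructed so that the key tag (2063) can be worked by hand.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root as 0x00."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA (RFC 4034 section 2): flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5):
    sum the RDATA as 16-bit big-endian words, then fold the carry back in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type=2):
    """Return the DS RDATA fields (key tag, algorithm, digest type, digest) for a DNSKEY.
    The digest covers owner name in wire form || DNSKEY RDATA. Type 2 is SHA-256
    (RFC 4509); type 1 (SHA-1) is kept only because older delegations still use it."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(owner, rdata, parent_ds):
    """Chain-of-trust step: does the child's DNSKEY correspond to the DS in the parent zone?"""
    return ds_record(owner, rdata, parent_ds[2]) == parent_ds


# Constructed DNSKEY: KSK flags 257, protocol 3, algorithm 8 (RSA/SHA-256), with a
# 4-byte placeholder "public key" (a real key is hundreds of bytes) so the tag is checkable.
OWNER = "example.edu."
KEY = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))

if __name__ == "__main__":
    print("key tag:", key_tag(KEY))
    print("DS:", ds_record(OWNER, KEY))
    tampered = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 5]))
    print("tampered key matches DS:", ds_matches(OWNER, tampered, ds_record(OWNER, KEY)))
```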

However, DNSSEC also introduces some new security issues. Firstly, DNSSEC must be able to report when a name is not found, and providing a signed “not found” record for a name may cause a denial of service, while an unsigned record could easily be spoofed. In addition, DNSSEC returns a pre-signed response containing a range of names which do not exist, which can be signed offline ahead of time. This gives attackers much more information about the network. (12)

As a CIO of CMU, here are a few things I would consider when implementing DNSSEC on campus. Firstly, DNSSEC adds a vast amount of complexity and a lack of transparency for errors, which makes it far harder for us to spot and fix issues as they arise, so we must understand the structure and function of DNSSEC thoroughly before implementing it. Secondly, there will be increasing opportunities for Internet communication breakdowns, since the market currently lacks application providers implementing DNSSEC. The potential Internet breakdown is obviously a major factor when considering implementing DNSSEC on campus. In conclusion, we should concede that despite the merits of DNSSEC mentioned above, there are few rewards for a large corporation such as CMU to actually run DNSSEC on the Internet today, since most ISPs aren’t validating yet, and most applications aren’t yet DNSSEC savvy. (13) As a CIO of CMU, I would not recommend implementing DNSSEC on campus for the moment.

_____________

(1) http://www.ipv6.com/articles/general/timeline-of-ipv6.htm

(2) http://www.ipv6.com/articles/deployment/IPv6-Deployment-Status.htm

(3) http://www.consulintel.es/Html/ForoIPv6/Documentos/IPv6%20Status%20around%20the%20World.pdf

(4) http://www.sans.org/reading_room/whitepapers/protocols/security-features-ipv6_380

(5) http://technet.microsoft.com/en-us/library/cc775898(v=ws.10)

(6) http://www.darkreading.com/security/news/227300083

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns107/c649/ccmigration_09186a00807753a6.pdf

(7) http://www.ipv6now.com.au/primers/benefits.php

(8) http://www.internetdagarna.se/arkiv/2008/www.internetdagarna.se/images/stories/pdf/domannamn/Steve_Crocker_administrationofDNSSEC.pdf

(9) http://www.nlnetlabs.nl/projects/DNSSEC/history.html

(10) http://www.DNSSEC.net/

(11) http://www.rfc-archive.org/getrfc.php?rfc=4034

(12) http://www.techrepublic.com/blog/networking/DNSSEC-whats-the-fuss-all-about-and-what-does-us-homeland-security-have-to-do-with-it/234

(13) http://www.securityweek.com/risk-vs-reward-implementing-DNSSEC-and-what-enterprises-should-do-today
