Post on 14-Apr-2017
Woodstock, the Internet and Campus 2011 – Bringing People Together
Steve Crocker, January 20, 2011
Brazil
Beautiful country
Warm people
Delicious food
And…
A Prolific Builder of Networks
About me…
CEO, Shinkuro, Inc. – collaboration technology and Internet infrastructure security
ICANN Security and Stability Advisory Committee (SSAC); ICANN Board of Directors (currently vice chair)
Arpanet pioneer: first connection (UCLA 1969); initial protocols; Request for Comments (RFCs)
R&D, R&D management, some start-ups: USC-ISI, Aerospace Corp, Trusted Information Systems, CyberCash, Longitude Systems
Early days
Los Angeles and Chicago area. Math. Started programming in high school.
UCLA -> MIT -> UCLA
Lots of programming, artificial intelligence
Building a network looked fun and useful – but not really “serious”
Network origins
Early and mid 1960s – several attempts to connect two and three computers
Computers were big, expensive; existed mostly in universities and large businesses
No personal computers
The Arpanet
Advanced Research Projects Agency (ARPA, DARPA) is part of the U.S. Dept of Defense
Funds research to make big changes: “Factor of 10, not 10%”
Started Arpanet project in 1967
ARPA Environment
Research labs at major universities and some companies
Graphics, computer architecture, programming languages, artificial intelligence
Arpanet built to connect these labs
Arpanet – December 1969 (map)
Arpanet – June 1970 (map)
Arpanet – March 1977 (map)
Standards on the Arpanet
Single vendor (BBN) for routers (IMPs): proprietary format, addressing, routing
No formal plan or organization for apps; organic cooperation among initial sites
Informal, cooperative process emerged
The Early “Standards” Process
Open architecture
Multiple protocol layers: not a fixed number; new layers anticipated; middle layers accessible; new protocols encouraged
Open participation: originally just from host sites; everyone equal – individuals, not organizations
No cost for participation (NWG); no cost for documents (RFCs)
Network Working Group
Loose, open organization from current or future Arpanet sites
No formal charter; S. Crocker chaired and was funded
Grew from fewer than 10 to 50 and up; split into parallel working groups: Telnet, File Transfer Protocol (FTP), others
Jon Postel, Steve Crocker, Vint Cerf (photo)
Aug 1994 – 25 year anniversary of the Arpanet
Documents (The RFCs)
Completely open, informal documents; “standards” arrived at by consensus
Mild management to declare completion; strong emphasis on running code
Documents named “Request for Comments” to emphasize open, invitational nature
Became more structured over time
Jon Postel, 1943-1998 (photo)
Arpanet begets the Internet
Lots of other networks:
Other countries – UK, CA, FR
Other agencies – NASA, DoE
Local nets – ring nets, Ethernet
Other media – packet radio, packet satellite
Need to interconnect and interoperate
Internet Standards
Network Working Group evolved into multiple groups
Internet Activities Board (IAB) formed; IETF born under the IAB, 1986
Keeping track of things
RFCs had numbers; Postel took over from Crocker in 1971
Other things needed numbers (protocol parameters, etc.) – let Postel do it
DNS invented; Postel hands out country code TLDs
Internet Assigned Numbers Authority (IANA)
THE GROWTH PERIOD
Internet Users (chart, in millions; data from www.nua.com and http://www.internetworldstats.com/stats.htm)
Users 1970 – 1997; chart annotations: geeks; geeks and students; CSNet (1981); NBC TV (1988); WWW; business; “mom!”
Organizations – Global
IETF – Internet Engineering Task Force
ICANN – Internet Corporation for Assigned Names and Numbers
ISOC – Internet Society
W3C – World Wide Web Consortium
…
Organizations – Regional
LACTLD – Latin America and Caribbean Top Level Domains
LACNIC – Latin America and Caribbean Network Information Center
NIC.BR – Brazilian Top Level Domain
Many others
The Birth of ICANN
IANA function became complicated: contention over domain names, allocation of addresses
ICANN created by U.S. Government: Internet Corporation for Assigned Names and Numbers
Major functions:
Manage DNS root, including defining new TLDs
Allocate IP address blocks to regional Internet registries (RIRs)
Register IETF Internet parameter values
Foster competition and innovation
Security too
(Diagram, illustrative: Internet organizations by region – North America, South America, Europe, Africa, Asia-Pacific – and by level: 1 Architecture, 2 Protocols, 3 Implementation, 4 Products/Networks, 5 Operations, 6 Response, 7–8 Policy & Laws. Bodies shown: Internet Engineering and Planning Group, IETF, IAB, AUCERT, CERT, AFNOG, NANOG, Root Server Operators, Law Enforcement / FBI.)
(Same diagram with ICANN added: advisory role across multiple levels and countries (DNS and addressing only).)
Security – A Difficult Story
In the early days, each computer had its own security
Network was open, but we knew each group, and each group knew its users
Public key cryptography not yet known
As the network grew…
Break-ins; Morris Worm in 1988 -> CERT
Firewalls, virus checkers
Some use of cryptography: SSL, PGP, SSH
Cache Poisoning and DNSSEC
russ.mundy@cobham.com
1 Webpage = Multiple DNS Name Resolutions
DNS: Data Flow (diagram; steps numbered 1–5): zone administrator edits the zone file; dynamic updates; master; slaves; caching forwarder; resolver
DNS Vulnerabilities (same diagram, threats placed on each step): corrupting data; unauthorized updates; impersonating master; cache pollution by data spoofing; cache impersonation; result: altered zone data
The diagram distinguishes server protection from data protection
How bad can it get?
• In wireless environments, it’s easy to substitute DNS responses.
• Redirect to a false site – steal passwords
• Redirect to a man-in-the-middle site – see and copy an entire session – web, email, IM, etc.
– And, of course, Kaminsky’s attack
Where Does DNSSEC Come In?
• DNSSEC secures the name to address mapping – transport and application security are just other layers.
DNSSEC hypersummary
• Data authenticity and integrity by signing the Resource Record Sets with the private key
• Public DNSKEYs used to verify the RRSIGs
• Children sign their zones with their private key – authenticity of that key established by a signature from the parent
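The chain of trust sketched in the hypersummary, and the cache-pollution threat from the vulnerabilities slide, can be seen end to end in a small model. The Go program below is an added example, not code from the slides or from any DNSSEC implementation. It uses Ed25519 from the standard library as the signing algorithm and signs a canonical text form of each RRset instead of the RFC 4034 wire form; zone names (root, "br.", "example.br.", "other.br.") and addresses are constructed for the demonstration. A parent publishes a DS record (a hash of the child's DNSKEY) and signs it; a validator configured only with the root trust anchor walks the chain down to the owner zone and then checks the RRSIG on the answer. A spoofed answer with an altered address fails whether the genuine RRSIG is replayed or a rogue key signs it, and a delegation without a DS cannot be validated.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RRset is a toy resource record set. Real DNSSEC signs the canonical wire
// form (RFC 4034); this model signs a canonical text form instead.
type RRset struct {
	Owner, Type string
	Data        []string
}

func (r RRset) canon() []byte {
	d := append([]string(nil), r.Data...)
	sort.Strings(d) // record order must not change the signature
	return []byte(strings.ToLower(r.Owner) + "|" + r.Type + "|" + strings.Join(d, ","))
}

// Zone models what a signed zone publishes: its DNSKEY (public key), the DS
// records for delegated children, and RRSIGs made with its private key.
// One key per zone here; real zones usually split KSK and ZSK.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	DS   map[string][]byte // child name -> SHA-256 over the child's DNSKEY RRset
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv, DS: map[string][]byte{}}
}

func (z *Zone) dnskey() RRset {
	return RRset{Owner: z.Name, Type: "DNSKEY", Data: []string{fmt.Sprintf("%x", z.Pub)}}
}

func (z *Zone) dsFor(child string) RRset {
	return RRset{Owner: child, Type: "DS", Data: []string{fmt.Sprintf("%x", z.DS[child])}}
}

// Sign returns the RRSIG over an RRset, made with the zone's private key.
func (z *Zone) Sign(rr RRset) []byte { return ed25519.Sign(z.priv, rr.canon()) }

// Delegate is the parent's half of the chain of trust: it records a DS
// (hash of the child's DNSKEY) that it will sign with its own key.
func (z *Zone) Delegate(child *Zone) {
	sum := sha256.Sum256(child.dnskey().canon())
	z.DS[child.Name] = sum[:]
}

// Validate is the resolver's half. The validator knows only the root trust
// anchor; it walks chain (root first, owner of rr last), checking at each
// step that the parent's signed DS matches the child's DNSKEY, and finally
// that sig is a valid RRSIG over rr under the owner's DNSKEY. dsSigs holds
// the RRSIG each parent published over its DS record, keyed by child name.
func Validate(anchor ed25519.PublicKey, chain []*Zone, dsSigs map[string][]byte, rr RRset, sig []byte) error {
	if !bytes.Equal(chain[0].Pub, anchor) {
		return fmt.Errorf("%s: DNSKEY does not match the trust anchor", chain[0].Name)
	}
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		ds, ok := parent.DS[child.Name]
		if !ok {
			// A real validator would require an NSEC/NSEC3 proof of the missing DS
			// and then treat the subtree as insecure rather than bogus.
			return fmt.Errorf("%s: no DS in %s, cannot validate", child.Name, parent.Name)
		}
		if !ed25519.Verify(parent.Pub, parent.dsFor(child.Name).canon(), dsSigs[child.Name]) {
			return fmt.Errorf("%s: DS RRSIG invalid", child.Name)
		}
		if sum := sha256.Sum256(child.dnskey().canon()); !bytes.Equal(sum[:], ds) {
			return fmt.Errorf("%s: DNSKEY does not match parent's DS", child.Name)
		}
	}
	owner := chain[len(chain)-1]
	if !ed25519.Verify(owner.Pub, rr.canon(), sig) {
		return fmt.Errorf("%s %s: RRSIG invalid (data altered or signed by the wrong key)", rr.Owner, rr.Type)
	}
	return nil
}

// Outcome collects the validation result of four constructed cases.
type Outcome struct{ Genuine, Altered, ForgedKey, NoDS error }

// Scenario builds root -> br. -> example.br. (constructed zones) and runs
// a genuine answer, two spoofed answers and an undelegated zone through Validate.
func Scenario() Outcome {
	root, br, ex := NewZone("."), NewZone("br."), NewZone("example.br.")
	root.Delegate(br)
	br.Delegate(ex)
	dsSigs := map[string][]byte{"br.": root.Sign(root.dsFor("br.")), "example.br.": br.Sign(br.dsFor("example.br."))}
	chain := []*Zone{root, br, ex}
	anchor := root.Pub // the only key the validator is configured with

	www := RRset{Owner: "www.example.br.", Type: "A", Data: []string{"192.0.2.10"}} // RFC 5737 documentation address
	sig := ex.Sign(www)
	// Spoofed response: same name, different address. The genuine RRSIG no
	// longer matches, and a rogue key for example.br. is not in the chain.
	altered := RRset{Owner: www.Owner, Type: "A", Data: []string{"198.51.100.7"}}
	rogue := NewZone("example.br.")
	// other.br. signs its data, but br. never published a DS for it.
	other := NewZone("other.br.")
	o := RRset{Owner: "www.other.br.", Type: "A", Data: []string{"192.0.2.20"}}

	return Outcome{
		Genuine:   Validate(anchor, chain, dsSigs, www, sig),
		Altered:   Validate(anchor, chain, dsSigs, altered, sig),
		ForgedKey: Validate(anchor, chain, dsSigs, altered, rogue.Sign(altered)),
		NoDS:      Validate(anchor, []*Zone{root, br, other}, dsSigs, o, other.Sign(o)),
	}
}

func main() {
	o := Scenario()
	fmt.Println("genuine:   ", o.Genuine)
	fmt.Println("altered:   ", o.Altered)
	fmt.Println("forged key:", o.ForgedKey)
	fmt.Println("no DS:     ", o.NoDS)
}
```

Only the first case returns nil. A caching forwarder that stores answers only after Validate succeeds cannot be polluted by the altered responses, which is the point of the "data protection" side of the vulnerabilities slide; server protection (access control on zone files, updates and zone transfers) is still needed on the authoritative side.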
History – Design Process
Demonstration of cache poisoning in early 1990s raised concern at high levels in the U.S. Government; caused initiation of DNSSEC design work
Three major design iterations over more than a decade
Basic design is straightforward; distributed key management didn’t scale well in early designs
The “Final” Design
“Final” design standardized in RFC 4033-35, March 2005
Additional privacy requirement emerged: NSEC3 standardized March 2008, RFC 5155
Key rollover scheme using timers: RFC 5011, September 2007
The Deployment Process
Deployment is separate from design and standardization
Software products, tools
Documentation – tutorials, manuals, …
Services
Early adopters: zone signers, validators
Top Level Domain Leaders
Sweden (.SE): first top level domain deployment; formal launch of DNSSEC service Feb 2007
Brazil, .MUSEUM, ORG, Bulgaria, Puerto Rico, Czech Republic, Portugal, Switzerland, Thailand, Namibia, NET, …
Coming soon: United Kingdom, Mexico, COM, many others
The Root
The Root was signed July 15, 2010
Extensive debate for three years; lengthy preparation
Two “key ceremonies” with >30 participants from the entire world
This marks the end of the beginning; still a long way to go
LOOKING AHEAD
Predictions – Scorecard
Service            Predicted?
Email              Yes
Instant Messaging  Yes
JAVA               Yes
World Wide Web     Yes
Skype              Yes
Google             No
Facebook           No
The Future – Technical
More bandwidth, better connectivity
Voice interaction
Gradual automatic translation
The Future – Organizational
Global businesses and organizations
Emphasis on skills, not location
The door is open to everyone
And everyone is competing with you!
What to do?
Work on projects that make a difference – the money will take care of itself
Work with others – the credit will take care of itself
Take the initiative
Build, don’t destroy
Obrigado! (Thank you!)