Momento telefônica steve crocker

Woodstock, The Internet and Campu 2011 – Bringing People Together. Steve Crocker, January 20, 2011

Transcript of Momento telefônica steve crocker

Page 1: Momento telefônica   steve crocker

Woodstock, The Internet and Campu 2011 – Bringing People Together

Steve Crocker

January 20, 2011

Page 2: Momento telefônica   steve crocker

Brazil

• Beautiful country
• Warm people
• Delicious food
• And…

Page 3: Momento telefônica   steve crocker

A Prolific Builder of Networks

Page 4: Momento telefônica   steve crocker

About me…

• CEO, Shinkuro, Inc.
– Collaboration technology and Internet infrastructure security
• ICANN Security and Stability Advisory Committee (SSAC)
• ICANN Board of Directors (currently vice chair)
• Arpanet pioneer
– First connection (UCLA 1969); initial protocols
– Request for Comments (RFCs)
• R&D, R&D management, some start ups
– USC-ISI, Aerospace Corp, Trusted Information Systems, CyberCash, Longitude Systems

Page 5: Momento telefônica   steve crocker

Early days

• Los Angeles and Chicago area. Math.
• Started programming in high school
• UCLA -> MIT -> UCLA
• Lots of programming, artificial intelligence
• Building a network looked fun and useful – but not really “serious”

Page 6: Momento telefônica   steve crocker

Network origins

• Early and mid 1960s
– Several attempts to connect two and three computers
• Computers were big, expensive
• Existed mostly in universities and large businesses
• No personal computers

Page 7: Momento telefônica   steve crocker

The Arpanet

• Advanced Research Projects Agency (ARPA, DARPA) is part of the U.S. Dept of Defense
• Funds research to make big changes
– “Factor of 10, not 10%”
• Started Arpanet project in 1967

Page 8: Momento telefônica   steve crocker

ARPA Environment

Research labs at major universities and some companies

Graphics, computer architecture, programming languages, artificial intelligence

Arpanet built to connect these labs


Page 9: Momento telefônica   steve crocker

Arpanet – December 1969

Page 10: Momento telefônica   steve crocker

Arpanet – June 1970

Page 11: Momento telefônica   steve crocker

Arpanet – March 1977

Page 12: Momento telefônica   steve crocker


Standards on the Arpanet

• Single vendor (BBN) for routers (IMPs)
– Proprietary format, addressing, routing
• No formal plan or organization for apps
– Organic cooperation among initial sites
• Informal, cooperative process emerged

Page 13: Momento telefônica   steve crocker


The Early “Standards” Process

• Open architecture
– Multiple protocol layers
– Not a fixed number; new layers anticipated
– Middle layers accessible
– New protocols encouraged
• Open participation
– Originally just from host sites
– Everyone equal - individuals, not organizations
– No cost for participation (NWG)
– No cost for documents (RFCs)

Page 14: Momento telefônica   steve crocker


Network Working Group

• Loose, open organization
– From current or future Arpanet sites
• No formal charter
– S. Crocker chaired and was funded
• Grew from fewer than 10 to 50 and up
– Split into parallel working groups
– Telnet, File Transfer Protocol (FTP), others

Page 15: Momento telefônica   steve crocker

Jon Postel, Steve Crocker, Vint Cerf

Aug 1994 – 25 year anniversary of the Arpanet

Page 16: Momento telefônica   steve crocker


Documents (The RFCs)

• Completely open, informal documents
• “Standards” arrived at by consensus
– Mild management to declare completion
– Strong emphasis on running code
• Documents named “Request for Comments” to emphasize open, invitational nature
• Became more structured over time

Page 17: Momento telefônica   steve crocker

Jon Postel, 1943-1998

Page 18: Momento telefônica   steve crocker


Arpanet begets the Internet

• Lots of other networks
– Other countries - UK, CA, FR
– Other agencies - NASA, DoE
– Local nets - Ring nets, Ethernet
– Other media - packet radio, packet satellite
• Need to interconnect and interoperate

Page 19: Momento telefônica   steve crocker


Internet Standards

• Network Working Group evolved into multiple groups
• Internet Activities Board (IAB) formed
• IETF born under the IAB 1986

Page 20: Momento telefônica   steve crocker

Keeping track of things

• RFCs had numbers
– Postel took over from Crocker in 1971
• Other things needed numbers
– Protocol parameters, etc.
– Let Postel do it
• DNS invented
– Postel hands out country code TLDs
• Internet Assigned Numbers Authority (IANA)

Page 21: Momento telefônica   steve crocker

THE GROWTH PERIOD


Page 22: Momento telefônica   steve crocker

Internet Users

[Chart: Internet users, in millions. Data from www.nua.com and http://www.internetworldstats.com/stats.htm]

Page 23: Momento telefônica   steve crocker

Users 1970 – 1997

[Timeline figure running from 1970 to 1997. Labels recovered from the slide: geeks; geeks and students; business; mom!; CSNet; NBC TV; WWW; 1981; 1988]

Page 24: Momento telefônica   steve crocker

Organizations -- Global

• IETF – Internet Engineering Task Force
• ICANN – Internet Corporation for Assigned Names and Numbers
• ISOC – Internet Society
• W3C – World Wide Web Consortium
• …

Page 25: Momento telefônica   steve crocker

Organizations – Regional

• LACTLD – Latin America and Caribbean Top Level Domains
• LACNIC – Latin America and Caribbean Network Information Center
• NIC.BR – Brazilian Top Level Domain
• Many others

Page 26: Momento telefônica   steve crocker


The Birth of ICANN

• IANA function became complicated
– Contention over domain names
– Allocation of addresses
• ICANN created by U.S. Government
– Internet Corporation for Names and Numbers
• Major Functions
– Manage DNS root including defining new TLDs
– Allocate IP address blocks to regional Internet registries (RIRs)
– Registers IETF Internet parameter values
– Foster competition and innovation
– Security too

Page 27: Momento telefônica   steve crocker

[Figure (illustrative): Internet organizations placed on a grid of regions (North Amer, South Amer, Europe, Africa, Asia - Pacific) against layers (1 Architecture, 2 Protocols, 3 Implementation, 4 Products/Networks, 5 Operations, 6 Response, 7, 8 Policy & Laws). Organizations shown: Internet Engineering and Planning Group, IETF, IAB, AUCERT, Law Enforcement, FBI, Root Server Operators, NANOG, CERT, AFNOG]

Page 28: Momento telefônica   steve crocker

[Figure (illustrative): Internet organizations placed on a grid of regions (North Amer, South Amer, Europe, Africa, Asia - Pacific) against layers (1 Architecture, 2 Protocols, 3 Implementation, 4 Products/Networks, 5 Operations, 6 Response, 7, 8 Policy & Laws), with ICANN added. Organizations shown: Internet Engineering and Planning Group, IETF, IAB, AUCERT, Law Enforcement, FBI, Root Server Operators, NANOG, CERT, AFNOG]

ICANN: Advisory role across multiple levels and countries (DNS and addressing only)

Page 29: Momento telefônica   steve crocker

Security – A Difficult Story

In the early days, each computer had its own security

Network was open, but we knew each group, and each group knew its users

Public key cryptography not yet known


Page 30: Momento telefônica   steve crocker

As the network grew…

• Break-ins
– Morris Worm in 1988 -> CERT
• Firewalls, Virus checkers
• Some use of cryptography
– SSL, PGP, SSH

Page 31: Momento telefônica   steve crocker

Cache Poisoning and DNSSEC


Page 32: Momento telefônica   steve crocker


1 Webpage = Multiple DNS Name Resolutions

Page 33: Momento telefônica   steve crocker

DNS: Data Flow

[Figure: DNS data flow. Components shown: zone administrator, zone file, dynamic updates, master, slaves, caching forwarder, resolver. The flows between them are numbered 1 to 5.]

Page 34: Momento telefônica   steve crocker

DNS Vulnerabilities

[Figure: the DNS data flow diagram (zone administrator, zone file, dynamic updates, master, slaves, caching forwarder, resolver; flows numbered 1 to 5) annotated with threats. Threat labels: corrupting data, impersonating master, unauthorized updates, cache impersonation, cache pollution by data spoofing, altered zone data. Bracket labels: server protection, data protection.]

Page 35: Momento telefônica   steve crocker


How bad can it get?

• In wireless environments, it’s easy to substitute DNS responses.
• Redirect to a false site
– Steal passwords
• Redirect to a man-in-the-middle site
– See and copy an entire session
– Web, email, IM, etc.
– And, of course, Kaminsky’s attack

Page 36: Momento telefônica   steve crocker

Where Does DNSSEC Come In?

• DNSSEC secures the name to address mapping
– Transport and Application security are just other layers.

Page 37: Momento telefônica   steve crocker

DNSSEC hypersummary

• Data authenticity and integrity by signing the Resource Record Sets with private key
• Public DNSKEYs used to verify the RRSIGs
• Children sign their zones with their private key
– Authenticity of that key established by signature by the parent

Page 38: Momento telefônica   steve crocker

History – Design Process

• Demonstration of Cache Poisoning in early 1990s
– Raised concern at high levels in the U.S. Government
– Caused initiation of DNSSEC design work
• Three major design iterations for more than a decade
– Basic design is straightforward
– Distributed key management didn’t scale well in early designs

Page 39: Momento telefônica   steve crocker

The “Final” Design

• “Final” design standardized in RFC 4033-35, March 2005
• Additional privacy requirement emerged
– NSEC3 standardized March 2008, RFC 5155
• Key Rollover Scheme using Timers
– RFC 5011, September 2007

Page 40: Momento telefônica   steve crocker

The Deployment Process

• Deployment is separate from design and standardization
• Software products, tools
• Documentation – tutorials, manuals, …
• Services
• Early adopters
– Zone signers
– Validators

Page 41: Momento telefônica   steve crocker

Top Level Domain Leaders

• Sweden .SE first top level domain deployment
– Formal launch DNSSEC service Feb 2007
• Brazil, .MUSEUM, ORG, Bulgaria, Puerto Rico, Brazil, Czech Republic, Portugal, Switzerland, Thailand, Namibia, NET, …
• Coming soon: United Kingdom, Mexico, COM, many others

Page 42: Momento telefônica   steve crocker

The Root

• The Root was signed July 15, 2010
• Extensive debate for three years
• Lengthy preparation
• Two “key ceremonies” with >30 participants from the entire world
• This marks the end of the beginning
• Still a long way to go

Page 43: Momento telefônica   steve crocker
Page 44: Momento telefônica   steve crocker
Page 45: Momento telefônica   steve crocker


LOOKING AHEAD

Page 46: Momento telefônica   steve crocker

Predictions – Scorecard

Service              Predicted?
Email                Yes
Instant Messaging    Yes
JAVA                 Yes
World Wide Web       Yes
Skype                Yes
Google               No
Facebook             No

Page 47: Momento telefônica   steve crocker

The Future – Technical

• More bandwidth, better connectivity
• Voice interaction
• Gradual automatic translation

Page 48: Momento telefônica   steve crocker

The Future – Organizational

• Global businesses and organizations
• Emphasis on skills, not location
• The door is open to everyone
• And everyone is competing with you!

Page 49: Momento telefônica   steve crocker

What to do?

• Work on projects that make a difference
– The money will take care of itself
• Work with others
– The credit will take care of itself
• Take the initiative
• Build, don’t destroy

Page 50: Momento telefônica   steve crocker

Thank you!