[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[RRG] Re: Security of TRRP mapping replies

To: "Robin Whittle" <rw@firstpr.com.au>
Subject: [RRG] Re: Security of TRRP mapping replies
From: "William Herrin" <bill@herrin.us>
Date: Mon, 25 Feb 2008 18:01:18 -0500
Cc: "Routing Research Group" <rrg@psg.com>
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=gtsMyE3e4Mi6VSE7YY9Y9XGZAjJ9m3+0okn0g6PikORjlbYo1cijgntG3+LO2uDRYhRPh1cvWtMj6KMzpaZMarHfT3ES2a5SNvPzzmwxqzv4fiMld38MCZtPa8/q/5Vygrkut42NpAPbEP3UyhN5zPhz363Xsh0wBlAf9JJdwnQ=
In-reply-to: <47C2793C.50209@firstpr.com.au>
References: <47C2793C.50209@firstpr.com.au>

On Mon, Feb 25, 2008 at 3:15 AM, Robin Whittle <rw@firstpr.com.au> wrote:
>  How would you secure each ITR from bogus map replies which pretend
>  to be from the authoritative nameserver?

Hi Robin,

TRRP relies on mostly on security mechanisms present in DNS itself.
The request includes a serial number. The same serial number has to be
in the reply. Unsolicited replies and replies containing information
outside their scope of authority are ignored.

This is generally effective. Google has not suffered much in the way
of DNS hijacking above the worm-changes-client-dns-resolver level.
Neither has anyone else. The attacks you've heard of, such as cache
poisoning, trace to bugs where the above two requirements were
misimplemented.

DNSSEC is compatible with TRRP as far as I can tell, but it's not
required. DNSSEC has not been widely adopted because the
operations-level need has not demonstrated itself.

I bet the question you want to ask is: how would TRRP have handled
this weekend's YouTube hijacking?

That's hard to say with certainty since BGP doesn't completely go away
with TRRP. A bad actor with access to the DFZ's BGP system can do
significant if temporary damage and TRRP doesn't fundamentally change
that. Presumably AS 17557 is large enough that they'll still be
talking BGP with at least one short PA prefix at their border.

On the TRRP/DNS side of things, they could trivially effect an
intercept and rewrite of the DNS lookup requests for YouTube's ETR
from within Pakistan. On the other hand, getting that to leak without
fouling something up on the BGP side would be as close to impossible
as any such things tend to get.

TRRP doesn't draw traffic with a knowledge push so there's no path for
the intercept knowledge to flow through.

Regards,
Bill Herrin

-- 
William D. Herrin herrin@dirtside.com bill@herrin.us
3005 Crane Dr. Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

Follow-Ups:
- [RRG] Re: Security of TRRP mapping replies
  - From: Robin Whittle <rw@firstpr.com.au>

References:
- [RRG] Security of TRRP mapping replies
  - From: Robin Whittle <rw@firstpr.com.au>

Prev by Date: Re: [RRG] getting rid of longest match
Next by Date: Re: [RRG] getting rid of longest match
Previous by thread: [RRG] Security of TRRP mapping replies
Next by thread: [RRG] Re: Security of TRRP mapping replies
Index(es):
- Date
- Thread