
Security - Trust and Gossip

Presentation I gave at #Loadays 2012. It's about how new "secure" tech isn't that secure at all.


Frank Louwers

March 31, 2012


  1. Security: Trust and Gossip Loadays - 31/03/2012 @frank_be http://frank.be http://www.openminds.be/

  2. Security improvements The future looks bright and secure, right?

  3. Past few years:
     • IPv6 will have security built-in
     • DNSSEC will provide a more stable and secure DNS infrastructure
     • Secure BGP is the way ISPs will work
     • Telenet and Belgacom “homespots” are great

  4. Guess what? They are all wrong!

  5. First: disclaimer

  6. This talk:
     • Provocative!
     • Meant to give you an overview, not tech details
     • I am a user / admin, not an expert
     • Should make you think, not act
     • Just after the lunch break

  8. IPv6 and security

  9. IPv6 myths
     • “Security built in”
     • means: “IPSec is part of the spec”
     • fact: not better than IPv4 + IPSec

  10. But is it worse?
     • YES
     • Firewalling
     • deep (layer 7)
     • stateful
     • basic: ACL
     • easy to implement in switch hardware!

  11. IPv4: Source IP, Destination IP, Source Port and Destination Port sit at fixed locations in the packet
      Image: (c) cisco.com

  12. IPv6 IP header: the IPv6 header is simpler than the IPv4 one, but ...
      Image: (c) tcpipguide.com

  13. IPv6 problem: Optional Extension Headers!
      Image: (c) tcpipguide.com

  14. Result:
     • Source port and destination port can be anywhere in the IPv6 packet
     • ACLs can’t work fast
     • ASICs assume no extension headers

  15. Even worse ...
     • firewalls/routers don’t catch this!
     • they only inspect the first X bytes of a packet
     • craft an IPv6 packet whose port location is beyond X
     • Example: Juniper
     • http://blog.ip.fi/2011/08/ipv6-acl-bypass.html

  16. Juniper filter from the example (closing brace of the first term restored):

      term my_smtp {
          from { destination-address 2001:db8::42/128; }
          then accept;
      }
      term no_spam {
          from { next-header tcp; destination-port 25; }
          then discard;
      }
      term accept {
          then accept;
      }

  17. IPv6 makes certain firewall rules useless (at worst) and slow (at best)

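Added illustration of slides 13 to 17 (this is example code written for this page, not code from the talk or from the ip.fi blog post it cites): a small IPv6 parser that walks the Next Header chain to locate the TCP header, next to two models of how a device gets it wrong, one that assumes the transport header always sits at byte 40 and one that only looks at the first X bytes. The packets and addresses (2001:db8::/32 documentation prefix) are constructed inline; the inspection window size is an assumed parameter, not a figure from the slides.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
PROTO_TCP = 6
# Extension header types a correct parser must walk through (RFC 2460 / RFC 8200).
EXT_HOP_BY_HOP, EXT_ROUTING, EXT_FRAGMENT, EXT_DEST_OPTS = 0, 43, 44, 60
WALKABLE = {EXT_HOP_BY_HOP, EXT_ROUTING, EXT_FRAGMENT, EXT_DEST_OPTS}

# Constructed sample addresses from the documentation prefix.
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::99").packed


def build_ipv6_packet(dst_port, ext_types=(), pad_units=0):
    """Build a constructed IPv6 packet: fixed header, an optional chain of
    extension headers, then a minimal 20-byte TCP SYN. pad_units is the
    Hdr Ext Len value of each Hop-by-Hop / Destination Options header, so
    each such header occupies (pad_units + 1) * 8 bytes of PadN filler."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    body = tcp
    next_header = PROTO_TCP
    # Assemble inside-out so each header carries the type of the header after it.
    for ext_type in reversed(ext_types):
        if ext_type == EXT_FRAGMENT:
            hdr = struct.pack("!BBHI", next_header, 0, 0, 0)  # always 8 bytes
        else:
            total = (pad_units + 1) * 8
            opt_len = total - 2                              # bytes after NextHdr + HdrExtLen
            padn = bytes([1, opt_len - 2]) + b"\x00" * (opt_len - 2)  # one PadN option
            hdr = bytes([next_header, pad_units]) + padn
        body = hdr + body
        next_header = ext_type
    fixed = struct.pack("!IHBB", 0x60000000, len(body), next_header, 64) + SRC + DST
    return fixed + body


def find_transport_header(pkt):
    """Walk the Next Header chain and return (protocol, offset) of the
    transport header, however many extension headers precede it."""
    next_header = pkt[6]
    offset = IPV6_HDR_LEN
    while next_header in WALKABLE:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nh, ext_len = pkt[offset], pkt[offset + 1]
        # Fragment header is fixed at 8 bytes; the others are (HdrExtLen + 1) * 8.
        offset += 8 if next_header == EXT_FRAGMENT else (ext_len + 1) * 8
        next_header = nh
    if offset + 4 > len(pkt):
        raise ValueError("truncated transport header")
    return next_header, offset


def tcp_dst_port(pkt):
    """Destination port found by walking the whole chain; None if not TCP."""
    proto, off = find_transport_header(pkt)
    if proto != PROTO_TCP:
        return None
    return struct.unpack("!H", pkt[off + 2:off + 4])[0]


def fixed_offset_tcp_dst_port(pkt):
    """Model of an ASIC that assumes the transport header sits at byte 40:
    any extension header type in the fixed header reads as 'not TCP'."""
    if pkt[6] != PROTO_TCP:
        return None
    return struct.unpack("!H", pkt[42:44])[0]


def windowed_tcp_dst_port(pkt, inspect_bytes):
    """Model of a device that walks the chain but only sees the first
    inspect_bytes of the packet (the slide's 'first X bytes')."""
    proto, off = find_transport_header(pkt)
    if proto != PROTO_TCP or off + 4 > inspect_bytes:
        return None
    return struct.unpack("!H", pkt[off + 2:off + 4])[0]


def no_spam_action(pkt, port_reader):
    """The slide's no_spam term: discard TCP/25, accept everything else.
    port_reader is whichever port lookup the device implements."""
    return "discard" if port_reader(pkt) == 25 else "accept"


if __name__ == "__main__":
    plain = build_ipv6_packet(25)
    padded = build_ipv6_packet(25, (EXT_DEST_OPTS, EXT_FRAGMENT, EXT_DEST_OPTS), pad_units=15)
    for name, pkt in (("plain", plain), ("padded", padded)):
        print(name, "transport header at", find_transport_header(pkt)[1],
              "fixed-offset:", no_spam_action(pkt, fixed_offset_tcp_dst_port),
              "128-byte window:", no_spam_action(pkt, lambda p: windowed_tcp_dst_port(p, 128)),
              "chain walk:", no_spam_action(pkt, tcp_dst_port))
```

With three extension headers in front of it, the TCP header of the padded packet starts at byte 304, so both the fixed-offset model and the 128-byte window model let a port-25 packet through; only the parser that walks the chain applies the discard term. That walk is exactly the variable-cost work the slides say ASICs and fixed-window inspection skip.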
  18. DNSSEC and stability

  19. DNSSEC in 1 line: “Makes DNS more secure by signing records using private/public keys”

  20. More secure? Yes Less stable? Yes !!!

  21. DNSSEC resolvers
     • Should not give a reply to the user if the records are badly signed
     • Can lead to downtime of sites
     • nasa.gov: January 2012
     • .UK, .FR, RIPE, Mozilla.org, various .gov, ...

  22. Big problem: transfers
     • Without cooperation: resolution problems
     • Very complex, even with cooperation
     • Verisign whitepaper: 11 steps!
     • Without cooperation: impossible!
     • unless you declare the zone “unsafe” for +/- 7 days

  23. Read More
     • Verisign whitepaper: http://www.verisigninc.com/assets/whitepaper-dnssec-transfers.pdf
     • Proposal by DENIC: http://tools.ietf.org/html/draft-koch-dnsop-dnssec-operator-change-03
     • Shinkuro study: http://ccnso.icann.org/node/9280

  24. Secure BGP: securing the protocol that makes the internet work
      Most of this: Geoff Huston presentation at AusCERT, http://www.potaroo.net/presentations/2011-05-16-route-secure.pdf

  25. BGP
     • Routing protocol: used by *all* ISPs
     • Based on “advertisements”
     • “We, being network 30961, have a route to ...”
     • prefixes,

  26. Problems
     • Based on Trust and Gossip
     • “The internet runs fine, right?”
     • But who checks whether the gossip is right?
     • Do you trust your neighbour?
     • Do you trust your neighbour’s neighbour?
     • Do you trust Pakistani or Saudi Telecom?

  27. When the net breaks
     • February 2008: Pakistan “filters” YouTube in an incorrect way
     • Breaks YouTube for everyone
     • Spammers “steal” someone else’s address space
     • More?

  28. How many BGP “lies”?
     • About 400 on any given day!
     • Level3
     • TATA
     • UUNet
     • Telstra
     • France Telecom

  29. Why?
     • We are sloppy
     • and used to being sloppy
     • and used to everybody being sloppy
     • abuses are relatively infrequent
     • so we tolerate this state

  30. Proposed solution
     • Routing Security, Secure BGP
     • PKI infrastructure
     • for network numbers and prefixes
     • Managed by RIPE, APNIC, ARIN, AfriNIC...

  31. Problems
     • Filtering what your peers announce
     • Good
     • Doesn’t help to check further along the path
     • No PKI needed to do that now anyway

  32. Problems ...
     • Full check on the entire path
     • possible
     • slow
     • needs 10GB of RAM in each router
     • needs heaps and heaps of CPU power
     • no incremental rollout possible

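Added example for slides 30 to 32 (written for this page; not code from the talk, from Geoff Huston's presentation, or from any RIR): the cheap half of the proposed PKI is route origin validation, where an RIR-issued Route Origin Authorization (ROA) says which network number may announce which prefix, down to a maximum length. The function below validates an announcement against a constructed ROA table, and the second function shows the limit the slides point at: only the origin (last) AS in the path is checked, the rest of the path is still gossip. The ROA records are constructed samples; 30961 is the network number the slides mention, 64496/64500 are documentation ASNs, and the prefixes are documentation space.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce prefix, and any
    more specific of it down to max_length. Constructed sample records."""
    prefix: str
    max_length: int
    origin_as: int

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


# Constructed sample ROA table standing in for what an RIR would publish.
SAMPLE_ROAS = (
    ROA("2001:db8::/32", 48, 30961),      # network 30961 may announce /32 .. /48
    ROA("203.0.113.0/24", 24, 64496),     # exactly the /24, nothing more specific
)


def validate_origin(prefix, origin_as, roas=SAMPLE_ROAS):
    """Route Origin Validation as in RFC 6811.
    'valid'     : a covering ROA names this origin AS and allows this length
    'invalid'   : ROAs cover the prefix but none matches AS and length
    'not_found' : no ROA covers the prefix at all (most of the table in 2012)"""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas
                if r.network.version == net.version and net.subnet_of(r.network)]
    if not covering:
        return "not_found"
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def validate_announcement(prefix, as_path, roas=SAMPLE_ROAS):
    """Validate a BGP UPDATE by its AS_PATH. Only the origin (last AS) is
    checked against the ROAs; the transit ASes before it are taken on trust,
    which is why the slides say this does not check further along the path."""
    if not as_path:
        return "invalid"
    return validate_origin(prefix, as_path[-1], roas)


def route_policy(prefix, as_path, roas=SAMPLE_ROAS):
    """A conservative router policy on top of the validation state."""
    state = validate_announcement(prefix, as_path, roas)
    return {"valid": "accept", "not_found": "accept", "invalid": "reject"}[state]


if __name__ == "__main__":
    for prefix, path in (("2001:db8::/32", [64500, 30961]),
                         ("2001:db8:1:2::/64", [64500, 30961]),
                         ("2001:db8::/32", [64500, 64496]),
                         ("2001:db8::/32", [64500, 64496, 30961]),
                         ("2001:db9::/32", [64500, 64496])):
        print(prefix, path, "->", validate_announcement(prefix, path), "/", route_policy(prefix, path))
```

The fourth case in the demo is the one to note: a path that ends in the authorized origin validates even though the hop before it was never in the real path. Origin validation stops the 2008-style mistaken announcement of someone else's prefix, and it does it with a lookup per update rather than a signature check per hop; checking the whole path is the expensive part of the proposal that slide 32 describes.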
  34. We can’t ... We can’t make secure routing mechanisms cheaper, more robust and more effective than the existing routing tools ...
     • We can make it more robust, but it won’t be cheap
     • We can make it fast, but it won’t be robust nor cheap
     • We can make it cheap, but it won’t be robust

  35. Read More ...
     • Geoff Huston (chief scientist, APNIC)
     • http://www.potaroo.net/presentations/2011-05-16-route-secure.pdf
     • recording: http://risky.biz/AusCERT-routing-lies

  36. Bonus: don’t use Telenet homespots

  37. Can you tell me why?

  38. Because you can’t be sure it’s a “homespot”

  39. What prevents me from ...
     • Taking the Telenet homespot / Belgacom Fon login page
     • Putting up a WiFi net with the right SSID
     • Putting up my fake page as the captive portal
     • Stealing your logins
     • All your base belong to me!

  40. But but but but ...
     • It’s SSL enabled, right?
     • Sure
     • But does your mom check SSL?
     • Does your mom check the URL in the browser bar?
     • Possible to put a “looks ok” URL in the URL bar, with a valid SSL cert
     • Possible to put the real URL, but without SSL

  41. Fix?
     • Not easy.
     • Two ways:
     • Login other than via the web (e.g. SMS text?)
     • Client apps
     • mobile clients: no problem
     • “real” computers: what to support? Admin rights?

  42. Presentation Conclusions

  43. Conclusions
     • Stuff that looks good at first:
     • isn’t always good
     • isn’t solving the problems you think it solves
     • IPv6 might be less secure than you think
     • DNSSEC will break things, hard!
     • Secure BGP is not a solution
     • Maybe you shouldn’t use Telenet Homespots

  44. Thank you Slides will be on SpeakerDeck tomorrow