
Re: ike and secure DNS



% 
% In message <200010111025.DAA06812@zed.isi.edu>, Bill Manning writes:
% > A couple academic projects, TBDS and FMESHD, are either dependent on
% > working DNSSEC or leverage DNSSEC for key exchange, while the upcoming
% > DNSSEC workshop on the 25th in WDC will be evaluating DNSSEC viability
% > in the ip6.int tree. If that can be shown to be stable, it can act as
% > a precursor to a signed in-addr.arpa. and other address-name trees.
% > I think this is what is needed to exploit any IKE/ipsec & DNS interactions
% > since that will give us a "chain-of-custody" up the delegation hierarchy.
% > Does Free/SWAN have this as a shared goal?
% 
% I'd love to see any sort of secure address-to-entity map.  But there 
% seems to be considerable uncertainty about who actually owns various 
% chunks of address space.  Is the database clean enough that it's worth 
% signing?  I sure don't get that impression from, say, the NANOG list.
% 
% 		--Steve Bellovin

First off, the test case is the ip6.int tree, not a high profile NANOG
item.

One should remember that address space is not owned; the responsibility for
portions of it is delegated. DNSSEC provides the ability to run the
"chain of custody" to authenticate the delegation, while goofy things like
CERT RRs let you do key binding to individual, specific IP addresses,
which is where the interaction w/ IPSEC might come into play.

wrt "cleanliness", my own audits indicate that the data is roughly 50%
accurate and has remained near those levels for four years.  The recent
Mice&Men survey of the forward tree indicates that roughly 80% of the
forward tree is inaccurate and the trend seems to be growing worse on
that side. So... one is allowed to draw one's own conclusions.

And then there is the play for using DNS delegation hierarchies for
validating live routing announcements. While this idea has its warts
and has been buried in piles of rocks every time it has poked its head
above ground, if the DNS can provide an authenticatable "chain of custody"
then it is a much stronger tool for doing routing checks (although I'm still
not convinced about the validity of doing so in real time on the live
routing system). And when there is operational need, and the responsibility
is delegated, folks will keep their data current... at least in my
limited experience.

-- 
--bill
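The "chain of custody" walk Bill describes, over the two reverse trees he names (in-addr.arpa and ip6.int), as an added example that is not part of the original thread and not FreeS/WAN or DNSSEC project code. It assumes a constructed table of which delegation points are signed and linked to their parent, and constructed CERT records with placeholder key identifiers; a real validator would fetch the KEY/SIG records of the day (DS/DNSKEY now) through a resolver instead of reading a dict. The point it shows is the interaction the post mentions: a CERT record bound to an address is only usable when every zone cut above it is authenticated, so one unsigned delegation makes the key below it untrustworthy even though the data exists.

```python
import ipaddress

# Constructed trust table for this example (not real DNS data): every name
# listed is a zone cut in the reverse tree, and the value says whether that
# zone is signed with a key vouched for by its parent (a KEY/SIG link in the
# DNSSEC of the time; DS/DNSKEY today). Names absent from the table are not
# delegation points and simply live inside the nearest listed ancestor.
ZONES = {
    ".": True,
    "int.": True,
    "ip6.int.": True,
    "e.f.f.3.ip6.int.": True,         # 3ffe::/16 delegation, signed
    "arpa.": True,
    "in-addr.arpa.": True,
    "192.in-addr.arpa.": True,
    "0.192.in-addr.arpa.": False,     # 192.0/16 delegation, unsigned: the break
}


def reverse_name(addr):
    """Map an IP address to its reverse-tree owner name.

    IPv4 uses one label per octet under in-addr.arpa; IPv6 uses one label per
    nibble under ip6.int, the tree the thread discusses (ip6.arpa today).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.int."


def ancestors(name):
    """All names from the root down to `name`, one per label boundary."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def chain_of_custody(addr, zones=ZONES):
    """Walk the delegation hierarchy from the root to the address's name.

    Returns (True, None) when every zone cut on the path is signed and linked,
    or (False, zone) naming the first cut where the chain breaks.
    """
    for zone in ancestors(reverse_name(addr)):
        if zone in zones and not zones[zone]:
            return False, zone
    return True, None


# Constructed CERT records keyed by owner name (the key-to-address binding the
# post mentions); the values are placeholder key identifiers, not real keys.
CERT_RRS = {
    reverse_name("3ffe::1"): "CERT-KEY-ID-PLACEHOLDER-A",
    reverse_name("192.0.1.7"): "CERT-KEY-ID-PLACEHOLDER-B",
}


def trusted_key(addr, zones=ZONES, certs=CERT_RRS):
    """Return the CERT key bound to `addr` only if the chain of custody holds.

    A record sitting below an unsigned delegation cannot be authenticated, so
    it is treated as absent even though the data exists.
    """
    ok, _ = chain_of_custody(addr, zones)
    if not ok:
        return None
    return certs.get(reverse_name(addr))


if __name__ == "__main__":
    for a in ("3ffe::1", "192.0.1.7"):
        ok, where = chain_of_custody(a)
        print(a, "->", reverse_name(a))
        print("  chain intact:", ok, "" if ok else "(breaks at %s)" % where)
        print("  usable key:", trusted_key(a))
```

With the constructed table, 3ffe::1 resolves to a usable key because every cut from the root through e.f.f.3.ip6.int. is signed, while 192.0.1.7 gets nothing: the walk stops at 0.192.in-addr.arpa., which is exactly the delegation-level data-quality problem the post's accuracy figures are about.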
