
IPsec and DNSSEC



-----BEGIN PGP SIGNED MESSAGE-----


I'm posting this since a couple of people were curious about the DNSSEC
packets that I mentioned at the WG meeting. Here is a trace from Saturday
at the DNSSEC workshop. It is not the best trace there is, but it is a
pretty good example. Type43 is "DS", which tcpdump doesn't know about (yet).

Note that RSA keys stored in DNS are much smaller than CERTs.

11:23:12.728566 192.1.2.45.500 > 192.1.2.23.500: isakmp: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=4
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024)))) (DF)

11:23:12.760746 192.1.2.23.500 > 192.1.2.45.500: isakmp: phase 1 R ident:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=1
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=0005)))) (DF)

11:23:13.111953 192.1.2.45.500 > 192.1.2.23.500: isakmp: phase 1 I ident:
    (ke: key len=192)
    (nonce: n len=16) (DF)

11:23:13.654194 192.1.2.23.500 > 192.1.2.45.500: isakmp: phase 1 R ident:
    (ke: key len=192)
    (nonce: n len=16) (DF)

11:23:14.787339 192.1.2.45.500 > 192.1.2.23.500: isakmp: phase 1 I ident[E]: [encrypted id] (DF)

At this point, we have transmitted the IDs and stuff, and here we go with
DNSSEC. Clearly we just gave the IDs away --- one of the reasons we'd like to
do OE to the DNS servers as well. 192.1.2.129 is a local (fake) root name server.

11:23:14.971909 192.1.2.23.1029 > 192.1.2.129.53:  49634 [1au] KEY? 45.2.1.192.in-addr.arpa. (52) (DF)
11:23:14.996431 192.1.2.129.53 > 192.1.2.23.1029:  49634*- 2/3/7 KEY, SIG (1065) (DF)

11:23:15.024044 192.1.2.23.1029 > 192.1.2.129.53:  28790 [1au] KEY? 2.1.192.in-addr.arpa. (49) (DF)
11:23:15.071367 192.1.2.129.53 > 192.1.2.23.1029:  28790*- 2/3/5 KEY, SIG (672) (DF)

11:23:15.091019 192.1.2.23.1029 > 192.1.2.129.53:  7257 [1au] Type43? 2.1.192.in-addr.arpa. (49) (DF)
11:23:15.116719 192.1.2.129.53 > 192.1.2.23.1029:  7257- 0/4/5 (508) (DF)

11:23:15.138023 192.1.2.23.1029 > 192.1.2.129.53:  43181 [1au] Type43? 2.1.192.in-addr.arpa. (49) (DF)
11:23:15.178295 192.1.2.129.53 > 192.1.2.23.1029:  43181- 0/4/5 (508) (DF)

11:23:15.209710 192.1.2.23.1029 > 192.1.2.254.53:  23990 [1au] Type43? 2.1.192.in-addr.arpa. (49) (DF)
11:23:15.228795 192.1.2.254.53 > 192.1.2.23.1029:  23990*- 2/3/7 Type43, SIG (820) (DF)

11:23:15.254679 192.1.2.23.1029 > 192.1.2.130.53:  11995 [1au] KEY? 1.192.in-addr.arpa. (47) (DF)
11:23:15.271300 192.1.2.130.53 > 192.1.2.23.1029:  11995*- 2/3/5 KEY, SIG (668) (DF)

11:23:15.289401 192.1.2.23.1029 > 192.1.2.129.53:  30311 [1au] KEY? 192.in-addr.arpa. (45) (DF)
11:23:15.308475 192.1.2.129.53 > 192.1.2.23.1029:  30311*- 2/3/5 KEY, SIG (660) (DF)

11:23:15.325525 192.1.2.23.1029 > 192.1.2.129.53:  58800 [1au] Type43? 192.in-addr.arpa. (45) (DF)
11:23:15.344598 192.1.2.129.53 > 192.1.2.23.1029:  58800- 0/4/5 (492) (DF)

11:23:15.364417 192.1.2.23.1029 > 192.1.2.254.53:  62168 [1au] Type43? 192.in-addr.arpa. (45) (DF)
11:23:15.379614 192.1.2.254.53 > 192.1.2.23.1029:  62168*- 2/3/7 Type43, SIG (798) (DF)

11:23:15.390795 192.1.2.23.1029 > 192.1.2.130.53:  31891 [1au] A? beet.uml.freeswan.org. (50) (DF)
11:23:15.416174 192.1.2.130.53 > 192.1.2.23.1029:  31891*- 2/3/7 A 192.1.2.129, SIG (795) (DF)

11:23:15.448143 192.1.2.23.1029 > 192.1.2.130.53:  6395 [1au] KEY? in-addr.arpa. (41) (DF)
11:23:15.465954 192.1.2.130.53 > 192.1.2.23.1029:  6395*- 2/3/5 KEY, SIG (650) (DF)

11:23:15.481494 192.1.2.23.1029 > 192.1.2.129.53:  34237 [1au] KEY? arpa. (33) (DF)
11:23:15.500268 192.1.2.129.53 > 192.1.2.23.1029:  34237*- 2/3/5 KEY, SIG (624) (DF)

11:23:15.519473 192.1.2.23.1029 > 192.1.2.129.53:  17229 [1au] Type43? arpa. (33) (DF)
11:23:15.537361 192.1.2.129.53 > 192.1.2.23.1029:  17229*- 2/3/7 Type43, SIG (740) (DF)

11:23:16.700977 192.1.2.23.500 > 192.1.2.45.500: isakmp: phase 1 R ident[E]: [encrypted id] (DF)

11:23:17.053262 192.1.2.45.500 > 192.1.2.23.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPdmsX4qHRg3pndX9AQFzpwQAjis1BHzRVZfSnNDcf9kYYeLTf4GqfE/Z
a4RzlkmnCtBytFvQVkEIz81u5YoUY+/arisUVCZZw3xUUUl20vwJHcVZ1T3G+n/h
3/ra21WtLPgo7rNqHnNf6HCdIBRl7+Kdm5GPW+YQsyMW+i2BfOqTUmHAkZ7oJlyN
rKIHICTmmV8=
=g2NS
-----END PGP SIGNATURE-----
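The following is an added example, not part of the original post and not FreeS/WAN code. It parses tcpdump DNS lines of the form shown in the trace, pairs each query with its response by DNS id and server, and tells a referral (no AA bit, empty answer section, non-empty authority section) apart from an authoritative signed answer. It also derives, from the initiator's address, the list of reverse-tree names whose KEY (and, at each zone cut, DS) records the responder has to walk, which is exactly the sequence of names queried above. The sample lines are a subset copied from the trace; every function and field name is this example's own. In tcpdump's DNS summary, `*` means the AA bit was set, `-` means the RA bit was not set, `[1au]` means one additional record (the EDNS OPT) was sent with the query, and `2/3/7` are the answer/authority/additional counts.

```python
"""Reconstruct the DNSSEC chain-of-trust walk from tcpdump DNS lines.

Added example for the IKE/DNSSEC trace; not the original post's or
FreeS/WAN's code.  Field names and helpers are this example's own.
"""
import ipaddress
import re

# Sample input: a constructed subset of the lines in the trace above.
SAMPLE = """\
11:23:14.971909 192.1.2.23.1029 > 192.1.2.129.53:  49634 [1au] KEY? 45.2.1.192.in-addr.arpa. (52) (DF)
11:23:14.996431 192.1.2.129.53 > 192.1.2.23.1029:  49634*- 2/3/7 KEY, SIG (1065) (DF)
11:23:15.091019 192.1.2.23.1029 > 192.1.2.129.53:  7257 [1au] Type43? 2.1.192.in-addr.arpa. (49) (DF)
11:23:15.116719 192.1.2.129.53 > 192.1.2.23.1029:  7257- 0/4/5 (508) (DF)
11:23:15.209710 192.1.2.23.1029 > 192.1.2.254.53:  23990 [1au] Type43? 2.1.192.in-addr.arpa. (49) (DF)
11:23:15.228795 192.1.2.254.53 > 192.1.2.23.1029:  23990*- 2/3/7 Type43, SIG (820) (DF)
"""

# tcpdump prints RR types it does not know as "TypeNN"; type 43 is DS.
TYPE_NAMES = {"Type43": "DS"}

# Query:    ts src.port > dst.port:  id[+] [Nau] QTYPE? qname. (len)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<id>\d+)(?P<flags>\+?)(?: \[\d+au\])? (?P<qtype>\S+)\? (?P<qname>\S+) \((?P<len>\d+)\)"
)
# Response: ts src.port > dst.port:  id<flags> an/ns/ar [RR summary] (len)
RESP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<id>\d+)(?P<flags>[*\-|$]*) (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)(?: (?P<rrs>.*?))? \((?P<len>\d+)\)"
)


def classify(r):
    """Label a response from its AA flag and section counts."""
    an, ns, aa = int(r["an"]), int(r["ns"]), "*" in r["flags"]
    if an > 0 and aa:
        return "authoritative answer"
    if an == 0 and ns > 0 and not aa:
        return "referral"          # NS records only: go ask the child zone's servers
    if an == 0 and aa:
        return "authoritative negative answer"
    return "other"


def parse_trace(text):
    """Pair each query with its response (by DNS id and server address),
    returning the exchanges in the order the queries were sent."""
    pending, exchanges = {}, []
    for line in text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            ex = {"server": q["dst"],
                  "qname": q["qname"].rstrip(".").lower(),
                  "qtype": TYPE_NAMES.get(q["qtype"], q["qtype"]),
                  "rd": "+" in q["flags"],      # no '+' here: iterative queries
                  "response": None}
            pending[(q["id"], q["dst"])] = ex
            exchanges.append(ex)
            continue
        r = RESP_RE.match(line)
        if r:
            ex = pending.pop((r["id"], r["src"]), None)
            if ex is None:
                continue                        # response to a query we did not see
            ex["response"] = {"aa": "*" in r["flags"],
                              "ra": "-" not in r["flags"],
                              "counts": (int(r["an"]), int(r["ns"]), int(r["ar"])),
                              "rrs": r["rrs"] or "",
                              "kind": classify(r)}
    return exchanges


def trust_chain(ip):
    """Reverse name of `ip` followed by each ancestor up to the TLD: the names
    whose KEY records (and DS records at each delegation) a validator walks."""
    labels = ipaddress.ip_address(ip).reverse_pointer.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def validated_names(exchanges):
    """Names and RR types for which an authoritative answer carrying a SIG
    was obtained; only these can contribute to the chain of trust."""
    got = {}
    for ex in exchanges:
        resp = ex["response"]
        if resp and resp["kind"] == "authoritative answer" and "SIG" in resp["rrs"]:
            got.setdefault(ex["qname"], set()).add(ex["qtype"])
    return got


if __name__ == "__main__":
    for ex in parse_trace(SAMPLE):
        r = ex["response"]
        print(f"{ex['qtype']:4} {ex['qname']:26} -> {ex['server']:12} "
              f"{r['kind'] if r else 'no response'}")
    print("names to walk for 192.1.2.45:", trust_chain("192.1.2.45"))
```

Run against the full trace, the walk produced by `trust_chain("192.1.2.45")` lines up one-for-one with the KEY queries the responder issues, and the two `0/4/5` responses from 192.1.2.129 show up as referrals that the resolver follows to 192.1.2.254 before it gets the signed DS.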