DOCSLIB.ORG

Naming and Security in a Mobile, Multihomed and Multiple Interfaces Environement Daniel Migault

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Naming and Security in a Mobile, Multihomed and Multiple Interfaces Environement Daniel Migault Naming and security in a mobile, multihomed and multiple interfaces environement Daniel Migault To cite this version: Daniel Migault. Naming and security in a mobile, multihomed and multiple interfaces environement. Architecture, space management. Institut National des Télécommunications, 2012. English. NNT : 2012TELE0033. tel-01016686 HAL Id: tel-01016686 https://tel.archives-ouvertes.fr/tel-01016686 Submitted on 1 Jul 2014 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. I99 59 5h/hw! /hbWhLb 9[9/ha 5t!wL [bL9wL9 tL9ww9 9 a!wL9 /wL9 L !"# 9 $ L Ç 9 t t % 5 a&# t# ' & $ $ 5h/9w 59 Ç9[9/ha {5t!wL b!!& {# $% # ( ! a') a#*! + L % a#% ## ,- !' ,./, $( 0# 1 !% $ 5 # $ *2% a 1 [# t %%# ! #$ t % w # % !'$!$0$ .#'$* t %%# Ü( % Ç*&"# $ /!2& !$ 4# ( t %%# Ü( % $ h## 95!# % 4#1 t#0 t %%# Ü( % t a /# * . 6!1 !%% C 8% # b!!& L / b$ .#9*! t %%# t %* Thèse n° 2012TELE0033 Ref : 2012TELE0033 Télécom Sud Paris / Université Pierre et Marie Curie École Doctorale - EDITE Naming and Security in a Mobile, Multihomed and Multiple Interfaces Environement by Daniel Migault Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy at Télécom Sud Paris September 26, 2012 Supervised by Maryline Laurent, Professor at Institut Mines-telecom Certified by Andrei Gurtov, Professor at l’Université de Oulu Abdelmadjid Bouabdallah, Professor at Université Technologique de Compiègne Guy Pujolle, Professor at Pierre et Marie Curie Stéphane Bortzmeyer, Association Française pour le Nommage Internet Coopératif Nadia Boukhatem, Professor at Paristech Contents Summaries 1 EnglishSummary..................................... ... 1 FrenchSummary ...................................... .. 2 Acknowledgments 5 Introduction 7 HowtodeployaSecureNamingService . ....... 8 ContextDescription .................................. 8 OrganizationoftheMaterial . .... 9 How to provide a Seamless Network Security . ......... 10 ContextDescription .................................. 10 OrganizationoftheMaterial . .... 12 I Providing Secure Naming Resolution 15 Introduction 17 DescriptionoftheWork ............................... ..... 17 Notations&Abbreviations . ...... 19 1 A Performance view on DNSSEC migration 21 1.1 Introduction..................................... ... 21 1.2 DNSSECCurrentStatus.............................. ... 22 1.2.1 DNSSECBriefDescription . ... 22 1.2.2 DNSSECDeployment .............................. 23 i CONTENTS 1.2.3 DNSSECImpactsontheNetwork . 24 1.2.4 ISPPositionforMigratingtoDNSSEC . .... 25 1.3 RelatedWork..................................... .. 26 1.4 TestingPlatform ................................. .... 27 1.4.1 TestingEnvironment. ... 27 1.4.2 TestingTools .................................. 28 1.4.3 TestingMethodology. ... 28 1.5 Experimental Work to Measure DNSSEC Impact on Servers and EndUsers . 29 1.5.1 ImpactofDNSSEConUnitaryTests. ... 29 1.5.2 ImpactofDNSSEConMaximumLoad . 29 1.5.3 Impact of DNSSEC on Network Latency & Response Time . .... 30 1.5.4 ImpactofDNSSEConDNSUpdateOperations . ... 31 1.5.5 ImpactofCacheHitRate ............................ 32 1.6 Application for ISPs: Estimation of Costs for Migrating fromDNStoDNSSEC . 34 1.7 Conclusion ....................................... 35 2 Overcoming DNSSEC Performance Issues with FQDN Load Balancer and Cache Sharing 37 2.1 Introduction..................................... ... 37 2.2 FQDNorIPsasLoadBalancerCriteria . ..... 40 2.2.1 Measured DNS(SEC) CPU R and CPU H ................... 41 2.3 PositionofourWork............................... .... 42 2.3.1 DNSTrafficAnalysis.............................. 43 2.3.2 DNSCacheOptimization . 43 2.3.3 DNSResolutionOptimization. ..... 44 2.3.4 DNSserviceoverDHToverlay . ... 45 2.3.5 AlternateNamingArchitecture . ...... 45 2.3.6 ActiveCachingforDHTarchitectures . ...... 46 2.4 Traffic-basedLoadBalancerSimulation . ......... 47 2.4.1 CacheHitRate(CHR)Simulation . .. 48 2.4.2 CPU Time Simulation : CPU R, CPU H .................... 49 2.4.3 ScalabilitySimulation . ..... 50 2.4.4 ConclusiononLoadBalancer . ... 51 2.5 Modelization of Pastry based Architectures . ............ 52 2.5.1 Single Node Model: τr .............................. 53 ii CONTENTS 2.5.2 IPSHA1 Architecture............................... 55 2.5.3 FQDN Architecture ............................... 55 2.5.4 Pastry-based architecture (no cache, no replication) . ... 57 2.5.5 Pastry-Stateless Forwarding (Pastry-SF): (no cache, no replication) . 59 2.5.6 Pastry-Active Caching (Pastry-AC)(noreplication) . 59 2.5.7 Pastry-Passive Caching (Pastry-PC):(cache,noreplication) . 60 2.5.8 Pastry-Replication (Pastry-R):(nocache,replication) . 61 2.6 ConfigurationforSimulation . ...... 61 2.7 Simulation of Pastry Based Architectures . ........... 62 2.7.1 γ, Neighbors ................................... 63 2.7.2 CPU &Scalability................................ 65 CPU R 2.7.3 CPU & CPU H .................................. 66 2.7.4 Evaluation of TTL impact over CPU ..................... 67 2.7.5 CPU & Query Rate ............................... 67 2.8 DNSSECMigration ................................. .. 68 2.8.1 AnalysisonCPUTime ............................. 68 2.8.2 AnalysisonResponseTime(RT) . .. 70 2.9 Conclusion ....................................... 72 3 PREFETCH Architecture to overcome DNSSEC Performance Issue in large Resolving Platforms 75 3.1 Introduction..................................... ... 75 3.2 RelatedWork..................................... .. 76 3.3 PREFETCHArchitecture: GoalsandDesign . ...... 77 3.3.1 Better load balancing and smaller cache for reducing CPU.......... 77 3.3.2 Pastry auto-configuration to reduce Operations, Administration and Main- tenance ...................................... 78 3.3.3 P REF ET CHX ArchitectureDefinition . 78 3.4 Deriving X, HEADX , T AILX fromlivecapturetraffic . 80 3.4.1 LoadBalancerAnalysis . ... 80 3.4.2 Defining X for a proper δCP UX ........................ 82 3.4.3 δCP UX timestability .............................. 83 3.4.4 T AILX Distribution............................... 84 3.4.5 Discussion.................................... 84 3.5 Executing DHT models with T AILX .......................... 85 3.6 FreePastryExperimentation . ....... 88 iii CONTENTS 3.7 Conclusion ....................................... 89 II Providing Seamless Security for Multiple Interfaces 91 Introduction 93 DescriptionoftheWork ............................... ..... 93 Notations&Abbreviations . ...... 96 4 Issues and Protocols Relative to Simultaneous Support of Security, Mobility, Multihoming and Multiple Interfaces 99 4.1 Introduction..................................... ... 99 4.1.1 Mobility, Multihoming and Multiple Interfaces Definition .......... 100 4.1.2 SCTPforMobilitySupport . 100 4.2 IPsecOverview .................................... 102 4.3 IPsecDatabases ................................... 103 4.3.1 SecurityPolicyDatabase . .... 103 4.3.2 SecurityAssociationDatabase . ...... 105 4.3.3 PeerAuthorizationDatabase . ..... 106 4.4 Mobility Multihoming and Multiple Interfaces impacts onIPsec........... 106 4.4.1 InitialConfigurationattheMN. ... 106 4.4.2 Mobility...................................... 108 4.4.3 Multihoming ................................... 109 4.4.4 MultipleInterfaces . ... 109 4.5 IKEv2........................................... 112 4.5.1 CREATE_CHILD_SAOperation . 112 4.5.2 DELETEOperation ............................... 114 4.6 MOBIKE ......................................... 114 4.6.1 HardHandoverMobility. ... 115 4.6.2 Multihoming ................................... 116 4.7 MOBIKE-X........................................ 117 4.7.1 UseCases..................................... 117 4.7.2 ProblemStatement.............................. 119 4.7.3 ProtocolDesign................................ 120 4.7.4 ProtocolDescription . .... 121 5 IPsec Cost Measurement in Mobile, Multihomed and Multiple Interfaces Envi- iv CONTENTS ronment 129 5.1 Introduction..................................... ... 129 5.2 TestingPlatform ................................. .... 131 5.3 SCTPMobilityMultihomingwithIPsec . ..... 132 5.3.1 GeneralInput/OutputGraphs . 133 5.3.2 Measured Time Definition: TSCT P , TIKE, TSY S and TST ALLED ...... 133 5.3.3 TIKE Analysis .................................. 134 5.3.4 TSCT P Analysis.................................. 135 5.3.5 TSY S Analysis .................................. 135 5.3.6 TST ALLED Analysis ............................... 136 5.4 MOBIKEMobilityMultihoming . .... 136 5.5 MOBIKE-XMobilityMultihoming . ..... 138 5.6 Conclusion ....................................... 140 6 MOBIKE-X & Offload 143 6.1 Introduction..................................... ... 143 6.2 OffloadEconomics .................................. 144 6.2.1 IncreasingDemandforMobileData . .... 144 6.2.2 Offloading traffic to WLAN: the only viable solution for ISPs ........ 144 6.2.3 OffloadComplexEnvironment . 146 6.2.4 CurrentOffloadDeployments . 146 6.3 Offload Service Architecture (OSA) vs Offload Access Architecture(OAA) . 147 6.3.1
Load more

Recommended publications
  • 8100 Mobile Device Test System Location Test System Module Version 13.1 System Deployment Instructions
    8100 Mobile Device Test System Location Test System Module Version 13.1 System Deployment Instructions 8100 MDTS Location Test System Version 13.1 – System Deployment Instructions © 2020 Spirent Communications, Inc. All Rights Reserved. All of the company names and/or brand names and/or product names referred to in this document, in particular, the name “Spirent” and its logo device, are either registered trademarks or trademarks of Spirent plc and its subsidiaries, pending registration in accordance with relevant national laws. All other registered trademarks or trademarks are the property of their respective owners. The information contained in this document is subject to change without notice and does not represent a commitment on the part of Spirent Communications. The information in this document is believed to be accurate and reliable; however, Spirent Communications assumes no responsibility or liability for any errors or inaccuracies that may appear in the document. Page Part Number: 71-008871, Version A1 www.spirent.com 2 8100 MDTS Location Test System Version 13.1 – System Deployment Instructions Table of Contents 1. Introduction ........................................................................................ 5 1.1. Overview .................................................................................................... 5 1.2. How to Contact Us ..................................................................................... 8 2. System Upgrade Instructions ............................................................
    [Show full text]
  • Why Open Source Software?
    Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers! David A. Wheeler http://www.dwheeler.com/contactme.html Revised as of November 7, 2004 This paper provides quantitative data that, in many cases, using open source software / free software is a reasonable or even superior approach to using their proprietary competition according to various measures. This paper’s goal is to show that you should consider using OSS/FS when acquiring software. This paper examines market share, reliability, performance, scalability, security, and total cost of ownership. It also has sections on non- quantitative issues, unnecessary fears, OSS/FS on the desktop, usage reports, governments and OSS/FS, other sites providing related information, and ends with some conclusions. An appendix gives more background information about OSS/FS. You can view this paper at http://www.dwheeler.com/oss_fs_why.html (HTML format). Palm PDA users may wish to use Plucker to view this. A short briefing based on this paper is also available in PDF and Open Office Impress formats (for the latter, use Open Office Impress). Old archived copies and a list of changes are also available. 1. Introduction Open Source Software / Free Software (OSS/FS) has risen to great prominence. Briefly, OSS/FS programs are programs whose licenses give users the freedom to run the program for any purpose, to study and modify the program, and to redistribute copies of either the original or modified program (without having to pay royalties to previous developers). This goal of this paper is to show that you should consider using OSS/FS when you’re looking for software, based on quantitative measures.
    [Show full text]
  • Hc Features Overview
    HC FEATURES OVERVIEW © Hosting Controller 1998 – 2009. All Rights Reserved. HC Features Overview Contents Proprietary Notice........................................................................................................................ 3 HC Overview ................................................................................................................................4 The Company ........................................................................................................................... 4 The Product............................................................................................................................... 4 Latest Version ........................................................................................................................... 6 Benefits....................................................................................................................................... 6 HC Features................................................................................................................................... 7 Development Framework ....................................................................................................... 7 Centralized Database............................................................................................................... 7 Load Balancer ........................................................................................................................... 7 Windows and Linux Support ................................................................................................
    [Show full text]
  • Observed Workarounds
    Observed Workarounds …to synthetic data returned for uninstantiated names in .COM/.NET Paul Vixie [email protected] Internet Software Consortium Background: DNS Responses • Normal answer – “Here is the data matching your question” • Referral (or “Delegation”) – “Here are the servers who could answer you” • Negative answer (or “RCODE 3”) – “There is no such name” Background: ISC’s Involvement • ISC is a not-for-profit who publishes BIND and operates “f-root” (among other things) • Our relevance and success depends on our responsiveness to the technical community • The technical community gave an intensely negative response to VeriSign’s SiteFinder • We have no financial stake in the outcome Workaround: Translate Address back to “RCODE 3” • Unofficial patches for opensource DNSware – Popular programs like BIND, djbdns, others • Look for 64.94.110.11, substitute RCODE3 – This is the address of the SiteFinder web site • Weakness: address could change naturally – For example, due to a DDoS or load balancer • Weakness: other TLDs use other addresses – One BIND8 patch now has a complete list Workaround: Require Referrals From Some TLDs • ISC released new BIND9 feature in ~40 hrs • “delegation-only” for specified domains • Server for .FOO can only send referral (“delegation”) toward servers for SUB.FOO • Normal answers translated to RCODE 3 • This is not BIND’s default behaviour Workaround: Permit Referrals From Some TLDs • ISC improved new BIND9 feature in 4 days • “root-delegation-only” applies to root and all toplevel domains except those specified
    [Show full text]
  • Download Versacheck Free Versacheck Gold Activation Key Freeware
    download versacheck free Versacheck Gold Activation Key Freeware. Locate lost, forgotten or misplaced eM Client activation key by downloading freeware eM Client key locator Tool in your machine. Now get back you misplace or lost eM Client activation key with free eM Client Key Locater. After locate lost eM Client activation key you can easily open your eM Client without having any problem. File Name: eMClientKeyLocator.exe Author: eM Client Key Locater License: Freeware (Free) File Size: 1.93 Mb Runs on: Win7 x32, Win7 x64, Win98, WinVista, WinVista x64, WinXP. The WindowsdlT« Automated Installation Kit (AIK) for WindowsdlT« 7 helps you to install, customize, and deploy the Microsoft WindowsdlT« 7 and Windows ServerdlT« 2008 R2 family of operating systems. File Name: KB3AIK_EN.iso Author: Microsoft License: Freeware (Free) File Size: 1710.08 Mb Runs on: Windows 7. The main features of the program:Supports of the batch processing of videofiles.Supports of practically any videos-formats (even MOV, QT, FLV, SWF, RM if you have appropriate codecs). If the file can be normally played in your video-player (Windows. File Name: VideoThumbnailsMaker_Setup.z ip Author: SUU Design License: Freeware (Free) File Size: 1.4 Mb Runs on: Windows All. MyBusinessCatalog will provide extensive means for creating your own Internet storefront. The program includes an extensive set of tools for creating a digital product catalog and writing it on a CD. The catalog starts right off the CD and does not. File Name: mbcfree.exe Author: MyBusinessCatalog License: Freeware (Free) File Size: Runs on: WindowsAll. Net.Ex Pro, the Ultra Web Browser, comes in 2 Editions, the Basic Edition and the Ultra Edition.
    [Show full text]
  • DNS Survey: October 2010 Geoffrey Sisson C 2010 the Measurement Factory
    DNS Survey: October 2010 Geoffrey Sisson c 2010 The Measurement Factory November 30, 2010 Abstract This study, commissioned by Infoblox, undertakes to measure the number of DNS servers on the Internet and to quantify their various DNS behaviors and configuration choices. 1 Introduction In this study we undertook to measure: • The number of name servers in use in a random 5% sample of the routed IPv4 Internet. • The configuration of zones and associated name servers in a random 1% sample of the domains in the .com, .net, and .org zones. • The implementations and versions of name server software used. • Whether recursion is supported (i.e., open resolvers). • Whether recursive name servers use predictable ports. • Whether authoritative name servers openly permit AXFR. • Whether name servers support TCP. • Configuration decisions for DNSSEC. • Whether DNSSEC-signed zones validate. • How many name servers support EDNS. • How many zones are configured for IPv6, SPF, or DKIM. • How many zones have DNS wildcards. • What SOA and TTL values are in use in a zone. • Whether information in a zone agrees with its parent. • Whether a zone has a lame name server. • Whether the TTLs of the authoritative NS RRs for a zone match. • To what degree redundant name servers are topologically diverse. • How many name servers support 0x20. • The geographic location of name servers. $Id: dns_survey_2010.tex,v 1.27 2010-12-09 22:03:29 geoff Exp $ 3 RESULTS FOR DATASET I 2 Datasets This survey comprises results of two distinct data sets. Dataset I is a random 5% sample of the routed IPv4 Internet.
    [Show full text]
  • Increased DNS Forgery Resistance Through 0X20-Bit Encoding
    Increased DNS Forgery Resistance Through 0x20-Bit Encoding SecURItY viA LeET QueRieS David Dagon Manos Antonakakis Paul Vixie Georgia Institute of Georgia Institute of Internet Systems Consortium Technology Technology [email protected] [email protected] [email protected] Tatuya Jinmei Wenke Lee Internet Systems Consortium Georgia Institute of Technology [email protected] [email protected] ABSTRACT DNS poisoning attacks present a persistent, ongoing threat to We describe a novel, practical and simple technique to make DNS server operations. While there are a variety of DNS poisoning tech- queries more resistant to poisoning attacks: mix the upper and niques, those directed at large cache servers often use two steps: lower case spelling of the domain name in the query. Fortuitously, (a) they force the recursive server to perform a lookup; and then almost all DNS authority servers preserve the mixed case encod- (b) spoof misleading DNS answers, using the source address of the ing of the query in answer messages. Attackers hoping to poison authority server. A successful attacker can change a DNS cache a DNS cache must therefore guess the mixed-case encoding of the entry, and redirect all users of the victim DNS server to arbitrary query, in addition to all other fields required in a DNS poisoning proxy locations. When done to obtain transactional information attack. This increases the difficulty of the attack. (e.g., banking), this technique is called pharming (or large-scale We describe and measure the additional protections realized by phishing) [27]. this technique. Our analysis includes a basic model of DNS poi- Numerous solutions have been proposed to prevent DNS poison- soning, measurement of the benefits that come from case-sensitive ing, e.g., whitelisting [14], cryptographic systems [33], and many query encoding, implementation of the system for recursive DNS client-based systems have been suggested.
    [Show full text]
  • At68 Java & Web Programming Jun 2015
    AT68 JAVA & WEB PROGRAMMING JUN 2015 Q.2 a. List out the properties of static variables and methods in Java. (4) Answer: Unlike instance variables, static variables belong to a class, rather than to specific instances of it. This means that there is only one copy of a static variable, which is accessible from all members of the class, as well as from external "customer" code via objects of the class. For example, a static variable could keep track of a property within the application which remains the same for all class members. The following sample code demonstrates declaring a static variable inside a class declaration: private static int numWomen = 0; Within the class constructor or another method, the variable can be accessed and updated as follows: numWomen++; Class declarations can include static methods. As with variables, static methods provide some functionality that is the same across all object instances of a class. Static methods commonly carry out processing that involves static variables. The following sample static method returns the value of a static variable within a class declaration: public static int getNumWomen() { return numWomen; } b. Explain various primitive data types supported by Java. (4) Answer: int Int is the data type used to declare integers. The int data type is 32 bits and has a maximum value of 2,147,483,647; anything beyond that requires a long data type, which is also primitive. Int is used frequently in Java for calculations. It can also be used to count cycles of a loop, a common programming construct. To declare an int, use int variableName, substituting variableName with the name of your choice.
    [Show full text]
  • A Longitudinal and Comprehensive Study of the DANE Ecosystem in Email
    A Longitudinal and Comprehensive Study of the DANE Ecosystem in Email Hyeonmin Lee∗ Aniketh Girish∗ Roland van Rijswijk-Deij Seoul National University Amrita Vishwa Vidyapeetham University of Twente & NLnet Labs Taekyoung “Ted” Kwon Taejoong Chung Seoul National University Rochester Institute of Technology Abstract 1 Introduction The DNS-based Authentication of Named Entities (DANE) Transport Layer Security (TLS) is responsible for securing In- standard allows clients and servers to establish a TLS connec- ternet traffic in a variety of protocols such as DNS and HTTP. tion without relying on trusted third parties like CAs by pub- Coupled with a Public Key Infrastructure (PKI), TLS relies lishing TLSA records. DANE uses the Domain Name System on certificates to bind entities to their public keys. Certificates Security Extensions (DNSSEC) PKI to achieve integrity and are typically issued by Certificate Authorities (CAs), in a hi- authenticity. However, DANE can only work correctly if each erarchical fashion. At the top level of the hierarchy, there are principal in its PKI properly performs its duty: through their root CAs, who have self-signed certificates since they cannot DNSSEC-aware DNS servers, DANE servers (e.g., SMTP rely on other trusted third parties. servers) must publish their TLSA records, which are consistent However, the current PKI model, discussed above, has been with their certificates. Similarly, DANE clients (e.g., SMTP criticized for its potential vulnerability, since any CA can is- clients) must verify the DANE servers’ TLSA records, which sue certificates for any domain name. Historically, we have are also used to validate the fetched certificates. observed that compromised CAs issued valid-looking but DANE is rapidly gaining popularity in the email ecosystem, fraudulent certificates inappropriately [15, 58, 75].
    [Show full text]
  • (12) Patent Application Publication (10) Pub. No.: US 2010/0011420 A1 DRAKO Et Al
    US 2010.0011420A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2010/0011420 A1 DRAKO et al. (43) Pub. Date: Jan. 14, 2010 (54) OPERATING ASERVICE ON ANETWORKAS (22) Filed: Jul. 2, 2008 ADOMAN NAME SYSTEM SERVER Publication Classification (75) Inventors: DEAN DRAKO, Los Altos, CA (51) Int. Cl. (US); Zachary Levow, Mountain G06F 7/30 (2006.01) View, CA (US) G06F 5/16 (2006.01) Correspondence Address: H04L 9/32 (2006.01) PATENTRY (52) U.S. Cl. ................. 726/5: 709/245; 707/3; 709/206; P.O. BOX 151616 709/201: 707/E17.014; 707/E17.115; 707/E17.032 SAN RAFAEL, CA 94.915-1616 (US) (57) ABSTRACT (73) Assignee: BARRACUDANETWORKS INC., CAMPBELL, CA (US) Operating a service Such as a remote database as a dins server, receiving inputs such as queries as domain names and trans (21) Appl. No.: 12/167,134 mitting replies in the format of IPv4 or IPv6 addresses. IP CONNECT EMAIL HEADER PARAMETERS FORMING FODN AUTHCODE. IPADDRESS. DNS HERARCHY CLIENT.DB SYSTEM DNS DNS RESOLVER SERVER 20 30 DATABASE 140 Patent Application Publication Jan. 14, 2010 Sheet 1 of 4 US 2010/0011420 A1 IP CONNECT EMAIL HEADER PARAMETERS FORMING FODN AUTHCODE. IPADDRESS. DNS HERARCHY CLIENT.DB SYSTEM DNS DNS RESOLVER SERVER 20 30 DATABASE 40 FIG. Patent Application Publication Jan. 14, 2010 Sheet 2 of 4 US 2010/0011420 A1 IP CONNECT EMAIL HEADER PARAMETERS FORMING FODN AUTHCODE. IPADDRESS. DNS HERARCHY CLIENT.DB SYSTEM DNS FODN DNS DNS OUERY 121 RESOLVER SERVER 20 30 DATABASE 40 FIG.2 Patent Application Publication Jan.
    [Show full text]
  • Domain Name System Security Extensions
    Domain Name System Security Extensions กฤต วิทวิยะรุจ บริษัท ไทย เนม เซิฟเวอร์ จํากดั DNS ในการเข้าถึงข้อมูลใน Internet เราจําเป็นต้องระบุ Address (ที่อยู)่ ในการเข้าถึงข้อมูล Address จะเป็น ชื่อ หรือ ตัวเลข กได้็ แต่ที่อยูจะต้องไม่ ่ซํ้ากนั Address ที่เป็นชื่อจะถูกแปลงให้เป็นตัวเลข IP โดยระบบที่เรียกวา่ DNS ระบบ DNS ถูกออกแบบมาให้เป็นระบบจัดเกบข้อมูลชื่อ็ Domain/Host แบบกระจาย ข้อมูลใน DNS จะถูกแบ่งออกเป็นลําดับขั้น หรือ Domain หรือ Zone ในแต่ล่ะ Zone จะมีผู้ดูแล/เจ้าของ Domain เป็นคนจัดการ/แกไขข้อมูล้ โดยกรรมสิทธิ์ในการจัดการ Domain จะถูกถ่ายทอดเป็นลําดับขั้นจากแม่ไปสู่ลูก ระบบ DNS ทํางานบนพื้นฐานของความไว้วางใจซึ่งกนและกั นั DNSSEC คือความพยายามที่จะเพิ่มความปลอดภัยให้กบระบบั DNS ทําไม DNS จึงเป็นเป้าหมายในการโจมตี DNS มีอยูทุกที่่ เกือบทุกๆ Client ในปัจจุบันนั้นต้องอาศัย DNS ในการทํางาน โทรศัพท์, Laptop, PC, ATM? DNS ทํางานผานช่ ่องทางที่ไม่ได้มีการเข้ารหัสใดๆ plain text มีหลายวิธี/ช่องทางในระบบ DNS ที่เปิดโอกาสให้ผู้ไมประสงค์ดีจะเข้ามาแก่ ไขข้อมูล้ การโจมตี DNS จะส่งผลต่อกระทบผู้ใช้จํานวนมาก DNSSEC คืออะไร DNSSEC เป็นส่วนขยายเพิ่มเติมของระบบ DNS เริ่มต้นตั้งแตพัฒนาครั่ ้งแรก 1997, ออก RFC มาแล้วสามครั้งในปี 1999, 2005, 2008 สามารถใช้ร่วมกบระบบเดิมได้ั Backward compatible ข้อมูล DNSSEC ไม่ได้ถูกเข้ารหัส ข้อมูล DNS ในระบบ DNSSEC จะถูกทําการประทับตรารับรองจากผู้ดูแลโดเมนด้วยการลง นามอิเล็กโทรนิคส์ เพื่อสร้างเป็น Digital signature Client สามารถตรวจสอบและยืนยันความถูกต้องและสมบูรณ์ของข้อมูลที่ได้รับจาก DNS Server โดยใช้การตรวจสอบ Digital signature ข้อมูลไมถูกปลอมแปลงโดยบุคคลอื่น่ ข้อมูลที่ไมถูกต้องจะถูกทิ่ ้งไป ประโยชน์ของ
    [Show full text]
  • Pietilainen Ville.Pdf (2.751Mt)
    INTERNET-LIIKENTEEN JA SISÄLLÖN SUODATUS Ville Pietiläinen Opinnäytetyö Maaliskuu 2011 Tietotekniikan koulutusohjelma Tekniikan ja liikenteen ala OPINNÄYTETYÖN KUVAILULEHTI Tekijä(t) Julkaisun laji Päivämäärä PIETILÄINEN, Ville Opinnäytetyö 28.3.2011 Sivumäärä Julkaisun kieli 84 SUOMI Luottamuksellisuus Verkkojulkaisulupa myönnetty ( ) saakka ( X ) Työn nimi INTERNET-LIIKENTEEN JA SISÄLLÖN SUODATUS Koulutusoh jelma Tietotekniikka Työn ohjaaja(t) NARIKKA, Jorma Toimeksiantaja(t) Jyväskylän ammattikorkeakoulu, SILTANEN, Jarmo Tiivistelmä Koska perustieto Internet-liikenteen ja sisällön suodatuksesta on hajautunut eri tuotevalmi stajien omiin materiaaleihin, oli työn tavoitteena saada kerättyä tärkein informaatio aiheesta s amoihin kansiin ja toimia käsikirjana tukemassa verkkoliikenteen suodatustekniikoiden valintaa ja toteu- tuksen suunnittelua, niin että pystytään valitsemaan oikeanlainen suodatustekninen ratkaisu. Työn perimmäisenä tarkoituksena oli selvittää lukijalle olennaiset asiat Internet-liikenteen suoda- tuksesta, eli mitä suodatus on, miten se toimii ja mitä toimenpiteitä on suositeltava a suorittaa suodatusjärjestelmää käyttöönotettaessa. Työssä läpikäytiin tekniikoita, joilla verkon ylläpitäjä voi suodattaa Internet-liikennettä ja näin rajoittaa ei-haluttua liikennettä tietoverkossaan. Suodatettavissa sovellusprotokollissa pä äpaino oli World Wide Webin perustana toimivalla HTTP-protokollalla, mutta monet käytetyistä ratkai- suista mahdollistavat myös muunkin verkkoliikenteen suodatuksen. Työn testausosassa tutustuttiin noin
    [Show full text]