DOCSLIB.ORG

Large Scale Measurement on the Adoption of Encrypted

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Large Scale Measurement on the Adoption of Encrypted Large Scale Measurement on the Adoption of Encrypted DNS Sebastián García Karel Hynek Dmtrii Vekshin [email protected] [email protected] [email protected] Faculty of Electrical Engineering Faculty of Information Technology Avast s.r.o. Czech Technical University in Czech Technical University in Prague, Czech Republic Prague Prague Prague, Czech Republic and CESNET z.s.p.o. Prague, Czech Republic Tomáš Čejka Armin Wasicek [email protected] [email protected] CESNET z.s.p.o. Avast s.r.o. Prague, Czech Republic Prague, Czech Republic Figure 1: Sum of DoH, DoT, DoQ flows for Organization 2 for 16 months, x-axis are the days of themonth. arXiv:2107.04436v1 [cs.CR] 9 Jul 2021 ABSTRACT We conclude that despite growing in 2020, during the first Several encryption proposals for DNS have been presented five months of 2021 there was statistically significant evi- since 2016, but their adoption was not comprehensively stud- dence that the average amount of Internet traffic for DoH, ied yet. This research measured the current adoption of DoH DoT and DoQ remained stationary. However, we found that (DNS over HTTPS), DoT (DNS over TLS), and DoQ (DNS the amount of, still unknown and ready to use, DoH servers over QUIC) for five months at the beginning of 2021 by three grew 4 times. These measurements suggest that even though different organizations with global coverage. By comparing the amount of encrypted DNS is currently not growing, there the total values, amount of requests per user, and the sea- may probably be more connections soon to those unknown sonality of the traffic, it was possible to obtain the current DoH servers for benign and malicious purposes. adoption trends. Moreover, we actively scanned the Internet for still-unknown working DoH servers and we compared KEYWORDS them with a novel curated list of well-known DoH servers. DoH, DoT, Encrypted DNS, Network Measurement, Network Trends 1 INTRODUCTION 2 RELATED WORK The Domain Name System (DNS) is a core service that plays DNS encryption is a relatively novel approach to improve an essential role in network communication, but it does user’s privacy. IETF standardized DNS over TLS (DoT) in not meet the current requirements of privacy and security. 2016 as RFC 7858 [18], followed by DNS over HTTPS (DoH) In the last years there has been an increasing amount of in 2018 as RFC 8484 [15], and the third approach, DNS over proposed protocols to enhance its privacy and confidentiality QUIC (DoQ), is still an RFC draft [19]. Since DNS encryption via encryption [24]. This trend started around 2014 [17], with modifies the usage of one of the oldest and essential proto- protocols like DNS over HTTPS (DoH), DNS over TLS (DoT), cols on the Internet, many research studies focused on the or DNS over QUIC (DoQ). consequences of large-scale DNS encryption. There has been previous measurements of the prevalence Borgolte et al. [2] provided a general discussion about of encrypted DNS in the Internet focused on specific pro- DoH and several areas such as performance, security, and tocols of encrypted DNS [6, 25]. However, there is a lack privacy. Similarly, Fidler et al. [7] presented challenges that of real-world observations of the volume of encrypted DNS network operators are going to face due to DNS encryption. traffic, and there is no study of the long term trends onits Both studies concluded that large deployments of privacy- adoption. Moreover, the amount of DoH servers seems to be preserving DNS will be a problem for users’ security since small and highly controlled by organizations. automated network security tools rely on unencrypted DNS. This paper presents the first comprehensive measurement, This phenomenon is further researched by Bumanglag et comparison and analysis of the volume of DoH, Dot and DoQ al. [3], which analyzed DoH traffic and even discussed the traffic from the perspective of three large organizations: a) challenges related to its detection, since DoH uses a well- the backbone infrastructure of an Internet Service Provider, known port allocated for HTTPS communication (443/TCP). b) the network infrastructure of a large University, and c) The Bumanglag paper also mentioned that the cybersecurity the traffic of millions of endpoints from a global security community suggests allowing HTTPS traffic to pass only company. through inspection proxies that would decrypt and encrypt The methodology of our analysis has two main parts. First, all HTTPS traffic. a measurement on the total amount of DoH servers on the The detection of DoH in different traffic was studied in Internet via a global scan and verification. Second, a deep multiple papers. There are currently two main approaches in statistical analysis on the trends, stationarity, patterns and DoH detection. The first approach is the detection of regular ratios between the three organizations during the first five behavior patterns by Hjelm et al. [13]. They claim that by months of 2021. The analysis is completed by a comparison using the Real Intelligence Threat Analytics (RITA) frame- of the trends with the traffic from 2020. All trends and ratios work, they were able to identify behavioral patterns of DoH are statistically tested for similarities and the stationarity of and successfully detect them. The second approach employs the time series is verified with the Augmented Dickey–Fuller Machine Learning principles and was introduced by Vekshin test. et al. [35]. Their AdaBoost decision tree classifier was able The results show that despite a growing increase of en- to detect DoH connections with an accuracy of more the crypted DNS traffic in 2020, the first five months of 2021show 99 %. A limitation was that their classifier worked only with a statistically significant stationarity of the traffic. With some DoH created by web browsers and cannot detect single DoH differences for DoH and DoT traffic, these protocols areused queries. to encrypt up to 0.01% of the total DNS traffic. Regarding Malicious DoH studies were limited only to data exfiltra- the unknown DoH servers on the Internet, results show that tion via DNS. MontazeriShatoori et al. [29] created a classifier there are at least 4 times more DoH servers working than that can distinguish between a DoH tunnel and regular DoH the most comprehensive and current list of well-known DoH with outstanding precision. Similar results were achieved on servers. These services could be easily exploited by security the same dataset by Singh et al. [34] and Banadaki [1]. threats. Several studies [4, 16, 21, 33] also challenge the privacy- The contributions of this paper are: preserving characteristics of encrypted DNS. Studies from Siby et al. [33] and Bushart et al. [4] brought interesting results by performing very accurate website fingerprinting • A comprehensive dataset of well-known DoH providers. using only DoH and DoT traffic. Even though their results • A dataset of unknown and unpublished DoH servers showed a limitation of encryption, their proposed attack is by a global Internet scan. difficult to reproduce in a real environment but it could be • A measurement and comparison of DoH, DoT and DoQ fixed by proper payload padding. Nevertheless, the main traffic in three large organizations. • A new Nmap NSE script tool to verify DoH servers. 2 reason for privacy concerns is still the transition of visibil- Table 1: Summary of the most important Encrypted ity from local DNS resolvers controlled by Internet Service DNS method Providers (ISPs) to global DoH service providers that central- ize the entire process of domain name translation. DoT DoH DoQ The previously mentioned studies focused mainly on en- crypted DNS characteristics, weaknesses, and detection pos- L4 Protocol TCP/UDP TCP UDP sibilities. However, none of them dealt with the adoption Port 853 443 784 and actual popularity of DNS encryption. Deccio et al. [5] Protocol TLS/DTSL HTTPS QUIC studied in 2019 the adoption of DoT and DoH by open re- solvers. Their result shows that the adoption is very poor. From around 1.2 million open resolvers, only 1,747 (0.15 %) 3.1 DNS over TLS (DoT) supported DoT, and only 9 supported DoH. Doan et al. [6] DNS over TLS (DoT) is specified by RFC 7858 [18]. According performed a similar measurement focusing on DoT in 2020 to the specification, the DNS wireformat messages defined and found 2,151 open resolvers supporting DoT, which shows in RFC 1035 [28] are sent over a secure TLS or Datagram an increasing trend in resolvers adoption. However, these TLS connection. IANA reserved port 853/TCP, which should data show only the adoption across the open DNS resolvers be used by default in all DoT clients and resolvers. Since the and do not consider specialized DoT/DoH proxies. packets are sent over a dedicated port, the traffic can be easily Furthermore, Doan et al. [6] and Lu et al. [25] also mea- recognized, blocked, or filtered by a network administrator. sured trends in encrypted DNS usage. Both studies used a However, it is worth noting that the RFC standard allows dataset from ISP backbone lines collected in 2019, when en- using DoT over ports other than 853/TCP; therefore, it is crypted DNS was not enabled by default in browsers, and it expected that DoT clients and resolvers will have the option was much less popular. Additionally, both studies focused to change the port in their configuration. mainly on measuring the prevalence of DoT, and the DoH measurement was very limited. Last but not least, their stud- ies did not consider DNS over QUIC. 3.2 DNS over HTTPS (DoH) We are not aware of any previous work that tried to enu- The DNS over HTTPS (DoH) protocol was adopted as RFC merate all DoH resolvers to infer the encrypted DNS preva- 8484 [15] in October 2018.
Load more

Recommended publications
  • Adopting Encrypted DNS in Enterprise Environments
    National Security Agency | Cybersecurity Information Adopting Encrypted DNS in Enterprise Environments Executive summary Use of the Internet relies on translating domain names (like “nsa.gov”) to Internet Protocol addresses. This is the job of the Domain Name System (DNS). In the past, DNS lookups were generally unencrypted, since they have to be handled by the network to direct traffic to the right locations. DNS over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), often referred to as DNS over HTTPS (DoH), encrypts DNS requests by using HTTPS to provide privacy, integrity, and “last mile” source authentication with a client’s DNS resolver. It is useful to prevent eavesdropping and manipulation of DNS traffic. While DoH can help protect the privacy of DNS requests and the integrity of responses, enterprises that use DoH will lose some of the control needed to govern DNS usage within their networks unless they allow only their chosen DoH resolver to be used. Enterprise DNS controls can prevent numerous threat techniques used by cyber threat actors for initial access, command and control, and exfiltration. Using DoH with external resolvers can be good for home or mobile users and networks that do not use DNS security controls. For enterprise networks, however, NSA recommends using only designated enterprise DNS resolvers in order to properly leverage essential enterprise cybersecurity defenses, facilitate access to local network resources, and protect internal network information. The enterprise DNS resolver may be either an enterprise-operated DNS server or an externally hosted service. Either way, the enterprise resolver should support encrypted DNS requests, such as DoH, for local privacy and integrity protections, but all other encrypted DNS resolvers should be disabled and blocked.
    [Show full text]
  • Technical Impacts of DNS Privacy and Security on Network Service Scenarios
    - Technical Impacts of DNS Privacy and Security on Network Service Scenarios ATIS-I-0000079 | April 2020 Abstract The domain name system (DNS) is a key network function used to resolve domain names (e.g., atis.org) into routable addresses and other data. Most DNS signalling today is sent using protocols that do not support security provisions (e.g., cryptographic confidentiality protection and integrity protection). This may create privacy and security risks for users due to on-path nodes being able to read or modify DNS signalling. In response to these concerns, particularly for DNS privacy, new protocols have been specified that implement cryptographic DNS security. Support for these protocols is being rapidly introduced in client software (particularly web browsers) and in some DNS servers. The implementation of DNS security protocols can have a range of positive benefits, but it can also conflict with important network services that are currently widely implemented based on DNS. These services include techniques to mitigate malware and to fulfill legal obligations placed on network operators. This report describes the technical impacts of DNS security protocols in a range of network scenarios. This analysis is used to derive recommendations for deploying DNS security protocols and for further industry collaboration. The aim of these recommendations is to maximize the benefits of DNS security support while reducing problem areas. Foreword As a leading technology and solutions development organization, the Alliance for Telecommunications Industry Solutions (ATIS) brings together the top global ICT companies to advance the industry’s business priorities. ATIS’ 150 member companies are currently working to address network reliability, 5G, robocall mitigation, smart cities, artificial intelligence-enabled networks, distributed ledger/blockchain technology, cybersecurity, IoT, emergency services, quality of service, billing support, operations and much more.
    [Show full text]
  • The ISP Column Diving Into The
    The ISP Column A column on various things Internet October 2018 Geoff Huston Diving into the DNS DNS OARC organizes two meetings a year. They are two-day meetings with a concentrated dose of DNS esoterica. Here’s what I took away from the recent 29th meeting of OARC, held in Amsterdam in mid-October 2018. Cloudflare's 1.1.1.1 service Cloudflare have been running an open public DNS resolver service on 1.1.1.1 for more than six months now. The service, based on the Knot resolver engine, is certainly fast (http://bit.ly/2PBfoSh), and Cloudflare's attention to scale and speed is probably appreciated by users of this service. However, in a broader Internet environment that is now very aware of personal privacy it’s not enough to be fast and accurate. You have to be clear that as an operator of a public DNS resolution service you may be privy to clients’ activities and interests, and you need to clearly demonstrate that you are paying attention to privacy. Not only does this include appropriate undertakings regarding the way you handle and dispose of the logs of the resolvers' query streams, but also in being mindful of the way that users can pass queries to the service. The 1.1.1.1 service supports DNS over TLS 1.3 and 1.2 using the GnuTLS system. This supports long-lived connection with client systems and also supports session resumption. There are a number of DNS tools that can use the DNS over a TLS connection including kdig (http://bit.ly/2A9f9rX, http://bit.ly/2OoLu7a), GetDNS (https://getdnsapi.net/), Unbound (http://bit.ly/2CIKEf0), Android P and the Tenta browser (https://tenta.com/).
    [Show full text]
  • Adguard Premium Key Apk
    Adguard premium key apk Continue The more talent involved, the better the result - one of our mottos sounds. So let's grow and develop together! Contribute to AdGuard! There are many things you can do, such as translate AdGuard, test it nightly and beta, improve blocking filters or write articles. Choose something right for you and get started! The call has been accepted! Free Licenses for Developers Do you know about filters, extensions or custom scenarios firsthand? Have you already contributed to their development, for the sake of the Internet community? You do good things then, and we definitely want to show our respect. Find out more about who can get a free AdGuard license. Can I qualify? AdGuard Crack (AKA: Adguard Web Filter) is now the most advanced, cross-platform in the world (Windows, Mac OS X, Android and iOS) Internet filters and ad pop-ups blocking the edge of the tool from Cyprus. It protects you during web surfing, stopping annoying ads, viruses, dangerous websites; Speeds up page loading Doesn't allow anyone to track your online activities. and helps parents prevent content not suitable for children. Get an Adguard Premium Key license crack free activation. AdGuard Premium Features Crack keyProtection and blockingCheck page against our database of phishing and malicious sites. When a web page is processed, it does several things at once: deletes ads and online tracking code directly from the page. It can handle most adblock bypass scripts; Protects your privacy by blocking common third-party tracking systems; Blocks many spyware, advertising software and dial installers; Check the website's reputation and informs you of it if necessary.Comfort and safetyProtects you from malware and phishing.
    [Show full text]
  • Ikev2 Configuration for Encrypted DNS
    IKEv2 Configuration for Encrypted DNS draft-btw-add-ipsecme-ike Mohamed Boucadair (Orange) Tirumaleswar Reddy (McAfee, Inc.) Dan Wing (Citrix Systems, Inc.) Valery Smyslov (ELVIS-PLUS) July 2020, IETF#108 Agenda • Context • A Sample Use Case • IKE Configuration Attribute for Encrypted DNS • Next Steps 2 Problem Description • Several schemes to encrypt DNS have been specified – DNS over TLS (RFC 7858) – DNS over DTLS (RFC 8094) – DNS over HTTPS (RFC 8484) • …And others are being specified: – DNS over QUIC (draft-ietf-dprive-dnsoquic) • How to securely provision clients to use Encrypted DNS? This use can be within or outside the IPsec tunnel 3 A Sample Use Case: DNS Offload • VPN service providers can offer publicly accessible Encrypted DNS – the split-tunnel VPN configuration allows the client to access the DoH/DoT servers hosted by the VPN provider without traversing the tunnel 4 A Sample Use Case: Protecting Internal DNS Traffic • DoH/DoT ensures DNS traffic is not susceptible to internal attacks – see draft-arkko-farrell-arch-model-t-03#section-3.2.1 • encrypted DNS can benefit to Roaming Enterprise users to enhance privacy – With DoH/DoT the visibility of DNS traffic is limited to only the parties authorized to act on the traffic (“Zero Trust Architecture”) 5 Using IKE to Configure Encrypted DNS on Clients • New configuration attribute INTERNAL_ENC_DNS is defined to convey encrypted DNS information to clients: – Encrypted DNS type (e.g., DoH/DoT) – Scope of encrypted DNS use – One or more encrypted DNS server IPv6 addresses • For IPv4
    [Show full text]
  • Paper, We Note That Work Is with Help from Volunteer OONI Probe Users
    Measuring DoT/DoH Blocking Using OONI Probe: a Preliminary Study Simone Basso Open Observatory of Network Interference [email protected] Abstract—We designed DNSCheck, an active network exper- delivery networks (CDN). This fact raises concerns regarding iment to detect the blocking of DoT/DoH services. We imple- performance [25], competition, and privacy [14]. mented DNSCheck into OONI Probe, the network-interference (While DoH’s centralization and the resulting privacy con- measurement tool we develop since 2012. We compiled a list of popular DoT/DoH services and ran DNSCheck measurements cerns are not the focus of this paper, we note that work is with help from volunteer OONI Probe users. We present pre- underway to mitigate them [38] [24].) liminary results from measurements in Kazakhstan (AS48716), Simultaneously, the rollout of DoT and DoH does not Iran (AS197207), and China (AS45090). We tested 123 DoT/DoH fully solve the surveillance and censorship issues posed by services, corresponding to 461 TCP/QUIC endpoints. We found a cleartext internet. There are at least two remaining fields endpoints to fail or succeed consistently. In AS197207 (Iran), 50% of the DoT endpoints seem blocked. Otherwise, we found that could reveal the precise target of otherwise encrypted that more than 80% of the tested endpoints were always reach- communications. They are the Server Name Indication [19] able. The most frequently blocked services are Cloudflare’s and (SNI) extension inside the TLS ClientHello and the destination Google’s. In most cases, attempting to reach blocked endpoints IP address. However, in a landscape increasingly dominated by failed with a timeout.
    [Show full text]
  • An Empirical Study Into the Absence of Consent to Third-Party Tracking in Android Apps
    A Fait Accompli? An Empirical Study into the Absence of Consent to Third-Party Tracking in Android Apps Konrad Kollnig, Reuben Binns, Pierre Dewitte*, Max Van Kleek, Ge Wang, Daniel Omeiza, Helena Webb, Nigel Shadbolt Department of Computer Science, University of Oxford, UK *Centre for IT and IP Law, KU Leuven, Belgium firstname.lastname@(cs.ox.ac.uk | kuleuven.be) Abstract trackers benefits app developers in several ways, notably by Third-party tracking allows companies to collect users’ be- providing analytics to improve user retention, and by enabling havioural data and track their activity across digital devices. the placement of personalised advertising within apps, which This can put deep insights into users’ private lives into the often translates into a vital source of revenue for them [32,62]. hands of strangers, and often happens without users’ aware- However, it also makes app developers dependent on privacy- ness or explicit consent. EU and UK data protection law, invasive data practices that involve the processing of large however, requires consent, both 1) to access and store infor- amounts of personal data [40, 48, 62], with little awareness mation on users’ devices and 2) to legitimate the processing from users and app developers [28,71,74,85]. Data protection of personal data as part of third-party tracking, as we analyse and privacy legislation such as the General Data Protection in this paper. Regulation (GDPR) [38] in the EU and the UK, and the Chil- This paper further investigates whether and to what extent dren’s Online Privacy Protection Act (COPPA) [79] in the US, consent is implemented in mobile apps.
    [Show full text]
  • A Cybersecurity Terminarch: Use It Before We Lose It
    SYSTEMS ATTACKS AND DEFENSES Editors: Davide Balzarotti, [email protected] | William Enck, [email protected] | Samuel King, [email protected] | Angelos Stavrou, [email protected] A Cybersecurity Terminarch: Use It Before We Lose It Eric Osterweil | George Mason University term · in · arch e /’ t re m , närk/ noun an individual that is the last of its species or subspecies. Once the terminarch dies, the species becomes extinct. hy can’t we send encrypt- in the Internet have a long history W ed email (secure, private of failure. correspondence that even our mail To date, there has only been one providers can’t read)? Why do our success story, and, fortunately, it is health-care providers require us to still operating. Today, almost ev- use secure portals to correspond erything we do online begins with a with us instead of directly emailing query to a single-rooted hierarchical us? Why are messaging apps the global database, whose namespace only way to send encrypted messag- is collision-free, and which we have es directly to friends, and why can’t relied on for more than 30 years: we send private messages without the Domain Name System (DNS). user-facing) layer(s). This has left the agreeing to using a single platform Moreover, although the DNS pro- potential to extend DNSSEC’s verifi- (WhatsApp, Signal, and so on)? Our tocol did not initially have verifica- cation protections largely untapped. cybersecurity tools have not evolved tion protections, it does now: the Moreover, the model we are using to offer these services, but why? DNS Security Extensions (DNS- exposes systemic vulnerabilities.
    [Show full text]
  • DNS As a Multipurpose Attack Vector
    PANEPISTHMIO AIGAIOU DIDAKTORIKH DIATRIBH To Prwtόκοllo DNS wc Poluleitουργικός Forèac EpÐjeshc Suggrafèac: Μάριoc Anagnwstόπουλος Epiblèpwn: Αναπληρωτής Kaj. Ge¸rgioc Καμπουράκης Diatrιβή gia thn aπόκτηση Didaktorikoύ Dipl¸matoc tou ErgasthrÐou Ασφάλειας Plhroforiak¸n kai Epikoinwniak¸n Συστημάτwn Τμήματoc Mhqanik¸n Plhroforiak¸n kai Epikoinwniak¸n Συστημάτwn Septèmbrioc, 2016 University of the Aegean Doctoral Thesis DNS as a multipurpose attack vector Author: Marios Anagnostopoulos Supervisor: Associate Prof. Georgios Kambourakis A thesis submitted in fulfilment of the requirements for the degree of Doctor of Philosophy at the Laboratory of Information and Communication Systems Security Department of Information and Communication Systems Engineering September, 2016 Declaration of Authorship I, Marios Anagnostopoulos, declare that this thesis entitled, \DNS as a multipurpose attack vector" and the work presented in it are my own. I confirm that: This work was done wholly while in candidature for a research degree at this University. Where I have consulted the published work of others, this is always clearly at- tributed. Where I have quoted from the work of others, the source is always given. With the exception of such quotations, this thesis is entirely my own work. I have acknowledged all main sources of help. Where the thesis is based on work done by myself jointly with others, I have made clear exactly what was done by others and what I have contributed myself. Signed: Date: September 28, 2016 i Advising Committee of this Doctoral
    [Show full text]
  • Detecting Malware in TLS Traffic
    IMPERIAL COLLEGE LONDON DEPARTMENT OF COMPUTING Detecting Malware in TLS Traffic Project Report Supervisor: Author: Sergio Maffeis Olivier Roques Co-Supervisor: Marco Cova Submitted in partial fulfillment of the requirements for the MSc degree in Computing Science / Security and Reliability of Imperial College London September 2019 Abstract The use of encryption on the Internet has spread rapidly these last years, a trend encouraged by the growing concerns about online privacy. TLS (Transport Layer Security), the standard protocol for packet encryption, is now implemented by every major websites to protect users’ messages, transactions and credentials. However cybercriminals have started to incorporate TLS into their activities. An increasing number of malware leverage TLS encryption to hide their communications and to exfiltrate data to their command server, effectively bypassing traditional detection platforms. The goal of this project is to design and implement an effective alternative to the unpractical method of decrypting TLS packets’ payload before looking for signs of malware activity. This work presents a highly accurate supervised classifier that can detect malicious TLS flows in a company’s network traffic based on a set of features related to TLS, certificates and flow metadata. The classifier was trained on curated datasets of benign and malware observations, which were extracted from capture files thanks to a set of tools specially developed for this purpose. We detail in this report the complete development process, from data collection and feature extraction to model selection and performance analysis. ii Acknowledgments I would like to particularly thank Marco Cova and Sergio Maffeis, my project su- pervisors, for their valuable and continuous suggestions and for their constructive feedbacks on this project.
    [Show full text]
  • The ISP Column Ipv6 and The
    The ISP Column On Things Internet July 2020 Geoff Huston IPv6 and the DNS These days it seems that whenever we start talking about the DNS the conversation immediately swings around to the subject of DNS over HTTPS (DoH) and the various implications of this technology in terms of changes in the way the DNS is used. It’s true that DoH is a rich topic space and while much has been said and written already, there is still more to say (and write). But that's not my intention here. I’d like to look at a different, but still very familiar and somewhat related, topic relating to the DNS, namely how IPv6 is being used as a transport protocol for DNS queries. Before I set out the questions that I want to consider here, it’s useful to remember why we are deploying IPv6 in the first place. IPv6 is not intended to sit alongside IPv4 in a dual-stack situation as the end objective of this transition process. A fully deployed dual-stack world is not the goal here. We need to push this transition process one step further, and the objective is to get to the point where IPv4 is not only no longer necessary but no longer used at all. In other words, we are attempting to get to the point where IPv6-only services are not only a viable way of using the Internet but are the only way of using the Internet. One of the key elements in the overall transition is the way in which we manage a dual-stack networked environment.
    [Show full text]
  • Network Security Knowledge Area
    Network Security Knowledge Area Prof. Christian Rossow CISPA Helmholtz Center for Information Security Prof. Sanjay Jha University of New South Wales © Crown Copyright, The National Cyber Security Centre 2021. This information is licensed under the Open Government Licence v3.0. To view this licence, visit http://www.nationalarchives.gov.uk/doc/open- government-licence/. When you use this information under the Open Government Licence, you should include the following attribution: CyBOK Network Security Knowledge Area Version 2.0 © Crown Copyright, The National Cyber Security Centre 2021, licensed under the Open Government Licence http://www.nationalarchives.gov.uk/doc/open- government-licence/. The CyBOK project would like to understand how the CyBOK is being used and its uptake. The project would like organisations using, or intending to use, CyBOK for the purposes of education, training, course development, professional development etc. to contact it at [email protected] to let the project know how they are using CyBOK. Security Goals What does it mean to be secure? • Most common security goals: “CIA triad” – Confidentiality: untrusted parties cannot infer sensitive information – Integrity: untrusted parties cannot alter information – Availability: service is accessible by designated users all the time • Additional security goals – Authenticity: recipient can verify that sender is origin of message – Non-Repudiation: anyone can verify that sender is origin of message – Sender/Recipient Anonymity: communication cannot be traced back to
    [Show full text]