Identity Management and DNS Services

Tianyi XING
Project Goal
• Establish a DNSSEC server so that each VM can
be identified in the cloud system in a dynamic
way.
Project Description (cont.)
• So far, VMs in the mobicloud system have IP
addresses and specific port numbers for
remote access. But it is hard for users to
remember all the port numbers of the VMs, and
impossible for users to communicate with
other users via VMs in the cloud knowing
only a user ID.
Project Description (cont.)
• Tasks
– Research on DNSSEC Protocol
– Establish the DNSSEC service in our mobicloud
• Assign a domain name based on user’s ID
• Get authenticated by parent zone
• Automatically generate the IP (can be multiple) and domain
name (should be unique) pair
• Automatically update any change from the user to make
sure users are still able to access from outside
• Task allocation
– Tianyi Xing 100%
Project Description (cont.)
• The project solves the following problems:
– How public users can locate and access the VM
in our cloud's private network in a
secure way.
– Assign each VM a domain name based on the user’s
ID. For example, for user terry, the VM domain name is
probably terry.mobicloud.asu.edu, which provides
an easier way for users to access their VMs.
Technical Details
• Software
– OpenDNSSEC
– Linux OS (Debian 5.0, Mac OS X 10.5, OpenBSD 4.4, Red
Hat Enterprise Linux 5, Solaris 10 and Ubuntu 10.04)
– XenServer
– XenCenter
• Hardware
– Server for OpenDNSSEC
– Dell Cloud Server (Several VMs)
– Dell Switch
DNS Today
• Name servers are subject to many types of
attacks
– Denial of service
– Buffer overruns
• Name servers are (relatively) easily spoofed
– Security measures (e.g., access lists) and
mechanisms (e.g., credibility) can make spoofing
more difficult, but not impossible
DNSSEC
• DNSSEC, the DNS Security Extensions,
augments the current DNS standard to add
– Data origin authentication
– Data integrity checking
• DNSSEC supports data origin authentication
and data integrity checking through the use of
digital signatures
DNS Digital Signatures
• In DNSSEC, each zone has its own public and
private key
• The zone’s private key is used to sign each
RRset in the zone
– An RRset comprises all resource records with the
same owner, class and type
– The digital signature for the RRset is added to the
zone in the form of a new record type, called a SIG
record
DNS Digital Signatures
• The zone’s public key is stored in another new
record type, called a KEY record
– The zone’s KEY record is signed, too, by the zone’s
parent
– This allows a name server that knows the parent
zone’s public key to discover the subzone’s public
key and verify it
What verification proves
• Verifying the DNS data
– proves that the records your name server looked
up really came from the right zone
• For example, that the address of
terry.mobicloud.asu.edu really came from the true
mobicloud.asu.edu zone
– proves the data hasn’t been modified since it was
signed
Zone file
acmebw.com. KEY 0x4101 3 3 (
AvqyXgKk/uguxkJF/hbRpYzxZFG3x8EfNX389l7GX6w7rlLy
BJ14TqvrDvXr84XsShg+OFcUJafNr84U4ER2dg6NrlRAmZA1
jFfV0UpWDWcHBR2jJnvgV9zJB2ULMGJheDHeyztM1KGd2oGk
Aensm74NlfUqKzy/3KZ9KnQmEpj/EEBr48vAsgAT9kMjN+V3
NgAwfoqgS0dwj5OiRJoIR4+cdRt+s32OUKsclAODFZTdtxRn
XF3qYV0S8oewMbEwh3trXi1c7nDMQC3RmoY8RVGt5U6LMAQ
KITDyHU3VmRJ36vn77QqSzbeUPz8zEnbpik8kHPykJZFkcyj
JZoHT1xkJ1tk )
• The KEY record’s fields are:
– 0x4101, the flags field (use for confidentiality prohibited, zone key, valid for
signing)
– 3, the protocol octet (DNSSEC)
– 3, the KEY algorithm number (DSA)
– The public key itself
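As an added example (not code from the slides or from OpenDNSSEC), this Python code decodes the KEY record fields listed above using the RFC 2535 bit layout and checks whether a record qualifies as a zone key for DNSSEC. The sample records, the example.test names and the function names are constructed for illustration; current DNSSEC (RFC 4034) replaces KEY with DNSKEY, which uses a different flags layout.

```python
import base64

# RFC 2535 numbers the 16 flag bits from 0 at the most significant end.
KEY_USE = {0: "authentication and confidentiality permitted",
           1: "confidentiality prohibited",
           2: "authentication prohibited",
           3: "no key present"}
NAME_TYPE = {0: "user key", 1: "zone key", 2: "entity key", 3: "reserved"}
PROTOCOLS = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "all"}
ALGORITHMS = {1: "RSA/MD5", 2: "Diffie-Hellman", 3: "DSA"}


def parse_key_record(text):
    """Parse one KEY record in zone-file presentation format into its fields."""
    tokens = text.replace("(", " ").replace(")", " ").split()
    at = tokens.index("KEY")          # an optional TTL and class may precede the type
    flags = int(tokens[at + 1], 0)    # accepts 0x4101 as well as decimal
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("the flags field is 16 bits wide")
    protocol, algorithm = int(tokens[at + 2]), int(tokens[at + 3])
    key = base64.b64decode("".join(tokens[at + 4:]), validate=True)
    return {
        "owner": tokens[0],
        "use": KEY_USE[flags >> 14],                  # bits 0-1
        "name_type": NAME_TYPE[(flags >> 8) & 0b11],  # bits 6-7
        "signatory": flags & 0xF,                     # bits 12-15
        "protocol": PROTOCOLS.get(protocol, "unassigned (%d)" % protocol),
        "algorithm": ALGORITHMS.get(algorithm, "other (%d)" % algorithm),
        "key_bytes": len(key),
    }


def usable_for_zone_signing(rec):
    """A KEY that fails any of these tests must not be trusted as a zone key."""
    return (rec["name_type"] == "zone key"
            and rec["use"] in (KEY_USE[0], KEY_USE[1])   # authentication allowed
            and rec["protocol"] in ("DNSSEC", "all")
            and rec["key_bytes"] > 0)


# Constructed sample records: the key material is placeholder bytes, not a real key.
SAMPLE_ZONE_KEY = "example.test. KEY 0x4101 3 3 ( AAECAwQFBgcICQoL\n  DA0ODxAREhM= )"
SAMPLE_HOST_KEY = "host.example.test. 3600 IN KEY 0x0000 3 3 AAECAwQF"

if __name__ == "__main__":
    for line in (SAMPLE_ZONE_KEY, SAMPLE_HOST_KEY):
        rec = parse_key_record(line)
        print(rec, "->", usable_for_zone_signing(rec))
```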
OpenDNSSEC features
• Scalable
– Signs zones containing anything from a few records up to
millions of records.
– A signed zone can be migrated from one OpenDNSSEC instance to
another.
• Flexible
– Works with all the different versions of the Unix OS
• Secure
– Stores sensitive cryptographic data in an HSM
– Includes an auditing function that compares the incoming
unsigned zone with the outgoing signed zone
– Supports RSA/SHA1 and SHA2 signatures
Technical Details
• Network topology and requirements
Logical Design
[Figure: logical design flow. Stages: Node created, DHCP assignment, ID binding, DNS update. Fields tracked: Mac, IP, ID.]
Roadmap
• By mid-term
– Establish a DNSSEC server within the mobicloud
system
– Configure the network to make sure the DNSSEC server
serves the right purpose in the mobicloud system
• By Final
– Perfect its function
• Dynamically cooperate with the user ID and IP address
• Dynamically update the IP (ID) and domain pair
– Documentation
Risk and Benefit
• Novel aspects of this project:
– Dynamic DNSSEC for the VM of a mobile device
– Secure DNS service in the mobicloud framework
• Risks/challenges:
– How to cooperate with the user’s ID authentication.
• Potential applications & benefits:
– Dynamic DNSSEC management application
Thanks. Questions?