Protocol Changes to Improve Privacy and Security
30/11/2017
In recent years, major advances have been introduced to the protocols that underpin the Internet. Many of these modifications were developed to guarantee information security and to increase privacy, two aspects that had not been addressed in the original protocol specifications.
During the recent LACNIC meeting held in Montevideo, a session was organized where experts discussed the most important of these changes, particularly those involving DNS, BGP and IPv6.
IPv6 at Home. Expert Jordi Palet noted that the IPv6 standardization process has brought about notable improvements in terms of security, adding that one of these improvements, the flow label, allows optimizing data center traffic. “This is new compared to IPv4, where there is no such flow label,” said Palet.
According to Palet, this improvement aimed at load balancing — which is not possible in IPv4 — will not necessarily lead to improved functionality but may lower datacenter costs.
Another development worth highlighting from recent years is the standardization of how DNS servers are configured: with IPv6 they can be configured without the need for a DHCP server, while with IPv4 they must be configured manually or using a DHCP server.
Another aspect of IPv6 standards highlighted by Palet is that a lot of the work required for the Internet of Things (IoT) no longer makes sense in IPv4. As an example, he mentioned the Homenet protocol. “Our home networks will become increasingly complex; in addition to a router, we will have more wi-fi networks, connected devices and so on. With IPv4, these require manual configuration, while with IPv6 these connections are automated,” noted Palet. The Homenet protocol allows wi-fi networks to talk to each other for self-configuration purposes. “Instead of having a single provider, Homenet also makes it possible to have a backup provider so your home will never be disconnected. It’s just like having two electrical power sources: you can automatically use one or the other,” added Palet.
More privacy and robustness. In turn, LACNIC CTO Carlos Martínez commented that the IETF is currently working on improvements to the DNS, one of the key components of the Internet. Martínez said that this work on improving the DNS is seeking to increase its resistance to abuse and attacks, improve the security features of the DNS, and connect users with content networks located closer to them.
Martínez pointed out that they are working so that all the information contained in the DNS — which is public — will be less exposed and more compartmentalized in order to mitigate the risk of having large servers with huge amounts of information.
To protect this level of information, among other things, Martínez noted that IETF RFC 7816 has been published, which minimizes the information that a user discloses to each level in the DNS tree. “Query each hierarchy level about what it can actually answer. You are revealing less information than before. The solution to these kinds of issues cannot be found in a single place,” stressed Martínez.
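The difference RFC 7816 makes can be seen by tracing which query names each level of the tree receives. The following is an added example, not part of the original article: a simplified model in which the zone cuts, the function names and the sample names are all assumptions, and no DNS traffic is sent.

```python
# Simplified model of iterative resolution with and without RFC 7816
# QNAME minimisation. ZONE_CUTS is constructed sample data.
ZONE_CUTS = {".", "com.", "example.com."}


def fqdn(name):
    """Normalise to a lower-case name with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def ancestors(qname):
    """Names from the TLD down to qname: com., example.com., ..."""
    labels = fqdn(qname).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def classic(qname, qtype="A"):
    """Every zone on the path receives the full name and the real type."""
    cuts = [n for n in ancestors(qname) if n in ZONE_CUTS and n != "."]
    return [(zone, fqdn(qname), qtype) for zone in ["."] + cuts]


def minimised(qname, qtype="A"):
    """Ask each zone only for the next label (as an NS query); send the
    full name and real type once there are no labels left to add."""
    qname, zone, sent = fqdn(qname), ".", []
    for name in ancestors(qname):
        if name != qname:
            sent.append((zone, name, "NS"))
            if name in ZONE_CUTS:       # referral: descend into the child zone
                zone = name
            # otherwise: no delegation here, add a label and ask the same zone
        else:
            sent.append((zone, qname, qtype))
            if name in ZONE_CUTS and name != zone:  # parent only refers
                sent.append((name, qname, qtype))
    return sent


def seen_by(trace, zone):
    """Query names that the servers for `zone` get to observe."""
    return [name for z, name, _ in trace if z == zone]


if __name__ == "__main__":
    for q in ("www.example.com", "host.dept.example.com"):
        print(q, "classic:  ", classic(q))
        print(q, "minimised:", minimised(q))
```

In the second sample name, `dept.example.com.` is not a zone cut, so the minimising resolver spends one extra query on the same zone: the privacy gain costs additional lookups when names contain labels that are not delegations.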
The next step is to work on secure transport for DNS, that is, how to encrypt DNS. Martínez observed that five systems are being analyzed. One of them consists of using the same encryption technology as HTTPS (the one with the lock icon), but this is an expensive solution. “This technology can be implemented at small scale,” said Martínez.
Standardization work is also being done to improve access to content distribution. “Which cache server is closest to your location? Closest in terms of network distance, of latency. One way to detect this is through the user’s IP address. One of the proposals under discussion is to send the client’s information (all of the client’s data) when a DNS query is received, as this helps determine which is the closest cache server,” said Martínez.
Modernizing BGP. Guillermo Cicileo, responsible for LACNIC’s Internet Security and Stability Program, spoke about the improvements to BGP, the Internet routing system.
BGP routing makes it possible to know how to reach a certain IP. “It’s like an Internet GPS,” said Cicileo.
Conceived in the 80s and 90s when the Internet was collaborative and used for research, BGP has security vulnerabilities that are now being addressed.
The current challenges for BGP include dealing with attacks against the routing system (i.e. when an unauthorized person publishes false information in BGP and redirects traffic), configuration errors, and the publication of routing information that should not be published.
To solve the issue of these attacks, work is being done on RPKI.
“RPKI is used not only for validation, but also to authorize routing databases or the automatic construction of filters which can benefit Internet operators,” said Cicileo.
BGPsec, a protocol based on RPKI, has also been developed to improve BGP verification mechanisms, although for now it has not seen large-scale adoption.
As for the prevention of information leaks, techniques are being developed to keep everything from being announced (e.g. RFC 8212) and to avoid leaks.
Cicileo observed that “what BGP learned about a peer, it announced to other neighbors. Now (with RFC 8212) an explicit policy must be defined for such data to be published, as publishing occurs only when instructed. This avoids configuration errors.”
This mechanism will help reduce configuration errors as well as routing information, thus addressing another problem: route hijacking.
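The change in default behaviour that RFC 8212 introduces for EBGP sessions can be modelled in a few lines. This is an added example, not part of the original article or of any router implementation: the peer names, the `propagate` function and the prefixes (documentation ranges) are constructed for illustration.

```python
# Toy model of one EBGP speaker, with and without RFC 8212 behaviour.
# All peer names and prefixes are constructed (documentation ranges).

def accept_all(prefix):
    return True


def propagate(received, own, policies, rfc8212):
    """Return {peer: prefixes advertised to that EBGP peer}.

    received: {peer: [prefixes learned from that peer]}
    own:      prefixes this AS originates
    policies: {peer: {"import": fn, "export": fn}}; a missing entry means
              the operator configured nothing for that direction.
    """
    def policy(peer, direction):
        fn = policies.get(peer, {}).get(direction)
        if fn is None:
            # RFC 8212: no policy, nothing passes. Legacy: everything does.
            return (lambda p: False) if rfc8212 else accept_all
        return fn

    # Import: decide which learned routes are eligible at all.
    rib = [(p, None) for p in own]
    for peer, prefixes in received.items():
        rib += [(p, peer) for p in prefixes if policy(peer, "import")(p)]

    # Export: never send a route back to the peer it came from.
    return {
        peer: sorted(p for p, src in rib
                     if src != peer and policy(peer, "export")(p))
        for peer in received
    }


OWN = ["192.0.2.0/24"]
RECEIVED = {"upstream_a": ["198.51.100.0/24"],
            "upstream_b": ["203.0.113.0/24"]}
# Explicit policy: accept what upstreams send, export only our own prefix.
EXPLICIT = {peer: {"import": accept_all, "export": lambda p: p in OWN}
            for peer in RECEIVED}

if __name__ == "__main__":
    print("legacy, no policy:  ", propagate(RECEIVED, OWN, {}, rfc8212=False))
    print("RFC 8212, no policy:", propagate(RECEIVED, OWN, {}, rfc8212=True))
    print("RFC 8212, explicit: ", propagate(RECEIVED, OWN, EXPLICIT, rfc8212=True))
```

With no policy configured, the legacy speaker passes each upstream's routes to the other upstream, while the RFC 8212 speaker advertises nothing until the operator states what may be exported.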
Finally, Cicileo commented that BGP is being used in mass or large-scale datacenters (hundreds of thousands of servers), as it has several advantages such as the possibility of being the only routing protocol in the datacenter, plus lower complexity, increased stability and greater control over routing information (see RFC 7938).
“BGP can carry hundreds of thousands of routes and has proven efficiency on the Internet,” concluded Cicileo.