DNSSEC (Domain Name System Security Extensions) is a domain name system (DNS) extension that provides additional security to DNS queries. Its main objective is to ensure the authenticity, integrity and confidentiality of DNS data by protecting it against cache poisoning and spoofing attacks.
At the end of the article you will find a small test that will allow you assess the knowledge acquired in this reading
DNSSEC (Domain Name System Security Extensions)
DNSSEC uses public key cryptography to digitally sign DNS records, allowing users to verify the authenticity of data obtained from a DNS server. Here's how DNSSEC works:
1. Digital zone signatures
In DNSSEC, a zone signing key (ZSK) is created for each DNS zone. This key is used to generate digital signatures of the DNS records in the zone. Digital signatures are generated using cryptographic algorithms and attached to the corresponding DNS records.
2. Zone Signing Key (ZSK) and Key Signing Key (KSK)
In addition to the ZSK, a key signing key (KSK) is used to digitally sign the ZSK and establish a chain of trust. The KSK is kept separate from the ZSK and is used to sign and renew the ZSK periodically.
3. Chain of trust
Each DNS server that implements DNSSEC stores the public keys necessary to verify digital signatures. These public keys are used to establish a chain of trust that allows users to validate the authenticity of DNS data.
4. Authentication tour
When a client performs a DNS query, the DNS server implementing DNSSEC sends the requested records along with the corresponding digital signatures. The client can verify the authenticity of the records using the public keys stored in its DNSSEC configuration.
5. Chain of trust signature
To establish the chain of trust, the KSK is used to digitally sign the ZSK and its signature is added to the DNS zone. This ensures that users who trust the KSK can also trust the ZSK and therefore the data in the DNS zone.
DNSSEC provides an additional layer of security to the domain name system by ensuring that DNS data has not been modified in transit and comes from legitimate sources. This protects against DNS cache poisoning attacks, where attackers spoof DNS responses and redirect traffic to malicious destinations.
Secure ICMPv6
Secure ICMPv6, also known as Secure ICMP for IPv6, is an extension to Internet Control Message Protocol version 6 (ICMPv6) that provides additional security to ICMPv6 messages over IPv6.
Its main objective is to guarantee the authenticity and integrity of ICMPv6 messages, avoiding spoofing attacks and ensuring that messages come from legitimate sources and have not been modified in transit.
Below are some key features and mechanisms of Secure ICMPv6:
1. ICMPv6 message authentication
Secure ICMPv6 uses authentication techniques to verify the identity of the source of ICMPv6 messages. It relies on the use of digital signatures and public key cryptography to authenticate ICMPv6 messages and ensure that they come from trusted sources.
2. ICMPv6 message integrity
Secure ICMPv6 guarantees the integrity of ICMPv6 messages by using digital signatures. Each ICMPv6 message is digitally signed with a private key to generate a digital signature, and this signature is attached to the message. Upon receiving the message, the receiver can verify the integrity of the message by using the corresponding public key and checking the validity of the digital signature.
3. Public key cryptography
Secure ICMPv6 relies on public key infrastructure (PKI) to manage the public and private keys required for authentication and digital signing. Each participating entity has its own public-private key pair, where the private key is used to sign messages and the public key is used to verify signatures.
4. Digital signature verification
Upon receiving an ICMPv6 message, the receiver verifies the attached digital signature using the corresponding public key. If the signature is valid, this indicates that the ICMPv6 message has not been modified in transit and is coming from the expected source.
Secure ICMPv6 provides an additional layer of security to ICMPv6 messages over IPv6, ensuring that messages are authentic and have not been modified. This helps prevent spoofing attacks and ensures that ICMPv6 messages are trusted and come from legitimate sources.
It is important to note that Secure ICMPv6 implementation and support may vary between systems and network devices. Not all devices or operating systems natively support Secure ICMPv6, and it may require additional configurations and settings to enable and use this security extension.
BGPsec (Border Gateway Protocol Security Extensions)
BGPsec (Border Gateway Protocol Security Extensions) is an extension of the Border Gateway Protocol (BGP) routing protocol that provides additional security to routes advertised on the Internet. Its main objective is to guarantee the authenticity and integrity of BGP routes, preventing malicious routing attacks and improving security in the Internet infrastructure.
Below are some fundamental elements of BGPsec:
1. Digital route signature
BGPsec uses digital signatures to authenticate and validate BGP routes. Each BGP route advertisement is digitally signed using public key cryptography. This allows BGP routers to verify the authenticity of routes and ensure that they come from trusted sources.
2. Chain of trust
BGPsec establishes a chain of trust to validate BGP routes. Each route digital signature is verified using the issuer's public key, and this public key is in turn authenticated using a chain of trusted certificates and public keys. In this way, a chain of trust is created that allows BGP routers to validate the authenticity of the routes.
3. Protocol updates
BGPsec introduces new updates and extensions to the BGP protocol to support route signing and verification. This involves changes to the way BGP routers exchange information and process route advertisements, to include information necessary for authentication and integrity.
4. Public Key Infrastructure (PKI)
BGPsec requires a public key infrastructure (PKI) to manage and distribute the public keys and certificates required for signing and verifying routes. PKI is used to generate and distribute public and private keys, as well as to establish trust in the public keys of route issuers.
5. Mitigation of malicious routing attacks
BGPsec improves security in Internet infrastructure by mitigating malicious routing attacks such as route poisoning and spoofing. By ensuring the authenticity of BGP routes, BGPsec helps prevent attackers from manipulating routing and diverting traffic to malicious destinations.
It is relevant to keep in mind that BGPsec requires the adoption and cooperation of network operators and Internet service providers to be effective globally. All routers along the path must support BGPsec and be properly configured to use this security extension.
Brief knowledge quiz
What do you think of this article?
Do you dare to evaluate your learned knowledge?
Recommended book for this article
IPv6 book with MikroTik, RouterOS v7
Study material for the MTCIPv6E Certification Course updated to RouterOS v7