Network Security

Our CAIRN Network Participation

Local Experiments
Domain Name System Security Extensions

Abstract - DNS provides the mapping of domain names, which include host names, to IP addresses. In the current DNS, spoofing responses to redirect IP traffic is trivial. The impact is that asking for http://myfavoriteplace.org may result in a page coming from thebadpeople.org because the web browser uses the wrong IP address. The DNS security extensions are an activity coordinated in the IETF DNSSEC working group. The strategy is to add digital signatures to the DNS data so that spoofed IP address responses will be recognized as spoofs.

The DNSSEC servers are modified BIND 8.1.1 named servers, running locally on buddy.tis.cairn.net and active.tis.cairn.net. Outside the TIS CAIRN segment, there is at least one other server running the DNSSEC code: the server for isie.cairn.net.

Future Plans
The intent of the experiment is to grow the use of DNSSEC throughout CAIRN DNS zones. In parallel with the effort to do this, the DNSSEC technology is to be combined with the stock BIND releases. How these two efforts will interact is unknown. (I.e., by simply staying with the stock version of BIND, DNSSEC would be used throughout CAIRN without an overt effort to install DNSSEC prototype software.)

Local Configuration
An ethernet segment is dedicated to the support of CAIRN. The LAN is attached to the Internet through an institutional router to our local IP provider. The LAN is connected to the CAIRN cloud via a T-1 line to ISI East.

Other machines may be attached to the LAN from time to time, but these are the machines germane to the CAIRN effort:

Role: CAIRN router
Machine Name: CAIRN cloud: tissun-isipc3.cairn.net; internal E-net: frodo.tis.cairn.net
IP Address: 140.173.1.42; 199.171.39.200
Other Information: Sun SparcStation; SunOS 4.1.1 (DARTNET); Accessible by CAIRN researchers

Role: Buddy host
Machine Name: buddy.tis.cairn.net
IP Address: 199.171.39.1
Other Information: FreeBSD 2.2.5; Can "tip" to the CSU/DSU and frodo; Runs DNSSEC primary server; Partly accessible by CAIRN researchers

Role: Experimental host
Machine Name: active.tis.cairn.net
IP Address: 199.171.39.3
Other Information: Linux 5; Runs DNSSEC secondary server; Not accessible by CAIRN researchers

Role: Internal router
Machine Name: internal E-net: cisco.tis.cairn.net
IP Address: 199.171.39.100
Other Information: Connects our CAIRN LAN to Internet; Not accessible by CAIRN experimenters

No routing is done on the LAN. Static routes are configured into the involved hosts to be able to reach CAIRN sites via CAIRN and other sites via the Internet.

Page Data
Maintained by Ed Lewis (Edward_Lewis@nai.com), phone to: +1-301-854-5794 (about 9am-5pm, eastern US).
Last updated on July 15, 1998