DNS over Datagram Transport Layer Security (DTLS)

Reddy, Tirumaleswar; Patil, Prashanth; Wing, Dan

doi:10.17487/rfc8094

Cited by 23 publications

(15 citation statements)

References 13 publications

(23 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, DNS Cookies [22] are an EDNS option that provide a weak form of authentication of DNS requests and responses by detecting and ignoring off-path spoofed responses. DNS over TLS [32], DNS over Datagram TLS (DTLS) [62], and DNS over HTTPS [30] provide confidential communication between DNS entities and can also provide source authentication when used in combination with client certificates. However, all three systems inherit communication and processing overhead introduced by (D)TLS negotiation (e.g., certificate transfer) [10,63,64], and require per-host state (without deployment of [68]).…”

Section: Related Workmentioning

confidence: 99%

“…Many of the widespread problems in today's Internet stem from the lack of authentication; in particular, denial-of-service (DoS) attacks often use reflection and amplification techniques enabled by connectionless protocols like DNS or NTP and the possibility of source-address spoofing [36,53,67]. This issue has been tackled in the past through several different approaches: source-address filtering at the network edge [24], cookie-based challenge-response systems [14,22], or client certificates and asymmetric cryptography [32,62]. Unfortunately, these systems provide relatively weak guarantees (filtering and cookies) or introduce a substantial overhead and open up additional DoS vulnerabilities (asymmetric cryptography).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

PISKES: Pragmatic Internet-Scale Key-Establishment System

Rothenberger

Roos²,

Legner

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Denial-of-service attacks have become increasingly prevalent in the Internet. In many cases they are enabled or facilitated by the lack of source authentication-it is often easy for an attacker to spoof its own IP address and thus launch reflection attacks or evade detection. There have been attempts in the past to resolve this issue through filtering or cryptography-based techniques; however, there is still no sufficiently strong system in place today-all proposals either provide weak security guarantees, are not efficient enough, or lack incentives for deployment. In this paper we present PISKES, a pragmatic Internet-scale key-establishment system enabling firstpacket authentication. Through the PISKES infrastructure, any host can locally obtain a symmetric key to enable a remote service to perform source-address authentication. The remote service can itself locally derive the same key with efficient cryptographic operations. PISKES thus enables packet authentication for a wide variety of systems including high-throughput applications like DNS. We have implemented a prototype system that enables a DNS server to verify the source of every received packet within 85 ns, which is over 220 times faster than a system based on asymmetric cryptography. PISKES has been developed for the SCION secure Internet architecture but is also applicable to today's Internet. With its strong source-authentication properties and highly efficient operation it has the potential to finally bring network-layer authentication to the Internet.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

PISKES: Pragmatic Internet-Scale Key-Establishment System

Rothenberger

Roos²,

Legner

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…1) Introduction to DNSSEC: Domain Name System Security Extensions (DNSSEC-bis) [116], [117] belong to a set of specifications from the IETF that allows DNS clients (resolvers) to authenticate the source of DNS responses, authenticate the non existent domain responses (avoiding certain attacks), and to verify the integrity of DNS responses. It does not provide confidentiality unless used together with TLS or DTLS [118], [119].…”

Section: F Dns-based Authentication Of Named Entitiesmentioning

confidence: 99%

TLS/PKI Challenges and Certificate Pinning Techniques for IoT and M2M Secure Communications

Díaz-Sánchez

Marin-Lopez

Almenárez

et al. 2019

IEEE Commun. Surv. Tutorials

View full text Add to dashboard Cite

Transport Layer Security is becoming the de facto standard to provide end-to-end security in the current Internet. IoT and M2M scenarios are not an exception since TLS is also being adopted there. The ability of TLS for negotiating any security parameter, its flexibility and extensibility are responsible for its wide adoption but also for several attacks. Moreover, as it relies on Public Key Infrastructure (PKI) for authentication, it is also affected by PKI problems. Considering the advent of IoT/M2M scenarios and their particularities, it is necessary to have a closer look at TLS history to evaluate the potential challenges of using TLS and PKI in these scenarios. According to this, the article provides a deep revision of several security aspects of TLS and PKI, with a particular focus on current Certificate Pinning solutions in order to illustrate the potential problems that should be addressed.

show abstract

“…The scheme is cited in DTLS related RFCs, even if we are not aware of specific available implementations. In particular, in [16] it is claimed that "it is highly advantageous to avoid server-side DTLS state and reduce the number of new DTLS sessions on the server that can be done with TLS Session Resumption without server state". And then in [2] it is stated that it is possible to devise a "TLS/DTLS session resumption that does not require per-session state information to be maintained by the constrained server.…”

Section: ) Session Resumption Through Session Idmentioning

confidence: 99%

Fast Session Resumption in DTLS for Mobile Communications

Caminati,

Kiade,

D'Angelo

et al. 2019

Preprint

View full text Add to dashboard Cite

DTLS is a protocol that provides security guarantees to Internet communications. It can operate on top of both TCP and UDP transport protocols. Thus, it is particularly suited for peer-to-peer and distributed multimedia applications. The same holds if the endpoints are mobile devices. In this scenario, mechanisms are needed to surmount possible network disconnections, often arising due to the mobility or the scarce resources of devices, that can jeopardize the quality of the communications. Session resumption is thus a main issue to deal with. To this aim, we propose a fast reconnection scheme that employs non-connected sockets to quickly resume DTLS communication sessions. The proposed scheme is assessed in a performance evaluation that confirms its viability.

show abstract

DNS over Datagram Transport Layer Security (DTLS)

Cited by 23 publications

References 13 publications

PISKES: Pragmatic Internet-Scale Key-Establishment System

PISKES: Pragmatic Internet-Scale Key-Establishment System

TLS/PKI Challenges and Certificate Pinning Techniques for IoT and M2M Secure Communications

Fast Session Resumption in DTLS for Mobile Communications

Contact Info

Product

Resources

About