@@ -245,7 +245,9 @@ provider with whom they have no relationship.
245245A more sophisticated approach relies on the use of cryptographically
246246signed statements authorizing a particular AS to advertise paths to a
247247particular prefix. This technology behind this is referred to as RPKI:
248- Resource Public Key Infrastructure.
248+ Resource Public Key Infrastructure. RPKI builds on the concepts of
249+ cryptographic signatures and certificate hierarchies that we
250+ introduced in previous chapters.
249251
250252RPKI provides a means by which entities involved in routing, such as
251253the operator of an AS, can make assertions about information that is
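Review bot: while this paragraph is open, fix the context line 247 as well: "This technology behind this is referred to as RPKI" should read "The technology behind this is referred to as RPKI". The added back-reference to signatures and certificate hierarchies is useful, but "previous chapters" is vague for a reader who has jumped straight to the routing material; name the chapter, or better, point at it with a cross-reference role (the file already uses :numref: further down), so the pointer survives any renumbering.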
@@ -361,13 +363,20 @@ complete picture of the chains of certificates that have been
361363issued. With this information, a router running BGP can determine *in advance * which
362364ASes could originate routing advertisements for which prefixes and use
363365this to configure filtering rules that specify which advertisements they are
364- willing to accept. There is a well-established set of software tools
365- to automate this process for popular operating systems and commercial
366- routing platforms. Notably, the routers running BGP do not perform
367- cryptographic operations in real time when processing route
368- advertisements; all the cryptographic operations happen in advance
369- when setting up the filtering rules based on information from the RPKI
370- repository.
366+ willing to accept. Note the contrast to prior uses of certificates we
367+ have seen: a router builds a complete picture of the certificate
368+ hierarchy *a priori * in readiness for subsequent routing decisions,
369+ rather than checking the validity of certificates as part of
370+ establishing a session (as happens in TLS, for example).
371+
372+ There is a well-established set of software tools to automate the
373+ process of leveraging the RPKI for popular operating systems and
374+ commercial routing platforms. Notably, the routers running BGP do not
375+ perform cryptographic operations in real time when processing route
376+ advertisements; all the cryptographic operations happen in advance on
377+ servers that are external to the routers themselves. The external
378+ systems push filtering rules to the routers based on information
379+ derived from the RPKI repository.
371380
372381With the RPKI in place it is now possible to perform Route Origin
373382Validation (ROV). That is, if a given AS claims to be the originator of a
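Review bot: the new paragraph at 366-370 and the retained one at 372-379 disagree about who does the work. The first says "a router builds a complete picture of the certificate hierarchy a priori", while the second says the routers perform no cryptographic operations and that the picture is built on external servers, which then push filtering rules to the routers. Make the first consistent with the second, e.g. "the certificate hierarchy is validated a priori, outside the router, in readiness for subsequent routing decisions, rather than checking the validity of certificates as part of establishing a session (as happens in TLS, for example)". Two smaller points: "*a priori *" on 368 (and "*in advance *" on the context line 363) has a space before the closing asterisk, which RST will not render as emphasis if that space is in the source rather than an artifact of this view; and "push filtering rules" at 378 slightly overstates what the external system supplies, since the router still applies its own policy to the validated prefix/origin data it receives, so "push the validated prefix-to-origin data from which the routers build their filtering rules" would be more accurate.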
@@ -629,7 +638,7 @@ requests that can fool the recipients. Because of the way DNS caches
629638responses, the impact of such false information can be widespread.
630639
631640"Cache poisoning"—also sometimes referred to as DNS spoofing—is a
632- common from of attack on DNS. If an attacker can either force a
641+ common form of attack on DNS. If an attacker can either force a
633642resolver to make a recursive query to an authoritative name server, or
634643predict roughly when such a query is to be made, the attacker can try
635644to send a fake response to *that * query. :numref: `Figures %s
@@ -748,9 +757,10 @@ autonomous systems to reject traffic with spoofed source
748757addresses. It may not be 100% effective but it will reduce the
749758effectiveness of large scale attacks.
750759
751- Finally, there are ways to deal with DoS attacks such as the use
752- of content distribution networks and black-holing of DoS
753- traffic. We discuss these further in Chapter 9.
760+ Finally, recall that there are general ways to deal with DoS attacks
761+ such as the use of content distribution networks and black-holing of
762+ DoS traffic. We discuss the general approaches to DoS mitigation in
763+ Chapter 7.
754764
7557658.2.2 DNS Security Extensions (DNSSEC)
756766~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
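Review bot: the cross-reference moves from Chapter 9 to Chapter 7, and the wording changes from "we discuss these further" to "recall that", which is consistent with Chapter 7 preceding this section (8.2). Please double-check the target before merging, since a wrong hard-coded chapter number is exactly the kind of error this hunk is correcting; a :ref: to a label on the DoS-mitigation section would keep the pointer correct if the chapters are renumbered again.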
@@ -845,9 +855,11 @@ connect you to the web site?
845855
846856This is not to say that protecting DNS is unimportant,
847857however. Interference with DNS is still a vector for censorship and
848- surveillance of Internet usage. For this reason there are other
849- methods of protecting DNS that have started to gain traction more
850- recently, as discussed in the next section.
858+ surveillance of Internet usage. Subverting DNS to direct a client to a
859+ site other than the one they intended to reach undermines the
860+ operation of the Internet. While DNSSEC has struggled to gain
861+ traction, other methods of protecting DNS have appeared more
862+ recently and are having some impact, as discussed in the next section.
851863
852864A final note on DNSSEC is that, by making responses larger, it has the
853865potential to worsen amplification attacks. The response to a request
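Review bot: number agreement in the added sentence at 858-859: "direct a client to a site other than the one they intended" mixes singular "client" with "they"; use "it" or pluralize to "clients ... they". The clause "undermines the operation of the Internet" is also weaker and vaguer than the point being made; something concrete, such as "defeats the user's intent even when the connection that follows is otherwise secured", ties the sentence back to the "connect you to the web site?" question this paragraph is answering.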