Next-Generation Internet Address Resource Technology Trend Report
[Figure: DNS service over anycast. A user PC (S.IP = 10.10.10.1, reached via 10.1.0.2) sends its query to D.IP = 10.10.10.100, the shared anycast address. Three anycast sites each run a DNS server with its own unicast address (10.5.2.10, 10.10.20.100 and 10.2.1.2) plus the common anycast address 10.10.10.100; router addresses 10.0.0.1 and 10.10.1.2 also appear in the diagram.]
Image Source : http://www.caida.org/projects/oarc/proposal/
[Table: anycast applied / not applied, per server address]
203.119.1.1      applied
202.12.30.131    not applied
165.76.0.98      not applied
210.138.175.244  applied
192.50.43.53     applied
150.100.2.3      applied
[Figure: map of anycast-related RFCs and Internet-Drafts]
IPv4 anycast: RFC 1546 Host Anycasting Service; RFC 2182 Selection and Operation of Secondary DNS Servers; RFC 2870 Root Name Server Operational Requirements; RFC 3258 Distributing Authoritative Name Servers via Shared Unicast Addresses
IPv6 anycast: RFC 3513 IP Version 6 Addressing Architecture (to be obsoleted; the update of RFC 3513 is pending as the draft IP Version 6 Addressing Architecture, draft-ietf-ipv6-addr-arch-v4-02.txt)
IPv6 anycast issues (drafts): Operation of Anycast Services, draft-ietf-grow-anycast-00.txt; Anycast Addressing in IPv6, draft-jabley-v6-anycast-clarify-00.txt; An analysis of IPv6 anycast, draft-ietf-ipngwg-ipv6-anycast-analysis-02.txt
(Legend: standard and standards-track RFC; obsoleted RFC; informational RFC; relations "updated by", "obsoleted by", "related and extended by")
[Figure: groups of DNS security documents. Base DNS protocol docs [RFC1035, RFC2181, etc.]; DNS protocol [RFC3007, 4033, 4034, 4035, etc.]; new security RRs [RFC2538, 2931, etc.]; new security uses; digital signature algorithm implementations [RFC2563, 3110]; transactions [RFC2845, 2930].]
[Figure: map of DNS security RFCs]
RFC 2137 Secure Domain Name System Dynamic Update
RFC 2181 Clarifications to the DNS Specification
RFC 2535 Domain Name System Security Extensions
RFC 2536 DSA KEYs and SIGs in the Domain Name System (DNS)
RFC 2537 RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
RFC 2538 Storing Certificates in the Domain Name System (DNS)
RFC 2539 Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
RFC 2540 Detached Domain Name System (DNS) Information
RFC 2541 DNS Security Operational Considerations
RFC 2845 Secret Key Transaction Authentication for DNS (TSIG)
RFC 2870 Root Name Server Operational Requirements
RFC 2929 Domain Name System (DNS) IANA Considerations
RFC 2930 Secret Key Establishment for DNS (TKEY RR)
RFC 2931 DNS Request and Transaction Signatures (SIG(0)s)
RFC 3007 Secure Domain Name System (DNS) Dynamic Update
RFC 3008 Domain Name System Security (DNSSEC) Signing Authority
RFC 3090 DNS Security Extension Clarification on Zone Status
RFC 3110 RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)
RFC 3130 Notes from the State-Of-The-Technology: DNSSEC
RFC 3225 Indicating Resolver Support of DNSSEC
RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements
RFC 3445 Limiting the Scope of the KEY Resource Record (RR)
RFC 3597 Handling of Unknown DNS Resource Record (RR) Types
RFC 3645 Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)
RFC 3655 Redefinition of DNS Authenticated Data (AD) bit
RFC 3658 Delegation Signer (DS) Resource Record (RR)
RFC 3755 Legacy Resolver Compatibility for Delegation Signer (DS)
RFC 3757 Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag
RFC 3833 Threat Analysis of the Domain Name System (DNS)
RFC 3845 DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format
RFC 4025 A Method for Storing IPsec Keying Material in DNS
RFC 4033 DNS Security Introduction and Requirements
RFC 4034 Resource Records for the DNS Security Extensions
RFC 4035 Protocol Modifications for the DNS Security Extensions
(Legend: standard and standards-track RFC; obsoleted RFC; informational RFC; relations "updated by", "obsoleted by", "related and extended by")
[Table: comparison of unicast, anycast, multicast and broadcast addressing]
Item | Unicast | Anycast | Multicast | Broadcast
IPv4 address | Class A, B, C addresses | none designated separately; chosen from unicast addresses | Class D addresses, 224.0.0.0/4 | 255.255.255.255, subnet broadcast address
IPv6 address | everything except FF00::/8 | none designated separately; chosen from unicast addresses | FF00::/8 | none
Destination | a single interface | the nearest single interface | multiple interfaces | all interfaces
IPv4 source address | allowed | allowed | not allowed | not allowed
IPv6 source address | allowed | not allowed * | not allowed | not allowed
IPv4 address assignment | all nodes | possible on all nodes | multicast group | cannot be assigned
IPv6 address assignment | all nodes | routers only * | multicast group | -
Implementation elements | basic implementation | implemented through anycast IP address configuration and special routing configuration | multicast routing protocol and multicast router implementation | basic in IPv4 nodes; not implemented in IPv6
Examples | 202.31.190.1, 2001:dc5:a::1 | 192.88.99.1 (6to4 relay router anycast address), 2001:dc5:a::0 (subnet-router anycast address) | 224.0.0.5 (OSPF All Routers), FF02::2 (All Routers Address), FF02::1 (All Nodes Address) | 202.31.191.255 (broadcast address of the 202.31.191.0/24 network)
[Figure: unicast versus multicast delivery. Unicast: a user PC at 10.0.0.1 sends to a web server at 10.10.10.100 (D.IP = 10.10.10.100, S.IP = 10.0.0.1). Multicast: a media server at 10.10.10.100 sends to group 224.0.1.128 (D.IP = 224.0.1.128, S.IP = 10.10.10.100) through special multicast routing software; hosts 10.0.0.1, 10.0.0.2, 10.0.1.2 and 10.0.1.3 have joined the group, while 10.0.0.3 and 10.0.1.1 have not.]
[Figure: NTP service over anycast. A user PC (S.IP = 10.10.10.1, reached via 10.1.0.2) sends to D.IP = 10.10.10.100; three anycast sites run NTP servers with unicast addresses 10.5.2.10, 10.10.20.100 and 10.2.1.2 and the shared anycast address 10.10.10.100.]
[Figure: the same anycast deployment spread across AS100 (user PC side), AS200, AS300, AS400, AS500 and AS600, with the BGP routing table entries for the anycast prefix 10.10.10.0/24 as seen in AS100]
10.10.10.0/24  200 600 i
10.10.10.0/24  200 600 600 i
10.10.10.0/24  200 500 600 600 i
10.10.10.0/24  300 400 600 i
10.10.10.0/24  300 400 600 600 i
10.10.10.0/24  300 600 600 i
10.10.10.0/24  300 500 600 600 i
[Figure: the same anycast NTP deployment with routers RTR#1 and RTR#2 running OSPF; the OSPF routing table carries the anycast prefix 10.10.10.0/24 once as an internal route via RTR#2 and twice as an external route]
OSPF Routing Table
10.10.10.0/24  Internal  RTR#2
10.10.10.0/24  External
10.10.10.0/24  External
[Figure: anycast DNS with DNS Server A and DNS Server B both answering on 192.0.2.1. Clients A, B and C send DNS queries to 192.0.2.1 through Routers 1 to 6 (link addresses 172.16.0.1, 172.16.0.2, 172.16.0.3, 192.168.0.1, 192.168.0.2).]
Routing Table of Router 1:
Destination  Mask  Next-Hop     Distance
192.0.2.0    /24   172.16.0.2   2
192.0.2.0    /24   172.16.0.3   3
Routing Table of Router 2:
Destination  Mask  Next-Hop     Distance
192.0.2.0    /24   192.168.0.2  1
192.0.2.0    /24   172.16.0.3   3
There is little experience with widespread, arbitrary use of internet anycast addresses, and some known complications and hazards when using them in their full generality [ANYCST]. Until more experience has been gained and solutions are specified, the following restrictions are imposed on IPv6 anycast addresses:

o An anycast address must not be used as the source address of an IPv6 packet.

o An anycast address must not be assigned to an IPv6 host, that is, it may be assigned to an IPv6 router only.

APPENDIX B: Changes from RFC-3513

The following changes were made from RFC-3513 "IP Version 6 Addressing Architecture":

o The restrictions on using IPv6 anycast addresses were removed because there is now sufficient experience with the use of anycast addresses, the issues are not specific to IPv6, and the GROW working group is working in this area.
[Figure: subdomain location model]
[Figure: map of ENUM-related standards]
RFC 3761 The E.164 to URI DDDS Application (ENUM), obsoleting RFC 2916 E.164 Number and DNS
DDDS series, obsoleting RFC 2915 NAPTR DNS RR: RFC 3401 Pt. 1 Comprehensive DDDS; RFC 3402 Pt. 2 The Algorithm; RFC 3403 Pt. 3 DNS DB; RFC 3404 Pt. 4 URI; RFC 3405 Pt. 5 URI.ARPA Assignment Procedure
RFC 2276 Architectural Principles of URN Resolution (updated)
RFC 3986 URI: Generic Syntax
RFC 3966 The tel URI for Telephone Numbers
RFC 3261 SIP, obsoleting RFC 2543 SIP
RFC 2131 Dynamic Host Configuration Protocol
RFC 3219 TRIP: Telephony Routing Information Protocol
RFC 3482 Number Portability in the GSTN: An Overview
RFC 2778 A Model for Presence and Instant Messaging
RFC 3730 EPP; RFC 3731 EPP: Domain Name; RFC 4114 E.164 Number Mapping for the Extensible Provisioning Protocol (EPP)
ITU H.323 Packet-based Mobile Multimedia Communication Systems; H.323 Annex O Usage of URIs and DNS; ITU E.164 Supplement 3; W3C XML 1.0
ENUM service registrations: RFC 3762 ENUM Service Registration for H.323; RFC 3764 enumservice registration for SIP Addresses-of-record; RFC 3953 ENUM Service Registration for Presence Services; RFC 4002 IANA Registration for enumservice web and ft
ENUM WG drafts: Carrier ENUM, draft-Haberler, Combined User and Carrier ENUM in the e164.arpa tree; Carrier ENUM, draft-Pfautz-Lind, A Combined User/Carrier ENUM Registration; enumservice registrations for email, fax and mms; Implementation Experience; Enumservice VOID Registry; IRIS
[Figure: HIP base exchange between initiator I and responder R through a rendezvous server (RVS)]
I   -> RVS : I1(I, RVS, HIT-I, HIT-R)
RVS -> R   : I1(RVS, R, HIT-I, HIT-R, FROM:I, RVS_HMAC)
R   -> I   : R1(R, I, HIT-R, HIT-I, VIA:RVS)
I   -> R   : I2
R   -> I   : R2
[Figure: updated map of anycast-related RFCs and Internet-Drafts]
IPv4 anycast: RFC 1546 Host Anycasting Service; RFC 2182 Selection and Operation of Secondary DNS Servers; RFC 2870 Root Name Server Operational Requirements; RFC 3258 Distributing Authoritative Name Servers via Shared Unicast Addresses
IPv6 anycast: RFC 3513 IP Version 6 Addressing Architecture (to be obsoleted; the update of RFC 3513 is pending as the draft IP Version 6 Addressing Architecture, draft-ietf-ipv6-addr-arch-v4-04.txt)
IPv6 anycast issues (drafts): Operation of Anycast Services, draft-ietf-grow-anycast-02.txt; Anycast Addressing in IPv6, draft-jabley-v6-anycast-clarify-00.txt; An analysis of IPv6 anycast, draft-ietf-ipngwg-ipv6-anycast-analysis-02.txt
(Legend: standard and standards-track RFC; obsoleted RFC; informational RFC; relations "updated by", "obsoleted by", "related and extended by")
[Figure: DNS cache poisoning through a forged PTR record]
Attacker (IP address 172.16.0.8) runs: rsh victim.example.edu -l student
victim.example.edu sends a query to ourdns.example.com. Question: qname=8.0.16.172.in-addr.arpa. qtype=PTR RDATA=?
ourdns.example.com resolves the query at evildns.example.org, which replies:
  Answer:     8.0.16.172.in-addr.arpa. PTR trustme.plain.org.
  Authority:  example.org NS evildns.example.org.
  Additional: evildns.example.org. A 172.16.0.2
ourdns.example.com caches the poisoned PTR record and returns the forged response to the victim.
victim.example.edu accepts the forged PTR record and permits the connection.