
Handle-DNS Integration Project Report

Handle-DNS Working Group, CNNIC/CNRI. Project objective: take advantage of the Handle System to provide security services for the DNS namespace, including secured DNS resolution (whenever needed) and discretionary administration and dynamic update.


Presentation Transcript


  1. Handle-DNS Integration Project Report Handle-DNS Working Group CNNIC/CNRI

  2. Project Objective • Take advantage of the Handle System to provide security services for the DNS namespace, including: • Secured DNS resolution (whenever needed) • Discretionary administration & dynamic update • Access control & privacy protection • Delegation of credential validation • Coexistence with existing DNS operation; no change needed to DNS clients.

  3. Project Background • CNRI • Non-profit research institute • Developed the Handle System in Java, specified in RFC 3650, RFC 3651 and RFC 3652. • Open source distribution at http://www.handle.net • CNNIC • ".cn" TLD registry in China • Developed the Handle System in C • Integrated it with the BIND 9 DNS server • Project web page: http://hdl.cnnic.cn

  4. Handle System Overview • A global identifier service, providing identifier resolution for any digital resource over the Internet. • Distributed, scalable service infrastructure similar to DNS. • Efficient name-resolution and administration protocol that supports both TCP and UDP. • Built-in security options for both name resolution and administration.

  5. Handle System Service Framework • The Handle System is a collection of handle services, each of which consists of one or more replicated sites, each of which may have one or more servers. • [Figure: a client queries the GHR (Global Handle Registry), which refers it to the LHS (Local Handle Service) responsible for the handle's prefix; each LHS is made up of Site 1, Site 2, ... Site n, and each site of servers #1, #2, ... #n.] • Example handle 123.456/abc with two values: index 4, type URL, http://www.acme.com/; index 8, type URL, http://www.ideal.com/

  6. Handle System Security • Secure handle resolution, with options for data confidentiality and service integrity checking • Discretionary namespace and identifier attribute administration, independent of host administration, that allows creation, deletion and modification of identifiers and/or identifier attributes. • Standard access control model per individual identifier attribute, essential for privacy protection. • Standard mechanism for credential validation per individual handle attribute.
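The per-attribute access control and integrity checking this slide lists, as an added example (not CNNIC/CNRI code): a handle record whose values carry the RFC 3651 permission bits, a resolver that withholds values the caller may not read, a toy challenge/response for the administrator, and an HMAC tag on the response that the client verifies. The record, the admin secret, the challenge/response shape and the HMAC-SHA256 tag are constructed simplifications and are not the RFC 3652 wire format.

```python
"""Per-value access control and response integrity in handle resolution.

Every handle value carries its own permission bits (RFC 3651 names them
PUBLIC_READ, ADMIN_READ, PUBLIC_WRITE, ADMIN_WRITE), so a private attribute is
withheld from anonymous resolvers while an authenticated administrator sees it,
and a response can carry a MAC the client checks. Added example; the record,
secret, challenge/response and HMAC tag below are constructed simplifications,
not the Handle protocol wire format of RFC 3652.
"""
from __future__ import annotations
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

PUBLIC_READ, ADMIN_READ, PUBLIC_WRITE, ADMIN_WRITE = 1, 2, 4, 8   # bit flags


@dataclass(frozen=True)
class HandleValue:
    index: int
    type: str
    data: str
    permissions: int = PUBLIC_READ | ADMIN_READ | ADMIN_WRITE  # world-readable, admin-writable


# Constructed record for the slide's sample handle 123.456/abc; the EMAIL value
# is admin-only, which is what a "private" handle value means in this model.
HANDLE_RECORD: dict[str, list[HandleValue]] = {
    "123.456/abc": [
        HandleValue(4, "URL", "http://www.acme.com/"),
        HandleValue(8, "URL", "http://www.ideal.com/"),
        HandleValue(9, "EMAIL", "owner@example.invalid", permissions=ADMIN_READ | ADMIN_WRITE),
    ],
}
ADMIN_SECRET = b"constructed-admin-secret"   # shared secret for the toy challenge/response


def issue_challenge() -> bytes:
    """Server side: a fresh nonce the client must MAC to prove it holds the admin secret."""
    return secrets.token_bytes(16)


def answer_challenge(secret: bytes, challenge: bytes) -> bytes:
    """Client side: MAC the server's nonce with the admin secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def check_challenge(challenge: bytes, answer: bytes) -> bool:
    """Server side: constant-time comparison, so a wrong answer leaks nothing about the MAC."""
    return hmac.compare_digest(answer_challenge(ADMIN_SECRET, challenge), answer)


def _canonical(resp: dict) -> bytes:
    """Deterministic serialization of everything in the response except the tag itself."""
    return json.dumps({k: v for k, v in resp.items() if k != "mac"}, sort_keys=True).encode()


def resolve(handle: str, *, is_admin: bool = False, types: set[str] | None = None,
            indexes: set[int] | None = None, session_key: bytes | None = None) -> dict:
    """Resolve `handle`, returning only the values the caller may read.

    `types` / `indexes` narrow the query the way a handle resolution request does;
    `session_key`, when present, adds an HMAC tag so the client can detect
    tampering with the response in transit (the slide's "service integrity").
    """
    record = HANDLE_RECORD.get(handle)
    if record is None:
        resp = {"handle": handle, "status": "HANDLE_NOT_FOUND", "values": []}
    else:
        need = ADMIN_READ if is_admin else PUBLIC_READ
        values = [
            {"index": v.index, "type": v.type, "data": v.data}
            for v in record
            if v.permissions & need
            and (types is None or v.type in types)
            and (indexes is None or v.index in indexes)
        ]
        # A value that exists but may not be read is reported exactly like a
        # missing one, so an anonymous client cannot confirm the private attribute exists.
        resp = {"handle": handle, "status": "SUCCESS" if values else "VALUES_NOT_FOUND",
                "values": values}
    if session_key is not None:
        resp["mac"] = hmac.new(session_key, _canonical(resp), hashlib.sha256).hexdigest()
    return resp


def verify_response(resp: dict, session_key: bytes) -> bool:
    """Client side: reject a response whose MAC is missing or does not match."""
    tag = resp.get("mac")
    if not isinstance(tag, str):
        return False
    expected = hmac.new(session_key, _canonical(resp), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    print(resolve("123.456/abc"))                       # two URL values, EMAIL withheld
    chal = issue_challenge()
    admin_ok = check_challenge(chal, answer_challenge(ADMIN_SECRET, chal))
    print(resolve("123.456/abc", is_admin=admin_ok))    # EMAIL included
    key = secrets.token_bytes(32)
    r = resolve("123.456/abc", types={"URL"}, session_key=key)
    r["values"][0]["data"] = "http://attacker.invalid/"  # tamper in transit
    print(verify_response(r, key))                      # False
```

The point to carry over to a real deployment is the status code: a value the caller is not allowed to read must be indistinguishable from a value that does not exist, otherwise the access control leaks the existence of the private attribute.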

  7. Handle-DNS Implementation • Basic Implementation • Handle Server in C/C++ (server and client) • BIND 9 standard distribution • Additional Modules • DNS interface integrated with the handle server • Cache/preload module • Database connection pools • C-Version Handle-DNS Admin Toolkit • Support for DNS resolution and zone load • Performance Improvements • Exception handling • Memory leak protection • Thread pool management

  8. Design & Implementation • Integrated Handle-DNS server • [Figure: one server with two front ends. DNS interface: BIND 9.3.0 serving the DNS protocol on port 53. Handle interface: the Handle Server serving the Handle protocol; the slide labels the handle interface with ports 2641 and 8000 (2641 is the Handle protocol's default port per RFC 3652, 8000 the Handle server's HTTP listener in the standard distribution).]

  9. Handle-DNS Admin Toolkit • C-Version Handle-DNS Admin Toolkit • Supporting DNS Resource Record Query & Management • Supporting DNS Zone File Upload

  10. Benchmark • Benchmark Configuration • Client: Dell PowerEdge server, 2.8 GHz CPU / 1 GB RAM / 38 GB hard disk • Server: same configuration as the client • Client and server in the same LAN, connected through a 100 Mbps Cisco switch

  11. Benchmark • Testing Method • Compare resolution performance between the C-Version Handle-DNS Server and the Java-Version Handle Server under the same hardware configuration. • Handle Protocol: test software written by CNNIC • DNS Protocol: QueryPerf, the benchmark tool supplied with BIND • Database: MySQL, 1M handle records • [Figure: one Handle-DNS client driving both the Handle-DNS Server (C-Version) and the Java-Version Handle Server]

  12. Benchmark (Java/C) • TCP interface of the Handle-DNS server, Java-Version compared with C-Version • Resolution time: 5~10 ms for the C-Version, 25~35 ms for the Java-Version, i.e. the C-Version is 2.5~7 times faster • Concurrent requests sustained: 40,000 queries (Handle-DNS, C-Version) vs. 4,000 queries (Java-Version) • CPU usage: 90% for Java, below 10% for C

  13. Benchmark (Handle-DNS/BIND) • UDP interface, DNS protocol • Compared with BIND 9.3.0: comparable resolution performance • Handle records are larger than the equivalent DNS records

  14. Prototype Applications • ENUM • ENUM puts telephone numbers in DNS: it maps a PSTN phone number to URLs, one number for all services on the Internet • Based on the DNS protocol: ENUM zones under "e164.arpa.", using DNS "NAPTR" resource records and ordinary DNS resolution • [Figure: the number +1 703 620 8990 becomes the name 0.9.9.8.0.2.6.3.0.7.1.e164.arpa; its NAPTR RRs point to sip:samsum@cnri.reston.va.us, http://www.cnri.reston.va.us, mailto:samsum@cox.net and tel:+15712205650]
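The ENUM lookup sketched on this slide, as an added example (not CNNIC/CNRI code): the E.164 number is reversed into a name under e164.arpa, the NAPTR records at that name are taken in order/preference sequence, and each record's regexp rewrites the number into a URI, per RFC 3761 and RFC 3403. The NAPTR set is constructed from the URIs on the slide, and the backreference rule at the end goes beyond the slide to show the general rewrite form. Note that everything in such a zone is world-readable through plain DNS, which is what motivates the private ENUM records in the Handle-ENUM prototype.

```python
"""ENUM resolution: E.164 number -> e164.arpa name -> NAPTR rewrite -> URI.

Added example, not CNNIC/CNRI code. The zone data below is constructed from
the URIs on the slide; PBX_RULE is an extra rule showing a backreference.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

ENUM_SUFFIX = "e164.arpa"


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str        # "u" = terminal rule whose regexp yields a URI
    service: str      # "E2U+<enumservice>", e.g. "E2U+sip"
    regexp: str       # delim ERE delim replacement delim [flags]
    replacement: str  # "." when the regexp field is used


def e164_to_enum_domain(number: str, suffix: str = ENUM_SUFFIX) -> str:
    """+1 703 620 8990 -> 0.9.9.8.0.2.6.3.0.7.1.e164.arpa (RFC 3761 section 2.4)."""
    if not number.strip().startswith("+"):
        raise ValueError("ENUM needs a full international E.164 number beginning with '+'")
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in %r" % number)
    return ".".join(reversed(digits)) + "." + suffix


def apply_naptr_regexp(regexp: str, subject: str) -> str:
    """Apply one NAPTR regexp field to `subject` (for ENUM, the original number).

    The first character is the delimiter; the replacement may use \\1..\\9
    backreferences into the ERE (RFC 3403 section 3.2). A rule that does not
    match is an error rather than a silent pass-through.
    """
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) < 2:
        raise ValueError("malformed NAPTR regexp: %r" % regexp)
    pattern, repl = parts[0], parts[1]
    flags = re.IGNORECASE if len(parts) > 2 and "i" in parts[2] else 0
    match = re.search(pattern, subject, flags)
    if match is None:
        raise ValueError("NAPTR regexp %r does not match %r" % (regexp, subject))
    return match.expand(repl)


def enum_resolve(number: str, zone: dict[str, list[Naptr]],
                 enumservice: str | None = None) -> list[str]:
    """Return the candidate URIs for `number`, best first.

    Lower `order` wins; within one order, lower `preference` is tried first.
    `enumservice` ("sip", "web:http", ...) keeps only that E2U service.
    """
    name = e164_to_enum_domain(number)
    uris = []
    for rr in sorted(zone.get(name, []), key=lambda r: (r.order, r.preference)):
        if "u" not in rr.flags.lower():
            continue   # non-terminal rule; a full resolver would follow `replacement`
        if not rr.service.lower().startswith("e2u+"):
            continue   # not an ENUM service
        if enumservice and rr.service.lower()[4:] != enumservice.lower():
            continue
        uris.append(apply_naptr_regexp(rr.regexp, number))
    return uris


# Constructed zone data using the slide's sample number and URIs.
ENUM_ZONE: dict[str, list[Naptr]] = {
    "0.9.9.8.0.2.6.3.0.7.1.e164.arpa": [
        Naptr(100, 10, "u", "E2U+sip", "!^.*$!sip:samsum@cnri.reston.va.us!", "."),
        Naptr(100, 20, "u", "E2U+voice:tel", "!^.*$!tel:+15712205650!", "."),
        Naptr(101, 10, "u", "E2U+web:http", "!^.*$!http://www.cnri.reston.va.us!", "."),
        Naptr(102, 10, "u", "E2U+email:mailto", "!^.*$!mailto:samsum@cox.net!", "."),
    ],
}

# A rule with a backreference: drop the +1 and forward the national number to a PBX.
PBX_RULE = Naptr(10, 10, "u", "E2U+sip", r"!^\+1(\d+)$!sip:\1@pbx.example!", ".")


if __name__ == "__main__":
    print(e164_to_enum_domain("+1 703 620 8990"))
    for uri in enum_resolve("+17036208990", ENUM_ZONE):
        print(uri)
    print(apply_naptr_regexp(PBX_RULE.regexp, "+17036208990"))
```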

  15. Prototype Application (ENUM) • A Simple ENUM Call Flow

  16. Prototype Application (ENUM) • Handle-ENUM Secure Resolution & Administration • Secure Resolution • Authentication • Access Control • Private ENUM records • Distributed Admin

  17. Prototype Application (Secure Resolution) • Secured DNS resolution via the Handle protocol interface • Secure DNS resolution: resistance to man-in-the-middle attacks • Privacy protection • DNS administration

  18. Future Plan • Package the Handle-DNS software for public release. • Deploy Handle-DNS server in “.cn” TLD registry and its subsidiaries. • Establish ENUM service and client software based on Handle-DNS interface.

  19. Thanks!

  20. DEMO
