VeriSign CSO on new IPv6 threats, Internet stability and securityDate: Feb 16, 2011
VeriSign CSO Danny McPherson talks about the new threats posed by the move from IPv4 to IPv6 and the issues hindering the the adoption of the next Internet protocol. McPherson, who serves on ICANN's Stability and Security Advisory Council, explains the responsbility ISPs and registrars have to ensure the reliability and security of the Internet and whether the Internet, or parts of it, could ever be shut down in the United States.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact email@example.com.
VeriSign CSO on new IPv6 threats, Internet stability and security
Robert Westervelt: So we're here with Danny McPherson.
He is the Chief Security Officer of VeriSign. Danny, thanks
very much for taking the time out of this busy RSA conference.
Danny McPherson: Yeah, thanks for the opportunity, Rob. I appreciate it.
Robert Westervelt: So I know you came from Arbor Networks.
how long were you at Arbor Networks? And what was the transition
like to go over to VeriSign?
Danny McPherson: I was previously Chief Security Officer at
Networks. I was there for about eight years, and it was actually nice.
I wanted to step into an organization and work with a company that
had an operational role with critical infrastructure and Internet
enabling infrastructure on the Internet, I guess. So stepping in
has been interesting. I had an operational background, I worked
for ISPs for about 10 years prior to Arbor. So it's been good,
sort of the culmination of the two, the operational background
and the product. And the sort of startup mentality experience I
learned from Arbor in the security space has been a great learning
experience. So I'm finding both those a benefit here at VeriSign.
Robert Westervelt: I know you've been involved with the
from IPV4 to IPV6. Can you talk a little bit about some of the
security issues inherent in that? Basically, you're quoted as
saying that IPV4 is going to be with us for probably quite some time.
Danny McPherson: Yeah, sure. I think one of the key
is that the transition plan from IPV4 to IPV6 is something known
as dual stack, where you run both IPV4 and IPV6 at the same time.
Unlike Y2K, for example, where you take two digit data and you turn
it into four digit data and that's it. There's a flag day with IPV4 to IPV6
which aren't, what I call, bits on the wire compatible, you basically
could run IPV4 for a long time or IPV6 or a transitional coexistence that
could be decades. The reason why is there is going to be a lot of devices
that are never going to be upgraded to IPV6. There are going to be a lot
of devices that never need to run IPV4, but there are going to be a lot
that run one or the other that need to communicate with systems on
one network or the other. So it's going to be quite a while before we
realize complete migration to IPV6.
Robert Westervelt: Let's talk about network, NATs actually. We
a question from somebody, a Chief Security Officer, who wants
to know, "Will carrier grade NATs break end user expectations?"
First off, explain what carrier grade NATs are and how this
all relates to that question.
Danny McPherson: So with IPV4, folks are familiar with
address translators or NATs. With IPV4 to IPV6 there's something
known as network address translation protocol translation, which are
not only translating addresses you're translating protocols. From
IPV4 to IPV6 or vice versa. Any time, if you liken this to sort of the
postal service where you put an envelope on the header of a
data gram and put it in the mail in the postal service, with IPV6
what you're basically doing or with the carrier grade NAT what
you're doing is you're swapping an envelope in the network. So you're
violating sort of that end to end principle that's made the Internet
successful, and you're opening up the envelope and you're putting a new
envelope on it.
Sometimes, you've actually got to look at the contents of that
sure there's no network glare [SP] information inside the letter, inside
the body of what was in that envelope and say, "Was there any IPV4
information in here? I'll have to change that." If you have protocols that
have glaring violations or circular dependencies and those sorts of thing.
From a security perspective in general, any time you open up that envelope
in the network there's an opportunity for privacy violations, for
information to be leaked in the network.
On the other hand from another side of the security spectrum, a
lot of the
countermeasures and safeguards we have today, like blacklists and
reputation lists, and some of the attribution capability, even though it's
very little on the IP network we have today, you might now have a large
pool of users behind a single address base. And so it can be very
problematic from an attribution or an accounting and authorization
perspective if you're relying just on network glare information.
Robert Westervelt: Is there a solution for that?
Danny McPherson: The solution is dual stack, transitional
for quite a while. And then everyone run V6 and we try and get
everyone on V6, I guess. Any time you put these devices in the
network middle boxes of any sort, a firewall, an IDS, a packet filter,
and in particular ones that are going protocol translation at the
perimeter of some point in a network or perhaps even multiple
points. It both introduces scale issues from an availability
perspective, but at the end of the day the Internet was successful
because of IP, end to end, any to any, and the less complexity you
have in the network, the better off you're going to be. I guess, in
a nutshell, that's the takeaway there.
Robert Westervelt: One thing I didn't ask you was kind of the
this change over from IPV4 to IPV6. Where are we in that timeline right now?
Danny McPherson: One of the challenges is that the transition
hasn't benefited from network externalities. There's not a lot of external
opportunity or revenue opportunities for operators to go and deploy IPV6.
It's simply more numbers in the existing name space. And so it's really
challenging for operators to invest in that infrastructure. I think the
most significant changes of late in this arena is the IANA, the Internet
assigned numbers authority's free pool of IPV4 space was exhausted
a week or two weeks ago and the last remaining IPV4 space was given
out to the five regional Internet registries.
Now that that's happened you're going to see a trickle of
in the near future exhausting their own IPV4 resources and at some
point shortly after that an individual, some organization on the Internet
is either not going to be able to get their content on the Internet for
IPV4 eyeballs or their eyeballs on the Internet for IPV4 content. And
they're going to get an IPV6 only address or they're going to have to set
it aside behind a box that does network address translation protocol
translation and if you have any protocol that does glaring violations or
has encryption or other things in the payloads, it could be problematic for
that organization. And so the sooner everyone could deploy dual stack and
have that sort of transitional coexistence period the better off we're
going to be. That's sort of the major milestone.
I think from a general security perspective organizations
to be looking at how they can realize parity from an IPV4 security posture
perspective which means availability, scale, performance, forwarding
performance, feature sets, instrumentation and telemetry data like flow
tools or log in access lists, all those things. You need to find parity
from IPV4 to IPV6 in the near future. That's sort of the biggest challenge.
And the market's really not been there for the vendors to provide that
capability at the same price point that they provided IPV4 capabilities. So
folks like VeriSign certainly had to invest extra in infrastructure to
provide our services on IPV6 at the same level of availability and security
as we do IPV4. So we do welcome those economies of scale in the future.
Robert Westervelt: So I know you've served on ICANN's security
stability advisory council, and I wanted to start with a question about
Egypt and the fact that Egypt shut down much of its Internet infrastructure
to the average Egyptian. Do you think something like that can happen
here in the United States?
Danny McPherson: I think from a global infrastructure Internet
perspective enumerating everything that enables sort of the services that
any nation stay connected to the Internet today is extremely complex. So
all the sort of share dependencies that exist in this global ecosystem that
is the Internet it's sort of a network in networks. It's global. It's
extremely complex for those sorts of things for a nation today to take
itself offline and secede from the Internet, if you will, in that
perspective. And that's pretty much all I got there. Sorry I'm losing
Robert Westervelt: Sure. No problem. As part of the Department
Homeland Security and part of some legislation, the legislation, at least,
calls for Congress to give the president the authority to kind of shut down
the Internet in times of probably some great crisis. Is that something that
you personally think is a good idea in terms of securing critical infrastructure?
Danny McPherson: I think securing critical infrastructure is
certainly an important
idea. How you go about securing that infrastructure and what the
implications are on the global ecosystem, certainly any nation state today
with the sort of cyber theater that exists should be concerned about the
security, the availability of this global Internet ecosystem and this
infrastructure that's allowing innovation and collaboration and so forth.
So I think with the reliance of the global economy and eCommerce and all
other aspects of the economy on the Internet today that it's absolutely
critical that folks have a look at the implications of their capabilities
and their security posture on that global infrastructure. Now what that
means in terms of outcome, I'm not sure of that, but I think for those
folks to make informed decisions on policy development is extremely
Robert Westervelt: I'm wondering what you think ICANN's role is
or what it
can be? For example, and I'm thinking of the anonymous group, let me just
make sure this is good to go. I'm thinking of what the anonymous group
has been doing, highlighted by the takeout of H.B. Gary. But they've also been
involved in a lot of D-DOS attacks. Does ICANN or should ICANN play any
role in trying to prevent groups like this anonymous group from taking
these kinds of actions? Especially, and I think it's an important question
to pose to you since you were involved at one point with Arbor Networks,
which is involved with D-DOS.
Danny McPherson: So I think all sort of stakeholders in the
community have some role about ensuring the availability and the integrity
of the operation, the reliability of that infrastructure. A global infrastructure
that's a platform again, for innovation and collaboration and allowing that
to continue to evolve and for folks to legitimately connect in a secure and
reliable manner and have confidence in those connections and the
reliability of that infrastructure's important. And I think all the
stakeholders in that infrastructure have a critical role to play in
ensuring the availability and the preservation of the global Internet.
Robert Westervelt: You also served on the FCC's network
and interoperability council and I'm wondering, the council doesn't
seem to have been very active of late. Are they acting behind...
Where's the transparency there when it comes to what they're
trying to do in terms of ensuring network reliability? Are there other
organizations now, whether they be on the federal level or even
private organizations that are involved with network reliability
and that kind of ties into security, too.
Danny McPherson: I think again, it's sort of a
multidisciplinary and systemic function at every layer in any security
architecture infrastructure. All the constituents, all the stakeholders and
that need to collaborate and coordinate and have incident response plans
and form policy functions and regulatory functions and so forth put in
place. In general, I think that simply anyone with sort of a stake in
either a local government, or a regional government or national government,
global Internet needs to consider all the constituents, all the consumers
and the ways that infrastructure is being employed. And try and stay ahead
of the trajectory and enable that infrastructure into the future.
Robert Westervelt: Let's talk briefly about what Microsoft's
Charney brought up last year. He posed the idea of an Internet tax
to pay for cyber security and it really was part of a broader idea
from Scott Charney on getting ISPs to maybe do some sort of
inspection or quarantine service prior to the average consumer getting
onto the Internet. Is that something that you support?
Danny McPherson: I think consumers have a really tough time
staying secure on the
Internet. When my mom or my sister asks me how to secure their Internet
presence, I'm even at a loss to tell them where to start. I mean, there's a
few baseline things. The challenge for ISPs, I think, is that ISPs are in
one of the toughest predicaments. Certainly, the IP transit side is largely
a commodity, and there are new markets and other things that are entering.
They care a lot about turn and average revenue per user, those sorts of
things. But stepping back from a functional perspective, ISPs don't own the
end systems that are compromised. So if you ask them to quarantine a
compromised bot or a compromised end system, it's not a binary thing. It's
not simply shut that system off and break its internet access because it's
Well, one, it's probably a compromised system. At the same time
if you shut
if off, how are they going to patch it, how are they going to update their
AV or their anti-bot software? How are they going to let somebody remotely
access that system and clean it up? Additionally, emergency services. What
if there are over the top applications or E-911 services or IPTV, all these
new value added services that are in the quad place suite for broadband
ISPs, for example, that all these additional services they require
availability. If somebody gets on my wireless and is doing something
malicious and I lose the Super Bowl at the same time, as a consumer I'm
going to have a problem with that. And so sort of what's the balance? ISPs
are in a tough spot, and I think to acknowledge that they don't own the end
systems is a starting point.
I think that's one side of the spectrum actually. I think the
other side of
the spectrum is that with net neutrality and no discrimination of traffic
on the network and so forth, ISPs are largely counter sensitivized to
invest in infrastructure to provide security capabilities because it
affects the help desk calls and it affects bottom line and the turn that
subscribers may see if their availability is impacted. So I think for
people to recognize those aspects from the ISP perspective is extremely
Robert Westervelt: Did we talk about Internet routing issues
yet? I think
quite some time ago you were quoted in a publication about Pakistan
blocking access to YouTube to some of its citizens. The story was more
about highlighting Internet routing issues, and I'm curious if you can
kind of go into that a little bit in terms of what kind of Internet routing
issues are out there right now that maybe the consumer should think
about but more importantly that an enterprise should think about.
Danny McPherson: Absolutely. Anyone with an Internet presence
or a network
connection, certainly anyone here at RSA this week should certainly be, at
least, aware of the insecurities in the Internet routing system and the
things that are happening to try and make that infrastructure more secure.
In a nutshell, the Internet is a network of networks, this loosely
interconnected network of networks. There is no central authority and
nobody sort of holds the keys to routing on the Internet. Each network on
the Internet makes its systems completely autonomously. I refer to this as
routing by rumor.
And what I mean by that is that when I receive a routing
update, a piece of
information from someone, I choose to use that information and propagate
that information or to not use that information. And there's no central
authority for that. The challenge is that without any central repository
for, at least, who holds a number of resources, who might be authorized to
announce somebody's address based on the Internet routing system, you can't
secure the routing system. So there is some work going on today to develop
a number resource certification for IP addresses and AS numbers on the
internet. And once that infrastructure exists one of the primary
initiatives associated with this today is something know as resource PKI or
RPKI and the secure inter-domain routing group and the ITF, a lot of
acronyms there I know. But there's a lot of work gong on underway to build
With that system, organizations can sort of autonomously make
how they want to route things on the Internet. But they also are going to
apply organizational policies and priorities and local or national policies
and then what sort of information that global infrastructure provides to
show them who may be authorized to originate reach-ability for addresses
based in the routing system. It certainly needs some attention from a
security perspective and fortunately some work is underway on that today.
And I think we're getting closer to an infrastructure to a resource that we
can use to help secure the routing system. So awareness is extremely
important in this area.
Robert Westervelt: The electric companies have NERK, which is
to govern electric companies. Why isn't there, or maybe there is an
organization, that is supposed to kind of be a watchdog over ISPs
and over registrars? Are we in the process of that forming, or is there
an organization that really is going to be taking more of a role in overseeing
Danny McPherson: So I think the sort of bottom up policy
development and multi-
stakeholder nature of sort of all things internet, from the internet
standards development in the ITF to the ICANN objectives with getting multi-
stakeholder, individual and government input into policy development
processes to the regional Internet registries, the number of resource
organizations about allocation of addresses and so forth. And I think the
bottom up aspect is important. And I think as the Internet becomes more
critical and more critical services are converged on IP Internet
infrastructure, the policies and the organizations and how they contribute
and how they inform people that develop those policies is going to become
It's a global resource, It's a network of networks with no sort
predefined national boundaries or jurisdictional boundaries that any of
this infrastructure relates to. So I think there's some learning to be done
and I think the Internet by all measures has been extremely successful and
so to reuse what we can from that framework to try and keep a single global
internet namespace that gives predictable results to any user, no matter
where you are in the world, is an important attribute. And preserving that
as much as possible is extremely critical.
Robert Westervelt: How exciting is DNS sec?
Danny McPherson: So it's interesting. Information security
got sort of three primary pillars. You've got confidentiality. Is it secret,
which is most of what compliance deals with. And then you've got
integrity. Is it accurate, is it authentic, can you authenticate that
information? And then you have availability. And DNS sec brings
integrity to the DNS, it brings the authentication. So I can verify
that information that was input in the DNS system, I can validate
that on output and know that there's truth, that there's some
confidence in the accuracy of that input. And if I can do that,
then I can connect more confidently to resources that I might want to
access on the Internet. I don't have to worry about threats from cache
poisoning or other attacks that employ those types of vectors. Certainly
for us at VeriSign, Root being signed recently in .net and then
IntoTheNearFuture.com being signed provides a platform. As a matter of
fact, we'll be 2/3rds of the way to securing the entire transaction set
from a recursive name server, to the route and then the TLD and then the
delegation of the referral to the second level domain. And that brings
security. A lot of what we do is all about telling, at VeriSign, is helping
people connect safe, reliable, and more quickly on the Internet. And as
more people rely on that infrastructure, that's an important attribute as
well. So I think that's important.
Robert Westervelt: Couple more questions, I'm sorry. We're
little long on this.
Danny McPherson: No worries.
Robert Westervelt: Twenty-three minutes here but Dan
talks a lot about how he thinks DNS sec is going to enable more
kinds of new services that we can't even think of at this point. Do
you understand what he's saying when he says that?
Danny McPherson: Absolutely. There are lots of folks, Dan's a
really bright guy,
there are lots of folks looking at if you have integrity in the DNS, you've
got this global directory system that's highly available, then what else
could you do with that? Why can't I send a secure email today? Why do we
have overlay protocols and all these system and share dependencies that
don't necessarily follow delegation graphs from a trust model perspective?
And if you have integrity in the DNS and it's highly available and it's
secure and it's reliable, then what can you do with that? Maybe, I can send
a secure email to somebody I don't know. Maybe, I can use it for a
certificate distribution mechanism and not have overlay protocols, that
sort of thing.
There's actually some work going on in the ITF that's had a few
acronyms, to throw some more acronym soup out, initially known as KIDNS,
Keys in DNS and then Key Assure and it's currently known as DANE. And it's
work about distributing SSL certificates or TLS functions inside of DNS
with DNS sec extensions. And there's an integrity function where you don't
need an overlay infrastructure so I think that having a common ubiquitous
infrastructure platform to distribute this critical information has got to
be highly available. The DNS seems a nice fit without introducing more
overlay infrastructures on the network today.