BruCON 0x05 has ended
This schedule is subject to change, check back regularly.
Registrations start at 8h30!
Workshop rooms in the location Novotel are 5 minutes walking from the main venue.
Workshop seats are limited to max 30 persons in rooms Orval, Chimay & La Trappe Seats will be on a first come first serve basis, please be there in time
back to BruCON web site.
TIP: to see as grid: click on the "Schedule button"  
Back To Schedule
Friday, September 27 • 2:00pm - 3:00pm
Data-plane networking (Robert Graham)

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

High-speed network design separates components into a "fast-path" and a "slow-path". And example might be "software defined networks", where software controls how a switch forwards network traffic. One set of terminology calls this the "data-plane" and "control-plane".

This is a great metaphor for cybersecurity. The "data-plane" is exposed to hackers, and must withstand constant hacker attack while keeping up with link speed traffic. The "control-plane" is hidden from hacker attack, using firewalls or non-routable IP addresses.

My DNS server is a "data-plane" DNS. It's based upon an in-memory table that's lost due to power outage. It doesn't store information a SQL server with transaction logging. Because of this, it can be 10x or even 100x as fast. This is a great attribute for the "data-plane", but a horrible attribute for the "control-plane".

It's role is to be a "slave" to a "hidden master" server running software like BIND10. The design proposed by this talk is that all DNS should consist of slave DNS servers exposed to the Internet, and that all primary master servers should be hidden from the Internet.

From a DNS point of view, I'll show how UPDATE, NOTIFY, and AXFR/IXFR mechanisms work to maintain this structure.

This idea isn't necessarily new, it's just that it hasn't been formalized. People already use caching front-ends for hidden webservers, or separate 10.x.x.x private networks for controlling their public infrastructure routers. The purpose of this talk is to provide a more formal, rigorous discussion of this idea. For example, I'll demonstrate how the custom TCP/IP stack in my DNS server that bypasses the operating-system stack serves this "data plane" purpose.

avatar for Robert Graham

Robert Graham

In 1998, I created one of the first personal firewalls (BlackICE Defender) and the first IPS (BlackICE Guard). In 2007, I released the first sidejacking tool "Hamster". For the past 15 years I've been a frequent speaker at conferences. My blog is at http://blog.erratasec.com, my... Read More →

Friday September 27, 2013 2:00pm - 3:00pm CEST
1 Westvleteren Aula Ghent