VPN + DNSSEC (Additional security?) + Fusion Speed Results

Advanced feature discussion, beta programs and unsupported "Labs" features.
5 posts Page 1 of 1
by orm » Wed Jun 20, 2012 6:41 pm
Is using the sonic.net Cisco VPN AND the DNSSEC servers redundant? Should I use both when I use VPN? Does VPN render DNSSEC meaningless? I'm at home right now, but do travel, sometimes to open/public hotspots. I understand you have a diff IP with the VPN, that's fine for IP tracking privacy, but aren't logs still kept for 2 weeks by sonic that can be traced back to a user (via username at least referenced with the assigned IP from the VPN)? DNSSEC I guess covers a different range of security concerns/types of attacks I'm sure, but I don't really understand the details of the overlap/interaction here with VPN. I work with HW/SW but I am NOT a networking expert.

Additionally, I was having trouble setting up the VPN service, but got it to work:
Platform: Mac OS 10.7.4 using Built-In VPN service (not cisco, therefore, not using Certificate).
I finally got this to work after:
0. Deleting my old VPN service that was created on 10.6.8 Snow Leopard prior to upgrade (that never worked, nobody said it would on that OS, in fact recommended to use Cisco VPN Client d/l).
1. Fields filled in according to the wiki PLUS
2. (username means sans "@sonic.net", which is implicit, but don't waste your time trying the other way, it fails)
3. I did fill in DNS/DNSSEC servers at first, but don't need to now apparently, it grabs the standard ones.
4. *Note, do not turn off/disable your primary connection service (Ethernet/Wifi).
5. Apple has a support document on enabling options in Lion that do not exist (perhaps just not on Cisco IPSec type of VPN?) (at least not on MY 10.7.4 install, early 2011 MBP 13").

Also, here are my speed results using the below combinations (haven't switched to static):
Fusion Speeds (using dynamic IP):
VPN + DNSSEC (39ms): 4.08/.79
VPN + regular DNS (38ms): 4.04/.78
regular dynamic IP + regular DNS (26ms): 4.35/.85
regular dynamic IP + DNSSEC (26ms): 4.36/.86

So it appears there is an ~7.5% speed loss for using the VPN, for me at least (retesting at any settings right now results in ~0-3ms + ~10kbps variations, connecting to the SAME server of course on speedtest.net). Do customers with much higher speeds see an equivalent ratio of loss, or is it more or less a static amount (everyone gets a ~300kbps speed hit, probably less likely)?
by toast0 » Wed Jun 20, 2012 8:53 pm
In a nutshell, Sonic's VPN protects you from your local network altering or eavesdropping on your traffic. DNSSEC (when enabled for a domain) protects you from altered dns responses, anywhere in the path.

When you make a connection over the internet, you're trusting (hoping?) that all intermediate routers will not eavesdrop on or alter your data in transit. Usually if data is eavesdropped or altered, it's going to happen closer to the end points; when you use Sonic's VPN, your traffic is encrypted (and verified) between you and Sonic's datacenter, but it's still subject to potential eavesdropping or altering by Sonic* or intermediate routers between Sonic and the other endpoint (this may be mitigated by encryption and/or verification in the protocol you're communicating with such as SSH or SSL/TLS). You should use the VPN when you're connected to a network that you don't trust, or at least that you trust less than Sonic. The best example of a network unworthy of trust is unsecured wifi, but even if you're connected over secured wifi or ethernet, anyone providing you internet may record or alter your data in transit (I know that sounds paranoid, but it's true). I would suggest using VPN anywhere with insecure wifi (I believe anything less than WPA2 is widely considered insecure, and WPA2 can also be administered insecurely), in a coffee shop type setting, and consider it for mobile data** as well, especially when tethering. I don't worry about the security of my traffic while it goes through the DSL line, and AT&T's ATM network to Sonic; there's a risk, but I don't consider it large enough to mitigate. As an aside, a corporate VPN will typically allow you to access resources you wouldn't be able to otherwise; basically putting you on your corporate private network (hence the name Virtual Private Network).

DNSSEC adds response signatures (and signing keys) to DNS. DNS is already built on delegation: to resolve forums.sonic.net. you first ask the root servers, they'll point you to the servers for .net, then the .net servers, and they'll point you at sonic's servers, and finally you ask sonic's servers and they tell you the answer (or you use a recursive dns server and it does all that work for you!); with DNSSEC, all of the delegation steps can include a key for the next step, and those responses can be signed. So you have a chain of trust. At the end of the day, this means that if you're requesting something in a signed zone, you'll know if the response was altered. But you're not protected from eavesdropping, or a malicious network diverting IP traffic. There are people using DNS with DNSSEC to provide a secure basis for distributing public keys, which could help detect diverted traffic with the right mix of software.

In terms of how this would affect your connection, VPN adds an extra layer of encapsulation, so it's not surprising that it constrains your bandwidth. It also routes all your packets through Santa Rosa, which might not be the most direct route, leading to additional latency. DNSSEC adds additional overhead to DNS requests, so you could notice slower resolution (and therefore slower connection opening), especially if the chain of trust needs to be established, but it would not affect the connection after the name is resolved. I did a little testing and saw http://www.yahoo.com took about 600 ms to resolve via the Sonic.net DNSSEC resolvers the first time I resolved it, but future yahoo.com requests were within 10 ms of the normal resolvers (about 40 ms); http://www.netflix.com took 185 ms the first time, but then settled down too. If more people use the DNSSEC resolvers, more (popular) things will be cached, and the likelihood of hitting a slow initial request will go down.

* I am not suggesting that Sonic eavesdrops or alters traffic, but since your traffic flows through their equipment when you use their VPN, they could. I'm personally confident that they don't, but you are encouraged to form your own judgement. Assuming you are using them for internet access at home, your traffic flows through their equipment most of the time anyway. Sonic's policy is here https://wiki.sonic.net/wiki/Open_Internet_Principals "In summary: We don't touch yer bits! (We believe that would be inappropriate.) " Again, I trust them, but with my paranoid hat on, someone planning to touch your bits might tell you they wouldn't touch them.

** Mobile data is often encrypted over the air, but the encryption standards are not well vetted and may have flaws (GSM encryption does, but I don't know if that applies to HSPA or LTE). Many services geared towards mobile devices do use HTTPS which mitigates an insecure network, if properly applied, but not all services use it, and not all that do use it properly. I personally don't have a VPN configured on my phone, but do use one when tethered.
by orm » Wed Jun 20, 2012 9:03 pm
That is one tasty hull! (*.webarchive'd)
Thank you toast0!
I am now very close to being totally, and completely outfitted with arms and munitions!
Interestingly I read earlier today that sonic does not at this time, but perhaps soon(?), 'sign their DNSSEC servers' (I'm sure that's not the way to say it, but the link explains it better):
viewtopic.php?f=13&t=587#p3490
However, it still seems like there's value in using them, since there will still be a key, correct?
by toast0 » Thu Jun 21, 2012 9:13 am
The sonic.net. domain isn't signed, so when you resolve forums.sonic.net (for example), there's no signature. But lots of other domains are signed, and those will only return from the DNSSEC resolvers if the signatures are good.
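The two toast0 posts above describe what a validating resolver gives you (signed zones are checked, an unsigned zone such as sonic.net simply comes back without a signature). The following is an added example, not code from the thread or from Sonic: it builds a DNS query with the EDNS0 DO bit set and classifies a response by its AD flag and by whether RRSIG records are present, which is how a client can tell the "secure", "signed but not validated here" and "unsigned" cases apart. The two responses it inspects are constructed locally so the script runs offline; the addresses and the RRSIG payload in them are placeholders, and the `build_response` helper only exists to fabricate those samples.

```python
"""Inspect DNSSEC-related flags in DNS wire-format messages (added example)."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000  # DO bit lives in the upper half of the OPT record's TTL field


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, txid=0x1234, qtype=TYPE_A):
    """Recursive query with an OPT record carrying DO=1 (asks for RRSIGs and validation)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg):
    """Return the header flags that matter for DNSSEC plus the record types seen."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"id": txid, "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF,
            "has_rrsig": TYPE_RRSIG in types, "types": types}


def classify(info):
    """AD set: resolver validated the chain. RRSIG without AD: signed data this
    resolver did not validate. Neither: unsigned zone (sonic.net in the thread)."""
    if info["ad"]:
        return "secure"
    if info["has_rrsig"]:
        return "unvalidated"
    return "insecure"


def build_response(name, txid, ad, ip, signed):
    """Fabricate a reply for the offline samples below (constructed, not captured)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 2 if signed else 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"  # pointer back to the question name
    msg = header + question + ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
    msg += bytes(int(x) for x in ip.split("."))
    if signed:
        sig = b"\x00" * 16  # placeholder rdata standing in for a real RRSIG
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig)) + sig
    return msg


# Constructed samples: a validated answer from a signed zone, and an unsigned zone.
SAMPLE_SECURE = build_response("example.net", 0x1234, True, "192.0.2.10", True)
SAMPLE_UNSIGNED = build_response("forums.sonic.net", 0x1234, False, "192.0.2.20", False)

if __name__ == "__main__":
    print("query bytes:", build_query("example.net").hex())
    for sample in (SAMPLE_SECURE, SAMPLE_UNSIGNED):
        info = parse_response(sample)
        print(info, "->", classify(info))
```

To try it against a live resolver, send `build_query(...)` over UDP to the resolver's address with `socket` and pass the reply to `parse_response`; a non-validating resolver will never set AD, so "unvalidated" is what you see for signed zones there, while a validating one returns "secure" for them and SERVFAIL (rcode 2) when signatures fail.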
by orm » Thu Jun 21, 2012 11:08 am
Ah, I see, got it!
Thank you, again, toast0, for your clearly thoughtful and beautifully written responses.