A Security Assessment of the Internet Protocol

Interesting:

Preface

The TCP/IP protocols were conceived during a time that was quite different from the hostile environment they operate in now. Yet a direct result of their effectiveness and widespread early adoption is that much of today's global economy remains dependent upon them.

While many textbooks and articles have created the myth that the Internet Protocols (IP) were designed for warfare environments, the top level goal for the DARPA Internet Program was the sharing of large service machines on the ARPANET. As a result, many protocol specifications focus only on the operational aspects of the protocols they specify and overlook their security implications.

Though Internet technology has evolved, the building blocks are basically the same core protocols adopted by the ARPANET more than two decades ago. During the last twenty years many vulnerabilities have been identified in the TCP/IP stacks of a number of systems. Some were flaws in protocol implementations which affect only a reduced number of systems. Others were flaws in the protocols themselves affecting virtually every existing implementation. Even in the last couple of years researchers were still working on security problems in the core protocols.

The discovery of vulnerabilities in the TCP/IP protocols led to reports being published by a number of CSIRTs (Computer Security Incident Response Teams) and vendors, which helped to raise awareness about the threats as well as the best mitigations known at the time the reports were published.

Much of the effort of the security community on the Internet protocols did not result in official documents (RFCs) being issued by the IETF (Internet Engineering Task Force) leading to a situation in which "known" security problems have not always been addressed by all vendors. In many cases vendors have implemented quick "fixes" to protocol flaws without a careful analysis of their effectiveness and their impact on interoperability.

As a result, any system built in the future according to the official TCP/IP specifications might reincarnate security flaws that have already hit our communication systems in the past.

Producing a secure TCP/IP implementation nowadays is a very difficult task partly because of no single document that can serve as a security roadmap for the protocols.

There is clearly a need for a companion document to the IETF specifications that discusses the security aspects and implications of the protocols, identifies the possible threats, proposes possible counter-measures, and analyses their respective effectiveness.

This document is the result of an assessment of the IETF specifications of the Internet Protocol from a security point of view. Possible threats were identified and, where possible, counter-measures were proposed. Additionally, many implementation flaws that have led to security vulnerabilities have been referenced in the hope that future implementations will not incur the same problems. This document does not limit itself to performing a security assessment of the relevant IETF specification but also offers an assessment of common implementation strategies.

Whilst not aiming to be the final word on the security of the IP, this document aims to raise awareness about the many security threats based on the IP protocol that have been faced in the past, those that we are currently facing, and those we may still have to deal with in the future. It provides advice for the secure implementation of the IP, and also insights about the security aspects of the IP that may be of help to the Internet operations community.

Feedback from the community is more than encouraged to help this document be as accurate as possible and to keep it updated as new threats are discovered.

Posted on August 20, 2008 at 7:48 AM • 22 Comments

Comments

Mike Sax • August 20, 2008 10:08 AM

Hi Bruce - I'm wondering if everyone switching to IPv6 would make us all much less vulnerable, and if so why don't we have a big push as a matter of national security. Looks like there's a lobbying opportunity here for the Ciscos of the world. :)

Baron Dave Romm • August 20, 2008 10:22 AM

Given the Russian cyber attacks on Georgia, TCP/IP security should be a high priority. Indeed, this should have been a high priority after 9/11, but Bush seriously dropped the ball, as usual.

Instead of improving internet security after a terrorist attack, Bush hired a convicted felon to run part of DARPA. Pitiful. We need adults in charge.

Haceldama • August 20, 2008 10:29 AM

IPv6 may come, but an effort to document IPv4 security will be useful now, especially for the Open Source community.
A positive news item. Thanks!

Durable Alloy • August 20, 2008 11:49 AM

This document would have been immensely more valuable had it come four or five years ago. And the fact that it doesn't cover IPv6 doesn't help it.

Anyways, it's a good start. Hopefully this will inspire others to work more thoroughly to improve the Net's security.

Joe Buck • August 20, 2008 1:43 PM

I've seen claims that some problems that have been identified and patched in IPv4 are still present in IPv6; also, much of IPv6's design was done when we knew less about possible attacks than we know now. It shouldn't be assumed that a switch to IPv6 can fix all ills. Also, to the extent that IPv6 encourages people to dump NAT and give everyone a direct, public IPv6 address, we may be more vulnerable to some attacks than ever.

bob • August 20, 2008 2:03 PM

A security assessment of IP is similar to a nutritional assessment of McDonald's; not enough intersection in the domains to make a meaningful result.

Skorj • August 20, 2008 2:55 PM

@ Bob

Excellent analogy. The "security" of the IP protocol leaves me baffled. Certainly one could write an IP stack that was vulnerable to direct attack through buffer overflow etc, but aren't we past that now? The TCP protocol is a bit more rich, but still ...

I suspect this is more of a request for best practices in (a) providing endpoint authentication and (b) in-flight encryption of network traffic in general.

There's certainly something to that idea! I've lost count of the times I've had to explain to intelligent engineers that there's little point in doing b without doing a, for example.

John Moser • August 20, 2008 3:00 PM

"Instead of improving internet security after a terrorist attack, Bush hired a convicted felon to run part of DARPA. Pitiful. We need adults in charge."

We should execute all felons. Hiring them is a bad idea; seeing as how they can't (shouldn't) get jobs anyway because of this, we can project they'll all turn to (potentially violent) crime, and thus they're too dangerous to let live.

Also IPv6 has the same stupid shit as IPv4; it even has more robust source routing IIRC. There's not much you can do without a serious IPSec implementation, because most IP suite attacks are MitM based. The others are all injection, which either A) serves as a DoS, or B) attacks the higher level application (telnet vs ssh).

JimFive • August 20, 2008 3:03 PM

@Bob
I think a more apt analogy would be:

A security assessment of IP is similar to a nutritional assessment of your dining room table.

Skorj • August 20, 2008 3:12 PM

Upon reflection, it's certainly worth pointing out that the endpoint authentication (confirmation of identity) between CAs and their customers is the weakest link in commercial network security right now, IMO. But that has nothing to do with TCP/IP.

Davi Ottenheimer • August 20, 2008 4:03 PM

"While many textbooks and articles have created the myth that the Internet Protocols (IP) were designed for warfare environments..."

These must have come after my time in the classroom. I started using IP in the 1980s and I do not remember a single reference to warfare environments.

I would like to see where someone claimed IP was for warfare. I've searched and not found a single case so far. Anyone have a reference?

The common story I see is that Cerf was either brilliant or incredibly naive to think that a free protocol for research could compete with the costly alternative offered by AT&T and IBM (and also still in use today).

"Whilst not aiming to be the final word on the security of the IP, this document..."

No kidding. This document reads to me like a collection of the content pushed around the net for at least ten years. PDF is a funny format. They should have just put it in a wiki format to keep it living.

Clive Robinson • August 20, 2008 5:27 PM

@ Davi,

"I do not remember a single reference to warfare environments"

Like you I did IP and X25 back in the early 80's.

What I was told was that the DoD contracted BBN to provide a fault tolerant network protocol that could survive loss of paths and datagrams (a real bugbear with packet switched networks like X25 or ring protocols like the Cambridge ring).

And oddly, although many people have said the DoD wanted it for warfare, and Cisco (supposedly) changed some of their protocols after the first Gulf War, I do not actually remember seeing it written down in any specification.

And to be honest, it would be the routing protocol (layer 3) not the datagram protocol (layer 1 or less) that would actually give the fault tolerance, the datagram protocol would just flag up where a loss had occurred.

David Crowcroft • August 21, 2008 12:56 AM

@ Davi & Clive

"I would like to see where someone claimed IP was for warfare. I've searched and not found a single case so far. Anyone have a reference?"

Haven't you read Dave Clark's paper that is referenced in the document?

Have a look at Tanenbaum's "Computer Networks" book, too.

Woo • August 21, 2008 1:56 AM

This seems to be a popular misconception, due to the fact that the ARPANET et al. were army networks in the beginning. For most people, "developed for the army" equals "developed for warfare".

Cybergibbons • August 21, 2008 2:46 AM

"No kidding. This document reads to me like a collection of the content pushed around the net for at least ten years. PDF is a funny format. They should have just put it in a wiki format to keep it living."

The document presents information gathered in one place, it's not full of needless opinion or conjecture unlike a lot of information on the web.

CPNI was set up to inform business about the risks they are open to. This would often involve spreading information to non technical staff, and this kind of document is ideal for that.

the boy who cries BS at the boy who cries wolf • August 21, 2008 2:58 AM

@Baron

The Georgian attack was a few weeks ago. President Bush should have corrected all the problems with TCP/IP by now? Fascinating. It's only taken 10-some years to get IPv6 to where it is now, but a few Russian tanks move in and it's Bush's fault that miracles can't be done.

Aren't internet standards controlled by the IETF? That's an international organization--not US Government. So of all the (probably) thousands of people appointed by the president, he hired one with a questionable background to run one of dozens of government agencies with an interest in cyber security. And you're claiming that one person is able to stymie an entire international organization. What impressive logic. What next... is he also responsible for tooth decay and chewing gum sticking to your shoe?

bob • August 21, 2008 7:57 AM

@boy who cries BS at the boy who cries wolf: Don't forget global warming - we all know Bush has a dial in the oval office where he can set day-to-day gasoline pump prices across the entire US so he also caused global warming. In fact, he did it retroactively, since the glaciers left the US ~40,000 years ago.

vontrapp • August 21, 2008 1:40 PM

++ on the kitchen table. Making TCP/IP "secure" makes about as much sense as making your table nutritious. It's what you put on the table that matters, it's what you do _with_ TCP/IP that matters.

Mov • October 3, 2008 10:21 PM

Outpost24's Senior Security Researcher, Jack C. Louis has discovered a generic issue that affects the availability of TCP services. This issue could be used to create a Denial of Service attack. Vendors have been notified. Details are not available to the public at this point, but will be disclosed at an appropriate future date.
