Schneier on Security
A blog covering security and security technology.
« Mental Illness and Murder |
| Nice Article on Personal Surveillance »
August 20, 2008
A Security Assessment of the Internet Protocol
The TCP/IP protocols were conceived during a time that was quite different from the hostile environment they operate in now. Yet a direct result of their effectiveness and widespread early adoption is that much of today's global economy remains dependent upon them.
While many textbooks and articles have created the myth that the Internet Protocols (IP) were designed for warfare environments, the top level goal for the DARPA Internet Program was the sharing of large service machines on the ARPANET. As a result, many protocol specifications focus only on the operational aspects of the protocols they specify and overlook their security implications.
Though Internet technology has evolved, the building blocks are basically the same core protocols adopted by the ARPANET more than two decades ago. During the last twenty years many vulnerabilities have been identified in the TCP/IP stacks of a number of systems. Some were flaws in protocol implementations which affect only a reduced number of systems. Others were flaws in the protocols themselves affecting virtually every existing implementation. Even in the last couple of years researchers were still working on security problems in the core protocols.
The discovery of vulnerabilities in the TCP/IP protocols led to reports being published by a number of CSIRTs (Computer Security Incident Response Teams) and vendors, which helped to raise awareness about the threats as well as the best mitigations known at the time the reports were published.
Much of the effort of the security community on the Internet protocols did not result in official documents (RFCs) being issued by the IETF (Internet Engineering Task Force) leading to a situation in which "known" security problems have not always been addressed by all vendors. In many cases vendors have implemented quick "fixes" to protocol flaws without a careful analysis of their effectiveness and their impact on interoperability.
As a result, any system built in the future according to the official TCP/IP specifications might reincarnate security flaws that have already hit our communication systems in the past.
Producing a secure TCP/IP implementation nowadays is a very difficult task partly because of no single document that can serve as a security roadmap for the protocols.
There is clearly a need for a companion document to the IETF specifications that discusses the security aspects and implications of the protocols, identifies the possible threats, proposes possible counter-measures, and analyses their respective effectiveness.
This document is the result of an assessment of the IETF specifications of the Internet Protocol from a security point of view. Possible threats were identified and, where possible, counter-measures were proposed. Additionally, many implementation flaws that have led to security vulnerabilities have been referenced in the hope that future implementations will not incur the same problems. This document does not limit itself to performing a security assessment of the relevant IETF specification but also offers an assessment of common implementation strategies.
Whilst not aiming to be the final word on the security of the IP, this document aims to raise awareness about the many security threats based on the IP protocol that have been faced in the past, those that we are currently facing, and those we may still have to deal with in the future. It provides advice for the secure implementation of the IP, and also insights about the security aspects of the IP that may be of help to the Internet operations community.
Feedback from the community is more than encouraged to help this document be as accurate as possible and to keep it updated as new threats are discovered.
Posted on August 20, 2008 at 7:48 AM
• 22 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"While many textbooks and articles have created the myth that the Internet Protocols (IP) were designed for warfare environments..."
These must have come after my time in the classroom. I started using IP in the 1980s and I do not remember a single reference to warfare environments.
I would like to see where someone claimed IP was for warfare. I've searched and not found a single case so far. Anyone have a reference?
The common story I see is that Cerf was either brilliant or incredibly naive to think that a free protocol for research could compete with the costly alternative offered by AT&T and IBM (and also still in use today).
"Whilst not aiming to be the final word on the security of the IP, this document..."
No kidding. This document reads to me like a collection of the content pushed around the net for at least ten years. PDF is a funny format. They should have just put it in a wiki format to keep it living.
"I do not remember a single reference to warfare environments"
Like you I did IP and X25 back in the early 80's.
What I was told was that the DoD contracted BBN to provide a fault tolerant network protocol that could survive loss of paths and datagrams (a real bug bear with packet switched networks like X25 or ring protocols like the Cambridge ring).
And oddly although many people have said the DoD wanted it for warfare, and Cisco (suposedly) changed some of their protocols after the first gulf war. I do not actually remember seeing it written down in any specification.
And to be honest, it would be the routing protocol (layer 3) not the datagram protocol (layer 1 or less) that would actually give the fault tolerance, the datagram protocol would just flag up where a loss had occured.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.