Skip Links

Fed plan exposes 'Net's weak links

By , Network World
October 07, 2002 12:10 AM ET

Network World - In the fine print of the Bush administration's recently released cybersecurity strategy is the stark admission that three critical components of the Internet's infrastructure are highly vulnerable to a variety of attacks.

The three troublesome components underpin all Internet communications. They are: IP; DNS, which matches lengthy, numeric IP addresses to simple names for Web and e-mail traffic; and Border Gateway Protocol (BGP), which controls interdomain routing between carriers.

All three lack a means of authenticating communications. Although the Internet engineering community has spent more than a decade trying to retrofit these protocols with encryption and digital signatures, the security fixes aren't widely used by ISPs or their corporate customers because of the high cost and management overhead involved.

"We've been trying to push security into these protocols for years, but we've gotten no involvement from the operational side of ISPs or enterprises," says Russ Mundy, manager of network security research at Network Associates Laboratories. Now that the security offerings for these protocols are done or close to being done, the ISPs and other potential customers claim the offerings aren't practical or affordable, he says.

Defense Department faces hurdles with DNS security

The problem is that the fixes - known as IP Security, DNS Security and Secure BGP - are too complex and too expensive for ISPs and companies to deploy. The protocols require hardware and software upgrades to handle the assignment, management and processing of keys, signatures and certificates, as well as additional operator support.

Given today's economic climate, ISPs and domain name registries aren't willing to spend millions of dollars on upgrades when their corporate customers aren't demanding additional security measures. Because none of the Internet's infrastructure players has deployed the secure versions of these protocols, there's no market pressure to upgrade.

It's the classic chicken-and-egg dilemma, and the Bush administration's cybersecurity strategy offers only the possibility of additional federal research dollars in the fiscal 2004 budget. Even with stronger government support, experts say it will take two to five years to deploy these fixes across enough of the Internet infrastructure to eliminate much of the threat.

"There are some in government who say the people who designed the Internet protocols were idiots. Let's go back and redesign it all," says Steve Bellovin, a well-known AT&T researcher and one of the directors of the Internet Engineering Task Force's (IETF) Security Area. "That's mostly a bad and dangerous approach to take."

Instead, Bellovin says the government needs to create market incentives for software vendors and ISPs to build security into their offerings. "What if vendors were liable financially for security problems? That would be an interesting question," he says.

Contributing to the Internet industry's do-nothing approach to secure protocols is because few hackers exploit holes in IP, DNS or BGP. Instead, distributed denial of service (DoS) attacks have caused the most damage, and fixing these three protocols won't prevent distributed DoS attacks.

"Part of the problem is there hasn't been a major attack," says Richard Probst, vice president of product management at Nominum, which develops DNS software. "If somebody took out a bank or a large e-commerce site, that would get everyone's attention."

IPSec proves hard to deploy

IPSec is the most mature of the three security protocols and is used in some VPNs. However, IPSec remains too complex for most network managers, and IPSec products from different vendors don't work with each other.

For a novice to set up IPSec is "virtually impossible," says Mark Kosters, vice president of research at VeriSign Global Registry Services. "If you want widespread adoption, it needs to be trivial to set these things up."

In particular, network managers have trouble configuring IP Security devices because they all use different words to describe various security policies.

"You can only manage an IP Security device with the management tool from the vendor of that IP Security device," Mundy says. "The only way you can configure in a consistent way all the devices on your network is if they're all from the same vendor."

To help fix this problem, the IETF's IP Security Policy working group is developing a consistent set of words to describe the policies that an IPSec device can enforce.

The IETF's IP Security working group also is developing a simpler key exchange technique to help reduce the complexity of IPSec devices.

Also on the horizon is IPv6, an overhaul of IP that mandates the use of IPSec. However, IPv6 is another Internet infrastructure upgrade that has not yet shown much market momentum.

DNS Security considered too costly

DNS Security is not yet deployed in the Internet's root servers or top-level domains. One of the big problems with it is that assigning and managing keys for each domain name causes a huge performance hit for top-level domain operators.

"DNS Security requires 10 times the bytes" for each transaction, says Paul Mockapetris, inventor of DNS and chief scientist at Nominum. "From the standpoint of deploying the service, you have to increase disk space and memory on your DNS servers. It's two to five times the cost of the regular DNS service."

The IETF is working on two fixes to the DNS Security deployment challenge: Delegation Signer Resource Record and Opt In. Both fixes are supported in the latest version of Berkeley Internet Name Domain, the open source software that runs on most DNS servers.

Delegation Signer streamlines how parent domains hand out keys to child domains. For example, Delegation Signer makes it easier for a Web site like to authenticate all its domain names under the umbrella.

Delegation Signer has widespread support within the IETF, and participants expect it to be finalized by year-end.

Opt In, a proposal from VeriSign, is more controversial. It lets domain name holders choose whether to adopt DNS Security. This gives operators of large domains a gradual approach for migrating name holders to DNS Security, and it limits the amount of new hardware and software they need to purchase up front.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News