U.S. should fund, test IETF security developments

The U.S. government should fund and test Internet Engineering Task Force developments and initiatives to bolster the security of Internet communication, including extensions to the Border Gateway Protocol, a presidential advisor said last week.

The U.S. government should fund and test Internet Engineering Task Force developments and initiatives to bolster the security of Internet communication, including extensions to the Border Gateway Protocol, a presidential advisor said last week.

Internet protocols such BGP and DNS can be targets of intentional malicious activity or sources of instability that compromise the security and reliability of the Internet, says Richard Clarke, Special Advisor to the President for Cyberspace Security. Indeed, there have been recent instances of malicious activity – the Oct. 21 distributed denial-of-service attacks on 13 Internet root servers – and Clarke says BGP frequently “flops” massive routing tables between ISPs, creating “pockets” of instability.

Clarke’s proposing that there be an increased role for the federal government in terms of funding research, in terms of being an early adopter when there are successful new things, and in terms of helping to create test beds.  He says the U.S. government should be doing more, not in terms of regulating, mandating or dictating; but in terms of facilitating the work of groups such as the IETF.

Governmental funding of IETF work is tricky, however, Clarke notes, because the IETF and the Internet are worldwide organizations and entities. “Ownership” is, therefore, ambiguous, as is the source of research and development funding, he says.

Clarke says the IETF is receptive to the funding and testing proposal but sensitive to the possibility that the federal government would “dominate” the IETF’s work. Clarke says the U.S. government is only interested in facilitating, not dominating, the IETF’s security work.

Under consideration is the creation of a “civilian DARPA” in the Homeland Security Department to solicit the participation of the private sector in Internet security and stability R&D, Clarke says. DARPA – the Defense Advanced Research Projects Agency, the R&D arm of the U.S. Defense Department – funded early development of the Internet in the 1970s.

The U.S. government is also discussing joint funding and research with the European National Security Agency, a department of the European Union, Clarke says.

Clarke says there are two kinds of problems with BGP: One is instability, which arises mostly from human error. The other is security – right now, BGP doesn’t use authentication or encryption, he says.

Clarke feels stability and security extensions can be bolted onto the existing BGP protocol rather than requiring the development of a new peering protocol for the Internet.

The IETF is likely to require “a few million dollars” annually from the federal government to fund R&D of Internet security and stability initiatives, Clarke says. Test beds would need to assimilate a very large-scale system as well, he says.