Notes on internet security

I'm giving a talk in a few months about Internet Governance and Security.  A useful way to organize this topic (with many thanks to Steve Crocker) might be to look at different categories of internet security threats and try to figure out who deals with them. 

The bottom line seems to be (1) that there aren't many governance structures that serve as forums for the discussion of security issues and (2) that most of the money looks backward instead of forward. (ICANN's role in internet security is very limited — it works on DNS and IP address coordination only. The root zone changes on average once every two days, and there are hundreds of copies of it around the world, so it's not a high-risk operation.)

There are infrastructure issues — lines, switches, physical assets. These are handled pretty well by individual companies, which build in redundancy. When the World Trade Center buildings collapsed, IM conversations around the world continued even though many communications lines were severed.

There are potential issues with hostile acts that deliberately address packets in ways that disrupt the routing fabric of the internet. There isn't a single natural forum for these issues, as I understand it, but network operators and ISPs around the world worry about routing. Building cryptographic authentication of every packet's source and destination addresses into each router would add enormous computational weight and delay. There is likely a role for ISPs to check, at the point where a packet enters their network, whether its source address is one the sending customer could legitimately be using (ingress filtering), but I'm not sure whether that can be more than a suggested best practice: such filtering mainly protects other networks from the filtering ISP's customers rather than the ISP itself, so the incentive to deploy it is weak. This should probably be a focus of attention — but in what forum?

There are issues about denial of service attacks, but it's not clear how to tell a denial of service attack from the surge of legitimate traffic a suddenly popular web site experiences. I know CERT is out there, but I don't think it agitates for changes in practices.

So — what needs to be governed?  There's a vast landscape of interactions out there. ICANN works on a small subset of these interactions, but comes in for a lot of attention because it's the only barn standing in that landscape. When it comes to the “governance” part of this topic, it seems as if there could be encouragement of forums for discussion of particular issues — like routing — that don't fall into any natural discussion place. 

The intersection between network neutrality and internet security is interesting. I think ISPs should be allowed and encouraged to look for viruses, trojan horses, DDoS attacks, and routing mischief. Arguably, this kind of inspection is part of transport — inspecting for “content” isn't.

But it is true that the distance between content and security can be defined out of existence.  For example, if DOJ feels that in order to achieve true CALEA surveillance capacity it has to work with vertically integrated, constantly-inspecting broadband providers that allow only a subset of “approved services” to cross their networks, I suppose it would oppose network neutrality. That seems like a shortsighted approach to me — as I've argued in the past, there are much better ways for law enforcement to get the information it needs.

Network neutrality advocates will need to figure out how neutrality intersects with security.  My own view is that there isn't a conflict between these two values.

3 Responses to “Notes on internet security”

  1. Anonymous on January 20th, 2007 10:28 pm

    There are lots of forums for network security discussion and coordination between providers, formal and informal. FIRST is one; there are many others.
    There are best practices for providers to prevent IP address spoofing using uRPF and filtering; these are described in RFC 2827. Also see RFC 3013. Your point about the computational expense of verifying source and destination with something like the IPsec Authentication Header is correct (though hardware keeps getting faster), but it's also important that the exchange of routes themselves is properly authenticated. Historically, weak points for IP hijacking have been the IP registries and the ISPs. There have been numerous cases of miscreants transferring IP block registrations and even AS numbers to themselves, often from defunct entities, then getting ISPs to provide routing. RFC 4272 discusses BGP security vulnerabilities.
    You're correct that, in the extreme cases, it may be very difficult to distinguish DDoS attacks from genuine bursts of traffic due to popularity. In practice, however, it's almost always possible to tell the difference.
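The post asks whether ISPs can check, at the point of entry, that a packet's source address is authentic, and the first comment above points to uRPF and RFC 2827 (BCP 38) as the existing best practice. The following Python is an added example, not code from the post or from any commenter, that models what an edge router actually does under those recommendations: a static per-interface allow-list of the prefixes delegated to each customer, and a strict unicast reverse-path check against a forwarding table. The interface names, prefixes, forwarding entries and sample packets are all constructed for the example; the martian list is hand-written rather than taken from any vendor's default.

```python
"""Ingress filtering of spoofed source addresses at an ISP customer edge.

Added example (not code from the original post or its comments). It models the
checks RFC 2827 / BCP 38 describes for the point where a packet enters a
provider's network:

  1. A static ingress filter: accept only source addresses inside the prefixes
     assigned to the customer behind the arrival interface.
  2. Strict unicast reverse-path forwarding (uRPF): look the packet's *source*
     address up in the forwarding table and accept it only if the best route
     back to that source leaves via the interface the packet arrived on.

A martian check runs first, as providers commonly do alongside these.
All interface names, prefixes and packets below are constructed for the example.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed forwarding table: (prefix, egress interface). Longest match wins.
FIB: List[Tuple[object, str]] = [
    (ip_network("0.0.0.0/0"), "upstream0"),      # default route towards transit
    (ip_network("198.51.100.0/24"), "cust-A"),   # prefix delegated to customer A
    (ip_network("203.0.113.0/24"), "cust-B"),    # prefix delegated to customer B
    (ip_network("2001:db8:a::/48"), "cust-A"),
    (ip_network("::/0"), "upstream0"),
]

# Constructed per-interface allow-lists for the static BCP 38 filter.
CUSTOMER_PREFIXES: Dict[str, List[object]] = {
    "cust-A": [ip_network("198.51.100.0/24"), ip_network("2001:db8:a::/48")],
    "cust-B": [ip_network("203.0.113.0/24")],
}

# Addresses that are never valid unicast sources on the public internet.
# Hand-written on purpose: ipaddress.is_private also flags the RFC 5737
# documentation ranges used for the customers above, which must stay routable here.
MARTIANS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "ff00::/8",
)]


def _contains(prefixes, addr) -> bool:
    return any(addr.version == p.version and addr in p for p in prefixes)


def lookup(src: str) -> Optional[str]:
    """Longest-prefix match of src in FIB; returns the egress interface or None."""
    addr = ip_address(src)
    best = None
    for prefix, iface in FIB:
        if addr.version == prefix.version and addr in prefix:
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, iface)
    return best[1] if best else None


def is_martian(src: str) -> bool:
    return _contains(MARTIANS, ip_address(src))


def bcp38_static_allows(ingress_iface: str, src: str) -> bool:
    """Static ingress filter: src must lie within a prefix assigned to that interface."""
    return _contains(CUSTOMER_PREFIXES.get(ingress_iface, []), ip_address(src))


def urpf_strict_allows(ingress_iface: str, src: str) -> bool:
    """Strict uRPF: the return route to src must exit via the ingress interface.

    Caveat: under asymmetric routing (e.g. a multihomed customer) this drops
    legitimate traffic; the static filter above is the safer choice there.
    """
    return lookup(src) == ingress_iface


def filter_packet(ingress_iface: str, src: str) -> Tuple[str, str]:
    """Apply the checks in order and return (verdict, reason) for one packet."""
    if is_martian(src):
        return "drop", "martian source"
    if not bcp38_static_allows(ingress_iface, src):
        return "drop", "source not in customer's assigned prefixes (BCP 38)"
    if not urpf_strict_allows(ingress_iface, src):
        return "drop", "reverse path does not match ingress interface (uRPF strict)"
    return "accept", "source address plausible for this interface"


# Constructed packets: (arrival interface, source address).
SAMPLE_PACKETS = [
    ("cust-A", "198.51.100.7"),    # legitimate: customer A's own space
    ("cust-A", "2001:db8:a::1"),   # legitimate IPv6 from customer A
    ("cust-A", "203.0.113.9"),     # spoofed: customer B's prefix arriving from A
    ("cust-A", "192.0.2.44"),      # spoofed: address routed via upstream, not A
    ("cust-B", "10.0.0.5"),        # martian: RFC 1918 source leaking out
    ("cust-B", "203.0.113.200"),   # legitimate: customer B
]


def run_demo() -> List[Tuple[str, str, str]]:
    """Filter every sample packet; returns (iface, src, verdict) triples."""
    results = []
    for iface, src in SAMPLE_PACKETS:
        verdict, reason = filter_packet(iface, src)
        results.append((iface, src, verdict))
        print(f"{iface:7} {src:18} {verdict:6} ({reason})")
    return results


if __name__ == "__main__":
    run_demo()
```

The point the code makes concrete is the one the post gestures at: neither check needs any per-packet cryptography, only a prefix match against state the provider already has (its customer assignments and its forwarding table), which is why BCP 38 is cheap to deploy. The cost is in operational care rather than CPU: strict uRPF misfires on multihomed or asymmetrically routed customers, and the static list has to be kept in step with address assignments.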

  2. Anonymous on January 21st, 2007 8:59 am

    Thanks, Jim, particularly for the pointers to routing-related RFCs. Appreciate it. Susan

  3. Anonymous on January 22nd, 2007 1:05 pm

    On the infrastructure issues: a minor point, but I think some of the non-hiccupping of IMs must issue not from infrastructure features, but rather from protocol features. To paraphrase, the internet sees damage as damage, and routes around it. A certain amount of hardware is of course needed for this to work - if your last-mile is chopped with a backhoe, you're still hosed - but beyond that it's just a feature of the internet, i.e. “everybody's” infrastructure. Equal-cost multipath routing is a nifty trick, but it's sauce for the underlying protocol goose.
    On the lack of governance structures for discussion of security issues: The previous commenter correctly points out that there are lots of places where network security issues are discussed. However, the way you raise the issue is that there is a lack of *governance* structures for internet security.
    There may actually be a governance structure for security. Inasmuch as standards are promulgated by some entity (say, some standard for how packets have to look) then when security folk filter out non-conforming packets, you can say that the standard-promulgating entity has acted as a security governance structure. You scratch your head and say that this idea is a bit of a stretch, though; and you're right.
    On the coexistence of (net-)neutrality and security: I too think it is correct to say that the two are not mutually exclusive.
    When we employ the hack of using network-centric means to achieve application-level security, this gives the appearance (and rightly so, I think) of a form of non-neutrality.
    However, where network-centric means are used to achieve network-level security, I think neutrality is still intact.
    In other words, I think it all fits into neat little boxes if you're first able sensibly to subdivide what “security” means. For example, network security, application security, national security, and so on.
    Finally, where are you going to give the governance & security talk?
    SMM
