Internet Infrastructure Protection (IIP)
| ARPA Order Number: | A941 |
| Principal Investigators: | George R (Russ) Mundy, Sandra Murphy |
| Contractor: | Trusted Information Systems, Inc. 3060 Washington Road Glenwood, Maryland 21738 Phone: (301) 854-6889 FAX: (301) 854-5363 |
| Title of Effort: | Internet Infrastructure Protection |
Objective:
The Internet infrastructure protocols, which provide the support for the
operation of the Internet, are designed with an implicit trust in the
integrity and authenticity of information received that is ill-suited
for the present day Internet environment. Consequently, accidental
failure or malicious attack by outsiders could result in widespread
disruption of the Internet. TIS efforts in this task will prevent such
disruptions by employing digital signature and other security techniques
to support development and initial use of security services for certain
chosen infrastructure protocols. TIS is also investigating the use of
existing work to improve the robustness of protocols in the face of
Byzantine attacks, that is, arbitrary behavior from the protocol
participants themselves.
Approach:
TIS is investigating methods of enhancing the Internet infrastructure
protocols through use of public key cryptography and other security
techniques. These methods provide protection against accidental or
malicious failures by participants or outsiders. In particular, TIS
designs, implements and makes available toolkits and reference
implementation software to support data origin authentication, data
integrity and other security services. These services are the
cornerstone of protecting the Internet infrastructure from disruption.
TIS has worked with the Internet community to specify architecture and protocol enhancements to support the inclusion of data integrity and data origin authentication security services in the Domain Name System protocol. These services provide protection from the propagation of inaccurate data and prevent machines from masquerading as other domain name system servers. The design ensures that Domain Name System servers enhanced with the security services can interoperate with non-enhanced servers and clients. This allows for the phased deployment of the secure domain name system throughout the global Internet. As part of the phased implementation, TIS is providing a Domain Name System reference implementation for the Domain Name System dynamic update, the Dynamic Host Configuration Protocol and the next generation of Internet Protocol.
TIS has designed protocol enhancements to support these same security services in routing protocols. The security services provide protection from the introduction and propagation of invalid routing data from machines masquerading as valid routers. The software is backward compatible with routers using non-enhanced versions of the protocol. This provides for phased deployment of the reference implementation. TIS is presently investigating enhancements to the Border Gateway Protocol (the inter-autonomous system routing protocol), security for multicast protocols, and security for protocols used by routing registries.
TIS is also investigating ways of enhancing other infrastructure protocols with cryptographic and other techniques that provide improved robustness. To this end, TIS is designing and implementing a key management and distribution toolkit. This toolkit will facilitate the use of various emerging security technologies in the Internet. TIS is also supporting the definition and establishment of an Internet standard for network management known as Simple Network Management Protocol, version 3, which will provide the capability for securely managing network components. The protocols will be designed and implemented to minimize performance degradation due to the enhancements and to ensure that enhanced and non-enhanced protocols can coexist peacefully and cooperate.
Recent Accomplishments:
- TIS has provided a world-wide exportable version of the security enhanced DNS reference implementation. This version provides security services for static DNS information as described in the Internet specification and can be obtained through anonymous ftp. The unrestricted availability of secure DNS software will accelerate use of DNS security services in the Defense research community as well as their availability in commercial products.
- TIS has worked with the DNSSEC Working Group of the Internet Engineering Task Force (IETF) to keep them apprised of TIS implementation experience and related design changes. Based on this interaction, the IETF has published the DNSSEC specification as a proposed standard for the Internet. Approval as an Internet standard will be another motivation for adoption of these security enhancements by commercial DNS vendors and providers of publicly available DNS products.
- Implementation of the TIS design for a security enhanced OSPF was completed. The prototype was ported to GateDaemon, a publicly available package that implements various routing protocols. TIS has provided a world-wide exportable version of the implementation to facilitate and promote use of the security enhanced version of the OSPF protocol.
- The TIS design for the security enhanced OSPF was submitted to the OSPF Working Group of the IETF for review by the OSPF community. The design and specification have been accepted and published as an experimental standard for the Internet. Establishment of an Internet standard design for OSPF security will encourage product providers to offer this secure routing protocol.
- To facilitate availability of secure network management, TIS led an IETF advisory team that designed a viable approach for SNMP security. As a result of this activity, the detailed specifications for the next generation of SNMP are being developed in an accelerated manner. Publication of the resulting Internet standards will provide the basis for multiple commercial network management products which will meet many Defense requirements for secure network management.
Current Plan:
- Operational availability of DNS security enhancements with the principal software used by the primary Internet DNS servers and network information center will take place by October 1997. Earlier reference implementation versions modified stable but older versions of the principal DNS software. Work is currently underway to incorporate the reference implementation into the newest version. Use of the DNS security extensions by the Internet root name servers and the InterNIC will provide the core capability for wide-spread use of DNS security services.
- Release of an initial key management and distribution toolkit to the Internet research community will be completed by February 1998. This toolkit will provide a body of software to facilitate initial fielding and support for emerging Internet infrastructure capabilities such as the Internet Protocol Security (IPSEC).
- Extensions to the initial DNSSEC reference implementation to support dynamic host information and dynamic address information for the next generation of Internet Protocol will be provided as they are defined. Reference implementation support for emerging dynamic capabilities is essential for infrastructure protection and product availability.
- Protection of inter-autonomous system routing is not addressed by the security enhancements to OSPF. TIS will investigate employing security techniques to protect BGP, multicast routing protocols as well as protocols used by routing registries for interconnection of autonomous systems. Resulting security services will provide significant survivability protection for the Internet infrastructure.
- The specifications for the proposed Internet standard for the next generation of Simple Network Management Protocol are expected to be published by April 1998. Although the uncertainties of the IETF standardization process may affect this date, SNMP version 3 will provide security capabilities needed by Defense as well as a migration approach for older and future versions of network management protocols. The establishment of a single, secure Internet standard for network management will provide the needed basis for commercial products to migrate security into the management of Defense networks and internets.
Technology Transition:
Prototypes of TIS-developed software are made available to the Internet
community via anonymous FTP. To ensure that this technology is
transferred to the community, we are working with the standards groups
responsible for the specifications of these protocols, particularly the
IETF, to see that the enhancements are incorporated into published
standards. TIS will work with the vendor community to facilitate
incorporation of any techniques or code developed into commercial
implementations of infrastructure protocols. TIS is also working with
those providing publicly available software products that implement
infrastructure protocols (e.g., BIND, the principal DNS software
package, and the GateDaemon routing software from the GateDaemon
Consortium of Merit Network Systems, Inc.) to facilitate incorporation
of this technology. TIS will continue to work with the Department of
State and the Department of Commerce to receive the widest possible
approval for distribution of these products outside the US. Approval for
distribution outside the US will facilitate the incorporation of this
technology into commercial and publicly available implementations.
Software packages for the TIS Domain Name System Security Extensions
reference implementation, the TIS digital signature toolkit and the TIS
reference implementation of OSPF With Digital Signatures are available
from TIS. Implementations are written for UNIX platforms. For further
information, contact Russ Mundy at 443-430-8000 or
Russ.Mundy@SPARTA.com.
