Security Top Concern for New IETF Chair

BobB writes "New IETF chair Russ Housley speaks out about bolting security on after the fact, the prospects for IPv6 and a new security technology called Hokey that could help safeguard wireless and wired networks."

chair?

[HalifaxRage]

I would think legs, cushion, and some sort of drink holder would be the primary concerns for any new chair...

Re:chair?

How about throwability? You never now when you have to fucking kill somebody.

Re:chair?

[HalifaxRage]

Ah yes: the ultimate security feature.

Re:chair?

[sokkalf]

Not to mention Steve Ballmer..

Re:chair?

[markov_chain]

This is getting OT, but Pope Joan, the alleged woman pope, prompted the Vatican to create a chair with an opening. The examining cleric would feel through the opening to make sure the Pope was a man. Talk about a security hole!

Re:chair?

[davester666]

Nope, I'm sure he's mostly concerned with...JOB security!

Re:chair?

They (northamericans only) want no-security in world's wide IPv6.
They want to use "exportation regulation" to everyone who use IPv6.
Why? Only an answer: easy military victory for only north-americans.

Then, why use they http://en.wikipedia.org/wiki/SIPRNet for only militar soldiers?

"The SIPRNet (Secret [formerly Secure] Internet Protocol Router Network) is a system of interconnected computer networks used by the U.S. Department of Defense and the U.S. Department of State to transmit classified information (up to and including information classified SECRET) by packet switching over the TCP/IP protocols in a "completely secure" environment. It also provides services such as hypertext documents and electronic mail."

They prefer SIPRNet against IPv6.

Re:chair?

Why don't appear RFCs of the hidden protocols of north-american SIPRNet?

Is it an international world wide violation?

The "USofA's cryptographic exportation regulation" says:
1. You can not use >= 1024 bits keys for asymmetric encryption.
2. You can not use >= 128 bits keys for symmetric encryption.
3. You must to install backdoors in the encryption's programs.
4. You must to facilitate information to the Federal Bureau Investigation (FBI).
5. Bla, bla, bla, beware of the National Security.

They are f**king your private life, no privacy, no liberty, disinformation, trapdoors, no confidentiality of your banks's documents, of your VISAs, etc.

Because...

[chris_eineke]

a new security technology called Hokey

poop-flinging monkeys haven't been enough!

Re:Because...

I think there was a house-elf in the Harry Potter series called Hokey.

Re:Because...

[chris_eineke]

He dies.

Huh?

[khasim]

Do IETF participants have the will to go back and fix insecure parts of the Internet? For example, everyone knows about the lack of security in HTTP, but there seems little will within the IETF to fix the HTTP authentication problem.

That's because in the case of HTTP, and I suspect in many others, there's little agreement about what's the most important security feature to add. When you say that we'll just fix the most egregious things, then you get into an argument about where to draw the line. In the case of HTTP, the biggest concern is authentication and that is primarily solved by [Transport Layer Security]. Why not mandate TLS? That's a very good question.

Why "mandate" anything? People who want to run a site with encrypted communications CAN run a site with encrypted communications. Come on people! HTTPS.

Pretty much a fluff piece. It seems that the interviewer only had some buzzwords and a vague feeling that something was somehow insecure.

Re:Huh?

[caluml]

I think a large part of why more people don't use HTTPS is because a:, the certificate problem, and b:, the fact you can't use named based virtual hosts if you do.

Re:Huh?

[InsaneGeek]

Actually he *is* talking about HTTPS, TLS is the successor to SSL it came about because the MD5 & SHA-1 algorithms have been "technically" compromised.

Re:Huh?

[TheRaven64]

the fact you can't use named based virtual hosts if you do. By the way, there is an RFC describing a STARTTLS-like extension for HTTP. You first connect, then you specify the hostname of the server you want, and complete the TLS handshake. This is the same system used for XMPP, SMTP, and IMAP for virtual hosts.

Re:Huh?

[_Knots]

There are in fact several mechanisms, which is part of the problem. There's a TLS extension, Server Name Identification (http://www.ietf.org/rfc/rfc4366.txt), and an HTTP Upgrade: header approach (http://www.ietf.org/rfc/rfc2817.txt). I think consensus is moving towards SNI, and a reasonable chunk of the browsers seem to support it (though OpenSSL does not yet until 0.9.9 comes around). The Apache project is also dragging its feet, waiting for a clear consensus towards one or the other, AFAICT.

Re:Huh?

[Zeinfeld]

Actually he *is* talking about HTTPS, TLS is the successor to SSL it came about because the MD5 & SHA-1 algorithms have been "technically" compromised.

TLS is the successor to SSL but that is not the reason that the spec came about. The MD5 compromise came after the work was already started.

The work started when Microsoft sumbitted their Transport Layer Security protocol to the IETF as a standards proposal. Up to that point Netscape had attempted to keep SSL as a proprietary specification under their control. Which was not too popular with those of us who had broken SSL 1.0 without any difficulty and then been completely ignored in the design of SSL 2.0, which was also botched.

Sometime after the group began to start up Netscape came out with SSL 3.0 which had been extensively reworked by Paul Kocher and Netscape offered to release change control to the IETF. Microsoft agreed since that is all they had actually wanted all along. The only thing that was really changed in the end was the name and the ciphersuite options.

BTW its not surprising that Russ thinks security is the major challenge, he was until recently the security area director. Before that he was chair of the S/MIME working group.

Re:Huh?

[Skapare]

What certificate problem? They they cost money?

You have to be able to prove you are not the man in the middle. Otherwise encryption doesn't mean much.

Re:Huh?

[kestasjk]

I think a large part of why more people don't use HTTPS is because a:, the certificate problem, and b:, the fact you can't use named based virtual hosts if you do. It's totally crazy that encryption isn't a default part of all network communications. Screw creating new encrypted protocols for HTTP, FTP, MSN, Skype, IRC, RSH, RCP, POP, SMTP, etc, etc, etc, all with their own faults and issues. This should definitely be tackled at whatever layer is most pervasive, and that's IP.

Re:Huh?

[slamb]

here's a TLS extension, Server Name Identification (http://www.ietf.org/rfc/rfc4366.txt), and an HTTP Upgrade: header approach (http://www.ietf.org/rfc/rfc2817.txt).

I'd say there's a clear winner there. I don't think anyone thought RFC 2817 through. It suggests (though does not require) sending the initial request in plaintext (ugh), and there's no good mechanism to advertise the server support without penalty on first hit to a https URL (i.e., advertise in the URL or DNS records). Since no existing servers support it, this means for browsers to take advantage of it, they'd have to connect to existing servers on the http port, discover the lack of support, then fall back to normal https. So all sessions to existing https sites would be slowed down by at least two round trips (c->s SYN, s->c SYN/ACK, c->s request, s->c failure), or say 150 ms. I'll pass.

RFC 4366 is much better. No speed penalty - there's no need to advertise server support - the client can always send the option. The server ignores it if it doesn't understand, so without server support the status quo is maintained - the server admins shouldn't put more than one vhost on the same IP until they upgrade. When the client and server both support it, everything works fine. When the client doesn't support it, there's a security warning - about as good a failure mode as you're going to get with a protocol upgrade like this. And the client support is already there in the latest versions of Internet Explorer, Firefox, Safari, and Opera.

I think consensus is moving towards SNI, and a reasonable chunk of the browsers seem to support it (though OpenSSL does not yet until 0.9.9 comes around). The Apache project is also dragging its feet, waiting for a clear consensus towards one or the other, AFAICT.

I think the Apache people are waiting on OpenSSL 0.9.9. bug 34607 (copy'n'paste the URL; don't follow the referral from slashdot) has a patch with support, but it is not effective without OpenSSL 0.9.9. I'm looking forward to it myself...tempted to install a development build just to have this feature, but probably not a good idea to use untested security software.

Re:Huh?

[mrsteveman1]

I think you could do without the cost and use other means to link a certificate to an entity.

Theres a project right now for openly available certificates, they are free but you have to prove you own the domain you want a cert for, and of course the CA root has to be in browsers and it isnt right now (though will be soon).

It should be

Anyone using IE, whether it's IE6, IE7 or this new IETF (Turbo Fabulous?) I've never heard of, should be concerned with security.

hokey security?

[socsoc]

Do the hokey pokey and you turn yourself around. And thats what it all about.

In related news

I bet Microsoft employees can't wait to implement this secure chair protocol as soon as the RFC is released. Anything that helps protect them from Steve Ballmer is more than welcome.

How about the IETF concern themselves

with being a technical standards group? Will they ever stop bowing to political pressure from ISOC "sustaining members" and the employers individuals in the WGs?

Security should be like charity and start with the IETF itself; a standards track that is insecure and subject to political manipulation has no technical value.

Re:How about the IETF concern themselves

[iamdrscience]

LOL! IMHO the IETF WGs and the ISOC need to STFU and GTFO. The IETF is AOK without those SOBS. YMMV.

Re:How about the IETF concern themselves

WTF?!

Re:How about the IETF concern themselves

The amusing thing is that most /. readers probably understand the sentence perfectly.
People complaining about acronym confusion on /. are probably only a small but vocal minority of willfully obtuse pseudo-trolls.

Re:How about the IETF concern themselves

> willfully obtuse pseudo-trolls.

You mean WOPT?

Security Top Concern for IETF chair?

[Graywolf]

Where can I get one of these secure chairs?

Re:Security Top Concern for IETF chair?

Where can I get one of these secure chairs?

Steve B. had one, but I heard he threw it away.

Re:Security Top Concern for IETF chair?

Except that L. Nowak lied when she said Steve threw it. The guy who threw the chair was, ummm... from Greencastle.

IPv6

[Ang31us]

Q. Can you give me three specific goals? A. Rollout of IPv6 is clearly one of them. IPv6 is on by default in most OSes and the autoconfiguration feature assures that once the routers enable IPv6, their new IPv6 addresses will be Internet-routable without stateful firewalling, which would break things like VOIP.

Re:IPv6

[Wesley+Felter]

Too bad the IETF turned around and said that all home routers (like Apple's AirPort) should include deny-by-default stateful IPv6 firewalling. They spent so much effort making IPv6 "just work", and now they're undoing it.

Re:IPv6

[FuzzyFox]

Are you saying that you want every device on the entire internet to be able to speak to your system directly, without hindrance, by default?

You want everyone else's systems to be able to be contacted, directly, without hindrance, by default?

You do realize that the internet used to be like that, right? Do you remember what happened as a result? Do you know why firewalls were invented in the first place?

Re:IPv6

[Wesley+Felter]

Ah, I do so appreciate the patronizing. In a home environment I think host-based firewalls are easier to configure and diagnose than network-based ones, and thus I would prefer that network equipment not deny any traffic by default.

The best of Verisign AND the NSA!!

Housley: "VeriSign is giving me a check a month, and the National Security Agency is paying my travel costs. "

What could go wrong here?

Re:The best of Verisign AND the NSA!!

What could go wrong here?

While we all have our biases, Russ has disclosed two potential sources for his. That's the mark of an honest man. Russ is responsible for pushing the IETF to repair protocols that have MD5 or SHA1 hash algorithms hard coded. So perhaps his bias is towards secure protocols. Shocking? I think not.

Obscure groups' acronyms

[Gertlex]

It would be nice if more articles mentioned the full name of whatever acronym makes the tagline. You know... so I don't have to think about it too hard... or even look it up.

Re:Obscure groups' acronyms

[TechyImmigrant]

HOKEY = Hand Over Keying

Rekeying security protocols when handover mobile devices from one AP or BS to another takes time and disrupts communications. So fix it. That's what HOKEY does.

HTTP security problems

[Zarhan]

Watched the presentation at Chicago earlier this week. HTTPBis BOF basically dealt with these:

http://www3.ietf.org/proceedings/07jul/slides/http bis-2.ppt - Chair's Slides
http://www3.ietf.org/proceedings/07jul/slides/http bis-1.pdf - Cookies & Caching
http://www3.ietf.org/proceedings/07jul/slides/http bis-0.pdf - Etags

The "Chair's slides" basically deal with HTTP Auth issues. Take a look - the presentations were rather interesting, altough it seemed at the time that a WG may not be formed out of these.

Re:HTTP security problems

[Zarhan]

Hmmh, apparently the presentation about auth cited in the Agenda slide is not online yet. Sorry - apparently exactly the on-topic presentation is still pending publication :)

Why mandate it?

[khasim]

Adding encryption to the communication channel is an additional level to troubleshoot.

Is your certificate current?
Do you have enough entropy?
etc

We already have it available. Without the mandate. Go to your bank's website and look for the HTTPS. Most other sites (like /.) run regular HTTP because the additional layer and expense of encryption would not gain them anything.

Pfff...

[CRX588]

IPv6 is soooo 1996

Re:Pfff...

[LongestPrefix]

IPv4 is sooooooo 1984.

Security Top Concern for New IETF Chair

[caluml]

Security Top Concern for New IETF Chair

It suddenly collapses when sat on?

Bingo

[mpapet]

I'm not say _this_ guy in particular is the trojan horse for the end of an anonymous Internet, but it's one step closer.

At this point in the game, it's assumed all traffic is being monitored through the Telco's. http://www.salon.com/news/feature/2006/06/21/att_n sa/index_np.html

Having an NSA friendly agent running the IETF will make their jobs much easier. I boldly predict next to nothing will be done publicly by this guy. I have a feeling he will be **very** busy not as chair, but as an NSA rep who just happens to chair the IETF. Very subtle but important distinction similar to using RNC email accounts at the whitehouse.

Please stop with the cutesy names!

[pongo000]

Gimp...Pidgin...and now...

Hokey?

Hokey?

I don't know about the rest of the world, but here in the US "hokey" is used to refer to something artificial, contrived, fake. I certainly don't want to trust the security of my systems to something that's contrived.

Geez, more proof that intelligence and common sense aren't necessarily bed partners...

IPv6 and IPsec

[Skapare]

IPsec works over IPv4. IPv4 works without IPsec. I haven't found anyone (yet) that has gotten IPsec over IPv6 (I'm not talking about IPv6 tunneled over IPsec protected IPv4) to actually work on Linux or BSD. Surely someone has. But Google turns up a number of reports of problems that go unresolved and unanswered (except in one case people reporting they also cannot get it to work). I've only been spending a couple weeks trying to get it to at least establish a security association between 2 machines.

Which protocol to scrap and start over? Or is it just bad implementation? If we can at least get this working, IPv6 might be considered ready to go.

IPv6 invented here in USA for World! Stupids!

World wide people is stupid with the use of IPv6 invented in the USofA home that has its "national cryptographic exportation regulation" for world wide people.

IPv6 don't must to be invented here in USofA.

Then, we of world wide people must to invent our world wide protocol using 256 bit pseudorandom numbers src & dst (instead 128 bit) to impossibilite the collisions and the tracing & storing in gigantic DBs of the users's machines's numbers with the Law of Ginebra about the privacy of the person's communications.

So, periodically, the numbers of the machines can be generated randomly without problems of collisions.

Invented here the "IP256", "The Internet Protocol 256 bit" for the fortalezza of the anonymous communications.

They are permitted RSA, ElGamal, Eliptic, ... highly forced encryptions with the exclusion of the USofA territory because of his restrictive & stupid law.

Perfect is the enemy of the Good

The IETF and IAB has been saying this for years. The real trick
is getting the Security Directorate to recognize that the Perfect
Solution is the real enemy here. I.e., stop holding the 85%
solutions back as they seek their Holy Grail.

In Soviet Russia and Soviet Europe ...

The russians and europeans except englishmen like & guy this extra layer of security of this monstrous protocol IP256. Monstrous as torpedo or missile is better!!!

IP256 gives extra security in the background of the design thanks to the randomness of the packet's origin and to the improbability titanic of collisions of packets.

Russians and europeans dislike IPv6, it's too small to elaborate the randomness of 128 - (96 buyed by google) = 32 bits IPs!!!

So, Google doesn't need to buy 2^96 addresses of IPv6, a.k.a IP256, because the protocol of IP256 is totally different and it's based in the randomness of the IPs, not in the shopping of IPs.

Some user can have its own invented IP without buy it. Why to buy this random non-static IP that it's only a number?

Before it was impossible, after it's possible: "User A client" wants to connect "User B client", both with random IP256s, then they use the identities of their nicks, tips, authentications or certifications, and 3-handshake-distributed-anonymously-messages-proto col using always asymmetric encryption like RSA.

Rough consensus, and running code.

[ZWithaPGGB]

You're already seeing it with anti-Spam blacklists. People are blocking who they think don't behave well. Soon it will change to only allowing those they feel are. Like it or not, security in protocol enhancement is coming. If the OSS community resists it, then the only alternative will be the TCG/TPM, and we will have a network that forks, despite shared network layer protocols.
Just as the Linux community seems to have learned nothing from the way the tower of babel effect hamstrung unix, so it seems that IPV4 minimalists will cause the Internet to fork.

What else did you expect?

[(Score.5,+Interestin]

Russ is a security guy. I'd be rather surprised if his top priority was something other than... security.