Slashdot Mirror


GA Tech: Internet's Mid-Layers Vulnerable To Attack

An anonymous reader writes "Evolution has ossified the middle layers of the Internet, leaving it vulnerable but security breaches could be countered by diversification of protocols, according to Georgia Tech, which recommends new middle layer protocols whose functionality does not overlap, thus preventing 'unnatural selection.' Extinction sucks, especially when it's my favorite protocols like FTP."

21 of 166 comments

  1. It's hard to take seriously... by msauve · · Score: 4, Insightful

    an article which discusses "the six [sic] layers..."

    I understand that IP protocols predate the 7 layer ISO/OSI model, but that's what everything is mapped to in modern terms.

    The article seems even more confused, when it reverses the layers, claiming that "at layers five and six, where Ethernet and other data-link protocols such as PPP (Point-to-Point Protocol) communicate..."

    What are they teaching at GA Tech? This is networking 101.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:It's hard to take seriously... by JMZero · · Score: 2

      Variants of FTP are used widely in business to business transfers - sometimes secured with SSL, but often just by plaintext passwords, obscurity and/or IP whitelists. FTP is consistent between a large variety of platforms and lots of sysadmins like the simplicity of scripting, for example, a nightly FTP file transfer.

      Are there better solutions? Of course. But FTP is still very common - and lots of businesses still employ much more arcane tech than it. For a lot of businesses, terminal servers were a real boon, because now they could all connect to a single old desktop (which in turn has a much more arcane connection to some mainframe in a basement that everyone's scared of).

      It'll be a long time before FTP dies.

      --
      Let's not stir that bag of worms...
    2. Re:It's hard to take seriously... by mgiuca · · Score: 3, Informative

      I've never really been a fan of the OSI model. The idea of the hierarchy is great; sandwiching it into discrete layers seems problematic.

      Wikipedia's definition of the OSI model states that "there are seven layers, each generically known as an N layer. An N+1 entity requests services from the layer N entity." Makes sense. So, why are both ICMP and IP considered to be in layer 3? ICMP is built on top of IP, so it should be in the layer above IP, but it doesn't actually provide transport (or at least, isn't meant to). HTTP is in layer 7, but it can be sent directly on top of TCP, which is in layer 4, skipping over two layers. (Or it can be tunnelled over SSL, but still skipping layer 5.)

      I prefer to think of the IP stack being a directed acyclic graph of technologies, each depending on another, rather than an explicit linear division into layers.

    3. Re:It's hard to take seriously... by Pentium100 · · Score: 4, Informative

      Well, you can imagine a "null" layer that does nothing, just passes the data unmodified to the next layer.

      For example, HTTPS would be HTTP over SSL, SSL would be level 6 (presentation). If you use HTTP without SSL then level 6 is empty or uses the "null" protocol.

      ICMP is part of IP. While you could say that the ICMP packet is inside an IP packet, it is easier to imagine ICMP as just a part of IP, because it is used that way (for example, to signal that some other packet could not be delivered).

      Just because I can send the HTTP packet inside an Ethernet frame (without IP or TCP), does not mean that the model is broken, it's just that "null" is a valid protocol.

    4. Re:It's hard to take seriously... by lennier · · Score: 4, Informative

      So, why are both ICMP and IP considered to be in layer 3?

      Because the Internet protocols are not in fact part of the OSI model, despite lots of teaching materials claiming this. The neat little OSI layer diagrams you see with all the layers filled in are mostly retcons invented long after OSI was dead.

      The actual Internet protocol suite is not part of the OSI model but the 4-layer Internet model (Link, Internet, Transport, Application). Link is like OSI layers 1 and 2, Internet is like OSI Layer 3, Transport is like OSI Layer 4, Application is like OSI Layer 7, but there is no actual Internet equivalent of OSI's layers 5 and 6. Pretty much everything above 4 runs at Layer 7.

      In the Internet model, it makes perfect sense for DHCP, IP and ICMP and routing protocols like RIP and OSPF to be at the Internetworking level because they are both protocols dealing with datagram transmission between interconnecting disparate packet-switched services, while TCP and UDP are in the Transport layer because they make dealing with raw datagrams somewhat more pleasant.

      It would perhaps be sensible to invent a whole new layer model now that we have a lot more protocols. HTTP, for instance, should be a layer of its own, since so many things are now tunnelled over it. That would be sensible, though, so good luck.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    5. Re:It's hard to take seriously... by Animats · · Score: 2

      So, why are both ICMP and IP considered to be in layer 3? ICMP is built on top of IP.

      The real answer to that is that it's a Berkeley UNIXism. Some early TCP/IP implementations, including the one I worked on, had ICMP at a layer above IP, in the same layer with TCP and UDP. The Berkeley UNIX kernel, like other UNIX versions of the period, had real trouble communicating upward within the kernel, because this was before threads, let alone kernel threads.

      To get around that kernel limitation, ICMP was crammed in with IP. This had some downsides, including the demise of ICMP Source Quench for congestion control, which didn't fit well into the mode of ICMP as an error-reporting mechanism for IP.

    6. Re:It's hard to take seriously... by FireFury03 · · Score: 4, Informative

      It would perhaps be sensible to invent a whole new layer model now that we have a lot more protocols. HTTP, for instance, should be a layer of its own, since so many things are now tunnelled over it. That would be sensible, though, so good luck.

      Thinking of a fixed set of layers stops being useful as soon as you get moderately complex network setups because these days encapsulations tend to happen at all sorts of layers. Modern networks can probably be thought of more as a stack of protocols with the link layer at the bottom, application at the top and chopped up repetitive bits of the stack in the middle.

      e.g. take for example a modern connection to a website and we probably see this kind of stack:
      HTTP
      SSL
      TCP
      IP
      PPP
      PPPoE
      Ethernet
      ATM VC-Mux
      ATM
      G.922.5 data link layer
      Physical ADSL

      And that's just for a plain home ADSL connection. In more complex networks it is common to encapsulate stuff further, for example using GRE tunnels or IPSEC tunnels, and it isn't uncommon to see something more like:

      HTTP
      SSL
      TCP
      IP
      IPSEC ESP
      IPSEC AH
      IP
      Ethernet
      GRE
      IP
      GRE
      IP
      PPP
      PPPoE
      Ethernet
      ATM VC-Mux
      ATM
      G.922.5 data link layer
      Physical ADSL

      And you can keep adding encapsulation layers at pretty much any point in the stack.
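The stacks listed in the comment above are easier to reason about as a chain of "next header" pointers than as OSI slots, and that is also how a firewall has to treat them: a filter that only reads the outer IP header never sees the inner endpoints of a GRE tunnel. The following dissector is an added example, not code from the original thread. It walks Ethernet, IPv4, GRE and TCP headers by their demultiplexing fields, records any protocol number it does not recognise instead of dropping it, and builds its two sample frames inline (constructed, with documentation addresses) so it runs offline.

```python
import socket
import struct

# Added example, not from the original thread. Walks an encapsulation chain
# header by header (Ethernet -> IPv4 -> GRE -> IPv4 -> TCP ...) instead of
# assuming a fixed OSI slot per protocol. Sample frames are constructed below.

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_GRE = 47

# What each demultiplexing field selects as the next header.
ETHERTYPES = {ETHERTYPE_IPV4: "ipv4"}
IPPROTOS = {IPPROTO_TCP: "tcp", IPPROTO_GRE: "gre"}


def parse_ethernet(buf):
    _dst, _src, ethertype = struct.unpack("!6s6sH", buf[:14])
    return {"layer": "Ethernet", "ethertype": ethertype}, ETHERTYPES.get(ethertype, "unknown"), buf[14:]


def parse_ipv4(buf):
    (vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    hdr = {"layer": "IPv4", "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}
    return hdr, IPPROTOS.get(proto, "unknown"), buf[ihl:total_len]


def parse_gre(buf):
    # RFC 2784 base header: flags/version, then the EtherType of the payload.
    # The optional checksum (C), key (K) and sequence (S) fields add 4 bytes each.
    flags, proto_type = struct.unpack("!HH", buf[:4])
    hlen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return {"layer": "GRE", "proto_type": proto_type}, ETHERTYPES.get(proto_type, "unknown"), buf[hlen:]


def parse_tcp(buf):
    sport, dport = struct.unpack("!HH", buf[:4])
    doff = (buf[12] >> 4) * 4          # data offset in 32-bit words
    return {"layer": "TCP", "sport": sport, "dport": dport}, "payload", buf[doff:]


PARSERS = {"ethernet": parse_ethernet, "ipv4": parse_ipv4, "gre": parse_gre, "tcp": parse_tcp}


def dissect(frame):
    """Return the headers found, outermost first. Stops at application payload
    or at a header type this dissector does not know (recorded as 'unknown')."""
    layers, kind, buf = [], "ethernet", frame
    while kind in PARSERS and buf:
        hdr, kind, buf = PARSERS[kind](buf)
        layers.append(hdr)
    if kind == "unknown":
        layers.append({"layer": "unknown", "bytes": len(buf)})
    return layers


def innermost_ipv4(layers):
    """The IPv4 header a filter that only reads the outer header never sees."""
    return [h for h in layers if h["layer"] == "IPv4"][-1]


# --- builders for the constructed samples (checksums left zero on purpose) ---

def build_tcp(sport, dport, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload


def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_gre(proto_type, payload):
    return struct.pack("!HH", 0, proto_type) + payload


def build_ethernet(ethertype, payload):
    return bytes(range(6)) + bytes(range(6, 12)) + struct.pack("!H", ethertype) + payload


# Constructed sample 1: TCP 10.0.0.5:51234 -> 10.0.0.9:80 carried in GRE
# between tunnel endpoints 192.0.2.1 and 198.51.100.1 (documentation ranges).
GRE_SAMPLE = build_ethernet(ETHERTYPE_IPV4,
    build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_GRE,
        build_gre(ETHERTYPE_IPV4,
            build_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_TCP,
                build_tcp(51234, 80, b"GET / HTTP/1.0\r\n\r\n")))))

# Constructed sample 2: IP protocol 253 (reserved for experiments by RFC 3692),
# i.e. something other than TCP/UDP/ICMP riding directly on IP.
ODD_SAMPLE = build_ethernet(ETHERTYPE_IPV4,
    build_ipv4("192.0.2.7", "198.51.100.1", 253, b"\x00" * 8))

if __name__ == "__main__":
    for h in dissect(GRE_SAMPLE):
        print(h)
    print("inner destination:", innermost_ipv4(dissect(GRE_SAMPLE))["dst"])
    print(dissect(ODD_SAMPLE))
```

Adding PPP, PPPoE, ESP or a second GRE hop is a matter of adding a parser and an entry in the matching demultiplexing table; the loop does not care how many times IP appears in the chain.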

    7. Re:It's hard to take seriously... by Alioth · · Score: 4, Informative

      FTP (and FTPS) uses two ports: one fixed port number and the other random. You also have passive mode and "active" mode for FTP (but everyone these days uses passive, except one particularly backward vendor I had to deal with).

      This causes firewall headaches because now the packet filter must understand FTP and selectively punch holes in the firewall for the data connection, and close them when the data connection finishes. Either the packet filter in the OS kernel must understand FTP, or you must use an FTP proxy that can dynamically modify your packet filter rules.

      SFTP requires none of this. It works on a single port and this port doesn't change with each file you want to transfer or directory listing you want to see. You can also use the scp command which is much cleaner for scripting than writing FTP scripts. SFTP is a *lot* easier and cleaner to support, and the encryption is built right into the protocol, not added ad-hoc some time later.
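The "packet filter must understand FTP" point above is concrete enough to show: a stateful firewall's FTP helper watches the control channel for PORT commands (active mode) and 227/229 replies (passive mode), decodes the announced address and port, and opens a pinhole for exactly that data connection. The code below is an added example, not from the original thread or from any particular firewall. It also applies the check a careful helper needs: the announced address must be the address of the peer that sent it, otherwise a server (or client) can make the firewall open a hole towards a third party. The session transcript is constructed; the refusal of ports below 1024 is this example's own policy, not something FTP mandates.

```python
import re

# Added example, not from the original thread. Decodes the FTP control-channel
# lines that announce a data connection, the way a firewall helper must, and
# refuses announcements that point at an address other than the sending peer.

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")   # client, active mode
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")  # server, passive mode
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")                        # server, RFC 2428 EPSV


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2), rejecting out-of-range bytes."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("byte out of range in host/port tuple")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_data_connection(sender, line, client_ip, server_ip):
    """Return the data connection announced by one control-channel line as a dict
    {src, dst, dport, mode}, or None if the line announces none.
    Raises ValueError for announcements a helper must not honour."""
    m = PORT_RE.match(line)
    if m and sender == "C":
        ip, port = decode_hostport(m.groups())
        if ip != client_ip:
            raise ValueError(f"PORT announces {ip}, but control peer is {client_ip}")
        if port < 1024:
            raise ValueError("refusing privileged data port")        # example policy
        # Active mode: the server connects to the client's announced port.
        return {"src": server_ip, "dst": client_ip, "dport": port, "mode": "active"}

    m = PASV_RE.match(line)
    if m and sender == "S":
        ip, port = decode_hostport(m.groups())
        if ip != server_ip:
            raise ValueError(f"227 announces {ip}, but control peer is {server_ip}")
        if port < 1024:
            raise ValueError("refusing privileged data port")        # example policy
        # Passive mode: the client connects to the server's announced port.
        return {"src": client_ip, "dst": server_ip, "dport": port, "mode": "passive"}

    m = EPSV_RE.match(line)
    if m and sender == "S":
        port = int(m.group(1))
        if port < 1024:
            raise ValueError("refusing privileged data port")        # example policy
        # EPSV carries only a port; the address is the control peer by definition.
        return {"src": client_ip, "dst": server_ip, "dport": port, "mode": "passive"}
    return None


def pinholes(session, client_ip, server_ip):
    """Walk a (sender, line) transcript; return (allowed pinholes, rejected lines)."""
    allowed, rejected = [], []
    for sender, line in session:
        try:
            hole = expected_data_connection(sender, line, client_ip, server_ip)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        if hole:
            allowed.append(hole)
    return allowed, rejected


# Constructed transcript between client 192.0.2.10 and server 198.51.100.20.
# Note the password travels in the clear, which is the other half of the thread.
SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@example.org"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,20,195,80)."),    # port 50000
    ("C", "LIST"),
    ("S", "226 Directory send OK."),
    ("C", "PORT 192,0,2,10,200,4"),                                # port 51204
    ("S", "200 PORT command successful."),
    ("C", "RETR file.txt"),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||50001|)"),
    # A server announcing someone else's address: must not open a hole.
    ("S", "227 Entering Passive Mode (10,0,0,1,0,22)."),
]

if __name__ == "__main__":
    allowed, rejected = pinholes(SESSION, "192.0.2.10", "198.51.100.20")
    for hole in allowed:
        print("allow", hole)
    for line, why in rejected:
        print("reject", repr(line), "->", why)
```

Compare this with SFTP from the same comment: a single TCP connection to one port, so the filter needs no protocol parsing at all, and the bounce check above has no equivalent because there is nothing to announce.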

  2. How to mod article? by whoever57 · · Score: 3

    Surely this article should be modded "massive ignorance"! It's the simplicity of the middle layers that enables the development of the upper and lower levels. It also makes the middle layer much more immune to security issues.

    --
    The real "Libtards" are the Libertarians!
  3. So the internet is just like a human being then? by antifoidulus · · Score: 4, Funny

    Well, I know for myself a good swift "attack" on my "middle layer" does cause me to fall to the ground and writhe around for a while, so I guess the internet and I do have a lot in common, really vulnerable mid-sections.

  4. How did this article make it? by norpy · · Score: 3, Insightful

    Not only did they combine the presentation and application layers from the OSI model, they completely misunderstand WHY the transport layer is less diverse in number of protocols.

    They propose that we should create new transport protocols that do not overlap with existing ones.... The reason we only have a handful of them is because of the fact that there are not many ways to differentiate a transport protocol.

  5. Unstated, and important, assumptions? by fuzzyfuzzyfungus · · Score: 4, Insightful

    There seems to be the unstated(but vital to the conclusion asserted) assumption that competition actually makes protocols more secure and that competition must occur at the protocol level, rather than the implementation level. Without those assumptions holding, all this article really says is that people use TCP and UDP a lot. Yup. That they do.

    This seems like it might be true in the (not necessarily all that common) case of a protocol whose security is fucked-by-design competing with a protocol that isn't fundamentally flawed, in a marketplace with buyers who place a premium on security, rather than price, features, time-to-market, etc.

    Outside of that, though, much of the competition and security polishing seems to be at the level of competing implementations of the same protocols(and, particularly in the case of very complex ones, the de-facto modification of the protocol by abandonment of its weirder historical features). It also often seems to be the case that(unless you are in the very small formally-proven-systems-written-in-Ada market, or something of that sort) v1.0 of snazzynewprotocol is a bit of a clusterfuck, and is available in only a single implementation, also highly dubious, while the old standbys have been polished considerably and have a number of implementations available...

    1. Re:Unstated, and important, assumptions? by fuzzyfuzzyfungus · · Score: 2

      As best I can tell, after going back and reading the paper, TFA is a miserable hatchetjob that has almost nothing to do with the paper.

      The paper dealt with modeling the survival or culling of protocols at various layers, under various selection criteria, from a sort of evolutionary-biology standpoint. This did entail examining what conditions resulted in monoculture end states, and what conditions might result in stable multiple-protocols-at-each-layer end states; but all at the level of a fairly abstract model, not an empirical examination of the State of The Intertubes, or much specifically security-related material(In TFA's defense, the paper did suggest that, if you wanted a stable-state outcome with multiple middle layer protocols, they would have to be non-overlapping, which TFA managed to at least parrot accurately, and both agree that the internet as it exists is pretty much an IP monoculture; but the two otherwise bear surprisingly little resemblance to one another.)

      TFA seems to be the result of picking the page with the least math, skimming it, and then adding some security-related alarmism...

  6. Really? Why not link to the original paper? by Anonymous Coward · · Score: 5, Informative

    It's the very first Google hit, is still on a public server, and doesn't obviously distort the conclusions like TFSA in an effort to get more clicks. A+ for poorly crafted summaries, Slashdot.

    http://www.cc.gatech.edu/~sakhshab/evoarch.pdf

  7. Alrighty by khallow · · Score: 2

    security breaches could be countered by diversification of protocols, according to Georgia Tech, which recommends new middle layer protocols whose functionality does not overlap, thus preventing 'unnatural selection.'

    Let's have a lot of protocols right, but to prevent too much diversity (that is, stuff that doesn't work) we'll need to make sure these comply with one or two protocols that everyone will use...

    Hmmm, "Middle layer protocols whose functionality does not overlap"... does that mean that we prune the vast abundance of current protocols with sometimes overlapping functionality? I guess we could call that "diversification" though at this level of semantic mismatch, we could call it "Frank" with equal justification.

    I guess I'm not quite sold on the argument presented here.

  8. Other things hampering evolution by jhantin · · Score: 2

    Evolution at the middle layers is also hampered by the proliferation of middleboxes: monkeying with packet headers for policy-enforcement and profit. It's also pretty well de rigueur for IT departments to configure both middleboxes and "smart" switches to drop any unrecognized middle layer packets.

    --
    ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
  9. Re:Let FTP die already by colinrichardday · · Score: 2

    Let FTP die already. Clear text passwords suck.

    How do clear text passwords suck for anonymous FTP?

  10. Re:ossified? by JMZero · · Score: 5, Informative

    No - the figurative sense of ossified is correct and common. Petrified is usually used figuratively to mean something like "scared stiff". Ossified, in common figurative use, means that something has become stiff and inflexible (often through disuse or rot) - like tissue that has become bone.

    If you check a reasonable dictionary (eg. http://dictionary.cambridge.org/dictionary/british/ossify_1?q=ossified) you'll find this definition.

    --
    Let's not stir that bag of worms...
  11. Re:What we need is a P2P by spauldo · · Score: 3, Informative

    There are plenty of those already. NetBIOS is an example of a non-TCP/IP peer-to-peer filesharing protocol (I'm talking LANMAN style NetBIOS, not NetBIOS over TCP/IP). It doesn't route outside your local network though. There's the good ol' IPX/SPX, which can actually be routed if your router supports them - while not filesharing protocols in themselves, they do support some very well-established filesharing protocols. You could probably adapt bittorrent to work on IPX/SPX.

    The problem is we can't even get IPv6 routed on the internet, much less some obscure non-IP protocol. Hell, we never even really got all of IPv4 - multicast would have been great for streaming video if anyone had bothered to set up their routers for it.

    That being said, you don't need to use TCP and UDP. You can create new protocols to run over IP, and the internet will generally pass them (your local firewall might be a different story). They'll stick out like a sore thumb to anyone searching for them, though.

    --
    Those who can't do, teach. Those who can't teach either, do tech support.
  12. What are you talking about? by reiisi · · Score: 3, Informative

    ARPANET predates the OSI model, and the current Internet Protocols came after the definition of the OSI stuff. (That's a little hard to see in the current wikipedia articles, but it's there.) The IETF in fact deliberately chose to combine two of the OSI layers.

    The article does have some issues. I'm not sure if the author actually doesn't understand the paper he or she is trying to summarize. Maybe the intent was to make it easier for the lay person to understand. But there is some creativity going on, and parts of the summary don't really reflect the paper.

    The paper itself is offering a framework of analysis of the evolution of the Internet Protocols. It might have been interesting to see a bit more analysis of ARPANET and some of the other protocols the IP protocols eventually replaced. It might have been interesting to see them address the OSI model a bit more, but the OSI model never was really implemented fully, and might be considered not part of the evolution.

    I see that they take IPv6 up as a competitor of IPv4 instead of the heir apparent, which is probably a useful thing to do, if we want to understand why so many IT managers are still failing to move in a timely manner.

    I'm not sure I understand their work well enough to either agree or disagree, but I think it offers food for thought, including the idea that IPv4/6 doesn't actually have to be the only protocol existing at that layer.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  13. Re:Let FTP die already by Lehk228 · · Score: 2

    why should they, they have it installed on YOUR mainframe

    --
    Snowden and Manning are heroes.