GA Tech: Internet's Mid-Layers Vulnerable To Attack

An anonymous reader writes "Evolution has ossified the middle layers of the Internet, leaving it vulnerable but security breaches could be countered by diversification of protocols, according to Georgia Tech, which recommends new middle layer protocols whose functionality does not overlap, thus preventing 'unnatural selection.' Extinction sucks, especially when it's my favorite protocols like FTP."

It's hard to take seriously...

[msauve]

an article which discusses "the six [sic] layers..."

I understand that IP protocols predate the 7 layer ISO/OSI model, but that's what everything is mapped to in modern terms.

The article seems even more confused, when it reverses the layers, claiming that "at layers five and six, where Ethernet and other data-link protocols such as PPP (Point-to-Point Protocol) communicate..."

What are they teaching at GA Tech? This is networking 101.

Re:It's hard to take seriously...

[Pentium100]

Well, you can imagine a "null" layer that does nothing, just passes the data unmodified to the next layer.

For example, HTTPS would be HTTP over SSL, SSL wouls be level 6 (presentation). If you use HTTP without SSL then level 6 is empty or uses the "null" protocol.

ICMP is part of IP, while you could say that the ICMP packet is inside an IP packet it is easier to imagine ICMP as just a part of IP, because it is used that way (for example, to signal that some other packet could not be delivered).

Just because I can send the HTTP packet inside an Ethernet frame (without IP or TCP), does not mean that the model is broken, it's just that "null" is a valid protocol.

Re:It's hard to take seriously...

[lennier]

So, why are both ICMP and IP considered to be in layer 3?

Because the Internet protocols are not in fact part of the OSI model, despite lots of teaching materials claiming this. The neat little OSI layer diagrams you see with all the layers filled in are mostly retcons invented long after OSI was dead.

The actual Internet protocol suite is not part of the OSI model but the 4-layer Internet model (Link, Internet, Transport, Application). Link is like OSI layers 1 and 2, Internet is like OSI Layer 3, Transport is like OSI Layer 4, Application is like OSI Layer 7, but there is no actual Internet equivalent of OSI's layers 5 and 6. Pretty much everything above 4 runs at Layer 7.

In the Internet model, it makes perfect sense for DHCP, IP and ICMP and routing protocols like RIP and OSPF to be at the Internetworking level because they are both protocols dealing with datagram transmission between interconnecting disparate packet-switched services, while TCP and UDP are in the Transport layer because they make dealing with raw datagrams somewhat more pleasant.

It would perhaps be sensible to invent a whole new layer model now that we have a lot more protocols. HTTP, for instance, should be a layer of its own, since so many things are now tunnelled over it. That would be sensible, though, so good luck.

Re:It's hard to take seriously...

[FireFury03]

It would perhaps be sensible to invent a whole new layer model now that we have a lot more protocols. HTTP, for instance, should be a layer of its own, since so many things are now tunnelled over it. That would be sensible, though, so good luck.

Thinking of a fixed set of layers stops being useful as soon as you get moderately complex network setups because these days encapsulations tend to happen at all sorts of layers. Modern networks can probably be thought of more as a stack of protocols with the link layer at the bottom, application at the top and chopped up repetitive bits of the stack in the middle.

e.g. take for example a modern connection to a website and we probably see this kind of stack:
HTTP
SSL
TCP
IP
PPP
PPPoE
Ethernet
ATM VC-Mux
ATM
G.922.5 data link layer
Physical ADSL

And that's just for a plain home ADSL connection. In more complex networks it is common to encapsulate stuff further, for example using GRE tunnels or IPSEC tunnels, and it isn't uncommon to see something more like:

HTTP
SSL
TCP
IP
IPSEC ESP
IPSEC AH
IP
Ethernet
GRE
IP
GRE
IP
PPP
PPPoE
Ethernet
ATM VC-Mux
ATM
G.922.5 data link layer
Physical ADSL

And you can keep adding encapsulation layers at pretty much any point in the stack.

Re:It's hard to take seriously...

[Alioth]

FTP (and FTPS) uses two ports: one fixed port number and the other random. You also have passive mode and "active" mode for FTP (but everyone these days uses passive, except one particularly backward vendor I had to deal with).

This causes firewall headaches because now the packet filter must understand FTP and selectively punch holes in the firewall for the data connection, and close them when the data connection finishes. Either the packet filter in the OS kernel must understand FTP, or you must use an FTP proxy that can dynamically modify your packet filter rules.

SFTP requires none of this. It works on a single port and this port doesn't change with each file you want to transfer or directory listing you want to see. You can also use the scp command which is much cleaner for scripting than writing FTP scripts. SFTP is a *lot* easier and cleaner to support, and the encryption is built right into the protocol, not added ad-hoc some time later.

So the internet is just like a human being then?

[antifoidulus]

Well, I know for myself a good swift "attack" on my "middle layer" does cause me to fall to the ground and writhe around for a while, so I guess the internet and I do have a lot in common, really vulnerable mid-sections.

Unstated, and important, assumptions?

[fuzzyfuzzyfungus]

There seems to be the unstated(but vital to the conclusion asserted) assumption that competition actually makes protocols more secure and that competition must occur at the protocol level, rather than the implementation level. Without those assumptions holding, all this article really says is that people use TCP and UDP a lot. Yup. That they do.

This seems like it might be true in the (not necessarily all that common) case of a protocol whose security is fucked-by-design competing with a protocol that isn't fundamentally flawed, in a marketplace with buyers who place a premium on security, rather than price, features, time-to-market, etc.

Outside of that, though, much of the competition and security polishing seems to be at the level of competing implementations of the same protocols(and, particularly in the case of very complex ones, the de-facto modification of the protocol by abandonment of its weirder historical features). It also often seems to be the case that(unless you are in the very small formally-proven-systems-written-in-Ada market, or something of that sort) v1.0 of snazzynewprotocol is a bit of a clusterfuck, and is available in only a single implementation, also highly dubious, while the old standbys have been polished considerably and have a number of implementations available...

Really? Why not link to the original paper?

It's the very first Google hit, is still on a public server, and doesn't obviously distort the conclusions like TFSA in an effort to get more clicks. A+ for poorly crafted summaries, Slashdot.

http://www.cc.gatech.edu/~sakhshab/evoarch.pdf

Re:ossified?

[JMZero]

No - the figurative sense of ossified is correct and common. Petrified is usually used figuratively to mean something like "scared stiff". Ossified, in common figurative use, means that something has become stiff and inflexible (often through disuse or rot) - like tissue that has become bone.

If you check a reasonable dictionary (eg. http://dictionary.cambridge.org/dictionary/british/ossify_1?q=ossified) you'll find this definition.