IAB Details Transport, Security Efforts

By: Carolyn Duffy Marsan

Date: March 6, 2015

The Internet Architecture Board (IAB) highlighted two of its programmes—IP Stack Evolution and Privacy and Security—during a technical plenary session held during IETF 91 in Honolulu in November.

Joe Hildebrand reported on the activities of the IAB’s Internet Protocol (IP) Stack Evolution Programme, which is studying the implications of how the IP stack is evolving as a result of dual-stack communications supporting IPv4 and IPv6. Further, more applications are being built for Transport Layer Security (TLS) and Hypertext Transfer Protocol (HTTP), which add two more layers between TCP and applications.

These trends result in the IP stack evolving from a normal hourglass shape to a taller, thinner hourglass with separate stems for IPv4 and IPv6. The new IP stack makes it harder to innovate at the transport layer, Hildebrand said.

“Some things envisioned by protocol developers are not as accessible to application programmers as is desired,” he said. “This means that there are not as many opportunities to add new security. Even if one fixes the interface, there is the matter of middleboxes.”

Hildebrand pointed out that middleboxes aren’t evil; they serve a purpose and solve a problem. Although Internet engineers prefer end-to-end communications, the majority of paths are broken due to widespread deployment of middleboxes such as network address translators (NATs).

As a starting point for its IP Stack effort, the IAB is considering a proposal for a new layer on top of UDP, dubbed udp35, to provide a partial defense against middleboxes.

“UDP gives us a partial defense against middleboxes, provides port multiplexing and works from userspace,” Hildebrand said, adding that the new UDP-based protocol would provide hooks for policy decisions and would facilitate the evolution of Internet-over-HTTP applications.

The IAB’s IP Stack Evolution Programme was formed to provide guidance and coordinate efforts by several IETF working groups: Transport Services (TAPS), TCP Increased Security (TCPINC), and Active Queue Management (AQM). The programme hopes to evolve interfaces to transport and network-layer services and improve path transparency in the presence of firewalls and middleboxes.

In addition, the IAB hosted a workshop on Stack Evolution in a Middlebox Internet (SEMI) in Zurich in January 2015. IETF participants were invited to read the workshop report when it is eventually published.

“The aim of the workshop is to get people from research and industry working in this space together to refine the scope and solution space considered by the program,” Hildebrand said.

Ted Hardie reported on the IAB’s Privacy and Security Programme. He noted that the programme is focused on three challenges. First, Internet protocols are developed as building blocks and thus security and privacy protections are piecemeal. Second, security approaches presume that attackers have resources on par with those available to secure the system. Third, many systems breach confidentiality to simplify the delivery of services or meet other requirements.

To address these challenges, the IAB’s Privacy and Security Programme is split into three streams of work: Internet-Scale Resilience, Confidentiality, and Trust.

The Internet-Scale Resilience stream, led by Brian Trammell, is doing work on route hijacking, Distributed Denial of Service (DDoS), and related attacks. Documents are planned that will describe the available mitigations and work with related IETF programmes to limit the development of protocols that offer amplification opportunities to attackers.

The Confidentiality stream, led by Joe Hall, is working on threat models related to surveillance. An IAB statement on the applicability of cleartext protocols is in progress.

The Trust stream, led by Karen O’Donoghue, is working on public-key infrastructure, trying to understand how to work with multiple sources of truth within a system. Planned work includes a threat-model document as well as an IAB statement on designing protocols with multiple sources of truth.

In response to a question during the open mic session, Hardie encouraged IETF participants to email the IAB’s Privacy and Security Programme with relevant threats or issues raised in IETF working groups.

In administrative news, the IETF is putting its RFC Production Center contract out to bid and is experimenting with writing labs at the IETF meetings in order to help authors improve their documents.

In addition, Sally Wentworth briefed the IETF community about the International Telecommunication Union (ITU) Plenipotentiary Conference. The Conference featured discussions on privacy, surveillance, human rights, policy affordability, and sovereignty. She said the ITU did not expand its scope with respect to Internet operational issues. In addition, the ITU treaty and official definitions remain the same.

Wentworth said she believes the outreach the IETF has undertaken with policymakers over the last few years is paying off.

“The work done in home countries to bring greater knowledge about the technical work does have a bearing on how policy discussions play out,” she said.