Information security: Does the network have a role to play?

From FIpedia

Jump to: navigation, search


The Disagreement

Background

In order to reason about security, one must first understand the nature of the threat, the nature of the assets to be protected and the value that can be attributed to them. Unfortunately, the analyses present in conventional information security standards (e.g. ISO 27000 series) are not readily applicable to the Internet as a whole. The Internet is part physical infrastructure - owned or controlled by a wide range of different stakeholders, which is understandable in terms of conventional information security standards, albeit with a much greater number of much more diverse stakeholders than one would conventionally expect. However, its underlying value, and that for which end users are prepared to pay, is in the emergent connectivity that it facilitates as a result of the interconnection of that infrastructure (at a range of layers throughout the stack), the suitability of that connectivity to support the types of traffic that people wish to generate, and the availability of appropriate connectivity at the time that users wish to make use of it. Amongst the many possible definitions of the term ‘security’ there are two forms of attack that we will consider here:

  1. Attacks on the confidentiality, authenticity, or timeliness of information traversing the Internet and the appropriateness of end-to-end mechanisms for both protecting against that attack and ensuring appropriate lawful access to content.
  2. Attacks on the availability of connectivity, specifically the role of the network in filtering out undesirable traffic that impacts the ability of end users to obtain service in a timely and appropriate way.

Attacks on the security of information

A variety of end-to-end mechanisms already exist for the protection of information on a network - fom IPSEC to SSL/TLS. There are a variety of management issues that relate to the binding of identity to key that make these mechanisms impracticable for arbitrary connections between end hosts, and debates over this issue have delayed, for example, the standardisation of mobile IPv6, leading to the use of path diversity in return routability as a means of securing binding updates. More fundamentally, however, there are three major problems with end-to-end security.

  1. Lawful interception. It has been argued in the past that mechanisms for lawful interception (covert surveillance) should either be built into security protocols or imposed as a simple legal requirement of the use of any encryption scheme. Various governments have explored the possiility of their use, generally in the face of public opposition.
  2. The presumption that end devices are capable of executing appropriate encryption algorithms. Whilst this is true for many devices, the computational costs of encrypting and decrypting information are significant, particularly for the most popular forms of public key algorithms. In a world of pervasive computing devices, in which a spectrum of computational abilities exist, it is not clear that the true end point is actually the most appropriate target for end-to-end encryption. Whilst gateways can be used in some circumstances, in the case of wearable (mobile) devices the physical security environment might change rapidly and unpredictably and ergonomics might dictate that more powerful gateways are unusable.
  3. Defining the nature of an end point. Some current protocols use the identity of a node as specified by, say, its address in IPSEC, in defining a security association. IP addresses are identifiers containing internal structure that is used in routing, rather than UIDs that denote (dynamically changing groups of) nodes, individuals or suppliers of particular services. Thus they do not work well as identifiers for SAs in systems for which it is not true that a node can be defined by the route used to reach it - for example in multihomed or ad hoc networks.

Attacks on the availability of connectivity

There are many forms of denial of service attack, again operating at all levels of the stack, from jamming wireless connections, through various forms of flooding attack to SPAM, SPIT, and SPIM. Forms of attack that cause unnecessary increase in energy consumption can range from irritating and/or expensive in the case of devices that might otherwise be powered down to critical in the case of battery powered devices. We have a number of factors in play:

  • large numbers of network nodes are not, and are never likely to be, secured to the point where it is economically unviable for the malicious to take effective control of them, and to use them to effect, or amplify, an attack
  • what to one person is mobile phone signal jamming is an opportunity for a quiet restaurant meal to another - what constitutes a denial of service attack is, to some extent, determined personally and on the basis of information contained within packets rather than simply the identity of the sender. Unsolicited interaction from unknown parties can be welcome or harmful, again depending on context. There are, clearly, extremes that would be generally accepted as outside the pale, but defining where such boundaries lie is hard and partly dependent on the motivation of the attacker.
  • detecting, identifying and stopping attacks close to the source of the attack is beneficial, because the minimum amount of network is impacted. Whether filtering within the network is an appropriate solution to the problem, a protection of the morals of society, a denial of my 'right' to receive whatsoever I please, or a potential means of effecting denial of service attacks on legitimate traffic are open questions.

Privacy

Whilst not directly related to issues of security, the extent to which any putative security mechanism permits or requires the identity of an individual to be made visible (and to whom) is not immaterial to the likely acceptability of that mechanism. Visibility here could be defined as simple mapping between online and actual identity or, for example, linkability of pseudonyms. In the absence of a universal PKI-like trust structure, the linkability of different interactions (and degree of difficulty in forging or changing identity) is useful in determining trust and this is in turn useful in establishing the rights to control (c.f. MIPv6 BU messages). Moreover, the linkability of online and offline identities is useful in ensuring appropriate punishment for inappropriate behaviour or for filtering traffic, amongst other things. However, if one takes the view that some models of governmental organisation are preferable to others, it is clear that the same mechanisms can be used to punish individuals for behaviour that may locally be declared unlawful, where that judgement might not be seen as an appropriate characterisation from a wider perspective.

Disagreement

In any technological system, particularly any system relating to security, a set of (human) values are embedded by design choices, whether these are made explicit or not. In the end, the role of security in this context can be summarised as

  1. questions of choice (in effect policy) - over who sees what of our data, with whom we interact, and the extent to which we are prepared to accept particular forms of unsolicited interaction.
  2. questions of jurisdiction and control (policy enforcement) - the most effective mechanisms for which require the cooperation of parties with whom we may share only a common desire to see benign network operating conditions.

The nature of the disagreement here lies in the extent to which we should embed governmental (societal) and/or individual control over permissible content, sources/destinations, tunnelling, traffic patterns, etc. into the network infrastructure and protocols, at what level, and what checks and balances must exist to ensure that such control is not abused (i.e. that it works as intended). This is partly a question of architectural choice, and partly a question of whether to permit or assist the imposition of control strategies by others that would appear to be unconscionable from one’s own perspective.


Viewpoint 1

Summary

...more

Viewpoint 2

Summary

...more

Moderator

Stephen Hailes

Leave a Comment

Name (required):

Comment:


RaeHarbird said ...

related topics:

  • identification and authentication;
  • whether to embed in the network?

--RaeHarbird 11:51, 7 June 2009 (EDT)

David Clark said ...

I think this question is perhaps one of the most important ones to be asked about a future Internet. However, I think it needs to be framed more carefully before we can see if we disagree.

We must first agree what what is meant by "security" (and how the word is scoped) and by "network" (and, again, what is within scope).

The question was posed in terms of "information security", which may have been meant as a narrowing of "all of security". If so, then one could exploit a version of the end-to-end argument to say that if information is signed by the creator, and validated by the receiver, then the problems of integrity and disclosure can be left to the end-points. That leaves availability as the network problem, but availability is (after all) the central objective of the network architecture, so all of network design can get swept up.

If by network we mean "routers", then we can take one point of view about availability. However, I would assert that a future Internet will be defined by requirements at all "layers", and by devices that are not routers.

Based on all of this, I would say that this topic is not so much a disagreement as a point where we need to compare alternative architectural proposals.

I would hesitate to try to describe my proposal in a comment box...

--Ddc 20:13, 21 June 2009 (EDT)

Ian Brown said ...

Integrity still seems to be best tackled E2E, not least because it leaves the two parties to decide what authentication they find acceptable for their needs and whether transactions need to be linked to an individual or not (various zero-knowledge proofs and other cryptographic techniques can be used to prove authorisation without any link to a given user or pseudonym).

For similar reasons as well as the impact on privacy, confidentiality is best provided E2E. The two-party negotiation can include the specification of ciphers that are feasible to a minimally-resourced endpoint (and will usually be symmetric, not public-key, outside the key establishment phase). However, for traffic-flow confidentiality, you also need support from onion routers, mixes and the like within/on the network -- this might be made more efficient in a future Internet, but you would need to weigh the efficiency gain against the privacy loss of having increasingly regulated ISPs running such devices.

Availability is the key network architecture issue, and often neglected by the security peeps (no ciphers required ;) But even here, there are some interesting reliablity qualities that can be provided E2E -- see Yochai Benkler's Peer Production of Survivable Critical Infrastructures for one set of interesting ideas.

--Ian.brown 07:22, 26 August 2009 (EDT)

Retrieved from "http://fipedia.org/fipedia/index.php?title=Information_security:_Does_the_network_have_a_role_to_play%3F"
Personal tools