summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc1636.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc1636.txt')
-rw-r--r--doc/rfc/rfc1636.txt2915
1 files changed, 2915 insertions, 0 deletions
diff --git a/doc/rfc/rfc1636.txt b/doc/rfc/rfc1636.txt
new file mode 100644
index 0000000..38fca5e
--- /dev/null
+++ b/doc/rfc/rfc1636.txt
@@ -0,0 +1,2915 @@
+
+
+
+
+
+
+Network Working Group R. Braden
+Request for Comments: 1636 ISI
+Category: Informational D. Clark
+ MIT Laboratory for Computer Science
+ S. Crocker
+ Trusted Information Systems, Inc.
+ C. Huitema
+ INRIA, IAB Chair
+ June 1994
+
+
+ Report of IAB Workshop on
+
+ Security in the Internet Architecture
+
+ February 8-10, 1994
+
+Status of this Memo
+
+ This memo provides information for the Internet community. This memo
+ does not specify an Internet standard of any kind. Distribution of
+ this memo is unlimited.
+
+Abstract
+
+ This document is a report on an Internet architecture workshop,
+ initiated by the IAB and held at USC Information Sciences Institute
+ on February 8-10, 1994. This workshop generally focused on security
+ issues in the Internet architecture.
+
+ This document should be regarded as a set of working notes containing
+ ideas about security that were developed by Internet experts in a
+ broad spectrum of areas, including routing, mobility, realtime
+ service, and provider requirements, as well as security. It contains
+ some significant diversity of opinions on some important issues.
+ This memo is offered as one input in the process of developing viable
+ security mechanisms and procedures for the Internet.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 1]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+Table of Contents
+
+ 1. INTRODUCTION .................................................. 2
+ 2. OVERVIEW ...................................................... 4
+ 2.1 Strategic and Political Issues ........................... 4
+ 2.2 Security Issues .......................................... 4
+ 2.3 DNS Names for Certificates ............................... 7
+ 3. FIREWALL ARCHITECTURE ......................................... 9
+ 3.1 Introduction ............................................. 9
+ 3.2 Application-Layer Firewalls .............................. 11
+ 3.3 IP-Layer Firewalls ....................................... 12
+ 4. SECURE QOS FORWARDING ......................................... 21
+ 4.1 The Requirement for Setup ................................ 21
+ 4.2 Securing the Setup Process. .............................. 22
+ 4.3 Validating an LLID ....................................... 24
+ 4.4 Dynamics of Setup ........................................ 28
+ 4.5 Receiver-Initiated Setup ................................. 30
+ 4.6 Other Issues ............................................. 30
+ 5. AN AUTHENTICATION SERVICE ..................................... 35
+ 5.1 Names and Credentials .................................... 36
+ 5.2 Identity-Based Authorization ............................. 37
+ 5.3 Choosing Credentials ..................................... 38
+ 6. OTHER ISSUES .................................................. 39
+ 6.1 Privacy and Authentication of Multicast Groups ........... 39
+ 6.2 Secure Plug-and-Play a Must .............................. 41
+ 6.3 A Short-Term Confidentiality Mechanism ................... 42
+ 7. CONCLUSIONS ................................................... 44
+ 7.1 Suggested Short-Term Actions ............................. 44
+ 7.2 Suggested Medium-Term Actions ............................ 46
+ 7.3 Suggested Long-Term Actions .............................. 46
+ APPENDIX A -- Workshop Organization .............................. 48
+ Security Considerations .......................................... 52
+ Authors' Addresses ............................................... 52
+
+1. INTRODUCTION
+
+ The Internet Architecture Board (IAB) holds occasional workshops
+ designed to consider long-term issues and strategies for the
+ Internet, and to suggest future directions for the Internet
+ architecture. This long-term planning function of the IAB is
+ complementary to the ongoing engineering efforts performed by working
+ groups of the Internet Engineering Task Force (IETF), under the
+ leadership of the Internet Engineering Steering Group (IESG) and area
+ directorates.
+
+ An IAB-initiated workshop on the role of security in the Internet
+ Architecture was held on February 8-10, 1994 at the Information
+ Sciences Institute of the University of Southern California, in
+
+
+
+Braden, Clark, Crocker & Huitema [Page 2]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ Marina del Rey, California. This RFC reports the results of the
+ workshop.
+
+ In addition to the IAB members, attendees at this meeting included
+ the IESG Area Directors for the relevant areas (Internet, Transport,
+ Security, and IPng) and a group of 15 other experts in the following
+ areas: IPng, routing, mobility, realtime service, and security (see
+ Appendix for a list of attendees). The IAB explicitly tried to
+ balance the number of attendees from each area of expertise.
+ Logistics limited the attendance to about 30, which unfortunately
+ meant that many highly qualified experts were omitted from the
+ invitation list.
+
+ In summary, the objectives of this workshop were (1) to explore the
+ interconnections between security and the rest of the Internet
+ architecture, and (2) to develop recommendations for the Internet
+ community on future directions with respect to security. These
+ objectives arose from a conviction in the IAB that the two most
+ important problem areas for the Internet architecture are scaling and
+ security. While the scaling problems have led to a flood of
+ activities on IPng, there has been less effort devoted to security.
+
+ Although some came to the workshop eager to discuss short-term
+ security issues in the Internet, the workshop program was designed to
+ focus more on long-term issues and broad principles. Thus, the
+ meeting began with the following ground rule: valid topics of
+ discussion should involve both security and at least one from the
+ list: (a) routing (unicast and multicast), (b) mobility, and (c)
+ realtime service. As a basis for initial discussion, the invitees
+ met via email to generate a set of scenarios (see Appendix)
+ satisfying this ground rule.
+
+ The 30 attendees were divided into three "breakout" groups, with each
+ group including experts in all the areas. The meeting was then
+ structured as plenary meetings alternating with parallel breakout
+ group sessions (see the agenda in Appendix). On the third day, the
+ groups produced text summarizing the results of their discussions.
+ This memo is composed of that text, somewhat rearranged and edited
+ into a single document.
+
+ The meeting process determined the character of this document. It
+ should be regarded as a set of working notes produced by mostly-
+ autonomous groups, containing some diversity of opinions as well as
+ duplication of ideas. It is not the output of the "security
+ community", but instead represents ideas about security developed by
+ a broad spectrum of Internet experts. It is offered as a step in a
+ process of developing viable security mechanisms and procedures for
+ the Internet.
+
+
+
+Braden, Clark, Crocker & Huitema [Page 3]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+2. OVERVIEW
+
+ 2.1 Strategic and Political Issues
+
+ Despite the workshop emphasis on architectural issues, there was
+ considerable discussion of the real-politik of security.
+
+ For a number of years, the IETF, with IAB backing, has worked on
+ developing PEM, which provides email security with a great deal of
+ functionality. A question was repeatedly raised at the workshop:
+ why has user acceptance of PEM been slow? A number of answers to
+ this question were suggested.
+
+ (a) High-quality implementations have been slow in coming.
+
+ (b) The use of a patented technology, the RSA algorithm, violates
+ social conventions of the Internet.
+
+ (c) Export restrictions dampen vendor enthusiasm.
+
+ (d) PEM currently depends upon a certificate hierarchy for its
+ names, and certificates form a new and complex name space.
+ There is no organizational infrastructure in place for creat-
+ ing and managing this name space.
+
+ (e) There is no directory infrastructure available for looking up
+ certificates.
+
+ The decision to use X.500 has been a complete failure, due to
+ the slow deployment of X.500 in the Internet. Because of UDP
+ packet size restrictions, it is not currently feasible to
+ store certificates in the DNS, even if the DNS were expanded
+ to hold records for individual email users.
+
+ It seems probable that more than one, and possibly all, of these
+ reasons are at work to discourage PEM adoption.
+
+ The baleful comment about eating: "Everything I enjoy is either
+ immoral, illegal, or fattening" seems to apply to the cryptography
+ technology that is required for Internet security.
+
+ 2.2 Security Issues
+
+ Almost everyone agrees that the Internet needs more and better
+ security. However, that may mean different things to different
+ people. Four top-level requirements for Internet security were
+ identified: end-to-end security, end-system security, secure QOS,
+ and secure network infrastructure.
+
+
+
+Braden, Clark, Crocker & Huitema [Page 4]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ A. End-to-End Security
+
+ One requirement is to support confidentiality, authentication
+ and integrity for end-to-end communications. These security
+ services are best provided on an end-to-end basis, in order
+ to minimize the number of network components that users must
+ trust. Here the "end" may be the end system itself, or a
+ proxy (e.g., a firewall) acting on behalf of an end system.
+
+ For point-to-point applications, the workshop felt that
+ existing security techniques are well suited to support
+ confidentiality, authentication and integrity services
+ efficiently. These existing techniques include symmetric
+ encryption applied on an end-to-end basis, message digest
+ functions, and key management algorithms. Current work in
+ these areas in the IETF include the PEM and Common
+ Authentication Technologies working groups.
+
+ The group favored a strategic direction for coping with
+ export restrictions: separate authentication from privacy
+ (i.e., confidentiality). This will allow work to proceed on
+ authentication for the Internet, despite government
+ restrictions on export of privacy technology. Conversely, it
+ will allow easy deployment of privacy without authentication,
+ where this is appropriate.
+
+ The workshop explored the implications of multicasting for
+ end-to-end security. Some of the unicast security techniques
+ can be applied directly to multicast applications, while
+ others must be modified. Section 6.2 contains the results of
+ these discussions; in summary, the conclusions were:
+
+ a) Existing technology is adequate to support
+ confidentiality, authentication, and integrity at the
+ level of an entire multicast group. Supporting
+ authentication and integrity at the level of an
+ individual multicast source is performance-limited and
+ will require technology advances.
+
+ b) End-to-end controls should be based on end system or
+ user identifiers, not low level identifiers or locator
+ information. This requirement should spawn engineering
+ work which consists of applying known key distribution
+
+
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 5]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ and cryptographic techniques.
+
+ B. End-System Security
+
+ Every host has its own security defenses, but the strength of
+ these defenses depends upon the care that is taken in
+ administering them. Careful host security administration
+ means plugging security holes in the kernel and applications
+ as well as enforcing discipline on users to set good (hard to
+ crack) passwords.
+
+ Good security administration is labor-intensive, and
+ therefore organizations often find it difficult to maintain
+ the security of a large number of internal machines. To
+ protect their machines from outside subversion, organizations
+ often erect an outer security wall or "perimeter". Machines
+ inside the perimeter communicate with the rest of the
+ Internet only through a small set of carefully managed
+ machines called "firewalls". Firewalls may operate at the
+ application layer, in which case they are application relays,
+ or at the IP layer, in which case they are firewall routers.
+
+ The workshop spent considerable time on the architecture of
+ firewall routers. The results are contained in Section 3.
+
+ C. Secure QOS
+
+ The Internet is being extended to provide quality-of-service
+ capabilities; this is the topic called "realtime service" in
+ the workshop. These extensions raise a new set of security
+ issues for the architecture, to assure that users are not
+ allowed to attach to resources they are not authorized to
+ use, both to prevent theft of resources and to prevent denial
+ of service due to unauthorized traffic. The resources to be
+ protected include link shares, service classes or queues,
+ multicast trees, and so on. These resources are used as
+ virtual channels within the network, where each virtual
+ channel is intended to be used by a particular subset or
+ "class" of packets.
+
+ Secure QOS, i.e., protection against improper virtual channel
+ usage, is a form of access control mechanism. In general it
+ will be based on some form of state establishment (setup)
+ that defines authorized "classes". This setup may be done
+ via management configuration (typically in advance and for
+ aggregates of users), or it may be done dynamically via
+ control information in packets or special messages (typically
+ at the time of use by the source or receiver(s) of the
+
+
+
+Braden, Clark, Crocker & Huitema [Page 6]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ flow/data). In addition to state establishment, some form of
+ authentication will be needed to assure that successive
+ packets belong to the established class. The general case to
+ be solved is the multicast group, since in general the
+ multicast problem includes the two-party case as a subset.
+ The workshop developed an approach to the secure QOS problem,
+ which appears in Section 4 below.
+
+ D. Secure Network Infrastructure
+
+ Network operation depends upon the management and control
+ protocols used to configure and operate the network
+ infrastructure, including routers and DNS servers. An attack
+ on the network infrastructure may cause denial-of-service
+ from the user viewpoint, but from the network operators'
+ viewpoint, security from attack requires authentication and
+ integrity for network control and management messages.
+
+ Securing the routing protocols seems to be a straightforward
+ engineering task. The workshop concluded the following.
+
+ a) All routing information exchanges should be
+ authenticated between neighboring routers.
+
+ b) The sources of all route information should be
+ authenticated.
+
+ c) Although authenticating the authority of an injector of
+ route information is feasible, authentication of
+ operations on that routing information (e.g.,
+ aggregation) requires further consideration.
+
+ Securing router management protocols (e.g., SNMP, Telnet,
+ TFTP) is urgent, because of the currently active threats.
+ Fortunately, the design task should be a straightforward
+ application of existing authentication mechanisms.
+
+ Securing DNS is an important issue, but it did not receive
+ much attention at the workshop.
+
+ 2.3 DNS Names for Certificates
+
+ As noted in Section 2.1, work on PEM has assumed the use of X.509
+ distinguished names as the basis for issuing certificates, with
+ public-key encryption. The most controversial discussion at the
+ workshop concerned the possibility of using DNS (i.e., domain)
+ names instead of X.509 distinguished names as (at least) an
+ interim basis for Internet security.
+
+
+
+Braden, Clark, Crocker & Huitema [Page 7]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ The argument in favor of DNS names is that they are simple and
+ well understood in the Internet world. It is easy for a computer
+ operating in the Internet to be identified this way, and users who
+ receive email on such machines already have DNS mailbox names. In
+ contrast, introducing X.509 distinguished names for security will
+ add a new layer of names. Most importantly, there is an existing
+ administrative model for assigning DNS names. There is no
+ administrative infrastructure for assigning X.509 distinguished
+ names, and generating them may be too complex for early
+ acceptance. The advocates of DNS names for certificates hope that
+ using DNS names would encourage the widespread use of security in
+ the Internet. It is expected that DNS names can be replaced later
+ by a more capable naming mechanism such as X.509-based
+ certificates.
+
+ The basic argument against DNS names as a basis for security is
+ that they are too "weak". Their use may lead to confusion in many
+ instances, and this confusion can only grow as more organizations
+ and individuals attach to the Internet. Some commercial email
+ systems employ numeric mailbox names, and in many organizations
+ there are uncertainties such as whether "bumber@foo.edu" belongs
+ to Bill Umber or Tom Bumber. While it is feasible to make DNS
+ names more descriptive, there is a concern that the existing
+ infrastructure, with millions of short, non-descriptive names,
+ will be an impediment to adoption of more descriptive names.
+
+ It was noted that the question of what name space to use for
+ certificates is independent of the problem of building an
+ infrastructure for retrieving those names. Because of UDP packet
+ size restrictions, it would not be feasible to store certificates
+ in the DNS without significant changes, even if the DNS were
+ expanded to hold records for individual email users.
+
+ The group was unable to reach a consensus on the issue of using
+ DNS names for security; further discussion in the Internet
+ community is needed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 8]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+3. FIREWALL ARCHITECTURE
+
+ 3.1 Introduction
+
+ A firewall may be used to isolate a specific connected segment of
+ Internet topology. When such a segment has multiple links to the
+ rest of the Internet, coordinated firewall machines are required
+ on all the links.
+
+ Firewalls may be implemented at different layers in the protocol
+ stack. They are most commonly implemented at the application
+ layer by forwarding (application) gateways, or at the IP
+ (Internet) layer by filtering routers. Section 3.2 discusses
+ application gateways. Section 3.3 concerns Internet-layer
+ firewalls, which filter IP datagrams entering or leaving a
+ security perimeter.
+
+ The general architectural model for a firewall should separate
+ policy, i.e., determining whether or not the requester of a
+ service should be granted access to that service, from control,
+ i.e., limiting access to resources to those who have been granted
+ access.
+
+ 3.1.1 The Use for Firewalls
+
+ Firewalls are a very emotional topic in the Internet community.
+ Some community members feel the firewall concept is very
+ powerful because firewalls aggregate security functions in a
+ single place, simplifying management, installation and
+ configuration. Others feel that firewalls are damaging for the
+ same reason: they provide "a hard, crunchy outside with a soft
+ chewy center", i.e., firewalls foster a false sense of
+ security, leading to lax security within the firewall
+ perimeter. They observe that much of the "computer crime" in
+ corporate environments is perpetrated by insiders, immune to
+ the perimeter defense strategy. Firewall advocates counter
+ that firewalls are important as an additional safeguard; they
+ should not be regarded as a substitute for careful security
+ management within the perimeter. Firewall detractors are also
+ concerned about the difficulty of using firewalls, requiring
+ multiple logins and other out-of-band mechanisms, and their
+ interference with the usability and vitality of the Internet.
+
+ However, firewalls are a fact of life in the Internet today.
+ They have been constructed for pragmatic reasons by
+ organizations interested in a higher level of security than may
+ be possible without them. This section will try to outline
+ some of the advantages and disadvantages of firewalls, and some
+
+
+
+Braden, Clark, Crocker & Huitema [Page 9]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ instances where they are useful.
+
+ Consider a large organization of thousands of hosts. If every
+ host is allowed to communicate directly with the outside world,
+ attackers will attempt to penetrate the organization by finding
+ the weakest host in the organization, breaching its defenses,
+ and then using the resources of that host to extend the
+ penetration further within the organization. In some sense,
+ firewalls are not so much a solution to a security problem as
+ they are a reaction to a more basic software
+ engineering/administration problem: configuring a large number
+ of host systems for good security. If this more basic problem
+ could be solved, firewalls would generally be unnecessary.
+
+ It is interesting to consider the effect that implementing a
+ firewall has upon various individuals in the organization.
+ Consider first the effect upon an organization's most secure
+ host. This host basically receives little or no extra
+ protection, because its own perimeter defenses are as strong or
+ stronger than the firewall. In addition, the firewall will
+ probably reduce the connectivity available to this host, as
+ well as the reliability of the communications path to the
+ outside world, resulting in inconvenience to the user(s) of
+ this host. From this (most secure) user's point of view, the
+ firewall is a loss.
+
+ On the other hand, a host with poor security can "hide" behind
+ the firewall. In exchange for a more limited ability to
+ communicate with the outside world, this host can benefit from
+ the higher level of security provided by the firewall, which is
+ assumed to be based upon the best security available in the
+ entire organization. If this host only wants to communicate
+ with other hosts inside the organization, the outside
+ communications limitations imposed by the firewall may not even
+ be noticed. From this host's viewpoint, better security has
+ been gained at little or no cost.
+
+ Finally, consider the point of view of the organization as a
+ whole. A firewall allows the extension of the best security in
+ the organization across the whole organization. This is a
+ benefit (except in the case where all host perimeter defenses
+ in the organization are equal). Centralized access control
+ also becomes possible, which may be either a benefit or a cost,
+ depending upon the organization. The "secure" hosts within the
+ organization may perceive a loss, while the "unsecure" hosts
+ receive a benefit. The cost/benefit ratio to the organization
+ as a whole thus depends upon the relative numbers of "secure"
+ and "unsecure" hosts in the organization.
+
+
+
+Braden, Clark, Crocker & Huitema [Page 10]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ Consider some cases where firewalls do not make sense. An
+ individual can be thought of as an organization of one host.
+ The security of all the host(s) is thus (trivially) identical,
+ and by definition the best available to the organization. In
+ this case the choice of firewall is simple. Does this
+ individual wish to communicate with the outside or not? If
+ not, then the "perfect" firewall is implemented (by complete
+ disconnection). If yes, then the host perimeter will be the
+ same as the firewall perimeter, so a firewall becomes
+ unnecessary.
+
+ Another interesting case is an organization that consists of
+ individuals with few shared interests. This might be the case
+ of a service provider that sells public access to the network.
+ An unrelated community of subscribers should probably be
+ considered as individuals, rather than an organization.
+ Firewalls for the whole organization may make little sense in
+ this case.
+
+ To summarize, the benefit of a firewall depends upon the nature
+ of the organization it protects. A firewall can be used to
+ extend the best available protection within the organization
+ across the entire organization, and thus be of benefit to large
+ organizations with large numbers of poorly administered hosts.
+ A firewall may produce little or no perceived benefit, however,
+ to the individuals within an organization who have strong host
+ perimeters already.
+
+ 3.2 Application-Layer Firewalls
+
+ An application-layer firewall can be represented by the following
+ diagram.
+
+ C <---> F <---> S
+
+ Here the requesting client C opens its transport connection to the
+ firewall F rather than directly to the desired server S. One
+ mechanism for redirecting C's request to F's IP address rather
+ than S's could be based on the DNS. When C attempts to resolve
+ S's name, its DNS lookup would return a "service redirection"
+ record (analogous to an MX record) for S. The service redirection
+ record would return the IP address of F.
+
+ C enters some authentication conversation to identify itself to F,
+ and specifies its intention to request a specific service from S.
+ F then decides if C is authorized to invoke this service. If C is
+ authorized, F initiates a transport layer connection to S and
+ begins the operation, passing requests and responses between C and
+
+
+
+Braden, Clark, Crocker & Huitema [Page 11]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ S.
+
+ A major advantage of this scenario over an IP-layer firewall is
+ that raw IP datagrams are never passed through the firewall.
+ Because the firewall operates at the application layer, it has the
+ opportunity to handle and verify all data passing through it, and
+ it may be more secure against illicit rendezvous attacks (see
+ below).
+
+ Application layer firewalls also have important disadvantages.
+ For full benefit, an application level firewall must be coded
+ specifically for each application. This severely limits the
+ deployment of new applications. The firewall also represents a
+ new point of failure; if it ceases to be reachable, the
+ application fails. Application layer firewalls also may affect
+ performance more than IP-layer firewalls, depending on specific
+ mechanisms in use.
+
+ 3.3 IP-Layer Firewalls
+
+ Our model of an IP-layer firewall is a multi-ported IP router that
+ applies a set of rules to each incoming IP datagram, to decide
+ whether it will be forwarded. It is said to "filter" IP
+ datagrams, based on information available in the packet headers.
+
+ A firewall router generally has a set of filtering rules, each of
+ which specifies a "packet profile" and an "action". The packet
+ profile specifies values for particular header fields, e.g.,
+ source and destination IP address, protocol number, and other
+ suitable source and destination identifying information (for
+ instance, port numbers). The set of possible information that may
+ be used to match packets is called an "association". The exact
+ nature of an association is an open issue.
+
+ The high-speed datagram forwarding path in the firewall processes
+ every arriving packet against all the packet profiles of all
+ active rules, and when a profile matches, it applies the
+ corresponding action. Typical actions may include forwarding,
+ dropping, sending a failure response, or logging for exception
+ tracking. There may be a default rule for use when no other rule
+ matches, which would probably specify a drop action.
+
+ In addition to the packet profile, some firewalls may also use
+ some cryptographic information to authenticate the packet, as
+ described below in section 3.3.2.
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 12]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ 3.3.1 Policy Control Level
+
+ This section presents a model for the control of a firewall
+ router, with some examples of specific mechanisms that might be
+ used.
+
+ 1. A client C attempts to access a service S. (Client here
+ can mean either a person or a process - that also is an
+ issue to be resolved.)
+
+ 2. The initiation of access to that service may result in an
+ attempt to cross one or more boundaries of protection via
+ firewall router(s).
+
+ 3. The policy control level sets filters in the firewall
+ router(s), to permit or deny that attempt.
+
+ The policy control level consists of two distinct functions,
+ authentication and authorization. Authentication is the
+ function of verifying the claimed identity of a user. The
+ authentication function should be distributed across the
+ Internet, so that a user in one organization can be
+ authenticated to another organization. Once a user is
+ authenticated, it is then the job of the authorization service
+ local to the resource being requested to determine if that user
+ is authorized to access that resource. If authorization is
+ granted, the filter in the firewall can be updated to permit
+ that access.
+
+ As an aid to understanding the issues, we introduce a
+ particular detailed mechanism. We emphasize that this
+ mechanism is intended only as an illustrative example; actual
+ engineering of the mechanism will no doubt lead to many
+ changes. Our mechanism is illustrated by the following sketch.
+ Here a user wishes to connect from a computer C behind firewall
+ F1, to a server S behind firewall F2. A1 is a particular
+ authentication server and Z1 is a particular authorization
+ server.
+
+ C <-------> F1 <-------> F2 <-------> S
+ \ /
+ \_____ /
+ \ \ /
+ A1 Z1
+
+ C attempts to initiate its conversation by sending an initial
+ packet to S. C uses a normal DNS lookup to resolve S's name,
+ and uses normal IP routing mechanisms. C's packet reaches
+
+
+
+Braden, Clark, Crocker & Huitema [Page 13]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ firewall router F1, which rejects the packet because it does
+ not match any acceptable packet profile. F1 returns an
+ "Authentication Required" error indication to C, including a
+ list of authentication/authorization servers that F1 trusts.
+ This indication might be a new type of ICMP Destination
+ Unreachable packet, or some other mechanism for communicating
+ with C.
+
+ When C receives the error indication, authenticates itself with
+ A1, one of the authentication servers listed in the error
+ indication, after validating A1's identity. C then requests
+ authorization from server Z1 (using a ticket provided by A1),
+ informs Z1 of the application it wishes to perform, and
+ provides a profile for the packets it wishes to pass through
+ F1. Z1 then performs an authorization function to decide
+ whether to allow C to penetrate F1. If C is to be allowed, Z1
+ then informs the firewall F1 to allow packets matching the
+ packet profile to pass through the firewall F1.
+
+ After C's packets penetrate F1, they may again be rejected by a
+ second firewall F2. C could perform the same procedures with
+ authentication server A2 and authorization server Z2, which F2
+ trusts. This is illustrated by the following schematic diagram
+ of the sequence of events.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 14]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+
+ ----------+--------+--------+------------+------------+----
+ | C | A1 | Z1 | F1 | F2 | S
+ ----------+--------+--------+------------+------------+----
+ | Sends pkt| | | | |
+ | to S ----------------------->Intercept;| |
+ | | | | requires | |
+ | | | |authenticat'n |
+ | <------------------------------- | |
+ |Auth'cate | | | | |
+ | C to A1 ----> | | | |
+ | |Provide | | | |
+ | <------- ticket| | | |
+ | Request | | | | |
+ |authoriz'n| | | | |
+ | -------------------> Is C| | |
+ | | |allowed?| | |
+ | | | OK ---------> | |
+ |Resend | | | Set filter | |
+ | first pkt| | | | |
+ | to S -------------------------->(OK)------>Intercept;|
+ | | | | | requires |
+ | | | | |authenticat'n
+ | <------------------------------------------- |
+ | (Repeat | | | | |
+ |procedure | | | | |
+ with A2,Z2)| | | | |
+ | ... | | | | |
+ |Resend | | | | |
+ | first pkt| | | | |
+ | ------------------------------>(OK)--------(OK)------>
+ | | | | | |
+ -----------+--------+--------+------------+------------+----
+
+
+ Again, we emphasize that this is only intended as a partial
+ sketch of one possible mechanism. It omits some significant
+ issues, including the possibility of asymmetric routes (see
+ 3.3.3 below), and the possibility that the profiles may be
+ different in the two directions between C and S.
+
+ We could imagine generalizing this to an arbitrary sequence of
+ firewalls. However, security requires that each of the
+ firewalls be able to verify that data packets actually come
+ from C. This packet authentication problem, which is discussed
+ in the next section, could be extremely difficult if the data
+ must traverse more than one or possibly two firewalls in
+ sequence.
+
+
+
+Braden, Clark, Crocker & Huitema [Page 15]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ A firewall router may require re-authentication because:
+
+ * it has been added to the path by a routing change, or
+
+ * it has timed out the profile entry, or
+
+ * it has been newly re-activated, perhaps after a crash that
+ lost its list of acceptable profiles.
+
+ If C contacts authentication and authorization servers that S
+ trusts, C may utilize tickets given it by these servers when
+ initiating its use of S, and avoid re-authenticating itself to
+ S.
+
+ Although the authentication server A1 and the authorization
+ server Z1 are conceptually separate, they may run on the same
+ computer or router or even be separate aspects of a single
+ program. The protocol that C speaks to an An, the protocol
+ that C speaks to a Zn, and the protocol that Zn speaks to Fn
+ are not specified in these notes. The authentication mechanism
+ used with An and the packet profile required by a firewall Fn
+ are considered matters of policy.
+
+ 3.3.2 Source Authentication
+
+ We next consider how to protect against spoofing the IP source
+ address, i.e., injecting packets that are alleged from come
+ from C but do not. There are three classes of mechanisms to
+ prevent such spoofing of IP-level firewalls. The mechanisms
+ outlined here are also discussed in Section 4.3 below.
+
+ o Packet Profile Only
+
+ The lowest level of security consists of allowing the IP-
+ layer firewall to filter packets purely on the basis of
+ the packet profile. This is essentially the approach used
+ by filtering routers today, with the addition of (1)
+ authentication and authorization servers to control the
+ filtering profiles, and (2) the automatic "Authentication
+ Required" notification mechanism. This approach provides
+ almost no security; it does not prevent other computers
+ from spoofing packets that appear to be transmitted by C,
+ or from taking over C's transport level connection to S.
+
+ o Sealed Packets
+
+ In the second level of security, each packet is "sealed"
+ with a secure hash algorithm. An authentication server Ai
+
+
+
+Braden, Clark, Crocker & Huitema [Page 16]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ chooses a secret and shares it with the source host S and
+ also with the authorization server Zi, which shares the
+ secret with the firewall Fi. Every packet that C
+ transmits contains a hash value that depends upon both the
+ contents of the packet and the secret value. The firewall
+ Fi can compute the same hash function and verify that the
+ packet was originated by a computer that knew the shared
+ secret.
+
+ This approach does raise issues of how much C trusts Zi
+ and Fi. Since they know C's secret, Zi or Fi could spoof
+ C. If C does not trust all Z's and F's in its path, a
+ stronger mechanism (see below) is needed.
+
+ A more difficult problem arises in authenticating C's
+ packets when more than one firewall lies in the path.
+ Carrying a separate seal for each firewall that is
+ penetrated would be costly in terms of packet size. On
+ the other hand, in order to use a single seal, all the
+ firewalls would have to cooperate, and this might require
+ a much more complex mechanism than the one sketched in the
+ previous section. Morever, it may require mutual trust
+ among all of the authentication servers Ai and
+ authorization servers Zi; any of these servers could
+ undermine all the others. Another possibility to be
+ investigated is to use hop-by-hop rather than end-to-end
+ authentication of C's packets. That is, each firewall
+ would substitute into the packet the hash needed by the
+ next firewall.
+
+ Multi-firewall source authentication is a difficult
+ problem that needs more investigation.
+
+ o Packet Signatures
+
+ In the third level of security, each packet is "signed"
+ using a public/private key algorithm. C shares its public
+ key with Zn, which shares it with Fn. In this scenario, C
+ can safely use one pair of keys for all authorization
+ servers and firewalls. No authorization server or
+ firewall can spoof C because they cannot sign packets
+ correctly.
+
+ Although packet signing gives a much higher level of
+ security, it requires public key algorithms that are
+ patented and currently very expensive to compute; their
+ time must be added to that for the hash algorithm. Also,
+ signing the hash generally makes it larger.
+
+
+
+Braden, Clark, Crocker & Huitema [Page 17]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ 3.3.3 Other Firewall Issues
+
+ o Performance
+
+ An Internet-layer firewall has the advantage of generality
+ and flexibility. However, filtering introduces a
+ potential performance problem. Performance may depend
+ upon the number and position of the packet fields used for
+ filtering, and upon the number of rules against which a
+ packet has to be matched.
+
+ Denial of service attacks require that the per-packet rule
+ matching and the drop path be able to keep up with the
+ interface speed.
+
+ o Multicasting
+
+ To allow multicast traffic to penetrate a firewall, the
+ rule that is needed should be supplied by the receiver
+ rather than the sender. However, this will not work with
+ the challenge mechanism outlined in Section 3.3.1, since
+ "Authentication Required" notifications would be sent to
+ the sender, not to the receiver(s).
+
+ Multicast conversations may use any of the three levels of
+ security described in the previous section, but all
+ firewalls will have to share the same secret with the
+ originator of the data stream. That secret would have to
+ be provided to the receivers through other channels and
+ then passed to the firewalls at the receivers' initiative
+ (in much the same way that resources are reserved at
+ receiver's initiative in RSVP).
+
+ o Asymmetric Routing
+
+ Given a client computer C utilizing a service from another
+ computer C through a firewall F: if the packets returning
+ from S to C take a different route than packets from C to
+ S, they may encounter another firewall F' which has not
+ been authorized to pass packets from S to C (unlike F,
+ which has been). F' will challenge S rather than C, but S
+ may not have credentials to authenticate itself with a
+ server trusted by F'.
+
+ Fortunately, this asymmetric routing situation is not a
+ problem for the common case of single homed administrative
+ domains, where any asymmetric routes converge at the
+ firewall.
+
+
+
+Braden, Clark, Crocker & Huitema [Page 18]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ o Illicit Rendezvous
+
+ None of these mechanisms prevent two users on opposite
+ sides of a firewall from rendezvousing with a custom
+ application written over a protocol that may have been
+ authorized to run through a firewall.
+
+ For example, if an organization has a policy that certain
+ information is sensitive and must not be allowed outside
+ its premises, a firewall will not be enough to enforce
+ this policy if users are able to attach sensitive
+ information to mail and send it outside to arbitrary
+ parties. Similarly, a firewall will not prevent all
+ problems with incoming data. If users import programs and
+ execute them, the programs may have Trojan horses which
+ disclose sensitive information or modify or delete
+ important data. Executable code comes in many, many
+ forms, including PostScript files, scripts for various
+ interpreters, and even return addresses for sendmail. A
+ firewall can detect some of these and scan for some forms
+ of potentially hazardous code, but it cannot stop users
+ from transforming things that look like "data" into
+ programs.
+
+ We consider these problems to be somewhat outside the
+ scope of the firewall router mechanism. It is a matter of
+ the policies implemented by the organization owning the
+ firewalls to address these issues.
+
+ o Transparency for Security Packets
+
+ For the mechanisms described above to operate, the
+ "Authentication Required" notification and the
+ authentication/authorization protocol that is used between
+ the client computer and the authentication and
+ authorization servers trusted by a firewall, must be
+ passed by all firewalls automatically. This might be on
+ the basis of the packet profiles involved in security.
+ Alternatively, firewall routers might serve as
+ application-layer firewalls for these types of
+ communications. They could then validate the data they
+ pass to avoid spoofing or illicit rendezvous.
+
+ 3.3.4 Firewall-Friendly Applications
+
+ Firewall routers have problems with certain communication
+ patterns where requests are initiated by the server, including
+ callbacks and multiple connections (e.g., FTP). It was
+
+
+
+Braden, Clark, Crocker & Huitema [Page 19]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ suggested that it would be useful to have guidelines to
+ application designers to help them to build 'firewall-friendly
+ applications'. The following guidelines were suggested:
+
+ 1) no inbound calls (the xterm problem),
+
+ 2) fixed port numbers (no portmapper or tcpmux),
+
+ 3) integral redirection is good (application gateways),
+
+ 4) no redirection in the protocol,
+
+ 5) 32 bit sequence numbers that are crypto-strong random #'s,
+ and
+
+ 6) fixed length and number of header fields.
+
+ Type fields are good, but they may not be needed if there are
+ fixed port numbers.
+
+ 3.3.5 Conclusions
+
+ Compared to an application-layer firewall, an IP-layer firewall
+ scheme could provide a number of benefits:
+
+ - No extra authentication is required for end hosts.
+
+ - A single authentication protocol can be used for all
+ intended applications.
+
+ - An IP-layer firewall causes less performance degradation.
+
+ - An IP-layer firewall may be able to crash and recover
+ state without disturbing open TCP connections.
+
+ - Routes can shift without disturbing open TCP connections.
+
+ - There is no single point of failure.
+
+ - It is independent of application.
+
+ However, there are substantial difficult design issues to be
+ solved, particularly in the areas of multiple firewalls,
+ assymmetric routes, multicasting, and performance.
+
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 20]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+4. SECURE QOS FORWARDING
+
+ When the Internet supports special qualities-of-service (QOS) for
+ particular packet flows, there will be a new set of security
+ problems. There will be a need to authenticate and authorize users
+ asking for those QOS values that are expensive in network resources,
+ and it will be necessary to prevent theft of these resources and
+ denial-of-service attacks by others. This section contains a
+ conceptual model for these problems, which we may call secure QOS
+ forwarding. The issues here differ from end-to-end security and
+ firewalls, because QOS forwarding security may need to be enforced at
+ every router along a path.
+
+ It was noted that this is not a new problem; it was stated and solved
+ in a theoretical way in a thesis by Radia Perlman.
+
+ 4.1 The Requirement for Setup
+
+ Setup is an essential part of any QOS mechanism. However, it may
+ be argued that there are also good engineering reasons for setup
+ in any Internet-layer security mechanism, even without QOS
+ support. In the abstract, one could imagine a pure datagram model
+ in which each IP packet separately carried the necessary
+ authorizations for all the stages in the forwarding path.
+ Realistically, this is not practical, since the security
+ information may be both unacceptably large and computationally
+ demanding for inclusion in every packet. This seems to imply the
+ need for some form of state setup for security.
+
+ Thus, we presume a two stage process that moves somewhat away from
+ the pure datagram model. In the first stage, the setup stage,
+ some state is established in the routers (and other network
+ elements) that describes how a subsequent stream of packets is to
+ be treated. In the second stage, the classification stage, the
+ arriving packets are matched with the correct state information
+ and processed. The terminology in use today calls these different
+ state descriptions "classes", and the process of sorting
+ "classification".
+
+ Setup can take many forms. It could be dynamic, invoked across
+ the network by an application as described above. The setup
+ process could also be the manual configuration of a router by
+ means of a protocol such as SNMP or remote login. For example, a
+ network link, such as a link across the Atlantic, might be shared
+ by a number of users who purchase it jointly. They might
+ implement this sharing by configuring a router with
+ specifications, or filters, which describe the sorts of packets
+ that are permitted to use each share. Whether the setup is
+
+
+
+Braden, Clark, Crocker & Huitema [Page 21]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ dynamic or manual, short-lived or semi-permanent, it has the same
+ effect: it creates packet classes in the router and defines how
+ packets are to be classified as they arrive.
+
+ Much of the current research on extensions to IP for QOS, such as
+ realtime service, has assumed an explicit setup phase and a
+ classification stage. The setup stage is accomplished using
+ protocols such as RSVP or ST-II, which also specify how the
+ subsequent classification is to be done. Security at the setup
+ stage would thus simply be an extension to such a protocol. It
+ should be noted that there are alternative proposals for realtime
+ QOS, based on an implicit setup process.
+
+ 4.2 Securing the Setup Process.
+
+ To secure the setup process, we require that a setup request be
+ accompanied by user credentials that provide a trustworthy
+ assurance that the requester is known and is authorized to make
+ the request in question. We refer to the credentials used in the
+ setup phase as the high-level identification (HLID).
+
+ A simple version of this authorization would be a password on the
+ management interface to a router (the limitations of such a
+ password scheme are well known and not the issue here). In the
+ case of setup requests made by individual applications, some
+ user-specific authorization must be assumed.
+
+ While there could be any number of ways to organize the HLIDs, the
+ objective of scaling suggests that a global framework for user
+ naming and authentication would be useful. The choice of naming
+ framework is discussed further in Section 5. Note that this
+ discussion, which concerns controlling access to network resources
+ and security devices, is distinct from end-to-end authentication
+ and access control; however, the same authentication
+ infrastructure could be used for both.
+
+ In general, while significant engineering effort will be required
+ to define a setup architecture for the Internet, there is no need
+ to develop new security techniques. However, for the security
+ aspects of the classification process, there are significant
+ problems related to performance and cost. We thus focus on that
+ aspect of the overall framework in more detail.
+
+ Above, we defined the high-level ID (HLID) as that set of
+ information presented as part of a setup request. There may also
+ be a "low-level ID" (LLID), sometimes called a "cookie", carried
+ in each packet to drive classification. In current proposals for
+ IP extensions for QOS, packets are classified based on existing
+
+
+
+Braden, Clark, Crocker & Huitema [Page 22]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ packet fields, e.g., source and destination addresses, ports, and
+ protocol type.
+
+ It is important to note that the LLID is distinct from the address
+ of the user, at least conceptually. By stressing this distinction
+ we make the point that the privileges of the user are not
+ determined by the address in use. If the user's address changes,
+ the privileges do not.
+
+ The LLID in a packet acts as a form of tag that is used by some or
+ all routers along a path to make decisions about the sort of QOS
+ that shall be granted to this packet. An LLID might refer to a
+ data stream between a single source-destination address pair, or
+ it might be more general and encompass a range of data streams.
+ There is no requirement that the LLID embody a syntax that permits
+ a router to discern the QOS parameters that it represents, but
+ there also is no prohibition against imposing such a structure.
+
+ We propose that an IP datagram contain one LLID, which can be used
+ at various stages of the network to map the packet to a class. We
+ reject the alternative that the packet should have a variable
+ number of LLIDs, each one for a different point in the net.
+ Again, this is not just a security comment, but it has security
+ implications.
+
+ The attributes of the LLID should be picked to match as broad a
+ range of requirements as possible.
+
+ * Its duration (discussed below) must match both the needs of
+ the security protocol, balancing robustness and efficiency,
+ and the needs of the application, which will have to deal
+ with renewal of the setup when the LLID expires. A useful
+ end-node facility would be a service to renew setup requests
+ automatically.
+
+ * The degree of trust must be high enough to meet the most
+ stringent requirement we can reasonably meet.
+
+ * The granularity of the LLID structure must permit packet
+ classification into classes fine-grained enough for any
+ resource selection in the network. We should therefore
+ expect that each separate stream of packets from an
+ application will have a distinct LLID. There will be little
+ opportunity for aggregating multiple streams under one LLID
+ or one authenticator.
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 23]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ 4.3 Validating an LLID
+
+ At a minimum, it is necessary to validate the use of an LLID in
+ context, i.e., to ensure that it is being asserted in an
+ authorized fashion. Unauthorized use of an LLID could result in
+ theft of service or denial-of-service attacks, where packets not
+ emitted by an authorized sender are accorded the QOS treatment
+ reserved for that sender (or for a group of which the sender is a
+ member). Thus, use of an LLID should be authenticated by routers
+ that make QOS decisions based on that LLID. (Note that not all
+ routers may "pay attention" to the LLID.)
+
+ In principle, the validity of an LLID assertion needs to be
+ checked on every packet, though not necessarily at every router;
+ it may be possible to restrict the checks to security perimeters.
+ At those routers that must validate LLIDs, there is an obvious
+ concern over the performance impact. Therefore, a router may
+ adopt a less rigorous approach to LLID validation. For example, a
+ router may elect to sample a data stream and validate some, but
+ not all, packets. It may also elect to forward packets first and
+ perform selective validation as a background activity. In the
+ least stringent approach, a router might log selected packets and
+ validate them as part of an audit activity much later.
+
+ There are several candidate techniques for validating the use of
+ LLIDs. We have identified three basic techniques, which differ in
+ terms of computational performance, bandwidth overhead, and
+ effectiveness (resistance to various forms of attack).
+
+ * Digital Signatures
+
+ The first technique entails the use of public key
+ cryptography and digital signatures. The sender of each
+ packet signs the packet (header and payload) by computing a
+ one-way hash over the packet and transforming the hash value
+ using a private key associated with the LLID. The resulting
+ authenticator value is included in the packet header. The
+ binding between the public key and the LLID is established
+ through a connection setup procedure that might make use of
+ public keys that enjoy a much longer lifetime. Using public
+ key technology yields the advantage that any router can
+ validate a packet, but no router is entrusted with data that
+ would enable it to generate a packet with a valid
+ authenticator (i.e., which would be viewed as valid by other
+ routers.) This characteristic makes this technique ideal
+ from the standpoint of the "principle of least privilege."
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 24]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ Public key cryptosystems such as RSA have the advantage that
+ validation of a signature is much faster than signing, which
+ reduces the router processing burden. Nonetheless, this
+ approach is not likely to be feasible for anything other than
+ selective checking by routers, given current public key
+ algorithm performance.
+
+ * Sealing
+
+ The next technique is based on the use of the same type of
+ one-way hash function used for digital signatures, but it
+ does not require signing the hash value. Here the sender
+ computes a one-way hash with a secret quantity (essentially a
+ "key") appended to the packet. This process is an example of
+ what is sometimes referred to more generically as
+ cryptographic "sealing." The inclusion of this key at the
+ end of the hash computation results in a hash value that is
+ not predictable by any entity not possessing the key. The
+ resulting hash value is the authenticator and is included in
+ the packet header. A router validates a packet by
+ recomputing the hash value over the received packet with the
+ same secret quantity appended. If the transmitted hash value
+ matches the recomputed hash value, the packet is declared
+ valid. Unlike the signature technique, sealing implies that
+ all routers capable of verifying a seal are also capable of
+ generating (forging) a seal. Thus, this technique requires
+ that the sender trust the routers not to misuse the key.
+
+ This technique has been described in terms of a single secret
+ key shared between the sender and all the routers that need
+ to validate packets associated with an LLID. A related
+ alternative strategy uses the same authenticator technique,
+ but shares the secret key on a pairwise basis, e.g., between
+ the sender and the first router, between the first router and
+ the next, etc. This avoids the need to distribute the secret
+ key among a large group of routers, but it requires that the
+ setup mechanism enable Router A to convince his neighbor
+ (Router B) that Router A is authorized to represent traffic
+ on a specific LLID or set of LLIDs. This might best be done
+ by encapsulating the packet inside a wrapper that both ends
+ of the link can validate. Once this strategy is in place, it
+ may even be most efficient for routers to aggregate traffic
+ between them, providing authentication not on a per-LLID
+ basis, since the router pairs are prepared to "trust" one
+ another to accurately represent the data stream LLIDs.
+
+ For a unicast data stream, the use of pairwise keying between
+ routers does not represent a real change in the trust
+
+
+
+Braden, Clark, Crocker & Huitema [Page 25]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ required of the routers or of the setup mechanism, because of
+ the symmetric sharing of the secret key. However, for a
+ multicast connection, this pairwise keying approach is
+ superior in that it prevents a router at one point in a
+ multicast tree from being able to generate traffic that could
+ be inserted at another point in the tree. At worst, a router
+ can generate spurious, but authenticatable, traffic only for
+ routers "below" it in the multicast tree.
+
+ Note that the use of network management fault isolation
+ techniques, e.g., sampling router traffic statistics at
+ different points along a data stream, should permit post hoc
+ detection of packet forgery attacks mounted by rogue routers
+ along a data stream path. Use of this technique could
+ provide a deterrent to such activity by routers, further
+ arguing for the pairwise keying approach.
+
+ The sealing technique is faster than the digital signature
+ technique, because the incremental hash calculation
+ (including the appended secret quantity) is much faster than
+ the cryptographic transformation required to sign a hash.
+ The processing burden is symmetric here, i.e., the sender and
+ each router devote the same amount of processing power to
+ seal a packet and to verify the seal. Also, a sealed hash
+ may be smaller than a signed hash, even if the same function
+ is used in both cases. (This is because the modulus size of
+ the public key signature algorithm and any ancillary
+ parameters tend to increase the size of the signed hash
+ value.) Moreover, one could use a hash function with a
+ "wide" value and truncate that value, if necessary to reduce
+ overhead; this option is not available when the authenticator
+ is a signed hash value.
+
+ As a variant on this technique, one could imagine a
+ "clearinghouse" that would receive, from the sender, the
+ secret key used to generate and validate authenticators. A
+ router needing to validate a packet would send a copy of the
+ packet to the clearinghouse, which would check the packet and
+ indicate to the router whether it was a valid packet
+ associated with the LLID in question. Obviously, this
+ variant is viable only if the router is performing
+ infrequent, selective packet validation. However, it does
+ avoid the need to share the authenticator secret among all
+ the routers that must validate packets.
+
+ For both of these techniques, there is a residual
+ vulnerability to denial-of-service attacks based on replay of
+ valid packets during the lifetime of a data stream. Unless
+
+
+
+Braden, Clark, Crocker & Huitema [Page 26]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ packets carry sequence numbers and routers track a sequence
+ number window for each data stream, an (external) attacker
+ can copy valid packets and replay them. It may be easiest to
+ protect against this form of attack by aggregating all
+ traffic between a pair of routers into a single flow and
+ providing replay protection for the flow as a whole, rather
+ than on a per data stream basis.
+
+ * Temporary Passwords
+
+ The final technique explored in the workshop takes a very
+ different tack to packet validation. The preceding
+ techniques compute a function of the bits in a packet and
+ transform that value in a fashion that prevents an intruder
+ from generating packets with valid authenticators. The
+ ability to generate packets with valid authenticators for a
+ given LLID requires access to a secret value that is
+ available only to the sender, or to the sender and to routers
+ participating in a given data stream.
+
+ In contrast, this third technique calls for the authenticator
+ to be a short term, secret quantity that is carried in the
+ packet header, without benefit of further protection. In
+ essence, this technique incorporates a short term "password"
+ into each packet header. This approach, like its
+ predecessor, requires that all of the routers validating the
+ LLID be privy to this authenticator. Moreover, the
+ authenticator is visible to any other router or other
+ equipment along the path, and thus this technique is much
+ more vulnerable than the previous ones.
+
+ Here the same authenticator may be applied to all packets
+ with the same LLID, since the authenticator is not a function
+ of the packet it authenticates. In fact, this suggests that
+ it is feasible to use the LLID as the authenticator.
+ However, adopting this tack would not be consistent with the
+ two previous techniques, each of which requires an explicit,
+ separate authenticator, and so we recommend against this
+ optimization.
+
+ Nonetheless, the fact that the authenticator is independent
+ of the packet context makes it trivial to generate (forge)
+ apparently authentic packets if the authenticator is
+ intercepted from any legitimate packet. Also, if the
+ authenticator can be guessed, an attacker need not even
+ engage in passive wiretapping to defeat this scheme. This
+ latter observation suggests that the authenticator must be of
+ sufficient size to make guessing unlikely, and making the
+
+
+
+Braden, Clark, Crocker & Huitema [Page 27]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ LLID and the authenticator separate further supports this
+ requirement.
+
+ The major advantage of this approach is one of performance.
+ The authenticator can be validated very quickly through a
+ simple comparison. Consistent with the need to protect
+ against guessing attacks, the authenticator need not consume
+ a significant amount of space in the packet header.
+
+ The use of a sequence number visible to the routers is an
+ interesting technique to explore to make these somewhat
+ vulnerable methods more robust. If each stream (each source
+ of packets) numbers its packets, then an intruder attempting
+ to use the network resource must delete the legitimate
+ packets, which in many cases would be difficult. Otherwise,
+ the router being attacked would notice duplicate sequence
+ numbers and similar anomalies. The exact details of the
+ numbering would have to be worked out, since for the
+ legitimate stream packets might be lost, which would cause
+ holes in the sequence space.
+
+ We do not consider here the issues of collusion, in which a user
+ with a given LLID and authenticator deliberately shares this with
+ another unauthorized user. This possibility should be explored,
+ to see if there is a practical advantage to this act, and thus a
+ real threat.
+
+ 4.4 Dynamics of Setup
+
+ o Duration of LLID's
+
+ A key question in the use of LLIDs is how long they remain
+ valid. At one extreme, they last only a very short time,
+ perhaps seconds. This limits the damage that can be done if
+ the authenticator for the LLID is stolen. At the other
+ extreme, LLIDs are semi-permanent, like credit card numbers.
+ The techniques proposed above for securing the LLID traded
+ strength for efficiency, under the assumption that the peril
+ was limited by the limited validity of the LLID.
+
+ The counterbalancing advantage of long-term or semi-permanent
+ LLIDs is that it becomes practical to use primitive setup
+ techniques, such as manual configuration of routers to
+ establish packet classes. This will be important in the
+ short run, since deployment of security and dynamic resource
+ allocation protocols may not exactly track in time.
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 28]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ We conclude that the correct short-term action is to design
+ LLIDs under the assumption that they are fairly short lived,
+ and to tolerate, in the short run, a longer period of
+ validity. This would imply that we will get an acceptable
+ long-term mechanism in place, which operationally will have a
+ lower level of security at first. As we get better tools for
+ automatic setup, we can shorten the duration of validity on a
+ individual basis, without replacing mechanism in the packet
+ forwarding path.
+
+ o Setup Latency
+
+ The tradition of the Internet is not to impose any setup
+ latency in the communication path between end nodes. This
+ supports the classic datagram model for quick transactions,
+ etc., and it is a feature that should be preserved.
+
+ For setup that is done "in advance", either through a
+ management interface or by an end-node in the background, the
+ issue of latency does not arise. The latency issue occurs
+ for dynamic reservations made in response to a specific
+ application request.
+
+ We observe that while latency is a key issue, it is not
+ materially influenced by security concerns. The designers of
+ resource reservation protocols such as RSVP and ST-II are
+ debating the latency of these protocols today, absent
+ security. Adding an authenticator to the request message
+ will increase the processing needed to validate the request,
+ and might even imply a message exchange with an
+ authentication service, but should not substantially change
+ the real time of the setup stage, which might already take
+ time on the order of a round-trip delay. But the design of
+ the high level authentication and authorization methods for
+ the setup protocol should understand that this process, while
+ not demanding at the level of the per-packet processing, is
+ still somewhat time-critical.
+
+ One way of dealing with an expensive setup process is to set
+ up the request provisionally and perform the validation in
+ the background. This would limit the damage from one bad
+ setup request to a short period of time. Note, however, that
+ the system is still vulnerable to an attack that uses a
+ sequence of setup requests, each of which allows unauthorized
+ usage for at least a short period of time.
+
+ Note also that a denial-of-service attack can be mounted by
+ flooding the setup process with invalid setup requests, all
+
+
+
+Braden, Clark, Crocker & Huitema [Page 29]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ of which need to be processed and rejected. This could
+ prevent a valid user from setting up any state. However,
+ denial-of-service attacks based upon flooding leave very
+ large "finger prints"; they should not normally be an
+ important threat. If it is a problem, it may be possible to
+ incorporate a mechanism at the level of setup processing that
+ is equivalent to "fair queueing", to limits the damage from a
+ flooding attack at the packet level.
+
+ 4.5 Receiver-Initiated Setup
+
+ Recent work on a QOS extension for the Internet, embodied in the
+ RSVP protocol, uses the model that the receiver will reserve
+ resources. This scheme is consistent with the current IP
+ multicast paradigm, which requires the receiver to join the
+ multicast group. The receiver reserves the resources to insure
+ that the multicast traffic reaches the receiver with the desired
+ QOS. In this case, it is the credentials (the HLIDs) of the
+ receivers that will be presented to the setup phase.
+
+ Note that receiver initiation requires an explicit setup phase.
+ Suppose setup were implicit, driven by pre-existing fields in the
+ packet. Then there would be no way to associate a packet with a
+ particular receiver, since in multicast, the address of the
+ receiver never appears in the packet.
+
+ Further, it is impossible in this case to perform a setup "in
+ advance", unless the sender and the receiver are very tightly co-
+ ordinated; otherwise, the receiver will not know in advance what
+ LLID will be in the packet. It is certainly impossible, in this
+ case, for the receiver to set up "semi-permanent" reservations for
+ multicast traffic coming to it. This, again, is not a security
+ issue; the problem exists without adding security concerns, but
+ the security architecture must take it into account.
+
+ 4.6 Other Issues
+
+ 4.6.1 Encrypting Firewalls and Bypass
+
+ Our view of security, both end node and network protection,
+ includes the use of firewalls, which partition the network into
+ regions of more or less trust. This idea has something in
+ common with the encrypting-firewall model used in the
+ military/intelligence community: red (trusted) networks
+ partitioned from black (untrusted) networks. The very
+ significant difference is that, in the military model, the
+ partition uses an encryption unit that encodes as much as
+ possible of the packet for its trip across the black network to
+
+
+
+Braden, Clark, Crocker & Huitema [Page 30]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ another red network. That is, the purpose of the encryption
+ unit, among others, is to provide a very high degree of
+ protection against disclosure for data housed within the red
+ networks. In contrast, our version of a firewall is more to
+ protect the trusted (red) region of the network from outside
+ attacks. It is concerned both with what comes in and with what
+ goes out. It does permit communication between a node on the
+ trusted and nodes in the untrusted parts of the network.
+
+ We would like to be able to adapt our model of secure QOS to
+ the case of military-style encrypting firewalls. However, this
+ use of encryption raises a problem with our model of secure
+ resource management, discussed above, which was based on a
+ two-stage process of setup and classification. This model is
+ problematic because it requires information to pass from the
+ red region to the black region in the clear. This information
+ includes both the setup packets themselves, if setup is done
+ dynamically from the end node, and the classification fields
+ (the LLIDs) in the data packets. Obviously, this information
+ cannot be encrypted when leaving the red region of the network,
+ since it would then be meaningless to the black net, so that
+ the black network would be unable to make resource allocation
+ decisions based on it.
+
+ To make this sort of control scheme work, it is necessary for
+ the encryption device to be programmed to permit certain
+ packets and fields in packets to pass through the encryptor in
+ the clear. This bypass of the encryption is considered highly
+ undesirable. In a high security situation, the process
+ generating the bypassing information might be corrupted, with
+ the result that information that should be controlled is
+ removed from the secure network by hiding it in the bypassed
+ fields of the packets.
+
+ We concluded, however, that this bypass problem is not
+ insurmountable. The key idea, as in all cases of bypass, is to
+ limit, rather than wholly outlaw, the information passing in
+ the clear. To limit the information needed for bypass, one can
+ either perform the setup as a management function totally
+ within the black environment, or divide the process into two
+ stages. The first stage, again totally in the black context,
+ defines a limited number of setup situations. The second stage
+ involves sending from the red net a very small message that
+ selects one request to be instantiated from among the pre-
+ defined set.
+
+ Perhaps the more difficult issue is the LLID in the packet
+ header. If the LLID is an explicit field (as we have discussed
+
+
+
+Braden, Clark, Crocker & Huitema [Page 31]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ so far, but see below), it represents a new field in each
+ packet, with perhaps as many as 32 bits. Again, the solution
+ is to limit the way this field can be used. When the end-node
+ performs a setup, it will specify the value of the LLID to be
+ used. This fact can be observed by the red/black encryption
+ unit, which can then limit the components of this field to the
+ values currently in use. To further improve the situation, the
+ encryption unit might be able to aggregate a number of flows
+ onto one flow for the purpose of crossing the black net, which
+ would permit a further reduction in the number of distinct
+ LLIDs that must escape the red region.
+
+ The details of this proposal, including some important issues
+ such as the time duration of LLIDs in this case, must be
+ considered further. However, the initial conclusion that
+ bypass can be incorporated into a general resource control
+ framework is very encouraging, since it suggests that both
+ military and commercial forms of security can be built out of
+ the same building blocks.
+
+ 4.6.2 The Principle of Consistent Privilege
+
+ A well understood principle of security is the principle of
+ least privilege, which states that a system is most robust when
+ it is structured to demand the least privilege from its
+ components.
+
+ A related rule we observe is the principle of consistent
+ privilege. This can be illustrated simply in the case of
+ denial of service, where it is particularly relevant. For a
+ particular route, no assumption of service can be justified
+ unless we trust the routers to deliver the packets. If a
+ router is corrupted and will not forward packets, the only
+ solution is to find another route not involving this router.
+ We do not concern ourselves here with protocols for finding new
+ routes in the presence of a corrupted router, since this topic
+ is properly part of another topic, securing the network
+ infrastructure. We only observe that either we will get
+ service from the router or we will not. If the router is
+ corrupted, it does not matter how it chooses to attack us.
+ Thus, as long as the router is part of a forwarding path (most
+ generally a multicast forwarding tree), we should not hesitate
+ to trust it in other ways, such as by giving it shared resource
+ keys or LLID verifiers.
+
+ This illustrates the principle of consistent privilege. This
+ principle is exploited in the scheme for hop-by-hop or pairwise
+ use of secrets to validate LLIDs in a multicast tree. If a
+
+
+
+Braden, Clark, Crocker & Huitema [Page 32]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ single key is issued for the whole tree, then the privilege is
+ not consistent. We only need to trust a router with respect to
+ the nodes "below" it in the tree. If it fails to forward
+ traffic, it can affect only those nodes. But if we give it the
+ group key, then it can generate bogus traffic and inject it
+ into the tree at any point, affecting traffic for other parts
+ of the tree. If, on the other hand, we use pairwise keys, then
+ a corrupt node can only generate bogus traffic with the key for
+ traffic it would directly receive, which is the part of the
+ tree it could damage anyway.
+
+ Another requirement we must place on the network concerns
+ routing. If a firewall is in place, we must trust the routing
+ architecture not to bypass that firewall. One way to
+ accomplish this is to eliminate any physical path between the
+ regions other than those that go through the firewall.
+ Operational experience will be required to see if this simple
+ physical limit is an acceptable constraint.
+
+ 4.6.3 Implicit LLID's
+
+ We stress the importance of a strong conceptual distinction
+ between the addresses in a packet and the LLID which is used to
+ classify the packet. The conceptual distinction is important,
+ but under limited circumstances it may be possible to overload
+ some of the packet fields and create an LLID from the current
+ packet header. For example, current packet classifiers for
+ IPv4, which are not secure but which seem to work for
+ classifying the packets into service classes, use a number of
+ the packet fields together as a form of LLID: the source and
+ destination IP addresses and ports plus the protocol type.
+
+ This sort of "implicit" LLID must be short-lived, especially if
+ the host can change its IP address as it moves. But if the
+ LLID is established by some sort of dynamic setup protocol, it
+ should be possible reestablish the LLID as needed.
+
+ The current IPv4 header has no authenticator field to validate
+ the LLID. An authenticator field could be optionally carried
+ in an option; adding it gives robustness to network
+ reservations. Any of the schemes described above for creating
+ an authenticator could be used, except that if the simple
+ password-style authenticator is used, it must be an explicit
+ separate field, since the LLID cannot be picked randomly.
+
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 33]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ 4.6.4 Security without Setup
+
+ As we describe this architecture, the setup phase is an
+ essential part of the sequence. This suggests that the current
+ Internet, which has no setup protocols, cannot be secured
+ against denial-of-service attacks. It is important to explore
+ the limits of this point. As we stressed above, setup can
+ occur in many ways. Routers today offer management options to
+ classify packets based on protocol types and other fields found
+ in the header, and to use this classification to create a few
+ fair queueing classes that can prevent one class from
+ overloading the net to the exclusion of the others.
+
+ There are two problem here. The first is that for a setup done
+ using a management interface, the secret that is shared among
+ the source and the routers to validate the LLID must remain
+ valid for a long time, and it must be manually configured. The
+ second problem is that the granularity of the categories may be
+ coarse. However, it has been proposed, in a thesis by Radia
+ Perlman, that a router might create a separate fair queueing
+ class implicitly for each source address. This approach, which
+ uses the addresses as an implicit LLID, must have some form of
+ authenticator for robustness. But if the LLID can be trusted,
+ this scheme provides classification of traffic based only on an
+ implicit setup operation. The granularity of classification is
+ not sufficient to provide any QOS distinction. The only
+ objective is to prevent the traffic from one source from
+ flooding the net to the exclusion of another.
+
+ 4.6.5 Validating Addresses
+
+ We make a claim here that if the LLID and the addresses in the
+ packet are conceptually distinct, and if there is a suitable
+ means to validate the LLID, then there is no reason to validate
+ the addresses. For example, a packet constructed with a false
+ source address does not seem to represent any security problem,
+ if its LLID can be validated.
+
+ An exception to this might possibly lie in communication with
+ mobile hosts, but it will require a complete model of threats
+ and requirements in the mobile environment to be sure.
+ However, we make the claim, as a starting point for discussion,
+ that if LLIDs are distinguished from addresses, many of the
+ security concerns with mobility are mitigated and perhaps
+ removed. This point should be validated by more detailed
+ consideration of the mobility problem.
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 34]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ 4.6 Conclusions
+
+ a) It is important to conceptually separate a LLID (Low-Level
+ IDentifier) carried in a packet from addresses in the packet.
+
+ b) There will be a single LLID carried in each packet. Although
+ this might imply some additional state in the routers than if
+ multiple LLIDs were used, using only one LLID choice is more
+ scalable.
+
+ c) Hop-by-hop LLID authentication mechanisms might provide a
+ highly scalable approach that limits the distribution of
+ secrets. However, the robustness limitations must be
+ investigated thoroughly.
+
+ d) Statistical sampling or after-the-fact detection mechanisms
+ may be employed by routers to address performance concerns.
+
+5. AN AUTHENTICATION SERVICE
+
+ The purpose of an authentication service is simply to verify names,
+ or more precisely to verify the origin of "messages". It differs
+ from the authorization service, which determines what services are
+ available to an authenticated name. We expect that authentication
+ will be an Internet-wide service, while authorization will be
+ specific to the resources to which access is being authorized.
+
+ This "identification" function can be used in several contexts, for
+ example:
+
+ * One-time passwords: "it is really <huitema@inria.fr> that is
+ responding to this challenge".
+
+ * Access to a firewall: "it is really <huitema@inria.fr> that is
+ trying to send data to host-A at port-a".
+
+ There are many Internet objects that we may want to name, e.g.,:
+
+ domain names: sophia.inria.fr
+
+ machine names: jupiter.inria.fr
+
+ service names: www.sophia.inria.fr
+ (in fact, a data base)
+
+ users: huitema@sophia.inria.fr
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 35]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ processes: p112.huitema@sophia.inria.fr
+ p112.sophia.inria.fr
+
+ universal resource locators:
+ http//www.sophia.inria.fr:222/tmp/foobar
+
+ One could be tempted to believe that the authentication service will
+ only be concerned with naming humans, as only humans are
+ "responsible"; a process obtains some access rights because it is
+ acting on behalf of a person. However, this is too reductive and
+ potentially misleading. We may have to authenticate "machines" or
+ hardware components. For example:
+
+ * When a machine boots it needs to access resources for
+ configuring itself, but it is not yet "used" by a person; there
+ is no user.
+
+ * On a "distributed processor", component CPUs may need to
+ authenticate each other.
+
+ Machines do differ from users; machines cannot keep their "secrets"
+ in the same way that people do. However, there is a big value in
+ having a simple and extensible name space.
+
+ 5.1 Names and Credentials
+
+ We make the hypothesis that the authorization services will
+ generally use "access control lists" (ACLs), i.e., some definition
+ of a set of authorized users. A compact way to represent such a
+ set would be to allow "wildcard" authorizations, e.g., "anybody at
+ <Bellcore.com>", or "any machine at <INRIA.FR>". The
+ authentication service should be designed to facilitate the
+ realization of the authorization service and should support
+ "wildcards".
+
+ However, wildcards are not general enough. Assuming that we have
+ a hierarchical name space, a wildcarded entry is limited to the
+ naming hierarchy. For example, a name like
+ <huitema@sophia.inria.fr> could be matched by the wildcard
+ <*@sophia.inria.fr> or <*.inria.fr> or <*.fr>. This is useful as
+ long as one stays at INRIA, but does not solve the generic
+ problem. Suppose that an IETF file server at CNRI is to be
+ accessible by all IAB members: its ACL will explicitly list the
+ members by name.
+
+ The classic approach to naming, as exemplified in the X.500 model,
+ is to consider that people have "distinguished names". Once one
+ has discovered such a name through some "white pages" service, can
+
+
+
+Braden, Clark, Crocker & Huitema [Page 36]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ use it as an access key in a global directory service.
+
+ An individual may acquire authorizations from a variety of
+ sources. Using a pure, identity-based access control system, the
+ user would have to acquire multiple identities (i.e.,
+ distinguished names), corresponding to the roles in which she is
+ authorized to access different services. We discuss this approach
+ in the next section.
+
+ An alternative approach is for the user to have a very small
+ number of identities, and to have the grantors of authorizations
+ issue (signed) credentials granting permissions to the user,
+ linked to her ID. These additional signed credentials are known
+ as "capabilities". The user can then establish her identity
+ through a generic identity credential, e.g., an X.509 certificate,
+ and can establish authorization by presenting capabilities as
+ required. This is somewhat analogous to a person acquiring credit
+ cards linked to the name on a driver's license, and presenting the
+ appropriate credit card, plus the license for picture verification
+ of identity.
+
+ 5.2 Identity-Based Authorization
+
+ Let's open the wallet of an average person: we find several
+ "credit cards" in it. We all have many "credit cards", e.g.,
+ company cards, credit cards, airline frequent flyers memberships,
+ driver licenses. Each of these cards is in fact a token asserting
+ the existence of a relation: the bank certifies that checks
+ presented by the bearer will be paid, the traffic authorities
+ certifies that the bearer has learned how to drive, etc. This is
+ an example of identity-based authorization, in which an individual
+ is given different names corresponding to different relations
+ entered into by that individual.
+
+ If we imagine that the name space is based upon DNS (domain)
+ names, then for example, the person mentioned above could be
+ authenticated with the names:
+
+ customer@my-big-bank.com
+
+ customer@frequent-flyer.airline.com
+
+ The model we used here is that "the name is an association". This
+ is consistent with name verification procedures, in which that one
+ builds a "chain of trust" between the user and the "resource
+ agent". By following a particular path in the trust graph, one
+ can both establish the trust and show that the user belongs to an
+ "authorized group".
+
+
+
+Braden, Clark, Crocker & Huitema [Page 37]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ The existence of "multiple names" for a person may or may not
+ imply the existence of an "equivalence" relation. It may be
+ useful to know that <huitema@sophia.inria.fr> and
+ <huitema@iab.isoc.org> are two names for the same person, but
+ there are many cases where the user does not want to make all his
+ tokens visible.
+
+ 5.3 Choosing Credentials
+
+ Let's consider again the example of Christian Huitema accessing a
+ file at CNRI. He will have to interact with INRIA's outgoing
+ firewall and with CNRI's incoming controls. Regardless of whether
+ authorization depends upon capabilities or upon multiple
+ association names, a different credential may be needed in each
+ firewall on the path. For example, assuming multiple names are
+ used, he will use an INRIA name, <huitema@sophia.inria.fr>, to be
+ authorized by INRIA to use network resources, and he will use an
+ IAB name, <huitema@iab.isoc.org>, to access the file server. Thus
+ comes an obvious problem: how does he choose the credential
+ appropriate to a particular firewall? More precisely, how does
+ the computer program that manages the connection discover that it
+ should use one credential in response to INRIA's firewall
+ challenge and another in response to CNRI's request?
+
+ There are many possible answers. The program could simply pass
+ all the user's credentials and let the remote machine pick one.
+ This works, but poses some efficiency problems: passing all
+ possible names is bulky, looking through many names is long.
+ Advertising many names is also very undesirable for privacy and
+ security reasons: one does not want remote servers to collect
+ statistics on all the credentials that a particular user may have.
+
+ Another possibility is to let the agent that requests an
+ authorization pass the set of credentials that it is willing to
+ accept, e.g., "I am ready to serve CNRI employees and IAB
+ members". This poses the same privacy and security problems as
+ the previous solutions, although to a lesser degree. In fact, the
+ problem of choosing a name is the same as the generic "trust path"
+ model. The name to choose is merely a path in the authentication
+ graph, and network specialists are expected to know how to find
+ paths in graphs.
+
+ In the short term, it is probably possible to use a "default name"
+ or "principal name", at least for local transactions, and to count
+ on the user to "guess" the credential that is required by remote
+ services. To leave the local environment we need only the local
+ credentials; to contact a remote server we need only the
+ destination credentials. So we need one or maybe two credentials,
+
+
+
+Braden, Clark, Crocker & Huitema [Page 38]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ which may be derived from the destination. It will be very often
+ the case that the generic credential is enough; then wildcards;
+ then "FTP provided" tokens.
+
+6. OTHER ISSUES
+
+ 6.1 Privacy and Authentication of Multicast Groups
+
+ Multicast applications are becoming an increasingly important part
+ of Internet communications. Packet voice, video and shared
+ whiteboard can be powerful productivity tools for users. For
+ these applications to have maximum value to their users, a variety
+ of security services will be required.
+
+ Existing techniques are directly applicable to providing privacy
+ for a private teleconference. If each member of the conference
+ shares a single key for a symmetric encryption algorithm (such as
+ DES), existing point-to-point security techniques can be extended
+ to protect communication within the group from outsiders.
+
+ However, slight modifications to existing techniques are required
+ to accommodate the multicast environment. Each packet will
+ require independent cryptographic processing to ensure that
+ packets from multiple sources can be independently decrypted by
+ the numerous receivers, particularly in the presence of lost
+ packets. N-party authentication and key management will be
+ required to establish the shared key among the proper group
+ members. This can be done by extending existing two-party key
+ management techniques pairwise. For example, the conference
+ manager may provide the key to each member following individual
+ authentication; for example, this could be implemented trivially
+ using PEM technology. The overhead experienced by each host
+ computer in the conference will be similar to that of existing
+ point-to-point encryption applications, This overhead is be low
+ enough that, today, software encryption can offer adequate
+ performance to secure whiteboard and voice traffic, while hardware
+ encryption is adequate for video.
+
+ The nature of multicast communication adds an additional
+ requirement. Existing multicast conferences provide gradual
+ degradation in quality as the packet loss rate increases. To be
+ acceptable, authentication protocols must tolerate lost packets.
+ Techniques to accomplish this efficiently need to be developed.
+ One initial sketch is outlined below. Engineering work will be
+ required to validate the practicality of this approach.
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 39]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ The use of symmetric encryption provides the members of the
+ conference with effective protection from outsiders. However,
+ because all members of the conference share a single key, it does
+ not provide a means of authenticating individual conference
+ members. In principle, existing techniques, based on one-way hash
+ functions coupled with digital signatures based on asymmetric
+ encryption algorithms, can provide individual authentication.
+ One-way hash functions such as MD5 are comparable in cost to
+ symmetric encryption. However, digital signatures are
+ considerably more costly, both in computation and in communication
+ size. The degree of overhead depends on the quality of
+ authentication required.
+
+ In summary, realtime authentication at the granularity of group
+ membership is easy and cheap, but individual authentication is
+ costly in time and space. Over time, the costs of both
+ communications and processing are expected to decline. It is
+ possible that this will help make authentication at the level of
+ individual conference participants. There are two conflicting
+ trends: (1) increasing CPU speeds to provide symmetric
+ encryption, and (2) increasing communication data rates. If both
+ technologies increase proportionally, there will be no net gain,
+ at least if the grain size is measured in terms of bits, rather
+ than as a period in seconds.
+
+ The group felt that the correct approach to end-to-end controls is
+ the use of encryption, as discussed above. The alternative is to
+ control the ability of a user to join a multicast group as a
+ listener, or as a speaker. However, we are not comfortable with
+ the level of assurance that we can offer if we attempt to ensure
+ end-to-end semantics using these means. Any passive penetration
+ of the network, i.e., any wire-tap, can compromise the privacy of
+ the transmitted information. We must acknowledge, however, that
+ problems with deployment of encryption code and hardware, and
+ especially problems of export controls, will create a pressure to
+ use the tools described in Section 4 to implement a form of end-
+ to-end control. Such a decision would raise no new issues in
+ security technology. The shared key now used for encrypting the
+ data could instead be used as the basis for authenticating a
+ multicast group join request. This would require modification of
+ the multicast packet format, but nothing more. Our concern is not
+ the technical difficulty of this approach, but the level of
+ assurance we can offer the user.
+
+
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 40]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ 6.2 Secure Plug-and-Play a Must
+
+ Plug-and-play is the ability to plug a new device into a network
+ and have it obtain the information it needs to communicate with
+ other devices, without requiring any new configuration
+ information. Secure plug-and-play is an important Internet
+ requirement, and a central architectural issue is whether it can
+ be made to scale well.
+
+ For plug-and-play operation, a new machine that is "plugged" into
+ the network needs to:
+
+ (1) Obtain an locator so it can communicate with other devices
+
+ (2) Register or obtain a name to be identified by (e.g., machine
+ name)
+
+ (3) Discover services available on the network (e.g., printers,
+ routers, file servers, etc.)
+
+ (4) Discover other systems on the network so it can communicate
+ with them.
+
+ In some environments, no security mechanisms are required because
+ physical security and local knowledge of the users are sufficient
+ protection. At the other end of the spectrum is a large network
+ with many groups of users, different types of outside connections,
+ and levels of administrative control. In such environments,
+ similar plug-and-play capabilities are needed, but the new device
+ must be "authenticated" before it can perform these functions. In
+ each step in the discovery process the new device must
+ authenticate itself prior to learning about services.
+
+ The steps might be:
+
+ - Obtain a HLID from a smart card, smart disk, or similar
+ device.
+
+ - Authenticate itself with the first plug-and-play server using
+ its HLID, to register a name and to find the location of
+ other services.
+
+ - Discover services available on the network (e.g., printers,
+ routers, file servers, etc.) based on its HLID.
+
+ - Discover other systems on the network so it can communicate
+ with them.
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 41]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ The problem of taking a system out of the box and initially
+ configuring it is similar to the problem of a mobile or portable
+ machine that a human wants to connect to a local network
+ temporarily in order to receive services on that network. How can
+ the local network authenticate the human (and therefore the
+ human's machine) and know which services this visiting machine is
+ permitted to use?
+
+ The human must be endowed with a high level identifier (HLID)
+ which acts as his/her passport and can be verified by the local
+ network. This high level identifier must be globally unique and
+ registered/assigned by some recognized authority.
+
+ When the human plugs the machine onto a local net, the machine
+ identifies itself to the net with the human's high level
+ identifier. If local net has a policy of permitting anyone to
+ plug and play on its network, it will ignore the HLID and assign
+ an address (locator), permitting the visitor unrestricted access
+ and privileges. More likely, the local net will authenticate the
+ HLID prior to granting the visitor an address or any privileges.
+
+ At this point, the HLID has only authenticated the visitor to the
+ local network; the issue of which services or resources the
+ visitor is entitled to use has not been addressed. It is
+ desirable to develop a low-overhead approach to granting
+ authentications to new users. This will help in the case of
+ visitors to a site, as well as new users joining a facility.
+
+ 6.3 A Short-Term Confidentiality Mechanism
+
+ Authentication has customarily been achieved using passwords. In
+ the absence of active attacks, the greatest threat to computer
+ system security may be the ease with which passwords can be
+ "snooped" by the promiscuous monitoring of shared-media networks.
+ There are known security techniques for achieving authentication
+ without exposing passwords to interception, for example the
+ techniques implemented in the well-known Kerberos system.
+ However, authentication systems such as Kerberos currently operate
+ only in isolation within organizational boundaries. Developing
+ and deploying a global authentication infrastructure is an
+ important objective, but it will take some years. Another useful
+ approach in the short term is the use of a challenge-response user
+ authentication scheme (e.g., S/Key).
+
+ One of the groups explored another interim approach to guarding
+ passwords: introducing a readily-used confidentiality mechanism
+ based on an encrypted TCP connection. This would operate at the
+ IP level to encrypt the IP payload, including the TCP header, to
+
+
+
+Braden, Clark, Crocker & Huitema [Page 42]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ allow the nature as well of the contents of the communication to
+ be kept private. It could be implemented to provide either
+ "strict" protection (the connection fails if the other side cannot
+ decrypt your data stream) or "loose" protection (falling back to
+ non-private TCP if decryption fails).
+
+ Loose protection would allow interoperability with older hosts in
+ a seamless (non-user-intrusive) manner.
+
+ One-time keys may be exchanged during the SYN handshake that
+ starts the TCP connection. Using one-time keys avoids a need for
+ infrastructure support and does not require trust between the
+ organizations on the two ends of the connection. Tieing the key
+ exchange to the SYN handshake will avoid the possibility of having
+ the connection fully open without knowing the state of encryption
+ on both ends of the connection. Although it may still be
+ theoretically possible to intercept the SYN exchange and subvert
+ the connection by an active "man-in-the-middle" attack, in
+ practice such attacks on TCP connections are quite difficult
+ unless the routing protocols have been subverted.
+
+ The keys could be exchanged using a new option that specifies the
+ key exchange protocol, the data encryption algorithm, and the key
+ to be used to decrypt the connection. It could be possible to
+ include multiple options in the same SYN segment, specifying
+ different encryption models; the far end would then need to
+ acknowledge the option that it is willing to use. In this case,
+ the lack of an acknowledgement would imply disinterest in
+ decrypting the datastream. If a loose privacy policy were in
+ force, the connection could continue even without an
+ acknowledgment. The policy, "strict" or "loose", would be set by
+ either the user or the default configuration for the machine.
+
+ One must however observe that a TCP option can carry only a
+ limited amount of data. Efficient protection against crypto-
+ analysis of the Diffie-Hellmann scheme may require the use of a
+ very long modulus, e.g., 1024 bits, which cannot be carried in the
+ 40 bytes available for TCP options. One would thus have either to
+ define an "extended option" format or to implement encryption in a
+ separate protocol layered between TCP and IP, perhaps using a
+ version of "IP security". The detailed engineering of such a
+ solution would have to be studied by a working group.
+
+ A TCP connection encryption mechanism such as that just outlined
+ requires no application changes, although it does require kernel
+ changes. It has important drawbacks, including failure to provide
+ privacy for privacy for UDP, and the great likelihood of export
+ control restrictions. If Diffie-Hellman were used, there would
+
+
+
+Braden, Clark, Crocker & Huitema [Page 43]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ also be patent issues.
+
+7. CONCLUSIONS
+
+ As a practical matter, security must be added to the Internet
+ incrementally. For example, a scheme that requires, as a
+ precondition for any improvement, changes to application code, the
+ DNS, routers and firewalls all at once will be very hard to deploy.
+ One of the reasons the workshop explored schemes that are local to
+ the IP layer is that we surmise that they might be easier to deploy
+ in practice.
+
+ There are two competing observations that must shape planning for
+ Internet security. One is the well known expression: "the best is
+ the enemy of the good." The other is the observation that the
+ attacks are getting better.
+
+ Finally, it should noted that the principle of least privilege, which
+ was mentioned above, may be in contradiction to the principle of
+ least cost.
+
+ 7.1 Suggested Short-Term Actions
+
+ The general recommendation for short-term Internet security policy
+ was that the IETF should make a list of desirable short-term
+ actions and then reach out to work with other organizations to
+ carry them out. Other organizations include regionals, which may
+ be in a good position to provide site security counseling services
+ to their customers, vendors and other providers, and other
+ societies. We should also give input to the US government to
+ influence their posture on security in the direction desired by
+ the community.
+
+ A suggested preliminary list of short-term actions was developed.
+
+ o Perform external diagnostic security probes
+
+ Organizations should be encouraged to use CRACK and other
+ tools to check the robustness of their own passwords. It
+ would also be useful to run a variety of security probes from
+ outside. Since this is a very sensitive issue, some care
+ needs to be taken to get the proper auspices for such
+ probing.
+
+
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 44]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ Useful probe tools include:
+
+ ISS: Klaus (GA)
+ SATAN: Farmer Venema
+ ICEPICK: NRL
+
+ o Determine Security-Risk Publication Channels
+
+ What channels should be used for disseminating information of
+ security risks?
+
+ o Encourage use of one-time passwords.
+
+ Available packages: S/Key, SecurID, Enigma, Digital Pathways.
+
+ o Develop and publish guidelines for protocol developers, for
+ security-friendliness and firewall-friendliness.
+
+ o Control topology to isolate threats
+
+ o Set privacy policy:
+
+ * Always
+
+ * As much as possible
+
+ o Bring Site Security Handbook up to date
+
+ o Support use of Kerberos
+
+ The subject of the "Clipper chip" came up several times, but there
+ was not sufficient discussion of this very complex issue for this
+ grouip to reach a recommendation. It has been observed that there
+ are a number of quite differing viewpoints about Clipper.
+
+ o Some people accept the government's Clipper proposal,
+ including key escrow by the US government and the
+ requirement that encryption be in hardware.
+
+ o Some people don't mind key escrow by the government in
+ principle, but the object to the hardware requirement.
+
+ o Some people don't mind key escrow in principle, but
+ don't want the government to hold the keys. They would
+ be comfortable with having the organization which owns
+ the data hold the keys.
+
+ o Some people don't want key escrow at all.
+
+
+
+Braden, Clark, Crocker & Huitema [Page 45]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ o Some people don't mind the hardware or the key escrow,
+ but they don't think this will be acceptable to other
+ countries and thus will not work internationally.
+
+ This report takes no position on any of these viewpoints.
+
+ 7.2 Suggested Medium-Term Actions
+
+ These actions require some protocol design or modification;
+ however, they use existing security technology and require no
+ research.
+
+ o Authentication Protocol
+
+ There is a problem of the choice of technology. Public key
+ technology is generally deemed superior, but it is patented
+ and can also induce relatively long computations. Symmetric
+ key technology (Needham-Schroeder algorithm, as used in
+ Kerberos) has some technical drawbacks but it is not
+ patented. A system based on symmetric keys and used only for
+ authentication would be freely exportable without being
+ subject to patents.
+
+ o Push Kerberos
+
+ Engineering is needed on Kerberos to allow it to interoperate
+ with mechanisms that use public key cryptography.
+
+ o Push PEM/RIPEM/PGP...
+
+ o Develop an authenticated DNS
+
+ o Develop a key management mechanism
+
+ o Set up a certificate server infrastructure
+
+ Possible server mechanisms include the DNS, Finger, SNMP,
+ Email, Web, and FTP.
+
+ o Engineer authentication for the Web
+
+
+ 7.3 Suggested Long-Term Actions
+
+ In this category, we have situations where a threat has been
+ identified and solutions are imaginable, but closure has not been
+ reached on the principles.
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 46]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ o Executable Apps
+
+ o Router sabotage counter-measures
+
+ o Prevent Byzantine routing.
+
+ o Proxy Computing
+
+ o Decomposition of computers
+
+ o Are there "good" viruses?
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 47]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+APPENDIX A -- Workshop Organization
+
+ The following list of attendees indicates also the breakout group to
+ which they were assigned.
+
+ Breakout Groups
+
+ Group I.1 Leader:
+ 1 Christian Huitema, INRIA (IAB)
+
+ 1 Steve Bellovin, AT&T
+ 1 Bob Braden, ISI (IAB)
+ 1 John Curran, NEARNET
+ 1 Phill Gross, ANS (IETF/IAB)
+ 1 Stev Knowles, FTP Software (Internet AD)
+ 1 Barry Leiner, USRA (IAB)
+ 1 Paul Mockapetris, ISI
+ 1 Yakov Rekhter, IBM (IAB)
+ 1 Dave Sincoskie, Bellcore (IAB)
+
+ Group I.2 Leader:
+ 2 Steve Crocker, TIS (Security AD)
+
+ 2 Jon Crowcroft
+ 2 Steve Deering, PARC
+ 2 Paul Francis, NTT
+ 2 Van Jacobson, LBL
+ 2 Phil Karn, Qualcomm
+ 2 Allison Mankin, NRL (Transport AD, IPng AD)
+ 2 Radia Perlman, Novell
+ 2 John Romkey, ELF (IAB)
+ 2 Mike StJohns, ARPA (IAB)
+
+ Group I.3 Leader:
+ 3 Dave Clark, MIT
+
+ 3 Deborah Estrin, USC
+ 3 Elise Gerich, Merit (IAB)
+ 3 Steve Kent, BBN (IAB)
+ 3 Tony Lauck, DEC (IAB)
+ 3 Tony Li, CISCO
+ 3 Bob Hinden, Sun (IESG->IAB liaison, Routing AD)
+ 3 Jun Murai, WIDE (IAB)
+ 3 Scott Shenker, PARC
+ 3 Abel Weinrib, Bellcore
+
+ The following were able to attend only the third day, due to a
+ conflicting ISOC Board of Trustees meeting:
+
+
+
+Braden, Clark, Crocker & Huitema [Page 48]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ Scott Bradner, Harvard (IPng AD)
+ Jon Postel, ISI (IAB)
+
+ The workshop agenda was as follows.
+
+ Tues Feb 8
+ 9:00 - 10:30 Plenary
+ Discuss facilities, meeting goals, agenda, organization.
+ Establish some minimal common understandings. Assign
+ scenarios to Breakout I groups.
+
+ 10:30 - 13:00 Breakout I meetings
+ Each breakout group examine one or more scenarios and
+ formulate a list of design questions. Lunch available on
+ 11th floor.
+
+ 13:00 - 15:00 Plenary
+ Report, discuss. Collate and shorten list of design
+ issues. Organize Breakout II groups to work on these
+ issues.
+
+ 15:00 - 17:30 Breakout IIa meetings
+ Work on design issues.
+
+ Wed Feb 9
+ 9:00 - 10:00 Plenary
+ Report, discuss.
+
+ 10:00 - 13:30 Breakout IIb meetings
+ More work on design questions, develop list of
+ requirements.
+
+ 13:30 - 14:30 Plenary
+ Report, discuss.
+
+ 15:30 - 17:30 Breakout III groups
+
+ Thurs Feb 10
+ 9:00 - 9:30 Plenary
+
+ 9:30 - 11:00 Breakout Groups (wrapup)
+
+ 11:00 - 12:00 Plenary
+ Discuss possible short-term security recommendations
+
+ 13:00 - 14:00 Plenary -- Discuss short-term security issues
+
+ 14:00 - 14:30 Plenary -- Presentation by Steve Bellovin
+
+
+
+Braden, Clark, Crocker & Huitema [Page 49]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ 14:30 - 16:00 Plenary -- Long- and Medium-term
+ Recommendations
+
+ The following scenarios were used as a starting point for
+ discussions. It distinguished security-S (security as a service to
+ the end systems) from security-M, security as a mechanism to support
+ other services. The workshop was intended to be primarily concerned
+ with interactions among the following different *services*:
+
+ o Security-S
+
+ o Routing
+
+ o Multi-destination delivery (mcast-S)
+
+ o Realtime Packet scheduling (realtime)
+
+ o Mobility
+
+ o Accounting
+
+ (and maybe large-scale?)
+
+ These categories were then applied to the following scenarios:
+
+ S1. Support a private teleconference among mobile hosts connected to
+ the Internet. [Security-S, mcast-S, realtime, mobility]
+
+ S2. The group in S1 is 1/3 the Internet, i.e., there are VERY severe
+ scaling problems. [Security-S, mcast-S, realtime, mobility,
+ large-scale]
+
+ S3. Charge for communication to support a video teleconference.
+ [Accounting, realtime, mcast-S]
+
+ S4. I am travelling with my laptop. I tune in to radio channel IP-
+ RADIO, pick-up the beacon and start using it. Who gets the
+ bill? Why do they believe this is me? Is "me" a piece of
+ hardware (IP address) or a certified user (PEM certificate)?
+ [Mobility, accounting (, realtime, mcast-S)]
+
+ S5. A Politically Important Person will mcast an Internet
+ presentation, without danger of interruptions from the audience.
+
+ S6. The travel industry wants to use Internet to deliver tickets to
+ customer premises directly in a secure way, but the customer has
+ only dial-up capability. [Security-S, mobility]
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 50]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ S7. I am traveling with my laptop and this friendly host is running
+ the autoconfiguration protocol. I immediately get an address as
+ "mac1.friendly.host.com". (What is the difference between my
+ laptop and a bona fide autoconfigured local station?)
+ [Security-S, mobility]
+
+ S8. Multiple people are connected to a subnetwork providing mobility
+ (e.g., cellular, packet radio). The subnetwork is connected to
+ multiple places in the "fixed" backbone. How can routing be done
+ efficiently? [Routing, mobility]
+
+ The following scenarios that were suggested do not fit into the
+ primary thrust of the workshop, generally because they are single-
+ issue topics. Most of them are pure security topics and are
+ concerned with the security perimeter. The last two do not fit into
+ our classification system at all.
+
+ S9. XYZ corporation has two major branches on opposite ends of the
+ world, and they want to communicate securely over the Internet,
+ with each branch having IP-level connectivity to the other (not
+ through application gateways).
+
+ S10. I am visiting XYZ corporation, with my laptop. I want to
+ connect it to their LAN to read my email remotely over the
+ Internet. Even though I am inside their corporate firewall,
+ they want to be protect their machines from me.
+
+ S11. XYZ corporation is trying to use the Internet to support both
+ private and public networking. It wants to provide full
+ connectivity internally between all of its resources, and to
+ provide public access to certain resources (analogous of
+ anonymous ftp servers)
+
+ S12. The travel industry wants to use Internet to deliver tickets to
+ customer premises directly in a secure way.
+
+ S13. Some hacker is deliberately subverting routing protocols,
+ including mobile and multicast routing. Design counter
+ measures.
+
+ S14. Part of the Internet is running IPv4 and part is running IPng
+ (i.e. the Internet is in transition). How can we assure
+ continued secure operation through such a transition?
+
+ S15. A corporation uses ATM to connect a number of its sites. It also
+ uses Internet. It wants to make use of the ATM as its primary
+ carrier, but also wants to utilize other networking technologies
+ as appropriate (e.g., mobile radio). It wants to support all
+
+
+
+Braden, Clark, Crocker & Huitema [Page 51]
+
+RFC 1636 IAB Workshop Report June 1994
+
+
+ media (data, voice, video).
+
+
+Security Considerations
+
+ This memo is entirely concerned with security issues.
+
+Authors' Addresses
+
+ Bob Braden [Editor]
+ USC Information Sciences Institute
+ 4676 Admiralty Way
+ Marina del Rey, CA 90292-6695
+
+ Phone: (310) 822-1511
+ EMail: Braden@ISI.EDU
+
+
+ David Clark
+ MIT Laboratory for Computer Science
+ 545 Technology Square
+ Cambridge, MA 02139-1986
+
+ Phone: 617-253-6003
+ EMail: ddc@lcs.mit.edu
+
+
+ Steve Crocker
+ Trusted Information Systems, Inc.
+ 3060 Washington Road (Rte 97)
+ Glenwood, MD 21738
+
+ Phone: (301) 854-6889
+ EMail: crocker@tis.com
+
+
+ Christian Huitema
+ INRIA, Sophia-Antipolis
+ 2004 Route des Lucioles
+ BP 109
+ F-06561 Valbonne Cedex
+ France
+
+ Phone: +33 93 65 77 15
+ EMail: Christian.Huitema@MIRSA.INRIA.FR
+
+
+
+
+
+
+Braden, Clark, Crocker & Huitema [Page 52]
+