1 / 10

Security Work in the IETF

Security Work in the IETF. Scott Bradner Harvard University sob@harvard.edu. Syllibus. IETF security “rules” security at the IP layer security above the IP layer key distribution applications summary. IETF Security Rules.

blanca
Download Presentation

Security Work in the IETF

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Work in the IETF Scott Bradner Harvard University sob@harvard.edu

  2. Syllibus • IETF security “rules” • security at the IP layer • security above the IP layer • key distribution • applications • summary

  3. IETF Security Rules • all RFCs must have a meaningful (in context) Security Considerations section • not always the case with old RFCs • most IETF charters say that security must be addressed as a basic issue • security ADs carefully review security issues with documents offered for publication as RFCs • note: “security” includes integrity, confidentiality, privacy, scalability, reliability, ...

  4. IETF Security Rules, contd. • most applications must have a mandatory-to-implement security option • can negotiate alternatives • working group can not assume that the technology will be only used in a confined environment • e.g., IP storage - not just the glass house anymore • authentication & confidentially must be addressed • can not overload TCP port 80 • can not piggyback on the web getting through a firewall • by the way RFC 3093 is a joke

  5. Security at the IP Layer • IPsec • IETF packet-level authentication & encryption • best implemented in OS Kernel • can provide protection to all applications • can live under legacy applications • mostly used in VPN applications and between firewall products

  6. Security above Transport • SSL/TLS • TLS: IETF “Transport Layer Security” protocol • can be implemented in an application • does not require OS support • comes from history - Netscape could not depend on OS • perhaps the most used security technology on the Internet • used by browsers everyday to do commerce on the Internet

  7. SSL/TLS, contd. • integration into Browser makes it invisible to end-users • this is a Good Thing ™ • TLS is "good enough” to have displaced “better” solutions • e.g., Secure Electronic Transaction (SET) standard designed by Visa and Mastercard

  8. Key Distribution, a Big Problem • “big” in that it requires infrastructure • infrastructure is hard to deploy • IETF PKIX Group is profiling X.509 for use in the Internet • largest user: TLS • DNS Security may also be used for Key Distribution some day • problems deploying it so far • will DNS be our Key Management System or will PKIX? • jury still out

  9. Applications • secure mail: SMIME & PGP/MIME • Key Distribution is still a problem • user applications are available, but hard to use • hope to see some real deployment as people realize the need to secure email • SMIME & TLS used to secure IETF VoIP signaling • TLS used for many applications • PKIX, LDAP, BEEP, SASL, L2TP, SMTP, ...

  10. Summary & Problems • IETF demands “good” security • standard development community is reluctant sometimes • users seen as not wanting security • tell that to the feds

More Related