The CPNI has raised questions over the security of the TCP/IP system
Brits blast TCP/IP security
/v3-uk/news/1986081/brits-blast-tcp-ip-security
21 Aug 2008, Shaun Nichols , V3
A report from a top UK government defence body is calling into question the security of the basic internet protocol.
The TCP/IP protocol is the basic function used by computers to communicate with outside networks. First adopted in 1983, the TCP/IP system is widely credited with enabling the creation of the internet as we know it.
The same protocol that enables the internet, however, may also be leaving it at risk, according to the Centre for Protection of the National Infrastructure (CPNI)
The company notes that many of the same techniques first used to link up the Arpanet network in 1983 are still in use today by the modern-day internet, and not all of them are secure.
"While many textbooks and articles have created the myth that the Internet Protocols were designed for warfare environments, the top level goal for the DARPA Internet Program was the sharing of large service machines on the Arpanet, " read the introduction to the report.
"As a result, many protocol specifications focus only on the operational aspects of the protocols they specify and overlook their security implications. "
The CPNI noted that over the years vulnerabilities have emerged in everything from the handling of headers to dealing with fragments of code and reassembling data.
Even when those problems are patched, the CPNI pointed out that the fixes are not always approved or recommended by the Internet Engineering Task Force.
"In many cases vendors have implemented quick 'fixes' to protocol flaws without a careful analysis of their effectiveness and their impact on interoperability," the report read.
"As a result, any system built in the future according to the official TCP/IP specifications might reincarnate security flaws that have already hit our communication systems in the past."
© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093
Do you agree?
Not well laid out.
True, there are problems at this date with TCP/IP, we all know this. But respectfully, I just don't see any answers in this article either.
If the top Brit government defence body has some solid answers that would fix these intermediate "patches", I'm quite sure we'd all like to know what they are so we can get on about fixing the holes in the 'Net.
Posted by Patrick, 21 Aug 2008
"Not well laid out."??
The report is supposed to help implmenters build secure IP implementations. There are some aspects of the protocols that can be secured. And that's what this document is about.
There are some security aspects that cannot be fixed without replacing IP itself.
The report answers the question it is supposed to answer: "What can be done to improve the security of the Internet Protocol?", rather than other questions such as "How can we fix the whole Internet mess?"
Posted by Dave, 27 Aug 2008
Typical!
Whenever a central government is caught with it's trousers firmly round its ankles, some quango or other leaps to the defence.
Here we are, with civil servants, the military, the police running around with un-encrypted data on memory sticks, posting CD's in the ordinary mail, leaving laptops on buses and trains, so a government IT security 'watchdog' blames... the internet!!
I don't follow their logic at all. In our organisation, anything that moves is encrypted! Media sent out is encrypted to either 128bit or 256bit, with keys sent independently (unlike a CD I received a little while ago from another (central government) source, who obligingly put a note of the key in the same envelope). Our external access uses various devious encryption methods, as well as SA to get in the first place.
Come on, civil service, police, judiciary, NHS, armed forces, wake up! It isn't rocket science to keep things secure, it isn't TCP/IP that looses data, it is laziness and complacency that leaves things vulnerable, not the technology.
Posted by Steve Atkinson, 28 Aug 2008