The Effects of the Transition to IPv6 on Internet Security
(Jonna Särs)
The slow transition to IPv6 from the current IPv4 has started. IPv6
includes IPsec as a standard feature, and so the transition is
expected to improve the overall Internet security. Some even say it
will solve most of the security problems the Internet is faced with
today. However, things may not be this straightforward. The
implementation of the transition might introduce new vulnerabilities
and subtle attacks that take advantage of the different capabilities
of the communicating parties.
This topic includes a short introduction to IPv6 and its security
features in particular, but the main purpose is to analyse the
different aspects of the transition period from the security point of
view. The topic is challenging, but it should also prove to be
interesting.
Material to begin
The Security of Network Management
(Jonna Särs)
The SNMP protocol was developed to provide remote management of
network nodes in the Internet. Unfortunately, the first version
contained very little in terms of security. The SNMPv2 standardization
tried to improve security, but failed, resulting in two incompatible
versions. The standardization of version 3 will soon be ready.
This topic includes presenting the SNMP security features and their
evolution. The author should also address the other security-relevant
trends in network node management, such as management over HTTP or ssh.
Material to begin
Secure DNS
(Sanna Liimatainen)
The Domain Name System (DNS) does not support data integrity
checking and offers little in the way of authentication. IETF's DNS
Security Working Group is creating a standard that improves the
security of the DNS. DNSSEC uses digital signatures to achieve data
integrity and origin authentication.
This paper should introduce the Domain Name System (DNS) and its
Security Extensions. It would also be nice to hear how DNS can be used
as a certificate repository in a Public-Key Infrastructure (PKI).
Material to begin
Internet Key Exchange (IKE)
(Sanna Liimatainen)
IPsec provides secure communication in the Internet but it does not
take a stand on key management. ISAKMP (Internet Security
Association and Key Management Protocol) provides a framework for
authentication and key management but does not define them. ISAKMP is
designed to be key exchange independent, so that it can support
many different key exchanges. The Internet Key Exchange (IKE) Protocol
is designed to negotiate and provide authenticated keying material.
The author of this paper should introduce the Internet Key Exchange
Protocol and describe how it works with ISAKMP. Note: the Domain of
Interpretation (RFC 2407) is also associated with ISAKMP and IKE and
it should not be forgotten. It would also be nice to hear who
has implemented these protocols.
Material to begin
Comparison of different PKI proposals
(Sanna Liimatainen)
In its simplest form, a PKI is a system for publishing the
public-key values used in public-key cryptography. There are two basic
operations common to all PKIs: Certification and Validation. Digital
certificates can be used to bind the information (for example a
permission) to the keys. Validation is a process to check whether a
given certificate is still valid.
The author of this paper should briefly introduce several Public-Key
Infrastructures and compare them (including PKIs other than X.509 and SPKI):
- what kind of certificates
- certification authorities and their arrangements
- scalability
- validation
- etc
This topic is quite easy.