Removing Insecurity: The IETF Hums 5 Times
The IETF, which defines and promotes Internet standards, is taking a stand against the activities of the NSA by agreeing to improve the security of Internet protocols.
Unless you've been marooned on a desert isle, you're aware of the fact that your email and your phone calls have been monitored for a decade by the NSA (and its colleagues in Australia, Canada, the U.K., and New Zealand – the “Five Eyes” group). And it appears that the phone companies and the operators of major pieces of infrastructure have been complicit. This is what is meant by “pervasive surveillance.” The NSA has told us that we have nothing to fear: the information it collects is quite secure.
Yet, the months of document leaks from Edward Snowden show that to be false. If the phones and email of the heads of state of Brazil, France, Germany, Mexico, and Spain are at risk, what of corporate and personal data? What of my banking and credit card information?
I worry. And I'm sure that many company heads around the world worry as well.
At last, it appears that a vestige of data and transmission security may be restored. As evidence, nearly 1,100 people attended the IETF meeting in Vancouver, British Columbia, November 3rd through 8th.
What? What's the IETF?
The Internet Engineering Task Force is an open standards organization. It develops and promotes the standards of the Internet. It held its first meeting in January 1986, is an organized activity of the Internet Society, and has its secretariat in Fremont, California.
Well, the Internet's rules and standards are set out in what are called “RFCs” – Requests for Comments. (If you want to know about the early history, which begins in 1969, read my Casting the Net.) Truly important things are discussed and decided by the IETF and its many working groups, under the auspices of the Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG).
The big topic at this Vancouver meeting was security.
“The Internet has been turned into a giant surveillance machine,” said Bruce Schneier, who spoke at the meeting's technical plenary. “This is not just about any particular country or individual action. We need to work broadly to fix the problems of today and tomorrow.”
The same week, Schneier told attendees of the Usenix LISA (Large Installation System Administration Conference), held in Washington: “Fundamentally, this is a debate about data sharing, about surveillance as a business model, about the dichotomy of the societal benefits of big data versus the individual risks of personal data.”
Russ Housley posted:
At the end of the IETF88 Technical Plenary, there were five hums. [The IETF does not vote; it is consensus-driven, and the sense of the room is gauged by “humming.”] This note is to provide the text of the hums and the community response. The people in the room were asked to hum for YES if they agreed with the statement and hum for NO if they disagreed with the statement.
1. The IETF is willing to respond to the pervasive surveillance attack?
Overwhelming YES. Silence for NO.
2. Pervasive surveillance is an attack, and the IETF needs to adjust our threat model to consider it when developing standards track specifications.
Very strong YES. Silence for NO.
3. The IETF should include encryption, even outside authentication, where practical.
Strong YES. Silence for NO.
4. The IETF should strive for end-to-end encryption, even when there are middleboxes in the path.
Mixed response, but more YES than NO.
5. Many insecure protocols are used in the Internet today, and the IETF should create a secure alternative for the popular ones.
Mostly YES, but some NO.
Think of a town meeting. The first three of these, carried without an audible NO, are a direct blow to the activities of the NSA.
“At the IETF technical plenary, participants agreed that the current situation of pervasive surveillance represents an attack on the Internet,” said Stephen Farrell, one of the IETF's two Security Area Directors. “While there are challenges isolating the specific areas of attack that IETF protocols can mitigate, all of the working groups that considered the topic have started planning to address the threat using IETF tools that can mitigate aspects of the problem.”
But how to effect an appropriate response to “the pervasive surveillance attack” will be neither easy nor swift. For example, take IPv6: nearly 20 years [!] have passed since its first RFCs appeared (my “handbook” – The Big Book of IPv6 Addressing RFCs – appeared in 2000), and we are not even close to full deployment.
“Ensuring the global Internet is a trusted platform for billions of users is a core and ongoing concern for the IETF community. Discussions over the past few months, including many in the more than 100 working group sessions this week, are carefully and systematically reviewing Internet security and exploring ways to improve privacy and other aspects of security for different applications,” said Jari Arkko, Chair of the IETF. “Internet security has many facets, and the IETF is focused on ensuring that the technical Internet protocols that it develops provide a strong foundation for privacy and security.”
A truly democratic system cannot be rapid; only top-down autocracies can be. A humming consensus will come about, and it will be, for a time, effective. But I am afraid that the growth of the world's “security” agencies has made me, at least, feel less secure. The biggest problem, I fear, lies with the governments and the agencies, which are noted neither for their technological knowledge nor for their understanding.
A final Schneier citation: “It’s impossible to build an Internet where the good guys can eavesdrop, and the bad guys cannot. We have a choice between an Internet that is vulnerable to all attackers, or an Internet that is safe from all attackers. And a safe and secure Internet is in everyone's best interests, including the U.S.'s.”