How does the Internet actually work? A Case Study for Concern!
First, everyone on the Internet must use the same "language", or set of protocols, to communicate. A number of standards organizations create these protocols or standards: the Institute of Electrical and Electronics Engineers (IEEE), the Internet Engineering Task Force (IETF), the European Telecommunications Standards Institute (ETSI) and so on. These standards are incorporated into networking products and operating systems to allow them to interoperate.
In this article, we are concentrating on the standards created by the IETF, which are published as RFCs. There are RFCs for TCP, UDP, TLS, IPsec, MPLS and many other protocols. In my opinion, the IETF is one of the major innovations that allows the Internet to grow and function. Its role in the Internet infrastructure is vital. It has built the Internet that we know today.
When there are changes in the way a protocol works, it can dramatically impact the way you use, operate or diagnose problems on your network. Remember, the IETF standards are the core protocols which run the Internet and the TCP/IP intranets run by large data centers. These are the standards that are implemented in the hardware and software in the routers, web servers, app servers, and clients.
A one-line change in an RFC can become a billion-dollar problem. What are we talking about? Let's look at the case of the one-line change in the newest version of the TLS protocol, TLS 1.3. There is a change proposed to the TLS protocol, the most widely used security protocol in the world, which may potentially mean millions of dollars of spending per enterprise, if the same functionality can even be duplicated.
The future of security and visibility for ALL!
What is this functionality? It has to do with being able to see packets as they flow through the enterprise network. Let's say that you are trying to access your bank account on the Internet. What happens is that you are going through routers, firewalls, load balancers, and many other devices to end up finally at the data center of your bank. When there is a problem, the technicians at the bank need to find out where it is. There may be 10, 15 or even 50 devices between you and your bank's data center. The technicians need to be able to see how far your balance inquiry or deposit travelled successfully so they can know what device is failing. We call this "visibility".
Visibility is needed inside the data center so that the customer can be protected against malware, data leakage, ransomware, theft and so on. The change proposed to TLS will make the way this is done today, passive decryption of captured traffic using a copy of the server's private key, nearly impossible.
For the geeks, what we are talking about is that TLS 1.3 disallows the static RSA key exchange: every session key is now derived from an ephemeral (Elliptic Curve) Diffie-Hellman exchange. Today many large data centers decrypt traffic out of band by giving a passive monitoring device a copy of the server's RSA private key, which lets it recover the premaster secret from the captured handshake. With TLS 1.3 that key no longer unlocks anything, so these data centers will need a different (new) way to decrypt out-of-band traffic. We need ways to manage our networks when traffic is encrypted. When you cannot inspect traffic, there can be malware, leaks, fraud and many other security and diagnostic problems. You can find out more at: https://datatracker.ietf.org/doc/draft-fenter-tls-decryption. By the way, we are not asking to have RSA back. We know there are some potential issues with that. We have a proposed solution that is based on the Diffie-Hellman key exchange.
Why might the IETF be proposing this?
They want what is called "forward secrecy": because every session key comes from an ephemeral exchange, someone who later obtains the server's long-term private key cannot decrypt the traffic they recorded earlier. This makes it near impossible for certain governments or other bad actors to snoop on their citizens. In some countries, dissenting against your government can get you killed. The problem is that what makes it near impossible for bad actors also makes it impossible for "good" actors.
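As an added illustration (this code is not from the article, from EDCO or from any of the drafts mentioned), the following Python script models the three situations the last two paragraphs describe: TLS 1.2-style RSA key transport, where a passive device holding the server's RSA private key recovers the session key from the captured handshake alone; the TLS 1.3 ephemeral Diffie-Hellman exchange, where the same device holds the same long-term key and learns nothing; and a server that reuses a static DH private value shared with the decryptor, which restores visibility but means that whoever obtains that value can decrypt every recorded session, which is exactly the forward-secrecy property the ephemeral exchange provides. The static-DH case is a simplified stand-in for the kind of approach the visibility drafts discuss, not their actual mechanism. The primes are toy-sized, textbook RSA is used without padding, and SHA-256 stands in for the TLS key schedule; all of these are assumptions of this example.

```python
"""Toy model of why TLS 1.3's removal of static RSA breaks passive
out-of-band decryption. Illustrative example only; parameters are NOT secure."""
import hashlib
import secrets

# --- Toy DH group (assumption): a Mersenne prime and a small generator.
# Real deployments use the RFC 7919 groups or an elliptic curve.
DH_P = 2**127 - 1
DH_G = 3

# --- Toy RSA key (assumption): two Mersenne primes, ~150-bit modulus.
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's long-term private key


def session_key(shared_secret: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the shared secret into a 32-byte key."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def rsa_key_exchange():
    """TLS 1.2-style RSA key transport (textbook RSA, no padding, toy sizes).
    The client picks the premaster secret and sends it encrypted under the
    server's public key. Returns (captured transcript, client's session key)."""
    premaster = secrets.randbelow(RSA_N)
    transcript = {"encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return transcript, session_key(premaster)


def rsa_passive_decrypt(transcript, server_private_d):
    """Out-of-band decryptor holding the server's RSA private key: the captured
    ClientKeyExchange alone is enough to recover the premaster secret."""
    premaster = pow(transcript["encrypted_premaster"], server_private_d, RSA_N)
    return session_key(premaster)


def dh_key_exchange(server_private=None):
    """(EC)DHE-style exchange. With server_private=None the server picks a fresh
    ephemeral value and discards it after the handshake (TLS 1.3 behaviour).
    Passing a fixed value models a static DH key reused across sessions."""
    a = secrets.randbelow(DH_P - 2) + 1                       # client ephemeral
    b = server_private if server_private is not None else secrets.randbelow(DH_P - 2) + 1
    transcript = {"client_share": pow(DH_G, a, DH_P),         # what goes on the wire
                  "server_share": pow(DH_G, b, DH_P)}
    shared = pow(transcript["server_share"], a, DH_P)         # client side
    if shared != pow(transcript["client_share"], b, DH_P):    # server side must agree
        raise RuntimeError("DH shares do not agree")
    return transcript, session_key(shared)


def dh_passive_decrypt(transcript, server_dh_private):
    """The decryptor can only derive the DH session key if it knows the server's
    DH private value. With ephemeral keys that value never leaves the server, so
    the captured shares (and the server's RSA private key) unlock nothing."""
    if server_dh_private is None:
        return None
    shared = pow(transcript["client_share"], server_dh_private, DH_P)
    return session_key(shared)


def demo():
    """Run the three scenarios and report whether passive decryption succeeded."""
    results = {}
    # 1. TLS 1.2 static RSA: the server's private key decrypts the captured session.
    t, k = rsa_key_exchange()
    results["rsa"] = rsa_passive_decrypt(t, RSA_D) == k
    # 2. TLS 1.3 ephemeral DH: the long-term key is useless against the capture.
    t, k = dh_key_exchange()
    results["ephemeral_dh"] = dh_passive_decrypt(t, None) == k
    # 3. Static DH shared with the decryptor: visibility is back, but every
    #    session under that value (past and future) falls with it: no forward secrecy.
    static_b = secrets.randbelow(DH_P - 2) + 1
    t, k = dh_key_exchange(server_private=static_b)
    results["static_dh"] = dh_passive_decrypt(t, static_b) == k
    return results


if __name__ == "__main__":
    for scenario, decrypted in demo().items():
        print(f"{scenario:13s} passive decryption {'succeeded' if decrypted else 'failed'}")
```

Running the script shows the trade-off in one line each: `rsa` succeeds, `ephemeral_dh` fails, `static_dh` succeeds. The third case is the crux of the debate on this page: any scheme that lets a passive device recover TLS 1.3 session keys has to hand that device a long-lived secret, and the protection of recorded traffic then depends entirely on how well that secret is guarded.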
When you think about it, what are people really doing on the Internet? (Yes, I know, using Facebook, Twitter or SnapChat and watching cat videos!) They are checking their bank account, getting alerts from their insurance company, and so on. The change envisioned makes many users of the Internet less secure, not more secure.
This is a very complex issue!
We need to work together!
We need to see how we can protect the political dissenter as well as the banking customer!
We have formed an organization that we call Enterprise Data Center Operators (EDCO) to share standards information with subscribers (www.e-dco.com). This is a collaboration including manufacturing, insurance, finance, retail and government. We plan to track the impact of standards, not just at the IETF but at ICANN, the European Union (GDPR) and so on. We will create documents which assess the impact of these changes on large enterprises.
Ignorance is not bliss. Some think that vendors or others will tell them what they need to know about protocol changes. The organizations that have banded together to form EDCO know, to their regret, that this is not so. You can and should get involved and help shape the direction of protocol changes as otherwise they will shape your strategic network direction.
What can you do now?
- Read the proposed solution that we will be presenting at the IETF meeting in London in March: TLS 1.3 “Option for Negotiation of Visibility in the Datacenter” (https://datatracker.ietf.org/doc/draft-rhrd-tls-tls13-visibility/)
- This draft will be discussed at IETF 101 in London on Monday, March 19th. Join us. Contact email@example.com for more information. A one-day pass for that day costs only $375.
- If you cannot come to London, then join remotely for the TLS WG session where we will be presenting. You can type in responses to comments in the live session, and you can ask to speak remotely. The comments from remote attendees are taken seriously. You can register for remote participation at: http://ietf.org/how/meetings/101/remote/. There is no cost to attend remotely.
- Read the Internet draft that we have prepared to fully explain the problem from our point of view. The draft is called: “Why Enterprises Need Out-Of-Band Decryption” (https://datatracker.ietf.org/doc/draft-fenter-tls-decryption/)
- Read the draft that some people at Cisco have prepared which talks about the security impact of TLS 1.3 (https://datatracker.ietf.org/doc/draft-camwinget-tls-use-cases/)
- Read the draft on the effects of pervasive encryption on people running networks (https://datatracker.ietf.org/doc/draft-mm-wg-effect-encrypt/)
What can you do on an ongoing basis?
- Join EDCO
- We are working on other protocol issues which will impact us in the future: encrypted DNS, QUIC (a UDP-based transport that will carry HTTP), and many others.
There is also a second article which has come out where I was interviewed:
Help us to shape the future of the Internet.
Find out more about and/or join EDCO - https://www.e-dco.com/
Author - Nalini Elkins, the CEO and Founder of Inside Products, Inc., is a recognized leader in the field of computer performance measurement and analysis. In addition to being an experienced software product designer, developer, and planner, she is a formidable businesswoman. She has been the founder or co-founder of two start-ups in the high-tech arena. For more information or questions, please contact Nalini Elkins at Nalini.firstname.lastname@example.org .