Engineers who follow even the latest technical standards when building networks or networking products could still run afoul of undocumented -- but known -- security problems, argues a report published by the United Kingdom's Centre for the Protection of National Infrastructure (CPNI).
The report, Security Assessment of the Internet Protocol, found that the official documentation of Internet protocols, known as Requests for Comments or RFCs, fails to include solutions to the latest security problems. The 61-page report offers advice on best practices for implementing Internet protocols in a secure manner.
"Much of the effort of the security community on the Internet protocols did not result in official documents (RFCs) being issued by the IETF (Internet Engineering Task Force) leading to a situation in which 'known' security problems have not always been addressed by all vendors," the report states. "As a result, any system built in the future according to the official TCP/IP specifications might reincarnate security flaws that have already hit our communication systems in the past."
A number of major security design flaws have been found in Internet protocols. Most recently, security researcher Dan Kaminsky found a way to exploit, using delegation, the weak transaction ID that identifies domain-name requests. In 2002, companies and governments worked to fix an issue in Abstract Syntax Notation One (ASN.1), the data-description notation that underlies some of the Internet's protocols, including the Simple Network Management Protocol (SNMP).
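The weak transaction ID mentioned above is the kind of flaw a defender can check for directly: a resolver that reuses one source port and hands out sequential IDs leaves an off-path forger only a 16-bit space to guess, while one that randomises both widens it considerably. The following Python is an added example, not code from the CPNI report or from this article. It decodes the fixed DNS header so the ID can be read from captured queries, then audits a list of (source port, transaction ID) pairs for predictability. The sample pairs are constructed, not captured traffic, and the function names and the 50% sequential-pair threshold are my own choices.

```python
import math
import random
import struct


def build_query(txid: int, qname: str = "example.com") -> bytes:
    """Build a minimal DNS query (header plus one A/IN question) carrying txid."""
    # Flags 0x0100: standard query with recursion desired; one question section.
    header = struct.pack("!HHHHHH", txid & 0xFFFF, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_header(message: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def assess_query_entropy(samples: list[tuple[int, int]]) -> dict:
    """Given (source_port, txid) pairs observed from one resolver, report how
    predictable its outgoing queries are.  'weak' is set when at least half of
    consecutive IDs increment by one or when every query left the same port;
    these thresholds are assumptions chosen for this example."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    ports = [p for p, _ in samples]
    ids = [t for _, t in samples]
    pairs = list(zip(ids, ids[1:]))
    sequential = sum(1 for a, b in pairs if (b - a) % 0x10000 == 1)
    seq_fraction = sequential / len(pairs)
    distinct_ports = len(set(ports))
    # Rough size of the space a forger must search: 16 bits for the ID if it
    # is not predictable, plus log2 of the number of distinct ports observed.
    id_bits = 16 if seq_fraction < 0.5 else 0
    port_bits = math.log2(distinct_ports)
    return {
        "sequential_fraction": round(seq_fraction, 3),
        "distinct_ports": distinct_ports,
        "distinct_ids": len(set(ids)),
        "approx_guess_bits": round(id_bits + port_bits, 1),
        "weak": seq_fraction >= 0.5 or distinct_ports == 1,
    }


# Constructed samples (not captured traffic): a resolver with a fixed source
# port and incrementing IDs, and one that randomises both per query.
WEAK_SAMPLES = [(32768, 0x1000 + i) for i in range(20)]
_rng = random.Random(7)  # seeded so the example is reproducible
RANDOMISED_SAMPLES = [(_rng.randrange(1024, 65536), _rng.randrange(0, 65536))
                      for _ in range(20)]

if __name__ == "__main__":
    print("header of a constructed query:", parse_dns_header(build_query(0x1234)))
    print("fixed port, sequential IDs:", assess_query_entropy(WEAK_SAMPLES))
    print("randomised port and IDs:   ", assess_query_entropy(RANDOMISED_SAMPLES))
```

To audit a real resolver, collect the UDP source port and the ID from each outgoing query's header (the ID is the first two bytes of the DNS payload, as parse_dns_header shows) and feed those pairs to assess_query_entropy; a result flagged weak indicates the resolver still relies on the 16-bit ID alone.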
The preface to the CPNI report requests feedback from security and Internet experts to further improve the document.
Posted by: Robert Lemos