IETF Security Activities and Collaboration
Tim Polk
National Institute of Standards and Technology
tim.polk@nist.gov
Geneva, 6-7 December 2010
Addressing security challenges on a global scale
Two Excerpts from IETF Mission Statement

- "The mission of the IETF is to make the Internet work better … by producing high quality, relevant technical documents that influence the way people design, use, and manage the Internet."

- One of the Cardinal Rules is Protocol Ownership: "When the IETF takes ownership of a protocol or function, it accepts the responsibility for all aspects of the protocol ...."
Responsibilities of IETF Security Area

- Security-centric standards development
  - The IETF Security Area includes between ten and eighteen working groups, each devoted to a particular mechanism or technology
- Contributing "security clue" to standards developed in other IETF areas
  - Recruiting security participants to contribute to other IETF standards areas, and monitoring those efforts to ensure we are actually helpful
- Cross-SDO collaboration
  - Providing Internet-specific details (X.509)
  - Supporting security requirements from other SDOs (MIKEY modes for W3C)
Security-Centric Standards Development

- These standards are intended as essential building blocks
  - Key Management Infrastructures: Kerberos, X.509, multicast security, hokey, new DNSSEC-based key distribution work
  - Secure Transport: Transport Layer Security (TLS and DTLS), Secure Shell
  - Authentication Technologies: EAP methods, federated authentication
  - Secure Applications: S/MIME, DKIM, NEA, SASL
- The most exciting new work is leveraging DNSSEC to securely distribute key material
Collaborative Initiatives

- Many IETF activities are inherently tied to technologies developed outside the Security Area, but security clue is essential to their success
  - Worked examples include DNSSEC (Internet Area) and TCP-AO (Transport Area)
    - Understanding DNS and the TCP state machine were critical aspects of that work
  - Current activities are focused in the Routing Area and include secure inter-domain routing (sidr) and key management for routing protocols (karp)
    - Routing protocols demand a very specific background
  - Cross-SDO activities include X.509 and the XML Digital Signature Standard
High-Priority Opportunities

- Ongoing/emerging IETF activities
  - Leveraging DNSSEC for secure key or certificate distribution
  - Securing routing protocols
  - Security for the "Internet of Things"
  - Privacy-enhancing technologies
- Other opportunities
  - Security automation
  - Application of current protocols to emerging sectors
    - Health care, smart grid, etc.
Personal Observations on Collaboration

- Collaboration starts with sound architecture and engineering decisions
  - Good protocols lend themselves to use as building blocks
  - Well-engineered protocols are extensible to solve other problems
  - If a protocol needs major surgery to satisfy a new effort, it may be the wrong protocol
- Collaboration within the IETF and between SDOs is fundamentally the same problem
  - Success demands that committed individuals regularly participate in the activities of both IETF working groups (or both SDOs)