Internet Infrastructure Protection Project


Goals
Improve the performance, scalability, interoperability of Internet security services. Expedite the development and adoption of protection mechanisms for core Internet naming and routing infrastructure services. Research and develop techniques to exploit emerging programmable data planes to improve the survivability of Internet infrastructures.
Technical Approach
Foster IETF/OIF specifications for network layer security and key management technologies. Develop reference implementations, test systems and simulation frameworks to evaluate behavior and performance. Contribute to the design, specification, testing and measurement of DNS and BGP security technologies. Work with other agencies to foster adoption and deployment. Research approaches to incorporate control plane security mechanisms and DDOS mitigation techniques in emerging network processor based protocol architectures.
Current Plans
Develop test and measurement framework, tools and reference data sets for emerging DNSSEC implementations and pilot deployments. Design and standardize “last mile” interface between application and secure DNS infrastructure. Evaluate the BGP threat models and mitigation techniques. Research extensions to the architectures and protocols for Forwarding and Control Element Separation (ForCES) to enable control plane resource protection and improved survivability / security. Prototype and evaluate IPsec profiles for Optical Network Signaling (OIF UNI) protocols.
Recent Results
Leading the development of key standards:
Lead IETF editorship of (5) core DNSSEC specifications. Lead IETF editorship of (3) AES/IPsec specifications.
Tools and analysis to expedite industry adoption:
DNS workload generation / benchmark tools (gzipped tar file). DNS root server query statistics/data. Released NIST IPsec/IKE Simulation Tool and published characterizations of IPsec/IKE VPNs. Developed reference implementation and evaluation of OIF UNI protection profile based upon IPsec/IKE.
Related Documents:
Kotikalapudi Sriram, Doug Montgomery, Oliver Borchert, Okhee Kim, and Rick Kuhn, ""Study of BGP Peering Session Attacks and Their Impacts on Routing Performance," ,IEEE Journal on Selected Areas in Communications: Special issue on High-Speed Network Security, Vol. 24, No. 10, October 2006, pp. 1901-1915. Doug Montgomery, "IPv6 Security Findings," working paper, November 2004. R. Arends, R. Austein, M. Larson, D.Massey and S.Rose, "DNS Security Introduction and Requirements", draft-ietf-dnsext-dnssec-intro-09 (work in progress), February 2004. R. Arends, R. Austein, M. Larson, D.Massey and S.Rose, "Resource Records for DNS Security Extensions", draft-ietf-dnsext-dnssec-records-07 (work in progress), February 2004. R. Arends, R. Austein, M. Larson, D.Massey and S.Rose, "Protocol Modifications for the DNS Security Extensions", draft-ietf-dnsext-dnssec-protocol-05 (work in progress), February 2004. O. Kim and D. Montgomery, "Behavioral and Performance Characteristics of Large-Scale IPsec/IKE VPNs", Proceedings of the IASTED International Conference on Communication, Network, and Information Security, pp. 231-236, December 2003. S. Frankel , H. Herbert , "The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec", RFC 3566, September 2003. S. Frankel, R. Glenn and S. Kelly, "The AES CBC Cipher Algorithm and Its Use With IPsec," RFC 3602, September 2003. S. Frankel, R. Glenn and S. Kelly, "The HMAC-SHA-256-128 Algorithm and Its Use With IPsec," IETF Internet Draft, December 2002. S. Frankel, "The IKE (Internet Key Exchange) Protocol," NIST Key Management Workshop, February 2000. S. Frankel, "Implementing and Testing IPsec: NIST's Contributions and Future Developments," RSA 2000 Conference, January 2000. S. Frankel, "PlutoPlus: Policy and PKI Plans for FY00," November 1999. S. Frankel, "NIST's IPsec Web-Based Interoperability Tester (IPsec-WIT)," IPsec99 Conference, October 1999. R. Thayer, N. Doraswamy and R. Glenn, "IP Security Document Roadmap," RFC 2411, November 1998. R. Glenn and S. Kent, "The NULL Encryption Algorithm and Its Use With IPsec," RFC 2410, November 1998. C. Madson and R. Glenn, "The Use of HMAC-SHA-1-96 within ESP and AH," RFC 2404, November 1998. C. Madson and R. Glenn, "The Use of HMAC-MD5-96 within ESP and AH," RFC 2403, November 1998. R. Glenn, "Cerberus: an IPsec Reference Implementation," 1998 Linux Congress, August 1998. (HTML) S. Frankel, "Crossing the Styx: Taming the Underworld Using Cerberus and PlutoPlus (ITL's Contributions in the Area of Internet Security)," March 1998. P.C. Cheng and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1," RFC 2202, September 1997.
Software and Data:
NIIST -NIST IPSec and IKE (va/v2) Simulation Tool for performance & behavior analysis of emerging IETF security protocols. Cerberus -NIST's Reference Implementation of IPsec. PlutoPlus -NIST's Reference Implementation of IKE/ISAKMP. IPsec-WIT -NIST's IPsec WWW-Based Interoperabililty Tester.
Customers
IETF Security working groups DARPA / DoD DHS ARPA
Collaborators

DHS ARPA, NSA, DISA USC/ISI, NIA Labs, UMBC

ANTD footer page


www.antd.nist.gov
Web site owner: The National Institute of Standards and Technology
	Disclaimer Notice & Privacy Policy / Security Notice Send comments or suggestions to webmaster@antd.nist.gov The National Institute of Standards and Technology is an Agency of the U.S. Commerce Department Last updated: June 4, 2008 Date Created: May, 2001