Goals

- Improve the performance, scalability, and interoperability of Internet security services.
- Expedite the development and adoption of protection mechanisms for core Internet naming and routing infrastructure services.
- Research and develop techniques to exploit emerging programmable data planes to improve the survivability of Internet infrastructures.

Technical Approach

- Foster IETF/OIF specifications for network layer security and key management technologies. Develop reference implementations, test systems and simulation frameworks to evaluate behavior and performance.
- Contribute to the design, specification, testing and measurement of DNS and BGP security technologies. Work with other agencies to foster adoption and deployment.
- Research approaches to incorporate control plane security mechanisms and DDoS mitigation techniques in emerging network-processor-based protocol architectures.

Current Plans

- Develop a test and measurement framework, tools and reference data sets for emerging DNSSEC implementations and pilot deployments.
- Design and standardize the “last mile” interface between applications and the secure DNS infrastructure.
- Evaluate BGP threat models and mitigation techniques.
- Research extensions to the Forwarding and Control Element Separation (ForCES) architectures and protocols to enable control plane resource protection and improved survivability and security.
- Prototype and evaluate IPsec profiles for Optical Network Signaling (OIF UNI) protocols.

Recent Results

Leading the development of key standards:
- Lead IETF editorship of five core DNSSEC specifications.
- Lead IETF editorship of three AES/IPsec specifications.

Tools and analysis to expedite industry adoption:
- DNS workload generation / benchmark tools (gzipped tar file).
- DNS root server query statistics/data.
- Released the NIST IPsec/IKE Simulation Tool and published characterizations of IPsec/IKE VPNs.
- Developed a reference implementation and evaluation of the OIF UNI protection profile based upon IPsec/IKE.

Related Documents:

- K. Sriram, D. Montgomery, O. Borchert, O. Kim and R. Kuhn, "Study of BGP Peering Session Attacks and Their Impacts on Routing Performance," IEEE Journal on Selected Areas in Communications: Special Issue on High-Speed Network Security, Vol. 24, No. 10, October 2006, pp. 1901-1915.
- D. Montgomery, "IPv6 Security Findings," working paper, November 2004.
- R. Arends, R. Austein, M. Larson, D. Massey and S. Rose, "DNS Security Introduction and Requirements," draft-ietf-dnsext-dnssec-intro-09 (work in progress), February 2004.
- R. Arends, R. Austein, M. Larson, D. Massey and S. Rose, "Resource Records for DNS Security Extensions," draft-ietf-dnsext-dnssec-records-07 (work in progress), February 2004.
- R. Arends, R. Austein, M. Larson, D. Massey and S. Rose, "Protocol Modifications for the DNS Security Extensions," draft-ietf-dnsext-dnssec-protocol-05 (work in progress), February 2004.
- O. Kim and D. Montgomery, "Behavioral and Performance Characteristics of Large-Scale IPsec/IKE VPNs," Proceedings of the IASTED International Conference on Communication, Network, and Information Security, pp. 231-236, December 2003.
- S. Frankel and H. Herbert, "The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec," RFC 3566, September 2003.
- S. Frankel, R. Glenn and S. Kelly, "The AES CBC Cipher Algorithm and Its Use With IPsec," RFC 3602, September 2003.
- S. Frankel, R. Glenn and S. Kelly, "The HMAC-SHA-256-128 Algorithm and Its Use With IPsec," IETF Internet Draft, December 2002.
- S. Frankel, "The IKE (Internet Key Exchange) Protocol," NIST Key Management Workshop, February 2000.
- S. Frankel, "Implementing and Testing IPsec: NIST's Contributions and Future Developments," RSA 2000 Conference, January 2000.
- S. Frankel, "PlutoPlus: Policy and PKI Plans for FY00," November 1999.
- S. Frankel, "NIST's IPsec Web-Based Interoperability Tester (IPsec-WIT)," IPsec99 Conference, October 1999.
- R. Thayer, N. Doraswamy and R. Glenn, "IP Security Document Roadmap," RFC 2411, November 1998.
- R. Glenn and S. Kent, "The NULL Encryption Algorithm and Its Use With IPsec," RFC 2410, November 1998.
- C. Madson and R. Glenn, "The Use of HMAC-SHA-1-96 within ESP and AH," RFC 2404, November 1998.
- C. Madson and R. Glenn, "The Use of HMAC-MD5-96 within ESP and AH," RFC 2403, November 1998.
- R. Glenn, "Cerberus: an IPsec Reference Implementation," 1998 Linux Congress, August 1998.
- S. Frankel, "Crossing the Styx: Taming the Underworld Using Cerberus and PlutoPlus (ITL's Contributions in the Area of Internet Security)," March 1998.
- P. C. Cheng and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1," RFC 2202, September 1997.

Software and Data:

- NIIST - NIST IPsec and IKE (v1/v2) Simulation Tool for performance and behavior analysis of emerging IETF security protocols.
- Cerberus - NIST's reference implementation of IPsec.
- PlutoPlus - NIST's reference implementation of IKE/ISAKMP.
- IPsec-WIT - NIST's IPsec WWW-based Interoperability Tester.

Customers
- IETF Security working groups
- DARPA / DoD
- DHS ARPA

Collaborators

- DHS ARPA, NSA, DISA
- USC/ISI, NIA Labs, UMBC