On Flying Pigs, DNSSEC, and embedded versus overlaid security…
I found Thomas Ptacek’s comments regarding DNSSEC deliciously ironic not for anything directly related to secure DNS, but rather a point he made in substantiating his position regarding DNSSEC while describing the intelligence (or lack thereof) of the network and application layers.
This may have just been oversight on his part, but it occurs to me that I’ve witnessed something on the order of a polar magnetic inversion of sorts. Or not. Maybe it’s the coffee. Ethiopian Yirgacheffe does that to me.
Specifically, Thomas and I have debated previously about this topic and my contention is that the network plumbing ought to be fast, reliable, resilient and dumb whilst elements such as security and applications should make up a service layer of intelligence running atop the pipes.
Thomas’ assertions focus on the manifest destiny that Cisco will rule the interconnected universe and that security, amongst other things, will — and more importantly should — become absorbed into and provided by the network switches and routers.
While Thomas’ arguments below are admittedly regarding the "Internet" versus the "Intranet," I maintain that the issues are the same. It seems that his statements below, which appear to endorse the "…end-to-end argument in system design" regarding the "…fundamental design principle of the Internet," are at odds with his previous aspersions regarding my belief. Check out the bits in red.
Here’s what Thomas said in "A Case Against DNSSEC (A Matasano Miniseries)":
…You know what? I don’t even agree in principle. DNSSEC is a bad thing, even if it does work.

How could that possibly be?

It violates a fundamental design principle of the Internet.

Nonsense. DNSSEC was designed and endorsed by several of the architects of the Internet. What principle would they be violating?

The end-to-end argument in system design. It says that you want to keep the Internet dumb and the applications smart. But DNSSEC does the opposite. It says, “Applications aren’t smart enough to provide security, and end-users pay the price. So we’re going to bake security into the infrastructure.”
I could have sworn that the bit in italics is exactly what Thomas used to say. Beautiful. If Thomas truly agrees with this axiom, and that indeed the Internet (the plumbing) is supposed to be dumb and applications (the service layer) smart, then I suggest he should revisit his rants about how he believes embedding security in the network is a good idea, since it invalidates the very "foundation" of the Internet.
I wonder what that’ll do to internal networks?
That’s all. CSI is on.
/Hoff
(Written @ Home drinking Yirgacheffe watching UFC re-runs)
Chris, all due respect, but, what are you talking about?
I don't believe security should be embedded into the network. I'm not entirely sure, but I think — I THINK — maybe? — I've built sort of a little career around how that's a horrible idea.
The fact that Cisco is inevitably going to crush Crossbeam is not an argument about the design principles of the Internet. It's an argument about how weak Crossbeam is compared to Cisco.
So will you please now write a post about whether you think DNSSEC is a good idea or not? Because that's what I'm talking about.
Oh, you mean "However, to the extent that I believe in 'network security' at all, I’m a believer in embedded security."
Yeah, the subtext you're missing is, I don't really believe in network security.
Hey, Thomas! How the heck are you?
Sorry, I should really have given you the nod on your DNSSEC post. I certainly could write about how I agree with your assessment (or at least parts thereof) of DNSSEC, but that's boring since I agree with lots of stuff you write.
Regardless of how you've made your career in the past, your current vocation — or at least your blog — makes a career out of disagreeing with folks. I'm just returning the favor by pointing out what I understood to be contradictory statements.
Perhaps I was confused, what with all the rhetoric in our last exchange.
I maintain that the metaphor you used to substantiate your (excellent) opinion regarding DNSSEC is at odds with prior comments you made in regards to the superiority of embedded versus overlaid security models.
Whether you really believe in network security or not, it seems that you would, to the extent you believe in network security at all, believe in "embedded security." I'm merely trying to reconcile this statement and the ones made in the past.
I wasn't referring to the "Crushing Crossbeam" subtext at all. I finished snickering at that 5 minutes after I read it months ago. I did appreciate the perspective.
Thanks for clearing up your position on network security — I'm thick that way. Makes sense now.
/Hoff
I think the jury is still out on how much security policy we should be pushing to middleboxes, and how smart those middleboxes should be. What I know right now is we spend way, way too much time, effort, and money on 19" rack-mountable chassis that suck in packets and spit them back out again without providing any measurable impact on the security of our networks. Not a fan.
But in terms of protocol design? Well, the company I started before I landed at Arbor was overlay multicast: give up on Deering-model multicast completely and do application-layer relay. Within the next 2 years that idea is obviously going to be mainstream. I am a believer in freezing development of the core protocols and building new functionality on top of them. I like NAT. I like Paul Francis. I think the IETF has been hijacked by the leftovers from the OSI standards committees. I don't know what you call that philosophy, besides "end2end originalist".