These words were spoken by the man affectionately known as “The Father of the Internet”, Vint Cerf, in a recent NPR interview. Unfortunately, he didn’t apply that best practice to the invention he’s best known for. While he and his team created the vehicle that makes our entire world go round (i.e. TCP/IP and IP networking), he neglected to include a way to hold users accountable for their actions—no method to identify them.
And that is the fundamental flaw that scars the beautiful dream that is the Internet. Without provable identity, those that are less scrupulous than Mr. Cerf routinely use his amazing achievement as a perfect way to commit cybercrime, spy on nation states, and assault users behind a mask of anonymity.
While IP networking was designed to give admins convenient maintenance and administration of machines and devices, these network connections create additional threat vectors into devices controlling critical systems. Today, many of these devices run on proprietary firmware that is closed (unreadable) and rarely updated. As a result, organizations must connect these devices to some portion of the network even though there are very limited use cases for these devices to communicate. Traditional firewalls can help limit traffic in and out of designated areas; however, most firewalls enforce rules based on IP addresses, which are arbitrary, dynamic, and spoofable. Furthermore, inside the protection of a firewall, devices are still able to communicate laterally and are often visible to the rest of the network. And any misconfiguration of either the device or the firewall can be catastrophic.
To resolve this problem, an additional name space is required to abstract the (permanent) identity of a device from the device’s corresponding addresses. Rather than connecting by IP address, networked things can instead use a host identifier, which provides a more reliable attribute of identity. One such implementation is the Host Identity Protocol (HIP), which adds a “host identifier” in the form of a cryptographic public key associated with the host. In the case of HIP, two parties must share a cryptographic binding before they can even see each other on the network, effectively hiding the portions of the network that are not allowed to communicate with each other.
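To make the contrast between IP-based rules and identity-based admission concrete, here is an added example (not code from the original post or from any HIP implementation). It models a responder that only answers peers whose host identifier is on its allowlist and that can prove possession of the matching private key by signing a fresh nonce. Two simplifications are assumptions of this example: the host identity is a hash-based (Lamport) one-time signature key built from SHA-256 so the code runs with the Python standard library only, whereas real HIP hosts use RSA or ECDSA keys; and the “HIT” is a truncated SHA-256 of the public key, a stand-in for HIP’s ORCHID construction rather than the exact RFC 7401 encoding.

```python
"""Identity-based admission in the spirit of HIP (added example, not HIP code).

Assumptions made by this example:
  - Host identity = a Lamport one-time signature key pair (SHA-256 based),
    standing in for the RSA/ECDSA host identities real HIP uses.
  - hit() = first 16 bytes of SHA-256(public key), a simplified HIT, not the
    RFC 7401 ORCHID encoding.
"""
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport key: 256 pairs of secrets; public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """Reveal, for each bit of SHA-256(msg), the matching secret (one-time use)."""
    bits = int.from_bytes(H(msg), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def verify(pk, msg: bytes, sig) -> bool:
    """Check that each revealed secret hashes to the public value for that bit."""
    if len(sig) != 256:
        return False
    bits = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


def hit(pk) -> str:
    """Simplified Host Identity Tag: 128-bit digest of the public key (assumption)."""
    return H(b"".join(a + b for a, b in pk))[:16].hex()


def ip_rule_admits(allowed_ips, claimed_src_ip: str) -> bool:
    """A classic firewall rule: trusts whatever source address the packet carries."""
    return claimed_src_ip in allowed_ips


class Responder:
    """A host bound to a fixed set of peer identities; everyone else gets no reply."""

    def __init__(self, allowed_hits):
        self.allowed = set(allowed_hits)

    def admit(self, peer_pk, sign_fn) -> bool:
        """Admit only a known identity that proves key possession over a fresh nonce."""
        if hit(peer_pk) not in self.allowed:
            return False  # unknown identity: no binding, so no response at all
        nonce = secrets.token_bytes(32)  # fresh per attempt, so replay is useless
        return verify(peer_pk, nonce, sign_fn(nonce))


def demo():
    """Returns (honest_peer, impostor_with_copied_key, unknown_peer, spoofed_ip)."""
    sk_dev, pk_dev = keygen()        # a trusted device (constructed)
    sk_other, pk_other = keygen()    # some other host (constructed)
    responder = Responder([hit(pk_dev)])

    honest = responder.admit(pk_dev, lambda n: sign(sk_dev, n))
    # Presenting the trusted public key is not enough without its private half.
    impostor = responder.admit(pk_dev, lambda n: sign(sk_other, n))
    # An identity the responder was never bound to is simply not answered.
    unknown = responder.admit(pk_other, lambda n: sign(sk_other, n))
    # The IP rule, by contrast, accepts any packet that merely claims the address.
    spoofed_ip = ip_rule_admits({"10.0.0.5"}, "10.0.0.5")
    return honest, impostor, unknown, spoofed_ip


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The point the example makes is the one the paragraph describes: the IP rule passes on an attribute the sender chooses, while the identity check passes only on something the sender must prove, and peers that were never bound simply receive no answer. Because a Lamport key must not sign twice, each call to `admit` in the demo uses a key that signs exactly one nonce; a production host identity would use an ordinary multi-use signature key.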
Like doctors who deal with dangerous diseases, we should not treat the symptoms of a lack of identity with “medicines” known as next-generation firewalls (NGFWs) and Access Control Lists (ACLs)—we need a cure for the inherent insecurity of TCP/IP, a vaccine known as provable identities.