Host and User Identity

Over the holidays I read an interesting article on a proposed complete redesign of the Internet. The work is in its nascent stages within the NSF and has a vocal supporter in David Clark at MIT. This design effort could take five to seven years at a cost of $200-$300 million. It is often interesting to undertake green-field design efforts to see what sort of an ideal could be realized and what things you are giving up by only changing the current architecture in incremental ways. The focus of such an architecture will–big surprise–have a lot to do with security, with many of the security improvements in the area of authenticating users and devices.

This identity problem is something authenticated networks can try to address. Technologies like VPNs and 802.1x can improve overall security by authenticating the user associated with a particular machine. This can tell us, for instance, that 192.0.2.52 is currently Sam in finance. This is extraordinarily useful in enforcing network policy. As I’ve outlined in prior posts, users are no longer fixed to a given IP address, making filtering on IP address in a firewall quite difficult. This is because the IP address has lost much of its context over the years.

One of the problems with authenticated networks–which could benefit from more exploration–is the coupling of user authentication with the IP address. Today, even with VPNs and 802.1x, all the good authentication work done at the edge is lost once the packet is sent into the rest of the campus network. For example, we determined that 192.0.2.52 is Sam in finance, but how does the next policy enforcement point learn that? Certainly not through any identifying information in the IP packet. This means any filtering you wish to employ for the user requires enforcement at the same point where you apply the user authentication. This is far better than nothing but certainly not ideal, since it requires describing all possible destinations for a given user in keeping with the network security principle of “expressly permit, implicitly deny.”
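A small simulation of the gap described above, added here and not part of the original post: an edge enforcement point that holds the 802.1x/VPN binding from IP to user, and a downstream enforcement point that only ever sees the source address. The hosts, users, destinations and rules are constructed for illustration.

```python
"""Two policy enforcement points (PEPs) in an authenticated network.
Added example, not code from the original post. The edge PEP learns the user
from 802.1x/VPN authentication and binds it to the source IP; a downstream PEP
sees only the IP header. Hosts, users, destinations and rules are constructed."""
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst: str  # destination service name, e.g. "payroll-db"


class EdgePEP:
    """Enforcement co-located with authentication: knows ip -> user."""
    def __init__(self, user_rules):
        self.user_rules = user_rules  # user -> set of permitted destinations
        self.bindings = {}            # ip -> user, created at authentication time

    def authenticate(self, ip, user):
        self.bindings[ip] = user      # e.g. 802.1x success on this port

    def logoff(self, ip):
        self.bindings.pop(ip, None)   # binding disappears with the session

    def decide(self, pkt):
        user = self.bindings.get(pkt.src_ip)
        # Expressly permit, implicitly deny: unknown user or unlisted destination.
        return "permit" if pkt.dst in self.user_rules.get(user, set()) else "deny"


class DownstreamPEP:
    """Enforcement deeper in the campus: only the IP header is visible."""
    def __init__(self, ip_rules):
        self.ip_rules = ip_rules      # src_ip -> set of permitted destinations

    def decide(self, pkt):
        return "permit" if pkt.dst in self.ip_rules.get(pkt.src_ip, set()) else "deny"


def run_scenario():
    # One address, two users in sequence; returns (edge, downstream) decisions.
    edge = EdgePEP({"sam": {"payroll-db"}})
    core = DownstreamPEP({"192.0.2.52": {"payroll-db"}})  # written while Sam held the IP
    pkt = Packet("192.0.2.52", "payroll-db")
    edge.authenticate("192.0.2.52", "sam")
    sam = (edge.decide(pkt), core.decide(pkt))
    edge.logoff("192.0.2.52")
    edge.authenticate("192.0.2.52", "pat")  # DHCP hands the same address to Pat
    pat = (edge.decide(pkt), core.decide(pkt))
    return {"sam": sam, "pat": pat}
```

Once the address changes hands, the edge PEP denies Pat because its binding says so, while the downstream PEP keeps permitting the stale address-based rule; that is the context the IP address has lost.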

Technologies like IPsec can help but have not yet seen widespread adoption for a variety of reasons, including complexity issues around configuration, interoperability, and key management. Some promising experimental work in the IETF is coming from the Host Identity Protocol working group, which has defined an architecture around host identity that may be extensible into the user space. I’m just starting to explore this and hope to spend some time with some of the principals at the next IETF in Dallas.
