NIST has been active in the research, development and commercialization of IETF security technologies including IPsec, key management protocols (e.g., ISAKMP / IKE), and PKIX certificate systems. Our work to date includes numerous contributions to IETF specifications, the development of an IPsec reference implementation, Cerberus; an IKE reference implementation, PlutoPlus; a PKIX certificate authority reference implementation; and, a WWW-based IPsec Interoperability Tester, IPsec-WIT. Cerberus and PlutoPlus serve as publicly available reference implementations and platforms for on-going research on advanced issues in IPsec and IKE technology. IPsec-WIT is built around the Cerberus and PlutoPlus prototypes and ubiquitous WWW technology and allows implementers to remotely execute series of interoperability tests against the NIST reference implementations. NIST's rapid prototypes and live testing tools have been used by hundreds of industry and research organizations to advance the state of the art in Internet security technologies.

To date, NIST's efforts have focused on fostering the research and development of individual protocol technologies necessary to achieve a minimal basic security service in the Internet. The initial impacts of these efforts can be seen in the emerging use of secure virtual private networks (VPNs). But today’s VPNs are very simple logical overlay networks that implement coarse, relatively static security policies among small numbers of cooperating groups (e.g., a VPN that allows several offices of the same organization to communicate securely over the Internet). More over, today’s VPNs typically only address issues of packet layer security and are created and managed in manual, ad-hoc ways.

Several challenges remain before today’s VPNs can be extended to provide dynamic, reconfigurable security services that: (1) can scale across large numbers of users, administrative domains, and underlying technologies, (2) are manageable by network administrators, (3) are measurable in terms of performance and robustness, (3) can be accessible and usable by application software operating on a variety of platforms and (4) will not compromise the fundamental security and stability of the underlying Internet technology.

Beyond the need for integration and automation of the management infrastructure for today's packet layer security protocols, the industry has identified requirements for: (1) the development of rich distributed policy management systems; (2) the protection critical internet infrastructures such as the Domain Name System (DNS); (3) the design of security protocols that do not depend upon globally unique network addresses; and (4) the need to extend security services to multicast communications.

This statement of work (SOW) defines a series of NIST tasks aimed at addressing these issues by further advancing the state of security technology in the IETF standards, the commercial vendor, and Internet user communities.

Task 1: Integrated Security Management Infrastructures

Recent IETF advances in packet level security services (e.g. IPsec), key management protocols (e.g. ISAKMP/IKE), and certificate systems (e.g. PKIX) provide the pieces for building automated security management infrastructures, but many issues in the integration and systems level analysis of these technologies remain. In particular, additional research and engineering must be done to integrate the basic IPsec, IKE, and PKIX protocols, and to develop mechanisms to allow their coordinated management.

Under this task the Cerberus and PlutoPlus prototypes will be integrated with PKI technology. Specifically, NIST will add an IKE-CA Server interface to our PlutoPlus prototype so as to use public key certificates for authentication We will extend our on line IPsec-WIT test system to enable interoperability testing of integrated IPsec/IKE/PKIX implementations. NIST will continue to work with the IPsec community by participating in interoperability workshops, documenting issues that arise while adding PKI interaction to PlutoPlus, and documenting interoperability issues that are exposed by the IPsec-WIT PKI interoperability testing. In addition, NIST will continue monitoring the evolution of the IPsec, IKE, and PKIX standards and update the integrated prototypes and IPsec-WIT test system when necessary.

The deliverables for Task 1 will include:

• Public release of a fully integrated IPsec, IKE, and PKIX system.
• Enhanced IPsec-WIT with PKIX test case support

The IETF is in the process of creating the IP Security Policy (IPSP) Working Group (WG) to address the issues involved in representing, discovering, exchanging, and managing the policies associated with the use of IP security protocols (e.g. IPsec and IKE). Administrative entities will need to impose policy constraints on the use of these protocols throughout their domains of control. These entities will also need to securely discover and negotiate policies across domain boundaries.

To address these issues, the IPSP WG has been charted to:

• Specifying a data model for supporting IP security policies,
• Adopting an extensible IPsec policy specification language, and
• Developing a protocol capable of discovering policy servers, distributing and negotiating security policies, and resolving policy conflicts in both intra-domain and inter-domain environments.

Under this task NIST will work with the IETF IPSP WG to research, develop and standardize the necessary policy mechanisms. NIST will perform a functional analysis of the various proposals submitted to the IPSP WG. NIST will develop a pilot testbed and perform an operational analysis of those proposals that include a prototype implementation. NIST will develop IPSP components for the Internet Security Systems Simulator developed in Task 6 and run large-scale simulation experiments to test performance and scalability. The output of the analysis and experimentation will be presented to the IPSP WG to assist in providing direction in the development of IPSP protocols. Once the IPSP WG has defined a protocol or set of protocols that implement the necessary IPSP requirements, NIST will develop an IPSP prototype and integrate this prototype with its IPsec, IKE, and PKIX implementations. NIST will also develop interoperability test cases and incorporate the IPSP prototype into the IPsec-WIT test system.

The deliverables for Task 2 will include:

• IPSP evaluation testbed
• Functional and operational paper analysis of the different IPSP proposals
• IPSP simulation model
• IPSP functionality and scalability simulation analysis
• IPSP prototype implementation
• Enhanced IPsec-WIT with IPSP test case support

While the Internet evolving to enable secure end-to-end communications among end users, surprisingly little advancement is being made in securing the protocols that provide the infrastructural services (e.g., routing and naming) upon which all communications rely.

DNS is a widely deployed component of today's Internet that maps a domain name to the corresponding Internet Protocol (IP) address. Nearly all Internet communications are initiated with a DNS lookup. The current DNS system is not secure. All protocol exchanges in the system (e.g., resolver to server, and server to server) are subject to malicious attacks. To rectify this, the Internet Engineering Task Force (IETF) has developed extensions to secure the DNS protocol, specifically to provide data origin authentication, key distribution, and transaction and request authentication services through the use of cryptography. Although the widely used Berkeley Internet Name Domain (BIND) 8.2.1 DSN implementation does provide support for some of these extensions, to date there has been little deployment of DNSSec capabilities in the Internet. It seems that significant deployments of DNSSec technology are hindered by several issues, including: (1) lack of operational analysis of DNSSec implementations; (2) questions of local performance issues in DNSSec server implementations; and (3) questions of global system scalability in large scale networks.

Under this task, NIST will expedite the development and adoption of emerging DNSSec technologies by addressing the issues above. Specifically NIST will establish an evaluation testbed where DNSSEC benchmarking and analysis tools will be developed and deployed, and performance characteristics of DNSSEC protocol will be collected. NIST will actively participate in the IETF DNSEXT WG activities, and incorporate the emerging technologies or prototypes that are gaining stability into the evaluation testbed. This includes, but is not limited to, protocols that support transaction authentication and dynamic updates, which are currently being developed. NIST will also encourage the use of IKE technology in support of DNSSEC secret key mechanisms by proposing a DNSSEC IKE DOI.

In addition, NIST will develop a DNSSec simulation environment using the Scalable Simulation Framework (SSF) discussed in Task 6. This simulation tool would provide an environment for large-scale DNSSEC experimentation, which would lead to a more thorough analysis of deployment issues.

The deliverables for Task 3 will include:

• DNSSEC evaluation and experimentation testbed
• Performance characterization analysis of DNSSEC
• DNSSEC benchmarking, load generation, and analysis tools
• DNSSEC secret key exchange IKE DOI draft
• DNSSEC simulation model
• DNSEC scalability simulation analysis

As the Internet continues to rapidly grow, there is an increasing need to efficiently identify and authenticate the source of Internet messages. Recent advances in Internet technology (e.g., PPP, DHCP, and VPNs) have effectively eliminated the ability to use IP addresses as host identifiers. Many protocols and applications that rely on this coupling simply do not function or, at best, exhibit strange behavior in these environments. Particularly, IPsec and IKE are greatly hindered in these environments because the services they provide are tied directly to IP addresses. The Host Identity Payload (HIP) protocol is a recent IETF proposal to help solve this problem by providing an authenticated host identity based on public key cryptography in every IP datagram. HIP is designed to work with the IPsec and IKE protocols to allow for stronger authentication that is tightly coupled to a given host and not coupled to IP addresses.

Under this task, NIST will work with the IETF to further define a HIP architecture and a set of standards and protocols. NIST will use the Internet Security Simulator developed in Task 6 to analyze the performance and scalability of HIP. As HIP matures, NIST will develop a prototype implementation and participate in developing interoperability testing tools to encourage the development and deployment of this technology.

The deliverables for Task 4 will include:

• HIP simulation model
• HIP functionality and scalability simulation analysis
• HIP prototype implementation
• HIP interoperability testing tools

While there has been significant progress in recent years on packet layer security services and supporting management protocols for traditional unicast (peer-to-peer) communications, significant challenges remain in extending similar capabilities to multicast (multi-peer to multi-peer) networking. One of the greatest barriers in providing security to multicast communications is the complexity of key management.

Recently, numerous proposed schemes for multicast key management have emerged from the research community (e.g., IRTF SMUG) and are being proposed within the IETF. Most of these schemes focus on the use of group keys for secure multicast transmissions and the issues surrounding scalable management of group key distribution in the presence of groups with dynamic membership.

Under this task NIST will contribute to the design, analysis and IETF standardization of multicast key management technologies. Our initial efforts will focus on providing a quantitative analysis, both analytical and through simulation (see Task 6), of promising candidate IETF proposal for group key management (e.g., Logical Key Hierarchy (LKH) and One-Way Function Trees (OFT)). We will contribute the products of these analysis efforts (i.e., results and simulation models) to the IETF community. In addition, this effort will form a basis (e.g., analysis techniques, simulation models, and workload scenarios) for quantitative comparisons of future protocol specifications. Once the performance of existing proposals has been accurately characterized, NIST will research the design of new tree optimization algorithms to improve the join / leave overhead of these techniques.

The deliverables for Task 5 will include:

• Quantitative analysis and comparison of LKH and OFT group key management protocols.
• Simulation framework for the analysis of multicast key management protocols.
• Design and analysis of optimization algorithms for LKH and OFT group key distribution protocols.

As we broaden our scope to examine the issues of an integrated security management infrastructure, it becomes clear that the complexity of the protocol interactions and their behavior in large scale deployments cannot be easily understood through prototyping, pilot deployment, and live testing activities alone. In fact many of the issues and concerns that hinder wider deployment of Internet security systems center on questions regarding the scalability, reliability and performance of these protocol systems in very large inter-networks.

In this task we propose to develop a discrete event simulation framework for the analysis of Internet security protocols in large-scale networks. Our work will be based upon the DARPA sponsored Scalable Simulation Framework (SSF). SSF is a Java based simulation package that is designed to support detailed packet level simulations of very large scale (~100,000 node) networks. We will develop extensions to the SSF networking packages to add support for key Internet security protocols and systems, including: IPsec, IKE/ISAKMP, PKIX, and DNSSec. In addition we will develop suitable workload models to characterize and parameterize the "traffic" presented to key management, certificate, policy and DNS systems.

Through this task we will develop and publicly distribute a comprehensive Internet Security Systems Simulator (ISSS) that includes the protocol modules and workload models described above. In addition, we will use the ISSS to conduct behavioral analyses of existing Internet security protocols (i.e., IPSec, IKE, and PKIX) in large-scale networks. Through these simulation experiments we will attempt to characterize the (1) scalability (configuration scalability, global system state, resource requirements); (2) performance (responsiveness, throughput/delay, availability); and (3) transient behaviors (initialization, convergence, vulnerabilities) of these protocols operating as an integrated system. (This effort will complement the prototype and testing activities of Task 1 and the scalability analysis of DNSSec in Task 3).

Another use of discrete event simulation is the rapid evaluation and comparison of design alternatives for emerging protocol specifications. Because simulation prototypes can be constructed much quicker than full implementations, we can invest in development and analysis efforts much earlier in the design and standardization phase. In particular we can afford to build simulation prototypes of multiple competing protocols before the IETF community commits to a design path. (We will use this rationale and approach in Task 2 in the simulation and comparative quantitative analysis of competing proposals for IPSP protocols, Task 4 for the early design analysis of HIP and Task 5 for the optimization of multicast key management algorithms).

The deliverables for Task 6 will include:

• SSF based Internet Security System Simulation environment that allows for the rapid simulation development and experimentation of Internet Security protocols
• Scalability simulation analysis of IPsec, IKE, and, PKIX

Prototype implementation, live protocol testing and large-scale systems simulation studies can identify numerous types of design and specification issues in Internet security protocols. In particular issues of basic protocol operations, interoperability, scaling and performance are best addressed by these techniques. Experience has shown though, that these techniques are not particularly suited for investigating the basic security properties of such protocols and in particular identifying weaknesses to malicious attacks.

Under this task, NIST will develop techniques to apply automated model checking to the discovery of weaknesses (e.g., attacks) in Internet security protocols. Rather than focus on traditional, complex approaches to automate the proof of a systems security properties, our focus is upon the use of formal modeling and model checking to provide rapid analysis of a protocols resilience to a class of typical attacks. Our approach is to model security protocols and their properties (e.g., authentication, confidentiality, integrity, replay prevention) using Promela. In addition, we model all types of protocol manipulations (e.g., attacks) that a malicious intruder could invoke against the protocol. We don't consider attacks on the basic cryptographic algorithms (i.e., breaking the encryption), but rather we focus on attacks on the protocol mechanisms that can be launched by manipulating the packet exchanges (e.g., packet interception, deletion, replay, generation). Using the model checker Spin, we can efficiently verify a protocol's resistance to this class of attacks and identify specific attacks that violate basic security properties.

In our initial work in this area we have developed the basic Promela/Spin modeling and verification techniques to verify such security properties. We have demonstrated these techniques in the automated "discovery" of successful attacks on a public key authentication protocol. We have begun an initial analysis of IPsec and IKE using these techniques. Under this task we will complete the analysis of IPsec, IKE and PKIX operating as an integrated security system. A report on this analysis effort will be made available to the IETF community. In addition, our Promela models will be publicly distributed. Given that the Promela/Spin tools are publicly available and widely used in the community, we hope this effort will form the basis for fostering other practical formal analysis efforts in the community.

In addition to the analysis of more mature protocols, NIST will use these techniques as part of our research in the design and analysis of new security protocols. In particular we will apply these formal analysis techniques in the rapid evaluation of alternatives in new protocol design efforts for IPSP (Task 2) and HIP (Task 4).

The deliverables for Task 7 will include:

• Promella/Spin formal analysis of IKE attack vulnerabilities.
• Promella/Spin formal analysis of IPSP attack vulnerabilities
• Promella/Spin formal analysis of HIP attack vulnerabilities