Wow. What a week! Working with Internet technology often involves details deep inside the technology. But it seems that this week has been a perfect storm of highly visible and important technical developments: A major upgrade to HTTP, the basis of all web communications. Work on future transport protocols, including proposals to add security directly to TCP. Discussing the choice of technology for making video calls directly in Web browsers without plug-ins.
And, of course, mass Internet surveillance. This was clearly the discussion that has received most attention at the IETF-88 meeting. What can we do about improving the situation? And should we? As the end of the meeting draws closer, I wanted to summarise where we are and what we are going to do.
IETF Security Area Director Stephen Farrell said that pervasive surveillance represents an attack on the Internet. And the rest of us agree. Such pervasive surveillance requires the monitoring party to take actions that are indistinguishable from an attack on Internet communications. So we are willing to work to address it, just like any other threat. Many working groups that I went to were addressing this topic in one way or another, reviewing application by application, doing careful work to understand what options we have to improve security, and weighing the various trade-offs in different designs. As Stephen says: “While there are challenges isolating the specific areas of attack that IETF protocols can mitigate, all of the working groups that considered the topic have started planning to address the threat using IETF tools that can mitigate aspects of the problem.” In many cases, privacy against pervasive monitoring was considered on an equal footing with other security issues for the first time.
What happens next? I want to be clear that this is a long-term effort. Not a reaction to specific revelations, but a wholesale upgrade to our view of what the threats in the Internet are and how they need to be addressed. And the updates will be hard work. And technology does not have solutions for all problems. But we will be working on general IETF-wide principles on how to address the new threats, thinking about the ways to use technologies such as TLS or opportunistic encryption. And we will be working on the specific protocols and application areas (HTTP, XMPP, etc.). Of course, all this work will be done in an open manner, with broad participation and review, which is the way we work at the IETF. I would like to invite everyone to join the effort!
I was also very glad to see a lot of attention in the press for our efforts, including beyond the technical media (e.g., Economist). This underscores the broad visibility of this issue, and the importance Internet users place on our efforts to address it. Not to mention social media. For the first time we have had more people watch our meeting remotely on YouTube than onsite. Countless tweets went out on the #IETF88 hashtag.
Finally, if there is one video about Internet security that you watch this year, I think it should be this one: the IETF-88 technical plenary video. Do share the video with your friends and colleagues!
Jari Arkko, IETF Chair
Reports about pervasive surveillance have been the big discussion topic in the Internet community in the last couple of months. Our commerce, business, and personal communications all depend on the Internet being secure and trusted, so the situation is disturbing.
This week we are meeting at the IETF in Vancouver, British Columbia. Over 1200 engineers and specialists have gathered together from all over the world to work on improving various aspects of Internet technology. Surveillance has been a big discussion topic in our meeting as well. Of course, we care about the overall state of security in the Internet, and do not merely react to specific concerns. And technology is just one aspect of the recent concerns.
Yet, the engineers are taking the security issues very seriously. Every session that we have been to during this week has gone through analysis and discussion of the state of security for their specific piece of the technology, with serious consideration for privacy. In many cases, privacy against pervasive monitoring was considered on an equal footing with other security issues for the first time.
The first meeting that we attended on Monday morning (APPSAWG) went through application after application, considering how those applications make use of Transport Layer Security (TLS) and looking at possibilities to get the TLS-secured versions more widely and consistently deployed. We discussed plans for upgrading the handling of mail, instant messaging and voice-over-IP protocols, in each case with a view to improving the resistance of the deployed base to pervasive monitoring, and we look forward to real progress in offering guidance to those deploying all those applications.
We also discussed the same topic within the transport stack in the multipath TCP working group where the use of opportunistic encryption was discussed. As that work matures, we might be able to expect to improve both efficiency (being able to use multiple paths) and security/privacy (in order to tie those paths together) at once, which could be a compelling prospect.
Today we discussed improving security for web traffic. There are generally no easy solutions for Internet security improvements, but we were struck by how the HTTP working group clearly stated that doing nothing is not an option. We then proceeded to look at the various options for increasing the proportion of protected web traffic. Carefully. Considering that the Internet is not a new project but a live network with many existing components that have to continue to work. Trying to understand the impact of different options on web site adoption, the software that the engineers build for various products, and end-user experience. Being honest about the impacts and difficulties, such as user perception, the feasibility of different attacks, and the role of certification authorities, proxies, and other components.
And this is what to us is best about the IETF community. We are faced with complex challenges, but when the right people are in the room, we can have a real and honest discussion about what is technically possible. Such discussion cannot be had without people who write the code for browsers, servers, proxies, and who understand the world of certification authorities and user experience, and those who have needs or concerns about the broader good that is the Internet. Some of you may have heard the term “multi-stakeholder” and thought about it as an abstract concept. But it is a very real concept, and one that we have to employ when developing any significant Internet technology.
Tomorrow we will continue the discussion with Bruce Schneier and others on a plenary panel session, and an overall analysis session on pervasive monitoring. We will continue reporting as the week continues. And this is not new for the IETF – we have been working on the security of the Internet for a long time. The real mark of our effect will be the specifications that we produce and their adoption in real-world devices that make the Internet work. We have a meeting this week, but the challenge is a long-term one and needs a long-term and continuous response.
Jari Arkko, IETF Chair, Stephen Farrell and Sean Turner, IETF Security Area
In Berlin, you may have noticed many students among the IETF participants. Many of them were brought to the IETF by a pilot university outreach programme, run by ISOC with 15 universities in Germany and Austria. I wanted to let Toral Cowieson from ISOC describe some of the experiences from this excellent initiative. -Jari Arkko, IETF Chair
Who were all those digital natives in Berlin?
Piloting a university outreach programme to increase awareness of the IETF
While academics and students played an integral role in the early development of the Internet, few computer science and engineering students today have regular exposure to the standards development process and the Internet Engineering Task Force. And while many are digital natives to the Internet, they are also not necessarily aware of careers that might put them on track to support the ongoing evolution of the Internet as a boundless platform for innovation, economic growth, and human expression.
In conversations with numerous educators and students during my three years at the Internet Society, it has been clear that while students may have heard of RFCs, they have not necessarily heard of the IETF — and this has been a constant regardless of whether they are in programmes at universities in Africa, Asia, Europe, Latin America, or North America.
As the Internet Society supports efforts to increase awareness – and awareness of the relevance – of the IETF and open standards development, reaching and engaging universities, educators, and students is essential. To that end, ISOC launched a pilot university outreach programme in conjunction with IETF 87 in Berlin. The programme included outreach to German and Austrian faculty at 15 universities and included two key objectives:
- Increase awareness among educators and students of the IETF and the open standards process.
- Provide students with practical exposure to Internet standards development and its value as a career opportunity as they consider entry into the workforce.
A post-meeting survey of participants from two universities indicates that nearly 100% subscribed to Working Group lists prior to the meeting and half planned to continue tracking Internet drafts after the meeting. In addition, 85% said they had a better understanding of Internet standards development after attending the meeting.
This deeper student engagement and understanding before and after the IETF meeting is a direct reflection of the efforts of Professor Schmidt (Hamburg University) and Professor Wählisch (Freie Universität Berlin). Active IETF participants, both professors incorporated IETF meeting preparation into their academic calendars leading up to the IETF. Students gained valuable insights by following working group meetings and having firsthand discussions with those leading protocol design processes.
Based on confirmed interest for extending the programme beyond the pilot, the Internet Society will assess opportunities and coordination for university outreach programmes in conjunction with IETF 89 through 94.
The full report and ancillary materials are available here: http://www.internetsociety.org/IUO-Information. If you represent universities in areas of the next meetings or have contacts, please freely reach out to email@example.com.
In the interim, special acknowledgment to Professors Schmidt and Wählisch for their invaluable thought partnership and their offer of ongoing support to take this from a pilot to a regular initiative. Thank you also to Fred Baker and Axel Clauberg for speaking with the students about why their organizations invest in the standards development process.
“Student Lotte Steenbrink listens to one of the ISOC briefing session speakers at IETF 87 in Berlin.”
“Students hear Axel Clauberg explain why Deutsche Telekom supports the work of the IETF.”
“Kevin Craemer and Steve Conte of ISOC thank Professors Thomas Schmidt of Hamburg University of Applied Sciences and Matthias Wählisch of Freie Universität Berlin for their support of the IETF University Outreach pilot programme.”
Toral Cowieson, Senior Director, Internet Leadership at ISOC
The IETF network for the meeting is up. Even the network in the hotel rooms switched to IETF network by mid-Friday. Everything is ready for the IETFers to come!
And the IETF crowd needs a very capable network, all of us being very heavy users. No hotel or conference facility network can take us unmodified. We bring our own gear and own setup. We put up direct IP connectivity, IPv6 and many other things that are not commonly found in hotel networks. And remember Paris where the team reworked the hotel’s network, making a significant improvement?
But I wanted to highlight that all this does not happen by itself. We have a dedicated team of professionals and volunteers to do this as a service to all of us who get to use the network for the week. The people who set all this up arrive early, by Monday or Tuesday on the week preceding the IETF. And there is a lot of work. This time we transitioned to new address blocks, leading to additional configuration work.
So I wanted to thank everyone who has been involved in the setup: Bill Jensen (University of Wisconsin – Madison), Bill Fenner (Arista), Bjoern A. Zeeb (Cambridge University), Chris Elliott, Jim Martin (Internet Systems Consortium), Joel Jaeggli (Zynga), Karen O’Donoghue (ISOC), Lucy Lynch (ISOC), Warren Kumari (Google), Joe Clarke (Cisco), Hans Kuhn (NSRC), the Verilan staff (Rick Alfvin, James Dishongh, Colin Doyle, Nick Kukich, Brandon Height, Sean Croghan, Edward McNair, Dallas Breed). Thank you all for your time and expertise!
I would also like to thank again Cisco, Juniper, and Telus for donating equipment and connectivity – this is very much appreciated as well.
Jari Arkko, IETF Chair