Protocol Promoted to Beef Up IP Security

Network technology designed to improve the security features of the current version of the Internet Protocol and ease the transition to the next generation of IP appears to be on the road toward becoming an Internet standard.

An Internet draft describing the Realm Specific IP (RSIP) recently received support from key members of the Internet Engineering Task Force (IETF) and is likely to enter the first stage in the standardization process in the next few months.

"In the workshop the Internet Architecture Board held in July, RSIP got a good reception as a relatively clean solution for the near future," said Brian Carpenter, program director of Internet standards and technology at IBM and the chairman of the IAB. The IAB is an advisory division of the IETF, the international standards body responsible for developing protocols and technology for the Internet.

The RSIP specification is designed to address shortcomings of the existing version of IP, which is known as IP version 4. Developed long before the Internet emerged as a mass-market communications environment, IPv4 is only capable of assigning 4 billion unique addresses. While that number appeared to be sufficient to accommodate the thousands of researchers and scientists inhabiting the Net a decade or more ago, the supply of unique addresses is nearly exhausted.

Waiting in the wings is IPv6, a more industrial-strength version of IP that was developed in the IETF over the past six years. The problem behind deployment of IPv6 is the massive amount of resources it will require of service providers and enterprises planning to upgrade their infrastructures from IPv4 to IPv6, Carpenter said. As a result, IPv6 adoption is not likely to happen in a big way for several more years.

In the meantime, limitations in currently installed workarounds to the address space shortage are proving to be a hindrance to the development of the Internet as an electronic commerce environment. Enterprises have managed to artificially stretch IPv4's address space using a mechanism called Network Address Translation (NAT), which enables enterprises to use unofficial Internet addresses inside corporate domains.

However, NATs, which intercept incoming and outgoing traffic and route it to the proper personal computer, will not work with popular security schemes. "The NAT takes an encrypted packet but can't do anything with it because it can't read it," said Michael Borella, who wrote the RSIP specification with fellow 3Com engineer David Grabelsky. "Anything encrypted or authenticated will be screwed up by NAT."

RSIP is designed to solve the security problem by shifting some of the address translation duties to the client device, Borella said. This ensures that security schemes, such as IP Security, can be maintained from one end of the connection to the other, he added.
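The failure Borella describes can be reproduced in a few lines. This is an added example, not code from the article or the RSIP draft: it uses a simplified IPsec AH-style integrity check (an HMAC covering the IP addresses and the payload) and models RSIP only as the host sending with the public address itself. The addresses, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample values (documentation address ranges, made-up key).
SA_KEY = b"constructed-shared-key-for-demo"
PRIVATE_SRC = "10.0.0.5"      # unofficial address inside the enterprise
PUBLIC_SRC = "203.0.113.7"    # official address held by the gateway
REMOTE_DST = "198.51.100.20"


def icv(src, dst, payload, key=SA_KEY):
    """AH-style integrity check value: HMAC over both addresses plus payload."""
    header = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    data = header + struct.pack("!H", len(payload)) + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def send(src, dst, payload):
    """Sender authenticates the packet using the source address it knows."""
    return {"src": src, "dst": dst, "payload": payload, "icv": icv(src, dst, payload)}


def nat_translate(packet, public_src=PUBLIC_SRC):
    """Classic NAT: rewrite the source address in transit. The NAT holds no
    key, so it cannot recompute the ICV to match the new header."""
    return {**packet, "src": public_src}


def verify(packet):
    """Receiver recomputes the ICV over the header it actually received."""
    expected = icv(packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(expected, packet["icv"])


def via_nat(payload):
    """Host signs with its private address; NAT rewrites it afterwards."""
    return verify(nat_translate(send(PRIVATE_SRC, REMOTE_DST, payload)))


def via_rsip(payload):
    """Assumed RSIP model: the host uses the public address itself, so the
    gateway forwards the packet without modifying it."""
    return verify(send(PUBLIC_SRC, REMOTE_DST, payload))


if __name__ == "__main__":
    print("NAT path verifies: ", via_nat(b"order #1"))
    print("RSIP path verifies:", via_rsip(b"order #1"))
```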

Activating RSIP will also require software modifications to the router that sits between the local network and the service provider's network.

Adopting RSIP, Grabelsky said, would make it possible to further extend IPv4's address supply and also improve security. In addition, Grabelsky and Borella said that RSIP-enabled enterprises will have an easier time migrating to IPv6 than businesses that choose to stick with NAT.

Although Grabelsky and Borella said that RSIP will eliminate some of the urgency associated with upgrading to IPv6, the new protocol, if it should become an Internet standard, will not replace IPv6. "IPv6 has so many great features it would be great for everyone if it got adopted," Borella said.

The IETF operates similarly to most standards bodies, requiring a three- or four-step standardization process. Although the RSIP specification is expected to soon enter the first stage, that of proposed standard, it could take several months or years to complete the specification.