×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

TCP/IP Might Have Been Secure From the Start If Not For the NSA

Soulskill posted about 8 months ago | from the another-lash-for-the-whipping-boy dept.

Security 149

chicksdaddy writes: "The pervasiveness of the NSA's spying operation has turned it into a kind of bugaboo — the monster lurking behind every locked networking closet and the invisible hand behind every flawed crypto implementation. Those inclined to don the tinfoil cap won't be reassured by Vint Cerf's offhand observation in a Google Hangout on Wednesday that, back in the mid 1970s, the world's favorite intelligence agency may have also stood in the way of stronger network layer security being a part of the original specification for TCP/IP. (Video with time code.) Researchers at the time were working on just such a lightweight cryptosystem. On Stanford's campus, Cerf noted that Whit Diffie and Martin Hellman had researched and published a paper that described the functioning of a public key cryptography system. But they didn't yet have the algorithms to make it practical. (Ron Rivest, Adi Shamir and Leonard Adleman published the RSA algorithm in 1977). As it turns out, however, Cerf did have access to some really bleeding edge cryptographic technology back then that might have been used to implement strong, protocol-level security into the earliest specifications of TCP/IP. Why weren't they used? The crypto tools were part of a classified NSA project he was working on at Stanford in the mid 1970s to build a secure, classified Internet. 'At the time I couldn't share that with my friends,' Cerf said."

Sorry! There are no comments related to the filter you selected.

Brought to you be a US Government shill (-1)

Anonymous Coward | about 8 months ago | (#46664215)

NSA! NSA! Rah! Rah! Rah!

- US Government shills

It would have been insecure anyway (0)

Anonymous Coward | about 8 months ago | (#46664231)

You can't currently encrypt the routing encapsulation.

Re:It would have been insecure anyway (3, Interesting)

SuricouRaven (1897204) | about 8 months ago | (#46665165)

The only way to hide traffic path is through partial-information relaying - the Tor approach. Nasty overhead. But even the most pathetic payload encryption would really make a huge difference - it would mean tapping all traffic at a trunk would require dynamically following hundreds of thousands of conversations betweeen tens of thousands of nodes. The NSA could do it, a lot of smaller governments couldn't.

Also, even a DH key exchange without any public key authentication at all is still somewhat effective: Yes, it can be MITMed with ease, but such an attack is also very detectable if you have a side channel, which means any untargetted mass-monitoring operations would be swiftly noticed.

It should be renamed the NIA (4, Insightful)

Anonymous Coward | about 8 months ago | (#46664237)

National Insecurity Agency

Re:It should be renamed the NIA (1)

sharknado (3217097) | about 8 months ago | (#46664985)

National Insecurity Agency

Lol...that reminds me of this: http://cdn.slowrobot.com/72420... [slowrobot.com]

YOU are the TRAITOR Cert. YOU are! (-1)

Anonymous Coward | about 8 months ago | (#46664275)

Snowden makes you look like a silly nilly.

Flamebait (0)

Anonymous Coward | about 8 months ago | (#46664297)

The headline is horribly horribly misleading. I hope people at least RTFS.

Oh, by the way, "bleeding edge cryptographic technology" is something you never ever want to use.

Re:Flamebait (1)

hawguy (1600213) | about 8 months ago | (#46664491)

The headline is horribly horribly misleading. I hope people at least RTFS.

I read the summary, and it seems to be aligned with the headline:

Vint Cerf's offhand observation in a Google Hangout on Wednesday that, back in the mid 1970s, the world's favorite intelligence agency may have also stood in the way of stronger network layer security being a part of the original specification for TCP/IP

Oh, by the way, "bleeding edge cryptographic technology" is something you never ever want to use.

It was "bleeding edge" in 1975 back when TCP/IP itself was still in its infancy, but would have been refined over time.

Re:Flamebait (0)

Anonymous Coward | about 8 months ago | (#46664597)

It was "bleeding edge" in 1975 back when TCP/IP itself was still in its infancy, but would have been refined over time.

But that's just another reason it would have been a bad idea to use it.
You don't use new crypto; just the algorithms top researchers have attacked and published about.

Re:Flamebait (4, Informative)

ShanghaiBill (739463) | about 8 months ago | (#46664603)

the world's favorite intelligence agency may have also stood in the way of stronger network layer security

But that is misleading. The NSA did not "stand in the way". The just declined to help. That is not the same thing.

Re:Flamebait (3, Insightful)

hawguy (1600213) | about 8 months ago | (#46664651)

the world's favorite intelligence agency may have also stood in the way of stronger network layer security

But that is misleading. The NSA did not "stand in the way". The just declined to help. That is not the same thing.

The research existed, Cerf had access to it, but they didn't allow it to be used.

If your house is burning down and the fire chief prevents you from using the fire hydrant in front of your house even though you have the right equipment to hook up to it, wouldn't you say he's standing in the way? He's not just declining to help, he's actively preventing you from using tools and knowledge that you have because he's afraid that other people will see you do it and then they'll know how to fight their own fires.

Re:Flamebait (5, Informative)

Anonymous Coward | about 8 months ago | (#46664703)

It also at the time would be been considered a state secret. Until the late 90s publishing any of a huge number of crypto tools to the international community was illegal. So even if he had permission to publish this research to the US, it couldn't be given out internationally. That's not the "NSA"s decision, that's was much higher up than them.

More specifically, (-1)

Anonymous Coward | about 8 months ago | (#46666003)

strong encryption tools were classified as "weapons" until the late 1990's. There were (and still are) a group of countries considered to be rogue states and all U.S. companies and organizations were forbidden from aiding them with anything considered to be a weapon.

It was President Clinton who changed the law. For example, prior to that you could not get strong encryption from Microsoft for Windows NT. Not as shipped. There was an add-on disk that added such encryption but it was never included in the base code.

As I recall, it eventually became a huge problem because people wanted internet finance and banking, but the average OS installation didn't have good security because of the lack of standard, bundled encryption. Nor could you count on ordinary users to add it--they just weren't aware or reliable enough about doing it.

This was one small part of the whole internet bubble of the time. Prior to "because terror", there was "because internet".

Re:Flamebait (1)

marcosdumay (620877) | about 8 months ago | (#46665403)

It's more like: If your neighbour's house is on fire, and you don't lend him this equipment. It's not really standing in the way.

It's not also the right thing to do, but the fire seemed much smaller by the time, and you were paranoid that people would steal your equipment.

Re:Flamebait (2, Informative)

Anonymous Coward | about 8 months ago | (#46665695)

The research existed, Cerf had access to it, but they didn't allow it to be used.

The research would not have existed if not for the NSA. So how might TCP/IP have been secure from the start if not for them?

Re:Flamebait (1)

Bengie (1121981) | about 8 months ago | (#46665849)

the world's favorite intelligence agency may have also stood in the way of stronger network layer security

But that is misleading. The NSA did not "stand in the way". The just declined to help. That is not the same thing.

Maybe by your standards. Kind of like being next to someone who's breathing machine came unplugged, yet you refuse to help by walking over and plugging it in. At some point, in-action is as bad as action. Those with the power to easily help with no risk or effort, yet don't, are just as bad as those who purposefully are bad.

Re:Flamebait (4, Insightful)

Anubis IV (1279820) | about 8 months ago | (#46664669)

The headline is horribly horribly misleading. I hope people at least RTFS.

Exactly. This isn't a "would have been" that failed because of NSA involvement. This is a "would not have been" that failed all on its own. The NSA had some confidential tools at its disposal that may have been able to salvage the idea, but them not sharing their tools is hardly a reason for us to be shaking our fists and saying "it would have worked if not for them". It's like blaming a toll road for your late arrival after choosing to take public streets instead of the toll road. It makes no sense.

Re:Flamebait (1)

davevt5 (30696) | about 8 months ago | (#46665199)

Agreed! Thanks for posting the response. So quick to dog the NSA (for good reason) but this is a bulshite headline.

Re:Flamebait (1)

steelfood (895457) | about 8 months ago | (#46665329)

I'd imagine if the NSA did have their hands in helping to secure internet communications, every country would have been up in arms last year, and the internet would be completely fractured by now.

Their non-involvement was a good thing, not a bad thing. Now, we currently know there are better things that can be done to secure the internet, but not having implemented them yet does not mean things are bad right now either.

Re:Flamebait (2)

deadweight (681827) | about 8 months ago | (#46665377)

Exaclty. Kind of like saying my home-A-bomb project for the kids science fair was ruined by the DOE not letting me take the secret plans home from work.

Re:Flamebait (0)

Anonymous Coward | about 8 months ago | (#46666525)

That would be the case, but making homemade atom bombs is hardly a good thing.

The NSA very well did stand in his way, by not allowing him to release the secrets. Maintaining secrets is far less important than freedom.

In a way its a good thing it didn't happen (5, Insightful)

Viol8 (599362) | about 8 months ago | (#46664303)

It would be utterly obsolete by now and would just be a legacy function that would have to be supported for legacy apps and would be a security swiss cheese. TCP is better off just being a pure transport later protocol with modern crypto layered on top.

Re:In a way its a good thing it didn't happen (4, Insightful)

Anonymous Coward | about 8 months ago | (#46664453)

Not to forget that 70's computers were very very slow and cryptography would have been to much a bottleneck to be widely used. Today some people still claim SSL makes their website slow.

Re:In a way its a good thing it didn't happen (0)

Anonymous Coward | about 8 months ago | (#46665689)

People claiming their website is slowed down by SSL should stop using Ruby on Rails.

Re:In a way its a good thing it didn't happen (0)

Anonymous Coward | about 8 months ago | (#46664469)

Yeah, like protocols aren't upgraded over the years. In fact you're right, now that I remember we still use the same network and the same protocols and the same architecture of good ol'e 1970s.

Re:In a way its a good thing it didn't happen (3)

bunratty (545641) | about 8 months ago | (#46664563)

Exactly! Just like how we're all using IPv6 so we don't have to deal with a limit of 4 billion IP addresses. Oh wait.

Re:In a way its a good thing it didn't happen (0)

megabeck42 (45659) | about 8 months ago | (#46664565)

It's sad, but it's true. Kind of like x86. Did you know IPv6 is almost 20 years old?

Re:In a way its a good thing it didn't happen (1)

SuricouRaven (1897204) | about 8 months ago | (#46665221)

x86 has been updated so much that a modern x86 processor could be accurately described as a hardware x86 emulator. I'd really like it if Intel could introduce an 'x86-2' instruction set that dumped all the legacy stuff but kept the same basic architecture. It'd need software to be recompiled, but not rewritten. Make it 64-bit from the start, remove such oddities as the BCD instructions and the old 24-bit protected mode and 20-bit real mode. It'd be expensive, but if they can coax just a few percent extra out of the hardware by dumping legacy then it'd still sell to the HPC and server markets. Recompiling linux and packages is a small price to pay.

Re:In a way its a good thing it didn't happen (2)

Lehk228 (705449) | about 8 months ago | (#46665617)

a chip that would be 3-4 months faster, at the expense of being binary incompatible with all existing software, and be effectively the same design as current would be a bone-headed move.

Re:In a way its a good thing it didn't happen (1)

RR (64484) | about 8 months ago | (#46665937)

I'd really like it if Intel could introduce an 'x86-2' instruction set that dumped all the legacy stuff but kept the same basic architecture. It'd need software to be recompiled, but not rewritten. It'd be expensive, but if they can coax just a few percent extra out of the hardware by dumping legacy then it'd still sell to the HPC and server markets. Recompiling linux and packages is a small price to pay.

Recompiling Linux and packages. That has worked out so well for ARM servers, so far.

I think that's a terrible idea. I don't think the 20-bit real mode, etc., are actually used except for the BIOS, which is in the process of being replaced by UEFI, and I'm not sure all of those instructions actually still work.

But the big thing about Intel is the idea that you can just take whatever x86 software and run it. Maybe recompile if you have something that can take advantage of the SIMD instructions, but it doesn't need to be recompiled to run great. The commentaries I've been reading say that the x86 instruction decoder is basically free, anyway, so it's a competitive advantage without significant penalty.

Re:In a way its a good thing it didn't happen (0)

Anonymous Coward | about 8 months ago | (#46666483)

>I think that's a terrible idea. I don't think the 20-bit real mode, etc., are actually used except for the BIOS, which is in the process of being replaced by UEFI, and I'm not sure all of those instructions actually still work.

They do. And they take up realestate. I dunno how much, but it's not 0.

Chose something fast enough (1)

davecb (6526) | about 8 months ago | (#46665687)

This is a classic solved problem in computer science: chose an algorithm that you can support in the generation of machines you plan to deploy, even if it's slow in the lab.

MIT specified an amazing fast processor for Project Athena, an entire 1 MIPS. Unheard of! Of course, it was perfectly normal when Athena rolled out. [Origin: the guys there explaining we could use the DEC 2100s we already had at York if we wanted to deploy Athena]

--dave

Misleading headline (4, Insightful)

Alan Shutko (5101) | about 8 months ago | (#46664327)

It's true, that had the NSA chosen to share that info, we could have had better security. On the other hand, the NSA were the ones that developed it, so if not for the NSA, it would not have existed to use.

Youre a fucking retard (-1)

Anonymous Coward | about 8 months ago | (#46664427)

the NSA didn't develop TCPIP

they simply told some dumb jew what to do and that greedy jew complied. probably in the name of israel or some other dumb jew shit.

It would have existed, just un jewified, open, without greed

Re:Misleading headline (1)

wiraffe (3604819) | about 8 months ago | (#46664451)

It's thus not only a misleading headline, the whole argument makes no sense. - What a nonsensical newspost.

Re:Misleading headline (1)

timeOday (582209) | about 8 months ago | (#46665267)

No, no, it was ME. I was the one who didn't invent the correct algorithms and share them with the inventors of the Internet. I didn't do it at all!

I would have taken a fr0sty p1$$ (-1)

Anonymous Coward | about 8 months ago | (#46664329)

But my tubes aren't increpted.

IPX (5, Insightful)

Anonymous Coward | about 8 months ago | (#46664375)

If TCP/IP had included crypto, we'd all be using IPX now days...

The reason TCP/IP proliferated was because it was light-weight and easy to implement. Crypto would have killed that.

Re:IPX (5, Funny)

Ralph Wiggam (22354) | about 8 months ago | (#46665023)

Don't bring a basic grasp of history and networking into this. We're being mad at the NSA.

Re:IPX (1)

Enry (630) | about 8 months ago | (#46665207)

This. I remember back in the early 90s when I worked for the Department of Veterans Affairs and lots of data needed to be encrypted. It was fairly simple encryption by today's standards (DES?) but still required a separate encryption card in order to operate at sufficient speed. Adding that to every TCP/IP packet? It would have stopped Linux in its tracks.

Encryption would have been too slow (4, Insightful)

mveloso (325617) | about 8 months ago | (#46664407)

If TCP/IP had encryption way back when, it never would have worked because it's too slow. Shit, stuff was so slow that people turned off checksumming. Imagine having to do something exciting, like actual encryption. It'd be worse than running a 300 baud modem.

Re:Encryption would have been too slow (1)

Anonymous Coward | about 8 months ago | (#46664793)

Never mind the legal roadblocks. There was the whole 'munitions' thing for a long time over the good crypto...

Re:Encryption would have been too slow (1)

bsDaemon (87307) | about 8 months ago | (#46664987)

At the time the Internet was the (D)ARPANET and export to other countries wasn't really on the horizon anyway. I think had this gone into place, the headline would be "Internet may have been commercially adapted decades sooner, if not for built-in security mechanisms."

Re:Encryption would have been too slow (0)

Anonymous Coward | about 8 months ago | (#46665511)

When ARPANet was designed, you're correct. However once we get to replacing NCP with TCP/IP, there were plenty of other networks and the Internet (INTER NETwork, remember?) existed already.

That's funny (2, Informative)

Anonymous Coward | about 8 months ago | (#46664439)

We used to use telnet, ftp and uucp, those weren't secure or encrypted.

The internet used to be open and free, owned by no one.

It's a stretch to think they wanted to do encryption from the start.

Re:That's funny (1)

SuricouRaven (1897204) | about 8 months ago | (#46665237)

Different parts. The packet-switching technology was military in origin - they were seeking a new form of communication network that could continue to operate without downtime in the face of massive physical damage, like cities being nuked. Academia soon adopted the technology, and the early internet culture came from there.

Re:That's funny (2)

Vanders (110092) | about 8 months ago | (#46665547)

The packet-switching technology was military in origin - they were seeking a new form of communication network that could continue to operate without downtime in the face of massive physical damage, like cities being nuked. Academia soon adopted the technology, and the early internet culture came from there.

No. Wrong. Stop perpetuating this myth. Please, go read Where Wizards Stay Up Late

The vague concept of packet switching was developed simultaneously both by a British Post Office engineer (which is where we get the term Packet Switching) and a RAND researcher (which is where we get this ridiculous myth). However at no point did ARPA care about building the network to survive a nuclear war; it just happened that packet switching was a good way to make maximum use of the AT&T provided switched circuits that created the backbone.

Reverse the hack (-1, Flamebait)

Khyber (864651) | about 8 months ago | (#46664441)

Either beat these fools down or be a fucking slave.

Your choice. You set the tone for the future.

Re:Reverse the hack (0)

LordLimecat (1103839) | about 8 months ago | (#46664483)

What the heck does that mean? Do you even understand how the OSI model works?

IIRC Encryption is layer 6/7, not layer 4. Theres a reason it was layered the way it was.

Re:Reverse the hack (1, Offtopic)

dskoll (99328) | about 8 months ago | (#46664551)

Encryption can be applied at various layers. You can have link-layer encryption (level 2), network-layer encryption such as IPSec (level 3), transport-layer encryption such as SSL (level 4) and application-layer encryption such as SSH (layer 7)

Re:Reverse the hack (0)

SuricouRaven (1897204) | about 8 months ago | (#46665251)

If you want an example of link-layer encryption, WEP/WPA.

Re:Reverse the hack (0)

fullmetal55 (698310) | about 8 months ago | (#46664633)

they're actually talking about layer 3 (network layer) encryption... which is entirely possible if you want to slow down the entire routing of the entire network... yes current encryption is in the presentation/application layer, (6/7) the idea is that it could have been implemented at a much lower layer in the stack, had Cirf been allowed to take his work that he did for the NSA to his work on TCP/IP.

although to be fair I doubt it would have been implemented, or been optional. as the networking speeds of the time and the computing power required for encryption on such a base level, would be hard to implement, and slow.

Re:Reverse the hack (0)

Anonymous Coward | about 8 months ago | (#46664667)

GP sounds tough and rebellious while ultimately making no sense whatsoever. Like a frighteningly large number of people in the NSA "debate".

Re:Reverse the hack (0)

Khyber (864651) | about 8 months ago | (#46664759)

" Do you even understand how the OSI model works?"

Given Layer 6 is almost entirely written by me, yea, I know far more than you do.

Come back when you've got a fucking clue.

Re:Reverse the hack (1)

mrbester (200927) | about 8 months ago | (#46665045)

[Citation needed]

Not that I don't believe you but there's a lot of assholes on the net nowadays.

Re:Reverse the hack (1)

Khyber (864651) | about 8 months ago | (#46665341)

I've got my own implementation that is OSI compatible. But given I answered more than half of the RFCs and had over 30% of those comments implemented, I'm still a father.

Oh, you wanted a name? No, sir. Do that work for yourself.

Pfft... (0)

Ras_Alghul_113 (3604815) | about 8 months ago | (#46664523)

And this effect's anyone how, are they planning on rolling it out in the next release!?!?! NO... Because you've got too many corrupt little players in this game; Oh look it's Google McCuntyMcFuckFace and the Googly android with CVE's that are all over 9 months old, whats that you dont have a User ID or a GUID.. yes, we know how that feels to be completely backdoored by people claiming they want to protect your privacy when they really want to take it all away. Microsoft doesnt feel threatened by the encroaching approach of all that Free open ideology, not in the least, they're too busy playing with there "Dutch Sandwhich!" and discrediting all that FOSS as Hacktivism. Apple, well anyone who models there Logo on a half eaten apple has too be a bunch of sinful bastards dont they! Pfft, the problem is there are too many vendors, too many suppliers, all greedy all want something and the end result is what we have now...

Misleading article. (5, Insightful)

jcochran (309950) | about 8 months ago | (#46664529)

Rather misleading article and slant there. It implies that the NSA deliberately took action to make TCP/IP insecure. However, in reality, the NSA merely didn't contribute their classified work towards the specification of TCP/IP. And frankly, that's a good idea. The overhead of encryption at that time would have been too much. Additionally, cryptography only gets better with time, so whatever algorithm that would have been selected would have long since been obsolete. And due to backwards compatibility, would still have to be implemented. After all, things like routers and such are a tad more difficult to update than programs.

Re:Misleading article. (3, Insightful)

Hrdina (781504) | about 8 months ago | (#46664685)

Exactly, and I think this is what the AC was trying to say in one of the earlier responses.

The headline seems as if it is trying to tie this story to all the recent reports of the agency actively weakening crypto algorithms.

It would have been insane to allow classified algorithms to be published along with TCP/IP (unless of course they were willing to declassify).

I didn't watch the video, but read TFA. There, Cerf is quoted to say:
1. “If I had in my hands the kinds of cryptographic technology we have today, I would absolutely have used it,”
2. “During the mid 1970s while I was still at Stanford and working on this, I also worked with the NSA on a secure version of the Internet, but one that used classified cryptographic technology. At the time I couldn’t share that with my friends,” Cerf said. “So I was leading this kind of schizoid existence for a while.”

Maybe he said it in the video, but in TFA he does not say "I wanted to use the classified technology in TCP/IP but the agency denied my request."

Re:Misleading article. (1)

recharged95 (782975) | about 8 months ago | (#46664693)

Yep, and likely was NSA research, which is a typical exploration into the subject... much like any research university.

It's when the politicians and generals (aka customers) decide to take research out of R&D and into production is when people cry foul. ThinThread-TT (sure the agency doesn't use thinthread, but likely uses a variant of its design in today's system, regardless of what TT creators say) is a great example.

Another great example is SE-Linux.

Re:Misleading article. (0)

Anonymous Coward | about 8 months ago | (#46664747)

Believe it or not, there are also some instances where cryptography is not needed, such as for purely publicly accessible information that can benefit from being cached, etc.

Re:Misleading article. (1)

RR (64484) | about 8 months ago | (#46665679)

Believe it or not, there are also some instances where cryptography is not needed, such as for purely publicly accessible information that can benefit from being cached, etc.

I don't think there is any instance where cryptography would not be useful, as long as privacy is an option. Most Internet communications are point-to-point, so caching should not be done in between. From an opsec point of view, it's less risky to use encryption for confidential information if you also use encryption for everything else, too. [businessweek.com]

Even for publicly cached data, you could use cryptography for authenticity instead of confidentiality. For example, DNSSEC [icann.org] is about proving the authenticity of DNS information, so your name resolver doesn't get fooled by DNS hijacking. [theepochtimes.com] Authenticity turns out to be useful even for completely mundane stuff. [firstlook.org]

You don't understand the TCP/IP... (0)

Anonymous Coward | about 8 months ago | (#46666219)

NO connection is point-to-point.

TCP is implemented on TOP of a simple packet...For a TCP connection from A to B has to to "point-to-point" to EACH INTERMEDIATE ROUTER. One packet at a time. Not all packets have to follow the same route. Not all packets arrive in order... Sometimes packets are dropped... Hence the layered protocol for TCP on top, along with the ack packets to cause retransmission of missing packets... And the result is that no connection from A to B is point-to-point.

Re:Misleading article. (2)

RR (64484) | about 8 months ago | (#46665837)

Rather misleading article and slant there. It implies that the NSA deliberately took action to make TCP/IP insecure. However, in reality, the NSA merely didn't contribute their classified work towards the specification of TCP/IP.

Yes, Slashdot is rather sad these days.

But the NSA isn't just about withholding classified information. The NSA is about weakening encryption standards. [wikipedia.org] Vint Cerf said he would have used encryption if he had the opportunity to do it over again. The Internet community had such an opportunity, IPv6 with IPsec, and the NSA bungled it up. [infosecuri...gazine.com]

IPsec doesn't involve the routers, because that would kill performance. IPsec is designed to handle different algorithms, so you don't need to support the same broken algorithms indefinitely. But the IPsec spec is a horrible design [schneier.com] that in practice has made it very little used outside of very professional environments with very full-time engineers to keep it running.

Why separate layers? (1)

jones_supa (887896) | about 8 months ago | (#46664601)

I have been lately doing some reading about the networking abstraction layers and I do not see why TCP and IP could not have been created as single layer. Comments?

The big stack of the OSI model sometimes makes me cringe also in general and I wonder if we are just wasting bandwidth with the various encapsulated headers.

Re:Why separate layers? (1)

Anonymous Coward | about 8 months ago | (#46664675)

There's at least a couple reasons.

TCP incurs some overhead. Where you don't want that overhead, you can use UDP.
Also, some applications do not require the "conversation" or "bidirectional stream" model that TCP provides. UDP fits the bill here.

Re:Why separate layers? (0)

Anonymous Coward | about 8 months ago | (#46664719)

If TCP and IP were a single layer, then UDP would also have to be in that layer. Both TCP and UDP are necessary and rest atop IP.

That's not to say you couldn't design a networking system that way. Sometimes, like ZFS, collapsing layers does give you a more efficient implementation. But here there really isn't any advantage to be gained.

Re:Why separate layers? (0)

Anonymous Coward | about 8 months ago | (#46666261)

Actually there is a loss.

The IP layer handles single packets. Like UDP, but without knowing anything about addressing other than from one location/router to the next location/router. And these addresses get replaced every time a packet is passed on (this is where the ARP addressing is done). The higher level protocol (TCP/UDP) has the IP numbers.

The advantage of having separate layers is that it isolates the specific hardware addressing from the logical network defined by TCP/UDP.

Re:Why separate layers? (0)

Anonymous Coward | about 8 months ago | (#46664737)

> The big stack of the OSI model sometimes makes me cringe

You pay a small cost in bandwidth for flexbility and futureproofing. By leaving the layers separate, if their functions are not needed or a better way comes about to perform that function, the new method can be easily substituted since it's "layered off" and not a fixed part of anything.

SNA I believe is an example of a network protocol that bundles everything into one layer, makes numerous assumptions, and is difficult to work with modern equipment as a result, though I know little about it and could be horribly wrong.

Re:Why separate layers? (2)

MindStalker (22827) | about 8 months ago | (#46664831)

Most things don't use the entire stack.
TCP/IP needs to be seperate layers because you don't want to use TCP for everything.

Everything on the internet has an IP address, so that is the universal internet layer. You can put TCP or UDP or any number of more obscure layers on top of that.

Most applications squish the sesson,presentation,application layers into one, keeping them seperate is optional, there isn't a separate encapsulation header for each just a session flag to keep track the individual connection.
Under the IP layer (network) you have the data-link and physical layer. data-link is your MAC address (this is neccesary) and physical is your wire, there isn't a protocol there generally, though there is for WIFI for example which doesn't use wires.

Re:Why separate layers? (1)

SuricouRaven (1897204) | about 8 months ago | (#46665281)

TCP/IP uses the simplified 4-layer model, not the OSI full 7-layer.

Though in some applications it has gotten silly. Many applications communicate over HTTP because it's the one protocol you can be confident of getting past a corporate network firewall and proxy, even if they have traffic like push IM messages or real-time media that HTTP wasn't designed and isn't suited for.

Re:Why separate layers? (1)

Lehk228 (705449) | about 8 months ago | (#46665661)

communicating over HTTP means you can write your server application as a server side script instead of writing a full blown server.

Re:Why separate layers? (0)

Anonymous Coward | about 8 months ago | (#46665709)

That's just a weird historical quirk due most scripting languages being developed as "web" languages and that most developers seem too lazy to actually develop equally simple layers for raw TCP & UDP sockets. The closest I've seen to anyone not-doing-HTTP-for-everything is ZeroMQ.

Re:Why separate layers? (1)

suutar (1860506) | about 8 months ago | (#46664847)

Because they also needed functionality that TCP didn't suit, like ICMP and UDP, and didn't want to duplicate all of the stuff in IP for each of them.

Re:Why separate layers? (0)

Anonymous Coward | about 8 months ago | (#46665095)

You're stupid.

Re:Why separate layers? (1)

jones_supa (887896) | about 8 months ago | (#46665495)

Yes, I am stupid. What are you going to do about it? At least I was brave enough to ask the question. All you were able to do, was to write that insulting and upsetting comment.

The gig's up (1)

Tablizer (95088) | about 8 months ago | (#46664711)

Okay, that does it!

I know you dudes-in-black are hiding flying cars powered by Mr. Fusion, and the pickled Roswell aliens.

Hand 'em over! Hoffa too!

(But take Lady Gaga back, please)

Nice to see you kids finally figure it out... (0)

Anonymous Coward | about 8 months ago | (#46664801)

Now get off of my lawn!

bleeding edge (0)

Anonymous Coward | about 8 months ago | (#46664803)

"Cerf did have access to some really bleeding edge cryptographic technology back then"

So they had some cryptographic technology that was still new for the time, but had been out a while at that point so it had fewer bugs.

Thanks, Obama! (2)

BenSchuarmer (922752) | about 8 months ago | (#46664851)

grumble grumble

We have a new Scapegoat (2)

hessian (467078) | about 8 months ago | (#46664873)

NSA.

For everything that's wrong... blame them.

It's not that our society is failing, that our voters are mentally obese and thus always pick the wrong option.

Nope, it's the NSA. NSA did this to you. You're the victim, not the perpetrator.

Keep saying it and maybe someday, you'll believe it.

Re:We have a new Scapegoat (0)

Anonymous Coward | about 8 months ago | (#46664937)

It's not that our society is failing, that our voters are mentally obese and thus always pick the wrong option.

Every option presented to the voters is wrong.

Just in case anybody's forgotten (which they have) (3, Informative)

mmell (832646) | about 8 months ago | (#46665085)

There were individuals and organizations back in the seventies and eighties that got in trouble with the US Government for writing and publishing software that used strong encryption. The problem was that the published code was visible from outside the US and ran afoul of ITAR regulation (citation: check the history of PGP). Incorporating strong encryption in TCP/IP would have made its use and adoption subject to US ITAR regulation.

Re:Just in case anybody's forgotten (which they ha (1)

rs79 (71822) | about 8 months ago | (#46665335)

Like PGP?

Pffft.

Anyway, it's not too late:

http://vimeo.com/18279777 [vimeo.com]

(Skip the first 14 minutes of chair-shuffling)

I wonder if that's one of the reasons why... (1)

rs79 (71822) | about 8 months ago | (#46665323)

Bob Metcalf dubbed him "Darth Cerf".

Some people do the right thing and damn the personal cost.

http://www.ted.com/talks/edwar... [ted.com]

Whenever I hear anti-NSA rhetoric... (1, Troll)

mi (197448) | about 8 months ago | (#46665375)

Whenever I hear anti-NSA rhetoric, I ask: imagine the same things being said about Alan Turing et al working to decode Germans' messages... Would Mr. Snowden receive the same respect and adoration, if he published the secrets of Bletchley Park [wikipedia.org] in 1943?

How about the horrible "privacy invasion" that provided for intercepting of Zimmerman's telegram [wikipedia.org] .

Not excusing everything NSA is doing these days, but putting things in perspective...

Re:Whenever I hear anti-NSA rhetoric... (1)

deadweight (681827) | about 8 months ago | (#46665451)

In 1943 Mr. Snowden would have been quite lucky if he got a trial before he was executed. We were fighting for our lives back then. As to the rest, it is a matter of scale. In 1790 I could follow you around and publish your daily activities in the paper. Unless you hired 50% of the population to be reporters to follow the other 50% and then switched them off every other day, no one could possibly publish what everyone did in every country every day. In 1980 the CIA/NSA/KGB/MI5/MI6/Mossad/etc. could do a fair amount of spying, but the analog nature of much of it and the primitive computers pretty much made sure they weren't spying on YOU because no one had the time and money to waste on Joe Average. The STASI in East Germany actually did try the 50% spies on the other 50% system and buried themselves under an avalanche of data they had no time to deal with. The various agencies aren't doing anything they didn't do in 1914, it is just the scale of it is beyond the wildest dreams of any old cold war spy. We really can spy on everyone all the time forever :(

Re:Whenever I hear anti-NSA rhetoric... (1)

mi (197448) | about 8 months ago | (#46665545)

In 1943 Mr. Snowden would have been quite lucky if he got a trial before he was executed. We were fighting for our lives back then.

UK and USSR — maybe. The US — not quite. But the fight is still on-going... The Pearl Harbor attack [wikipedia.org] killed fewer people, than 9/11 did...

The various agencies aren't doing anything they didn't do in 1914, it is just the scale of it is beyond the wildest dreams of any old cold war spy. We really can spy on everyone all the time forever :(

That is true. Technological advances have made counter-spying much easier. But it also made spying much easier as well — no longer does a spy need to radio his data from the attic of a "safe house" — he can simply send an encrypted e-mail.

Worse, the mass-murder is now much easier too — an organization no longer needs backing by the government of a large country to wreck serious carnage these days...

Re:Whenever I hear anti-NSA rhetoric... (1)

deadweight (681827) | about 8 months ago | (#46665787)

Bletchley Park is in the UK. No doubt he would have hung, just wondering if he would have had a public trial. My guess is not. And yes - non-state actors are a bitch because they don't have anything you can threaten. The USA attacking their "home" country is often a GOAL of theirs, not a fear.

Re:Whenever I hear anti-NSA rhetoric... (0)

Anonymous Coward | about 8 months ago | (#46665601)

The difference is that Station X weren't intercepting British communications and spying on what people said to the butcher.

While we're at it MI5 didn't torture people and then lie to Parliament about it.

Re:Whenever I hear anti-NSA rhetoric... (2)

mi (197448) | about 8 months ago | (#46665783)

The difference is that Station X weren't intercepting British communications and spying on what people said to the butcher.

Only because they could not.

While we're at it MI5 didn't torture people and then lie to Parliament about it.

NSA has not tortured any one either.

Re:Whenever I hear anti-NSA rhetoric... (2)

AHuxley (892839) | about 8 months ago | (#46665801)

Re Would Mr. Snowden receive the same respect and adoration
Yes as US gov protections in place for just such legal events eg safe from US gov surveillance without a warrant.
If you see the US Constitution protections been removed via color of law efforts you have the duty, right and responsibility to bring such facts to the US publics attention.
The US political and legal system can then correct the legal issues.
The US legal issues raised by Snowden are easy to understand in an open court by most legal professionals and the wider public.
http://www.freedomwatchusa.org... [freedomwatchusa.org]
Months after Snowden US warrantless reality is uncovered:
"NSA performed warrantless searches on Americans' calls and emails – Clapper" (2 April 2014)
http://www.theguardian.com/wor... [theguardian.com]
The main issue for "understanding" is that the entire US copper and optical telco hardware is surveillance friendly.
Another issue for "understanding" is that the entire US copper and optical telco software layer is surveillance friendly.
Another issue for "understanding" is that encryption standards are junk - the US gov gets back to plain text, ex staff get back too, other countries get back to plain text, so can their ex staff and people who can pay them...
People are finally understanding the entire structure of their telecommunications network is really like "ENIGMA" version 10? 50? in the 1960,1970, 1980, 1900's --2000 and beyond. Lots of new fancy digital "rotors" to sell but its all back to plain text in real time over decades.
So today people are finally looking at the origins of TCP/IP and wondering how it was shaped, set as a standard and promoted.
Expect skilled academics to start going over ever historic telco layer and many common encryption standard too.

Re:Whenever I hear anti-NSA rhetoric... (2)

mi (197448) | about 8 months ago | (#46665981)

Yes as US gov protections in place for just such legal events eg safe from US gov surveillance without a warrant.

Snowden's published revelations cover much more than (admittedly reprehensible) warrantless spying on US citizens. For example, he revealed NSA's capability to record all telephone traffic of a foreign country [techcrunch.com] .

Anyone alerting the Germans in 1943, that Enigma is compromised, would've been (justly) denounced as a traitor... What changed?

Secure TCP-like service (0)

Anonymous Coward | about 8 months ago | (#46665715)

First of all, the thing you would use to protect connections is most naturally Diffie-Hellman, not RSA. Both were way two expensive to use in the 70s.

Second, if you want to see what a protocol looks like which combines TCP ideas and Crypto, take a look at MinimaLT at the Ethos project (www.ethos-os.org). They claim, faster than TCP/IP, more secure than TLS, and dead simple.

Actually not. (1)

Anonymous Coward | about 8 months ago | (#46666357)

It was artifically expensive due to all encryption technology declared to be munitions. Thus no one was allowed to research it.

RSA was known (pre-release) around 1975 (I was shown the paper by my professor).

As for speed - not bad. The original RSA was defined for 32 bit and 64 bit keys - just like DES (well, DES was limited to 56 bit keys being aimed at either 7 8 bit bytes or 8 7 bit ascii characters) . Neither was all that slow. RSA is always slower than symmetric key encryption, which is why all implementations actually only use RSA encryption to exchange random symmetric keys. Once the random keys are exchanged, those are used instead of RSA.

What delayed the general use of encryption was two things:
1. the definition of encryption as munitions
2. the patent on RSA delayed its use until the patent ran out.

Everyone cries about how insecure the X window protocol is... It wasn't. Originally the X code used encryption - but due to the encryption as munitions problem, MIT couldn't release the code for general use. They couldn't even leave the API hooks in it as that was ALSO declared to be part of the munitions. So all of it was removed.

Please change the headline (1)

VikingNation (1946892) | about 8 months ago | (#46665889)

If NSA would have been involved in making TCP/IP would people have used it?

There is a lot of hate being spewed at the NSA these days. Totally ridiculous title that needs to be changed by a Slashdot moderator.

Good lord, the logic (2)

AdamWill (604569) | about 8 months ago | (#46666197)

Wow, it's always a tough competition, but this may win "Ridiculous Slashdot Headline Of The Week".

Logic 101, folks. Let's recap that headline:

"TCP/IP Might Have Been Secure From the Start If Not For the NSA"

Now, what's the story here? One of TCP/IP's designers had access to some then-bleeding-edge crypto *that was part of an NSA project*, but couldn't include it in TCP/IP because it was secret.

Now, can we support the idea that "if not for the NSA" that crypto could have gone into TCP/IP? No, because "if not for the NSA" that crypto *wouldn't have fucking existed at all*. The NSA wrote it. So the choices are "code written, but not available for use" or "code not written at all". Practical difference for the purposes of TCP/IP: zip.

hypocrisy (1)

VikingNation (1946892) | about 8 months ago | (#46666211)

Google claims the moral high ground of protecting privacy while at the same time maximizing profits by exploiting your web activity.

Companies like Facebook mine all of your posts for the purpose of targeting advertising to get you, or your friends, to buy products and services - that you honestly do not need

Companies are getting hacked left and right and your personal information and credit cards are getting stolen.
All of this is going on and yet Slashdot posters continue to assail government agencies? Amazing.

Money money money (0)

Anonymous Coward | about 8 months ago | (#46666613)

It's not a popular opinion, but Vint Cerf has always managed to quietly align with the big corporations and their interests despite how opposite they happen to be to the public's interest.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?