Security top concern for new IETF chair

Russ Housley talks to Carolyn Duffy Marsan about his security strategy for the Internet

Russ Housley is the first chair of the IETF with a particular expertise in network security. Housley, who runs consulting firm Vigil Security, has been active in the IETF for nearly 20 years and helped write early e-mail security and public key infrastructure standards. Three months into his job as chair of the leading Internet standards body, Housley talked with Carolyn Duffy Marsan about his strategy for bolting better security onto the freewheeling Internet.

What do you hope to accomplish as IETF chair?

My focus as IETF security area director was continuous, incremental improvement of the security of the Internet. As IETF chair, I want to continue with that. I also want to pursue continuous, incremental improvement of the entire Internet and continuous, incremental improvement of the IETF standards process.

What do you mean when you say your goal is continuous, incremental improvement for the Internet overall? Can you give me three specific goals?

Rollout of IPv6 is clearly one of them. Another is rollout of DNS security. And my personal hope is that the SIDR [Secure Inter-Domain Routing] working group leads to security improvements in Internet routing.

Why take on this time-consuming, volunteer job?

[Laughs.] I don't have a good answer for that. I care about the community. I guess that is what it really comes down to. I could only do it because I got a sponsor. VeriSign is giving me a check a month, and the National Security Agency is paying my travel costs. Vigil Security is my own business. It's just me, and my wife pays the bills.

How long do you expect to be IETF chair?

My term is two years, and then I'll make an assessment. It's not fair to ask me three months into the job whether I'll seek another term. My predecessor said it took a year to learn the job and another year to get comfortable doing it. Just as you're getting comfortable, your term is over.

You are the first security expert to head the IETF. Why is it important to have a security expert lead the group now?

Being a good manager and a security guy are not mutually exclusive. Clearly we need someone to continue the security improvements that have been started by [the two previous IETF chairs.] Security is where the Internet has the biggest need for improvement. So I look forward to working with the two area directors that have security as their key focus. Maybe with the three of us, we'll be able to make more rapid progress.

Many of the IETF's original protocols were designed without built-in security. How hard will it be for the IETF to go back and rework these protocols to require security?

Usually bolting security on after the fact leads to an incomplete solution, but that's what we're going to have to have. It's not possible to turn off the Internet today and start up the secure Internet tomorrow. It just can't be done, and no one would tolerate the outage if we could. The genesis of my continuous, incremental improvement philosophy is realizing that we can't turn off the insecure Internet and turn on a more secure Internet even if we had consensus for what that meant.

Do IETF participants have the will to go back and fix insecure parts of the Internet? For example, everyone knows about the lack of security in HTTP, but there seems little will within the IETF to fix the HTTP authentication problem.

That's because in the case of HTTP, and I suspect in many others, there's little agreement about what's the most important security feature to add. When you say that we'll just fix the most egregious things, then you get into an argument about where to draw the line. In the case of HTTP, the biggest concern is authentication and that is primarily solved by [Transport Layer Security]. Why not mandate TLS? That's a very good question. There's not a Web server on the market that doesn't have TLS. Will we have the will to fix the security problems? Sometimes. [Domain Keys Identified Mail] is an add-on to the mail environment that we're developing. The work was done in the security area, but the whole idea came from the applications folks. I think we'll continue to see approaches like that where we can each see the benefits. But it's not going to be a complete overhaul of the e-mail system. Instead, it will be a fix for a particular concern.

Has there been a shift in attitude about security in the IETF in recent years?

Certainly. People think about security now, but for many people it's not the primary reason they are here. They're here to add a routing feature or add a particular capability to a particular application or to improve deployability of IPv6 or something like that.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?