

Jeff Hussey

The Fundamental Flaw in TCP/IP: Connecting Everything

Almost 30 years after its inception, it's time to fix the engine that both fuels the modern-day Internet and is the root cause of its most vexing security challenges.

It probably seemed like science fiction back in 1962 when a scientist from MIT and the Advanced Research Projects Agency (ARPA) named J.C.R. Licklider proposed that the United States develop a "galactic network" of computers that could talk to each other in the event of a Soviet military strike that knocked out our fragile, copper-wire-based telephone network.

More specifically, the idea was to enable military leaders throughout the country to communicate during a nuclear war. In that way, you could say that the Internet was created out of fear or even paranoia, which isn't really such an uncommon source of ingenuity.

A few years later, a top-secret project known as ARPANET developed the idea of packet switching: breaking data into packets to be sent off to specific destinations. In short, this enabled computers to transmit data end to end, entirely independent of the existing telephone network.

Finally, in 1969, the first word was officially communicated via packet switching from one machine to another, when a research lab computer at UCLA transmitted "LOGIN" to another research lab computer at Stanford. We can assume that uproarious applause and hand-shaking ensued immediately, but so did a massive crash of the entire network. Brief as it was, communication had nonetheless been established, and a nationwide technological victory was announced. ARPANET would subsequently evolve into something well-suited for global use, known as the Internet, and the world has never been the same since.

The Trouble with Connecting Everything
All respect to Al Gore and others claiming individual responsibility aside, one single inventor cannot lay claim to the birth, growth, and evolution of one of the greatest inventions of all time — the Internet. Rather, it is an excellent example of superior innovation spawned from some of the truly great scientific and technological minds in the world — elite scientists from MIT, UCLA, Stanford, and other technological leaders with a clear and shared vision of a truly connected world. It was a collaborative effort that produced unprecedented levels of communication, massive leaps in technology, and a fair amount of trouble mixed in.

That fair amount of trouble comes from the architecture that runs the Internet itself. TCP/IP has been the engine driving the Internet since its very inception, decades ago. The fundamental flaw in that engine's design is that it was invented with the idea of connecting everything. Unfortunately, when you connect everything, you invite hackers, cybercriminals, and even international espionage.

If it's true that fear or paranoia was used in a beneficial way to spark the creative concept of the Internet in the first place (and it is), perhaps we should use that same incentive to push technology in the direction of something better once again — something to properly address and eliminate that fear.

The fundamental flaw within TCP/IP is its inherent openness, which consequently results in a lack of security. This openness is largely a by-product of the address-defined nature of TCP/IP. In layman's terms, the security problem arises because TCP/IP uses the address of a connected device to serve a second purpose as well: identifying that device. This creates a network vulnerability that is highly visible and spoofable to users of malicious intent all over the world. With the address doubling as the device's identity, hackers can simply spoof a valid IP address to gain access to your network, where they can steal data, disrupt service, and wreak large-scale technological havoc.

Network intrusion can be disastrous, as numerous well-publicized incidents have already shown. Do you want to be the IT manager saddled with overall responsibility for, and recovery from, a massive data breach, a significant loss-inducing service outage, or a larger-than-life mess to unravel before getting your network up to speed again? Undoubtedly, the answer is no, and that's why we need to properly address that concern (fear) by improving the engine that continues to fuel the modern-day Internet, over 30 years after its inception, when ARPANET adopted TCP/IP in January 1983.

Host Identity Protocol as the Solution
Don't get me wrong; TCP/IP isn't going anywhere. It's firmly rooted in the fabric of today's Internet communications. What we need to do, however, is address that fundamental flaw by moving from an ideology of "address"-defined networks to "identity"-defined networks that connect only provable identified devices or things. This brings us to the fairly recent invention of Host Identity Protocol (HIP).

HIP is an open Internet Engineering Task Force (IETF) standard designed to address the security hole within TCP/IP. By inserting a unique cryptographic identity (CID) into the communications stack (i.e., a Host Identity), HIP separates identity from the location of the host. Hosts can change their IP location, but retain their strong CID. By doing this, we're now able to secure network devices and vulnerable "things" with provable identities. And, because HIP hides the IP footprint of devices and networks, you're able to cloak them so bad actors or any untrusted devices cannot find them. 
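As an added illustration of the address-versus-identity distinction drawn above and in the TCP/IP section (example code written for this page, not Tempered Networks' code or any HIP implementation's), a receiver admits peers by a cryptographic Host Identity rather than by source IP. It assumes Ed25519 keys and a simplified HIT (a truncated SHA-256 of the public key) in place of HIP's real ORCHID construction; a host that moves to a new address is still accepted, while a packet that copies the address, the HIT, or even the public key without the private key is rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// HostIdentity is the long-lived cryptographic identity (Ed25519 here, chosen for this example).
type HostIdentity struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
// Packet is what a receiver sees: a claimed source address plus HIT, key, payload and signature.
type Packet struct {
	SrcIP   string // the locator: merely where the packet came from
	HIT     []byte // the identifier: derived from the public key
	Pub     ed25519.PublicKey
	Payload []byte
	Sig     []byte // Ed25519 signature over HIT || Payload
}
// HIT is a simplified stand-in for HIP's Host Identity Tag: a truncated SHA-256
// of the public key, not the real ORCHID construction from the HIP RFCs.
func HIT(pub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(pub)
	return sum[:16]
}
func NewHostIdentity() (*HostIdentity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HostIdentity{Pub: pub, priv: priv}, nil
}
// Send builds a packet from whatever IP the host currently has; the address
// is only a locator, the identity rides in the HIT and the signature.
func (h *HostIdentity) Send(srcIP string, payload []byte) Packet {
	hit := HIT(h.Pub)
	sig := ed25519.Sign(h.priv, append(append([]byte{}, hit...), payload...))
	return Packet{SrcIP: srcIP, HIT: hit, Pub: h.Pub, Payload: payload, Sig: sig}
}
// Accept is the receiver's policy: admit a peer by its HIT, never by SrcIP. The
// presented key must hash to the trusted HIT and the signature must verify under it.
func Accept(p Packet, trustedHIT []byte) bool {
	if !bytes.Equal(p.HIT, trustedHIT) || !bytes.Equal(HIT(p.Pub), p.HIT) {
		return false
	}
	return ed25519.Verify(p.Pub, append(append([]byte{}, p.HIT...), p.Payload...), p.Sig)
}
```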

HIP also introduces a new Host Identity Namespace (HIN), which is complementary to the current IP and DNS Namespaces. The HIN is what provides global host mobility and migration, overcoming many of the fragile and costly challenges associated with basing networking and security policies on public and private IP addresses.

HIP was originally used for military purposes, deployed within the defense and aerospace industry as a cost-efficient and scalable solution to safeguard sensitive communications in severe threat environments. It's also worth noting that HIP is compatible with IPv4 and IPv6 applications.

Now, the power and technological advantage provided by HIP for secure and flexible connectivity can be used effectively in your network as well. Combined with enterprise-class orchestration and built-in military-grade encryption, you can connect and cloak a single device, such as a laptop or robot, or up to thousands of ATMs, servers, or windmills — deployed anywhere in the world.

HIP enables a much-needed paradigm shift from connecting "everything" to connecting only "provable identities."


Jeff Hussey is president and CEO of Tempered Networks. Hussey, the founder of F5 Networks, is an accomplished entrepreneur with a proven track record in the networking and security markets. He maintains several board positions across a variety of technology, non-profit and ...

User Rank: Apprentice
5/19/2017 | 7:46:21 PM
Assured identification of source/destination
Where does IPV6 come into this?

The resistance of US and other ISPs to implement IPV6 as a basic service is hard to understand - except when it comes to money, of course.

Can IPV6 help here?

I'm speaking from a low level of understanding of the identity issue, although I understand TCP/IP and <Most> of its shortcomings with respect to verifiable identity and spoofing of message headers.

User Rank: Apprentice
5/19/2017 | 3:41:15 PM
No Perfect Solution
Fixing the flaw in TCP/IP is undoubtedly a daunting task, which is probably one reason it's been largely unchanged all these years. I am interested in reading all the proposed solutions and, who knows, maybe one day there will be some sort of revelatory new implementation using IP or some other protocol. But at the end of the day, there will always be a way into the network; there is no perfect solution.
User Rank: Strategist
5/18/2017 | 5:16:45 AM
ETSI doing next gen protocol work for the telecom sector
Thanks Jeff, great post. The Next Generation Protocol (NGP) folks at the European Telecommunications Standards Institute (ETSI) are also doing some great - related - work around finding ways of avoiding the security and efficiency flaws in TCP/IP as telecom networks evolve with SDN, virtualization and 5G.
User Rank: Apprentice
5/17/2017 | 3:01:09 PM
So the fundamental idea is to move everything to a P2P overlay network.