

Jeff Hussey

The Fundamental Flaw in TCP/IP: Connecting Everything

Almost 30 years after its inception, it's time to fix the engine that both fuels the modern-day Internet and is the root cause of its most vexing security challenges.

It probably seemed like science fiction back in 1962 when a scientist from MIT and the Advanced Research Projects Agency (ARPA) named J.C.R. Licklider proposed that the United States develop a "galactic network" of computers to talk to each other in the event of a military strike from the Soviet Union that could knock out our fragile copper wire-based telephone network.

More specifically, the idea was to enable military leaders throughout the country to communicate during a nuclear war. In that way, you could say that the Internet was created out of fear or even paranoia, which isn't really such an uncommon source of ingenuity.

A few years later, a top-secret project known as ARPANET developed the idea of packet switching: breaking data into packets to be sent off to specific destinations. In short, this enabled data to be transmitted end-to-end between computers, without relying on the existing telephone network at all.

Finally, in 1969, the first word was officially communicated via packet switching from one machine to another, when a research lab computer at UCLA transmitted "LOGIN" to another research lab computer at Stanford. We can assume that uproarious applause and hand-shaking ensued immediately, but so did a massive crash of the entire network. Although very brief, the communication was nonetheless successfully established, and a nationwide technological victory was announced. ARPANET would subsequently evolve into something suited to global use, known as the Internet, and the world has never been the same since.

The Trouble with Connecting Everything
All respect to Al Gore and others claiming individual responsibility aside, one single inventor cannot lay claim to the birth, growth, and evolution of one of the greatest inventions of all time — the Internet. Rather, it is an excellent example of superior innovation spawned from some of the truly great scientific and technological minds in the world — elite scientists from MIT, UCLA, Stanford, and other technological leaders with a clear and shared vision of a truly connected world. It was a collaborative effort that produced unprecedented levels of communication, massive leaps in technology, and a fair amount of trouble mixed in.

That fair amount of trouble comes from the architecture that runs the Internet itself. TCP/IP has been the engine that makes the Internet go since its very inception, decades ago. The fundamental flaw in that engine's design is that it was invented with the idea of connecting everything. Unfortunately, when you connect everything, you invite hackers, cybercriminals, and even international espionage.

If it's true that fear or paranoia was used in a beneficial way to spark the creative concept of the Internet in the first place (and it is), perhaps we should use that same incentive to push technology in the direction of something better once again — something to properly address and eliminate that fear.

The fundamental flaw within TCP/IP is its inherent openness, which consequently results in a lack of security. This openness is largely a by-product of the address-defined nature of TCP/IP. In layman's terms, the security problem arises because TCP/IP uses the address of a connected device to serve the dual purpose of identifying that device as well. This creates a network vulnerability that is very visible and spoofable to users of malicious intent all over the world. With a device's address doubling as its identity, hackers can simply spoof a valid IP address to gain access into your network, where they can steal data, disrupt service, and wreak large-scale technological havoc.

Network intrusions have already happened numerous times, and have been well publicized often enough, and they can be disastrous. Do you want to be the IT manager saddled with the overall responsibility for recovery from a massive data breach, a significant loss-inducing service outage, or a larger-than-life mess to unravel before getting your network up to speed again? Undoubtedly, the answer is no, and that's why we need to properly address that concern (fear) by improving the engine that continues to fuel the modern-day Internet, over 30 years after its inception, when ARPANET adopted TCP/IP in January 1983.

Host Identity Protocol as the Solution
Don't get me wrong; TCP/IP isn't going anywhere. It's firmly rooted in the fabric of today's Internet communications. What we need to do, however, is address that fundamental flaw by moving from an ideology of "address"-defined networks to "identity"-defined networks that connect only provably identified devices or things. This brings us to the fairly recent invention of Host Identity Protocol (HIP).

HIP is an open Internet Engineering Task Force (IETF) standard designed to address the security hole within TCP/IP. By inserting a unique cryptographic identity (CID) into the communications stack (i.e., a Host Identity), HIP separates identity from the location of the host. Hosts can change their IP location, but retain their strong CID. By doing this, we're now able to secure network devices and vulnerable "things" with provable identities. And, because HIP hides the IP footprint of devices and networks, you're able to cloak them so bad actors or any untrusted devices cannot find them. 

HIP also introduces a new Host Identity Namespace (HIN), which is complementary to the current IP and DNS Namespaces. The HIN is what provides global host mobility and migration, overcoming many of the fragile and costly challenges associated with basing networking and security policies on public and private IP addresses.
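To make the address-versus-identity distinction above concrete, here is a constructed Python illustration (added here; not code from the article, from Tempered Networks, or from any HIP implementation). It contrasts an address-defined check with an identity-defined one: the identity tag survives a change of IP address, while a packet that merely copies a trusted source address is rejected. It simplifies HIP's public-key base exchange into an HMAC challenge-response so it runs with the standard library only; the tag derivation, key names and addresses are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Simplification: HIP proves a Host Identity with a public-key signature during its
# base exchange. Here a per-host secret and an HMAC challenge-response stand in for
# that so the example runs offline with only the standard library.


def host_identity_tag(host_key: bytes) -> str:
    """Derive a stable identity tag from the host key, analogous to a HIP Host Identity Tag."""
    return hashlib.sha256(b"HIT|" + host_key).hexdigest()[:32]


@dataclass
class Packet:
    src_ip: str        # address the packet claims to come from
    hit: str           # identity tag the sender claims
    challenge: bytes   # nonce the verifier issued for this exchange
    proof: bytes       # HMAC over the challenge under the sender's key (empty if it has none)


def address_acl_allows(pkt: Packet, allowed_ips: set) -> bool:
    # Address-defined policy: trusts whatever source address the packet carries.
    return pkt.src_ip in allowed_ips


def identity_acl_allows(pkt: Packet, registered_keys: dict, issued_challenge: bytes) -> bool:
    # Identity-defined policy: the sender must prove possession of the key behind the tag,
    # and the proof must be over the challenge this verifier actually issued.
    key = registered_keys.get(pkt.hit)
    if key is None or pkt.challenge != issued_challenge:
        return False
    expected = hmac.new(key, pkt.challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.proof)


def demo() -> dict:
    """Run the three scenarios and return the decision of each policy for each packet."""
    legit_key = secrets.token_bytes(32)          # constructed host key
    hit = host_identity_tag(legit_key)
    registered = {hit: legit_key}
    allowed_ips = {"203.0.113.10"}               # constructed trusted address
    challenge = secrets.token_bytes(16)
    proof = hmac.new(legit_key, challenge, hashlib.sha256).digest()
    genuine = Packet("203.0.113.10", hit, challenge, proof)   # trusted host at its usual address
    moved = Packet("198.51.100.7", hit, challenge, proof)     # same host after changing address
    forged = Packet("203.0.113.10", hit, challenge, b"")      # copies address and tag, lacks the key
    return {
        "address_acl": [address_acl_allows(p, allowed_ips) for p in (genuine, moved, forged)],
        "identity_acl": [identity_acl_allows(p, registered, challenge) for p in (genuine, moved, forged)],
    }
```

The address-defined policy admits the forgery and rejects the relocated host; the identity-defined policy does the opposite, which is the mobility and anti-spoofing property the text attributes to HIP.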

HIP was originally used for military purposes, deployed within the defense and aerospace industry as a cost-efficient and scalable solution to safeguard sensitive communications in severe threat environments. It's also worth noting that HIP is compatible with IPv4 and IPv6 applications.

Now, the power and technological advantage provided by HIP for secure and flexible connectivity can be used effectively in your network as well. Combined with enterprise-class orchestration and built-in military-grade encryption, you can connect and cloak a single device, such as a laptop or robot, or up to thousands of ATMs, servers, or windmills — deployed anywhere in the world.

HIP enables a much-needed paradigm shift from connecting "everything" to connecting only "provable identities."

Jeff Hussey is president and CEO of Tempered Networks. Hussey, the founder of F5 Networks, is an accomplished entrepreneur with a proven track record in the networking and security markets. He maintains several board positions across a variety of technology, non-profit and ...

User Rank: Apprentice
5/17/2017 | 3:01:09 PM
So the fundamental idea is to move everything to a P2P overlay network.
User Rank: Strategist
5/18/2017 | 5:16:45 AM
ETSI doing next gen protocol work for the telecom sector
Thanks Jeff, great post. The Next Generation Protocol (NGP) folks at the European Telecommunications Standards Institute (ETSI) are also doing some great - related - work around finding ways of avoiding the security and efficiency flaws in TCP/IP as telecom networks evolve with SDN, virtualization and 5G.
User Rank: Apprentice
5/19/2017 | 3:41:15 PM
No Perfect Solution
Fixing the flaw in TCP/IP is undoubtedly a daunting task, which is probably one reason it's been largely unchanged all these years. I am interested in reading all the proposed solutions and, who knows, maybe one day there will be some sort of revelatory new implementation using IP or some other protocol. But at the end of the day, there will always be a way into the network; there is no perfect solution.
User Rank: Apprentice
5/19/2017 | 7:46:21 PM
Assured identification of source/destination
Where does IPV6 come into this?

The resistance of US and other ISPs to implement IPV6 as a basic service is hard to understand - except when it comes to money, of course.

Can IPV6 help here?

I'm speaking from a low level of understanding of the identity issue, although I understand TCP/IP and <Most> of its shortcomings with respect to verifiable identity and spoofing of message headers.
