On 27 Feb 2002, Eric Brandwine wrote:
> Security is not about making things foolproof. They'll always be able to break you, no matter what you do. Security is about assuming acceptable risk, and mitigating unacceptable risk.
10 years ago I suspect we would have been discussing software quality control. The security label isn't always the best approach to a problem. Yes, car thieves will always be able to steal your car. That isn't the same problem as having the wheels fall off the car because the factory didn't tighten the lugnuts. Are buffer overflows an intrinsic risk, or a symptom of bad software engineering? I don't believe in unbreakable systems. But quality engineering can make systems more stable and robust under all conditions, even the unexpected. Yes, Murphy, Mother Nature and malicious people will still get you. But it's easier to fix a well-designed system than one held together with lots of duct tape.
> If I could do it over? I'd get in my Tardis, and go back to 1969. I'd teach everyone at DARPA how to spell security. Loose source route, IP options in general, ICMP address mask requests, all these things should go away.
You wouldn't need to go all the way back to 1969. I debated loose source routing with one of the authors of TCP/IP in the early 1980s :-) I made an ass of myself in that debate. But it's not really fair to say they didn't understand security. Security is one of those words which means a lot of different things to different people. The Internet is better at security than the NSA for some types of security, and worse at other types of security. What will be interesting is if the Internet can add confidentiality on top of a network easier than other networks can add availability on top of their networks. The Internet blew through Y2K without a hiccup; ask the NRO how their super-secure network did.
> SSH is worth the protection, as reference implementations are available, and it requires very little in the way of system support. As long as in-band access to routers is required, SSH (or HTTPS or IPSec) will be with us. As time passes, the quality of the tools that we have to work with improves, and our trust in them can grow.
SNMPv1 had reference implementations too. Our trust seems to have been misplaced.
> The official answer is control plane separation. This worked for the PSTN, and it's the way the Internet will go, eventually.
Just because Bell Labs never released a paper on "Security Problems in the SS7 Protocol Suite" doesn't make the telephone network secure. PSTN security relies primarily on trust between telephone companies. Not very scalable. The Internet has been the biggest improvement in telephone security in the last 100 years. The Internet was a nice bright shiny object which attracted most of the phreakers away from the PSTN. Control plane separation isn't a complete answer for the Internet because it's a network of networks. Just like control plane separation has problems scaling in the PSTN, you'll find a lot of "untrustworthy" parties will end up with access to the control planes which extend between networks.