Learning from the Past: Designing Secure Network Protocols



Network protocols define how networked computer systems exchange data. Because they define every aspect of this communication, the way they are designed is itself security sensitive. If communication is supposed to be encrypted, the protocol’s specification has to say so. If services implementing the protocol should support authentication, the protocol has to define it. Hence, the design of a protocol is fundamental to the security of the systems that later implement it: security by design starts with the protocol definition. Especially in today’s fast-moving environment, with cloud services and the Internet of Things, engineers constantly have to develop new protocols. In this chapter, we derive guidelines for designing new protocols securely, as well as recommendations on how existing protocols can be adjusted to become more secure. We base these recommendations on our analysis of how historical protocols were designed and which underlying design decisions made their corresponding implementations susceptible to security issues.



Copyright information

© Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2018

Authors and Affiliations

  1. Department of ESS, TU Delft, Delft, The Netherlands
  2. Saarbrücken, Germany
  3. PowerDNS.COM BV, Den Haag, The Netherlands
  4. Internet Initiative Japan research, Tokyo, Japan
