[ih] Fwd: Question - reference source for formal decommissioning of ARPANET in 1990?

Karl Auerbach karl at cavebear.com
Sun Dec 6 14:13:51 PST 2020


Unfortunately we've never been given clarification about how much we can 
say, even though the work is more than 40 years old. (Those three letter 
agencies in Maryland tend to like to err (and oh, how much) on the side 
of over-protection, even after decades and decades have passed.)

This much I can say: we had operational multi-level secure flows via TCP 
a few years before the NCP-TCP cut over.

Yes this was before things regarding TCP and IP had been fully 
developed, and there weren't a lot of implementations out there. 
(Although I do remember with a bit of amusement a Univ of Illinois 
approach to TCP on Unix that swapped between a "small daemon" and "large 
daemon" on a memory-starved PDP-11.)

If I remember correctly each TCP stream was protected by its own 
distinct key.   But the protection was applied to packet contents, not 
to the contents of the TCP stream.  Our prototype work used the then 
relatively new DES.  Since we were applying it to network packets 
underneath TCP we had to deal with packet loss, duplication, and 
re-ordering.  So we came up with various ways of using DES (such as 
various kinds of feedback chaining) and questions that seemed to really 
irk the gov't folks - who were decidedly, but understandably, 
non-responsive about the mathematics.

(You would not be going awry if words like "IPSEC", "VLAN", "TOR" pop 
into your heads.)

Later on there was the normal panoply of tempest boxes (not made by BBN) 
with lots and lots of wire mesh foam at every possible RF leakage point.

I helped on the overall design; Dave Kaufman did much of the heavy 
lifting on that.  I designed the security kernel (that was subject to 
early formal verification) and led the implementation group.  (We 
started with UCLA Data Secure Unix.  Its performance was so slow that 
you could type "date" on the console, go to lunch, and it would just be 
finishing printing the result when you got back.  I think the only code 
we retained was a tiny bit of recursive assembly code that expanded 
terminal output [including tab expansion, hence the recursion].)

(There was a bit of an amusing story of how we did the actual transfer 
of the Data Secure Unix source code from UCLA to SDC - we ended up 
getting copies of the entire disk drives at UCLA.  So we also got all of 
Jerry Popek and Lennie Kleinrock's work (including drafts) and lots of 
other stuff that we carefully avoided looking at.)

I heard that our system of secure TCP was in actual day-to-day use by 
the US State Department for a rather long time.

I was part of a team that designed and built this stuff at SDC in the 
mid-to-late 1970s.  Other team members were Val Schore, John Scheid, 
Jan Garwick (he was present only at the beginning), Marv Schaeffer, 
Gerry Cole, David Kaufman, Frank Heinrich, Dave Golber, Hillary (can't 
remember her last name, but she went on with Marv to develop the Orange 
book of computer security), Jerry Simon, Carl Switzky (sp), Josie 
Althaus.   Carl Sunshine, Whit Diffie (before public-key), and Vint were 
also involved.  We also got some help from folks (who later formed 
Interactive Systems) down the street at RAND.

I can't remember whether it was this project or another, but we had 
significant linkage to RSRE in Malvern in the UK.  (Such a pretty train 
station - and we played croquet most days after lunch.)

We were designing a capability-based computer - we were strongly 
influenced by the Plessey designs - to support secure network systems.  
That work also involved John Rushby and Peter Neumann at SRI.  (It only 
took 30 years, but eventually I convinced Peter N. that the only way to 
build a practical capability system was with short-term capabilities 
that could be garbage collected rather than permanent capabilities.)  It 
was on this project where I got to do a bit of work with Donald Davies.

Dave Kaufman and I pounded our heads trying to figure out how to extend 
capability architectures onto the network.  Because we were influenced 
by Farber's DCS we did not want to draw a strong distinction between an 
individual computer with pieces tied together via an internal bus and a 
distributed computer where the "buss" was formed out of network links.  
(It's too bad public key had not been invented yet.)

===

We did a lot of really good stuff back then - In a sense we invented the 
encrypted VLAN and various aspects of key distribution and management, 
including what are now called "trusted platform modules".  We also made 
a lot of progress on encapsulated systems, security kernels, formalized 
security models, and verification.   But it was all locked up behind 
national security classification walls.

It has been rather frustrating for me to watch, over the intervening 
decades, how our work was slowly re-invented.  I've often wondered 
whether we might have been better served and the security of our 
present more advanced had our work been visible to the public.

===

(Regarding that large/small daemon code - I remember once visiting a 
Defense Communications A*** facility in Reston.  I needed to put some 
fresh software onto one of the PDP-11s running that Univ of Illinois 
code.  But the operators in Champaign Urbana were not forthcoming about 
giving me the needed privileges - so [with permission of the DCA people] 
I said - "Hey guys, you are 700 miles away.  I'm standing next to the 
machine and have my hands on its console and switches.  I win."  So I 
rebooted it into single user mode, did my work, rebooted back to normal 
operation, and said "TTFN" on my way out.)

     --karl--


On 12/6/20 7:52 AM, Dan Lynch via Internet-history wrote:
> Andy, I knew there were exceptional cases and that BBN was the watchdog. I had heard a rumor that many military sites were running classified applications on NCP and would probably never be able to use TCP.
>
> Dan
>
> Cell 650-776-7313
>
>> On Dec 5, 2020, at 8:50 AM, Andrew G. Malis <agmalis at gmail.com> wrote:
>>
>> 
>> Dan,
>>
>> I managed the NCP->TCP transition on the ARPANET that started on 1/1/83. I wrote the IMP code that enforced the transition by adding a filter to drop NCP packets, which was managed on a host-by-host basis. We had an official list from DARPA of hosts that were approved to continue using NCP. I spent New Year's Day in the NOC, turning off NCP for unapproved hosts, and I fielded calls from unhappy site managers as their NCP traffic stopped flowing (as they had been warned many times). I told them the process of how to contact DARPA to at least temporarily get on the approved list, and I turned the filters off and back on as directed by DARPA. Sadly, I don't recall when we finished the process of turning on the NCP filter for all hosts.
>>
>> Cheers,
>> Andy
>>
>>
>>> On Fri, Dec 4, 2020 at 7:31 PM Dan Lynch via Internet-history <internet-history at elists.isoc.org> wrote:
>>> I only use real data😂🙀
>>>
>>> Dan
>>>
>>> Cell 650-776-7313
>>>
>>>> On Dec 4, 2020, at 4:26 PM, Dave Crocker <dhc at dcrocker.net> wrote:
>>>>
>>>> On 12/4/2020 4:22 PM, Dan Lynch via Internet-history wrote:
>>>>> It amazes me to hear there were sites still running NCP in the late 80s in Texas.
>>>> A reference like that, about Texas, affords such a target-rich opportunity, I'm overwhelmed.
>>>>
>>>> d/
>>>>
>>>> -- 
>>>> Dave Crocker
>>>> Brandenburg InternetWorking
>>>> bbiw.net
