Network Working Group                                        A. McKenzie
RFC #521                                                         BBN-NET
NIC #16855                                                   30 May 1973


                       Restricted Use of IMP DDT


   At the recent workshop on "Automated Resource Sharing on the
   ARPANET", considerable interest was expressed on the topic of network
   security.  In particular, representatives of several sites felt that
   uncontrolled use of IMP DDT made access control mechanisms quite
   vulnerable to interception or tampering.*  Individuals at the workshop
   seemed to be in general agreement that use of DDT should be much more
   controlled than at present.  In addition, as the network continues to
   take on a more and more operational character, and NCC use of DDT
   (which must be coordinated with other DDT usage) increases** we begin
   to see other reasons for controlling access to the DDT mechanism.

   Currently, and for the foreseeable future, it is important that the
   NCC be able to use DDT at any IMP at any time.  It is also sometimes
   necessary for site personnel to be able to operate a stand alone DDT
   after an IMP crash.  Sometimes the NCC needs to ask site personnel to
   operate the IMP DDT for the NCC if the network is partitioned.  We
   have protected all DDT commands that can affect the running IMP
   program by requiring that sense switch 4 be turned on at the site, or
   a software override flag be enabled.  Only the BBN IMP Teletype, the
   BBN TIP Teletype, and the PDP-1 can enable override.  The NCC monitors
   these flags and reports any change in status.

   In line with this approach, we will soon modify the IMP system so
   that any access to IMP DDT will require the same enabling actions
   (sense switch four turned on or override enabled from BBN) now
   required for core modification.  This will still allow the NCC the
   same ability to operate DDT which it now has, and will permit site
   personnel to operate DDT at the request of the NCC.  As is currently
   true, the NCC will monitor the setting of sense switch four and take
   appropriate action if unauthorized use is observed.  We feel that
   this change will be sufficient to discourage "hackers", although it
   is obviously insufficient to protect a node against a determined and
   malicious attack.

   It should be noted that it is not our current intent to prohibit
   occasional use of DDT for communication between sites via "DDT"
   messages.  Currently, there are two DDT commands, C and L, which set
   the single-character message and multi-character message headers
   respectively.  We will continue this facility, either by always
   permitting the use of these DDT commands, or by implementing some new
   code outside DDT for this purpose.

----------------

   *Examples are easy to construct, but are intentionally omitted from
   this document.

   **DDT is currently used by the NCC operators for core verification,
   for interface debugging, for loading TIP and VDH code, etc.  There is
   discussion of using DDT in conjunction with an "auto-dialer" to
   examine a TIP's "view" of a modem port at the same time that the
   auto-dialer is examining the outside world's "view" of the port, of
   running "automatic" core verification, of loading Satellite IMP code,
   etc.


   [ This RFC was put into machine readable form for entry   ]
   [ into the online RFC archives by Alex McKenzie with      ]
   [ support from GTE, formerly BBN Corp.             10/99  ]
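   The gating rule the memo describes (privileged DDT commands accepted
   only while sense switch 4 is on at the site or the override flag has
   been enabled from one of the three BBN terminals, the NCC reporting
   every change in those flags, and the C and L message-header commands
   remaining usable) can be modelled as a small access-control check.
   The Python below is an added example written for this page; it is
   not BBN IMP code.  The command names DEPOSIT, PATCH, EXAMINE and DUMP
   and the "Site Teletype" source are placeholders invented for the
   illustration, and the split of commands into core-modifying versus
   examine-only is an assumption, since the RFC names only C and L.  It
   contrasts the present policy (only commands that affect the running
   IMP are gated) with the proposed one (any DDT access is gated except
   C and L).

```python
"""Model of the IMP DDT access gate described in RFC 521.

Added illustration, not BBN's IMP code.  The RFC names only the C and L
commands and the three terminals allowed to enable override; every other
command name and the "Site Teletype" source are placeholders.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple

# Terminals that RFC 521 says may enable the software override flag.
OVERRIDE_SOURCES = frozenset({"BBN IMP Teletype", "BBN TIP Teletype", "PDP-1"})

# Assumed command classes for the example (the RFC does not enumerate them):
# C and L set message headers and stay usable; the others are placeholders.
MESSAGE_COMMANDS = frozenset({"C", "L"})
CORE_MODIFYING = frozenset({"DEPOSIT", "PATCH"})
INSPECT_ONLY = frozenset({"EXAMINE", "DUMP"})


class Policy(Enum):
    CURRENT = "current"    # only commands that affect the running IMP are gated
    PROPOSED = "proposed"  # any DDT access is gated, except C and L


@dataclass
class ImpDdtGate:
    policy: Policy
    sense_switch_4: bool = False   # physical switch at the site
    override: bool = False         # software flag, enabled only from BBN
    ncc_log: List[str] = field(default_factory=list)  # what the NCC sees

    def set_sense_switch(self, on: bool) -> None:
        """Site personnel flip sense switch 4; the NCC reports any change."""
        if on != self.sense_switch_4:
            self.sense_switch_4 = on
            self.ncc_log.append(f"sense switch 4 {'ON' if on else 'OFF'}")

    def set_override(self, on: bool, source: str) -> bool:
        """Only the listed BBN terminals may change the override flag."""
        if source not in OVERRIDE_SOURCES:
            self.ncc_log.append(f"override change refused from {source}")
            return False
        if on != self.override:
            self.override = on
            self.ncc_log.append(
                f"override {'ENABLED' if on else 'DISABLED'} from {source}")
        return True

    def enabled(self) -> bool:
        """Either enabling action suffices; the two are a disjunction."""
        return self.sense_switch_4 or self.override

    def authorize(self, command: str) -> Tuple[bool, str]:
        """Decide whether a DDT command may run, and say why."""
        cmd = command.upper()
        if cmd in MESSAGE_COMMANDS:
            return True, "message-header command, always permitted"
        if cmd in CORE_MODIFYING:
            gated = True
        elif cmd in INSPECT_ONLY:
            gated = self.policy is Policy.PROPOSED
        else:
            return False, f"unknown DDT command {cmd!r}"
        if not gated:
            return True, "examine-only command, not gated under current policy"
        if self.sense_switch_4:
            return True, "enabled by sense switch 4 at the site"
        if self.override:
            return True, "enabled by BBN override flag"
        # Refused attempts are reported so the NCC can take action.
        self.ncc_log.append(f"unauthorized {cmd} attempt while not enabled")
        return False, "refused: sense switch 4 off and override not enabled"


def walkthrough() -> dict:
    """Run the same command sequence under both policies; return outcomes."""
    out = {}
    for policy in Policy:
        gate = ImpDdtGate(policy)
        out[(policy.name, "EXAMINE", "idle")] = gate.authorize("EXAMINE")[0]
        out[(policy.name, "DEPOSIT", "idle")] = gate.authorize("DEPOSIT")[0]
        out[(policy.name, "C", "idle")] = gate.authorize("C")[0]
        # A non-BBN terminal cannot enable override; the PDP-1 can.
        out[(policy.name, "override-from-site")] = gate.set_override(True, "Site Teletype")
        out[(policy.name, "override-from-pdp1")] = gate.set_override(True, "PDP-1")
        out[(policy.name, "DEPOSIT", "override")] = gate.authorize("DEPOSIT")[0]
        out[(policy.name, "log")] = list(gate.ncc_log)
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
```

   Two things the model makes visible that the prose states only in
   passing: the enabling condition is an OR of a local physical switch
   and a remotely set flag, so whichever path an attacker can influence
   is enough (which is why the memo concedes the scheme only discourages
   casual misuse), and the monitoring only has value if refused attempts
   and flag changes are actually reported, so the gate records both.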