Not logged in

The AUTODIN II Network

The AUTODIN II network was a proposed packet-switched network that for some time during the 1970's rivaled the Arpanet and its clones (such as EDN, RDN, PLATFORM and COINS). Its main differentiator was a focus on security. It was early to adopt TCP and forked its specification, causing Vint Cerf "considerable headache". Its ambitions did not pan out and the project was shut down in 1982.

However, the DoD directed the Arpanet community to include AUTODIN-like security, precendence and sphere of interest facilities to its TCP/IP protocols. The 1979 implementation of TCP/IP by Mike Wingfield includes support for connecting to the AUTODIN II network and implements the SPT extension to the base TCP/IP protocol.

AUTODIN II rise and fall

This section is an excerpt from the REPORT of DEFENSE SCIENCE BOARD TASK FORCE on AUTODIN II.

AUTODIN II was undertaken in 1976 after the consideration of alternative approaches by DoD Data Internet Study in 1975. AUTODIN II was designed as a packet-switch network relying upon a security kernel to provide the multi-level security required for the system. The kernel was to consist of software in which trust had been acquired through extensive test and validation and protection from outside access. Because end-to-end encryption was not included in the system architecture, information within the switches was in the clear requiring large, manned, and highly secure facilities. One result was a system topology consisting of relatively few network nodes.

As a two year program stretched to four and a half years, a growing number of problems and uncertainties about AUTODIN II were encountered. In July 1980, an OSD review group was established to review the system. With the assistance of ICA, the group considered the cost, security, performance, and survivability of AUTODIN II. Because for a considerable time it appeared that the system might not achieve IOC, the group also explored available options if AUTODIN II failed. Principal among the alternatives considered was expansion of the WNCCS Information Network (WIN) and ARPANET systems. AUTODIN II did achieve a partial IOC in July 1981, though testing on some major components was forced to continue.

Major concerns about the system remained. Because it comprised only four nodes -- it was planned that it would grow to eight -- survivability of the system was extremely limited. It must be noted that at the inception of the program, survivability was not a major, explicit requirement. But as greater emphasis was put on C3I survivability, the design of AUTODIN II made its achievement through expansion and the proliferation of nodes an unattractive option.

Changing views on security

By 1978 the Arpanet community had progressed from TCP1 to TCP4, the base for the TCP/IP that we know today. The DoD directed that these protocols should become the standard for all military internetworking and that AUTODIN II should adopt these standards as well. However, it also directed the Arpanet community to incorporate SPT controls in its protocols, which happened in IEN54 and IEN55.

However, in the following years the thinking about security changed and the emphasis shifted from network level security to end-to-end encryption, enabled by the development of public key encryption in the mid-seventies.

Again quoting from the Task Force on AUTODIN II report:

Continuing difficulties had been encountered with the security kernel and its acceptance as sufficiently trustworthy to allow certification of the system to handle traffic beyond the Secret level of classification. Problems of interpreting the meaning of security requirements associated with the format and documentation of kernel software had produced significant additional costs to the government and were responsible for much of the slip in schedule. Despite efforts to go back and re-do some of the work, NSA's recommendations continued to call for constraints on system operation with classified users. Moreover, it appeared likely that acceptance for the use of special intelligence traffic would require the addition of end-to-end encryption, a step originally believed to be unnecessary by the use of the multi-level security kernel approach.

The loss of faith in network level security may have been driven by an early "white hat" hacking test performed around that time. In his "Cybersecurity: A Pre-History" intelligence researcher Michael Warner writes:

The Defense Intelligence Agency had created several intelligence community databases designed for multilevel security access, and DIA contacted {the United States Intelligence Board} about running a security check of the system so that they could get their systems accredited for SI and TK {signals and imagery intelligence} information. NSA and other members of the intelligence community, with participation from defense contractors, obliged. By the time the attacks terminated, the penetration was so thorough that a penetrator at a distant remote terminal had actually seized control of the system. DIA never got its accreditation, and the results of the exercise made many at NSA skeptical that multilevel security could ever be achieved.

In the TCP/IP implementations done in 1981-1982, in the run up to "flag day", interest in and support for the SPT options seems to have completely disappeared.