Adam Ierymenko — ZeroTier Networks
<DENY ALL>
Firewalls, Deperimeterization, and the Nature of Digital Media
Photo Credit: Burma Prison Project, Human Rights Watch
WHO AM I?
• Author of ZeroTier One
• https://www.zerotier.com
• Developer for >15 years, first got online in 1993.
• Have done more things than I can count: software engineering, biotech, business consulting, startups, IT/infosec, …
• From Cincinnati, Ohio, and currently live in Los Angeles, California.
http://adamierymenko.com http://adam.ierymenko.name/
@adamierymenko
WE BROKE THE INTERNET
PART ONE
PROBLEM
• Surveillance
• Manipulation of Discourse
• Inefficiency and Cost
• Constrained Innovation
• Closed Platform Lock-In
• Security, Integrity, Ownership
Extreme Centralization and Closed Silos:
Photo Credit: internet-map.net
EXPLANATIONS I DON'T BELIEVE
• “It’s a conspiracy.”
• Markets >= Governments (usually)
• “Nobody cares.”
• P2P / decentralization projects get lots of up-votes on Reddit, HackerNews, GitHub
• Bitcoin (bubble or not) shows huge financial interest in decentralization.
Photo Credit: NSA
NOBODY WANTS OPENNESS?
FireChat in Hong Kong
Bitcoin VC Investment
Why is the Internet becoming so centralized?
What’s the real reason?
As deployed today, its structure discourages direct connectivity.
THE INTERNET WAS BUILT TO BE OPEN
• The Internet is a packet switching network (PSN) built on IP — the Internet Protocol.
• With IP, any device with an address can send a packet to any other device and that packet will traverse the graph to its destination.
• TCP/IP is already peer-to-peer. All IP-based protocols are peer-to-peer. (We’ll revisit this.)
WHY ISN'T IT?
We Broke It.
On Purpose. Because Security.
(And IPv4 Address Space Limitations)
“The Internet was done so well that most people think of it as a natural resource like the Pacific Ocean, rather than something that was man-made.”
– Alan Kay
WE PROBABLY HAD TO DO IT
• Software was insecure, and still is.
• Remember the Windows worm of the week? The “ping of death”?
• The Internet went big fast — we didn’t have time to really fix things. We had to patch the holes quick and dirty.
• Programmers still write software that’s full of buffer overflows, stack smashing bugs, code injection vulnerabilities, and other common mistakes.
• IPv4’s 32-bit address space really is too small.
“The medium is the message.”
– Marshall McLuhan
BUT IT COST US OPENNESS
• The medium is the message.
• The message here is: “Traffic should flow upwards toward central nodes, not between peers.”
THE REAL INTERNET
[Diagram: five Firewall/NAT boxes, each hiding a cluster of RFC 1918 addresses (10.0.0.4, 10.0.0.6, 10.0.0.8; 10.1.2.3, 10.1.2.4, 10.1.2.5; 10.9.9.1, 10.9.9.7, 10.9.9.8; 10.1.2.3, 10.1.2.9, 10.1.2.2). The same private address appears behind more than one NAT, and the direct peer-to-peer path between two of them is marked with an X.]
THE P2P COMPLEXITY TAX
• Big companies must justify costs to boards and shareholders.
• Startup companies operate at the edge of failure.
• Non-commercial indie projects do too — for reasons of time, attention, and motivation.
• It’s possible to connect directly over the existing firewall/NATed topology, but it’s hard. You either have to roll your own multi-modal transport or use a complex, unwieldy beast of an off-the-shelf p2p protocol library.
• Making things even a little bit harder is a strong deterrent, especially if what you’re doing is already hard.
• Forget it, just put it all in the cloud. <— what almost everyone does
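What “connecting directly over the existing firewall/NATed topology” actually takes, as an added example that is not from the talk and not ZeroTier code: a simulation of UDP hole punching through two port-restricted cone NATs, the common home and office case. Public addresses are RFC 5737 documentation ranges, the inside addresses echo the talk’s diagram, and the rendezvous server’s “here is your peer’s public endpoint” message is modelled as a plain function argument rather than a real STUN exchange.

```python
"""Hole-punching simulation (added example, not ZeroTier code)."""
from __future__ import annotations
import itertools
from dataclasses import dataclass

Endpoint = tuple  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str


class ConeNat:
    """Port-restricted cone NAT: one external port per inside socket, and an
    inbound packet is accepted only from an (ip, port) the inside socket has
    already sent to. Everything else is silently dropped."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self._ports = itertools.count(40000)
        self.out_map: dict[Endpoint, int] = {}           # inside socket -> ext port
        self.in_map: dict[int, Endpoint] = {}            # ext port -> inside socket
        self.allowed: set[tuple[int, Endpoint]] = set()  # (ext port, remote endpoint)

    def outbound(self, pkt: Packet) -> Packet:
        ext = self.out_map.get(pkt.src)
        if ext is None:                   # first packet from this socket: allocate a mapping
            ext = next(self._ports)
            self.out_map[pkt.src] = ext
            self.in_map[ext] = pkt.src
        self.allowed.add((ext, pkt.dst))  # sending outward is what opens the "hole"
        return Packet((self.public_ip, ext), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Packet | None:
        ip, ext = pkt.dst
        if ip != self.public_ip or ext not in self.in_map:
            return None                   # no mapping at all
        if (ext, pkt.src) not in self.allowed:
            return None                   # unsolicited source: filtered
        return Packet(pkt.src, self.in_map[ext], pkt.payload)


# Constructed addresses: both peers sit in RFC 1918 space behind different
# NATs and cannot address each other directly, as in the talk's diagram.
A_INSIDE = ("10.0.0.4", 5000)
B_INSIDE = ("10.1.2.3", 5000)
RENDEZVOUS = ("192.0.2.1", 3478)  # a public host both peers can reach (STUN-like)


def send(src_nat: ConeNat, dst_nat: ConeNat, pkt: Packet) -> Packet | None:
    """Carry pkt out through src_nat and in through dst_nat; None if dropped."""
    return dst_nat.inbound(src_nat.outbound(pkt))


def simulate(coordinated: bool) -> dict:
    """coordinated=False: B just 'connects' to A's public endpoint, like a
    client would. coordinated=True: A first sends toward B as well (the punch)."""
    nat_a, nat_b = ConeNat("203.0.113.10"), ConeNat("198.51.100.20")
    # 1. Each peer talks to the rendezvous, which observes its public endpoint.
    a_public = nat_a.outbound(Packet(A_INSIDE, RENDEZVOUS, "hello")).src
    b_public = nat_b.outbound(Packet(B_INSIDE, RENDEZVOUS, "hello")).src
    # 2. The rendezvous hands each peer the other's public endpoint.
    if coordinated:
        # 3. A sends toward B. NAT B drops it (B has not sent to A yet), but
        #    it opens NAT A for packets from b_public.
        send(nat_a, nat_b, Packet(A_INSIDE, b_public, "punch"))
    # 4. B sends to A's public endpoint.
    b_to_a = send(nat_b, nat_a, Packet(B_INSIDE, a_public, "hi A"))
    # 5. A sends to B's public endpoint learned in step 2.
    a_to_b = send(nat_a, nat_b, Packet(A_INSIDE, b_public, "hi B"))
    return {"a_public": a_public, "b_public": b_public,
            "b_reached_a": b_to_a is not None, "a_reached_b": a_to_b is not None}
```

Run `simulate(False)` and B’s “connect” never arrives, even though B learned the right public endpoint: A’s NAT has no reason to let it in. B’s attempt did open B’s own NAT, though, so A’s packet in step 5 gets through. Hole punching is nothing more than making both sides send first, which is why it needs a third party to exchange endpoints and a timing dance in both directions. The simulation models only cone NATs; a symmetric NAT allocates a fresh external port per destination, the endpoint the rendezvous saw is useless, and the connection falls back to a relay. That is the complexity tax in miniature.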
COMPLEXITY TAX IS REGRESSIVE
Being the central node lets you connect everyone, but you must handle all the bandwidth. This biases the market toward large companies with economies of scale.
So we need to build a distributed wireless mesh net with directional and local area wireless links that routes based on location aware graph traversal algorithms with a distributed trust model built on the block chain but with proof of stake and proof of bandwidth to reduce CPU requirements and with a web of trust to prioritize paths according to trust in the social graph and…
TCP/IP IS ALREADY PEER TO PEER
• Mesh nets are cool but we don’t have to wait for them.
• We can build distributed and decentralized services on plain IP using existing protocols like HTTP and even existing software.
… if we can get all the junk out of the way.
THE FIREWALL AS TECHNICAL DEBT
PART TWO
Let’s Reason from First Principles
I WANT TO KNOW AND CONTROL
• Who is connecting to me?
• What software/service are they connecting to and what protocol do they want to speak?
• Why are they making the connection?
• Is this conversation approved?
• Who says? Me? My mom? My IT department? Mark Zuckerberg?
IP TELLS ME NOTHING
• An IP endpoint is identified by two values: an IP address and a (TCP or UDP) port.
• The IP address identifies the device, while the port identifies the service or program.
• IP addresses are ephemeral and are not authenticated: the source address in a packet is whatever the sender chose to put there.
• Ports are 16 bits -> 2^16 or 65536 possibilities.
• This is not adequate information for an informed security decision.
• “Hi! We’re in line at Starbucks and I speak English! Wanna shag?”
FIREWALLS: “BUT LET'S IGNORE THAT…”
• IP addresses and 16-bit port numbers tell us nothing, but let’s pretend they do and use them as a basis for security rules.
• But since they don’t, let’s basically block everything.
• Blocking everything will ruin the versatility and interoperability of IP and make simple things hard, but let’s ignore that too.
• Result: only a few protocols work, I can’t connect directly, I still don’t know what’s happening on my network, and I’m carrying around USB drives to transfer files in 2014.
The InfoSec profession (mostly) says:
But that’s the trade-off — security vs. capability!
Firewalls aren’t perfect, but they help, and defense in depth defense in depth defense in depth…!
Shouldn’t we err on the side of caution?
Reduce attack surface area?
Right?
Firewalls are worse than technical debt.
They’re an experiment in breeding it.
THE RED QUEEN'S RACE
• A phenomenon in evolutionary ecology and economics.
• You have to keep getting more and more complex to stay in the same place.
• This can be a good thing if it’s driving intelligence and innovation.
• Can also be pathological.
INTRODUCING: THE EVERYTHING PROTOCOL
1. Protocols and services are insecure, so let’s block everything.
2. “I need to get my work done.”
3. Add functionality to known and allowed protocols until those protocols can do everything.
4. Security people get worried about all this new surface area, so they start asking vendors to do deep packet inspection.
5. Goto 1 and repeat.
EXAMPLES OF EVERYTHING PROTOCOLS
• SSH: remote shell, TCP tunnel, SOCKS proxy, DNS proxy, VPN, … am I forgetting anything?
• HTTP: now has WebSockets, in effect a raw bidirectional byte stream over HTTP, allowing anything to be tunneled over it.
• Now you can run SSH over web sockets over HTTP over SSH over a VPN over SSL over HTTP with web sockets.
• WebRTC: data channels run SCTP over DTLS over UDP, and fall back to relaying through TURN over TCP or TLS if UDP is blocked.
• VPNs and network virtualization protocols — guilty as charged!
STOP HITTING YOURSELF
• The firewall drives a red queen’s race with ourselves to engineer more complex systems to defeat our own security.
• It’s an “evolutionary pathology.”
• It will end with impotent over-engineered DPI firewalls trying to police over-engineered bug-ridden opaque protocols.
• … and a closed and monopolized Internet of bloated non-interoperable applications (WIMPs) talking crazy talk.
• It won’t be secure, either.
IP NEEDS BETTER SEMANTICS FOR TRUST AND IDENTIFICATION
• We need to render the firewall obsolete by doing something better, not just yanking it away.
• IP needs a way to manage fine grained trust relationships and convey semantics that are richer than a 16-bit integer and cryptographically verifiable.
• IPsec isn't quite the right thing: it's too much about crypto, not enough about semantics. It's also too hard to deploy and use, and maybe too heavy.
• Beyond the scope of this talk, but we can chat offline.
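To make the “IP tells me nothing” and “richer, cryptographically verifiable semantics” points concrete, here is an added example (not from the talk and not ZeroTier’s protocol): the same inbound SSH connection judged first by an IP:port allow-list, which is all a packet filter can see, and then by a grant issued by a hypothetical network controller that names the holder, the service and the protocol. The controller key, peer identities, service names and the address-from-key derivation are all made up for illustration; HMAC stands in for a public-key signature so the example needs only the standard library, and the transport is assumed to have already authenticated which peer is presenting the grant.

```python
"""IP:port policy versus identity-bound policy (added example, not ZeroTier code)."""
from __future__ import annotations
import hashlib
import hmac
import ipaddress
import json

# -- 1. The packet filter's view: an allow-list, everything else denied.
ALLOW_RULES = [
    ("10.0.0.0/24", 22, "tcp"),  # "the office subnet may SSH to this host"
]


def firewall_allows(src_ip: str, dst_port: int, proto: str) -> bool:
    """Decide on source address, destination port and protocol alone."""
    src = ipaddress.ip_address(src_ip)
    for cidr, port, p in ALLOW_RULES:
        if src in ipaddress.ip_network(cidr) and dst_port == port and proto == p:
            return True
    return False  # deny all


# -- 2. An identity-bound view. The peer's address is derived from its key, so
#    it cannot be claimed by whoever holds a particular IP address today.
#    (Hypothetical derivation for illustration; ZeroTier's real scheme differs.)
def peer_id(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()[:16]


def _encode(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_grant(controller_key: bytes, holder: str, service: str,
                proto: str, now: int, ttl: int = 3600) -> dict:
    """Controller signs (holder, service, proto, expiry). HMAC stands in for a
    public-key signature to keep the example within the standard library."""
    body = {"holder": holder, "service": service, "proto": proto, "exp": now + ttl}
    tag = hmac.new(controller_key, _encode(body), "sha256").hexdigest()
    return {"body": body, "tag": tag}


def grant_allows(controller_key: bytes, grant: dict, presenter: str,
                 service: str, proto: str, now: int) -> bool:
    """Receiving host checks the grant. `presenter` is the peer identity the
    transport has already authenticated (assumed done elsewhere)."""
    body = grant.get("body", {})
    expected = hmac.new(controller_key, _encode(body), "sha256").hexdigest()
    if not hmac.compare_digest(expected, grant.get("tag", "")):
        return False  # forged or tampered
    if body.get("exp", 0) <= now:
        return False  # expired
    return (body.get("holder") == presenter
            and body.get("service") == service
            and body.get("proto") == proto)


def demo() -> dict:
    """Constructed scenario: alice is granted SSH; mallory later gets alice's
    old DHCP lease (10.0.0.4) and presents alice's grant as her own."""
    controller_key = b"controller-secret-demo-only"
    alice = peer_id(b"alice-public-key-bytes")
    mallory = peer_id(b"mallory-public-key-bytes")
    grant = issue_grant(controller_key, alice, "ssh", "tcp", now=1_000)
    return {
        # The packet filter cannot tell them apart: same address, same port.
        "fw_alice": firewall_allows("10.0.0.4", 22, "tcp"),
        "fw_mallory": firewall_allows("10.0.0.4", 22, "tcp"),
        # The identity-bound check distinguishes who, and which service.
        "grant_alice_ssh": grant_allows(controller_key, grant, alice, "ssh", "tcp", now=1_500),
        "grant_mallory_ssh": grant_allows(controller_key, grant, mallory, "ssh", "tcp", now=1_500),
        "grant_alice_rdp": grant_allows(controller_key, grant, alice, "rdp", "tcp", now=1_500),
        "grant_alice_expired": grant_allows(controller_key, grant, alice, "ssh", "tcp", now=9_000),
    }
```

The firewall half answers “is 10.0.0.4 allowed to reach port 22”, and both peers get the same answer because an address proves nothing about who is behind it. The grant half answers “is this authenticated peer allowed to use this service over this protocol right now”, and the decision survives address changes, NAT, and roaming because none of those appear in it. The illustration deliberately leaves out the part a real deployment cannot: proving the presenter actually holds the key its identity was derived from, which is the job of the transport’s handshake.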
OPERATING SYSTEMS NEED BETTER PRIVILEGE MODELS AND ISOLATION
• “Defense in depth” can be done inside the device.
• Benefits:
  • Protects against attackers from anywhere.
  • You control it!
• Unlike IP's identity/trust semantics, this is actually happening! (Sometimes badly, but it's something…)
• Also beyond the scope of this talk.
DEPERIMETERIZATION
PART THREE
Pretend the firewall is dead (in a good way).
Now what?
Everything is peer to peer now!
… the way it was designed to be …
PEER TO PEER PROTOCOLS
• Everything!
• Peer-to-peer just means client-server in both directions.
• FTP, HTTP, RSS, SSH, SMB (Samba), AppleTalk, NFS, various RPC schemes, DNS, streaming protocols, X11, VNC, RDP, SMTP, IMAP, …
DO WE NEED NEW ONES?
• IP -> simplicity, interoperability
• The Unix Way: simple open things connected together to form larger systems.
• Open also means understandable!
• WebRTC can't talk to GNUnet can't talk to Syncthing can't talk to BitTorrent …
• They’re this way because they’re fighting the topology.
EXAMPLE: DECENTRALIZED FACEBOOK
• Build a bidirectional RSS reader.
• Write your feed.
• Subscribe to other people's feeds by network address (and certificate).
• Feeds are refreshed opportunistically when your friends’ devices are available.
• … or you could set up a proxy in the cloud if you want. Nothing wrong with that. The cloud’s just more peers.
MAGIC FORMULA?
• Take a client, make it a server too.
• Bidirectional media players -> video chat, telepresence.
• Bidirectional VNC -> collaborative editing of documents, code, debugging, etc.
• Bidirectional web browser -> decentralized wikis? self-hosted sites? collaborative authoring?
SIMPLE THINGS CAN BE SIMPLE
• File transfers: just use ?!#%!#$# (S)FTP!
• Remote disk access: just use !#%!#$#? Samba, AppleTalk, NFS, etc.
• VoIP / videoconferencing: just open a !@(#$%*% TCP socket and send MP4.
OPINION: INNOVATE
• Decentralized alternatives to popular centralized services are good demos, but…
• For the long term look for things we’re not doing today because they don’t work well in a centralized model.
• Examples:
  • Bandwidth hogs: always-on multi-sensory telepresence.
  • Unforgiving latency requirements: VR has a 20ms latency limit — slower than that and the illusion is destroyed and you might puke.
  • Insanely privacy sensitive: I am not entrusting “the cloud” with my artificial telepathy link.
DEPERIMETERIZATION
• A concept developed by The Open Group’s Jericho Forum (now regrouped as other things).
• Conceptually refers to dumping the castle-and-moat topology in favor of a “porous” network governed by fine grained semantics.
• Also means making endpoints more secure since they have to be their own policemen.
DEGREES OF DEPERIMETERIZATION
• Conservative (a.k.a. enterprise, this decade)
  • “BYOD” — Bring Your Own Device
  • More porous network boundaries, more emphasis on endpoint security.
  • Extensive use of VPNs for telework, linking to partner networks, etc.
  • Still use network boundaries to protect “crown jewels” — credit card numbers, pictures of dead aliens…
• Radical
  • Dump the firewall and make the endpoints smarter.
  • Might still put firewalls around the dead alien pics.
RADICAL DEPERIMETERIZATION NOW
• Security is still a problem:
  • Be careful what you have running.
  • Keep your software up to date.
  • Encrypt highly sensitive data.
  • Also watch your stacks… IPv6?
• Use IPv6 for a global flat IP space…
• … or network virtualization! (plug, plug)
• https://www.zerotier.com/earth.html
DEPERIMETERIZE.ORG
• Don’t go there yet!
• … but there will be something there soon!
• Collaboration with the Open Group, former Jericho Forum members, anyone else who wants to get involved.
• E-mail me if interested: [email protected]
BUT WHAT ABOUT MESH NETS?
• You might get them, or something like them.
• When you do, they’ll probably present a flat IP network to the OS / application layer.
• If there are killer apps, they’re more likely to get popular.
• Develop these apps now.
• Think about how to really fix security and render the firewall obsolete too, since we’ll need that stuff in any case.
THE BIG PICTURE
THE INTERNET IS OUR CENTRAL NERVOUS SYSTEM
MAKE IT SMARTER
Thank you!