What do we want in a future information infrastructure? David Alderson Engineering and Applied Science, Caltech [email protected] MS&E 91SI November

What do we want in a future information infrastructure?

David AldersonEngineering and Applied Science, Caltech

[email protected]

MS&E 91SINovember 18, 2004

Acknowledgements

• Caltech: John Doyle, Lun Li

• AT&T: Walter Willinger

• CISAC: Kevin Soo Hoo, Mike May, David Elliott, William Perry

• MS&E 91SI: Dan, Martin, Keith

The Internet* has become a critical information infrastructure.

• Individuals

• Private corporations

• Governments

• Other national infrastructures


• Personal communication – email, IM, IP telephony, file sharing

• Business communication– Customers, suppliers, partners

• Transaction processing– Businesses, consumers, government

• Information access and dissemination– web, blog


Our dependence on the Internet is only going to increase.

This will be amplified by a fundamental change in the way that we use the

network.


How will we use the network?

Compute

Communicate Communicate

StoreCommunicate

Communications and computingCourtesy: John Doyle

Compute

Sense

EnvironmentEnvironment

Act


StoreCommunicate

Courtesy: John Doyle

Computation

Devices

Dynamical SystemsDynamical Systems

DevicesCommunication Communication

Control


From• Software to/from

human• Human in the loop

To• Software to Software• Full automation• Integrated control,

comms, computing• Closer to physical

substrateCompute


Store

Communicate

Computation

Devices


Devices

Communication Communication

Control

• New capabilities & robustness• New fragilities & vulnerabilities


Are we ready?• This represents an enormous change, the

impact of which is not fully appreciated• Few, if any, promising methods for

addressing this full problem• Even very special cases have had limited

theoretical support

Compute


Store

Communicate

Computation

Devices


Devices

Communication Communication

Control

• New capabilities & robustness• New fragilities & vulnerabilities



The Internet is a control system for monitoring and controlling our physical environment.Hijacking the Internet can be even more

devastating than interrupting it.

The Internet has become a type of public utility (like electricity or phone service) that underlies

many important public and private services. Internet disruptions have a “ripple effect”

across the economy.


What features or attributes would we like it to have?

Is the Internet* robust?

What is robustness?

working definition

• robustness = the persistence of some feature/attribute in the presence of some disturbance.

• must specify the feature/attribute

• must specify the disturbance

Is the Internet* robust?

What can we say based on its architecture?

Hosts

Routers

Sources

Links

Network protocols.

HTTP

TCP

IP

Sources

Links

HTTP

Sources

Hidden from the userHidden from the user

Files

Network protocols.

HTTP

TCP

IP

Files

packetspacketspacketspacketspacketspackets

Sources

Links

Files

Network protocols.

HTTP

TCP

IP

Sources

Links

Ver

tica

l dec

ompo

siti

onP

roto

col S

tack

Each layer can evolve independently provided:

1. Follow the rules2. Everyone else

does “good enough” with their layer

Network protocols.

HTTP

TCP

IP

Sources

Links

Horizontal decompositionEach level is decentralized and asynchronous

Individual components can fail (provided that they “fail off”)

without disrupting the network.

The Internet hourglass

IP

Web FTP Mail News Video Audio ping kazaa

Applications

TCP SCTP UDP ICMP

Transport protocols

Ethernet 802.11 SatelliteOpticalPower lines BluetoothATM

Link technologies

IP



Applications

TCP


Link technologies


IP


Applications

TCP


Link technologies

Everythingon IP

IP oneverything


IP

Web FTP Mail News Video Audio ping napster

Applications

TCP


Link technologies

robust to changes

fragile to changes

Internet Vulnerabilities

• On short time scales:– Robust to loss of components (“fail off”)– Fragile to misbehaving components

• On long time scales:– Robust to changes in application or

physical layer technologies– Fragile to changes in hourglass “waist” (IP)

Is there a practical way of thinking about all of this in the context of cybersecurity?

(i.e., a taxonomy for disruptions?)

Network Services(the end-to-end services that provide basic user functionality to the network)

A Simplified Taxonomy

Network Infrastructure(the hardware/software required to enable the movement of data across the network)

Ver

tica

l dec

ompo

siti

onNetwork Services

(the end-to-end services that provide basic user functionality to the network)


Network Infrastructure

Physical Hardware

Operating Systems

Fundamental Protocols



Network Infrastructure

Physical Hardware

Operating Systems


Physical Hardware

Operating Systems


Network “Core” Network “Edge”

Horizontal decomposition


Infrastructure in Network Core

Physical Hardware

Operating Systems


Network “Core”

Physical Hardware(cables, routers, switches)

Operating Systems(Cisco IOS)

Fundamental Protocols(TCP, IP, BGP)


Infrastructure in Network Core

Network “Core”

• Standards Orgs(e.g. IETF)

• ISPs

• Vendors(e.g. Cisco)

• ISPs

Stakeholders• IP spoofing• BGP misconfigs

• Physical attacks

Disruptions

• Cisco IOS attack?


Infrastructure at Network Edge

Physical Hardware

Operating Systems


Network “Edge”


Infrastructure at Network Edge

Physical Hardware

Operating Systems


Network “Edge”

(TCP, IP, DNS)

(Microsoft, Linux, MacOS)

(desktops, laptops, servers)

Physical Hardware(desktops, laptops, servers)

Fundamental Protocols(TCP, IP, DNS)

Operating Systems(Windows, Linux, MacOS)

• Standards Orgs(e.g. IETF)

• Users

• Vendors(e.g. Microsoft, Dell)

• Users (Corporate, Individual, Government)

Stakeholders• IP spoofing• DNS attacks

• Physical attacks

Disruptions

• Most virus/worm attacks

Network Services

Network “Edge”Network “Core”


Physical Hardware

Operating Systems


Physical Hardware

Operating Systems


Types of Network Services


Public Services(specification and use is freely available)

Private Services(specification and/or use

is restricted or proprietary)

Physical Hardware

Operating Systems


Physical Hardware

Operating Systems


Public Services(specification and use is freely available)

Private Services(specification and/or use

is restricted or proprietary)

Types of Network Services


Physical Hardware

Operating Systems


Physical Hardware

Operating Systems

Fundamental ProtocolsR

emo

te

Acc

ess

(Te

lne

t)

WW

W(H

TT

P)

E-M

ail

(SM

TP)

File

T

ran

sfer

(FT

P,

P2

P)

Fin

anci

alN

etw

ork

s(F

ed

Wire

)

SC

AD

AS

yste

ms

Oth

er

Infr

a-st

ruct

ure

s


S E R V I C E S W

WW

(HT

TP)

E-M

ail

(SM

TP)

File

T

ran

sfer

(FT

P,

P2

P)

Rem

ote

A

cces

s(T

eln

et)

Fin

anci

alN

etw

ork

s(F

ed

Wire

)

SC

AD

AS

yste

ms

Oth

er

Infr

a-st

ruct

ure

s

Private Public

Physical Hardware

Operating Systems


Physical Hardware

Operating Systems


Physical Hardware(cables, routers, switches)

Operating Systems(Cisco OS)

Physical Hardware(desktops, laptops, servers)

Fundamental Protocols(TCP, IP, DNS)

Fundamental Protocols(TCP, IP, BGP)

S E R V I C E S

A S S E T S(Information, Money)

Operating Systems(Windows, Linux, MacOS)

Ne

two

rk C

OR

E N

etw

ork

ED

GE

E L E C T R I C I T Y & O T H E RP H Y S I C A L I N F R A S T R U C T U R E S

WW

W(H

TT

P)

E-M

ail

(SM

TP)

File

T

ran

sfer

(FT

P,

P2

P)

Rem

ote

A

cces

s(T

eln

et)

Fin

anci

alN

etw

ork

s(F

ed

Wire

)

SC

AD

AS

yste

ms

Oth

er

Infr

a-st

ruct

ure

s

Private Public

Tec

hnol

ogy

Dep

ende

nce

Disruptions

Open Questions• Is an Internet monoculture a significant threat

to the security of cyberspace?• Insight into the patch/worm problem?• Who are the stakeholders and what are their

economic incentives?• How does misalignment of economic incentives

contribute to insecurity?• To what extent are the technological,

economic, social, and legal factors in the current cyber infrastructure to blame for the overall (in)security of the system?

How to design policy to promote a secure cyber infrastructure?


What do we have with our current information infrastructure?

What We Have

Are theseattributesimportant

for a criticalinformation

infrastructure?

• Heterogeneity • Open access• Compatibility• Evolvability• Anonymity• Diverse Functionality• Best Effort Service• Robustness*

– Best Effort Service– Component loss

• Security• Reliability• Accountability

– Clear responsibility– Auditability

• Management simplicity

• Limited functionality• Economic self-

sustainability

What We Have What We Need

• Heterogeneity • Open access• Compatibility• Evolvability• Anonymity• Diverse Functionality• Best Effort Service• Robustness*

– Best Effort Service– Component loss

Are there tradeoffs that we might be willing to make?

Remembering History

• Strategic split of ARPANet and MILNet

• Different needs of each merited a split in which separate networks could be optimized to achieve different objectives

Two Distinct Needs

• A public Internet– Embraces the ideals of the original Internet– Open access, anonymity (but at a price)

• A critical information infrastructure– Meets the emerging needs of society– Secure, reliable, performance guarantees

(but at a price)

Is there any reason that they should be the same network?


A thought experiment

Vision for a Future Information Infrastructure

• A network that is an appropriate foundation for the deployment and support of critical infrastructure systems, thereby enhancing our national security

• A network in which there are clearly defined roles, responsibilities, and accountability for its owners, operators, support industries, and users

• A network that grows incrementally on top of the existing mesh of intranets and extranets, driven by a properly incentivized innovation community

• A network that interfaces and coexists with legacy infrastructure, providing incremental benefits to all who choose to participate

• A network that has self-sustaining economics

Some General Beliefs• Private networks (even excluding the military)

are a significant portion of all data networks • Most private networks tend to use public

infrastructure somewhere (virtual separation)• The ISP industry is in tough economic times• There is a large amount of excess capacity

(e.g. dark fiber)• Most of the technology for a secure network

already exists• The government and corporations are be

willing to spend money to solve the problem

A Crazy Idea?

• Semi-private, with restricted access

• Security and reliability as primary objectives

• Built from the best of existing technology

• Strict deployment standards

• Leverage existing and unused capacity

• Limited, but guaranteed functionality

• Exist alongside current “best effort” Internet

• Clear responsibility– Licensed users– Audit trails

• Mandated use by other critical infrastructure providers

• Available by application to corporations (for a fee)

• Goal: long-term economic self-sustainability

Have the federal government commission a few major ISPs to build and operate an “Internet alternative”

What about GovNet?

• Was it a good idea?

• Did any part of it make sense?

• Could it be implemented?


David AldersonEngineering and Applied Science, Caltech

[email protected]

MS&E 91SIMay 26, 2004

Documents

What do we want in a future information infrastructure? David Alderson Engineering and Applied Science, Caltech [email protected] MS&E 91SI November