What do we want in a future information infrastructure? David Alderson Engineering and Applied Science, Caltech alderd@cds.caltech.edu MS&E 91SI November 18, 2004. Acknowledgements. Caltech: John Doyle, Lun Li AT&T: Walter Willinger
What do we want in a future information infrastructure? David Alderson Engineering and Applied Science, Caltech alderd@cds.caltech.edu MS&E 91SI November 18, 2004
Acknowledgements • Caltech: John Doyle, Lun Li • AT&T: Walter Willinger • CISAC: Kevin Soo Hoo, Mike May, David Elliott, William Perry • MS&E 91SI: Dan, Martin, Keith
The Internet* has become a critical information infrastructure. • Individuals • Private corporations • Governments • Other national infrastructures
The Internet* has become a critical information infrastructure. • Personal communication • email, IM, IP telephony, file sharing • Business communication • Customers, suppliers, partners • Transaction processing • Businesses, consumers, government • Information access and dissemination • web, blog
The Internet* has become a critical information infrastructure. Our dependence on the Internet is only going to increase. This will be amplified by a fundamental change in the way that we use the network.
What do we want in a future information infrastructure? How will we use the network?
Communications and computing Store Communicate Compute Communicate Communicate Courtesy: John Doyle
Store Communicate Compute Communicate Communicate Act Sense Environment Courtesy: John Doyle
Control Computation Communication Communication Devices Devices Dynamical Systems Courtesy: John Doyle
From Software to/from human Human in the loop To Software to Software Full automation Integrated control, comms, computing Closer to physical substrate Store Communicate Compute Communicate Communicate Computation • New capabilities & robustness • New fragilities & vulnerabilities Communication Communication Devices Devices Control Dynamical Systems Courtesy: John Doyle
Store Communicate Compute Communicate Communicate Are we ready? • This represents an enormous change, the impact of which is not fully appreciated • Few, if any, promising methods for addressing this full problem • Even very special cases have had limited theoretical support Computation • New capabilities & robustness • New fragilities & vulnerabilities Communication Communication Devices Devices Control Dynamical Systems Courtesy: John Doyle
The Internet* has become a critical information infrastructure. The Internet is a control system for monitoring and controlling our physical environment. • Hijacking the Internet can be even more devastating than interrupting it. The Internet has become a type of public utility (like electricity or phone service) that underlies many important public and private services. • Internet disruptions have a “ripple effect” across the economy.
What do we want in a future information infrastructure? What features or attributes would we like it to have?
Is the Internet* robust? What is robustness?
working definition • robustness = the persistence of some feature/attribute in the presence of some disturbance. • must specify the feature/attribute • must specify the disturbance
Is the Internet* robust? What can we say based on its architecture?
Routers Hosts
Links Sources
Network protocols. HTTP TCP IP Links Sources
Files HTTP Hidden from the user Sources
Network protocols. Files Files HTTP TCP IP packets packets packets packets packets packets Links Sources
Network protocols. • Each layer can evolve independently provided: • Follow the rules • Everyone else does “good enough” with their layer HTTP TCP Vertical decomposition Protocol Stack IP Links Sources
Network protocols. HTTP Individual components can fail (provided that they “fail off”) without disrupting the network. TCP IP Horizontal decomposition Each level is decentralized and asynchronous Links Sources
The Internet hourglass Applications Web FTP Mail News Video Audio ping kazaa Transport protocols TCP SCTP UDP ICMP IP Ethernet 802.11 Power lines ATM Optical Satellite Bluetooth Link technologies
The Internet hourglass Applications Web FTP Mail News Video Audio ping kazaa TCP IP Ethernet 802.11 Power lines ATM Optical Satellite Bluetooth Link technologies
IP on everything The Internet hourglass Applications Everything on IP Web FTP Mail News Video Audio ping kazaa TCP IP Ethernet 802.11 Power lines ATM Optical Satellite Bluetooth Link technologies
The Internet hourglass Applications Web FTP Mail News Video Audio ping napster TCP robust to changes fragile to changes IP Ethernet 802.11 Power lines ATM Optical Satellite Bluetooth Link technologies
Internet Vulnerabilities • On short time scales: • Robust to loss of components (“fail off”) • Fragile to misbehaving components • On long time scales: • Robust to changes in application or physical layer technologies • Fragile to changes in hourglass “waist” (IP) Is there a practical way of thinking about all of this in the context of cybersecurity? (i.e., a taxonomy for disruptions?)
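Added example (not part of the original slides): a toy hop-count routing model that applies the working definition of robustness to the short-time-scale claim above, with reachability among the remaining routers as the feature and one router either failing off or misbehaving as the disturbance. The topology, the function names and the "claims 0 hops to every destination" misbehaviour are assumptions made for illustration.

```python
from collections import deque

# Constructed 8-router topology (a ring with two chords); not taken from the slides.
LINKS = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (6, 7), (7, 0), (0, 4), (2, 6)]

def adjacency(nodes):
    """Neighbour sets restricted to the routers that are still present."""
    adj = {n: set() for n in nodes}
    for a, b in LINKS:
        if a in adj and b in adj:
            adj[a].add(b)
            adj[b].add(a)
    return adj

def believed_hops(adj, dst, liar=None):
    """Hop count to dst as each router believes it; a liar claims 0 hops to everything."""
    hops = {dst: 0}
    if liar is not None:
        hops[liar] = 0
    queue = deque(hops)
    while queue:  # multi-source BFS: advertisements spread one hop at a time
        u = queue.popleft()
        for v in adj[u]:
            if v not in hops:
                hops[v] = hops[u] + 1
                queue.append(v)
    return hops

def delivered(adj, src, dst, liar=None):
    """Forward hop by hop to the neighbour advertising the shortest route."""
    hops = believed_hops(adj, dst, liar)
    u = src
    while u != dst:
        if u == liar or u not in hops:  # dropped by the liar, or no route at all
            return False
        # Ties: a directly attached destination wins, then the lowest router id.
        u = min(adj[u], key=lambda v: (hops[v], v != dst, v))
    return True

def reachability(nodes, liar=None):
    """Fraction of ordered honest (src, dst) pairs whose packets arrive."""
    adj = adjacency(nodes)
    honest = [n for n in nodes if n != liar]
    pairs = [(s, d) for s in honest for d in honest if s != d]
    return sum(delivered(adj, s, d, liar) for s, d in pairs) / len(pairs)

def compare(router=0, n=8):
    """Same router, two disturbances: removed ("fail off") versus lying."""
    fail_off = reachability([x for x in range(n) if x != router])
    misbehaving = reachability(list(range(n)), liar=router)
    return fail_off, misbehaving

if __name__ == "__main__":
    print("fail off: %.2f  misbehaving: %.2f" % compare())
```

Removing the router leaves the other seven fully reachable, while leaving it in place with false advertisements drops a large share of their traffic.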
A Simplified Taxonomy Network Services (the end-to-end services that provide basic user functionality to the network) Network Infrastructure (the hardware/software required to enable the movement of data across the network)
A Simplified Taxonomy Network Services (the end-to-end services that provide basic user functionality to the network) Network Infrastructure Fundamental Protocols Vertical decomposition Operating Systems Physical Hardware
A Simplified Taxonomy Network Services (the end-to-end services that provide basic user functionality to the network) Network Infrastructure Fundamental Protocols Fundamental Protocols Operating Systems Operating Systems Physical Hardware Physical Hardware Network “Core” Network “Edge” Horizontal decomposition
Infrastructure in Network Core Network Services (the end-to-end services that provide basic user functionality to the network) Fundamental Protocols Operating Systems Physical Hardware Network “Core”
Fundamental Protocols (TCP, IP, BGP) Operating Systems (Cisco IOS) Physical Hardware (cables, routers, switches) Infrastructure in Network Core Network Services (the end-to-end services that provide basic user functionality to the network) Disruptions Stakeholders • Standards Orgs • (e.g. IETF) • ISPs • IP spoofing • BGP misconfigs • Cisco IOS attack? • Vendors • (e.g. Cisco) • ISPs • Physical attacks Network “Core”
Infrastructure at Network Edge Network Services (the end-to-end services that provide basic user functionality to the network) Fundamental Protocols Operating Systems Physical Hardware Network “Edge”
Fundamental Protocols (TCP, IP, DNS) Operating Systems (Windows, Linux, MacOS) Physical Hardware (desktops, laptops, servers) Infrastructure at Network Edge Network Services (the end-to-end services that provide basic user functionality to the network) Disruptions Stakeholders • IP spoofing • DNS attacks • Standards Orgs • (e.g. IETF) • Users Fundamental Protocols (TCP, IP, DNS) • Most virus/worm attacks Operating Systems • Vendors • (e.g. Microsoft, Dell) • Users (Corporate, Individual, Government) (Microsoft, Linux, MacOS) Physical Hardware • Physical attacks (desktops, laptops, servers) Network “Edge”
Network Services Network Services (the end-to-end services that provide basic user functionality to the network) Fundamental Protocols Fundamental Protocols Operating Systems Operating Systems Physical Hardware Physical Hardware Network “Core” Network “Edge”
Types of Network Services Public Services (specification and use is freely available) Private Services (specification and/or use is restricted or proprietary) Fundamental Protocols Fundamental Protocols Operating Systems Operating Systems Physical Hardware Physical Hardware Network “Core” Network “Edge”
Other Infrastructures Remote Access (Telnet) File Transfer (FTP, P2P) Financial Networks (FedWire) SCADA Systems WWW (HTTP) E-Mail (SMTP) Types of Network Services Public Services (specification and use is freely available) Private Services (specification and/or use is restricted or proprietary) Fundamental Protocols Fundamental Protocols Operating Systems Operating Systems Physical Hardware Physical Hardware Network “Core” Network “Edge”
Private Public S E R V I C E S Financial Networks (FedWire) Other Infrastructures Remote Access (Telnet) File Transfer (FTP, P2P) SCADA Systems E-Mail (SMTP) WWW (HTTP) Fundamental Protocols Fundamental Protocols Operating Systems Operating Systems Physical Hardware Physical Hardware Network “Core” Network “Edge”
Private Public A S S E T S (Information, Money) S E R V I C E S Financial Networks (FedWire) Other Infrastructures Remote Access (Telnet) File Transfer (FTP, P2P) SCADA Systems E-Mail (SMTP) WWW (HTTP) Technology Dependence Disruptions Fundamental Protocols (TCP, IP, DNS) Fundamental Protocols (TCP, IP, BGP) Operating Systems (Cisco OS) Operating Systems (Windows, Linux, MacOS) Network CORE Network EDGE Physical Hardware (cables, routers, switches) Physical Hardware (desktops, laptops, servers) E L E C T R I C I T Y & O T H E R P H Y S I C A L I N F R A S T R U C T U R E S
Open Questions • Is an Internet monoculture a significant threat to the security of cyberspace? • Insight into the patch/worm problem? • Who are the stakeholders and what are their economic incentives? • How does misalignment of economic incentives contribute to insecurity? • To what extent are the technological, economic, social, and legal factors in the current cyber infrastructure to blame for the overall (in)security of the system? How to design policy to promote a secure cyber infrastructure?
What do we want in a future information infrastructure? What do we have with our current information infrastructure?
Heterogeneity Open access Compatibility Evolvability Anonymity Diverse Functionality Best Effort Service Robustness* Best Effort Service Component loss What We Have Are these attributes important for a critical information infrastructure?
Security Reliability Accountability Clear responsibility Auditability Management simplicity Limited functionality Economic self-sustainability Heterogeneity Open access Compatibility Evolvability Anonymity Diverse Functionality Best Effort Service Robustness* Best Effort Service Component loss What We Have What We Need Are there tradeoffs that we might be willing to make?
Remembering History • Strategic split of ARPANet and MILNet • Different needs of each merited a split in which separate networks could be optimized to achieve different objectives
Two Distinct Needs • A public Internet • Embraces the ideals of the original Internet • Open access, anonymity (but at a price) • A critical information infrastructure • Meets the emerging needs of society • Secure, reliable, performance guarantees (but at a price) Is there any reason that they should be the same network?
What do we want in a future information infrastructure? A thought experiment
Vision for a Future Information Infrastructure • A network that is an appropriate foundation for the deployment and support of critical infrastructure systems, thereby enhancing our national security • A network in which there are clearly defined roles, responsibilities, and accountability for its owners, operators, support industries, and users • A network that grows incrementally on top of the existing mesh of intranets and extranets, driven by a properly incentivized innovation community • A network that interfaces and coexists with legacy infrastructure, providing incremental benefits to all who choose to participate • A network that has self-sustaining economics
Some General Beliefs • Private networks (even excluding the military) are a significant portion of all data networks • Most private networks tend to use public infrastructure somewhere (virtual separation) • The ISP industry is in tough economic times • There is a large amount of excess capacity (e.g. dark fiber) • Most of the technology for a secure network already exists • The government and corporations are willing to spend money to solve the problem
A Crazy Idea? Have the federal government commission a few major ISPs to build and operate an “Internet alternative” • Semi-private, with restricted access • Security and reliability as primary objectives • Built from the best of existing technology • Strict deployment standards • Leverage existing and unused capacity • Limited, but guaranteed functionality • Exist alongside current “best effort” Internet • Clear responsibility • Licensed users • Audit trails • Mandated use by other critical infrastructure providers • Available by application to corporations (for a fee) • Goal: long-term economic self-sustainability