The Co-mingled Universe of R&E Networking. Ken Klingenstein, Director, Internet2 Middleware and Security

Presentation transcript:

The Co-mingled Universe of R&E Networking
Ken Klingenstein, Director, Internet2 Middleware and Security

Topics
- Three things somewhat related
- Reconnections scene setting
- Reconnections outcomes
- High level
- Rich issues

Three things somewhat related
- The original reinvention ideas
  - M. Blumenthal and D. Clark. Rethinking the design of the Internet: The end to end arguments vs. the brave new world. To appear in ACM Trans. Internet Technology. Also to appear in Communications Policy in Transition: The Internet and Beyond. B. Compaine and S. Greenstein, eds. MIT Press
- Reconnections: Managing Academic Networks
  - An Internet2 workshop for integrating new networking approaches with current already complex mesh
- The new NSF GENI effort
  - Conceptual design effort; test-bed to follow

The original reinvention
- Began as an IETF WG on new architecture
  - www3.ietf.org/proceedings/05nov/slides/RRG-9/RRG-2.ppt
- Broad set of new requirements – security, wireless, massive scale (e.g. sensor nets), changing economics, etc.
- Clark, Braden, Chiappa etc. as principals

Reconnections
- Internet2 workshop held at O’Hare in October 2005
- Brought together academic CTO and networkers, network researchers, corporations, etc.
- Goal was to rethink management and integration of networks (both commodity and advanced) in universities and enterprises
- Report now in draft and due out shortly

The new NSF GENI program
- NSF program in CISE to create and test new network architectures responsive to new requirements
- Not specific to R&E networks
- Based on original reinvention energy but coupled with additional concerns on management and transitions, as well as budget realities

Reconnections Scene Setting
- A brief history from a good seat…
- Going forward “opportunities”
- Characteristics of R&E networking
- Relating to corporate requirements
- What does comingled mean?
  - To the current commodity
  - To the future clean slate…

A Brief History …
- Getting onto Arpanet…
- The mid ’80’s
  - JVNC, NSFnet, ESNet, BITnet, CSNet
  - On-campus, the shift from TN3270 to campus nets
- The mid ’90’s
  - vBNS, Abilene, etc
  - The emergence of the border router
  - On-campus, from multiprotocols to TCP/IP

And now…
- A major R&E institution has several external connections, with distinct characteristics (performance, AUP’s, etc.)
- Complex campus networks, with high-performance meshes, lower-speed extensions, clusters of advanced nets, etc.
- Distributed management of networks and desktops
- Lots of special cases, like Medical Schools, Engineering Colleges, Dormitories

And now…
- Security challenges
  - The demise of the fictitious perimeter
  - Roaming devices
  - Wireless
  - Slow to deploy DNSSec and problematic IPSec
- The prospect of new types of external non-IP connections
- Complex, undiagnosable deployments
- Policy drivers for technology

Going Forward “Opportunities”…
- The prospect of on-demand personal “lambdas”
- Infocard
- Federated identity and trust
- Uneven economics

Characteristics of R&E Networking
- Enterprise centric
  - Networking is part of an infrastructure provided to members.
  - Operated often as a common good
  - Often run to a building or POP in a sub-unit; often some wall-plate services as well
- Desktop autonomy
  - Heterogeneity of platforms
  - Loose desktop management
- Leading edge
  - Early developers/adopters of new technologies
- Regulatory complexity
  - HIPAA, FERPA, AUP, DMCA

More characteristics
- Demanding applications
  - Bandwidth, latency, jitter, transparency
- Strong inter-institutional requirements
- Multiple external links
  - AUP’s
  - Performance distinctions
- Funding that favors one-time versus continuing costs

Relating to corporate needs
- From the Jericho forum:
  - Can no longer assume that an organization owns, controls and is accountable for the ICT infrastructure it employs
  - Should not assume that all individuals sit within organizations and are managed by a single IdM
- Vision statement:
  - Cross-organizational security processes and services
  - Open standards
  - Assurance processes that when used in one organization can be trusted by others

Network Applications Consortium
- NAC - a group of major companies (Boeing, Bechtel, GlaxoSmithKline, PG&E, etc.) with intermingled research and operational environments
- Welcome to the Network Applications Consortium "where membership radically improves the delivery of agile IT infrastructure in support of business objectives"
- Original focus was on middleware, where Internet2 and NAC members have had meaningful if sporadic interactions
- Added focus over the last year on network security

NAC Enterprise Security Architecture
- Key Concepts:
  - Security by design
  - Usability and manageability
  - Defense in depth
  - Simplicity
  - Enforced policy
- Key leveraging technologies:
  - Identity Management
  - Directory Services
  - Border Protection
  - Reusable tools
  - Desktop management
  - Role based security

Comingled with the commodity
- The commodity Internet is a part of the R&E network environment
  - With its security issues
  - With its packet disruption appliances
  - With its legacy requirements
- True to being the original crucible, new deployments in commodity often begin in R&E
  - Multicast, IPv6, DNSSec

Co-mingled with the future
- It is likely that any advanced network initiatives will have presence on campuses and require integration.
- Forces may drive management of long distance networking to the end points
- Layers of invention that new networking approaches could leverage are being developed in the R&E community
  - Trust fabrics
  - Manageability discussions

Distinctions?
- This workshop is more on architectures than protocols
- We have steep requirements around policy
- We are driven by researcher needs as much as by economics, capabilities, security, policy, etc.

Questions - 1
- Role of enterprise vs role of VO vs role of individual
  - In authn/z
  - In provisioning networking
  - In resource discovery, etc…
- What role will the enterprise have in personal lambdas?
- What parts of the infrastructure will the enterprise own? Manage?

Questions - 2
- What parts of manageability matter? Costs, downtime, security, privacy…
- Does the control plane/data plane distinction continue to matter? Do we need more planes or less? (remember dynamic networking…)
- How will diagnostics happen in the face of complexity, higher levels of performance, scale, etc?
- How will resource discovery be addressed at so many layers?

Questions - 3
- How important is e2e transparency?
- How important is innovation in the face of security?
- What will drive change?
- How will devices and appliances on the net change the problem?
- Will outsourcing, offshoring etc affect R&E nets?

Reconnections Outcomes
- Marginal improvements have had marginal results
- The rising cost of manageability and diagnostics
- Many insurmountable opportunities for revolutionary change
- The deck is stacked in the arms race
  - Firewalls -> “Firewall Friendly” port 80 world -> Deep packet inspection -> Encrypted traffic: Queen of Spades

Some Tracerouting
- We did a good job of network engineering
  - But forgot the social engineering
  - And economic engineering
- Private pipes: can it be avoided?
  - Through virtualization?
  - Through market forces?
- The banes of silent failure and vanishing transparency

Some Tracerouting
- Network adaptations rapidly being added
- Disruptive introductions
  - DRM in the network
  - Firewalls
- People want this functionality, which leaves two choices
  - Implement it wrong
  - Implement it right

The Next Hop
- Look to the application layer for wisdom
  - “Victorian” instant messaging
  - Visibility
  - Security by Indirection
- Federated Identity: Federated Security?
  - SAML
  - Shibboleth

Reconnections Outcomes
- May also change the way applications and devices relate to the network
  - Devices joining the network getting dumber
  - Boxes in the network getting smarter
- Can we compress the protocol stack; eliminate IP?
  - URL-based routing e.g.
  - Can the network be told, “establish an encrypted, authenticated VoIP connection with