What’s wrong with the Net? Mark Handley UCL Department of Computer Science.

Slides:

Advertisements

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Advertisements

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.

Why do current IP semantics cause scaling issues? −Today, “addressing follows topology,” which limits route aggregation compactness −Overloaded IP address.

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

FIREWALLS Chapter 11.

The Internet The last 30 years and the next 30 years. Mark Handley UCL Department of Computer Science.

Firewalls and Intrusion Detection Systems

1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson

11- IP Network Layer4-1. Network Layer4-2 The Internet Network layer forwarding table Host, router network layer functions: Routing protocols path selection.

CSE5803 Advanced Internet Protocols and Applications (7) Introduction The IP addressing scheme discussed in Chapter 2 are classful and can be summarised.

ISOC-Chicago 2001John Kristoff - DePaul University1 Journey to the Center of the Internet John Kristoff DePaul University.

1 A Course-End Conclusions and Future Studies Dr. Rocky K. C. Chang 28 November 2005.

Network Layer IS250 Spring 2010

Networking DSC340 Mike Pangburn. Networking: Computers on the Internet  1969 – 4  1971 – 15  1984 – 1000  1987 – 10,000  1989 – 100,000  1992 –

Routing of Outgoing Packets with MP-TCP draft-handley-mptcp-routing-00 Mark Handley Costin Raiciu Marcelo Bagnulo.

Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.

Firewall Slides by John Rouda

1 Chapter Overview Subnet. What is a subnet When you break a network into a few smaller networks, you have created several subnets Like IP address where.

Day15 IP Space/Setup. IP Suite of protocols –TCP –UDP –ICMP –GRE… Gives us many benefits –Routing of packets over internet –Fragmentation/Reassembly of.

Fall 2006Computer Networks19-1 Chapter 19. Host-to-Host Delivery: Internetworking, Addressing, and Routing 19.1 Internetworks 19.2 Addressing 19.3 Routing.

1Group 07 IPv6 2 1.ET/06/ ET/06/ ET/06/ EE/06/ EE/06/ EE/06/6473 Group 07 IPv6.

Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.

Internet Service Provisioning Phase - I August 29, 2003 TSPT Web:

– Chapter 4 – Secure Routing

FIREWALL Mạng máy tính nâng cao-V1.

Jan 29, 2008CS573: Network Protocols and Standards1 NAT, DHCP Autonomous System Network Protocols and Standards Winter

Comparing modem and other technologies

9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.

Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.

1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.

NECP: the Network Element Control Protocol IETF WREC Working Group November 11, 1999.

Common Devices Used In Computer Networks

Network security Further protocols and issues. Protocols: recap There are a few main protocols that govern the internet: – Internet Protocol: IP – Transmission.

Objectives: Chapter 5: Network/Internet Layer  How Networks are connected Network/Internet Layer Routed Protocols Routing Protocols Autonomous Systems.

Chapter 1. Introduction. By Sanghyun Ahn, Deot. Of Computer Science and Statistics, University of Seoul A Brief Networking History §Internet – started.

Transport Layer 3-1 Chapter 4 Network Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012  CPSC.

11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.

Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.

Understanding Networking Joe Cicero Northeast Wisconsin Technical College.

Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.

1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.

Internet Policy Day 1 - Workshop Session No. 1 History and technical background Prepared for CTO by Link Centre, Witwatersrand University, South Africa.

1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.

Addressing Issues David Conrad Internet Software Consortium.

Requirements for Simulation and Modeling Tools Sally Floyd NSF Workshop August 2005.

INTRODUCTION TO NETWORKS 8/2/2015 SSIG SOUTHERN METHODIST UNIVERSITY.

An Analysis of IPv6 Security CmpE-209: Team Research Paper Presentation CmpE-209 / Spring Presented by: Dedicated Instructor: Hiteshkumar Thakker.

Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:

Bjorn Landfeldt, The University of Sydney 1 NETS 3303 IPv6 and migration methods.

1 12-Jan-16 OSI network layer CCNA Exploration Semester 1 Chapter 5.

1 CNT 4704 Analysis of Computer Communication Networks Cliff Zou Department of Electrical Engineering and Computer Science University of Central Florida.

ITP 457 Network Security Networking Technologies III IP, Subnets & NAT.

Networking Components Quick Guide. Hubs Device that splits a network connection into multiple computers Data is transmitted to all devices attached Computers.

Lab #2 NET332 By Asma AlOsaimi. "Security has been a major concern in today’s computer networks. There has been various exploits of attacks against companies,

TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).

Computer Networks 0110-IP Gergely Windisch

@Yuan Xue CS 285 Network Security Placement of Security Function and Security Service Yuan Xue Fall 2013.

Network Processing Systems Design

Voice Over Internet Protocol Nelson Kattula Computer Science, Masters.

Lab #2 NET332 By Asma AlOsaimi.

4.3 Network Layer Logical Addressing

Network Layer, and Logical Addresses

CONNECTING TO THE INTERNET

CNT 4704 Computer Communication Networking (not “analysis”)

Introducing To Networking

Internet Congestion Control Research Group

CNT 4704 Analysis of Computer Communication Networks

CNT 4704 Analysis of Computer Communication Networks

Session 20 INST 346 Technologies, Infrastructure and Architecture

Presentation transcript:

What’s wrong with the Net? Mark Handley UCL Department of Computer Science

The success of the Internet

The success of the Web

People Online DATENUMBER% POP SRC August million 8.46Nua Ltd August million 6.07Nua Ltd August million 4.64Nua Ltd Sept million 3.6Nua Ltd November million1.81Reuters December million.88IDC

The net is a success! The problem:  In almost every way, the Internet only just works!

The net only just works? It’s always been this way: : TCP/IP split as a reaction to the limitations of NCP. 1982: DNS as a reaction to the net becoming too large for hosts.txt files. 1980s: EGP, RIP, OSPF as reactions to scaling problems with earlier routing protocols. 1988: TCP congestion control in response to congestion collapse. 1989: BGP as a reaction to the need for policy routing in NSFnet.

Changing the net. 1st Jan  Flag day.  ARPAnet switched from NCP to TCP/IP.  About 400 machines need to switch. As the net got bigger, it got harder to change.

Before web... Prior to the 1990s the Internet was primarily academic and scientific.  Common goals.  Low cost of failure. Then came the web, and commercialization of the Internet.  Exponential growth.  Financial costs of failure.  ISPs struggling to keep ahead of demand.  Huge innovation in applications.

Development Cycle “We need this feature immediately to keep our network functioning” “Here’s something we hacked together over the weekend. Let us know if it works.”

Running out of addresses... The current version of the Internet Protocol (IPv4) uses 32 bit addresses.  Not allocated very efficiently.  MIT has more addresses than China. IPv6 is supposed to replace IPv4.  128 bit addresses.  We don’t need to be smart in address allocation.  How do we persuade people to switch?

Network Address Translators Scarcity of addresses has made addresses expensive. NATs map one external address to multiple private internal addresses, by rewriting TCP or UDP port numbers From , TCP port 345 From , TCP port 678 From TCP port 222 From TCP port 222 Public Internet NAT

Network Address Translation Introduces asymmetry: can’t receive an incoming connection. Makes it very hard to refer to other connections:  Signalling, causes the phone to ring.  On answer, set up the voice channel. Application-level gateways get embedded in NATs.  It should be easy to deploy new applications!

The sky is falling!!! No. But we’re accumulating problems faster than they’re being fixed.

Imminent problems Address space exhaustion. Congestion control. Routing. Security. Denial-of-service. Spam. Architectural ossification.

Congestion Control The Internet only functions because TCP’s congestion control does an effective job of matching traffic demand to available capacity. TCP’s Window Time (RTTs)

Limitations of AIMD Very variable transmit rate is fine for bulk-transfer, but hard for real-time traffic.  TCP-Friendly Rate Control (TFRC)  Datagram Congestion Control Protocol (DCCP)

Limitations of AIMD Failure to distinguish congestion loss from corruption loss.  Wireless Limited dynamic range.  R ≈ s RTT p

AIMD: Limited Dynamic Range One loss every half hour, 200ms RTT, 1500bytes/pkt.  9000 RTTs increase between losses.  peak window size = pkts.  mean window size = pkts.  18MByte/RTT  720Mbit/s.  Needs a bit-error rate of better than 1 in 10^12.  Takes a very long time to converge or recover from a burst of loss.

High-speed Congestion Control High-speed TCP (S. Floyd) Scalable TCP (T. Kelly) FAST (S. Low) Fair queuing + packet pair (S. Keshav) ATM ABR service. XCP (D. Katabi)

Routing BGP4 is the only inter-domain routing protocol currently in use world-wide. Lack of security. Ease of misconfiguration. Policy through local filtering. Poorly understood interaction between local policies. Poor convergence. Lack of appropriate information hiding. Non-determinism. Poor overload behaviour.

Replacing BGP? BGP works! BGP is the most critical piece of Internet infrastructure. No-one really knows what policies are in use.  And of those, which subset are intended to be in use. No economic incentive to be first to abandon BGP.

Security We’re reasonably good at encryption and authentication technologies.  Not so good at actually turning these mechanisms on. We’re rather bad at key management.  Hierarchical PKIs rather unsuccessful.  Keys are a single point of failure.  Key revocation. We’re really bad at deploying secure software in secure configurations.  No good way to manage epidemics.  Flash worm: infect all vulnerable servers on the Internet in 30 seconds.

Denial of Service The Internet does a great job of transmitting packets to a destination.  Even if the destination doesn’t want those packets.  Overload servers or network links to prevent the victim doing useful work. Distributed Denial of Service becoming commonplace.  Automated scanning results in armies of compromised zombie hosts being available for coordinated attacks.

Denial of Service Traditional security mechanisms are useless for defending against DoS.  Attacker can force you to do expensive crypto operations. Many DoS point solutions have side-effects that can be exploited by an attacker:  Sendmail SPAM blocking.  BGP Flap Damping. The death of ping.

Security and DoS We need architectural solutions, not point mechanisms. What are the right steps forward, architecturally, that doesn't turn this into the "Information SuperSkyway" (where you have to present your ID in triplicate, board an inconveniently scheduled and uncomfortable packet-herder, have an accredited professional guide you along prescribed and often-congested channels, to get approximately where you wanted to go)? - Leslie Daigle, IAB

Architectural Ossification The net is already hard to change in the core. IP Options virtually useless for extension.  Slow-path processed in fast hardware routers. NATs make it hard to deploy many new applications. Firewalls make it make to deploy anything new.  But the alternative seems to be worse. ISPs looking for ways to make money on “services”.  They’d love to lock you into their own private walled garden, where they can get you to use their services and protocols, for which they can charge.

Summary In almost every way, the net only just works. This is a critical time.  The net is moving out of it’s infancy.  The problems are significant.  We get to influence it’s future.