1 The Internets we did not build David Clark MIT CSAIL November 2008.

Slides:



Advertisements
Similar presentations
Architecture from the top down David D. Clark MIT CSAIL April, 2009.
Advertisements

1 Designing a future Internet: Architecture and requirements David Clark MIT CSAIL August 2008.
Network Security Essentials Chapter 11
Internetworking II: MPLS, Security, and Traffic Engineering
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Information-Centric Networks02b-1 Week 2 / Paper 2 Tussle in Cyberspace: Defining Tommorow’s Internet –David D. Clark, John Wroclawski, Karen R. Sollins.
Modularity and Applications David Clark MIT July, 2012.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
4/27/2015Slide 1 Rethinking the design of the Internet: The end to end arguments vs. the brave new world Marjory S. Blumenthal Computer Science and Telecomms.
The role of identity David D.Clark July, The role of identity A requirement for identity comes up often: Detect misdirection attacks on communication.
Resource Pooling A system exhibits complete resource pooling if it behaves as if there was a single pooled resource. The Internet has many mechanisms for.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Tussle in cyberspace: Defining tomorrow ’ s internet (2002) D.Clark, J. Wroclawski, K. Sollins & R. Braden Presented by: Gergely Biczok (Slides in courtesy.
NewArch: A new architecture for an Internet David D. Clark, Steve Bellovin, Bob Braden, Noel Chiappa, Ted Faber, Aaron Falk Mark Handley, Scott Shenker,
Chapter 12 Network Security.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
1 Next-Generation Secure Internet: Security Overview and Context Adrian Perrig in collaboration with Steven Bellovin, David Clark, Dawn Song.
© 2007 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.1 Computer Networks and Internets with Internet Applications, 4e By Douglas.
CS 268: Future Internet Architectures Ion Stoica May 1, 2006.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Tussle in cyberspace: Defining tomorrow ’ s internet D.Clark, J.Wroclawski, K.Sollins & R.Braden Presented by: Ao-Jan Su (Slides in courtesy of: Baoning.
Future Research Directions Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm.
CS 268: Future Internet Architectures Ion Stoica May 6, 2003.
Postmodern Internet Architecture Defense Zhaosheng Zhu Kevin Tan.
CS211/Fall /06 Outline for This Lecture Application of e2e over wireless Application Level Framing Integrated Layer Processing Course Project Introduction.
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
Abstraction and Control of Transport Networks (ACTN) BoF
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
System Design Chapter 8. Objectives  Understand the verification and validation of the analysis models.  Understand the transition from analysis to.
Presentation Title Subtitle Author Copyright © 2002 OPNET Technologies, Inc. TM Introduction to IP and Routing.
Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
What does it take to define an architecture? (Part 2) David D. Clark July, 2012.
Security David D. Clark July, Aspects of security Attacks on the network Routing, supply chain Attacks on communication Confidentiality and integrity.
FIND experimental requirements David D. Clark. FIND Future Internet Design (FIND) is an NSF program (now folded in to NetSE) to envision the Internet.
Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.
Presentation on Osi & TCP/IP MODEL
1 The Internet today and tomorrow: social implications of evolving technology David Clark MIT CSAIL November 2008.
Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher.
Tussel in Cyberspace Based on Slides by I. Stoica.
Economics and industry structure David D. Clark MIT July, 2012.
1 An Introduction to the future of the Internet (part 1) David Clark MIT CSAIL July 2012.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
CHAPTER 11 Spoofing Attack. INTRODUCTION Definition Spoofing is the act of using one machine in the network communication to impersonate another. The.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Lecture 17 Page 1 CS 236 Online Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption –With good encryption,
Network Architecture: Design Philosophies IS250 Spring 2010 John Chuang
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
PRESENTED BY P. PRAVEEN Roll No: 1009 – 11 – NETWORK SECURITY M.C.A III Year II Sem.
Virtual Private Ad Hoc Networking Jeroen Hoebeke, Gerry Holderbeke, Ingrid Moerman, Bard Dhoedt and Piet Demeester 2006 July 15, 2009.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
Firewall Security.
Denial of Service DoS attacks try to deny legimate users access to services, networks, systems or to other resources. There are DoS tools available, thus.
Application Architecture Internet Architecture David D. Clark MIT CSAIL September 2005.
End-to-End Principle Brad Karp UCL Computer Science CS 6007/GC15/GA07 25 th February, 2009.
K. Salah1 Security Protocols in the Internet IPSec.
Securing Access to Data Using IPsec Josh Jones Cosc352.
Ch. 23, 25 Q and A (NAT and UDP) Victor Norman IS333 Spring 2015.
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
15-849: Hot Topics in Networking Policy and Networks Srinivasan Seshan 1.
By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.
FIREWALLS By k.shivakumar 08k81f0025. CONTENTS Introduction. What is firewall? Hardware vs. software firewalls. Working of a software firewalls. Firewall.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Multi-layer software defined networking in GÉANT
Firewalls.
* Essential Network Security Book Slides.
IS4680 Security Auditing for Compliance
Outline The concept of perimeter defense and networks Firewalls.
Presentation transcript:

1 The Internets we did not build David Clark MIT CSAIL November 2008

2 Background FIND (Future Internet Design) is a U.S. NSF program to look at what our global network of 15 years from now should be. Similar efforts in Asia and Europe. Challenges us to think about why we built what we built. A lot we got right (perhaps surprising…) A lot is almost an accident.

3 The Internet is a success So why would we want to rethink its design? It’s not the data plane. Packets have proven their generality, and we have polished the data forwarding function for years. It is not that some broad class of application is unsupported. Application designers have shown the broad utility of the Internet. The issues are centered in the broader context within which the Internet is positioned. Need to consider a broad range of requirements.

4 Issues to consider Security Availability and resilience Better management Economic viability Meet society’s needs Support for tomorrow’s computing Exploit tomorrow’s networking Support tomorrow’s applications Fit for purpose (it works…)

5 Outline of this talk Look at some of these important objectives What is wrong with the network of today? Why is it worth considering alternative designs? Describe some emerging proposals and approaches Sometimes conflicting, sometimes clear. (Sometimes my personal point of view.) So wander between requirements and mechanism. Mechanism is easier to think about. Requirements are more fundamental.

6 What was that list?? Those were not requirements. They are a wish list. Desiderata An aide-memoire It is a big jump from any of these items to the design of mechanism. And that is a big issue.

7 Design methodology We must think about the process of moving from objectives to specific requirements to mechanisms and architecture. If the problem is to big to consider at once, must modularize the design process. Beware an over-dependence on layering. That list of issues represents a broad set of criteria: Not just the “traditional”: performance/optimization, generality, new technology Implies a multi-dimensional assessment of new ideas. Implies tradeoff and balancing. We understand a lot more now than we did in This current work should be based on methodical design, analysis, theory.

8 Security Use as a first example of a requirement. Hard and important. Why is the problem so hard? We don’t agree on the definition of good security A balance among stake-holders. We want different outcomes in different contexts. We cannot correct the insecurity of end-nodes. Old ideas: (good ideas, but not why we thought.) Disclosure, integrity, availability How does this relate to firewalls, VPNs? After the fact--not a part of the network

9 A different modularity Attacks on communication Confidentiality and integrity addressed with encryption. Availability?? The central objective of networks. What else? Attacks on the host Infiltration (can lead to most anything) So either prevent infiltration or limit its consequences. Denial of service A special case of availability.

10 Availability First, as much as possible, make attacks on communication into failures of availability. Limit the range of attacks and responses. Think: what is excluded…? Mechanism: wrap an end-to-end confirmation of identity around a connection. Cleanly makes many attacks on/by the network into an availability problem. Second, develop a theory of availability. At a high level: All critical resources must be supported in a rich, heterogeneous, diverse form. It must be possible to detect and distinguish (to some degree) failures. The point of detection must be able to invoke different resources. In general, only the end-points can detect failures.

11 Examples of attacks Byzantine packet handling. Re-routing, adding and dropping. Only end-node can detect, so end-node must be able to request re-routing. Explicit Implicit Multi-homed end-nodes DNS corruption (pharming) No architectural support today to mitigate this. Design is redundant, but not in face of malice.

12 End-to-end checks To turn misdirection attacks into “availability problems”, need a means to confirm with whom you are communicating. An issue of identity and shared information. What notion(s) of identity will be suitable? (See below.) “You” means the end-nodes, but not just the human. If the end-node can be trusted, software can help. Corrupted end-nodes are a central issue here. Can a trusted helper node help? To detect byzantine attacks, fault detection must be integrated into the carriage of data. Security and management are entangled.

13 Economic viability Fundamentals: Different parts of the network are built by different actors. Physical facilities (fibers, towers, etc.) require capital investment. Investors must be motivated to invest. Our preferences: Facilities owners must not control the future of the network. Just invest in it.

14 What happens today? How do facilities owners operate and interact? One answer is that they become ISPs. Measure/model usage Track customers and markets Control routing. ISPs serve a critical business function today. They don’t just move packets, but manage capital and risk. Important economic role. But is this role fundamental?

15 Some specific requirements ISPs must be able to model usage and demand sufficiently well to make investment decisions. Users must be able to select among paths through the network that avoid failures. The network design must allow users a degree of choice among providers so as to impose the discipline of competition. I avoided saying “routing”.

16 (A wrong way to say that…) ISPs must have control of routing to ensure that forwarding paths align with business arrangements. Users must have control over routing to allow them to route around failures and improve performance. Users must have control of routing to allow user choice and the discipline of competition. Routing is a mechanism, not a requirement. In a future network, might do routing differently, and there would be no conflict…

17 A new idea--virtual networks In a virtual network, facilities (routers, links, etc.) are virtualized and then used by higher-level service providers to implement different networks, possibly using very different architectures. VPNs are a limited version of this idea today. A new form of competition. In a world of virtual networks, why would someone invest in expensive facilities? Owner does not control routing, so where should the links go?

18 Another new ideas: futures If investment in facilities is a “up-front” or “sunk” cost, with a long period of depreciation and cost recovery; And virtual networks anticipate flexible access to resources over a short term; Then there must be some way to insulate facilities investors from risk so that they will invest. Consider a futures market for bandwidth. Happens today with really expensive cables.

19 A new interface Do we need to standardize the interface that defines this futures market? Has a lot in common with other commodity markets. Not sure, but if we do, it is an odd sort of standard. Not moving packets, but money. Not just bandwidth, but in a location. Compare to spectrum auctions.

20 The alternatives? Mandatory facilities unbundling. As was called for in the Telecommunications Act of 1996 for access facilities. As is being done in Europe today for access facilities. Regulated rate of return or mandatory structural separation. Works where the motivation to invest is compelling. Public sector investment. Failure so far… (a controversial statement, I know.)

21 Interfaces define the industry ISPs exist because of IP, and the protocols that connect regions together. There is no fundamental reason why ISPs look the way they do. Protocols define the services that can be created across multiple regions. So by creating protocols, we create opportunities for service (e.g. revenue) creation. Which are possible, which are dangerous?

22 Region interconnection Old idea: BGP. New ideas: Interconnection of advanced services Direct expression of business constraints Routing overlays Fault localization and correction Interconnection of traffic aggregates Short-term markets for service Security issues Control of DDoS Detection of corrupted or untrustworthy regions

23 Observations Management has a lot to do with security,availability and economics. These areas are not “modules”. Cannot have a “security” or a “management” design sub-group. For all these areas, we have lots of great ideas, but must sharpen the architectural framework.

24 Network management Even less structured than security. No real consideration in original design. Remote management of boxes. Possible decomposition: Fault isolation and resolution. Network planning and configuration. Does this framing actually decompose the problem? Do we know the modules of management?

25 New ideas: Critical interfaces: Between layers to integrate application, network and technology. Between regions to allow cross-domain capabilities. This interface is fundamental. It reflects reality. Expression of end-user intent. Critical in solving availability problem. Better tools for abstracting the manager’s job. Critical in solving availability problem. Default management automatic, just like dynamic host configuration. Instrumenting the data plane to detect problems.

26 Back to security Earlier we discussed protecting communication from attacks in the net. Other aspects include: Infiltration DDoS attacks Consider infiltration attacks. Either prevent infiltration or limit consequential damage.

27 Start from fundamentals Node security Classic end-nodes will always be insecure, but we can build fixed-function nodes that are pretty good. Can we build secure virtual machines? What parts do we have to work with? Applications define the range of patterns of communication that can be utilized, and what can be seen/modified in the communication. Elements in the network can examine what is revealed. End-node controls the initiation of connections and what is sent. Encryption blunts the power of examination/modification. Network controls topology and completion of connections. A tussle over availability.

28 Practice vs. theory These asymmetries are understood in practice… Firewall topology “Port 80” mode in apps. VPNs. But are not recognized or exploited in the design of the network.

29 The design challenge What trusted components, combined with application modes that exploit them, can protect untrustworthy end-nodes from attack (in particular infiltration, sabotage and exfiltration)? The network can enforce the needed patterns of communication. Network elements can examine what the application chooses to reveal. Trusted and untrusted…

30 Prevent infiltration Require identity as part of session initiation. Use agent to validate incoming service requests. “Firewall of the future” Allow end-node (or trusted helper) to open ports dynamically. Eliminate well-known ports. Make port scans less effective. Inspect incoming data for “bad stuff”. Represents a loss of privacy, so use selectively. Host-centric actions. Virtual machines for risky actions. Outsource risky apps to different machine.

31 Prevent exfiltration If a machine is penetrated, limit the bad consequences. Could be use as zombie, deletion or corruption of data, or theft. Theft is a major problem today. The problem with controlling theft: How can an external agent tell if the transfer is legitimate?

32 The dilemma Two stories: Foreign hackers penetrate a system and send information back to their country. We try to block it. Foreign citizens download public information from a U.S. web site. Their country try to block it. What is the difference? We relabeled the actors. In one case, had to penetrate the sender to implement the pattern. In one case, the sender’s regime tries to block, in the other the receiver’s regime tries to block.

33 The design challenge, part two How can we design applications and patterns of communication that can distinguish between these two stories, even if the sending machine has been penetrated?

34 Distinguish the stories In the first story: Require that data being sent get an export permit (from a trusted machine), that the user must concur, and that we get a strong identity of the receiver before issuing the permit. In the second story: Put the data into an open publish-subscribe or peer- to-peer distribution system. Another example of the theory of availability. But protect the privacy of the requester… Balance the interests… Don’t forget the third story, pushing information out.

35 Information--moving up-layer Old idea: an application issue (ignore it.) New idea: need a framework Naming and identity of information. Independent of how you get it. But: think about privacy. If you shout for information, the whole world hears. Dissemination Swarms, P2P: (heterogeneous). Should this be the basic service, or on top of a transport service? Improves availability of information if it is pushed into the network.

36 Issues to consider Security Availability and resilience Better management Economic viability Meet society’s needs Support for tomorrow’s computing Exploit tomorrow’s networking Support tomorrow’s applications Fit for purpose (it works…)

37 The role of identity A requirement for identity comes up often: Detect misdirection attacks on communication. Detect invalid (unauthentic) pieces of information. Validate identity/authority of incoming connections to prevent infiltration attacks. Allow application/network to pick desired communication pattern, to insert the desired degree of checking into the path between communicating parties, depending on the degree of trust between the parties.

38 Designing identity schemes There is more than one way we could approach identity. A private matter among end-nodes. E.g. encrypted or meaningless except at end points. Signal of identity that is visible in the network. Surveillance cameras in cyberspace. Facilitate both policing (perhaps) and repression. Third-party credentials vs. continuity-based familiarity. Revocable anonymity. Anonymity can only be revoked by its creators. Probably need all in different circumstances, so architecture should not constrain. These are not choices to be made by technologists alone. Need a multi-disciplinary conversation. I am very fearful of getting this wrong.

39 Identity schemes imply deception Both a human and a technical problem. How do you know what information to trust? Credentials? Continuity? Collaborative filtering (trust again). Identity itself should be rich and heterogeneous Integrity through availability. How can we avoid illusion on the screen? Remember that a human is not always present. Need ability (perhaps in restricted circumstances) to delegate decision to a program.

40 Mechanism design The previous discussion (very incomplete) hints at the range of issues that designers of a future network should consider. A future network will have mechanisms that (at a high level) are familiar, but they may take very different forms.

41 Multiplexing--a basic issue Old (1960’s) idea: packets. Seems to have worked out well. New ideas: integrated management of packets and circuits (aggregates). Integrated management. Fault recovery, routing/traffic engineering. Integrate future concepts in optics (routing vs. TE) Virtualization of routers and links Avoid need to have one design. Needs assessment against our broad list of considerations. And these two ideas need to be harmonized.

42 Addressing Old view: designed for efficient forwarding. New view: take into account Security issues Accountability, privacy, deterrence, hiding. Management issues Do you really want to address physical nodes? How about services? Information? Anycast? But consider lower-layer management issues. Multi-homing

43 Routing Old view: Find the lowest cost route Load-based dynamics lead to instability. New ideas: Random route selection. Avoids DoS on link Avoids traffic engineering. User route selection Multi-path routing. Machine learning to achieve high-level policies Move route computation out of forwarders. Multiple simultaneous routing schemes. Routing regions that do not match facilities ownership.

44 Connection establishment Old idea: minimize the round trips. New ideas: Need a phase for exchange of identity. May need a “cross-layer” initial exchange. Re-modularize TCP to be less layered. Need to diffuse attacks. Adding a round trip or two (esp. if not always) worth the cost in order to allow an E2E check. Part of availability framework. Fit this thinking into the DTN paradigm.

45 Application design Old view (simplistic): our machines talk. New view: Lots of servers and services. Need for cross-application core services. Identity management, social networks. Modulate behavior based on trust. Application design patterns and building blocks should be part of the future network.

46 Lots of things we did not discuss Naming (of all sorts of things). Location (physical). Social context. Other aspects of security (e.g., DDoS), management, economics. Computing and network technology.

47 Observations Mechanism (e.g. routing) is a response to a set of requirements, not a given. Derive mechanism, don’t presume it. The (new) interesting interfaces will not involve packets but control, investment, social context, etc. Standardize as little as possible, but no less.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.