Transcript alderson

What do we want in a future
information infrastructure?
David Alderson
Engineering and Applied Science, Caltech
[email protected]
MS&E 91SI
November 18, 2004
Acknowledgements
• Caltech: John Doyle, Lun Li
• AT&T: Walter Willinger
• CISAC: Kevin Soo Hoo, Mike May,
David Elliott, William Perry
• MS&E 91SI: Dan, Martin, Keith
The Internet* has become a
critical information infrastructure.
• Individuals
• Private corporations
• Governments
• Other national infrastructures
The Internet* has become a
critical information infrastructure.
• Personal communication
– email, IM, IP telephony, file sharing
• Business communication
– Customers, suppliers, partners
• Transaction processing
– Businesses, consumers, government
• Information access and dissemination
– web, blog
The Internet* has become a
critical information infrastructure.
Our dependence on the Internet is only
going to increase.
This will be amplified by a fundamental
change in the way that we use the
network.
What do we want in a future
information infrastructure?
How will we use the network?
[Figure: communications and computing. A compute block interacting with its environment through sense and act loops; computation, devices, control, and dynamical systems. Courtesy: John Doyle]
From:
• Software to/from human
• Human in the loop
To:
• Software to software
• Full automation
• Integrated control, comms, computing
• Closer to physical substrate
• New capabilities & robustness
• New fragilities & vulnerabilities
[Figure: computation, devices, control, dynamical systems. Courtesy: John Doyle]
Are we ready?
• This represents an enormous change, the
impact of which is not fully appreciated
• Few, if any, promising methods for addressing
this full problem
• Even very special cases have had limited
theoretical support
The Internet* has become a
critical information infrastructure.
The Internet has become a type of public utility
(like electricity or phone service) that underlies
many important public and private services.
– Internet disruptions have a “ripple effect”
across the economy.
The Internet is a control system for monitoring
and controlling our physical environment.
Hijacking the Internet can be even more
devastating than interrupting it.
What do we want in a future
information infrastructure?
What features or attributes would
we like it to have?
Is the Internet* robust?
What is robustness?
working definition
• robustness = the persistence of some
feature/attribute in the presence of
some disturbance.
• must specify the feature/attribute
• must specify the disturbance
Is the Internet* robust?
What can we say based on its
architecture?
[Figure: a network of routers, hosts, links, and sources.]
Network protocols.
[Figure: the protocol stack HTTP / TCP / IP running over the links between sources. HTTP carries files; TCP and IP carry packets. The lower layers are hidden from the user.]
Vertical decomposition
Protocol Stack
Each layer can evolve independently provided:
1. Follow the rules
2. Everyone else does “good enough” with their layer
Horizontal decomposition
Individual components can fail (provided that they “fail off”) without disrupting the network.
Each level is decentralized and asynchronous
The Internet hourglass
[Figure: an hourglass. Applications (Web, FTP, Mail, News, Video, Audio, ping, kazaa, napster) at the top; transport protocols (TCP, SCTP, UDP, ICMP) below them; IP at the narrow waist; link technologies (Ethernet, 802.11, power lines, ATM, optical, satellite, Bluetooth) at the bottom.]
• Everything on IP; IP on everything
• The wide ends of the hourglass (applications, link technologies) are robust to changes
• The waist (IP) is fragile to changes
Internet Vulnerabilities
• On short time scales:
– Robust to loss of components (“fail off”)
– Fragile to misbehaving components
• On long time scales:
– Robust to changes in application or
physical layer technologies
– Fragile to changes in hourglass “waist” (IP)
Is there a practical way of thinking about
all of this in the context of cybersecurity?
(i.e., a taxonomy for disruptions?)
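As an added illustration of the short-time-scale point above (example code, not part of the original talk), the toy Python model below routes traffic by hop count on a constructed six-router ring: when a router fails off, every remaining source still reaches the destination, but when a single router falsely advertises itself as the destination, the sources nearest to it are silently captured. The router names, topology and the simplified distance-vector behaviour are assumptions.

```python
from collections import deque

# Constructed toy topology: a six-router ring with one cross link (R1-R4).
# The destination network is owned by R0; every other router is a traffic source.
LINKS = [("R0", "R1"), ("R1", "R2"), ("R2", "R3"), ("R3", "R4"),
         ("R4", "R5"), ("R5", "R0"), ("R1", "R4")]
TRUE_ORIGIN = "R0"

def adjacency(links, failed=()):
    """Build the neighbour map, dropping any router that has 'failed off'."""
    adj = {}
    for a, b in links:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def compute_next_hops(adj, origins):
    """Hop-count routing in the spirit of a distance-vector protocol: each router
    believes whichever origin advertises the shortest path. 'origins' lists every
    router claiming to own the destination; an origin's next hop is itself."""
    dist = {o: 0 for o in origins}
    nexthop = {o: o for o in origins}
    queue = deque(origins)
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in dist or dist[u] + 1 < dist[v]:
                dist[v], nexthop[v] = dist[u] + 1, u
                queue.append(v)
    return nexthop

def delivered(nexthop, src):
    """Forward a packet along next hops; True only if it lands at the real origin."""
    node, seen = src, set()
    while node in nexthop and node not in seen:
        seen.add(node)
        if nexthop[node] == node:            # reached a router claiming ownership
            return node == TRUE_ORIGIN
        node = nexthop[node]
    return False                             # no route, or a forwarding loop

def delivered_fraction(links, failed=(), liar=None):
    """Share of surviving sources whose traffic reaches the true destination."""
    origins = [TRUE_ORIGIN] + ([liar] if liar else [])  # the liar also claims R0's network
    adj = adjacency(links, failed)
    nexthop = compute_next_hops(adj, origins)
    sources = [n for n in adj if n != TRUE_ORIGIN]
    return sum(delivered(nexthop, s) for s in sources) / len(sources)

if __name__ == "__main__":
    print("baseline        :", delivered_fraction(LINKS))                 # 1.0
    print("R1 fails off    :", delivered_fraction(LINKS, failed=("R1",)))  # 1.0
    print("R3 lies about R0:", delivered_fraction(LINKS, liar="R3"))       # 0.4
```

The same model makes the defender's lever visible: the damage comes from routers accepting an unverified ownership claim, which is why origin validation of route announcements matters more than any single router's availability.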
A Simplified Taxonomy
Network Services
(the end-to-end services that provide
basic user functionality to the network)
Network Infrastructure
(the hardware/software required to enable
the movement of data across the network)
A Simplified Taxonomy
Vertical decomposition
Network Services
(the end-to-end services that provide
basic user functionality to the network)
Network Infrastructure
– Fundamental Protocols
– Operating Systems
– Physical Hardware
A Simplified Taxonomy
Horizontal decomposition
Network Services
(the end-to-end services that provide
basic user functionality to the network)
Network Infrastructure, split into Network “Core” and Network “Edge”, each with:
– Fundamental Protocols
– Operating Systems
– Physical Hardware
Infrastructure in Network Core
Network Services
(the end-to-end services that provide
basic user functionality to the network)
Fundamental Protocols
Operating Systems
Physical Hardware
Network “Core”
Infrastructure in Network Core
Network Services
(the end-to-end services that provide
basic user functionality to the network)
Network “Core” infrastructure, with stakeholders and disruptions:
• Fundamental Protocols (TCP, IP, BGP)
– Stakeholders: Standards Orgs (e.g. IETF), ISPs
– Disruptions: IP spoofing, BGP misconfigs
• Operating Systems (Cisco IOS)
– Stakeholders: Vendors (e.g. Cisco)
– Disruptions: Cisco IOS attack?
• Physical Hardware (cables, routers, switches)
– Stakeholders: ISPs
– Disruptions: Physical attacks
Infrastructure at Network Edge
Network Services
(the end-to-end services that provide
basic user functionality to the network)
Fundamental Protocols
Operating Systems
Physical Hardware
Network “Edge”
Infrastructure at Network Edge
Network Services
(the end-to-end services that provide
basic user functionality to the network)
Network “Edge” infrastructure, with stakeholders and disruptions:
• Fundamental Protocols (TCP, IP, DNS)
– Stakeholders: Standards Orgs (e.g. IETF), Users
– Disruptions: IP spoofing, DNS attacks
• Operating Systems (Windows, Linux, MacOS)
– Stakeholders: Vendors (e.g. Microsoft, Dell)
– Disruptions: Most virus/worm attacks
• Physical Hardware (desktops, laptops, servers)
– Stakeholders: Users (Corporate, Individual, Government)
– Disruptions: Physical attacks
Network Services
(the end-to-end services that provide
basic user functionality to the network)
Network “Core” and Network “Edge”, each with:
– Fundamental Protocols
– Operating Systems
– Physical Hardware
Types of Network Services
Public Services
(specification and use is freely available)
• WWW (HTTP)
• E-Mail (SMTP)
• File Transfer (FTP, P2P)
• Remote Access (Telnet)
Private Services
(specification and/or use
is restricted or proprietary)
• Financial Networks (FedWire)
• SCADA Systems
• Other Infrastructures
[Figure, built up over several slides: the public and private SERVICES sit on top of the network ASSETS, which are split into the Network CORE and the Network EDGE.]
Network CORE
• Fundamental Protocols (TCP, IP, BGP)
• Operating Systems (Cisco OS)
• Physical Hardware (cables, routers, switches)
Network EDGE
• Fundamental Protocols (TCP, IP, DNS)
• Operating Systems (Windows, Linux, MacOS)
• Physical Hardware (desktops, laptops, servers)
Beneath both: ELECTRICITY & OTHER PHYSICAL INFRASTRUCTURES
[Figure labels: Disruptions (acting on the assets); Technology Dependence (Information, Money) between the other infrastructures and the network services]
Open Questions
• Is an Internet monoculture a significant threat
to the security of cyberspace?
• Insight into the patch/worm problem?
• Who are the stakeholders and what are their
economic incentives?
• How does misalignment of economic incentives
contribute to insecurity?
• To what extent are the technological, economic,
social, and legal factors in the current cyber
infrastructure to blame for the overall
(in)security of the system?
How to design policy to promote
a secure cyber infrastructure?
What do we want in a future
information infrastructure?
What do we have with our current
information infrastructure?
What We Have
• Heterogeneity
• Open access
• Compatibility
• Evolvability
• Anonymity
• Diverse Functionality
• Best Effort Service
• Robustness*
– Best Effort Service
– Component loss
Are these attributes important for a critical information infrastructure?
What We Have
(Heterogeneity, Open access, Compatibility, Evolvability, Anonymity, Diverse Functionality, Best Effort Service, Robustness* to best effort service and component loss, as listed above)
What We Need
• Security
• Reliability
• Accountability
– Clear responsibility
– Auditability
• Management simplicity
• Limited functionality
• Economic self-sustainability
Are there tradeoffs that we might be willing to make?
Remembering History
• Strategic split of ARPANet and MILNet
• Different needs of each merited a split
in which separate networks could be
optimized to achieve different objectives
Two Distinct Needs
• A public Internet
– Embraces the ideals of the original Internet
– Open access, anonymity (but at a price)
• A critical information infrastructure
– Meets the emerging needs of society
– Secure, reliable, performance guarantees
(but at a price)
Is there any reason that they should be the same network?
What do we want in a future
information infrastructure?
A thought experiment
Vision for a Future
Information Infrastructure
• A network that is an appropriate foundation for the
deployment and support of critical infrastructure
systems, thereby enhancing our national security
• A network in which there are clearly defined roles,
responsibilities, and accountability for its owners,
operators, support industries, and users
• A network that grows incrementally on top of the
existing mesh of intranets and extranets, driven by a
properly incentivized innovation community
• A network that interfaces and coexists with legacy
infrastructure, providing incremental benefits to all
who choose to participate
• A network that has self-sustaining economics
Some General Beliefs
• Private networks (even excluding the military)
are a significant portion of all data networks
• Most private networks tend to use public
infrastructure somewhere (virtual separation)
• The ISP industry is in tough economic times
• There is a large amount of excess capacity
(e.g. dark fiber)
• Most of the technology for a secure network
already exists
• The government and corporations would be
willing to spend money to solve the problem
A Crazy Idea?
Have the federal government commission a few major
ISPs to build and operate an “Internet alternative”
• Semi-private, with
restricted access
• Security and reliability
as primary objectives
• Built from the best of
existing technology
• Strict deployment
standards
• Leverage existing and
unused capacity
• Limited, but guaranteed
functionality
• Exist alongside current
“best effort” Internet
• Clear responsibility
– Licensed users
– Audit trails
• Mandated use by other
critical infrastructure
providers
• Available by application to
corporations (for a fee)
• Goal: long-term economic
self-sustainability
What about GovNet?
• Was it a good idea?
• Did any part of it make sense?
• Could it be implemented?
What do we want in a future
information infrastructure?
David Alderson
Engineering and Applied Science, Caltech
[email protected]
MS&E 91SI
May 26, 2004