What do we want in a future information infrastructure?
David Alderson
Engineering and Applied Science, Caltech
MS&E 91SI
November 18, 2004
Acknowledgements
• Caltech: John Doyle, Lun Li
• AT&T: Walter Willinger
• CISAC: Kevin Soo Hoo, Mike May, David Elliott, William Perry
• MS&E 91SI: Dan, Martin, Keith
The Internet* has become a critical information infrastructure.
• Individuals
• Private corporations
• Governments
• Other national infrastructures
The Internet* has become a critical information infrastructure.
• Personal communication – email, IM, IP telephony, file sharing
• Business communication – customers, suppliers, partners
• Transaction processing – businesses, consumers, government
• Information access and dissemination – web, blog
The Internet* has become a critical information infrastructure.
Our dependence on the Internet is only going to increase.
This will be amplified by a fundamental change in the way that we use the
network.
What do we want in a future information infrastructure?
How will we use the network?
[Figure: Communications and computing. Labels: Compute, Store, Communicate. Courtesy: John Doyle]
[Figure: Labels: Compute, Store, Communicate, Sense, Act, Environment. Courtesy: John Doyle]
[Figure: Labels: Computation, Communication, Control, Devices, Dynamical Systems. Courtesy: John Doyle]
From
• Software to/from human
• Human in the loop
To
• Software to software
• Full automation
• Integrated control, comms, computing
• Closer to physical substrate
[Figure: Labels: Compute, Store, Communicate; Computation, Communication, Control, Devices, Dynamical Systems. Courtesy: John Doyle]
• New capabilities & robustness
• New fragilities & vulnerabilities
Are we ready?
• This represents an enormous change, the impact of which is not fully appreciated
• Few, if any, promising methods for addressing this full problem
• Even very special cases have had limited theoretical support
The Internet* has become a critical information infrastructure.
The Internet is a control system for monitoring and controlling our physical environment. Hijacking the Internet can be even more devastating than interrupting it.
The Internet has become a type of public utility (like electricity or phone service) that underlies many important public and private services. Internet disruptions have a “ripple effect” across the economy.
What do we want in a future information infrastructure?
What features or attributes would we like it to have?
Is the Internet* robust?
What is robustness?
working definition
• robustness = the persistence of some feature/attribute in the presence of some disturbance.
• must specify the feature/attribute
• must specify the disturbance
Is the Internet* robust?
What can we say based on its architecture?
[Figure: network architecture. Labels: Hosts, Routers, Sources, Links; Network protocols: HTTP, TCP, IP; Files; packets; “Hidden from the user”]
Vertical decomposition: Protocol Stack
Each layer can evolve independently provided:
1. Follow the rules
2. Everyone else does “good enough” with their layer
Horizontal decomposition
Each level is decentralized and asynchronous
Individual components can fail (provided that they “fail off”) without disrupting the network.
The Internet hourglass
Applications: Web, FTP, Mail, News, Video, Audio, ping, kazaa
Transport protocols: TCP, SCTP, UDP, ICMP
IP
Link technologies: Ethernet, 802.11, Satellite, Optical, Power lines, Bluetooth, ATM
Everything on IP
IP on everything
[Figure: the hourglass annotated with the labels “robust to changes” and “fragile to changes”]
Internet Vulnerabilities
• On short time scales:
– Robust to loss of components (“fail off”)
– Fragile to misbehaving components
• On long time scales:
– Robust to changes in application or physical layer technologies
– Fragile to changes in hourglass “waist” (IP)
Is there a practical way of thinking about all of this in the context of cybersecurity?
(i.e., a taxonomy for disruptions?)
A Simplified Taxonomy
Network Services (the end-to-end services that provide basic user functionality to the network)
Network Infrastructure (the hardware/software required to enable the movement of data across the network)
Vertical decomposition of Network Infrastructure:
• Physical Hardware
• Operating Systems
• Fundamental Protocols
Horizontal decomposition of Network Infrastructure:
• Network “Core”
• Network “Edge”
Infrastructure in Network Core
• Physical Hardware (cables, routers, switches)
• Operating Systems (Cisco IOS)
• Fundamental Protocols (TCP, IP, BGP)
Stakeholders
• Standards Orgs (e.g. IETF)
• ISPs
• Vendors (e.g. Cisco)
• ISPs
Disruptions
• IP spoofing
• BGP misconfigs
• Physical attacks
• Cisco IOS attack?
Infrastructure at Network Edge
• Physical Hardware (desktops, laptops, servers)
• Operating Systems (Windows, Linux, MacOS)
• Fundamental Protocols (TCP, IP, DNS)
Stakeholders
• Standards Orgs (e.g. IETF)
• Users
• Vendors (e.g. Microsoft, Dell)
• Users (Corporate, Individual, Government)
Disruptions
• IP spoofing
• DNS attacks
• Physical attacks
• Most virus/worm attacks
Types of Network Services
• Public Services (specification and use is freely available)
• Private Services (specification and/or use is restricted or proprietary)
Services shown:
• WWW (HTTP)
• E-Mail (SMTP)
• File Transfer (FTP, P2P)
• Remote Access (Telnet)
• Financial Networks (Fed Wire)
• SCADA Systems
• Other Infrastructures
[Figure: layered diagram. Labels: ELECTRICITY & OTHER PHYSICAL INFRASTRUCTURES; Network CORE and Network EDGE, each with Physical Hardware, Operating Systems, Fundamental Protocols; SERVICES (Private, Public); ASSETS (Information, Money); Technology Dependence; Disruptions]
Open Questions
• Is an Internet monoculture a significant threat to the security of cyberspace?
• Insight into the patch/worm problem?
• Who are the stakeholders and what are their economic incentives?
• How does misalignment of economic incentives contribute to insecurity?
• To what extent are the technological, economic, social, and legal factors in the current cyber infrastructure to blame for the overall (in)security of the system?
How to design policy to promote a secure cyber infrastructure?
What do we want in a future information infrastructure?
What do we have with our current information infrastructure?
What We Have
• Heterogeneity
• Open access
• Compatibility
• Evolvability
• Anonymity
• Diverse Functionality
• Best Effort Service
• Robustness*
– Best Effort Service
– Component loss
Are these attributes important for a critical information infrastructure?
What We Need
• Security
• Reliability
• Accountability
– Clear responsibility
– Auditability
• Management simplicity
• Limited functionality
• Economic self-sustainability
Are there tradeoffs that we might be willing to make?
Remembering History
• Strategic split of ARPANet and MILNet
• Different needs of each merited a split in which separate networks could be optimized to achieve different objectives
Two Distinct Needs
• A public Internet
– Embraces the ideals of the original Internet
– Open access, anonymity (but at a price)
• A critical information infrastructure
– Meets the emerging needs of society
– Secure, reliable, performance guarantees (but at a price)
Is there any reason that they should be the same network?
What do we want in a future information infrastructure?
A thought experiment
Vision for a Future Information Infrastructure
• A network that is an appropriate foundation for the deployment and support of critical infrastructure systems, thereby enhancing our national security
• A network in which there are clearly defined roles, responsibilities, and accountability for its owners, operators, support industries, and users
• A network that grows incrementally on top of the existing mesh of intranets and extranets, driven by a properly incentivized innovation community
• A network that interfaces and coexists with legacy infrastructure, providing incremental benefits to all who choose to participate
• A network that has self-sustaining economics
Some General Beliefs
• Private networks (even excluding the military) are a significant portion of all data networks
• Most private networks tend to use public infrastructure somewhere (virtual separation)
• The ISP industry is in tough economic times
• There is a large amount of excess capacity (e.g. dark fiber)
• Most of the technology for a secure network already exists
• The government and corporations are willing to spend money to solve the problem
A Crazy Idea?
• Semi-private, with restricted access
• Security and reliability as primary objectives
• Built from the best of existing technology
• Strict deployment standards
• Leverage existing and unused capacity
• Limited, but guaranteed functionality
• Exist alongside current “best effort” Internet
• Clear responsibility
– Licensed users
– Audit trails
• Mandated use by other critical infrastructure providers
• Available by application to corporations (for a fee)
• Goal: long-term economic self-sustainability
Have the federal government commission a few major ISPs to build and operate an “Internet alternative”
What about GovNet?
• Was it a good idea?
• Did any part of it make sense?
• Could it be implemented?
What do we want in a future information infrastructure?
David Alderson
Engineering and Applied Science, Caltech
MS&E 91SI
May 26, 2004