* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download alderson
Survey
Document related concepts
Wake-on-LAN wikipedia , lookup
Net neutrality law wikipedia , lookup
Deep packet inspection wikipedia , lookup
Distributed firewall wikipedia , lookup
Computer security wikipedia , lookup
Internet protocol suite wikipedia , lookup
Computer network wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Network tap wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Transcript
What do we want in a future information infrastructure? David Alderson Engineering and Applied Science, Caltech [email protected] MS&E 91SI November 18, 2004 Acknowledgements • Caltech: John Doyle, Lun Li • AT&T: Walter Willinger • CISAC: Kevin Soo Hoo, Mike May, David Elliott, William Perry • MS&E 91SI: Dan, Martin, Keith The Internet* has become a critical information infrastructure. • • • • Individuals Private corporations Governments Other national infrastructures The Internet* has become a critical information infrastructure. • Personal communication – email, IM, IP telephony, file sharing • Business communication – Customers, suppliers, partners • Transaction processing – Businesses, consumers, government • Information access and dissemination – web, blog The Internet* has become a critical information infrastructure. Our dependence on the Internet is only going to increase. This will be amplified by a fundamental change in the way that we use the network. What do we want in a future information infrastructure? How will we use the network? Compute Communications and computing Courtesy: John Doyle Compute Act Sense Environment Courtesy: John Doyle Computation Devices Devices Control Dynamical Systems Courtesy: John Doyle From • Software to/from human • Human in the loop Compute To • Software to Software • Full automation • Integrated control, comms, computing • Closer to physical substrate Computation • New capabilities & robustness • New fragilities & vulnerabilities Devices Devices Control Dynamical Systems Courtesy: John Doyle Are we ready? • This represents an enormous change, the impact of which is not fully appreciated • Few, if any, promising methods for addressing this full problem • Even very special cases have had limited theoretical support Computation Compute • New capabilities & robustness • New fragilities & vulnerabilities Devices Devices Control Dynamical Systems Courtesy: John Doyle The Internet* has become a critical information infrastructure. The Internet has become a type of public utility (like electricity or phone service) that underlies many important public and private services. Internet disruptions have a “ripple effect” across the economy. The Internet is a control system for monitoring and controlling our physical environment. Hijacking the Internet can be even more devastating than interrupting it. What do we want in a future information infrastructure? What features or attributes would we like it to have? Is the Internet* robust? What is robustness? working definition • robustness = the persistence of some feature/attribute in the presence of some disturbance. • must specify the feature/attribute • must specify the disturbance Is the Internet* robust? What can we say based on its architecture? Routers Hosts Links Sources Network protocols. HTTP TCP IP Links Sources HTTP Files Hidden from the user Sources Network protocols. Files HTTP Files TCP IP packets packets packets packets packets packets Links Sources Vertical decomposition Protocol Stack Network protocols. Sources Each layer can HTTP evolve independently TCP provided: 1. Follow the rules IP 2. Everyone else does “good enough” with their layer Links Network protocols. HTTP Individual TCPcomponents can fail (provided that they “fail off”) without disrupting the network. IP Horizontal decomposition Each level is decentralized and asynchronous Links Sources The Internet hourglass Applications Web FTP Mail News Video Audio ping kazaa Transport protocols TCP SCTP UDP ICMP IP Ethernet 802.11 Power lines ATM Optical Link technologies Satellite Bluetooth The Internet hourglass Applications Web FTP Mail News Video Audio ping kazaa TCP IP Ethernet 802.11 Power lines ATM Optical Link technologies Satellite Bluetooth The Internet hourglass Applications Web FTP Mail News Video Audio Everything on IP ping kazaa TCP IP Ethernet 802.11 IP on Power lines ATM Optical everything Link technologies Satellite Bluetooth The Internet hourglass Applications Web FTP Mail robust to changes News Video Audio TCP Power lines ATM napster fragile to changes IP Ethernet 802.11 ping Optical Link technologies Satellite Bluetooth Internet Vulnerabilities • On short time scales: – Robust to loss of components (“fail off”) – Fragile to misbehaving components • On long time scales: – Robust to changes in application or physical layer technologies – Fragile to changes in hourglass “waist” (IP) Is there a practical way of thinking about all of this in the context of cybersecurity? (i.e., a taxonomy for disruptions?) A Simplified Taxonomy Network Services (the end-to-end services that provide basic user functionality to the network) Network Infrastructure (the hardware/software required to enable the movement of data across the network) A Simplified Taxonomy Network Services Vertical decomposition (the end-to-end services that provide basic user functionality to the network) Network Infrastructure Fundamental Protocols Operating Systems Physical Hardware A Simplified Taxonomy Network Services (the end-to-end services that provide basic user functionality to the network) Network Infrastructure Fundamental Protocols Fundamental Protocols Operating Systems Operating Systems Physical Hardware Physical Hardware Network “Core” Network “Edge” Horizontal decomposition Infrastructure in Network Core Network Services (the end-to-end services that provide basic user functionality to the network) Fundamental Protocols Operating Systems Physical Hardware Network “Core” Infrastructure in Network Core Network Services (the end-to-end services that provide basic user functionality to the network) Disruptions Fundamental Protocols (TCP, IP, BGP) Operating Systems • IP spoofing • BGP misconfigs • Standards Orgs • Cisco IOS attack? • Vendors (Cisco IOS) Physical Hardware (cables, routers, switches) Network “Core” Stakeholders (e.g. IETF) • ISPs (e.g. Cisco) • Physical attacks • ISPs Infrastructure at Network Edge Network Services (the end-to-end services that provide basic user functionality to the network) Fundamental Protocols Operating Systems Physical Hardware Network “Edge” Infrastructure at Network Edge Network Services (the end-to-end services that provide basic user functionality to the network) Stakeholders Disruptions • Standards Orgs • IP spoofing • DNS attacks (e.g. IETF) • Users • Vendors (e.g. Microsoft, Dell) • Users (Corporate, Individual, Government) • Most virus/worm attacks • Physical attacks Fundamental Protocols Protocols Fundamental (TCP, IP, IP, DNS) DNS) (TCP, Operating Systems (Microsoft,Linux, Linux,MacOS) MacOS) (Windows, Physical Hardware Hardware Physical (desktops, (desktops, laptops, laptops, servers) servers) Network “Edge” Network Services Network Services (the end-to-end services that provide basic user functionality to the network) Fundamental Protocols Fundamental Protocols Operating Systems Operating Systems Physical Hardware Physical Hardware Network “Core” Network “Edge” Types of Network Services Public Services Private Services (specification and use is freely available) (specification and/or use is restricted or proprietary) Fundamental Protocols Fundamental Protocols Operating Systems Operating Systems Physical Hardware Physical Hardware Network “Core” Network “Edge” Other Infrastructures SCADA Systems (specification and use is freely available) Financial Networks (FedWire) (Telnet) Remote Access (FTP, P2P) File Transfer Public Services E-Mail (SMTP) WWW (HTTP) Types of Network Services Private Services (specification and/or use is restricted or proprietary) Fundamental Protocols Fundamental Protocols Operating Systems Operating Systems Physical Hardware Physical Hardware Network “Core” Network “Edge” SERVICES Other Infrastructures Financial Networks (FedWire) (Telnet) Remote Access (FTP, P2P) File Transfer E-Mail (SMTP) WWW (HTTP) SCADA Systems Private Public Fundamental Protocols Fundamental Protocols Operating Systems Operating Systems Physical Hardware Physical Hardware Network “Core” Network “Edge” ASSETS SERVICES Other Infrastructures Financial Networks (FedWire) (Telnet) Remote Access (FTP, P2P) File Transfer E-Mail (SMTP) WWW (HTTP) Network CORE Fundamental Protocols Fundamental Protocols (TCP, IP, BGP) (TCP, IP, DNS) Operating Systems Operating Systems (Cisco OS) (Windows, Linux, MacOS) Physical Hardware Physical Hardware (cables, routers, switches) (desktops, laptops, servers) ELECTRICITY & OTHER PHYSICAL INFRASTRUCTURES Disruptions SCADA Systems Private Public Network EDGE Technology Dependence (Information, Money) Open Questions • Is an Internet monoculture a significant threat to the security of cyberspace? • Insight into the patch/worm problem? • Who are the stakeholders and what are their economic incentives? • How does misalignment of economic incentives contribute to insecurity? • To what extent are the technological, economic, social, and legal factors in the current cyber infrastructure to blame for the overall (in)security of the system? How to design policy to promote a secure cyber infrastructure? What do we want in a future information infrastructure? What do we have with our current information infrastructure? What We Have • • • • • • • • Heterogeneity Open access Compatibility Evolvability Anonymity Diverse Functionality Best Effort Service Robustness* – Best Effort Service – Component loss Are these attributes important for a critical information infrastructure? What We Have • • • • • • • • What We Need Heterogeneity • Security Open access • Reliability Compatibility • Accountability – Clear responsibility Evolvability – Auditability AnonymityAre there tradeoffs that we might be willing to make? • Management Diverse Functionality simplicity Best Effort Service • Limited functionality Robustness* • Economic self– Best Effort Service sustainability – Component loss Remembering History • Strategic split of ARPANet and MILNet • Different needs of each merited a split in which separate networks could be optimized to achieve different objectives Two Distinct Needs • A public Internet – Embraces the ideals of the original Internet – Open access, anonymity (but at a price) • A critical information infrastructure – Meets the emerging needs of society – Secure, reliable, performance guarantees (but at a price) Is there any reason that they should be the same network? What do we want in a future information infrastructure? A thought experiment Vision for a Future Information Infrastructure • A network that is an appropriate foundation for the deployment and support of critical infrastructure systems, thereby enhancing our national security • A network in which there are clearly defined roles, responsibilities, and accountability for its owners, operators, support industries, and users • A network that grows incrementally on top of the existing mesh of intranets and extranets, driven by a properly incentivized innovation community • A network that interfaces and coexists with legacy infrastructure, providing incremental benefits to all who choose to participate • A network that has self-sustaining economics Some General Beliefs • Private networks (even excluding the military) are a significant portion of all data networks • Most private networks tend to use public infrastructure somewhere (virtual separation) • The ISP industry is in tough economic times • There is a large amount of excess capacity (e.g. dark fiber) • Most of the technology for a secure network already exists • The government and corporations are be willing to spend money to solve the problem A Crazy Idea? Have the federal government commission a few major ISPs to build and operate an “Internet alternative” • Semi-private, with restricted access • Security and reliability as primary objectives • Built from the best of existing technology • Strict deployment standards • Leverage existing and unused capacity • Limited, but guaranteed functionality • Exist alongside current “best effort” Internet • Clear responsibility – Licensed users – Audit trails • Mandated use by other critical infrastructure providers • Available by application to corporations (for a fee) • Goal: long-term economic self-sustainability What about GovNet? • Was it a good idea? • Did any part of it make sense? • Could it be implemented? What do we want in a future information infrastructure? David Alderson Engineering and Applied Science, Caltech [email protected] MS&E 91SI May 26, 2004