What do we want in a future information infrastructure?

1
What do we want in a future information
infrastructure?

• David Alderson
• Engineering and Applied Science, Caltech
• alderd_at_cds.caltech.edu
• MSE 91SI
• November 18, 2004

2
Acknowledgements

• Caltech John Doyle, Lun Li
• ATT Walter Willinger
• CISAC Kevin Soo Hoo, Mike May, David Elliott,
  William Perry
• MSE 91SI Dan, Martin, Keith

3
The Internet has become a critical information
infrastructure.

• Individuals
• Private corporations
• Governments
• Other national infrastructures

4
The Internet has become a critical information
infrastructure.

• Personal communication
• email, IM, IP telephony, file sharing
• Business communication
• Customers, suppliers, partners
• Transaction processing
• Businesses, consumers, government
• Information access and dissemination
• web, blog

5
The Internet has become a critical information
infrastructure.

• Our dependence on the Internet is only going to
  increase.
• This will be amplified by a fundamental change in
  the way that we use the network.

6
What do we want in a future information
infrastructure?

• How will we use the network?

7
Communications and computing
Store
Communicate
Compute
Communicate
Communicate
Courtesy John Doyle
8
Store
Communicate
Compute
Communicate
Communicate
Act
Sense
Environment
Courtesy John Doyle
9
Computation
Communication
Communication
Devices
Devices
Dynamical Systems
Courtesy John Doyle
10

• From
• Software to/from human
• Human in the loop

• To
• Software to Software
• Full automation
• Integrated control, comms, computing
• Closer to physical substrate

Computation

• New capabilities robustness
• New fragilities vulnerabilities

Communication
Communication
Devices
Devices
Control
Dynamical Systems
Courtesy John Doyle
11
Are we ready?

• This represents an enormous change, the impact of
  which is not fully appreciated
• Few, if any, promising methods for addressing
  this full problem
• Even very special cases have had limited
  theoretical support

Computation

• New capabilities robustness
• New fragilities vulnerabilities

Communication
Communication
Devices
Devices
Control
Dynamical Systems
Courtesy John Doyle
12
The Internet has become a critical information
infrastructure.

• The Internet has become a type of public utility
  (like electricity or phone service) that
  underlies many important public and private
  services.
• Internet disruptions have a ripple effect
  across the economy.

• The Internet is a control system for monitoring
  and controlling our physical environment.
• Hijacking the Internet can be even more
  devastating than interrupting it.

13
What do we want in a future information
infrastructure?

• What features or attributes would we like it to
  have?

14
Is the Internet robust?

• What is robustness?

15
working definition

• robustness the persistence of some
  feature/attribute in the presence of some
  disturbance.
• must specify the feature/attribute
• must specify the disturbance

16
Is the Internet robust?

• What can we say based on its architecture?

17
Routers
Hosts
18
Routers
Links
Sources
Hosts
19
Links
Sources
20
Network protocols.
HTTP
TCP
IP
Links
Sources
21
Files
HTTP
Hidden from the user
Sources
22
Network protocols.
Files
Files
HTTP
TCP
IP
packets
packets
packets
packets
packets
packets
Links
Sources
23
Network protocols.

• Each layer can evolve independently provided
• Follow the rules
• Everyone else does good enough with their layer

HTTP
TCP
Vertical decomposition Protocol Stack
IP
Links
Sources
24
Network protocols.
HTTP
Individual components can fail (provided that
they fail off) without disrupting the network.
TCP
IP
Horizontal decomposition Each level is
decentralized and asynchronous
Links
Sources
25
The Internet hourglass
Applications
Web
FTP
Mail
News
Video
Audio
ping
kazaa
Transport protocols
TCP
SCTP
UDP
ICMP
IP
Ethernet
802.11
Satellite
Optical
Power lines
Bluetooth
ATM
Link technologies
26
The Internet hourglass
Applications
Web
FTP
Mail
News
Video
Audio
ping
kazaa
TCP
IP
Ethernet
802.11
Satellite
Optical
Power lines
Bluetooth
ATM
Link technologies
27
The Internet hourglass
Applications
Everything on IP
Web
FTP
Mail
News
Video
Audio
ping
kazaa
TCP
IP
Ethernet
802.11
Satellite
Optical
Power lines
Bluetooth
ATM
Link technologies
28
The Internet hourglass
Applications
Web
FTP
Mail
News
Video
Audio
ping
napster
TCP
robust to changes
fragile to changes
IP
Ethernet
802.11
Satellite
Optical
Power lines
Bluetooth
ATM
Link technologies
29
Internet Vulnerabilities

• On short time scales
• Robust to loss of components (fail off)
• Fragile to misbehaving components
• On long time scales
• Robust to changes in application or physical
  layer technologies
• Fragile to changes in hourglass waist (IP)

Is there a practical way of thinking about all of
this in the context of cybersecurity? (i.e., a
taxonomy for disruptions?)
30
A Simplified Taxonomy
Network Services (the end-to-end services that
provide basic user functionality to the network)
Network Infrastructure (the hardware/software
required to enable the movement of data across
the network)
31
A Simplified Taxonomy
Network Services (the end-to-end services that
provide basic user functionality to the network)
Network Infrastructure
Fundamental Protocols
Vertical decomposition
Operating Systems
Physical Hardware
32
A Simplified Taxonomy
Network Services (the end-to-end services that
provide basic user functionality to the network)
Network Infrastructure
Fundamental Protocols
Fundamental Protocols
Operating Systems
Operating Systems
Physical Hardware
Physical Hardware
Network Core
Network Edge
Horizontal decomposition
33
Infrastructure in Network Core
Network Services (the end-to-end services that
provide basic user functionality to the network)
Fundamental Protocols
Operating Systems
Physical Hardware
Network Core
34
Infrastructure in Network Core
Network Services (the end-to-end services that
provide basic user functionality to the network)
Disruptions
Stakeholders

• Standards Orgs
• (e.g. IETF)
• ISPs

• IP spoofing
• BGP misconfigs

• Cisco IOS attack?

• Vendors
• (e.g. Cisco)
• ISPs

• Physical attacks

Network Core
35
Infrastructure at Network Edge
Network Services (the end-to-end services that
provide basic user functionality to the network)
Fundamental Protocols
Operating Systems
Physical Hardware
Network Edge
36
Infrastructure at Network Edge
Network Services (the end-to-end services that
provide basic user functionality to the network)
Disruptions
Stakeholders

• IP spoofing
• DNS attacks

• Standards Orgs
• (e.g. IETF)
• Users

Fundamental Protocols
(TCP, IP, DNS)

• Most virus/worm attacks

Operating Systems

• Vendors
• (e.g. Microsoft, Dell)
• Users (Corporate, Individual, Government)

(Microsoft, Linux, MacOS)
Physical Hardware

• Physical attacks

(desktops, laptops, servers)
Network Edge
37
Network Services
Network Services (the end-to-end services that
provide basic user functionality to the network)
Fundamental Protocols
Fundamental Protocols
Operating Systems
Operating Systems
Physical Hardware
Physical Hardware
Network Core
Network Edge
38
Types of Network Services
Public Services (specification and use is freely
available)
Private Services (specification and/or use is
restricted or proprietary)
Fundamental Protocols
Fundamental Protocols
Operating Systems
Operating Systems
Physical Hardware
Physical Hardware
Network Core
Network Edge
39
Types of Network Services
Public Services (specification and use is freely
available)
Private Services (specification and/or use is
restricted or proprietary)
Fundamental Protocols
Fundamental Protocols
Operating Systems
Operating Systems
Physical Hardware
Physical Hardware
Network Core
Network Edge
40
S E R V I C E S
Financial Networks (FedWire)
Other Infra- structures
Remote Access (Telnet)
File Transfer (FTP, P2P)
SCADA Systems
E-Mail (SMTP)
WWW (HTTP)
Fundamental Protocols
Fundamental Protocols
Operating Systems
Operating Systems
Physical Hardware
Physical Hardware
Network Core
Network Edge
41
A S S E T S (Information, Money)
S E R V I C E S
Financial Networks (FedWire)
Other Infra- structures
File Transfer (FTP, P2P)
Remote Access (Telnet)
SCADA Systems
E-Mail (SMTP)
WWW (HTTP)
Technology Dependence
Disruptions
Fundamental Protocols (TCP, IP, DNS)
Fundamental Protocols (TCP, IP, BGP)
Operating Systems (Cisco OS)
Operating Systems (Windows, Linux, MacOS)
Network CORE
Network EDGE
Physical Hardware (cables, routers, switches)
Physical Hardware (desktops, laptops, servers)
E L E C T R I C I T Y O T H E R P H Y S I
C A L I N F R A S T R U C T U R E S
42
Open Questions

• Is an Internet monoculture a significant threat
  to the security of cyberspace?
• Insight into the patch/worm problem?
• Who are the stakeholders and what are their
  economic incentives?
• How does misalignment of economic incentives
  contribute to insecurity?
• To what extent are the technological, economic,
  social, and legal factors in the current cyber
  infrastructure to blame for the overall
  (in)security of the system?

How to design policy to promote a secure cyber
infrastructure?
43
What do we want in a future information
infrastructure?

• What do we have with our current information
  infrastructure?

44
What We Have

• Heterogeneity
• Open access
• Compatibility
• Evolvability
• Anonymity
• Diverse Functionality
• Best Effort Service
• Robustness
• Best Effort Service
• Component loss

Are these attributes important for a
critical information infrastructure?
45
What We Have
What We Need

• Security
• Reliability
• Accountability
• Clear responsibility
• Auditability
• Management simplicity
• Limited functionality
• Economic self-sustainability

• Heterogeneity
• Open access
• Compatibility
• Evolvability
• Anonymity
• Diverse Functionality
• Best Effort Service
• Robustness
• Best Effort Service
• Component loss

Are there tradeoffs that we might be willing to
make?
46
Remembering History

• Strategic split of ARPANet and MILNet
• Different needs of each merited a split in which
  separate networks could be optimized to achieve
  different objectives

47
Two Distinct Needs

• A public Internet
• Embraces the ideals of the original Internet
• Open access, anonymity (but at a price)
• A critical information infrastructure
• Meets the emerging needs of society
• Secure, reliable, performance guarantees (but at
  a price)

Is there any reason that they should be the same
network?
48
What do we want in a future information
infrastructure?

• A thought experiment

49
Vision for a Future Information Infrastructure

• A network that is an appropriate foundation for
  the deployment and support of critical
  infrastructure systems, thereby enhancing our
  national security
• A network in which there are clearly defined
  roles, responsibilities, and accountability for
  its owners, operators, support industries, and
  users
• A network that grows incrementally on top of the
  existing mesh of intranets and extranets, driven
  by a properly incentivized innovation community
• A network that interfaces and coexists with
  legacy infrastructure, providing incremental
  benefits to all who choose to participate
• A network that has self-sustaining economics

50
Some General Beliefs

• Private networks (even excluding the military)
  are a significant portion of all data networks
• Most private networks tend to use public
  infrastructure somewhere (virtual separation)
• The ISP industry is in tough economic times
• There is a large amount of excess capacity (e.g.
  dark fiber)
• Most of the technology for a secure network
  already exists
• The government and corporations are be willing to
  spend money to solve the problem

51
A Crazy Idea?
Have the federal government commission a few
major ISPs to build and operate an Internet
alternative

• Semi-private, with restricted access
• Security and reliability as primary objectives
• Built from the best of existing technology
• Strict deployment standards
• Leverage existing and unused capacity
• Limited, but guaranteed functionality

• Exist alongside current best effort Internet
• Clear responsibility
• Licensed users
• Audit trails
• Mandated use by other critical infrastructure
  providers
• Available by application to corporations (for a
  fee)
• Goal long-term economic self-sustainability

52
What about GovNet?

• Was it a good idea?
• Did any part of it make sense?
• Could it be implemented?

53
What do we want in a future information
infrastructure?

• David Alderson
• Engineering and Applied Science, Caltech
• alderd_at_cds.caltech.edu
• MSE 91SI
• May 26, 2004