Page 1: The Internet today and tomorrow:  social implications of evolving technology

The Internet today and tomorrow: social implications of evolving technology

David Clark

MIT CSAIL

November 2008

Page 2

Internet today: background

The forces that are shaping it are not just technical.

Technical changes are real: wireless, embedded computers, location sensing.

But perhaps more important is the deep embedding in society.

Privacy and identity.

Social networking as a platform.

The role of the ISP.

Page 3

Internet tomorrow: background

FIND (Future Internet Design) is a U.S. NSF program to look at what our global network of 15 years from now should be.

Similar efforts in Asia and Europe.

Challenges us to think about why we built what we built.

A lot we got right (perhaps surprising…)

A lot is almost an accident.

Could we, by design, mitigate some of the issues we debate today?

Page 4

FIND: The Internet is a success

So why would we want to rethink its design?

It’s not the data plane.

Packets have proven their generality, and we have polished the data forwarding function for years.

It is not that some broad class of application is unsupported.

Application designers have shown the broad utility of the Internet.

The issues are centered in the broader context within which the Internet is positioned.

The FIND project must consider a broad range of requirements.

Page 5

Issues to consider

Security

Availability and resilience

Better management

Economic viability

Meet society’s needs

Support for tomorrow’s computing

Exploit tomorrow’s networking

Support tomorrow’s applications

Fit for purpose (it works…)

Page 6

The role of the ISP

They forward packets.

They interconnect with their competitors.

They invest and manage risk.

They police (directly and indirectly).

They provide critical societal infrastructure.

The Internet cannot just be a creature of the private sector.

They want to profit from investment. (Follow the money.)

Advertising

ISPs vs. Google.

Deep packet inspection.

Manage usage and acceptable activities.

Page 7

Neutrality and management

The net is not neutral and never has been.

We gave preference to interactive traffic in the early days of the NSFnet.

ISPs block known security vulnerabilities.

The real discrimination (follow the money) is at the points of interconnection.

Peering, transit, bargaining, routing, etc.

What the consumer sees is a side-effect of interconnection negotiations.

Page 8

Traffic management?

Usage does cost something. It is not free.

But it is not expensive.

For a typical big access ISP, might be $.05 or $.10 per GB.

Note that this has nothing to do with peak rate.

But for a rural ISP (think small WISP), might be 10 times that.

Must deal with consequences of flat rate pricing.

Typical residential usage today may be 1% loading.

This is necessary. Otherwise nobody could afford broadband.

Again, has little to do with peak rate.

Page 9

What is acceptable?

And how would we decide?

Is it acceptable for someone to profile my behavior?

If I opt in?

If I get only select ads?

If I can opt out selectively?

If it is “pre-anonymized” so it cannot be directly traced back to me?

Is it acceptable for ISPs to limit what I do and how much I send?

If limit is just measured in bytes, yes.

Could limit using dollars. Moving to price tiers.

If limit is priority and service quality, yes.

If limit is performance variation among servers, it happens today all the time.

To what extent should the ISP police the network?

Inevitable, so get on to the issues.

Page 10

A final comment

Being a residential broadband provider is a good business.

If big and (sub) urban.

There is a sense that (especially with respect to cable guys), broadband is some marginal add-on to a highly profitable cable business.

This is silly.

ISPs pay for cable content.

They get Internet content (“over the top”) for free. Sometimes they get paid.

The issues are cost of delivery and who gets advertising revenues.

They do not prefer one to another. They want them all.

Page 11

Talk about tomorrow

Look at some of these important objectives

What is wrong with the network of today?

Why is it worth considering alternative designs?

Describe some emerging proposals and approaches

Sometimes conflicting, sometimes clear.

(Sometimes my personal point of view.)

So wander between requirements and mechanism.

Mechanism is easier to think about.

Requirements are more fundamental.

Page 12

What was that list??

Those were not requirements.

They are a wish list.

Desiderata

An aide-memoire

It is a big jump from any of these items to the design of mechanism.

And that is a big issue.

Page 13

Security

Use as a first example of a requirement.

Hard and important.

Why is the problem so hard?

We don’t agree on the definition of good security

A balance among stake-holders.

We want different outcomes in different contexts.

We cannot correct the insecurity of end-nodes.

Old framework: Disclosure, integrity, availability

How does this relate to firewalls, VPNs?

After the fact--not a part of the network

Page 14

A different framework

Attacks on communication

Confidentiality and integrity addressed with encryption.

Availability?? The central objective of networks.

What else?

Attacks on the host

Infiltration (can lead to most anything)

So either prevent infiltration or limit its consequences.

Attacks on information.

Denial of service

A special case of availability.

Page 15

Availability

First, as much as possible, make the “what else” attacks on communication into failures of availability.

Limit the range of attacks and responses.

Think: what is excluded…?

Mechanism: wrap an end-to-end confirmation of identity around a connection.

Cleanly makes many attacks on/by the network into an availability problem.

Second, develop a theory of availability.

At a high level:

All critical resources must be supported in a rich, heterogeneous, diverse form.

It must be possible to detect and distinguish (to some degree) failures.

The point of detection must be able to invoke different resources.

In general, only the end-points can detect failures.

Page 16

Examples of attacks

Byzantine packet handling.

Re-routing, adding and dropping.

Only end-node can detect, so end-node must be able to request re-routing.

Explicit

Implicit

Multi-homed end-nodes

DNS corruption (pharming)

No architectural support today to mitigate this.

Design is redundant, but not in face of malice.

Page 17

End-to-end checks

To turn misdirection attacks into “availability problems”, need a means to confirm with whom you are communicating.

An issue of identity and shared information.

What notion(s) of identity will be suitable? (See below.)

“You” means the end-nodes, but not just the human.

If the end-node can be trusted, software can help.

Corrupted end-nodes are a central issue here.

Can a trusted helper node help?

To detect byzantine attacks, fault detection must be integrated into the carriage of data.

Security and management are entangled.
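
The mechanism from the Availability and End-to-end checks slides, as an added Python sketch that is not part of the original talk: the end-node wraps a keyed challenge-response around each fetch and treats any failed check as an unavailable path, moving on to the next one. The pre-shared key, the path functions and all names are assumptions made for illustration; the slides leave the notion of identity open.

```python
import hashlib
import hmac
import os

# Assumption: the two end-nodes already share this key (constructed value).
SHARED_KEY = b"constructed-demo-key"
PAGE = b"account page"  # constructed payload


def peer_response(key, nonce, payload):
    """Reply from an end-node holding `key`: payload plus a tag bound to the nonce."""
    return payload, hmac.new(key, nonce + payload, hashlib.sha256).digest()


# Constructed paths; each stands for everything between the two end-nodes.
def honest_path(nonce):
    return peer_response(SHARED_KEY, nonce, PAGE)


def misdirected_path(nonce):
    # Misdirection (for example corrupted DNS): an impostor without the key answers.
    return peer_response(b"impostor-key", nonce, PAGE)


def tampering_path(nonce):
    # Byzantine handling: the real peer answers, an element on the path alters the data.
    payload, tag = peer_response(SHARED_KEY, nonce, PAGE)
    return payload + b" (modified)", tag


def dropping_path(nonce):
    return None  # packets silently dropped


def verified_fetch(paths, key=SHARED_KEY):
    """Try diverse paths in order; return (payload or None, per-path log)."""
    log = []
    for name, path in paths:
        nonce = os.urandom(16)  # fresh per attempt, so an old reply cannot be replayed
        reply = path(nonce)
        if reply is None:
            log.append((name, "no reply"))
            continue
        payload, tag = reply
        expected = hmac.new(key, nonce + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Wrong peer or altered data: either way this path is unusable.
            log.append((name, "identity check failed"))
            continue
        log.append((name, "ok"))
        return payload, log
    return None, log


if __name__ == "__main__":
    paths = [("isp-a", misdirected_path), ("isp-b", dropping_path),
             ("isp-c", tampering_path), ("isp-d", honest_path)]
    payload, log = verified_fetch(paths)
    for name, outcome in log:
        print(name, outcome)
    print(payload)
```

The end-node cannot tell misdirection from tampering here, only that the path failed the check, which is enough to trigger the switch to a different resource.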

Page 18

Economic viability

Fundamentals:

Different parts of the network are built by different actors.

Physical facilities (fibers, towers, etc.) require capital investment.

Investors must be motivated to invest.

Our preferences:

Facilities owners must not control the future of the network.

Just invest in it.

Page 19

What happens today?

How do facilities owners operate and interact?

One answer is that they become ISPs.

Measure/model usage

Track customers and markets

Control routing.

ISPs serve a critical business function today.

They don’t just move packets, but manage capital and risk.

Important economic role.

But is this role fundamental?

Page 20

Some specific requirements

ISPs must be able to model usage and demand sufficiently well to make investment decisions.

Users must be able to select among paths through the network that avoid failures.

The network design must allow users a degree of choice among providers so as to impose the discipline of competition.

Page 21

A new idea--virtual networks

In a virtual network, facilities (routers, links, etc.) are virtualized and then used by higher-level service providers to implement different networks, possibly using very different architectures.

VPNs are a limited version of this idea today.

A new form of competition.

In a world of virtual networks, why would someone invest in expensive facilities?

Owner does not control routing, so where should the links go?

Page 22

Another new idea: futures

If investment in facilities is an “up-front” or “sunk” cost, with a long period of depreciation and cost recovery;

And virtual networks anticipate flexible access to resources over a short term;

Then there must be some way to insulate facilities investors from risk so that they will invest.

Consider a futures market for bandwidth.

Happens today with really expensive cables.

Page 23

A new interface

Do we need to standardize the interface that defines this futures market?

Has a lot in common with other commodity markets.

Not sure, but if we do, it is an odd sort of standard.

Not moving packets, but money.

Not just bandwidth, but in a location.

Compare to spectrum auctions.

Page 24

The alternatives?

Mandatory facilities unbundling.

As was called for in the Telecommunications Act of 1996 for access facilities.

As is being done in Europe today for access facilities.

Regulated rate of return or mandatory structural separation.

Works where the motivation to invest is compelling.

Public sector investment.

Failure so far… (a controversial statement, I know.)

Page 25

Interfaces define the industry

ISPs exist because of IP, and the protocols that connect regions together.

There is no fundamental reason why ISPs look the way they do.

Protocols define the services that can be created across multiple regions.

So by creating protocols, we create opportunities for service (e.g. revenue) creation.

Which are possible, which are dangerous?

Page 26

Region interconnection

Old idea: BGP.

New ideas:

Interconnection of advanced services

Direct expression of business constraints

Routing overlays

Fault localization and correction

Interconnection of traffic aggregates

Short-term markets for service

Security issues

Control of DDoS

Detection of corrupted or untrustworthy regions

Page 27

Observations

Management has a lot to do with security, availability and economics.

These areas are not “modules”.

Cannot have a “security” or a “management” design sub-group.

For all these areas, we have lots of great ideas, but must sharpen the architectural framework.

Page 28

Information--moving up-layer

Old idea: an application issue (ignore it.)

New idea: need a framework

Naming and identity of information.

Independent of how you get it.

But: think about privacy.

If you shout for information, the whole world hears.

Dissemination

Swarms, P2P: (heterogeneous).

Should this be the basic service, or on top of a transport service?

Improves availability of information if it is pushed into the network.

Page 29

Issues to consider

Security

Availability and resilience

Better management

Economic viability

Meet society’s needs

Support for tomorrow’s computing

Exploit tomorrow’s networking

Support tomorrow’s applications

Fit for purpose (it works…)

Page 30

The role of identity

A requirement for identity comes up often:

Detect misdirection attacks on communication.

Detect invalid (unauthentic) pieces of information.

Validate identity/authority of incoming connections to prevent infiltration attacks.

Allow application/network to pick desired communication pattern, to insert the desired degree of checking into the path between communicating parties, depending on the degree of trust between the parties.

Page 31

Designing identity schemes

There is more than one way we could approach identity.

A private matter among end-nodes.

E.g. encrypted or meaningless except at end points.

Signal of identity that is visible in the network.

Surveillance cameras in cyberspace.

Facilitate both policing (perhaps) and repression.

Third-party credentials vs. continuity-based familiarity.

Revocable anonymity.

Anonymity can only be revoked by its creators.

Probably need all in different circumstances, so architecture should not constrain.

These are not choices to be made by technologists alone.

Need a multi-disciplinary conversation.

I am very fearful of getting this wrong.

Page 32

Identity schemes imply deception

Both a human and a technical problem.

How do you know what information to trust?

Credentials?

Continuity?

Collaborative filtering (trust again).

Identity itself should be rich and heterogeneous

Integrity through availability.

How can we avoid illusion on the screen?

Remember that a human is not always present.

Need ability (perhaps in restricted circumstances) to delegate decision to a program.

Page 33

Mechanism design

The previous discussion (very incomplete) hints at the range of issues that designers of a future network should consider.

A future network will have mechanisms that (at a high level) are familiar, but they may take very different forms.

Page 34

Routing and forwarding

Forwarding: what a router does when it gets a packet.

Routing: computing the right paths to make forwarding work.

Why should routers compute routes?

Why not make it a competitive business?

Let servers compute routes and download them into routers to drive forwarding.

Issues: (examples…)

Resilience and route recovery.

Investment incentive.

Better security through diversity.

Better routes

Page 35

Application design

Old view (simplistic): our machines talk.

New view:

Lots of servers and services.

Need for cross-application core services.

Identity management, social networks.

Modulate behavior based on trust.

Outsource security-related tasks to secure nodes.

Since the host is insecure.

Application design patterns and building blocks should be part of the future network.

Social question: who is empowered and is this what we wanted as the outcome?

Page 36

Lots of things we did not discuss

Naming (of all sorts of things).

Location (physical).

Social context.

Other aspects of security (e.g., DDoS), management, economics.

Computing and network technology.

Page 37

Observations

Mechanism (e.g. routing) is a response to a set of requirements, not a given.

Derive mechanism, don’t presume it.

The (new) interesting interfaces will not involve packets but control, investment, social context, etc.

Technical design choices can shift the balance of the social contract among the players.

Computer scientists are not trained to think in these terms, and social scientists tend to take the technology as exogenous.

The role of the ISP is critical.

What will we be arguing about 5 years from now?

Policing, liability, advertising, out of date infrastructure.

Page 39

Network management

Even less structured than security.

No real consideration in original design.

Remote management of boxes.

Possible decomposition:

Fault isolation and resolution.

Network planning and configuration.

Does this framing actually decompose the problem?

Do we know the modules of management?

Page 40

New ideas:

Critical interfaces:

Between layers to integrate application, network and technology.

Between regions to allow cross-domain capabilities.

This interface is fundamental. It reflects reality.

Expression of end-user intent.

Critical in solving availability problem.

Better tools for abstracting the manager’s job.

Critical in solving availability problem.

Default management automatic, just like dynamic host configuration.

Instrumenting the data plane to detect problems.

Page 41

Back to security

Earlier we discussed protecting communication from attacks in the net.

Other aspects include:

Infiltration

DDoS attacks

Consider infiltration attacks.

Either prevent infiltration or limit consequential damage.

Page 42

Start from fundamentals

Node security

Classic end-nodes will always be insecure, but we can build fixed-function nodes that are pretty good.

Can we build secure virtual machines?

What parts do we have to work with?

Applications define the range of patterns of communication that can be utilized, and what can be seen/modified in the communication.

Elements in the network can examine what is revealed.

End-node controls the initiation of connections and what is sent.

Encryption blunts the power of examination/modification.

Network controls topology and completion of connections.

A tussle over availability.

Page 43

Practice vs. theory

These asymmetries are understood in practice…

Firewall topology

“Port 80” mode in apps.

VPNs.

But are not recognized or exploited in the design of the network.

Page 44

The design challenge

What trusted components, combined with application modes that exploit them, can protect untrustworthy end-nodes from attack (in particular infiltration, sabotage and exfiltration)?

The network can enforce the needed patterns of communication.

Network elements can examine what the application chooses to reveal.

Trusted and untrusted…

Page 45

Prevent infiltration

Require identity as part of session initiation.

Use agent to validate incoming service requests.

“Firewall of the future”

Allow end-node (or trusted helper) to open ports dynamically.

Eliminate well-known ports.

Make port scans less effective.

Inspect incoming data for “bad stuff”.

Represents a loss of privacy, so use selectively.

Host-centric actions.

Virtual machines for risky actions.

Outsource risky apps to different machine.

Page 46

Prevent exfiltration

If a machine is penetrated, limit the bad consequences.

Could be use as zombie, deletion or corruption of data, or theft.

Theft is a major problem today.

The problem with controlling theft:

How can an external agent tell if the transfer is legitimate?

Page 47

The dilemma

Two stories:

Foreign hackers penetrate a system and send information back to their country. We try to block it.

Foreign citizens download public information from a U.S. web site. Their country tries to block it.

What is the difference?

We relabeled the actors.

In one case, had to penetrate the sender to implement the pattern.

In one case, the sender’s regime tries to block, in the other the receiver’s regime tries to block.

Page 48

The design challenge, part two

How can we design applications and patterns of communication that can distinguish between these two stories, even if the sending machine has been penetrated?

Page 49

Distinguish the stories

In the first story:

Require that data being sent get an export permit (from a trusted machine), that the user must concur, and that we get a strong identity of the receiver before issuing the permit.

In the second story:

Put the data into an open publish-subscribe or peer-to-peer distribution system.

Another example of the theory of availability.

But protect the privacy of the requester…

Balance the interests…

Don’t forget the third story, pushing information out.
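
One way the export-permit idea for the first story could look, as an added Python sketch that is not part of the original talk. It assumes an HMAC key held only by the trusted machine and by an egress gate in the network (never by the sending host), and a set of already-verified receiver names standing in for strong identity; all names are hypothetical.

```python
import hashlib
import hmac
import json

# Assumption: known only to the trusted permit machine and the egress gate.
PERMIT_KEY = b"constructed-permit-key"
# Assumption: stand-in for whatever strong identity check the receiver passed.
VERIFIED_RECEIVERS = {"partner.example"}


def _mac(data_digest, receiver):
    """Bind the permit to one piece of data and one receiver."""
    msg = json.dumps({"digest": data_digest, "receiver": receiver},
                     sort_keys=True).encode()
    return hmac.new(PERMIT_KEY, msg, hashlib.sha256).hexdigest()


def issue_permit(data, receiver, user_concurs):
    """Runs on the trusted machine. Returns a permit dict, or None if refused."""
    if not user_concurs:
        return None  # the user must concur
    if receiver not in VERIFIED_RECEIVERS:
        return None  # no strong identity for the receiver
    digest = hashlib.sha256(data).hexdigest()
    return {"digest": digest, "receiver": receiver, "mac": _mac(digest, receiver)}


def egress_allows(data, receiver, permit):
    """Runs on the network element at the boundary, outside the sending host."""
    if not isinstance(permit, dict):
        return False
    digest = hashlib.sha256(data).hexdigest()
    if permit.get("digest") != digest or permit.get("receiver") != receiver:
        return False  # permit was issued for other data or another receiver
    presented = str(permit.get("mac", "")).encode()
    return hmac.compare_digest(presented, _mac(digest, receiver).encode())


if __name__ == "__main__":
    report = b"quarterly report"          # constructed sample data
    permit = issue_permit(report, "partner.example", user_concurs=True)
    print(egress_allows(report, "partner.example", permit))               # permitted transfer
    print(egress_allows(b"customer database", "partner.example", permit))  # permit reused
    print(egress_allows(report, "unknown.example", None))                  # no permit at all
```

Because the sending host never holds the key, code running on a penetrated host can neither mint a permit nor reuse one for different data or a different receiver.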

