Module: Future of the Internet Professor Trent Jaeger Penn State - - PowerPoint PPT Presentation

SLIDE 1

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Module: Future of the Internet

Professor Trent Jaeger Penn State University

SLIDE 2

Current Internet

  • Commissioned in the 1960s
  • Global system of interconnected networks
  • Communicate over common protocols - TCP/UDP/IP
  • Foundation for World Wide Web (1990s)
  • As of 2014, nearly 38% of the world’s population has used Internet services in the last year

  • By 2002, 92% of US classrooms had Internet access
  • One of the top innovations of the 20th Century

SLIDE 3

Satisfied?

  • Are you satisfied with the current internet?
  • What kinds of problems are you having?

SLIDE 4

Satisfied?

  • Are you satisfied with the current internet?
  • What kinds of problems are you having?

SCION: Scalability, Control and Isolation On Next-Generation Networks

Xin Zhang, Hsu-Chun Hsiao, Geoff Hasker, Haowen Chan, Adrian Perrig, David Andersen

SLIDE 5

Satisfied?

[Figure: protocol stack layers: Application, Transport, Data link, Network, Physical]

After years of patching, the Internet is still neither Reliable nor Secure!

  • Feb 2008: Pakistani ISP hijacks YouTube prefix
  • Apr 2010: A Chinese ISP inserts fake routes affecting thousands of US networks.
  • Nov 2010: 10% of Internet traffic 'hijacked' to Chinese servers due to DNS Tampering.

S-BGP origin attestation, S-BGP route attestation, DNSSec, Multi-path routing

  • Fixes to date – ad hoc, patches
  • Inconvenient truths
    • S-BGP: delayed convergence
    • Global PKI: single root of trust

SLIDE 6

Internet Lessons Learned

  • We cannot depend on the discipline or sophistication of users
  • We cannot depend on correct user configuration of controls such as ACLs or firewalls
  • We cannot depend on security models based on managed trust assumptions
  • We cannot depend on IDS
  • We cannot depend on application designers to pay attention to security
  • We cannot depend on ISPs to perform security checks
  • We cannot depend on legal deterrence

SLIDE 7

End-to-end principle

  • We cannot depend on the discipline or sophistication of users
  • We cannot depend on correct user configuration of controls such as ACLs or firewalls
  • We cannot depend on security models based on managed trust assumptions
  • We cannot depend on IDS
  • We cannot depend on application designers to pay attention to security
  • We cannot depend on ISPs to perform security checks
  • We cannot depend on legal deterrence
  • What do these say about the end-to-end principle?

SLIDE 8

Fix the Internet’s Problems

  • Extend/add new layers to address limitations
    • Pros: minimize disruption
    • Cons: Can still exploit vulnerabilities in other layers
    • E.g., Secure channel between BGP hosts does not ensure info sent on that channel is secure in the first place
  • Clean slate design
    • Cons: Expensive and perhaps difficult to adopt
    • Pros: Free to solve problems in a compatible way

SLIDE 9

Clean Slate Goals

  • Availability
    • Systems are both well-behaved and allowed to communicate by the policies of the interconnecting networks
  • Security
    • Defensible position on the role of the network in supporting the end-host security
  • Flexibility and Extensibility
    • Lots of capabilities can be added

SLIDE 10

End Node Security

  • Critical technology: Firewalls
  • Protect communications to end nodes - block some attack vectors comprehensively

  • But, such protection is “imperfect”
  • Do not deal with insiders
  • Lots of things act as a form of a firewall
  • Different layers - e.g., application layer firewalls
  • Different locations - e.g., gateways and end nodes
  • Impact of encrypted traffic - make network privy
  • Impact of end-to-end principle - more smarts in net

SLIDE 11

End Node Security

  • Firewalls only part of the solution
  • “Defense in depth” - what does that mean?
  • What other defenses can work with firewall?
  • Application defenses
  • E.g., email servers outsourcing spam detection
  • How can this be integrated into a general architecture?
  • Detection and recovery
  • When and how to cut off a machine (no false positives)?
  • When and how to restore that machine?

SLIDE 12

Next-Gen Improvements

  • What would you propose?

SLIDE 13

Routing Paths

Limitations of the Current Internet

  • Destination or ISP have no control over inbound paths
  • Route inconsistencies
    • Forwarding state may be different from announced state

[Figure: ADs D, C, A, B and M; labels "D's prefix here!" and "Prefer the red path …"]

SLIDE 14

Border Gateway Protocol

  • Protocol to exchange routing and reachability information between autonomous systems (AS) on the Internet.

  • What happens if malicious BGP messages are sent?
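
An added example, not part of the original slides: a small route-selection model showing why an unauthenticated "D's prefix here!" announcement is accepted, and how an origin-attestation check rejects and flags it. The attestation table stands in for S-BGP origin attestation without its signatures; the prefixes, AS numbers and function names are constructed for illustration.

```python
import ipaddress

# Constructed origin attestations: prefix -> AS authorised to originate it.
# The prefix and AS numbers are documentation values, not real routes.
ATTESTED = {ipaddress.ip_network("203.0.113.0/24"): 64500}   # D

def origin_state(prefix, origin_as):
    """Classify an announcement as 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covering = [asn for p, asn in ATTESTED.items() if net.subnet_of(p)]
    if not covering:
        return "unknown"            # nobody attested this address space
    return "valid" if origin_as in covering else "invalid"

def select_routes(announcements, check_origin):
    """Per prefix, keep the shortest AS path; optionally drop invalid origins."""
    best = {}
    for prefix, as_path in announcements:
        if check_origin and origin_state(prefix, as_path[-1]) == "invalid":
            continue
        if prefix not in best or len(as_path) < len(best[prefix]):
            best[prefix] = as_path
    return best

def rejected(announcements):
    """Announcements a monitor should flag: origin contradicts an attestation."""
    return [(p, path) for p, path in announcements
            if origin_state(p, path[-1]) == "invalid"]

# Constructed view from AS A: D's real route arrives over two hops, while
# M (AS 64511) claims to originate the same prefix one hop away.
SEEN_BY_A = [
    ("203.0.113.0/24", [64501, 64502, 64500]),
    ("203.0.113.0/24", [64511]),
    ("198.51.100.0/24", [64501, 64503]),
]

if __name__ == "__main__":
    print(select_routes(SEEN_BY_A, check_origin=False)["203.0.113.0/24"])
    print(select_routes(SEEN_BY_A, check_origin=True)["203.0.113.0/24"])
    print(rejected(SEEN_BY_A))
```

Without the check, path length alone decides and the unauthorised origin wins; with it, D's longer but attested route is kept.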

SLIDE 15

Wishes

Wish List (1): Isolation

  • Isolation of attacks
  • Scalable and reliable routing updates
  • Operate with mutually distrusting entities without a global single root of trust: enforceable accountability

[Figure: CMU, PSC, I2, L3, M and ADs D, C, A, B; label "Attacks (e.g., bad routes)"]

SLIDE 16

Wishes

Wish List (2): Balanced Control

  • Transit ISPs, source and destination all need path control

[Figure: CMU, PSC, I2, L3 and ADs D, C, A, B; label "Hide the peering link from CMU"]

SLIDE 17

Wishes

Wish List (3): Explicit Trust

  • Know who needs to be trusted
  • Absence of consistency in BGP prevents knowing exactly who needs to be trusted

[Figure: CMU, PSC, Level 3, I2, X, Y, Z, Internet; label "Who will forward packets on my path?"]

SLIDE 18

Goals

SCION Architectural Goals

  • High availability, even for networks with malicious parties
  • Explicit trust for network operations
  • Minimal TCB: limit number of entities that need to be trusted for any operation
    – Strong isolation from untrusted parties
  • Operate with mutually distrusting entities
    – No single root of trust
  • Enable route control for ISPs, receivers, senders
  • Simplicity, efficiency, flexibility, and scalability

SLIDE 19

Paths

Path Construction

Goal: each endpoint learns multiple verifiable paths to its core

  • Discovering paths via Path Construction Beacons (PCBs)
    • TD Core periodically initiates PCBs
    • Providers advertise upstream topology to peering and customer ADs
  • ADs perform the following operations
    • Collect PCBs
    • For each neighbor AD, select which k PCBs to forward
    • Update cryptographic information in PCBs
  • Endpoint AD will receive up to k PCBs from each upstream AD, and select k down-paths and up-paths
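
An added sketch of the PCB steps above, not code from the slides or from the SCION project: the core initiates a beacon, each AD extends it with a chained authenticator, and the endpoint keeps only k verified paths. The slides do not say what the cryptographic information is, so the HMAC chain, the per-AD keys, the shortest-first selection policy and all names here are assumptions standing in for per-AD signatures.

```python
import hashlib
import hmac

# Constructed per-AD keys. HMAC stands in for the per-AD signatures a real
# deployment would use; the chaining scheme itself is an assumption.
KEYS = {ad: hashlib.sha256(ad.encode()).digest() for ad in ("core", "A", "B", "C", "E")}

def _tag(ad, prev_tag, hops):
    """Authenticator binding this AD to the full hop list and the previous tag."""
    return hmac.new(KEYS[ad], "|".join(hops).encode() + prev_tag, hashlib.sha256).digest()

def initiate(core="core"):
    """TD core starts a PCB: a list of (AD, authenticator) entries."""
    return [(core, _tag(core, b"", [core]))]

def extend(pcb, ad):
    """An AD appends itself before forwarding the PCB downstream."""
    hops = [h for h, _ in pcb] + [ad]
    return pcb + [(ad, _tag(ad, pcb[-1][1], hops))]

def verify(pcb):
    """Recompute every authenticator; a dropped, added or reordered hop fails."""
    prev, hops = b"", []
    for ad, tag in pcb:
        hops.append(ad)
        if ad not in KEYS or not hmac.compare_digest(tag, _tag(ad, prev, hops)):
            return False
        prev = tag
    return bool(pcb)

def select_k(pcbs, k):
    """Keep verified PCBs only, then apply a policy (assumed: shortest first)."""
    return sorted((p for p in pcbs if verify(p)), key=len)[:k]

def demo(k=2):
    """Endpoint AD E receives PCBs over three upstream routes plus an altered one."""
    via_a = extend(extend(initiate(), "A"), "E")
    via_b = extend(extend(initiate(), "B"), "E")
    via_ac = extend(extend(extend(initiate(), "A"), "C"), "E")
    altered = [via_ac[0], via_ac[1], via_ac[3]]  # hop C stripped in transit
    chosen = select_k([altered, via_ac, via_a, via_b], k)
    return [[ad for ad, _ in p] for p in chosen]

if __name__ == "__main__":
    print(demo())
```

The altered beacon looks like a short path but fails verification, so it never reaches the selection step.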

SLIDE 20

Isolation

Trust Domain Decomposition

  • Global set of TD (Trust Domains)
    • Map to geographic, political, legal boundaries
  • TD Core: set of top-tier ISPs that manage TD
    • Route to other TDs
    • Initiate path construction beacons
    • Manage Address and Path Translation Servers
    • Handle TD membership
    • Root of trust for TD: manage root key and certificates
  • AD is atomic failure unit, contiguous/autonomous domain
    • Transit AD or endpoint AD

SLIDE 21

Isolation

Cross-TD Forwarding

[Figure: Source, Destination, two TD cores, Up-paths, Down-paths; labels "TD: isolation of route computation", "TD cores: interconnected large ISPs", "AD: atomic failure unit"]

SLIDE 22

Next-Gen Proposals

  • Not the only such project
  • 3 NSF-funded efforts
  • XIA (CMU and partners)
    • One goal: directly access content where it is most easily accessible (e.g., for vehicular network)
  • Named Data Networking (UCLA and partners)
    • Foci: Naming, trust management, congestion management, evaluation metrics
  • MobilityFirst
    • Mobile devices drive changes in service, trust, etc.

SLIDE 23

Take Away

  • The Internet has become a foundation for computing
  • But it assumes a benign environment that is not reality
  • A number of assumptions under which the Internet was designed are false

  • E.g., End-to-end assumption
  • Clean slate Next-Generation Internet designs
  • The future of the Internet may look very different
  • Now: Ad hoc services and trust
  • Future: Build these concepts in as first principles
  • We’ll see how it evolves
