[Paleopsych] New Scientist: How to mend a broken internet
checker at panix.com
Thu Jan 20 21:19:29 UTC 2005
How to mend a broken internet
New Scientist vol 184 issue 2473 - 13 November 2004, page 46
Can we patch what we've got, or is a total rethink needed? Danny
THE smart conference suite at Stanford University in California was
packed with the cream of the computing community. They were there,
earlier this year, to hear David Cheriton explain his vision of the
future of the internet. If Cheriton is to be believed, the wired world
we now know and rely on is on the brink of collapse. The internet, he
insists, is broken.
How can this be? Emails still get through. The web seems to work well
enough. Prophesies of doom might seem alarmist, even laughable. But
Cheriton, a professor of computing at Stanford, has played a leading
role in computer networking for the best part of 20 years, and the
networking community takes him seriously. Cheriton reckons that the
internet is dangerously insecure, and it's a verdict that few internet
experts would disagree with. What held the audience's rapt attention,
however, was Cheriton's radical solution to the problem.
"Look at the way things are going," he says. From phone networks to
banking, power distribution and air-traffic control systems, just
about every critical communication network will soon rely on the
internet. And that makes us all vulnerable. "Unless we do something
soon, the internet will become the largest target of attack on the
planet in terms of doing economic damage."
Hints of what may be in store are already emerging. Earlier this year,
criminal gangs held several gambling websites to ransom, threatening
to knock their servers off the web by flooding them with bogus
traffic. Denial of service attacks like these now happen almost every
week, and the internet's security monitoring organisation, CERT, has
had almost 320,000 reports of malicious attacks since it began
gathering statistics in 1988. Though police forces across the globe
have set up dedicated units to tackle cybercrime, the pace is
quickening, and more than a third of these attacks took place in 2003
The source of the problem is there for all to see. The internet was
created at a time when no one dreamed its users would be anything
other than benevolent. So it was designed to deliver its packets of
digital data in the most straightforward way possible, without any
thought of defeating spam, or defending its servers from malicious
hackers or viruses.
Even the Internet Engineering Task Force (IETF), the internet's
official guardian, acknowledges there are problems. But what should be
done about it is still hotly disputed. Karl Auerbach, a computer
engineer who has been involved with the internet since 1974, explains
the caution: "There's a lot about the current internet we don't
understand," he says. "You can bring down a net by trying to repair
Machines on the internet are attacked almost every week, and the pace
is quickening. Over 100,000 attacks occurred in 2003 alone
On top of the net's poor security, there are other concerns that many
internet experts consider equally pressing. Most high-tech
manufacturers foresee a future in which everything from your car to
your fridge will be connected to the net. The problem is how to give
them all a unique address that will identify them on the net. Like an
old telephone network in which the number of subscribers has outgrown
the pool of available phone numbers, the existing design of the
internet has too few addresses for all these devices.
The IETF's solution is a rewrite of the internet protocol (IP) on
which the net is founded. Called IPv6, the rewrite was proposed as
long ago as 1992 and it undeniably provides more numbers, or "IP
addresses": up from the 4.5 billion available today to a staggering
thousand billion billion billion billion. With IPv6, the IETF also
took the opportunity to defend the net against denial of service
attacks by adding new security features such as encrypted signatures
to authenticate packets of information and further encryption to
prevent the packets being tampered with. Since then, IPv6 has been the
Net's big chance to improve itself.
But there's one big problem with IPv6. Even now, 12 years after it was
introduced, most people are still not using it. And that highlights a
problem with re-engineering the net: the pace of change is dictated by
the most conservative users. Even when the people nominally in charge
have agreed on a change, they have to persuade everyone else to
switch. Upgrading to IPv6 means installing it on every part of the
net, and while most modern computers support the new protocol, just
one old machine on a route between two computers - be it a desktop PC,
or one of the computers along the way that steers packets of data to
their destination - will force the network to default to the old
To the dismay of IETF engineers, internet users are turning to an
alternative - and many would say clunky - solution to their problems.
Network Address Translation (NAT) is the most common, cheap fix to the
shortage of IP numbers. It is a way of hiding several computers behind
a single IP address. Think of it as like a telephone operator at a
company with several phones but only one line to the outside world.
Just as the operator switches calls to any number of internal
extensions, so the NAT machine diverts packets from the internet to
the computer that requested them. All traffic through these computers
goes to and from the net via a single IP address, but because the
internet uses packets rather than a continuous uninterrupted stream
like a phone call, the NAT machine can juggle the data for hundreds of
machines. It's a simple solution, with the advantage that no global
upgrade is required. If you are using a local area network or
broadband service to connect to the net, there's a good chance there's
NAT between you and the global internet.
The IETF hates NAT. What its engineers would like is for any computer
on the internet to be able to address a data packet to any other,
without the intervention of any machines on the way. That was the
original mission of the Internet engineers: and, for a brief period,
they achieved it. Then NAT came along and spoilt it. "NATs balkanise
the net," Auerbach says. Worse, by disguising the shortage of IP
addresses, NAT has slowed down the switch to IPv6. "With NAT in place,
there's no compelling reason for most users to switch."
This is where Cheriton disagrees with the IETF. Far from casting NAT
as the villain of the peace, he sees it as the internet's potential
saviour that will rescue us from what he says is the great IPv6 white
elephant. NAT and IPv6 have been around for about the same time, he
points out. "They both had their chance, but NAT has succeeded," he
says. "I'm a great believer in the survival of the fittest."
Controversially, he claims that NAT might do a better job of securing
the net against malicious attack than IPv6's encryption features.
"Encryption and authentication don't get you any safety," he says, as
they rely on keeping the encryption key secret. "As soon as that
secret is out - and all secrets leak in the end - the security
It is incredibly easy to fake the source of data sent across the
internet. Spammers and hackers do it all the time
Computers often receive unsolicited packets of information that
pretend to be from a trusted or familiar source but in fact come from
somewhere else. It is incredibly easy to fake the source of data in
this way. Spammers do it, and malicious hackers do it to cover their
NAT could be made to stand guard against these rogue packets, keeping
them out of local networks like a receptionist filtering calls,
Cheriton says. Machines behind a NAT can't be reached directly;
packets have to wait for the gatekeeping machine to explicitly permit
them to enter before they can get through. Getting rid of NATs would
make the net worse and more unstable, he argues.
His solution is to co-opt the NAT system to weed out rogue packets. He
wants to switch the NAT boxes from being enemy number one to the net's
best citizen. Cheriton laid out his vision in an experimental
networking project called TRIAD (or, in full, Translating Relaying
Internetwork Architecture integrating Active Directories).
While IPv6 makes machines that are now hidden behind NATs visible to
the internet at large, Cheriton's system goes one better. Unlike
today's IP addresses, TRIAD data packets will have addresses that are
hierarchical, like postal addresses: for example, "Fred's Machine, c/o
the Stanford NAT". You can string theses addresses together, so if
you're Danny, say, and you're behind a NAT at New Scientist, a data
packet from you to Fred carries the address "Fred, c/o the Stanford
NAT box, c/o New Scientist NAT box/ from Danny". In this way, TRIAD
allows computers behind NATs to become fully connected: they are as
reachable as any other computer on the network. And because the
addresses can be as long as you like, there is no limit to the maximum
number of machines you can connect on the net. Number shortage solved.
Openness is key
But how do you find out what address to use to reach the destination
you want? Under the existing internet system, a network of computers
called domain name servers (DNSs) hold tables that translate addresses
such as www.newscientist.com into IP addresses of the form
22.214.171.124, which are what the machines that route data round the
net currently understand.
TRIAD will do away with DNS machines, and give NAT boxes the job of
finding an address. The NAT boxes will talk amongst themselves like
neighbourhood gossips to discover who is looking after a particular
name. But crucially for Cheriton's idea of making the system secure,
they will also share information about rogue data packets.
Cheriton likens TRIAD to the way the air traffic control system works.
When an aircraft is given an instruction, it can be heard by all the
other pilots in the area. If a pilot receives a command that conflicts
with previous orders given to other pilots, then they will refuse that
order and other pilots will immediately know that the controller is
making errors, or maybe even acting maliciously. Openness is the key.
In the TRIAD world, say a terrorist wants to use a computer to pretend
to be a machine that is authorised to close down a power station. The
terrorist's machine would have to announce that it belonged to the
power station's network to all the local TRIAD servers - including the
one run by the power station. Such announcements would travel across
the net in a matter of seconds, Cheriton says. The real power station
servers could then quickly put out a message - using one of the old
routes that they know from experience they can trust - telling the
world to ignore the impostor.
So instead of being the silent Balkanisers of the net, NAT boxes would
become its chattiest and most dutiful citizens - a kind of online
neighbourhood watch. Almost all the work of running the net would fall
But what about the spoof packets that disguise their true origin?
While today it is easy for a sender to fake a data packet's address,
in TRIAD all packets are traceable. Each packet must carry the
addresses of every machine it visits on route through the network. So
packets from Transylvania will have "c/o Transylvanian NAT" on them.
If a machine from the Transylvania NAT is suspect, every intermediary
NAT in the network can be told to ignore packets winging in from
Transylvania. Cheriton claims this will give the network an automatic
ability to contain denial of service attacks almost instantly.
Many internet engineers see Cheriton as a maverick. And as he himself
acknowledges, "there are a lot of wild crazies out there with ways to
replace the net". But not many of them have his track record. His
hunches on the future of networking, though often controversial at
first, have usually proved right. In the late 1980s, when many in the
networking world were abandoning the internet's TCP/IP system for a
competing standard called Open Systems Interconnection (OSI), it was
Cheriton who said that OSI was doomed to fail. Later, when telephone
companies suggested that the internet's hardware would be rendered
obsolete by a more telephone-friendly system called ATM, Cheriton
declaimed against that, too - and started his own company, Granite,
producing a new generation of high-speed internet hardware. That made
him his first fortune, when he sold the company to internet hardware
manufacturer Cisco. Five years ago, two students turned up at his
house asking for seed money to start a company based on their PhD
theses: Cheriton spotted the potential and wrote Larry Page and Sergey
Brin their first investor's cheque. Their bright idea became Google,
and when the company went public this year The Washington Post
estimated Cheriton's stake at more than $300 million.
But re-engineering the internet will require more than the say-so of
one man, no matter how impressive his credentials. What's more, TRIAD
has its own problems. If the comparatively conservative IPv6 project
ultimately fails because it requires so many potentially dangerous
changes to the net, isn't the more radical TRIAD even more dangerous?
Nearly three years since Cheriton began working on TRIAD, the
organisations responsible for defining standards on the net continue
to support IPv6, and have paid little attention to his warnings. But
the idea is far from dead. Research papers that adopt many of
Cheriton's ideas are appearing in computing journals. IPv6 still isn't
here. And the NAT keeps spreading.
"I'm an old guy," says Cheriton. "I remember back in 1980, when the
phone companies thought they had the solution to everything, and the
Internet engineers were the young Turks. Now, we're the ones who have
While Cheriton acknowledges that his plan for TRIAD as it stands might
never make it out of the labs, he believes that his ideas about NATS
will win out over IPv6 in the end. He's banking that his students will
go out into the world and propagate them. That's a long shot, but then
again so were many of Cheriton's other high-tech gambles.
Danny O'Brien is a technology writer in San Jose
More information about the paleopsych