Tuesday, February 19, 2008

Student matters...

I'm always glad to read a student discussion about the meaning of life. You can truly hear all sorts of things there; there is some truth in it, but, just as with our journalists, there are also quite a few distorted, or better said "adapted", statements made to fit the needs of the current discussion. It is no accident that our journalism is in the state it is in...

But, to return to the discussion about the meaning of life. So, just like in every other such discussion, things are discussed about which only a fraction of the facts is known, while the rest remains hidden. What exactly do I mean by that sentence? Well, it is best illustrated by the following little picture:
The smallest circle represents the area that concerns students. The next circle represents the scope of an individual department, then comes the faculty and finally, the university. The picture is not perfect, but it will serve as an illustration. So, the discussion students have about courses and teaching is a discussion about the intersection of the first two circles. As can be seen, a limited area is being discussed, since the smaller circle has no view of everything the larger circle contains. Honestly, when I personally discuss the university (even the faculty), I always keep two facts in mind:
  1. I am aware that I am discussing my own personal problems, that is, what bothers me, but that doesn't mean those are everyone's problems, and
  2. The university is a large and complex system about which I know nothing, except a little from my own experience.
To conclude, in any discussion one should be aware that we do not see the whole truth, and therefore one must not be categorical in one's statements, and especially not hand out advice that is unfeasible or simply has nothing to do with the truth. Problems are everywhere, starting from primary and secondary schools, faculties, universities, all the way to the ministry and the state. An extremely complex circle whose solution requires time (I think it can be measured in decades), money, planning and will. Unfortunately, there is hardly any of that. Therefore, discussing small fragments of the whole story, which are mostly consequences, will change nothing because the causes remain.

Friday, February 8, 2008

New Internet architecture, my take at it no. 1

Reading all those papers about new Internet architecture simply doesn't give me peace. What is the solution? Probably it is a simple one in concept, though, as always, the devil is in the details. Look at the Internet now. When it was first proposed to use packet switching it looked like a lunatics' idea, and now it's so normal we don't even think about it and take it for granted. So, it's a strange feeling that I'm probably looking at and thinking about the solution but I'm not aware of it.

So, let me make try number one!

What about making the Internet in an onion layered style? The innermost layer, the 0th layer, forms the core and makes up the most trusted and protected part of the network. It is not possible for outer layers to access anything inside the inner layers (here we could maybe take inspiration from Bell-LaPadula and similar models?). The infrastructure of the Tier 1 NSPs could form this 0th layer. The N-th network layer offers transportation services to the (N-1)-th layer. This model would protect inner layers from the outer layers, as outer layers would have no access to inner layers of the network. Something similar is already done with MPLS. But MPLS is deployed inside an autonomous system, not as a global concept.

There could be several layers corresponding to current Tier 1, 2 and 3 ISPs. Each layer with more and more participants, and accordingly, more and more untrustworthy. Lower layers could form some kind of isolation layer between all the participants and thus protect them from configuration errors. Or malicious attacks. Note that this could be problematic, as it means that lower layers not only encapsulate higher layers, but also inspect them, or assemble and disassemble them. It could be hard to do, so it's questionable whether and how this is achievable.

Each layer could use its own communication protocol, the one most suited for the purpose and environment it works in. For example, in the core layer there is a necessity for fast switching, as huge speeds with extremely low loss rates could be expected in the years to come, so packet formats best adjusted to that purpose should be used. Probably the outer, user, layers would need to have more features, for example quality of service, access decisions and the like. Furthermore, maybe a lossy network is used, e.g. a wireless network, so some additional features are necessary.

Communication of requests to lower layers could be done within the format of the packets, as ATM did, where its cells had a different format when entering the network and inside the network, the so-called UNI and NNI.

We could further envision the (N-1)th layer of the onion for content distribution. This layer's task could be to distribute content using services from the (N-2)th layer. Content could be anything you can think of, e.g. different documents (OpenOffice, PDF), video, audio, Web pages, mails, even key strokes and events for remote work and gaming. Those are very different in nature, with probably many more yet to be invented, so this layer should be extensible. It could take care of access decisions and the like. Note that the content layer doesn't work with parts of the objects, but with whole ones. So, if a user requests a movie, this movie is completely transferred to the content network responsible for the user at its current location.

This could make servers less susceptible to attacks as they wouldn't be directly visible to the users!

Finally, the Nth layer could be a user layer. In this layer the user connects to the network and requests or sends content addressed by a variety of means. For example, someone could request a particular newspaper's article from a particular date. The content network would search for the nearest copy of this content, and use the core network to transfer the object to the user. Someone else could request a particular film, and the content network would search for it and present it to the user.

Just as a note, I watched VJ's lecture at Google and this is on the track of what he proposes.

Tuesday, February 5, 2008

DDoS attacks, Internet, new Internet and POTS...

I was just thinking about the many initiatives (e.g. GENI) to design the Internet from scratch! It certainly requires us to break out from the current way of thinking, which has been with us for about 40 years now, and to find and propose something new. A good example of such a breakthrough was the Internet itself, i.e. the concept of a packet switched network. As a side note, Van Jacobson has an idea of how this new thing might look, and I recommend the reader find the lecture he held at Google on Google Videos.

While thinking about what this "new" thing is, I took DDoS attacks as an example. There are no DDoS attacks in POTS, and they are a big problem for the Internet. So, how should this new mechanism work in order to prevent DDoS attacks? The key point of a DDoS attack (or more generally, a DoS attack) is that there are finite resources that are consumed by the attacker and thus regular users cannot access those resources; they are denied service.

And, while I was thinking about it, I actually realised that there is a DDoS attack possibility in POTS as well, as there are also finite resources. Ok, ok, I know, I managed to reinvent the wheel, but hey, I'm happy with it. :) So, if it is possible, why are there no DoS attacks in telephony? The key point is that end devices in POTS are dumb and thus not remotely controllable. If they were remotely controllable, then the attacker would be able to gain access to them and use a huge number of those devices to mount an attack on a selected victim. Maybe this attack would be even more effective than the one on the Internet, since resources taken by end devices are not shared even when the end devices don't use them.

It turns out that the DDoS attack is actually a consequence of giving more power to the user via more capable end devices. Furthermore, because those end devices are complex systems, it's inevitable that there will be many ways of breaking in and controlling them.

Of course, someone might argue that the problem is the ease with which IP packets can be spoofed. But this is actually easily solvable, at least in theory, if each ISP would check its access network for spoofed addresses. The more serious problem is actually a DoS attack made with legitimate IP packets. It is traceable if it comes from a single source, or a small number of sources, but the real problem is a network of compromised hosts (a botnet). There is no defence from those networks, as they look like legitimate users.
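As an added illustration (not the post's own code) of the two halves of this argument: the access-network source-address check the post calls easy in theory, and botnet traffic from compromised customers that passes it unchanged. The prefixes, addresses and the flood are constructed samples; the filter follows the ingress-filtering idea the post describes (the approach documented as BCP 38).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: the customer prefixes this ISP assigns on its access network.
ASSIGNED_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
VICTIM = "192.0.2.10"  # constructed victim address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def source_is_valid(pkt, prefixes=ASSIGNED_PREFIXES):
    """Source-address validation at the access edge: a packet leaving the
    customer side is forwarded only if its source address was assigned
    there; any other source is spoofed and dropped (the BCP 38 idea)."""
    src = ip_address(pkt.src)
    return any(src in net for net in prefixes)

def filter_traffic(packets):
    """Apply the edge filter; returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if source_is_valid(p) else dropped).append(p)
    return forwarded, dropped

def per_source_counts(packets):
    """What the victim sees: requests per source address."""
    counts = {}
    for p in packets:
        counts[p.src] = counts.get(p.src, 0) + 1
    return counts

# Constructed sample: four packets seen at the access router.
SAMPLE = [
    Packet("203.0.113.7", VICTIM, 80),      # ordinary customer, real address
    Packet("10.0.0.1", VICTIM, 80),         # spoofed: never assigned here
    Packet("198.51.100.200", VICTIM, 80),   # spoofed: outside the assigned /25
    Packet("203.0.113.42", VICTIM, 80),     # compromised customer, real address
]

def constructed_botnet_flood(n_hosts=50, per_host=3):
    """Constructed flood: n compromised customer hosts, each sending a few
    requests from its real address. Every packet passes the edge filter and
    no single source stands out, which is the post's point about botnets."""
    hosts = list(ASSIGNED_PREFIXES[0].hosts())[:n_hosts]
    return [Packet(str(h), VICTIM, 80) for h in hosts for _ in range(per_host)]
```

The spoofed packets are the only ones the edge filter removes; the flood's 150 packets all carry assigned source addresses and arrive at the victim as 50 sources with three requests each.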

So, because we are limited by the real world and we'll always have only finite resources at our disposal, it turns out that the only way of getting rid of DDoS is to restrict end devices, which by itself is impossible. Now, this is thinking within the current framework. But what if we could make a finite resource apparently infinite, or somehow restrict end devices... This is something for further thinking...

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)