THE smart conference suite at Stanford University in California was packed with the cream of the computing community. They were there, earlier this year, to hear David Cheriton explain his vision of the future of the internet. If Cheriton is to be believed, the wired world we now know and rely on is on the brink of collapse. The internet, he insists, is broken.
How can this be? Emails still get through. The web seems to work well enough. Prophesies of doom might seem alarmist, even laughable. But Cheriton, a professor of computing at Stanford, has played a leading role in computer networking for the best part of 20 years, and the networking community takes him seriously. Cheriton reckons that the internet is dangerously insecure, and it鈥檚 a verdict that few internet experts would disagree with. What held the audience鈥檚 rapt attention, however, was Cheriton鈥檚 radical solution to the problem.
鈥淟ook at the way things are going,鈥 he says. From phone networks to banking, power distribution and air-traffic control systems, just about every critical communication network will soon rely on the internet. And that makes us all vulnerable. 鈥淯nless we do something soon, the internet will become the largest target of attack on the planet in terms of doing economic damage.鈥
Advertisement
Hints of what may be in store are already emerging. Earlier this year, criminal gangs held several gambling websites to ransom, threatening to knock their servers off the web by flooding them with bogus traffic. Denial of service attacks like these now happen almost every week, and the internet鈥檚 security monitoring organisation, CERT, has had almost 320,000 reports of malicious attacks since it began gathering statistics in 1988. Though police forces across the globe have set up dedicated units to tackle cybercrime, the pace is quickening, and more than a third of these attacks took place in 2003 (see Graph).
The source of the problem is there for all to see. The internet was created at a time when no one dreamed its users would be anything other than benevolent. So it was designed to deliver its packets of digital data in the most straightforward way possible, without any thought of defeating spam, or defending its servers from malicious hackers or viruses.
Even the Internet Engineering Task Force (IETF), the internet鈥檚 official guardian, acknowledges there are problems. But what should be done about it is still hotly disputed. Karl Auerbach, a computer engineer who has been involved with the internet since 1974, explains the caution: 鈥淭here鈥檚 a lot about the current internet we don鈥檛 understand,鈥 he says. 鈥淵ou can bring down a net by trying to repair it.鈥
鈥淢achines on the internet are attacked almost every week, and the pace is quickening. Over 100,000 attacks occurred in 2003 alone鈥
On top of the net鈥檚 poor security, there are other concerns that many internet experts consider equally pressing. Most high-tech manufacturers foresee a future in which everything from your car to your fridge will be connected to the net. The problem is how to give them all a unique address that will identify them on the net. Like an old telephone network in which the number of subscribers has outgrown the pool of available phone numbers, the existing design of the internet has too few addresses for all these devices.
The IETF鈥檚 solution is a rewrite of the internet protocol (IP) on which the net is founded. Called IPv6, the rewrite was proposed as long ago as 1992 and it undeniably provides more numbers, or 鈥淚P addresses鈥: up from the 4.5 billion available today to a staggering thousand billion billion billion billion. With IPv6, the IETF also took the opportunity to defend the net against denial of service attacks by adding new security features such as encrypted signatures to authenticate packets of information and further encryption to prevent the packets being tampered with. Since then, IPv6 has been the Net鈥檚 big chance to improve itself.
But there鈥檚 one big problem with IPv6. Even now, 12 years after it was introduced, most people are still not using it. And that highlights a problem with re-engineering the net: the pace of change is dictated by the most conservative users. Even when the people nominally in charge have agreed on a change, they have to persuade everyone else to switch. Upgrading to IPv6 means installing it on every part of the net, and while most modern computers support the new protocol, just one old machine on a route between two computers 鈥 be it a desktop PC, or one of the computers along the way that steers packets of data to their destination 鈥 will force the network to default to the old system.
To the dismay of IETF engineers, internet users are turning to an alternative 鈥 and many would say clunky 鈥 solution to their problems. Network Address Translation (NAT) is the most common, cheap fix to the shortage of IP numbers. It is a way of hiding several computers behind a single IP address. Think of it as like a telephone operator at a company with several phones but only one line to the outside world. Just as the operator switches calls to any number of internal extensions, so the NAT machine diverts packets from the internet to the computer that requested them. All traffic through these computers goes to and from the net via a single IP address, but because the internet uses packets rather than a continuous uninterrupted stream like a phone call, the NAT machine can juggle the data for hundreds of machines. It鈥檚 a simple solution, with the advantage that no global upgrade is required. If you are using a local area network or broadband service to connect to the net, there鈥檚 a good chance there鈥檚 NAT between you and the global internet.
The IETF hates NAT. What its engineers would like is for any computer on the internet to be able to address a data packet to any other, without the intervention of any machines on the way. That was the original mission of the Internet engineers: and, for a brief period, they achieved it. Then NAT came along and spoilt it. 鈥淣ATs balkanise the net,鈥 Auerbach says. Worse, by disguising the shortage of IP addresses, NAT has slowed down the switch to IPv6. 鈥淲ith NAT in place, there鈥檚 no compelling reason for most users to switch.鈥
This is where Cheriton disagrees with the IETF. Far from casting NAT as the villain of the peace, he sees it as the internet鈥檚 potential saviour that will rescue us from what he says is the great IPv6 white elephant. NAT and IPv6 have been around for about the same time, he points out. 鈥淭hey both had their chance, but NAT has succeeded,鈥 he says. 鈥淚鈥檓 a great believer in the survival of the fittest.鈥
Controversially, he claims that NAT might do a better job of securing the net against malicious attack than IPv6鈥檚 encryption features. 鈥淓ncryption and authentication don鈥檛 get you any safety,鈥 he says, as they rely on keeping the encryption key secret. 鈥淎s soon as that secret is out 鈥 and all secrets leak in the end 鈥 the security vanishes.鈥
鈥淚t is incredibly easy to fake the source of data sent across the internet. Spammers and hackers do it all the time鈥
Computers often receive unsolicited packets of information that pretend to be from a trusted or familiar source but in fact come from somewhere else. It is incredibly easy to fake the source of data in this way. Spammers do it, and malicious hackers do it to cover their tracks.
NAT could be made to stand guard against these rogue packets, keeping them out of local networks like a receptionist filtering calls, Cheriton says. Machines behind a NAT can鈥檛 be reached directly; packets have to wait for the gatekeeping machine to explicitly permit them to enter before they can get through. Getting rid of NATs would make the net worse and more unstable, he argues.
His solution is to co-opt the NAT system to weed out rogue packets. He wants to switch the NAT boxes from being enemy number one to the net鈥檚 best citizen. Cheriton laid out his vision in an experimental networking project called TRIAD (or, in full, Translating Relaying Internetwork Architecture integrating Active Directories).
While IPv6 makes machines that are now hidden behind NATs visible to the internet at large, Cheriton鈥檚 system goes one better. Unlike today鈥檚 IP addresses, TRIAD data packets will have addresses that are hierarchical, like postal addresses: for example, 鈥淔red鈥檚 Machine, c/o the Stanford NAT鈥. You can string theses addresses together, so if you鈥檙e Danny, say, and you鈥檙e behind a NAT at New 杏吧原创, a data packet from you to Fred carries the address 鈥淔red, c/o the Stanford NAT box, c/o New 杏吧原创 NAT box/ from Danny鈥. In this way, TRIAD allows computers behind NATs to become fully connected: they are as reachable as any other computer on the network. And because the addresses can be as long as you like, there is no limit to the maximum number of machines you can connect on the net. Number shortage solved.
Openness is key
But how do you find out what address to use to reach the destination you want? Under the existing internet system, a network of computers called domain name servers (DNSs) hold tables that translate addresses such as www.newscientist.com into IP addresses of the form 194.203.155.123, which are what the machines that route data round the net currently understand.
TRIAD will do away with DNS machines, and give NAT boxes the job of finding an address. The NAT boxes will talk amongst themselves like neighbourhood gossips to discover who is looking after a particular name. But crucially for Cheriton鈥檚 idea of making the system secure, they will also share information about rogue data packets.
Cheriton likens TRIAD to the way the air traffic control system works. When an aircraft is given an instruction, it can be heard by all the other pilots in the area. If a pilot receives a command that conflicts with previous orders given to other pilots, then they will refuse that order and other pilots will immediately know that the controller is making errors, or maybe even acting maliciously. Openness is the key.
In the TRIAD world, say a terrorist wants to use a computer to pretend to be a machine that is authorised to close down a power station. The terrorist鈥檚 machine would have to announce that it belonged to the power station鈥檚 network to all the local TRIAD servers 鈥 including the one run by the power station. Such announcements would travel across the net in a matter of seconds, Cheriton says. The real power station servers could then quickly put out a message 鈥 using one of the old routes that they know from experience they can trust 鈥 telling the world to ignore the impostor.
So instead of being the silent Balkanisers of the net, NAT boxes would become its chattiest and most dutiful citizens 鈥 a kind of online neighbourhood watch. Almost all the work of running the net would fall to them.
But what about the spoof packets that disguise their true origin? While today it is easy for a sender to fake a data packet鈥檚 address, in TRIAD all packets are traceable. Each packet must carry the addresses of every machine it visits on route through the network. So packets from Transylvania will have 鈥渃/o Transylvanian NAT鈥 on them. If a machine from the Transylvania NAT is suspect, every intermediary NAT in the network can be told to ignore packets winging in from Transylvania. Cheriton claims this will give the network an automatic ability to contain denial of service attacks almost instantly.
Many internet engineers see Cheriton as a maverick. And as he himself acknowledges, 鈥渢here are a lot of wild crazies out there with ways to replace the net鈥. But not many of them have his track record. His hunches on the future of networking, though often controversial at first, have usually proved right. In the late 1980s, when many in the networking world were abandoning the internet鈥檚 TCP/IP system for a competing standard called Open Systems Interconnection (OSI), it was Cheriton who said that OSI was doomed to fail. Later, when telephone companies suggested that the internet鈥檚 hardware would be rendered obsolete by a more telephone-friendly system called ATM, Cheriton declaimed against that, too 鈥 and started his own company, Granite, producing a new generation of high-speed internet hardware. That made him his first fortune, when he sold the company to internet hardware manufacturer Cisco. Five years ago, two students turned up at his house asking for seed money to start a company based on their PhD theses: Cheriton spotted the potential and wrote Larry Page and Sergey Brin their first investor鈥檚 cheque. Their bright idea became Google, and when the company went public this year The Washington Post estimated Cheriton鈥檚 stake at more than $300 million.
But re-engineering the internet will require more than the say-so of one man, no matter how impressive his credentials. What鈥檚 more, TRIAD has its own problems. If the comparatively conservative IPv6 project ultimately fails because it requires so many potentially dangerous changes to the net, isn鈥檛 the more radical TRIAD even more dangerous? Nearly three years since Cheriton began working on TRIAD, the organisations responsible for defining standards on the net continue to support IPv6, and have paid little attention to his warnings. But the idea is far from dead. Research papers that adopt many of Cheriton鈥檚 ideas are appearing in computing journals. IPv6 still isn鈥檛 here. And the NAT keeps spreading.
鈥淚鈥檓 an old guy,鈥 says Cheriton. 鈥淚 remember back in 1980, when the phone companies thought they had the solution to everything, and the Internet engineers were the young Turks. Now, we鈥檙e the ones who have become ossified.鈥
While Cheriton acknowledges that his plan for TRIAD as it stands might never make it out of the labs, he believes that his ideas about NATS will win out over IPv6 in the end. He鈥檚 banking that his students will go out into the world and propagate them. That鈥檚 a long shot, but then again so were many of Cheriton鈥檚 other high-tech gambles.
