Home / Blogs

Extreme Vulnerability at the Edge of the Internet - A Fresh New Universal Human-Rights Problem

Paul Vixie

By design, the Internet core is stupid, and the edge is smart. This design decision has enabled the Internet's wildcat growth, since without complexity the core can grow at the speed of demand. On the downside, the decision to put all smartness at the edge means we're at the mercy of scale when it comes to the quality of the Internet's aggregate traffic load. Not all device and software builders have the skills — and the quality assurance budgets — that something the size of the Internet deserves. Furthermore, the resiliency of the Internet means that a device or program that gets something importantly wrong about Internet communication stands a pretty good chance of working "well enough" in spite of its failings.

Witness the hundreds of millions of CPE (customer-premises equipment) boxes with literally too much memory for buffering packets. As Jim Gettys and Dave Taht have been demonstrating in recent years, more is not better when it comes to packet memory. Wireless networks in homes and coffee shops and businesses all degrade shockingly when the traffic load increases. Rather than the "fair-share" scheduling we expect, where N network flows will each get roughly 1/Nth of the available bandwidth, network flows end up in quicksand where they each get 1/N² of the available bandwidth. This isn't because CPE designers are incompetent; rather, it's because the Internet is a big place with a lot of subtle interactions that depend on every device and software designer having the same — largely undocumented — assumptions.
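To make the "more packet memory is not better" point concrete, here is an added toy simulation (not from Vixie's article or the ACM paper it summarises) of one tail-drop FIFO in front of a saturated link: the deep buffer delivers exactly the same number of packets per tick as the shallow one, but holds every packet far longer, which is the latency collapse the paragraph describes. Link rate, offered load and buffer depths are constructed values.

```python
"""Constructed bufferbloat demonstration: one FIFO, one bottleneck link."""
from collections import deque


def simulate(buffer_pkts, link_rate, offered_load, ticks=2000):
    """Run a discrete-time bottleneck.

    Each tick, `offered_load` packets arrive (tail-dropped once the FIFO
    holds `buffer_pkts`), then the link drains up to `link_rate` packets.
    Returns (goodput in pkts/tick, mean queueing delay in ticks, drop fraction).
    """
    queue = deque()  # arrival tick of each buffered packet, oldest first
    delivered = dropped = total_delay = 0
    for t in range(ticks):
        for _ in range(offered_load):        # arrivals, tail-drop when full
            if len(queue) < buffer_pkts:
                queue.append(t)
            else:
                dropped += 1
        for _ in range(link_rate):           # service at the link rate
            if not queue:
                break
            total_delay += t - queue.popleft()
            delivered += 1
    mean_delay = total_delay / delivered if delivered else 0.0
    return delivered / ticks, mean_delay, dropped / (offered_load * ticks)


def compare_buffers(shallow=20, bloated=2000, link_rate=10, offered_load=12):
    """Same overloaded link (12 in, 10 out per tick) with two buffer depths."""
    return {
        name: simulate(depth, link_rate, offered_load)
        for name, depth in (("shallow", shallow), ("bloated", bloated))
    }


if __name__ == "__main__":
    for name, (goodput, delay, drops) in compare_buffers().items():
        print(f"{name:8s} goodput={goodput:5.1f} pkt/tick "
              f"mean_delay={delay:7.1f} ticks  drops={drops:.3f}")
```

The bloated buffer "wins" only on the drop counter; throughput is capped by the link either way, and the extra memory is paid for entirely in delay, which is what TCP's loss-based congestion control cannot see until the buffer is already full.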

Witness the endless stream of patches and vulnerability announcements from the vendors of literally every smartphone, laptop, or desktop operating system and application. Bad guys have the time, skills, and motivation to study edge devices for weaknesses, and they are finding as many weaknesses as they need to inject malicious code into our precious devices where they can then copy our data, modify our installed software, spy on us, and steal our identities — 113 years of science fiction has not begun to prepare us for how vulnerable we and our livelihoods are, now that everyone is online. Since the adversaries of freedom and privacy now include nation-states, the extreme vulnerability of edge devices and their software is a fresh new universal human-rights problem for the whole world.

Read the full version of this article published on ACM: The Edge of the Internet Is an Unruly Place

By Paul Vixie, CEO, Farsight Security

Related material – The Famous Brett Watson – Feb 18, 2014 10:03 AM PDT

It took me a while, but I'm glad I got around to reading the article. It makes a refreshing change from the usual policy-centric stuff on CircleID, which has worn rather thin over the years.

It's not the first time I've mentioned it, but my PhD thesis [Google books, PDF download] is closely related to the content of this article. If you can spare the time, Paul, I'd invite you to look at chapters 2, 3, 4 and 7 (particularly 7.3), which form a fairly readable subset of the whole.

The key suggestion in section 7.3 is that it may be possible to work towards a protocol layer that more or less solves the SAV problem, then build applications on top of that layer, rather than trying to fix attack vectors on a protocol by protocol basis.
