Richard Rumelt, in his excellent blog "Strategy Land", wrote a post, "We Need to Rebuild the Internet", in which he asserts that "anonymity is a design flaw in the Internet". I agree that anonymity is a significant problem, but its causes lie in deeper design decisions, and those decisions also shape how, and whether, we can resolve problems like spam and the vulnerability of the Internet backbone (and thus of every person, organization and state relying on it) to cyberattacks.
NAT
In my view, the anonymity problem arises from the coupling of two things: the Internet's design assumption of identity-based trust in its core protocols (BGP accepts the routes its peers announce, and SMTP accepts the sender a mail server claims, neither with any cryptographic verification), and the widespread adoption of Network Address Translation (NAT) in the 1990s. That decade saw explosive growth in Internet access that threatened to exhaust the supply of unique IPv4 addresses. Early in the decade it became clear that this expansion was coming and that the Internet, if it kept the existing addressing scheme, could not support it. The stopgap that was adopted was NAT: a router rewrites the private source address (and port) of each outbound connection to one shared public address, so that a home or an enterprise, and later, as carrier-grade NAT, an ISP's whole customer base, can reach the Internet through far fewer public addresses than there are endpoints. The price was anonymity: the destination sees only the shared public address, and the only record tying a connection back to a particular endpoint is the translation table inside the NAT device. In some ways this was indeed an elegant solution, but its designers meant it as a short-term fix to a big problem. They knew that it broke the end-to-end model, in which every host is uniquely addressable, on which the Internet's assumptions of trust and identity rest.
Twenty years later, ubiquitous NAT has created an environment in which people willing to break the law for financial gain or other malicious ends operate with impunity behind a shield of anonymity. This is the ultimate cause of the spam in your inbox; of the anti-virus software you run; of the bandwidth wasted carrying spam and malware to your workplace only to be deleted (hopefully) on receipt; of the multiple, expensive prevention systems your workplace buys instead of funding the projects that would further its objectives; and, perhaps most worrying, of the vulnerability of our communities and states to devastating cyberattacks.
IPv6
With change comes opportunity! IPv6, the successor addressing scheme (first specified in 1995, so only "sort of" new), has an address space large enough to give every endpoint its own globally unique address, which removes the shortage that gave rise to NAT. NAT, however, is now embedded in firewalls, routers and switches everywhere. The coming transition from IPv4 to IPv6 could eliminate NAT on the Internet, and with it endpoint anonymity, provided that networks actually assign hosts globally routable addresses rather than carrying address translation forward into IPv6 (NPTv6, RFC 6296, is one such carry-forward). An address is still not an identity: a source address can be forged in any protocol that does not verify it, and IPv6 hosts may use temporary privacy addresses (RFC 4941) that change over time. What IPv6 removes is the address sharing that makes many endpoints indistinguishable to the rest of the Internet. Eliminating that anonymity would expose script kiddies and other unsophisticated cybercriminals while raising the cost of entry for the more motivated.
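The translation described in the NAT section, and the contrast with IPv6 end-to-end addressing above, as an added example that is not part of the original post: a toy port-overloading NAT in Python. Two inside hosts with constructed RFC 1918 addresses send SMTP to a server through one public address; the server's log shows only the shared address, and attributing a logged connection back to a host requires the NAT's own table. The same two hosts with their own IPv6 addresses are distinguishable in the server log without any help from the middlebox. The addresses (documentation ranges), ports, and the `MAIL FROM` lines are all constructed for the demonstration.

```python
"""Toy port-overloading NAT (NAPT) beside end-to-end addressing.

Added example; not code from the original post. All addresses (RFC 1918,
RFC 5737 and RFC 3849 documentation ranges), the translation table and
the 'server log' are constructed for the demonstration.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class Napt:
    """Port-overloading NAT, as in a home router or a carrier-grade NAT.

    Every outbound flow is rewritten to the one public address with a
    freshly allocated public port. The only record tying a public
    (ip, port) back to the inside host is the table kept here, which the
    remote server never sees.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.outbound = {}  # (inside_ip, inside_port) -> (public_ip, public_port)
        self.inbound = {}   # (public_ip, public_port) -> (inside_ip, inside_port)

    def translate_out(self, pkt):
        """Rewrite the source of an outbound packet to the shared public address."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            mapping = (self.public_ip, next(self._ports))
            self.outbound[key] = mapping
            self.inbound[mapping] = key
        pub_ip, pub_port = self.outbound[key]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_in(self, pkt):
        """Reverse the mapping for a reply; drop anything with no mapping."""
        key = (pkt.dst_ip, pkt.dst_port)
        if key not in self.inbound:
            return None  # unsolicited inbound traffic (or a scan) is discarded
        inside_ip, inside_port = self.inbound[key]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.payload)


def server_view(packets):
    """What the remote server can log: the source address on the wire."""
    return [(p.src_ip, p.src_port, p.payload) for p in packets]


def attribute(nat, public_ip, public_port):
    """Map a logged public (ip, port) back to an inside host. Only the NAT
    operator can do this, and only while the mapping (or a log of it) exists."""
    return nat.inbound[(public_ip, public_port)][0]


def demo():
    """Two inside hosts send SMTP to the same server, first through NAT, then
    with their own IPv6 addresses. Returns (nat, ipv4_log, ipv6_log)."""
    nat = Napt("203.0.113.7")
    smtp_server_v4 = "198.51.100.25"
    # Both hosts happen to pick the same source port, so the NAT must
    # allocate distinct public ports to keep the flows apart.
    alice = Packet("192.168.1.10", 51000, smtp_server_v4, 25, "MAIL FROM:<alice@example.net>")
    # Host .11 asserts a sender it does not own; SMTP takes the claim on trust.
    mallory = Packet("192.168.1.11", 51000, smtp_server_v4, 25, "MAIL FROM:<ceo@example.com>")
    ipv4_log = server_view([nat.translate_out(alice), nat.translate_out(mallory)])

    smtp_server_v6 = "2001:db8:ffff::25"
    alice6 = Packet("2001:db8:1::10", 51000, smtp_server_v6, 25, alice.payload)
    mallory6 = Packet("2001:db8:1::11", 51000, smtp_server_v6, 25, mallory.payload)
    ipv6_log = server_view([alice6, mallory6])
    return nat, ipv4_log, ipv6_log


if __name__ == "__main__":
    nat, v4, v6 = demo()
    for entry in v4:
        print("IPv4 via NAT:", entry)
    for entry in v6:
        print("IPv6, no NAT:", entry)
    print("attribution of", v4[1][:2], "->", attribute(nat, *v4[1][:2]))
```

The `attribute` function is the point: it works only while the NAT holds (or has logged) the mapping, which is why carrier-grade NAT operators have to log mappings with timestamps to answer abuse reports at all, and why the server's own log is useless for attribution on its own. `translate_in` also shows the incidental side effect that entangled NAT with firewalls: unsolicited inbound packets have no mapping and are dropped.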
Learn More
For a detailed explanation of NAT, read this 2004 article by Geoff Huston of the Centre for Advanced Internet Architectures, and for more current information about the future of the Internet, check out his blog at www.potaroo.net.
For an introduction to the trust issues with BGP, read this Ars Technica article: "Gaping hole opened in Internet's trust-based BGP protocol".