On the security side, ISPs have increasingly tried to stop malicious traffic as far upstream as possible from their enterprise
customers, which means putting intelligent filtering capabilities into the core, explains Rob Clyde, Symantec’s CTO.
From ingress and egress filtering to block ICMP (Internet Control Message Protocol) Echo Reply attacks, to router ACLs (Access
Control Lists) for foiling DoS (denial-of-service) attacks, to simply temporarily blocking certain addresses or packets with
certain characteristics, ISPs have gotten a lot more aggressive, Clyde says.
“And blocking good traffic as well as bad,” Clyde adds, is “always a risk an ISP runs. There’s a constant trade-off.”
Innovation vs. performance
One argument against adding intelligence to the core is that Internet traffic is growing at a faster rate than Moore’s Law
predicts, and so additional processing equipment in the core will not be capable of keeping up with the load over time.
“The number of CPU cycles that the core router has to deal with the packets is decreasing,” claims Guy Almes, chief engineer
at Internet2, a university consortium working to deploy next-generation network technologies. “Those routers are improving
exponentially, but they’re facing demands that are also growing exponentially, but perhaps at a higher rate.”
But most opponents of adding intelligence to the core say the real issue is the dampening of Internet innovation, because
new applications will be limited to fewer protocols and forced to conform to more barriers and gateways. “We need to be able
to freely deploy new applications,” Cisco’s Baker says, noting that once upon a time the World Wide Web was a new Internet
application. “If we were to try to deploy it today, we would not be able to do so — I’d have to convince IT to allow it through
the firewall — and there has to be a business reason to do that.”
And the challenge will only get trickier as demands for new functionality such as VoIP and video applications drive vendors
and ISPs to deploy more QoS (quality of service) and control capabilities into the core.
“The intent [of the founders of the Internet] was to observe very clearly the layered architecture, to minimize the amount
of intelligence at the core,” MCI’s Cerf says, nonetheless acknowledging there are multiple ways to accomplish the QoS objective.
“Either we’ll put in two classes in the core of the network and treat them separately, or take that money and spend it on
building a higher capacity network. We have a fight every other Tuesday at MCI over this.”
“It’s a ticklish point. You don’t want to do something that turns [the Internet] back into a circuit switched system,” says
Steve Crocker, chairman of ICANN’s Security and Stability Advisory Committee.
Crocker doesn’t want innovation to revert to a model similar to the old Bell System, which built intelligence into central
switches that were highly reliable and stable but took decades to deploy and upgrade.
“The thing that has made the Net most successful is keeping the core of it as simple as possible and keeping the innovation
in the edges,” Crocker says. “The standard wisdom is to avoid putting anything into the center that doesn’t have to be there.
Less is better.”
Nonsense, VeriSign’s Sclavos says, arguing that rapidly growing end-user demands can best be handled by putting more intelligence
into the core, which includes the DNS.
“We’re seeing a dramatic increase in consumer usage,” Sclavos says. “When we bought Network Solutions, we were handling a
billion DNS queries a day. Now we’re handling 10 billion, and it’s doubling about every 18 months.”
Sclavos says pushing intelligence to the edge made sense in the early days when the Internet was an academic network, but
because of the network’s growth, it no longer does.
“More intelligence has to be in the network to provide better routing and better security,” Sclavos says. “And it has to be
in the core routing systems if you’re going to get latencies that make sense for people.
“You want the core to be where the complexity is, so it’s hidden from the user,” Sclavos adds. “We’ve now got so many touch
points at the end that you want the edge to be simple so that it can scale.”