Abstract
The original Internet architecture was designed to provide universal reachability; any host can send any amount of traffic (modulo congestion control) to any destination. This blanket openness enabled the Internet to adopt a single, globally routable address space. Unfortunately, today’s less trustworthy Internet environment has revealed the downside of such openness—every host is vulnerable to attack by any other host(s).
In the face of mounting security concerns, a primitive set of protective mechanisms (such as firewalls and NATs) that protect the host itself, but not the network leading to the host, have been widely deployed. In addition, the research community is busily producing proposals to address denial-of-service in a more comprehensive fashion [1], [2], [3], [4], [5], [6], [7], [8]. These proposals use various sophisticated architectures and approach the problem from many different perspectives. However, none of them take the simplest and most direct approach: allow each host to explicitly declare to the network routing infrastructure what traffic it wants routed to it. In this paper, we propose such an approach, and investigate its feasibility.
We describe an IP-level control protocol by which endhosts signal, and routers exchange, reachability constraints on different destination prefixes. A router may now forward a packet from host A to host B only if B has explicitly informed the network of its willingness to accept incoming traffic from A. In effect, we’re proposing to flip the default constraint on host reachability from “on” to “off”. Given current security woes, we believe this more conservative default is appropriate. Yet it is important to preserve the opportunity for openness.
The great strength of the existing “default-on” model is the flexibility it gives applications in their choice of communication models (client-to-server, server-to-server, peer-to-peer), which has been credited with enabling the variety of Internet applications we enjoy today. To preserve this flexibility, our protocol allows hosts to dynamically modify and inform the network of their current reachability constraints; i.e., our conservatism extends only to the network’s default behavior.
On the face of it, requiring the network to dynamically maintain reachability information for every destination would seem to place an intractable burden on routers. Our feasibility analysis suggests that this is not necessarily the case and that a default-off Internet might well be a practical option. We do not claim that such a default-off approach is sufficient or optimal. On the contrary, the general problem (control over host reachability) is a non-trivial one with a large design space and it’s likely too early for any particular approach to claim the prize. Moreover, given the complementary tradeoffs between various solutions, it is quite likely that the “sweet spot” in the design space involves more than one approach. Nonetheless, we hope that exploring an extreme design point will better reveal (and stimulate discussion on) the different options and hence initiate a more principled approach to arriving at the ideal solution.
The remainder of this paper is organized as follows: we describe our goals and proposal for a default-off Internet in Sections II and III, present results from a simple feasibility study in Section IV and finally discuss related work in Section V.
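The forwarding rule described above, sketched as an added example that is not code from the paper: a router keeps, per destination prefix, the source prefixes that destination has announced it will accept, and drops everything else. The class and method names, the longest-prefix-match rule and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress


class DefaultOffRouter:
    """Toy model (hypothetical): forward only traffic the destination asked for."""

    def __init__(self):
        # destination prefix -> set of source prefixes that destination accepts
        self.allowed = {}

    def announce(self, dst_prefix, src_prefix):
        """Destination signals that it will accept traffic from src_prefix."""
        dst = ipaddress.ip_network(dst_prefix)
        self.allowed.setdefault(dst, set()).add(ipaddress.ip_network(src_prefix))

    def withdraw(self, dst_prefix, src_prefix):
        """Destination revokes an earlier announcement.

        An emptied entry is kept on purpose: the prefix still overrides any
        covering prefix and now accepts nothing.
        """
        dst = ipaddress.ip_network(dst_prefix)
        self.allowed.get(dst, set()).discard(ipaddress.ip_network(src_prefix))

    def should_forward(self, src, dst):
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        matches = [p for p in self.allowed if dst_ip in p]
        if not matches:
            return False  # default-off: no announcement means no forwarding
        # Assumption: the most specific destination prefix decides.
        best = max(matches, key=lambda p: p.prefixlen)
        return any(src_ip in s for s in self.allowed[best])


if __name__ == "__main__":
    r = DefaultOffRouter()
    # Constructed sample state: a /24 accepts one partner network, while a
    # single host inside it narrows that to one peer address.
    r.announce("192.0.2.0/24", "203.0.113.0/24")
    r.announce("192.0.2.10/32", "198.51.100.7/32")
    for src, dst in [("203.0.113.5", "192.0.2.11"),
                     ("203.0.113.5", "192.0.2.10"),
                     ("198.51.100.7", "192.0.2.10"),
                     ("198.51.100.7", "192.0.2.99")]:
        print(src, "->", dst, "forward" if r.should_forward(src, dst) else "drop")
```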