An AMS-IX Story
Chief Technical Officer (CTO)
The Internet is definitely one of humanity’s greatest inventions, but it also has some very unsettling shortcomings that need to be addressed. AMS-IX commits itself to overcoming some of these imperfections in the years to come.
The fact that the Internet has some major flaws, is obvious. Just take a look at the papers. Every day there are major hacks and data breaches. A kid with access to a credit card can order DDoS attacks and destabilise the banking sector of a country, accounting for millions in damage. Traffic is rerouted due to malpractice or errors and privacy seems to be a thing of the past. Companies can track and trace everything you do online.
We are so used to this that we don’t realise any more how bizarre this situation actually is. When you drink water from the tap (at least in the Netherlands), you know for sure that the water is clean and not contaminated. Similarly, when we go on the Internet, we think it is normal that there are people checking our data, and that there is a good chance that someone is stealing it or that we are being framed. It makes one wonder: is it possible to reengineer the Internet in order to address some of these security and privacy issues?
It would be wrong to state that the Internet was badly designed, because there wasn’t a design in the first place, at least not for what the Internet has become. The foundation was laid by academic groups in the 70s and early 80s (IP and TCP protocol definitions stem from 1973). It was only in the late 80s and early 90s that commercial ISPs were established and started offering services based on TCP/IP. There was an atmosphere of trust and cooperation amongst these first internet pioneers and the way the network is built reflects this mindset. The internet protocols were originally designed for intercomputer communication in an academic environment. But as we have seen, the Internet has organically grown into a huge, global, communication network.
Currently, the Internet has many shortcomings, such as spoofing of host addresses, DDoS attacks, forged TLS certificates by compromised trust roots, and many more. At AMS-IX we experience, for example, problems with interdomain routing with the use of Border Gateway Protocol (BGP). BGP is a globally distributed protocol exchanging reachability information for their respective ASs (Autonomous Systems). As there is no hierarchy between the BGP speaking routers, updates by a single BGP speaker can impact routing information in the entire Internet. This allows for example, for prefix hijacking and while often these are caused by erroneous configuration, there are well-known cases where this has, and is, been caused by adversaries with criminal or political intentions. Related to this, is prefix ‘redirect’, where traffic in the end finds its destination, but on its path there it is intercepted for eavesdropping purposes.
It is impossible to re-engineer the existing Internet. Too many companies are relying on the Internet Protocol and it still adds value for the common user to make all the security and privacy risks worthwhile. We can see this for example, in the way companies handle the problem of address space. The Internet originally used 32-bit addresses, which means that there is a limited amount of address space. This problem was already flagged at the end of the 90s, and it was addressed with the introduction of new 128-bit IPv6 addresses. However, most of the internet organisations have not, or are still in the progress of, migrating to IPv6. With the exhaustion of IPv4 address space all kind of issues start to occur, one of which is the barrier it creates to new service providers on the Internet.
One way to go about this, is to build internets that operate parallel to the current Internet. These new networks connect companies with similar or common goals. They use the networks for specific applications. And, most importantly, they make and abide to their own set of networking rules. This way they can ensure security and trust within their community.
The idea of building new networks that operate next to the current Internet is not as revolutionary as it sounds. In many areas, companies and organisations are working along similar lines. The Dutch government for example, has its own Diginetwork that operates next to the Internet. It is basically a collection of interconnected governmental networks operating under their own rules for privacy and security. Another example can be found with the GRX, AMS-IX’s interconnection platform for exchange of roaming GPRS traffic between mobile operators. The traffic is based on guidelines set by the GSMA.
But there are a lot of possibilities. A great use case for building such a network can be done in the financial sector, especially when it comes to the communication between banks and their users. Momentarily, banks deliver all their services as IP traffic on their network. As a result, if the customer portal of the bank is hit by a DDoS attack, users can be blocked out. It is, however, also possible that the banks organize their network traffic with their users via a separate network thus ensuring the continuity of their services.
AMS-IX is positioned to help, initiate and build these new networking communities. We have been operating at the core of the Internet for more than 25 years. Our interconnection platform in Amsterdam connects more than 875 networks and it is neutral ground for all these organisations. We already have a lot of experience with measures to secure the Internet’s routing infrastructure, like the use of RPKI (Resource Public Key Infrastructure) and the implementation of MANRS (Mutually Agreed Norms for Routing Security). We operate with no commercial goals and for the good of all internet companies, which puts us in the position to address some of the general problems of the Internet. Next to that, we have excellent ties with academic organisations, universities and other associations like RIPE, NLnet Lab and ISOC, some of which have initiatives of their own addressing some of the problems of the functioning of the Internet.
AMS-IX can, first and foremost, assist in the development of new technical standards that can help building these new networks. In its most simple form, it means playing a role as neutral intermediary in the development of these new networking communities, facilitating rules on which the networks are to operate. Additionally, it can also mean participating in the development of new alternatives for the Internet Protocols like RINA, SCION and NDN. AMS-IX is already participating in the 2STiC program, a joint research program, where AMS-IX together with NLnet Labs, SIDN Labs, SURFnet, TU Delft, the University of Amsterdam and the University of Twente, aim to test some of these new protocols. But there are fields of technological testing and engineering where AMS-IX can play a role as well, like testing and developing new encryption technologies to be used in a networking environment.
AMS-IX can also play a role in safeguarding the neutrality of infrastructure to be used for the common good. An interesting use case could be the 5G roll-out in the Netherlands. Many enterprises want to operate their own 5G networks that operate next to networks of telecom operators. AMS-IX can be used as a neutral Exchange point and facilitator of interconnection.
Of course, there is also a lot that needs to be done outside the scope of AMS-IX. Governments for example, need to adapt their legislation so that it is more suited to the current workings of the Internet. The GDPR is an excellent first step to give civilians more control over their personal data. Next to that, quality standards need to be developed around internet technology. For example, currently, poorly secured IoT devices can be sold without any restrictions. A new CE marking for IoT devices would be very welcome.
For 25 years, AMS-IX is playing a leading role in developing and growing the Internet. It brought much good, but we can now clearly see that the Internet also has some flaws which should be the focus of our attention in the future.