This section addresses connectivity vulnerabilities that are inherent in the architecture of the Internet. These systemic vulnerabilities result from the utilization of the current PN infrastructure by the Internet composite networks. The vulnerabilities include second order effects such as availability and reliability due to outages on critical links and routing database errors. Security issues and vulnerabilities from outside influences, such as hackers, are not addressed. Internet vulnerabilities from hackers are addressed in the Electronic Threat Intrusion Report. The vulnerabilities associated with the ISPs, IXPs and Internet access connections are discussed below.
5. 1 INTERNET SERVICE PROVIDERS
As introduced in previous sections, the ISPs provide the basic backbone architecture of the Internet. The ISPs can be divided into three categories: NSPs, RSPs, and resellers. Internet vulnerabilities that are unique to each category are detailed in the following sections.
5. 1 .1 National Service Providers
The majority of the NSP links travel over dedicated lines leased from the PN carriers. PN dedicated lines travel in the same conduit as other switched PN lines. Thus, the NSP links have a physical reliability comparable to that of the carrier's network. The IEC maintain their high reliability standards through a three tier restoration architecture. This architecture is based on protocols, physical diversity, and switching algorithms. Figure 5-1 details this tiered architecture.
The PN providers' current restoration techniques for cable cuts, the most frequent cause of outages, are not available for the dedicated lines used in the Internet. The switched-based mechanisms are not available because of the fundamental differences between switched voice and data communications. The protocol- and physical-based restoration mechanisms, however, could be employed for dedicated line failures. Each NSP needs to work closely with the PN providers to ensure that their dedicated lines are afforded these restoration techniques. For example, SONET rings are currently being deployed to increase the reliability of communications links. Traffic on a SONET ring automatically reverses its direction as a result of a cable cut. However, a PN provider may impose additional charges to add dedicated lines to a SONET ring if there are unused non-SONET protected lines available. Thus, the primary alternate routing schemes used to ensure connectivity is dependent on the NSP's routers, routing protocol, and restoration plans.
NSPs connect to multiple IXPs nationwide. Typically, an NSP's connection at each of these IXPs is non-redundant. If this connection is lost, the NSP will lose its connectivity to the IXP and the ability to exchange traffic with the other interconnected NSPs. However, if the NSP has connections to other IXPs, either regional or national, the NSP can still exchange traffic with the IXP-attached NSPs. The loss of the connection between an NSP and an IXP is critical only if the NSP does not have connections to multiple IXPs.
NSP networks are also susceptible to routing problems, such as slow convergence and routing loops. The three routing protocols discussed - BGP4, OSPF, and RIP - can affect routing within and between ISP networks. Because BGP4 is an external protocol, it can affect routing between ISPs. RIP and OSPF, which are internal protocols, will only affect an ISP's internal network.
RIP, the oldest of the three routing protocols discussed, has particular vulnerabilities that have been addressed by the newer protocols. RIP is a distance vector protocol based on hop count to the destination node. RIP routing tables contain only the single best route from origin to destination; when a better route is present, it replaces the old route. When determining the best route available, RIP only considers the hop count and not other important factors such as bandwidth and line utilization.
Additionally, RIP is very slow to converge after a network failure or routing error has occurred. If a link in the route path is disrupted, RIP may not settle on the new best route for several minutes. During those minutes, service between those particular nodes is disrupted.
RIP is also susceptible to routing loops. In the minutes that it takes RIP to converge after a failure, routing loops may develop that will cause packets to route endlessly over the network until their TTL expires. Although there are modifications to the implementation of the RIP protocol that will help to avoid routing loops, they are subtle and may not be present in every network using RIP.
Finally, because RIP propagates its routing table to each of its neighbors every 30 seconds, RIP networks that are already congested by user traffic will be congested further by these routing tables.
The OSPF routing protocol overcomes RIP's shortfalls. The link state vector characteristic of OSPF allows each router in the network to have complete routing tables with multiple paths to destination. This greatly improves convergence time during a network failure and eliminates the chance of routing loops. OSPF routinely propagates route advertisements every half hour. OSPF also uses IP's multicasting capability to reduce the bandwidth requirement for these advertisements. This reduces the overall bandwidth overhead on the network attributed to the routing protocol. In time, OSPF will replace RIP as the standard internal routing protocol on the Internet.
Exhibit 5-2 summarizes the vulnerabilities of the NSP networks, RSP networks, IXPs, and the access portion of the Internet architecture. These vulnerabilities are described in greater detail in the following sections.
5. 1 .2 Regional Service Providers
RSPs have similar vulnerabilities to those of the NSPs. These vulnerabilities may be compounded since RSP's smaller geographic scale limits the availability of physical diverse paths and their choice of a PN provider. This increases the possibility of isolation of the RSPs.
RSPs usually have fewer connections to IXPs. These connections may also be limited to the region that the RSP services. If one or more of an RSP's IXP connections is disrupted, the RSP's service will suffer greater degradation than an NSP. RSP service could be seriously affected by a regional natural or man-made disaster.
Because of an RSP's smaller geographic coverage, traffic will be carried over fewer links. If a major link fails because of a cable cut, it can have a large effect on the traffic within the RSP's network. For example, in NorthWestNet's backbone shown in Exhibit 3-2, the DS-3 circuit between Seattle, WA, and Portland, OR, is a critical high-bandwidth link. If that link fails, Portland's bandwidth to the national Internet connectivity provided at Seattle will fall from DS-3 (45 Mbps) to 2 T1s (3.088 Mbps) - a possible 93 percent drop in speed and bandwidth.
Since RSPs have smaller networks, much of their traffic is transmitted over other ISP's networks. Thus the effect of EGP routing, the IXP connection, and bilateral NSP network connection failures are more pronounced in an RSP's network. The RSP's traffic will also encounter the vulnerabilities of the NSP network carrying its traffic, including the reliability problems encountered due to routing errors.
5. 1 .3 Resellers
Resellers depend on their "host" ISP network to provide reliable and responsive service. Resellers typically have a single dedicated connection between their distribution facilities and its ISP. This connection typically travels over PN dedicated lines. A failure in the dedicated line will result in a loss of service for the users homed to that distribution facility.
A reseller's network may become a congestion bottleneck when multiple customers access a single distribution facility with dedicated lines. If a reseller has not engineered the network connection for sufficient bandwidth to support dedicated and dial-up users, congestion may occur. This problem may occur in some reseller networks more than others.
Network availability is also a concern for dial-up customers of reseller networks. The ratio of customers to reseller modems may vary from 5 to more than 15. During high congestion periods, customers may be unable to gain access to the Internet. Higher ratio resellers have a greater potential for customer blocking.
5. 2 INTEREXCHANGE POINTS
The interexchange point is the central location where ISPs meet to exchange network traffic. Recall from section 3, that all the necessary switching and routing equipment for all IXP-attached ISPs and for the IXP are physically located within a single facility. Subsequently, any disruption or disaster encountered at that facility could result in the loss of service at the IXP. For most NSPs the loss of one IXPs is not critical because NSPs generally have connections to multiple IXPs nationwide. However, for RSPs, the loss of an IXP is more critical, specifically if the RSP is connected to a single IXP.
In addition to the physical vulnerabilities, IXPs are susceptible to routing problems between the various interconnected ISPs. Routing problems could come from EGP protocol faults or invalid IXP routing tables. IXPs operators attempt to eliminate routing problems by requiring a single EGP protocol at the IXP.
5. 3 INTERNET ACCESS
The Internet access connection is the most vulnerable aspect of the Internet with respect to business and residential end users. Business connections are typically single, non-redundant connections from the business' LAN to the ISP. Like all critical single lines, if the connection is lost, the company loses Internet connectivity. Large companies with advanced nationwide WANs (e.g., GE, IBM, and Boeing) may employ redundant connections to the Internet for reliability. A business' Web page will also be vulnerable to a cut in the Internet access link. However, businesses may have their Web pages hosted on an ISP Web server instead of hosting them on their own network. This practice reduces LAN traffic and provides those Web pages with the additional reliability provided by the ISP network.
Residential access to the Internet is provided almost exclusively through analog modem or ISDN dial-up access. Both connections are over single connections and are a single point of failure for the residential connection. However, overall reliability of the PN remains very high. Reliability will drop when users access the Internet using alternate schemes, such as cable, which are not built to telephone industry standards.
Flat-rate pricing for Internet service has also introduced new availability issues for LEC PN networks. These networks' demand and pricing models were designed based on a 5-minute voice call, whereas Internet data calls can last hours. During times of crisis when voice and Internet traffic surge, long dial-up data calls may reduce the availability of the voice network using the same end-office switching capacity. Continued growth in the use of alternative access techniques such as cable modems and DirectPC satellites should eventually reduce these switching issues in PN carrier networks.
Some Internet users connect over direct broadcast satellite services, such as DirecPC. DirecPC uses an inbound satellite connection over a 1-meter dish and an outbound connection over an analog modem. If either leg of this connection fails, the entire connection will be lost. The reliability of the analog modem link will be the same as described above. The reliability of the satellite link will depend on the satellite terminal at the residential location and the satellite company's downlink location.
ADSL will be comparable is reliability to other LEC access technologies (e.g., analog modem, and ISDN). However, ADSL has limitations to where it can be installed. ADSL cannot be installed near a strong AM radio station because of AM frequency interference on the ADSL signal. Additionally, only homes within 10,000 feet of the LEC central office may be serviced by ADSL.
In the short term, cable modem reliability is close to that of the cable television provider. Cable modem service poses special reliability concerns because the cable industry, unlike the voice telephone industry, has not been required or expected to have the degree of reliability of phone service because it is not considered essential to public welfare (e.g., 911 emergency access). Typically, the cable has not been installed to telephone industry standards and has been installed in shallow trenches (typically less than 6 inches deep). Additionally, cable providers do not employ the restoration mechanisms of the traditional carriers. These factors make the cable facility, and ultimately the cable modem connection, very vulnerable to cable cuts and outages.