From dotzero at gmail.com Tue Dec 1 02:03:21 2009 From: dotzero at gmail.com (Dotzero) Date: Mon, 30 Nov 2009 21:03:21 -0500 Subject: [CII] [bmanning@vacation.karoshi.com: Re: terms and conditions] In-Reply-To: <20091130075225.GA10226@jeeves.rigozsaurus.com> References: <20091128234540.GA27757@vacation.karoshi.com.> <7ae58c220911281717v3fe3a2cp61bfc6ce0011a2d0@mail.gmail.com> <20091130075225.GA10226@jeeves.rigozsaurus.com> Message-ID: <7ae58c220911301803v475446a0s133cec512ef4ceda@mail.gmail.com> On Mon, Nov 30, 2009 at 2:52 AM, John Osmon wrote: > On Sat, Nov 28, 2009 at 08:17:09PM -0500, Dotzero wrote: >> > On Fri, Nov 27, 2009 at 10:36:55PM -0700, John Osmon wrote: >> >> >> >> "My network, my rules." ?But I'll always prempt traffic on my net >> >> for health/safety. ?Kinda seems like my duty to the society that I live >> >> within... >> >> What do you mean by "preempt". Are you carrying traffic from other >> networks and destined for other networks or are you talking about >> preventing traffic from your network going to 3rd party networks? What >> is the general nature of traffic on your net? > > I'm not operating a network at the momment, but I have during other > stages of my career. ?Mostly, I've dealt with rurual areas, and > have relied on other carriers for backhaul. ?However, if, at any time, > someone would have shown me that some form of health/safety were > in need, I would have setup QOS to ensure that health/safety traffic > had absolute priority over other traffic. > >> I deal with corporate networks and ecommerce sites. Our triage would >> be to cut traffic when we are putting others at potential risk or if >> there is significant potential risk to the integrity of our systems >> and networks. While we have a lot of horsepower we would not be >> considered CII by most people. > > I can see the logic of your reasoning. > > Let's consider a situation where you have a BGP connection to a local ISP > in a region. ?If that ISP had "critical" traffic that needed to get > somewhere, and you had the ability to deliver it -- would you be willing > to give that "critical" traffic priroity on your network if it caused > congestion for you "normal" traffic? > > If you were to answer "yes," I would include you as CII for that region. > Colo in Tier1 data centers only. > Hopefully, you'd have a different physical path from the ISP that had > "critical" traffic. ?However, even if you don't have path diversity, > your equipment diversity might be enough to handle the "critical" > information. > Handling critical information (I'm assuming you mean a decision to host) would be a decision above my pay grade. From gareth.eason at signal2noise.ie Tue Dec 1 09:10:49 2009 From: gareth.eason at signal2noise.ie (Gareth Eason) Date: Tue, 01 Dec 2009 09:10:49 +0000 Subject: [CII] welcome to the public CII In-Reply-To: <4B1269D8.3090103@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> <3feff8d60911260511i6d2111d0o761ed07d5c39a6c7@mail.gmail.com> <4B1269D8.3090103@linuxbox.org> Message-ID: <4B14DD99.3060802@signal2noise.ie> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gadi Evron wrote: > Michael Maranda wrote: >> One of the prior messages articulated an aversion to Cyber as >> non-word. Please say more? For now I'll take it as similar to my >> aversion to prefixing everything with e-; i; and "digital" > > You got it. Just that most of us gave up and use it until the trend is > over. It's difficult to explain to people why most "cyber-war" stories > are nonsense when they don't understand other terminology. [snip] Without 'cyber' we cannot have Doctor Who and his epic battle against the 'cybermen.' It might be a little UK-centric but perhaps some of the US subscribers have experienced Doctor Who - or at least heard of it. So end of discuss - 'cyber' MUST stay in the dictionary, at least until the last of the Time Lords can declare a definitive victory over them ;-) More seriously, cyber-, e-, i-, digital- and other equally misused prefixes are bad for language, detract from clarity of language, but are a very real exponent of any developing language in active use. We've already lost the battle for 'hacker'/'cracker' and apart from September 19th any words derived from 'pirate' are utterly meaningless. Let's move on to discussion of the real issues of Critical Internet Infrastructure - the semantics of the English language (while interesting) are discussed at great length elsewhere ;-) I'd very much like to get some opinions from the group as to where priorities lie re infrastructure, particularly with respect to: - availability - reliability - openness - neutrality - freedom/freedoms (for ISPs? for end-users?) - oversight (for government? for ISPs? for regulatory bodies?) In a similar vein, I'd like to see some discussion on whether people see regulation as an 'answer', and whether (ISPs?) see self-regulation or governmental (or other third-party) regulation as required? Optional? Optimal? Thoughts? Best regards, -->Gar (not a bot ;-) ) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAksU3YsACgkQK36C50PvIR/ONwCdHf9CfT4fQHkS9Bs2JaeLaMGC KUcAn2BCale8V0olR65AwgA40U2wCAGj =QJRf -----END PGP SIGNATURE----- From fx at recurity-labs.com Tue Dec 1 10:37:59 2009 From: fx at recurity-labs.com (Felix 'FX' Lindner) Date: Tue, 1 Dec 2009 11:37:59 +0100 Subject: [CII] Advocatus Diaboli Message-ID: <20091201113759.c1f5312e.fx@recurity-labs.com> Hi list, since the discussion about CI/CII exploded already into an n-dimensional problem space, I would like to approach it from a completely different angle and pose the following question as a THOUGHT EXPERIMENT for discussion: **************** Which governmental or commercial entity would be unable to recover from a global and ongoing Internet outage? **************** As we can define rules for thought experiements, here are the ones for this: 1) We shall not know what the reason of the outage is. Simply assume whereever you connect to the Internet, it simply doesn't work (no routing, no DNS). 2) We shall assume that POTS (Plain Old Telephony System) is still functioning. [Note: we all know that POTS cores are all VoIP these days, but it's a thought experiment, so just play along] 4) We shall assume that all other types or infrastructure are still functioning, including power distribution, water and utilities. [Note: we all know the argument that those may fail with Internet outages, but it's a thought experiment, so just play along] 5) How much of any localized networks will still work is up to the participant of the thought experiment, but you shall reason why something still works. Working hypothesis: Any sufficiently important entity will apply creativity, priorization and extra effort to get around the operational problems caused by the unavailability of the Internet at large. The impact on societies and their ability to support and protect human lives will be significantly lower than commonly assumed. Goal of the thought experiment: By identifying one or more entities that are unable to recover by any means from a global and ongoing Internet outage, we might be able to assess criticality of such entity, criticality of Internet components as well as mitigation strategies that people would employ if forced to using *actual*examples*. Enjoy, FX -- Recurity Labs GmbH | Felix 'FX' Lindner http://www.recurity-labs.com | fx at recurity-labs.com Wrangelstrasse 4 | Fon: +49 30 69539993-0 10997 Berlin | PGP: A740 DE51 9891 19DF 0D05 Germany | 13B3 1759 C388 C92D 6BBB HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner From bmanning at vacation.karoshi.com Tue Dec 1 12:44:05 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Tue, 1 Dec 2009 12:44:05 +0000 Subject: [CII] Advocatus Diaboli In-Reply-To: <20091201113759.c1f5312e.fx@recurity-labs.com> References: <20091201113759.c1f5312e.fx@recurity-labs.com> Message-ID: <20091201124405.GA25741@vacation.karoshi.com.> howdy... i challenge your lema that there exists a global Internet that can -unilaterally- fail, taking out all communications over IP. --bill On Tue, Dec 01, 2009 at 11:37:59AM +0100, Felix 'FX' Lindner wrote: > Hi list, > > since the discussion about CI/CII exploded already into an > n-dimensional problem space, I would like to approach it from a > completely different angle and pose the following question as a > THOUGHT EXPERIMENT for discussion: > > **************** > Which governmental or commercial entity would be unable to recover > from a global and ongoing Internet outage? > **************** > > As we can define rules for thought experiements, here are the ones for > this: > > 1) > We shall not know what the reason of the outage is. Simply assume > whereever you connect to the Internet, it simply doesn't work (no > routing, no DNS). > > 2) > We shall assume that POTS (Plain Old Telephony System) is still > functioning. [Note: we all know that POTS cores are all VoIP these > days, but it's a thought experiment, so just play along] > > 4) > We shall assume that all other types or infrastructure are still > functioning, including power distribution, water and utilities. > [Note: we all know the argument that those may fail with Internet > outages, but it's a thought experiment, so just play along] > > 5) > How much of any localized networks will still work is up to the > participant of the thought experiment, but you shall reason why > something still works. > > Working hypothesis: > Any sufficiently important entity will apply creativity, priorization > and extra effort to get around the operational problems caused by the > unavailability of the Internet at large. The impact on societies and > their ability to support and protect human lives will be significantly > lower than commonly assumed. > > Goal of the thought experiment: > By identifying one or more entities that are unable to recover by any > means from a global and ongoing Internet outage, we might be able to > assess criticality of such entity, criticality of Internet components > as well as mitigation strategies that people would employ if forced to > using *actual*examples*. > > Enjoy, > FX > > -- > Recurity Labs GmbH | Felix 'FX' Lindner > http://www.recurity-labs.com | fx at recurity-labs.com > Wrangelstrasse 4 | Fon: +49 30 69539993-0 > 10997 Berlin | PGP: A740 DE51 9891 19DF 0D05 > Germany | 13B3 1759 C388 C92D 6BBB > HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii From ge at linuxbox.org Tue Dec 1 12:48:17 2009 From: ge at linuxbox.org (Gadi Evron) Date: Tue, 01 Dec 2009 14:48:17 +0200 Subject: [CII] Advocatus Diaboli In-Reply-To: <20091201124405.GA25741@vacation.karoshi.com.> References: <20091201113759.c1f5312e.fx@recurity-labs.com> <20091201124405.GA25741@vacation.karoshi.com.> Message-ID: <4B151091.4050908@linuxbox.org> bmanning at vacation.karoshi.com wrote: > howdy... > > i challenge your lema that there exists a global Internet that can > -unilaterally- fail, taking out all communications over IP. > How about "might exist" or currently, take "some" rather than all? Gadi. > --bill > > > On Tue, Dec 01, 2009 at 11:37:59AM +0100, Felix 'FX' Lindner wrote: >> Hi list, >> >> since the discussion about CI/CII exploded already into an >> n-dimensional problem space, I would like to approach it from a >> completely different angle and pose the following question as a >> THOUGHT EXPERIMENT for discussion: >> >> **************** >> Which governmental or commercial entity would be unable to recover >> from a global and ongoing Internet outage? >> **************** >> >> As we can define rules for thought experiements, here are the ones for >> this: >> >> 1) >> We shall not know what the reason of the outage is. Simply assume >> whereever you connect to the Internet, it simply doesn't work (no >> routing, no DNS). >> >> 2) >> We shall assume that POTS (Plain Old Telephony System) is still >> functioning. [Note: we all know that POTS cores are all VoIP these >> days, but it's a thought experiment, so just play along] >> >> 4) >> We shall assume that all other types or infrastructure are still >> functioning, including power distribution, water and utilities. >> [Note: we all know the argument that those may fail with Internet >> outages, but it's a thought experiment, so just play along] >> >> 5) >> How much of any localized networks will still work is up to the >> participant of the thought experiment, but you shall reason why >> something still works. >> >> Working hypothesis: >> Any sufficiently important entity will apply creativity, priorization >> and extra effort to get around the operational problems caused by the >> unavailability of the Internet at large. The impact on societies and >> their ability to support and protect human lives will be significantly >> lower than commonly assumed. >> >> Goal of the thought experiment: >> By identifying one or more entities that are unable to recover by any >> means from a global and ongoing Internet outage, we might be able to >> assess criticality of such entity, criticality of Internet components >> as well as mitigation strategies that people would employ if forced to >> using *actual*examples*. >> >> Enjoy, >> FX >> >> -- >> Recurity Labs GmbH | Felix 'FX' Lindner >> http://www.recurity-labs.com | fx at recurity-labs.com >> Wrangelstrasse 4 | Fon: +49 30 69539993-0 >> 10997 Berlin | PGP: A740 DE51 9891 19DF 0D05 >> Germany | 13B3 1759 C388 C92D 6BBB >> HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner >> _______________________________________________ >> CII mailing list >> CII at isotf.org >> http://isotf.org/mailman/listinfo/cii > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii > -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ From fx at recurity-labs.com Tue Dec 1 15:01:23 2009 From: fx at recurity-labs.com (Felix 'FX' Lindner) Date: Tue, 1 Dec 2009 16:01:23 +0100 Subject: [CII] Advocatus Diaboli In-Reply-To: <4B151091.4050908@linuxbox.org> References: <20091201113759.c1f5312e.fx@recurity-labs.com> <20091201124405.GA25741@vacation.karoshi.com.> <4B151091.4050908@linuxbox.org> Message-ID: <20091201160123.28355df5.fx@recurity-labs.com> Hi, On Tue, 01 Dec 2009 14:48:17 +0200 Gadi Evron wrote: > > i challenge your lema that there exists a global Internet > > that can -unilaterally- fail, taking out all communications over IP. http://en.wikipedia.org/wiki/Thought_experiment We are not putting actual cats and radioactive substances into actual boxes, nor assume that it can be actually done. > How about "might exist" or currently, take "some" rather than all? Whatever works for you to play the experiment. cheers FX -- Recurity Labs GmbH | Felix 'FX' Lindner http://www.recurity-labs.com | fx at recurity-labs.com Wrangelstrasse 4 | Fon: +49 30 69539993-0 10997 Berlin | PGP: A740 DE51 9891 19DF 0D05 Germany | 13B3 1759 C388 C92D 6BBB HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner From bgreene at senki.org Tue Dec 1 15:20:55 2009 From: bgreene at senki.org (Barry Raveendran Greene) Date: Tue, 1 Dec 2009 07:20:55 -0800 Subject: [CII] Advocatus Diaboli In-Reply-To: <20091201124405.GA25741@vacation.karoshi.com.> References: <20091201113759.c1f5312e.fx@recurity-labs.com> <20091201124405.GA25741@vacation.karoshi.com.> Message-ID: <012001ca7299$e98daf60$bca90e20$@org> > i challenge your lema that there exists a global Internet that > can > -unilaterally- fail, taking out all communications over IP. Change the crisis to "major failure of the interconnection dependencies of the Internet." It is hard to "take out the Internet." It is feasible to have the interconnection dependencies massively disrupted. This disruption would clear the path to continue with FX's thought experiment. From bmanning at vacation.karoshi.com Tue Dec 1 16:03:19 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Tue, 1 Dec 2009 16:03:19 +0000 Subject: [CII] Advocatus Diaboli In-Reply-To: <012001ca7299$e98daf60$bca90e20$@org> References: <20091201113759.c1f5312e.fx@recurity-labs.com> <20091201124405.GA25741@vacation.karoshi.com.> <012001ca7299$e98daf60$bca90e20$@org> Message-ID: <20091201160319.GA31739@vacation.karoshi.com.> On Tue, Dec 01, 2009 at 07:20:55AM -0800, Barry Raveendran Greene wrote: > > > > i challenge your lema that there exists a global Internet that > > can > > -unilaterally- fail, taking out all communications over IP. > > Change the crisis to "major failure of the interconnection dependencies of > the Internet." > > It is hard to "take out the Internet." It is feasible to have the > interconnection dependencies massively disrupted. This disruption would > clear the path to continue with FX's thought experiment. > > ok... willing suspension of disbelief.... for now. I'll note - in passing - that if 99.98% of the global, interconnection dependencies of the Internet on a global scale, fail - and in the remaining 0.02% of remaining connectivity, I can reach / communicate with everyone I need to - then the Internet is not broken - FOR ME. Lets face it - at any given point in time, some parts of the Internet are not functionally working/connected to other parts of the Internet. Its -always- partially broken. The critical (imho) components of this best-effort service are: :: triage - who gets cut off and why :: restoration - who gets added first and why --bill From bmanning at vacation.karoshi.com Tue Dec 1 16:06:22 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Tue, 1 Dec 2009 16:06:22 +0000 Subject: [CII] terms and conditions In-Reply-To: References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> Message-ID: <20091201160622.GB31739@vacation.karoshi.com.> On Sun, Nov 29, 2009 at 07:37:28AM -0800, Robert Slade wrote: > From: bmanning at vacation.karoshi.com > Date: Sunday, November 29, 2009 4:17 am > > > lets presume I am based in Kamatura Japan. I have work > > associates in > > Oxford England, Palo Alto & Santa Cruz California, Family in > > West Virginia, > > and teaching assignments in Korea, China and Mynmar. > > > > Is there any reason why - given the rigid nature of peering and > > cross connects > > that I should care about fiber cuts that take out most of Sau > > Paulo and > > all of Norway? > > > So that's your definition of "this." As you say, you have no need of something that my sister in Stavanger or colleagues in Angre dos Reos desperately need. exactly... critical is entirely POV dependent. > rslade at computercrime.org slade at victoria.tc.ca rslade at vcn.bc.ca --bill From bmanning at vacation.karoshi.com Tue Dec 1 16:10:38 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Tue, 1 Dec 2009 16:10:38 +0000 Subject: [CII] terms and conditions In-Reply-To: <4B129F57.1030703@bromirski.net> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com.> <4B126790.3040308@linuxbox.org> <20091129125407.GB7158@vacation.karoshi.com.> <4B129F57.1030703@bromirski.net> Message-ID: <20091201161038.GC31739@vacation.karoshi.com.> On Sun, Nov 29, 2009 at 05:20:39PM +0100, Eukasz Bromirski wrote: > On 2009-11-29 13:54, bmanning at vacation.karoshi.com wrote: > >On Sun, Nov 29, 2009 at 02:22:40PM +0200, Gadi Evron wrote: > >>bmanning at vacation.karoshi.com wrote: > >>> I have "everything you need to make this work". I have no need of > >>> Brazilian or Norwegian infrastructure. They are not critical to me. > >> > >>What would happen to your connectivity if the Brazilian and Norwegian > >>localized internet infrastructures were to stop working? > > > > nothing. zero. nada. zilch. > > > > not critical to me. the point being, critical has a reference, > > usually an end user. > > Somebody already called for defining the 'critical infrastructure', as > we can easily go into many discussions without actually definining why > we disagree :) > > So, even if You're not living in the Brazil or Norway, they > infrastructure may be critical for you. Think about shared hubs for > banks, C&C systems for ATM machines and the card readers in shops, > gas stations, etc. It doesn't have to be a bunch of DNS root servers, > it may be a GSM IP network that is connecting you via a dialin to > the internet, or a AAA server somewhere around the world (we're already > in the era of cloud computing, please remember that), that just breaks. > And in terms of daily life, you're reduced to what you have in your > house. Shops won't sell you anything, they won't take orders, your > cell phone won't connect you anywhere, nor paid phone. If you have > cash, the TAXI may get you somewhere (if they still have fuel), but the > train system may not be able - precisely because of the fact, that > some set of IP networks used by a just a couple of companies in your > country just became unreachable. > > And that's a fact that some of the networks in just three countries > are very important to most of the international companies operating > around the world. Without them, we're going to 'backup' plan, and > sometimes the backup plan really doesn't exist, or was tested > 'well, three years ago'. > > When you have a chance to work for couple of companies dealing with > internet connectivity on a "it's a something on our checklist to have > our project complete" or a "it always did work!" basis, you may change > your idea about being always safe very fast. > > I wonder if Raoul Chiesa is on the list to share his experience. And > I expect we all have our own and sometimes it's really scary to > become aware during auditing, discussing architecture or redesigning > a network that just a simple error in ONE place may render whole > set of 'entities' disconnected. > > And to show some real example: two years ago in Poland, we've had a > rather small DDoS. The DDoS was aimed at one of the international > bank. As the bot C&C apparently missed the fact, that the bank had > only something like /24 allocated, he brought down entire /19. > Along it went away two other banks (one national), a big newspaper > and independent company doing ATM 'services', and part of the network > of a gas station company. > > People at the edge of Christmas Eve were unable to withdraw money > from ATMs, and pay by credit cards in shops. They were unable to pay > at gas stations, not to mention other 'difficulties' I can't actually > discuss in public. If the /19 would be further extended to say /16, > I see other countries would begin to see the 'problem'. > > That's how it works - it's interconnected. Everything with everything > else. > > So, that's my hello to the list :) > > -- I'll bite. its not that its connected, its that it -can be- connected. and I'm not comfortable conflating critical with convience. your points about "backup" plans is key. we need them, we need to exercise them on a regular basis, and we ought to ensure that shared dependencies are minimized. --bill From bmanning at vacation.karoshi.com Tue Dec 1 16:15:05 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Tue, 1 Dec 2009 16:15:05 +0000 Subject: [CII] terms and conditions In-Reply-To: <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> Message-ID: <20091201161505.GD31739@vacation.karoshi.com.> On Sun, Nov 29, 2009 at 11:32:25AM -0500, Avri Doria wrote: > > I guess i tend to want to push the meaning of 'Critical' to the edge of 'something without which there is no Internet' > > The question then becomes for me one of the locality and temporality of that statement. Critical for the Internet at large, or Criticial for Internet at some place in time. > > 'Internet At large' works fine if by our definition being an Internet means reaches all people. But few people mean that, I think. the -only- people who really -NEED- to have reachability to all people are direct marketers. And they are in the class of communications I have no desire to receive - ever. There are only a small handful of scenarios that I can envision that would require the ability for everyone on the planet to communicate with everyone else on the planet. imho of course. --bill > > a. > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii From josmon at rigozsaurus.com Tue Dec 1 16:32:52 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Tue, 1 Dec 2009 09:32:52 -0700 Subject: [CII] Advocatus Diaboli In-Reply-To: <20091201160319.GA31739@vacation.karoshi.com.> References: <20091201113759.c1f5312e.fx@recurity-labs.com> <20091201124405.GA25741@vacation.karoshi.com.> <012001ca7299$e98daf60$bca90e20$@org> <20091201160319.GA31739@vacation.karoshi.com.> Message-ID: <20091201163252.GH23087@jeeves.rigozsaurus.com> On Tue, Dec 01, 2009 at 04:03:19PM +0000, bmanning at vacation.karoshi.com wrote: [...] > Lets face it - at any given point in time, some parts of the Internet > are not functionally working/connected to other parts of the Internet. > Its -always- partially broken. Yep. Any end2end connection can be characterized as: - working - impaired - not working When it is not working, there's typically a path problem. Get more paths, or decide that there are times the "critical" application won't be available. With satellite connections, you almost always have a backup path available -- if you're willing to spend the money. Impaired channels could have any number of problems, but most will exhibit either limited bandwidth or high packet loss. Two methods of countering either can be: - QOS enforcement -- give "critical" traffic across the impaired link preferential access - protocol changes -- use TCP instead of UDP, or even use text instead of pictures on web pages to conserve packets As Bill indicates: > The critical (imho) components of this best-effort service are: > > :: triage - who gets cut off and why > :: restoration - who gets added first and why Your best bet is multiple paths for the traffic you consider critical. Then you have a multitude of options when problems occur. Your options collapse to "restoration" only when your channel fails completely. From tvest at eyeconomics.com Tue Dec 1 16:37:16 2009 From: tvest at eyeconomics.com (tvest at eyeconomics.com) Date: Tue, 1 Dec 2009 11:37:16 -0500 Subject: [CII] Advocatus Diaboli In-Reply-To: <20091201160319.GA31739@vacation.karoshi.com.> References: <20091201113759.c1f5312e.fx@recurity-labs.com> <20091201124405.GA25741@vacation.karoshi.com.> <012001ca7299$e98daf60$bca90e20$@org> <20091201160319.GA31739@vacation.karoshi.com.> Message-ID: On Dec 1, 2009, at 11:03 AM, bmanning at vacation.karoshi.com wrote: > On Tue, Dec 01, 2009 at 07:20:55AM -0800, Barry Raveendran Greene > wrote: >> >> >>> i challenge your lema that there exists a global Internet that >>> can >>> -unilaterally- fail, taking out all communications over IP. >> >> Change the crisis to "major failure of the interconnection >> dependencies of >> the Internet." >> >> It is hard to "take out the Internet." It is feasible to have the >> interconnection dependencies massively disrupted. This disruption >> would >> clear the path to continue with FX's thought experiment. >> >> > > ok... willing suspension of disbelief.... for now. > I'll note - in passing - that if 99.98% of the global, > interconnection dependencies of the Internet on a global scale, > fail - and in the remaining 0.02% of remaining connectivity, > I can reach / communicate with everyone I need to - then the > Internet is not broken - FOR ME. Hi Bill, Could you clarify your "can reach / communicate with everyone I need to" condition a bit? Would it suffice to be "not broken" if you could each / communicate with everyone/everything you've ever needed to up to the moment of that 99.8% failure? Or does your assertion imply that the remaining 0.2% would have to encompass everyone you've needed to reach / communicate with in the past *plus* everyone you personally will need to reach / communicate communicate in the future? IMO this distinction is the point at which e2e becomes an unavoidable component of the CI debate. > Lets face it - at any given point in time, some parts of the Internet > are not functionally working/connected to other parts of the > Internet. > Its -always- partially broken. > > The critical (imho) components of this best-effort service are: > > :: triage - who gets cut off and why > :: restoration - who gets added first and why The term "restoration" makes sense given this particular thought experiment, but the corresponding definition you provide sounds like it might cover more than just those being "restored" -- was that intentional? In case it's not obvious, such distinctions could have profound real- world consequences. Suppose, for example, the emergency that we face is not sudden or event-driven ala "outage," but rather cumulative and ecological in origin? What if the only prospects for restoration are equally slow and uncertain? Should triage and restoration rules be different than in cases where a quick fix is more-or-less assured? Would your answer to the previous question about who and what you personally need to reach / communicate with be different if you knew that your own restoration might be years in coming, or never come at all? TV From pschmehl_lists at tx.rr.com Tue Dec 1 17:00:35 2009 From: pschmehl_lists at tx.rr.com (Paul Schmehl) Date: Tue, 01 Dec 2009 11:00:35 -0600 Subject: [CII] terms and conditions In-Reply-To: <20091201161505.GD31739@vacation.karoshi.com.> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> <20091201161505.GD31739@vacation.karoshi.com.> Message-ID: --On Tuesday, December 01, 2009 10:15:05 -0600 bmanning at vacation.karoshi.com wrote: > > On Sun, Nov 29, 2009 at 11:32:25AM -0500, Avri Doria wrote: >> >> I guess i tend to want to push the meaning of 'Critical' to the edge of >> 'something without which there is no Internet' >> >> The question then becomes for me one of the locality and temporality of >> that statement. Critical for the Internet at large, or Criticial for >> Internet at some place in time. >> >> 'Internet At large' works fine if by our definition being an Internet means >> reaches all people. But few people mean that, I think. > > the -only- people who really -NEED- to have reachability to all > people are direct marketers. > And they are in the class of communications I have no desire to > receive - ever. > There are only a small handful of scenarios that I can envision that > would require the > ability for everyone on the planet to communicate with everyone else > on the planet. > So...no need for 911 then? -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson From fx at recurity-labs.com Tue Dec 1 17:18:28 2009 From: fx at recurity-labs.com (Felix 'FX' Lindner) Date: Tue, 1 Dec 2009 18:18:28 +0100 Subject: [CII] Advocatus Diaboli In-Reply-To: <20091201160319.GA31739@vacation.karoshi.com.> References: <20091201113759.c1f5312e.fx@recurity-labs.com> <20091201124405.GA25741@vacation.karoshi.com.> <012001ca7299$e98daf60$bca90e20$@org> <20091201160319.GA31739@vacation.karoshi.com.> Message-ID: <20091201181828.50087bb3.fx@recurity-labs.com> Hi, On Tue, 1 Dec 2009 16:03:19 +0000 bmanning at vacation.karoshi.com wrote: > > > i challenge your lema that there exists a global Internet > > > that can > > > -unilaterally- fail, taking out all communications over > > > IP. > > > > Change the crisis to "major failure of the interconnection > > dependencies of the Internet." > > > > It is hard to "take out the Internet." It is feasible to have the > > interconnection dependencies massively disrupted. This disruption > > would clear the path to continue with FX's thought experiment. > > > > > > ok... willing suspension of disbelief.... for now. > I'll note - in passing - that if 99.98% of the global, > interconnection dependencies of the Internet on a global > scale, fail - and in the remaining 0.02% of remaining connectivity, > I can reach / communicate with everyone I need to - then the > Internet is not broken - FOR ME. that's exactly the point: assume it's broken for you and everyone else. Would you be able, with some considerable efforts of creativity, work, money and whatnot, to keep functioning as an individual? How about the place you work at? If you can maintain your life (private and work) in the light of such an event, who can you think of any entity that would absolutely not be able to? What I'm after is a list of such entities, so we can later look at them and see how "critical" they are. An example of the entities that I think would be absolutely unable to recover by other means of communication is Amazon, both their sales business and cloud computing business, because they depend on being reachable. But do we have any governmental entity that would be equally helpless? > Lets face it - at any given point in time, some parts of the > Internet are not functionally working/connected to other parts of > the Internet. Its -always- partially broken. That's what we commonly refer to as the Internet being functional. Just because we assume a full black-out for the experiment doesn't mean the opposite is a completely connected and working Internet ;) cheers FX -- Recurity Labs GmbH | Felix 'FX' Lindner http://www.recurity-labs.com | fx at recurity-labs.com Wrangelstrasse 4 | Fon: +49 30 69539993-0 10997 Berlin | PGP: A740 DE51 9891 19DF 0D05 Germany | 13B3 1759 C388 C92D 6BBB HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner From bmanning at vacation.karoshi.com Tue Dec 1 17:59:19 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Tue, 1 Dec 2009 17:59:19 +0000 Subject: [CII] terms and conditions In-Reply-To: References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> <20091201161505.GD31739@vacation.karoshi.com.> Message-ID: <20091201175919.GB1001@vacation.karoshi.com.> On Tue, Dec 01, 2009 at 11:00:35AM -0600, Paul Schmehl wrote: > --On Tuesday, December 01, 2009 10:15:05 -0600 > bmanning at vacation.karoshi.com wrote: > > > > >On Sun, Nov 29, 2009 at 11:32:25AM -0500, Avri Doria wrote: > >> > >>I guess i tend to want to push the meaning of 'Critical' to the edge of > >>'something without which there is no Internet' > >> > >>The question then becomes for me one of the locality and temporality of > >>that statement. Critical for the Internet at large, or Criticial for > >>Internet at some place in time. > >> > >>'Internet At large' works fine if by our definition being an Internet > >>means > >>reaches all people. But few people mean that, I think. > > > > the -only- people who really -NEED- to have reachability to all > >people are direct marketers. > > And they are in the class of communications I have no desire to > >receive - ever. > > There are only a small handful of scenarios that I can envision > > that > >would require the > > ability for everyone on the planet to communicate with everyone > > else > >on the planet. > > > > So...no need for 911 then? > well 911 service is not always 911 on the keypad - at least in a global context .. and rarely if ever runs on a best-effort service like the Internet. and even presuming 911 emergency service, as implemented in the USA, is the model your trying to emulate - a 911 call does not ring every telephone on the planet... or even the 911 service center 500 miles away. Its a local service. --bill From bmanning at vacation.karoshi.com Tue Dec 1 18:21:11 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Tue, 1 Dec 2009 18:21:11 +0000 Subject: [CII] Advocatus Diaboli In-Reply-To: <20091201181828.50087bb3.fx@recurity-labs.com> References: <20091201113759.c1f5312e.fx@recurity-labs.com> <20091201124405.GA25741@vacation.karoshi.com.> <012001ca7299$e98daf60$bca90e20$@org> <20091201160319.GA31739@vacation.karoshi.com.> <20091201181828.50087bb3.fx@recurity-labs.com> Message-ID: <20091201182111.GA1158@vacation.karoshi.com.> On Tue, Dec 01, 2009 at 06:18:28PM +0100, Felix 'FX' Lindner wrote: > Hi, > > On Tue, 1 Dec 2009 16:03:19 +0000 bmanning at vacation.karoshi.com wrote: > > > > i challenge your lema that there exists a global Internet > > > > that can > > > > -unilaterally- fail, taking out all communications over > > > > IP. > > > > > > Change the crisis to "major failure of the interconnection > > > dependencies of the Internet." > > > > > > It is hard to "take out the Internet." It is feasible to have the > > > interconnection dependencies massively disrupted. This disruption > > > would clear the path to continue with FX's thought experiment. > > > > > > > > > > ok... willing suspension of disbelief.... for now. > > I'll note - in passing - that if 99.98% of the global, > > interconnection dependencies of the Internet on a global > > scale, fail - and in the remaining 0.02% of remaining connectivity, > > I can reach / communicate with everyone I need to - then the > > Internet is not broken - FOR ME. > > that's exactly the point: assume it's broken for you and everyone else. > > Would you be able, with some considerable efforts of creativity, work, > money and whatnot, to keep functioning as an individual? How about the > place you work at? so triage is important. For the critical links for me, I have alternate communications paths - occasionally using non-telephony transport for my IP datagrams. They are even exercised on occasion. my work places, such as they are, have varying degrees of redundant/alternate communications paths. Some are very good indeed. Others use a single, lowcost provider (bundled services) and then pray the provider has some form of backup. (but being the lowcost provider, generally no). > If you can maintain your life (private and work) in the light of such > an event, who can you think of any entity that would absolutely not be > able to? It becomes a question of priority - what is the value proposition for maintaining adaquate capacity/alternate routing? Is there enouhg for everyone that depends on your network? In periods of reduced capability, who gets what? who decides? > What I'm after is a list of such entities, so we can later look at them > and see how "critical" they are. a few for your consideration: city governments regional governments soverigns tribal affiliations gangs intellegence cells families schools work teams corporations law enforcement operatives military units health worker teams disaster recovery teams explorers church/religious associations clubs etc. > An example of the entities that I think would be absolutely unable to > recover by other means of communication is Amazon, both their sales > business and cloud computing business, because they depend on being > reachable. reachable to whom? i suspect that amazon would survive even if large numbers of potential clients could not reach them if that unreachability was short enough. > But do we have any governmental entity that would be equally helpless? a number of examples come to mind. most recently the California Department of Motor Vehicles. They were helpless for three days with computer systems being inoperative. the folks who shut down the power grid in Sau Paulo for a couple of days and yet, were there health/safty problems or simply inconvience to those who had developed a dependency on these programs? > > > Lets face it - at any given point in time, some parts of the > > Internet are not functionally working/connected to other parts of > > the Internet. Its -always- partially broken. > > That's what we commonly refer to as the Internet being functional. > Just because we assume a full black-out for the experiment doesn't mean > the opposite is a completely connected and working Internet ;) well either case is a chimera... :) > > cheers > FX > > -- > Recurity Labs GmbH | Felix 'FX' Lindner > http://www.recurity-labs.com | fx at recurity-labs.com > Wrangelstrasse 4 | Fon: +49 30 69539993-0 > 10997 Berlin | PGP: A740 DE51 9891 19DF 0D05 > Germany | 13B3 1759 C388 C92D 6BBB > HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner From josmon at rigozsaurus.com Tue Dec 1 20:18:23 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Tue, 1 Dec 2009 13:18:23 -0700 Subject: [CII] terms and conditions In-Reply-To: References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> <20091201161505.GD31739@vacation.karoshi.com.> Message-ID: <20091201201823.GJ23087@jeeves.rigozsaurus.com> On Tue, Dec 01, 2009 at 11:00:35AM -0600, Paul Schmehl wrote: [...] > So...no need for 911 then? In actuality -- no. No need for 911 as such. 911 (and other equivalents) are just "shortcuts" across another infrastructure. The end application is a voice channel into a centralized dispatch center. In my hometown, there are several numbers to call that get you to the same dispatch center. 911 is just one that is easy to recall. The dispatch center has redundancy/resilancy on the telephony infrastructure -- so I'm reasonably assured that I can get and "open channel" to the dispath center if/when I need to do so. It's likely that I'm rare -- a citizen that is willing to ensure that they know how to get a hold of the dispatch center by dialing something other than '911'. Is 911 critical? No, not in my personal view. It's a helpful layer, but in a genuine emergency, I can function fine without it. From dotzero at gmail.com Tue Dec 1 20:38:19 2009 From: dotzero at gmail.com (Dotzero) Date: Tue, 1 Dec 2009 15:38:19 -0500 Subject: [CII] terms and conditions In-Reply-To: <20091201201823.GJ23087@jeeves.rigozsaurus.com> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> <20091201161505.GD31739@vacation.karoshi.com.> <20091201201823.GJ23087@jeeves.rigozsaurus.com> Message-ID: <7ae58c220912011238r382a12c2n67619c0079aeb576@mail.gmail.com> On Tue, Dec 1, 2009 at 3:18 PM, John Osmon wrote: > On Tue, Dec 01, 2009 at 11:00:35AM -0600, Paul Schmehl wrote: > [...] >> So...no need for 911 then? > > In actuality -- no. ?No need for 911 as such. > > 911 (and other equivalents) are just "shortcuts" across another > infrastructure. ?The end application is a voice channel into > a centralized dispatch center. > > In my hometown, there are several numbers to call that get you > to the same dispatch center. ?911 is just one that is easy > to recall. ?The dispatch center has redundancy/resilancy on > the telephony infrastructure -- so I'm reasonably assured > that I can get and "open channel" to the dispath center if/when > I need to do so. > > It's likely that I'm rare -- a citizen that is willing to ensure that > they know how to get a hold of the dispatch center by dialing something > other than '911'. > The fact that you know a number does not mean that the dispatch center has redundancy/resilancy. Are you sure that the multiple numbers run over different infrastructure? Would you bet your life? Never mind, you ARE betting your life that they designed it right. > Is 911 critical? ?No, not in my personal view. ?It's a helpful layer, > but in a genuine emergency, I can function fine without it. > I admire confidence in a person. From webdawg.security at gmail.com Tue Dec 1 20:59:20 2009 From: webdawg.security at gmail.com (Security Account (WebDawg)) Date: Tue, 1 Dec 2009 15:59:20 -0500 Subject: [CII] terms and conditions In-Reply-To: <20091201161505.GD31739@vacation.karoshi.com.> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> <20091201161505.GD31739@vacation.karoshi.com.> Message-ID: Can you define such scenarios and dive deeper into your point? On Tue, Dec 1, 2009 at 11:15 AM, wrote: > On Sun, Nov 29, 2009 at 11:32:25AM -0500, Avri Doria wrote: > > > > I guess i tend to want to push the meaning of 'Critical' to the edge of > 'something without which there is no Internet' > > > > The question then becomes for me one of the locality and temporality of > that statement. Critical for the Internet at large, or Criticial for > Internet at some place in time. > > > > 'Internet At large' works fine if by our definition being an Internet > means reaches all people. But few people mean that, I think. > > the -only- people who really -NEED- to have reachability to all > people are direct marketers. > And they are in the class of communications I have no desire to > receive - ever. > There are only a small handful of scenarios that I can envision that > would require the > ability for everyone on the planet to communicate with everyone else > on the planet. > > imho of course. > > --bill > > > > > a. > > _______________________________________________ > > CII mailing list > > CII at isotf.org > > http://isotf.org/mailman/listinfo/cii > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii > -------------- next part -------------- An HTML attachment was scrubbed... URL: From webdawg.security at gmail.com Tue Dec 1 20:55:46 2009 From: webdawg.security at gmail.com (Security Account (WebDawg)) Date: Tue, 1 Dec 2009 15:55:46 -0500 Subject: [CII] terms and conditions In-Reply-To: <20091201201823.GJ23087@jeeves.rigozsaurus.com> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> <20091201161505.GD31739@vacation.karoshi.com.> <20091201201823.GJ23087@jeeves.rigozsaurus.com> Message-ID: I disagree. Critical is a function of dependence of order as a whole. If 911 where not to work how many citizens would know the other number that one would need to dial. In the case of a heart attack one could lose precious minutes resulting in death. On Tue, Dec 1, 2009 at 3:18 PM, John Osmon wrote: > On Tue, Dec 01, 2009 at 11:00:35AM -0600, Paul Schmehl wrote: > [...] > > So...no need for 911 then? > > In actuality -- no. No need for 911 as such. > > 911 (and other equivalents) are just "shortcuts" across another > infrastructure. The end application is a voice channel into > a centralized dispatch center. > > In my hometown, there are several numbers to call that get you > to the same dispatch center. 911 is just one that is easy > to recall. The dispatch center has redundancy/resilancy on > the telephony infrastructure -- so I'm reasonably assured > that I can get and "open channel" to the dispath center if/when > I need to do so. > > It's likely that I'm rare -- a citizen that is willing to ensure that > they know how to get a hold of the dispatch center by dialing something > other than '911'. > > Is 911 critical? No, not in my personal view. It's a helpful layer, > but in a genuine emergency, I can function fine without it. > > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii > -------------- next part -------------- An HTML attachment was scrubbed... URL: From webdawg.security at gmail.com Tue Dec 1 21:34:06 2009 From: webdawg.security at gmail.com (Security Account (WebDawg)) Date: Tue, 1 Dec 2009 16:34:06 -0500 Subject: [CII] Advocatus Diaboli In-Reply-To: <20091201113759.c1f5312e.fx@recurity-labs.com> References: <20091201113759.c1f5312e.fx@recurity-labs.com> Message-ID: I suppose one answer this question one would have to understand what percentage of networks depend on other networks. How much do other countries depend on US's networks for communication and storage and vise versa? We are also talking about normal life but think about how much normal life has changed. Banks now send copies of checks electronically to clear faster. Do they have a backup plan What about the private networks that they lease or own for inter business communication? Are satellite communications down? Can I still ping my neighbor? What about TV networks? I understand the concept of though experiments but when I entertain one usually I make it as real as possible. If certain data centers and routing points in American where destroyed or attacked we would be screwed. Satellite communications can take over but do you remember how slow that can get? If your talking about some type of almost universal software attack that would somehow destroy the routing capabilities of most of the major internet routers this is something different. We should be talking about the types of communications that one needs in a crisis too. If the internet goes down what type of panic could spread? How much would our news slow down? What happens if critical news is misreported? How badly would this effect the stock market. Could it cause riots if someone reports something wrong? The world is going to end! Some stock traders have almost direct access to US stock market networks because of speed. From what I have read they almost automate trading via software algorithms. What could happen if other stock entities did not have access but this one did? What type of advantage or danger could this set? If we are going to talk about things in thought experiments, I think, that we need to take a more reality based 'reality.' You mentioned that everything is voice over ip. But then say that it isnt and standard copper networks exist that could handle even the daily load of citizen communication. Before I think that this is true I would like to know if it is? If all voice over ip networks go down can I speak to my family member in that other state? If not what kind of plan could possibly exist or does exist to fix this. With the level of connectivity gone that you are talking about one would have to assume that most private networks would be fine. Its when private networks are routed over public networks that the problem starts to exist. Medical Military Most News Organizations Any place that Uses email I have heard ideas about building private medical networks for safe transport of information in them. In my opinion this would not solve the problem. I would just need to gain access to the medical network. In fact it may be simpler to hack then the modern day internet network with all its traffic and protective layers. If we are talking about physical reliability then why not just add these links to the existing infrastructure? On Tue, Dec 1, 2009 at 5:37 AM, Felix 'FX' Lindner wrote: > Hi list, > > since the discussion about CI/CII exploded already into an > n-dimensional problem space, I would like to approach it from a > completely different angle and pose the following question as a > THOUGHT EXPERIMENT for discussion: > > **************** > Which governmental or commercial entity would be unable to recover > from a global and ongoing Internet outage? > **************** > > As we can define rules for thought experiements, here are the ones for > this: > > 1) > We shall not know what the reason of the outage is. Simply assume > whereever you connect to the Internet, it simply doesn't work (no > routing, no DNS). > > 2) > We shall assume that POTS (Plain Old Telephony System) is still > functioning. [Note: we all know that POTS cores are all VoIP these > days, but it's a thought experiment, so just play along] > > 4) > We shall assume that all other types or infrastructure are still > functioning, including power distribution, water and utilities. > [Note: we all know the argument that those may fail with Internet > outages, but it's a thought experiment, so just play along] > > 5) > How much of any localized networks will still work is up to the > participant of the thought experiment, but you shall reason why > something still works. > > Working hypothesis: > Any sufficiently important entity will apply creativity, priorization > and extra effort to get around the operational problems caused by the > unavailability of the Internet at large. The impact on societies and > their ability to support and protect human lives will be significantly > lower than commonly assumed. > > Goal of the thought experiment: > By identifying one or more entities that are unable to recover by any > means from a global and ongoing Internet outage, we might be able to > assess criticality of such entity, criticality of Internet components > as well as mitigation strategies that people would employ if forced to > using *actual*examples*. > > Enjoy, > FX > > -- > Recurity Labs GmbH | Felix 'FX' Lindner > http://www.recurity-labs.com | fx at recurity-labs.com > Wrangelstrasse 4 | Fon: +49 30 69539993-0 > 10997 Berlin | PGP: A740 DE51 9891 19DF 0D05 > Germany | 13B3 1759 C388 C92D 6BBB > HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii > -------------- next part -------------- An HTML attachment was scrubbed... URL: From morrow.long at yale.edu Tue Dec 1 21:33:39 2009 From: morrow.long at yale.edu (Morrow Long) Date: Tue, 1 Dec 2009 16:33:39 -0500 Subject: [CII] terms and conditions In-Reply-To: <20091201201823.GJ23087@jeeves.rigozsaurus.com> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> <20091201161505.GD31739@vacation.karoshi.com.> <20091201201823.GJ23087@jeeves.rigozsaurus.com> Message-ID: <49B34D97-1D03-4C76-91F9-B4A776D987F4@yale.edu> On Dec 1, 2009, at 3:55 PM, Security Account (WebDawg) wrote: > I disagree. Critical is a function of dependence of order as a > whole. If 911 where not to work how many citizens would know the > other number that one would need to dial. In the case of a heart > attack one could lose precious minutes resulting in death. Used to be that we dialed 0 (Zero) to get the police or fire department. I remember when one talked to the (human) operator and asked them for the appropriate emergency service. You can still do this I believe, though it probably slows down the response to your emergency. On Dec 1, 2009, at 3:18 PM, John Osmon wrote: > On Tue, Dec 01, 2009 at 11:00:35AM -0600, Paul Schmehl wrote: > [...] >> So...no need for 911 then? > > In actuality -- no. No need for 911 as such. What about E-911 -- this is new and didn't have an older analogous service. Is there a definite need for E-911? The modern automated emergency notification systems many towns and educational institutions now have which can notify you of emergencies via your cell phone, e-mail, etc. by a variety of methods (SMS, voice) are also new infrastructures which some might now consider critical though we got along without them in the past (and we had alternate emergency broadcast mechanisms on radio, TV and sirens (etc.). But are 911, E-911 and emergency notification systems 'infrastructures' -- they are built on top of other 'infrastructures' which had to already exist before they could come into existence. Are GPS location services now a "critical infrastructure" (there are now iPhone apps users who may think so...)? There may be drivers who have become so totally dependent upon having cellphones and GPS navigation that they would be lost (pun intentional) without them. Believe it or not there are already weekend hikers who get lost or run into other problems in the wilderness (e.g. the sun goes down quickly this time of year -- before many remember to walk out of the woods) who expect to call 911 on their cellphones to have someone come and rescue them. In Berlin, CT (in the Kensington area) at the main trail head for the Ragged Mountain Foundation Preserve there is now a sign posted by the local fire and rescue organization which says in effect "Hikers! We have to come here very frequently due to calls from hikers who have run into trouble. Note: we will need your location in the event you call 911. Please use a GPS (or phone with GPS) and keep your cell phone charged. " Two weekends ago I was there when several teams of fire rescue personnel began racing around the fire trails on ATVs calling out for a 79 year old walking a dog who was reported missing. There was also a low flying small aircraft which was sent up to circle as well -- I can't imagine the bill. In the US we have just come to assume that there is a number (or OnStar button) we can immediately call any time we get into the slightest trouble. Now there are areas of Ragged and other "mountains" (in other states they'd be called "hills") which don't have good cellphone coverage -- a condition which generally frightens Connecticut residents since we can almost always count on having fantastic coverage (5 signal strength bars and 3G), particularly along the densely populated interstate highway corridors. Morrow From kmaher at ebay.com Tue Dec 1 22:18:28 2009 From: kmaher at ebay.com (Maher, Kevin) Date: Tue, 1 Dec 2009 15:18:28 -0700 Subject: [CII] Advocatus Diaboli In-Reply-To: <20091201113759.c1f5312e.fx@recurity-labs.com> Message-ID: As part of the thought experiment I'll self-servingly propose that both eBay and amazon would be unable to recover, as online-only e-commerce companies with no physical presence. I work for eBay and will restrict my comments to what I know about our business, although I'm also a satisfied amazon customer (ssh). I'm also excluding PayPal's business model as I think it warrants separate consideration. I doubt any of these companies are considered "sufficiently important" or critical for anything other than themselves, but a statistic often quoted by eBay execs is that 750,000+ people use ebay for their primary or secondary source of income. The site is important to them. I do accept the fact that the world can live without eBay, and newspaper classified ads could make a big comeback. I'll assert that the creativity etc that goes into the neato packet-radio/POTS/BBS system that we put up as a replacement will fall significantly short of meeting the present needs of our buyers and sellers. It would be nothing remotely approaching what eBay is today, and would ultimately have less than 10% of our current transaction volume. Most of my colleagues would obviously lose their jobs. Not me though, I'm too important -- have to at least give me that in my own thought experiments. As for other online-only content providers and online-only marketplaces, I think they would all devolve to mailorder catalogs at best. I'd be interested to hear whether gmail, yahoo, or others would be considered critical. Kevin On 12/1/09 2:37 AM, "Felix 'FX' Lindner" wrote: > Hi list, > > since the discussion about CI/CII exploded already into an > n-dimensional problem space, I would like to approach it from a > completely different angle and pose the following question as a > THOUGHT EXPERIMENT for discussion: > > **************** > Which governmental or commercial entity would be unable to recover > from a global and ongoing Internet outage? > **************** > > As we can define rules for thought experiements, here are the ones for > this: > > 1) > We shall not know what the reason of the outage is. Simply assume > whereever you connect to the Internet, it simply doesn't work (no > routing, no DNS). > > 2) > We shall assume that POTS (Plain Old Telephony System) is still > functioning. [Note: we all know that POTS cores are all VoIP these > days, but it's a thought experiment, so just play along] > > 4) > We shall assume that all other types or infrastructure are still > functioning, including power distribution, water and utilities. > [Note: we all know the argument that those may fail with Internet > outages, but it's a thought experiment, so just play along] > > 5) > How much of any localized networks will still work is up to the > participant of the thought experiment, but you shall reason why > something still works. > > Working hypothesis: > Any sufficiently important entity will apply creativity, priorization > and extra effort to get around the operational problems caused by the > unavailability of the Internet at large. The impact on societies and > their ability to support and protect human lives will be significantly > lower than commonly assumed. > > Goal of the thought experiment: > By identifying one or more entities that are unable to recover by any > means from a global and ongoing Internet outage, we might be able to > assess criticality of such entity, criticality of Internet components > as well as mitigation strategies that people would employ if forced to > using *actual*examples*. > > Enjoy, > FX From josmon at rigozsaurus.com Tue Dec 1 22:23:31 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Tue, 1 Dec 2009 15:23:31 -0700 Subject: [CII] terms and conditions In-Reply-To: <7ae58c220912011238r382a12c2n67619c0079aeb576@mail.gmail.com> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> <20091201161505.GD31739@vacation.karoshi.com.> <20091201201823.GJ23087@jeeves.rigozsaurus.com> <7ae58c220912011238r382a12c2n67619c0079aeb576@mail.gmail.com> Message-ID: <20091201222331.GL23087@jeeves.rigozsaurus.com> On Tue, Dec 01, 2009 at 03:38:19PM -0500, Dotzero wrote: [...] > The fact that you know a number does not mean that the dispatch center > has redundancy/resilancy. Are you sure that the multiple numbers run > over different infrastructure? Would you bet your life? Never mind, > you ARE betting your life that they designed it right. Bringing up my life is distracting from the real point you've hit, and the one I've been trying to drive home: Services that are deemed critical are layered on other services. As we've moved towards packet services, the resliency of the "top" layer should have increased, as the underlying infrastucuture became less res reliant on single paths. If the underlying infrastructure has not kept up with the times, perhaps we should be concentrating on calling attention to that fact? As for betting my life on 911? Risk is typicallly caluculated as a product of probabilty and consqequence. The probability of needing 911 is low. The consequence of 911 failure could be high if 911 is my only means of getting help. Fortunately, I know that 911 isn't the only means of summoning help. Therefore, my personal risk works out to be: low * low == low risk factor. > > Is 911 critical? No, not in my personal view. It's a helpful layer, > > but in a genuine emergency, I can function fine without it. > > I admire confidence in a person. Yeah - but I don't try to project that upon the rest of society. So I'll help the 911 PSAPs in any way that I can. :-) From Heinz.Luck at dhl.com Tue Dec 1 22:31:25 2009 From: Heinz.Luck at dhl.com (Heinz Luck (DHL MY)) Date: Wed, 2 Dec 2009 06:31:25 +0800 Subject: [CII] REQUEST: terms and conditions Message-ID: All, Could you please ALL take me from your distribution lists!! I'm not interested to have my email box filled with this "no-value chat" and have not asked to be part of. Thanks. Best Regards Heinz Luck Head Production Services IT Services Asia Pacific ----- Original Message ----- From: cii-bounces at isotf.org To: Dotzero Cc: cii at isotf.org Sent: Wed Dec 02 06:23:31 2009 Subject: Re: [CII] terms and conditions On Tue, Dec 01, 2009 at 03:38:19PM -0500, Dotzero wrote: [...] > The fact that you know a number does not mean that the dispatch center > has redundancy/resilancy. Are you sure that the multiple numbers run > over different infrastructure? Would you bet your life? Never mind, > you ARE betting your life that they designed it right. Bringing up my life is distracting from the real point you've hit, and the one I've been trying to drive home: Services that are deemed critical are layered on other services. As we've moved towards packet services, the resliency of the "top" layer should have increased, as the underlying infrastucuture became less res reliant on single paths. If the underlying infrastructure has not kept up with the times, perhaps we should be concentrating on calling attention to that fact? As for betting my life on 911? Risk is typicallly caluculated as a product of probabilty and consqequence. The probability of needing 911 is low. The consequence of 911 failure could be high if 911 is my only means of getting help. Fortunately, I know that 911 isn't the only means of summoning help. Therefore, my personal risk works out to be: low * low == low risk factor. > > Is 911 critical? No, not in my personal view. It's a helpful layer, > > but in a genuine emergency, I can function fine without it. > > I admire confidence in a person. Yeah - but I don't try to project that upon the rest of society. So I'll help the 911 PSAPs in any way that I can. :-) _______________________________________________ CII mailing list CII at isotf.org http://isotf.org/mailman/listinfo/cii -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmslade at shaw.ca Wed Dec 2 02:53:33 2009 From: rmslade at shaw.ca (Robert Slade) Date: Tue, 01 Dec 2009 18:53:33 -0800 Subject: [CII] Fwd: [ NNSquad ] A Ridiculous Failure of Critical Infrastructure Message-ID: > wrote: > > > > Some kind of combination of failure between Charter and Qwest > has left > > tens of thousands of people in Nebraska without Internet and has > > disrupted the Internet and phone services for thousands > more.??? Right > > now, the outage is going on 12 hours and there is no ETA for > repair in > > sight. > > > > The word coming down is that the outage is on a Qwest fiber, > but it > > looks to me like both parties should be on the hot seat for > not having > > the ability to route around the problem.??? > There was a four hour? > > outage > > on Charter a week ago that was caused by a fiber cut in Gothenburg, > > Nebraska. > > That one killed everything west of the cut, but it was small > potatoes> compared to this one.?? Is this truly the > level of performance that we > > can expect from our major Internet backbone > providers??? It took me > > about 10 seconds to re-route my traffic to a backup provider - > you? > > would > > think that a couple of multimillion dollar companies would be > able to > > sort out a problem of this nature in a reasonable amount of > time.?? The > > small CLEC that I use for my backup connection had enough > capacity to > > route around the problem and was even able to lend me a little > bit? > > after > > 5pm when the traffic on their network (mostly businesses) > dropped off. > > It isn't rocket science to figure out how to route around an outage. > > > > Almost as frustrating is that there was NO news about the outages > > anywhere except on the social networking sites (Facebook, Twitter). > > One TV station in Hastings, NE put up a short story on their > website,> but I got more news from the tweets and FB posts that > people where > > posting from their cell phones than I did from anywhere > else.?? None of > > the network outage sites have any news about this. > > > > Could this be a harbinger of things to come??? I am > feeling pretty > > thankful right now that I have a choice in backbone providers > and that I > > kept a second one.?? Diversity is a good thing, and > this is a great > > example of why we need competition and multiple options for > Internet.> > > Matt Larsen > > vistabeam.com > > > > ------------------------------------------- > Archives: https://www.listbox.com/member/archive/247/=now > RSS Feed: https://www.listbox.com/member/archive/rss/247/ > Powered by Listbox: http://www.listbox.com > > ----- End forwarded message ----- From marc at marcd.org Wed Dec 2 03:50:10 2009 From: marc at marcd.org (Marc) Date: Tue, 1 Dec 2009 22:50:10 -0500 Subject: [CII] terms and conditions In-Reply-To: <49B34D97-1D03-4C76-91F9-B4A776D987F4@yale.edu> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> <20091201161505.GD31739@vacation.karoshi.com.> <20091201201823.GJ23087@jeeves.rigozsaurus.com> <49B34D97-1D03-4C76-91F9-B4A776D987F4@yale.edu> Message-ID: <02b001ca7302$8d45a140$a7d0e3c0$@org> > -----Original Message----- > From: cii-bounces at isotf.org [mailto:cii-bounces at isotf.org] On Behalf Of > Morrow Long > Sent: Tuesday, December 01, 2009 16:34 > To: John Osmon; Security Account (WebDawg) > Cc: cii at isotf.org > Subject: Re: [CII] terms and conditions > On Dec 1, 2009, at 3:55 PM, Security Account (WebDawg) wrote: > > I disagree. Critical is a function of dependence of order as a > > whole. If 911 where not to work how many citizens would know the > > other number that one would need to dial. In the case of a heart > > attack one could lose precious minutes resulting in death. > > Used to be that we dialed 0 (Zero) to get the police or fire > department. > At least here in CT, there is actually a requirement to dial 911. Facilities such as nursing homes can no longer call the local ambulance company to transport a patient for non-routine things. They must call 911. There are numerous public service announcements - even our Governor has one - stating to call 911 in an emergency and to be sure to state your exact location. When people are officially told 'this is what you do in an emergency', that system really needs to be available, and does become critical. From Jon.Crowcroft at cl.cam.ac.uk Wed Dec 2 04:58:28 2009 From: Jon.Crowcroft at cl.cam.ac.uk (Jon Crowcroft) Date: Wed, 02 Dec 2009 04:58:28 +0000 Subject: [CII] Advocatus Diaboli In-Reply-To: References: <20091201113759.c1f5312e.fx@recurity-labs.com> Message-ID: there was quite a lot of work in the ietf on emergency preparedness - c.f. http://www.ietf.org/proceedings/53/I-D/draft-brown-ieprep-sec-00.txt and this book came out http://books.google.co.uk/books?id=FFbk45g_hJsC&dq=ian+brown+carlberg&printsec=frontcover&source=bl&ots=Z64kirWcVe&sig=t_yBL_f1ppZrKSB3EmwKobQinuU&hl=en&ei=hvIVS8rPFoT84Abj_7DVBg&sa=X&oi=book_result&ct=result&resnum=1&ved=0CAgQ6AEwAA#v=onepage&q=&f=false there's also a lot of national and eu iniatives on critical infrastructure which people here seem to be reinventing slowly... you can google away for this stuff provided their datacenters aren't down or hosed or gasping for air or electricity:) j. From ocl at gih.com Wed Dec 2 08:56:13 2009 From: ocl at gih.com (Olivier MJ Crepin-Leblond) Date: Wed, 2 Dec 2009 09:56:13 +0100 Subject: [CII] terms and conditions References: <20091128053655.GA24114@jeeves.rigozsaurus.com><4B11A55A.30671.120829BB@localhost><20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org><20091201161505.GD31739@vacation.karoshi.com.> <20091201175919.GB1001@vacation.karoshi.com.> Message-ID: <936A66B5774549B8A9B0E25DECFFD320@GIH.CO.UK> > well 911 service is not always 911 on the keypad - at least in a global > context .. and rarely if ever runs on a best-effort service like the > Internet. > > and even presuming 911 emergency service, as implemented in the USA, is > the model your trying to emulate - a 911 call does not ring every > telephone > on the planet... or even the 911 service center 500 miles away. Its a > local > service. I've been trying to stay out of this conversation because I'm seriously unsure about its usefulness. For information about emergency numbers, read: http://en.wikipedia.org/wiki/Emergency_telephone_number 112 is becoming the international norm: http://en.wikipedia.org/wiki/1-1-2 As a bonus, both pages will explain "local" routing of this number. O. From ge at linuxbox.org Wed Dec 2 13:45:05 2009 From: ge at linuxbox.org (Gadi Evron) Date: Wed, 02 Dec 2009 15:45:05 +0200 Subject: [CII] let's move past definitions In-Reply-To: References: <20091201113759.c1f5312e.fx@recurity-labs.com>

Message-ID: <4B166F61.2080000@linuxbox.org> Jon Crowcroft wrote: > there was quite a lot of work in the ietf on emergency preparedness - > c.f. > http://www.ietf.org/proceedings/53/I-D/draft-brown-ieprep-sec-00.txt > and this book came out > > http://books.google.co.uk/books?id=FFbk45g_hJsC&dq=ian+brown+carlberg&printsec=frontcover&source=bl&ots=Z64kirWcVe&sig=t_yBL_f1ppZrKSB3EmwKobQinuU&hl=en&ei=hvIVS8rPFoT84Abj_7DVBg&sa=X&oi=book_result&ct=result&resnum=1&ved=0CAgQ6AEwAA#v=onepage&q=&f=false > > there's also a lot of national and eu iniatives on critical > infrastructure which people here seem to be reinventing slowly... > > you can google away for this stuff provided their datacenters aren't > down or hosed or gasping for air or electricity:) > > j. Indeed, but discovering a common language is not a bad idea. I think there is general consensus (in a very loose meaning of the word) that critical infrastructure is: 1. Perspective and scale-based (for individuals, organizations, countries, the whole net, etc.) 2. Essential so that the infrastructure works and everything else dependent works. 3. Needs protection. From our perspective, we limit ourselves in our agenda to the infrastructure of the internet in a local and global sense. That means: 1. Infrastructure the internet needs to exist (trucks and tubes? Electricity?) 2. Infrastructure so that technically, communication is possible (BGP, etc.) 3. Infrastructure so that applications can functions (DNS, etc.) 4. Critical services without which the internet will be heavily impacted (open definition for now) 5. Critical services which are deemed important for the daily usage of the internet (email, Google, etc.) Let's work to finalize this to some form of the most generic agreement, so that we can move on. This seems like Rob's and Bill's baby, so unless someone has any major issue... Bill, Rob, think that you can make sense of this for us to use for future reference? Gadi. From bmanning at vacation.karoshi.com Wed Dec 2 14:31:55 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Wed, 2 Dec 2009 14:31:55 +0000 Subject: [CII] Advocatus Diaboli In-Reply-To: References: <20091201113759.c1f5312e.fx@recurity-labs.com> <20091201124405.GA25741@vacation.karoshi.com.> <012001ca7299$e98daf60$bca90e20$@org> <20091201160319.GA31739@vacation.karoshi.com.> Message-ID: <20091202143155.GA11548@vacation.karoshi.com.> On Tue, Dec 01, 2009 at 11:37:16AM -0500, tvest at eyeconomics.com wrote: > > On Dec 1, 2009, at 11:03 AM, bmanning at vacation.karoshi.com wrote: > > >On Tue, Dec 01, 2009 at 07:20:55AM -0800, Barry Raveendran Greene > >wrote: > >> > >> > >>> i challenge your lema that there exists a global Internet that > >>>can > >>> -unilaterally- fail, taking out all communications over IP. > >> > >>Change the crisis to "major failure of the interconnection > >>dependencies of > >>the Internet." > >> > >>It is hard to "take out the Internet." It is feasible to have the > >>interconnection dependencies massively disrupted. This disruption > >>would > >>clear the path to continue with FX's thought experiment. > >> > >> > > > > ok... willing suspension of disbelief.... for now. > > I'll note - in passing - that if 99.98% of the global, > > interconnection dependencies of the Internet on a global scale, > > fail - and in the remaining 0.02% of remaining connectivity, > > I can reach / communicate with everyone I need to - then the > > Internet is not broken - FOR ME. > > Hi Bill, > > Could you clarify your "can reach / communicate with everyone I need > to" condition a bit? seems pretty clear to me... :) > > Would it suffice to be "not broken" if you could each / communicate > with everyone/everything you've ever needed to up to the moment of > that 99.8% failure? Or does your assertion imply that the remaining > 0.2% would have to encompass everyone you've needed to reach / > communicate with in the past *plus* everyone you personally will need > to reach / communicate communicate in the future? two questions there Tom... ) I never see/know of the 99.8% failures ) the future may require work. > > IMO this distinction is the point at which e2e becomes an unavoidable > component of the CI debate. > > > Lets face it - at any given point in time, some parts of the Internet > > are not functionally working/connected to other parts of the > >Internet. > > Its -always- partially broken. > > > > The critical (imho) components of this best-effort service are: > > > > :: triage - who gets cut off and why > > :: restoration - who gets added first and why > > The term "restoration" makes sense given this particular thought > experiment, but the corresponding definition you provide sounds like > it might cover more than just those being "restored" -- was that > intentional? yes > > In case it's not obvious, such distinctions could have profound real- > world consequences. Suppose, for example, the emergency that we face > is not sudden or event-driven ala "outage," but rather cumulative and > ecological in origin? What if the only prospects for restoration are > equally slow and uncertain? Should triage and restoration rules be > different than in cases where a quick fix is more-or-less assured? I suspect so. > Would your answer to the previous question about who and what you > personally need to reach / communicate with be different if you knew > that your own restoration might be years in coming, or never come at > all? yes - socially there is a heirarchy. family comes first. > TV > > > From fx at recurity-labs.com Wed Dec 2 15:55:30 2009 From: fx at recurity-labs.com (Felix 'FX' Lindner) Date: Wed, 2 Dec 2009 16:55:30 +0100 Subject: [CII] Advocatus Diaboli In-Reply-To: References: <20091201113759.c1f5312e.fx@recurity-labs.com> Message-ID: <20091202165530.32b23c27.fx@recurity-labs.com> On Tue, 1 Dec 2009 16:34:06 -0500 "Security Account (WebDawg)" wrote: > We are also talking about normal life but think about how much normal > life has changed. > > Banks now send copies of checks electronically to clear faster. Do > they have a backup plan What about the private networks that they > lease or own for inter business communication? Yes, rumor has it that the North American banking system slowly arrives in the electronic age. > Are satellite communications down? > > Can I still ping my neighbor? > > What about TV networks? > > I understand the concept of though experiments but when I entertain > one usually I make it as real as possible. If certain data centers > and routing points in American where destroyed or attacked we would > be screwed. If you need it more clearly cut, how about a full failure of BGP routing software. Let's suppose someone finds a flaw in the route selection algorithms of BGP->RoutingTable. It's relatively unlikely but would cause the effect I'm looking at. > Satellite communications can take over but do you remember how slow > that can get? On top of it, everyone gets to see your down-link, so you may not be happy with that option or cause confidentiality problems that you did not have before, making this option worthless to you. > If your talking about some type of almost universal software attack > that would somehow destroy the routing capabilities of most of the > major internet routers this is something different. Consider that's the case. > We should be talking about the types of communications that one needs > in a crisis too. If the internet goes down what type of panic could > spread? How much would our news slow down? What happens if critical > news is misreported? How badly would this effect the stock market. > Could it cause riots if someone reports something wrong? It could, but then again, so does every major crisis. News are rarely accurate until about 12h-24h after the initial incident. > Some stock traders have almost direct access to US stock market > networks because of speed. From what I have read they almost > automate trading via software algorithms. What could happen if other > stock entities did not have access but this one did? What type of > advantage or danger could this set? When thinking of that thought experiment, I did assume that stock market trading would be suspended immediately, just as it was a couple of times in recent years when a major crisis started. Suspension has been the tool of choice in any event that could negatively affect stock prices lately. > If we are going to talk about things in thought experiments, I think, > that we need to take a more reality based 'reality.' Here you go :) > You mentioned that everything is voice over ip. But then say that it > isnt and standard copper networks exist that could handle even the > daily load of citizen communication. Before I think that this is > true I would like to know if it is? If all voice over ip networks go > down can I speak to my family member in that other state? If not > what kind of plan could possibly exist or does exist to fix this. That's a question for the telcos. However, at least in European telco networks, the copper is still there (and more so deployed, due to DSL), but the telephony switch core (formerly digital systems like EWSDs) all move to VoIP. But as long as the VoIP systems don't use the Internet for transport (which, AFAIK, they don't), you should be able to call your people in the same town. > With the level of connectivity gone that you are talking about one > would have to assume that most private networks would be fine. If they use their own connections, that's correct. > Its when private networks are routed over public networks that the > problem starts to exist. > > Medical So, assumed medical institutions have routed all their stuff over the Internet and it doesn't work anymore, what impact would that have on their ability to perform their function (i.e. doctors working)? I don't see how that lack of Internet would limit them. > Military Same applies here, what function of the military organisation will fail without Internet transport? > Most News Organizations Why is that? Satellite should still work. > Any place that Uses email Rather: any place that depends on Email. That should be a lot less. > I have heard ideas about building private medical networks for safe > transport of information in them. In my opinion this would not solve > the problem. I would just need to gain access to the medical > network. In fact it may be simpler to hack then the modern day > internet network with all its traffic and protective layers. If we > are talking about physical reliability then why not just add these > links to the existing infrastructure? I have not mentioned any deliberate attack. Consider a crash a fault, and an attack a so-called "sponsored fault". cheers FX -- Recurity Labs GmbH | Felix 'FX' Lindner http://www.recurity-labs.com | fx at recurity-labs.com Wrangelstrasse 4 | Fon: +49 30 69539993-0 10997 Berlin | PGP: A740 DE51 9891 19DF 0D05 Germany | 13B3 1759 C388 C92D 6BBB HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner From tvest at eyeconomics.com Wed Dec 2 16:02:59 2009 From: tvest at eyeconomics.com (tvest at eyeconomics.com) Date: Wed, 2 Dec 2009 11:02:59 -0500 Subject: [CII] Advocatus Diaboli In-Reply-To: <20091202143155.GA11548@vacation.karoshi.com.> References: <20091201113759.c1f5312e.fx@recurity-labs.com> <20091201124405.GA25741@vacation.karoshi.com.> <012001ca7299$e98daf60$bca90e20$@org> <20091201160319.GA31739@vacation.karoshi.com.> <20091202143155.GA11548@vacation.karoshi.com.> Message-ID: <6E1E55EB-8ECC-40B0-9F47-103FDA015242@eyeconomics.com> On Dec 2, 2009, at 9:31 AM, bmanning at vacation.karoshi.com wrote: > On Tue, Dec 01, 2009 at 11:37:16AM -0500, tvest at eyeconomics.com wrote: >> >> On Dec 1, 2009, at 11:03 AM, bmanning at vacation.karoshi.com wrote: >> >>> On Tue, Dec 01, 2009 at 07:20:55AM -0800, Barry Raveendran Greene >>> wrote: >>>> >>>> >>>>> i challenge your lema that there exists a global Internet that >>>>> can >>>>> -unilaterally- fail, taking out all communications over IP. >>>> >>>> Change the crisis to "major failure of the interconnection >>>> dependencies of >>>> the Internet." >>>> >>>> It is hard to "take out the Internet." It is feasible to have the >>>> interconnection dependencies massively disrupted. This disruption >>>> would >>>> clear the path to continue with FX's thought experiment. >>>> >>>> >>> >>> ok... willing suspension of disbelief.... for now. >>> I'll note - in passing - that if 99.98% of the global, >>> interconnection dependencies of the Internet on a global scale, >>> fail - and in the remaining 0.02% of remaining connectivity, >>> I can reach / communicate with everyone I need to - then the >>> Internet is not broken - FOR ME. >> >> Hi Bill, >> >> Could you clarify your "can reach / communicate with everyone I need >> to" condition a bit? > > seems pretty clear to me... :) > >> >> Would it suffice to be "not broken" if you could each / communicate >> with everyone/everything you've ever needed to up to the moment of >> that 99.8% failure? Or does your assertion imply that the remaining >> 0.2% would have to encompass everyone you've needed to reach / >> communicate with in the past *plus* everyone you personally will need >> to reach / communicate communicate in the future? > > two questions there Tom... > > ) I never see/know of the 99.8% failures Sorry, decimal placement error -- should have been 99.98% / 0.02% -- i.e., was just trying to parrot your statement. I wasn't trying to make any kind of point about the plausibility of the scenario itself, just about what would be required to satisfy the "not broken FOR ME" condition. > ) the future may require work. Let's hope so! But more seriously, it seems to me that the "net present confidence" that one can have about the Internet remaining not-broken-for-me following a significant change-event is highly sensitive to (at least) three variables: 1. the absolute number and splay of people and things you've demonstrably needed to reach/communicate with in the past; 2. the duration of the change-event, i.e., until ex ante conditions are restored or everyone accepts the ex post conditions as the new status quo; 3. the diff of operating conditions before and after the change-event. I chimed in because it seemed to me that your original formulation, not broken for me = I can personally reach/communicate with everyone that I need to reach/communicate with made light of the very real, non-theoretical requirement that this condition would need to be sustained *over time* under conditions that might be quite unlike those that exist today. In my last message I emphasized the idea of a long duration event, or one that might conceivably represent a permanent shift to a new, less attractive status quo. However, if you think about it all of the problems that one might associate with that kind of situation differ only by degrees from the kind of short-term challenges that (I think) the creators of this list originally had in mind. In either case, the change in operating conditions that (definitionally) marks such events is likely to dramatically affect condition (1, above) -- and in ways that would be difficult if not impossible to anticipate fully in advance. That's why I suggested that e2e is directly relevant to the challenge of sustaining CI in times of traumatic change. If the goal of emergency planning is to increase net present confidence that such moments will less than maximally debilitating, e.g., by taking steps to minimize the absolute scope/scale/intensity/duration of the associated trauma, then I would hope that the importance of e2e continues to receive all due consideration from everyone who's involved in emergency planning at any/every level. >> IMO this distinction is the point at which e2e becomes an unavoidable >> component of the CI debate. >> >>> Lets face it - at any given point in time, some parts of the >>> Internet >>> are not functionally working/connected to other parts of the >>> Internet. >>> Its -always- partially broken. >>> >>> The critical (imho) components of this best-effort service are: >>> >>> :: triage - who gets cut off and why >>> :: restoration - who gets added first and why >> >> The term "restoration" makes sense given this particular thought >> experiment, but the corresponding definition you provide sounds like >> it might cover more than just those being "restored" -- was that >> intentional? > > yes Ok >> In case it's not obvious, such distinctions could have profound real- >> world consequences. Suppose, for example, the emergency that we face >> is not sudden or event-driven ala "outage," but rather cumulative and >> ecological in origin? What if the only prospects for restoration are >> equally slow and uncertain? Should triage and restoration rules be >> different than in cases where a quick fix is more-or-less assured? > > I suspect so. Ok. I'd personally be very interested in discussing *how* such triage and restoration rules should differ in cases where a quick fix is known to be impossible. If you (or any other list members) have any thoughts on that count that you'd be willing to share, I'd love to hear them... >> Would your answer to the previous question about who and what you >> personally need to reach / communicate with be different if you knew >> that your own restoration might be years in coming, or never come at >> all? > > yes - socially there is a heirarchy. family comes first. I personally understand and share your sentiment here, as I suspect most *individuals* do. That said, I don't think that I'd feel the same way if this were the formal emergency management policy position of every (or any) official steward of a major piece of global critical infrastructure. "Every man for himself" doesn't scale well, especially if the vast majority of people rely on a tiny minority of people to maintain the infrastructure elements that are "critical" to everyone... the elements that make e2e possible, for example... TV From fx at recurity-labs.com Wed Dec 2 16:02:16 2009 From: fx at recurity-labs.com (Felix 'FX' Lindner) Date: Wed, 2 Dec 2009 17:02:16 +0100 Subject: [CII] Advocatus Diaboli In-Reply-To: References: <20091201113759.c1f5312e.fx@recurity-labs.com> Message-ID: <20091202170216.05ab8829.fx@recurity-labs.com> Hi, On Tue, 1 Dec 2009 15:18:28 -0700 "Maher, Kevin" wrote: > As part of the thought experiment I'll self-servingly propose that > both eBay and amazon would be unable to recover, as online-only > e-commerce companies with no physical presence. I work for eBay and > will restrict my comments to what I know about our business, although > I'm also a satisfied amazon customer (ssh). I'm also excluding > PayPal's business model as I think it warrants separate consideration. > > I doubt any of these companies are considered "sufficiently > important" or critical for anything other than themselves, but a > statistic often quoted by eBay execs is that 750,000+ people use ebay > for their primary or secondary source of income. The site is > important to them. I do accept the fact that the world can live > without eBay, and newspaper classified ads could make a big comeback. That eBay quoted figure is a fairly interesting observation. Do you think a break-down in cash flow for 750.000+ people could cause cascade effects? By the way, I wasn't considering a permanent outage to the point where classified ads in papers take over eBay's market share :) > I'll assert that the creativity etc that goes into the neato > packet-radio/POTS/BBS system that we put up as a replacement will fall > significantly short of meeting the present needs of our buyers and > sellers. It would be nothing remotely approaching what eBay is today, > and would ultimately have less than 10% of our current transaction > volume. That's one creative hack I was considering: Would eBay or similar shops set up or rent large dial-up modem banks in order to be available? > I'd be interested to hear whether gmail, yahoo, or others > would be considered critical. Alternatively, what use would gmail and yahoo have? How about all the gmail users connecting directly (dial-up, GSM, etc) to Google's data center and using gmail "internally"? It would be the only email platform still functioning in such scenario. cheers FX -- Recurity Labs GmbH | Felix 'FX' Lindner http://www.recurity-labs.com | fx at recurity-labs.com Wrangelstrasse 4 | Fon: +49 30 69539993-0 10997 Berlin | PGP: A740 DE51 9891 19DF 0D05 Germany | 13B3 1759 C388 C92D 6BBB HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner From joe at oregon.uoregon.edu Wed Dec 2 13:57:07 2009 From: joe at oregon.uoregon.edu (Joe St Sauver) Date: Wed, 2 Dec 2009 06:57:07 -0700 (PDT) Subject: [CII] Advocatus Diaboli Message-ID: <09120207570752_25FC0@oregon.uoregon.edu> Felix mentioned: #If you need it more clearly cut, how about a full failure of BGP #routing software. Let's suppose someone finds a flaw in the route #selection algorithms of BGP->RoutingTable. It's relatively unlikely but #would cause the effect I'm looking at. I'm not sure that *any* new BGP vulnerability is required for BGP-based failures... The sheer vulnerability of BGP to hostile announcement of more specific routes is already sufficient to make BGP a major potential point of failure. See, for example, http://www.uoregon.edu/~joe/fall2006mm/ #> Satellite communications can take over but do you remember how slow #> that can get? # #On top of it, everyone gets to see your down-link, so you may not be #happy with that option or cause confidentiality problems that you did #not have before, making this option worthless to you. I'd flag *both* throughput *and* latency issues. Satellite is not a fungible replacement for fiber either for applications that are highly interactive, or for applications that need to quickly move large files. Encryption can potentially reduce the eavesdropping issue. #When thinking of that thought experiment, I did assume that stock #market trading would be suspended immediately, just as it was a couple #of times in recent years when a major crisis started. You don't have to look years back, consider the LSE experience in November: www.thelondondailynews.com/computer-problems-crash-london-stock-exchange-damage-londons-image-p-3507.html http://www.ft.com/cms/s/0/960aa0ae-daf5-11de-933d-00144feabdc0.html #Suspension has been the tool of choice in any event that could negatively #affect stock prices lately. Suspensions are... interesting... in a world where there are multiple exchanges in operation, particularly when it comes to how pending orders are handled following a suspension. Consider, for example: -- I submit an order to sell a couple thousand shares of , but while that order is pending, the exchange crashes. -- The price of that stock begins to drop precipitously (for example, hypothetically assume that provided the systems that crashed :-)) -- Do I endeavor to sell those shares "again" on a different exchange that is still up? If so, can I positively cancel the pending transaction on the original exchange? (Or could I end up selling the same shares twice?) -- If my primary exchange "loses" my original transaction, and I don't use an alternative exchange that's still up, is it possible that I might end up not selling any of my shares at all? -- What if my primary exchange honors my original transaction, but does so at the (now far lower) price that is in effect at the time the exchange comes back up? #But as long as the VoIP systems don't use the Internet #for transport (which, AFAIK, they don't), you should be able to call #your people in the same town. VoIP providers do use packet networks for transport. Trivial example: many consumer-grade VoIP users connect over existing consumer broadband connections, and VoIP providers routinely use packet transport for long haul trunks. #So, assumed medical institutions have routed all their stuff over the #Internet and it doesn't work anymore, what impact would that have on #their ability to perform their function (i.e. doctors working)? I don't #see how that lack of Internet would limit them. Most pharmacies, including most hospital pharmacies, limit the quanitity of drugs they carry at any given time (huge number of SKUs, wasting asset that goes bad if not used by expiration date, some products cost (literally) thousands of dollars/dose (example: a single syringe/single dose of Neulasta, a drug used to boost white blood cell counts in patients undergoing chemotherapy for cancer, can cost US$7,000), etc.). And then there are things like radiopharmaceuticals, which again are ordered on an as-needed basis, or medical gases (oxygen, obviously, but also gaseous anesthesia agents, and even liquid helium to cool some advanced imaging devicees). As a result, as a business decision, pharmacies order and receive new (and critically needed) supplies of drugs literally on a daily basis. That sort of "just-in-time" inventory processing requires tight supply chain integration that would quickly become impossible if the Internet were to go away. And it's not just drugs... consider medical and surgical supplies (there's a tremendous amount of stuff that gets used for any procedure or examination, ranging from Tyvek gowns and drapes, to gloves and masks, sterilizing agents, housekeeping supplies, x-ray film, contrast agents, casting supplies for broken bones, orthopedic implants and screws, urine specimen cups, blood collection tubes, tongue depressors, swabs, you name it). Non-pharmaceutical medical and surgical supplies are HUGE as a supply chain issue. #> Military # #Same applies here, what function of the military organisation will fail #without Internet transport? The same b*tch that all too often keeps fighting men and women from doing their jobs: logistics (supply). Moving fuel, ammunition, food and medicine to keep up with a highly mobile fighting force is largely coordinated over the network these days. Likewise, sharing tactical intelligence gets a whole lot harder if the network isn't up, just to mention a second example. Regards, Joe From fx at recurity-labs.com Wed Dec 2 17:02:54 2009 From: fx at recurity-labs.com (Felix 'FX' Lindner) Date: Wed, 2 Dec 2009 18:02:54 +0100 Subject: [CII] Advocatus Diaboli In-Reply-To: <09120207570752_25FC0@oregon.uoregon.edu> References: <09120207570752_25FC0@oregon.uoregon.edu> Message-ID: <20091202180254.86045fec.fx@recurity-labs.com> On Wed, 2 Dec 2009 06:57:07 -0700 (PDT) "Joe St Sauver" wrote: > Felix mentioned: > > #If you need it more clearly cut, how about a full failure of BGP > #routing software. Let's suppose someone finds a flaw in the route > #selection algorithms of BGP->RoutingTable. It's relatively unlikely > #but would cause the effect I'm looking at. > > I'm not sure that *any* new BGP vulnerability is required for > BGP-based failures... The sheer vulnerability of BGP to hostile > announcement of more specific routes is already sufficient to make > BGP a major potential point of failure. See, for example, > http://www.uoregon.edu/~joe/fall2006mm/ Sure, but it would be too well known a problem to convey the idea behind the experiment. I wanted to skip the "but we know how to filter" discussion with Tier1 operators ;) > #> Satellite communications can take over but do you remember how slow > #> that can get? > # > #On top of it, everyone gets to see your down-link, so you may not be > #happy with that option or cause confidentiality problems that you did > #not have before, making this option worthless to you. > > I'd flag *both* throughput *and* latency issues. Satellite is not a > fungible replacement for fiber either for applications that are highly > interactive, or for applications that need to quickly move large > files. Agreed, but wouldn't it still be the most widely used alternative anyway? > Encryption can potentially reduce the eavesdropping issue. If you can get your key distribution figured out in an emergency ;) > #Suspension has been the tool of choice in any event that could > #negatively affect stock prices lately. > > Suspensions are... interesting... in a world where there are multiple > exchanges in operation, particularly when it comes to how pending > orders are handled following a suspension. Consider, for example: > > -- I submit an order to sell a couple thousand shares of , but > while that order is pending, the exchange crashes. > > -- The price of that stock begins to drop precipitously (for example, > hypothetically assume that provided the systems that > crashed :-)) > > -- Do I endeavor to sell those shares "again" on a different exchange > that is still up? If so, can I positively cancel the pending > transaction on the original exchange? (Or could I end up selling > the same shares twice?) > > -- If my primary exchange "loses" my original transaction, and I > don't use an alternative exchange that's still up, is it possible that > I might end up not selling any of my shares at all? > > -- What if my primary exchange honors my original transaction, but > does so at the (now far lower) price that is in effect at the > time the exchange comes back up? Indeed interesting, but isn't that what settlements are for? As long as both trading partners didn't settle your transaction, it didn't happen AFAIK. > #But as long as the VoIP systems don't use the Internet > #for transport (which, AFAIK, they don't), you should be able to call > #your people in the same town. > > VoIP providers do use packet networks for transport. Trivial example: > many consumer-grade VoIP users connect over existing consumer > broadband connections, and VoIP providers routinely use packet > transport for long haul trunks. Packet transport != Internet. We already concluded that most private networks would still work, which would also hold true for the connection of the consumer-grade VoIP user over broadband to the provider's next data center. That's why I mentioned "same town", as long haul using encapsulation over the Internet would probably be a problem. > #So, assumed medical institutions have routed all their stuff over the > #Internet and it doesn't work anymore, what impact would that have on > #their ability to perform their function (i.e. doctors working)? I > #don't see how that lack of Internet would limit them. > > Most pharmacies, including most hospital pharmacies, limit the > quanitity of drugs they carry at any given time (huge number of SKUs, > wasting asset that goes bad if not used by expiration date, some > products cost (literally) thousands of dollars/dose (example: a > single syringe/single dose of Neulasta, a drug used to boost white > blood cell counts in patients undergoing chemotherapy for cancer, can > cost US$7,000), etc.). And then there are things like > radiopharmaceuticals, which again are ordered on an as-needed basis, > or medical gases (oxygen, obviously, but also gaseous anesthesia > agents, and even liquid helium to cool some advanced imaging > devicees). > > As a result, as a business decision, pharmacies order and receive new > (and critically needed) supplies of drugs literally on a daily basis. > That sort of "just-in-time" inventory processing requires tight > supply chain integration that would quickly become impossible if the > Internet were to go away. > > And it's not just drugs... consider medical and surgical supplies > (there's a tremendous amount of stuff that gets used for any > procedure or examination, ranging from Tyvek gowns and drapes, to > gloves and masks, sterilizing agents, housekeeping supplies, x-ray > film, contrast agents, casting supplies for broken bones, orthopedic > implants and screws, urine specimen cups, blood collection tubes, > tongue depressors, swabs, you name it). Non-pharmaceutical medical > and surgical supplies are HUGE as a supply chain issue. But again, wouldn't placing the order by phone or even messenger (the intern in his car) still take place? > #> Military > # > #Same applies here, what function of the military organisation will > #fail without Internet transport? > > The same b*tch that all too often keeps fighting men and women from > doing their jobs: logistics (supply). Moving fuel, ammunition, food > and medicine to keep up with a highly mobile fighting force is > largely coordinated over the network these days. I am tempted to agree here, since I can imagine the military actually relying on the Internet for logistics (which would be a bad decision, especially for them). Do we have any evidence that this is in fact the case? > Likewise, sharing tactical intelligence gets a whole lot harder if the > network isn't up, just to mention a second example. How so? Isn't the military the one group that has many different communication methods at its disposal? cheers FX -- Recurity Labs GmbH | Felix 'FX' Lindner http://www.recurity-labs.com | fx at recurity-labs.com Wrangelstrasse 4 | Fon: +49 30 69539993-0 10997 Berlin | PGP: A740 DE51 9891 19DF 0D05 Germany | 13B3 1759 C388 C92D 6BBB HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner From joe at oregon.uoregon.edu Wed Dec 2 15:14:06 2009 From: joe at oregon.uoregon.edu (Joe St Sauver) Date: Wed, 2 Dec 2009 08:14:06 -0700 (PDT) Subject: [CII] Advocatus Diaboli Message-ID: <09120209140625_25FC0@oregon.uoregon.edu> Felix commented: #> I'm not sure that *any* new BGP vulnerability is required for #> BGP-based failures... The sheer vulnerability of BGP to hostile #> announcement of more specific routes is already sufficient to make #> BGP a major potential point of failure. See, for example, #> http://www.uoregon.edu/~joe/fall2006mm/ # #Sure, but it would be too well known a problem to convey the idea #behind the experiment. I wanted to skip the "but we know how to filter" #discussion with Tier1 operators ;) Tier 1 providers may know how to filter, but we've seen from natural experiments that plenty of others may not (and for a proof by example, I give you the Pakistan Youtube incident, see http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml ) #> I'd flag *both* throughput *and* latency issues. Satellite is not a #> fungible replacement for fiber either for applications that are highly #> interactive, or for applications that need to quickly move large #> files. # #Agreed, but wouldn't it still be the most widely used alternative #anyway? Sure, but my point is that there are some applications which simply won't work, or if they do work, they'll work poorly. The problem is that some people will consider them to be perfect substitutes, but they're not. #> Encryption can potentially reduce the eavesdropping issue. # #If you can get your key distribution figured out in an emergency ;) On the fly key negotiation is an option (ala ssh), but then MITM issues are the issue, of course. #> VoIP providers do use packet networks for transport. Trivial example: #> many consumer-grade VoIP users connect over existing consumer #> broadband connections, and VoIP providers routinely use packet #> transport for long haul trunks. # #Packet transport != Internet. Consumer broadband connections are definitely "Internet" #We already concluded that most private networks would still work, which #would also hold true for the connection of the consumer-grade VoIP user #over broadband to the provider's next data center. I'd distinguish a provider offering an integrated VoIP solution, perhaps as part of a triple play package from the local xDSL or cable provider ("get voice, video and data for one low monthly price and with the convenience of a single statement!") from users who may get third party VoIP service from Vonage or Skype or MagicJack :-) or #But again, wouldn't placing the order by phone or even messenger #(the intern in his car) still take place? Distribution networks can be conceptualized as two pyramids stacked point-to-point on top of each other. A relatively large number of suppliers send products to distributors who then service supply houses (apex of the pyramids) who then sell to pharmacies and hospitals and other purchasers. Imagine the data entry issues, opportunities for errors, drop in transaction processing speed, and stock keeping issues that a wholely manual system would introduce. "Hi Betty, this is Bob, funny to finally meet you in person. I've got a list of 750 products we need tomorrow..." "Hi Bob, unfortunately, we don't have all the items you need, you'll need to check with one of your other suppliers for 280 of the products you wanted. Let me tell you what it turns out we didn't have..." etc., etc., etc. Recall, too, that not being able to get a single drug or supply might be enough to derail an entire surgical procedure. #I am tempted to agree here, since I can imagine the military actually #relying on the Internet for logistics (which would be a bad decision, #especially for them). # #Do we have any evidence that this is in fact the case? If you're not a believer, see events such as http://www.ncwevent.com/ #> Likewise, sharing tactical intelligence gets a whole lot harder if the #> network isn't up, just to mention a second example. # #How so? Isn't the military the one group that has many different #communication methods at its disposal? Their options aren't a lot broader than the civilian sector, we all use the same physics. :-) Granted, they have access to dedicated spectrum and dedicated physical assets (such as military satellites) that non-military folks do not, but their options are still basically: -- fiber or copper -- RF (including microwave, HF/VHF/UHF, etc.) -- satellite -- optics (e.g., lasers/FSO, etc.) and when you add on additional requirements imposed by the battlefield, you're not going to be able to do a 3 meter dish in many circumstances, for example. :-; Regards, Joe From josmon at rigozsaurus.com Wed Dec 2 17:51:00 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Wed, 2 Dec 2009 10:51:00 -0700 Subject: [CII] One possible scenario Message-ID: <20091202175059.GB31580@jeeves.rigozsaurus.com> In periods of limited connectivity, BGP and DNS still work. However, the outcome often looks like "the Internet is broke" to lay persons. Think about a situation where all the "big boys" get knocked out. I imagine it would look something like a situation where the small/mid sized service providers have lost all their transit relationships, but still have their peer relationships. Those that rely only on transit relationships would only have internal connectivity. Those that had large degrees of route splay would have a correspondingly larger view of the Internet (or what was left of it). In such a situation, we could signal the imporatance of a given IP address via BGP communities. The amalgamation of large splay providers could start trasiting this subset of routes, while still only peering for "normal" traffic. This could be dealt with via a well-known community, and standardized among providers... Is this an option worth looking at within this community? Can anyone point to similar work that we could build upon? From joe at oregon.uoregon.edu Wed Dec 2 15:52:12 2009 From: joe at oregon.uoregon.edu (Joe St Sauver) Date: Wed, 2 Dec 2009 08:52:12 -0700 (PDT) Subject: [CII] One possible scenario Message-ID: <09120209521237_25FC0@oregon.uoregon.edu> John commented: #Think about a situation where all the "big boys" get knocked out. I #imagine it would look something like a situation where the small/mid #sized service providers have lost all their transit relationships, but #still have their peer relationships. # #Those that rely only on transit relationships would only have internal #connectivity. Those that had large degrees of route splay would have #a correspondingly larger view of the Internet (or what was left of it). # #In such a situation, we could signal the imporatance of a given IP #address via BGP communities. The amalgamation of large splay #providers could start trasiting this subset of routes, while still #only peering for "normal" traffic. This could be dealt with via #a well-known community, and standardized among providers... # #Is this an option worth looking at within this community? Can #anyone point to similar work that we could build upon? There's a perfect real world experiment that closely approximates what you postulate, and that's the IPv6 world today. IPv6 routing has been plagued by well meaning attempts at improving connectivity through the gratuitous provision of IPv6 transit. You know you've hit one of these scenarios when your IPv6 traffic from the West Coast to the East Coast of the United States takes a sudden detour via providers in Europe or Asia, for example. I'd be really wary of counting on having people provide gratuitous IPv4 transit as an recovery solution based on how that's (not) worked in the IPv6 world. Just my two cents, Regards, Joe From josmon at rigozsaurus.com Wed Dec 2 21:32:11 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Wed, 2 Dec 2009 14:32:11 -0700 Subject: [CII] One possible scenario In-Reply-To: <09120209521237_25FC0@oregon.uoregon.edu> References: <09120209521237_25FC0@oregon.uoregon.edu> Message-ID: <20091202213211.GE31580@jeeves.rigozsaurus.com> On Wed, Dec 02, 2009 at 08:52:12AM -0700, Joe St Sauver wrote: > I'd be really wary of counting on having people provide gratuitous > IPv4 transit as an recovery solution based on how that's (not) > worked in the IPv6 world. An interesting point, and worth considering in the whole. However, I'm not suggesting that people will transit *ALL* of a peer's traffic -- only that which has been advertised as critical. The advertisements would be /32s, maybe even a /24 at time -- lots of routing slots, but small swaths of space. I'll quote myself from http://isotf.org/pipermail/cii/2009-November/000035.html "My network, my rules." But I'll always prempt traffic on my net for health/safety. Kinda seems like my duty to the society that I live within... If a peer can tell me what is critical for health/safety, I'll make sure I advertise those things onto my other peers in time of emergency. I'm going to do this with or without a government mandate -- if it is truly crticial infrastructure, I want my customers to be able to reach it. If I have enough smaller providers willing to do this, do I manage to keep Bill's "all I care about" up and running? From joe at oregon.uoregon.edu Wed Dec 2 19:35:33 2009 From: joe at oregon.uoregon.edu (Joe St Sauver) Date: Wed, 2 Dec 2009 12:35:33 -0700 (PDT) Subject: [CII] One possible scenario Message-ID: <09120213353303_25FC0@oregon.uoregon.edu> John mentioned: #However, I'm not suggesting that people will transit *ALL* of a #peer's traffic -- only that which has been advertised as critical. #The advertisements would be /32s, maybe even a /24 at time -- lots #of routing slots, but small swaths of space. Those more specifics are likely to be ignored by a lot of providers who run more-or-less industry standard route filters (e.g., the /32's are particularly likely to be dropped, although even /24's will have problems at some providers if the /24 is a deaggregated part of a larger covering netblock). These days people are very concerned about the growth in the global routing table, and for very good reasons, and the net result is restrictive route filters. #If a peer can tell me what is critical for health/safety, I'll make sure #I advertise those things onto my other peers in time of emergency. I'm #going to do this with or without a government mandate -- if it is truly #crticial infrastructure, I want my customers to be able to reach it. I guess my point is that if enough people do that, you can actually make things worse, not better, particularly if we're talking about smaller providers and the critical infrastructure in question is targeted for active attacks (such as DDoS packet flooding attacks). But I don't mean to belabor the point. Regards, Joe From josmon at rigozsaurus.com Wed Dec 2 22:12:34 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Wed, 2 Dec 2009 15:12:34 -0700 Subject: [CII] One possible scenario In-Reply-To: <09120213353303_25FC0@oregon.uoregon.edu> References: <09120213353303_25FC0@oregon.uoregon.edu> Message-ID: <20091202221234.GF31580@jeeves.rigozsaurus.com> On Wed, Dec 02, 2009 at 12:35:33PM -0700, Joe St Sauver wrote: [...] > #The advertisements would be /32s, maybe even a /24 at time -- lots > #of routing slots, but small swaths of space. > > Those more specifics are likely to be ignored by a lot of providers > who run more-or-less industry standard route filters (e.g., the /32's > are particularly likely to be dropped, although even /24's will have > problems at some providers if the /24 is a deaggregated part of a > larger covering netblock). These days people are very concerned about > the growth in the global routing table, and for very good reasons, > and the net result is restrictive route filters. I understand the implications of lots of routing slots -- but I'm merely throwing out a straw man that could be done with existing technologies. I *want* people to poke holes in the idea. My next routing policy design is going to have a set of communities for this on the off chance it is needed. They may never get used, but at least they'll be there, and I can attempt to put appropriate language into peering agreements as well. After all -- the routes won't ever hit my FIB until they pass prefix filters *AND* they have the proper community attached. When I pass those same prefixes on, the "my net, my rules" filter will allow people to accept them or not. Lastly, if the "big boys" are gone, we won't have 300k+ BGP advertisements to keep in memmory. So the extra advertisements aren't likely to cause problems during the critical infrastructure failure. From ge at linuxbox.org Wed Dec 2 23:53:54 2009 From: ge at linuxbox.org (Gadi Evron) Date: Thu, 03 Dec 2009 01:53:54 +0200 Subject: [CII] [Fwd: [funsec] Finally someone asks the tough question...] Message-ID: <4B16FE12.1060906@linuxbox.org> -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ -------------- next part -------------- An embedded message was scrubbed... From: robert_mcmillan at idg.com Subject: [funsec] Finally someone asks the tough question... Date: Wed, 2 Dec 2009 14:59:40 -0800 Size: 2984 URL: From joe at oregon.uoregon.edu Wed Dec 2 22:02:12 2009 From: joe at oregon.uoregon.edu (Joe St Sauver) Date: Wed, 2 Dec 2009 15:02:12 -0700 (PDT) Subject: [CII] [Fwd: [funsec] Finally someone asks the tough question...] Message-ID: <09120216021249_25FC0@oregon.uoregon.edu> Gadi passed along a note by robert_mcmillan at idg.com from the funsec mailing list which mentioned: # "On the imminent Cyber Warfare, what's Ghana's preparedness?" # # http://www.ghanaweb.com/GhanaHomePage/NewsArchive/artikel.php?ID=172740 # # A story you're unlikely to see in the mainstream press... Oddly enough, I was just in Accra last month for the 7th Open Access Conference (see www.wideopenaccess.net ) which followed the West and Central African Research and Education Networks (WACREN) meeting. Ghana's a fascinating country, and if you get the chance to go there, I'd encourage folks to consider doing so, I really liked it, although I will say that it is a relatively long (7 hour) flight via KLM from Amsterdam. (Africa's a lot bigger place than most folks recognize, I think, or at least I know that I found the map at http://strangemaps.wordpress.com/2006/11/20/35-the-size-of-africa/ to be very enlightening) That said, while some might be surprised to see someone from a country in West Africa worrying about nation state cyber threats, in reality, I think it is appropriate that West Africans are paying attention to this emerging potential concern (although I might not use the word "imminent"). Let me just share a few reasons why I think this (and please recognize that these opinions are strictly that, *just* my opinions): -- Some countries in Africa have not enjoyed the benefits of political stability the way many nations in other parts of the world have... One only needs to review the list of travel warnings for countries in Africa at http://travel.state.gov/travel/cis_pa_tw/tw/tw_1764.html to see the ongoing instabilities that challenge progress in many countries of that continent. If I were a regime in Africa which was overtly subject to attacks by rebels/terrorists, I would see absolutely no reason to believe that my adversaries would refrain from using cyber attacks (as well as any other means) as a way of advancing their politico/military agendas. Granted, much infrastructure in parts of Africa isn't as automated or technology dependent as parts of the West, but what infrastructure is there is often both a highly critical "lifeline" and lacking redundancy (out of economic necessity). I definitely see vulnerabilities which rightfully deserve to be considered, understood, and potentially addressed. -- China has an ongoing and increasingly strategic presence in growing areas of Africa, a point that has been chronicled in a variety of books such as "China Safari: On the Trail of Beijing's Expansion in Africa," see http://www.nytimes.com/2009/07/19/business/19shelf.html Even if indigenous African infrastructure might not be a target for global cyber attention, Chinese economic infrastructure located *in* Africa might (hypothetically) be a different matter. -- Although many parts of Africa have traditionally had expensive and limited connectivity, new fibre projects such as Globacom's Glo 1 cable are going to rapidly change that (see coverage of the cable at http://www.modernghana.com/news/241356/1/glo-1-lands-in-ghana.html ). A country that has abundant fiber connectivity has a different potential role on the Internet stage than a country or region that does not. -- We know that there is official interest in Africa and cyber issues emerging there. For example, the US Department of Justice is working with AfriNIC to establish a "collaborative platform for governments, regulators, and AfriNIC to address issues related to the governance and operations that may impact a safe and secure Internet," meeting next month in Cyber City, Mauritius (see https://lists.afrinic.net/pipermail/announce/2009/000547.html ) -- Even if cyber war didn't directly impact any facilities in Africa, attacks on facilities elsewhere (such as in cable landing points in Europe or Asia) would have the potential to disrupt critical network facilities that serve African nations. So anyhow, while folks might find it unusual to read about West Africans worrying about cyber war, I think it is just another sign that there are some pretty sharp people in that part of the world, even if a historic lack of connectivity or sheer physical distances may have limited your interaction with many of them up till now. Just my two cents, Regards, Joe St Sauver, Ph.D. (joe at oregon.uoregon.edu) http://www.uoregon.edu/~joe/ Disclaimer: all opinions expressed are strictly my own From andrea at digitalpolicy.it Tue Dec 8 15:04:48 2009 From: andrea at digitalpolicy.it (Andrea Glorioso) Date: Tue, 08 Dec 2009 16:04:48 +0100 Subject: [CII] welcome to the public CII In-Reply-To: <4B126986.9090503@linuxbox.org> (Gadi Evron's message of "Sun, 29 Nov 2009 14:31:02 +0200") References: <4B0DA31C.1090501@linuxbox.org> <87638xacib.fsf@digitalpolicy.it> <4B126986.9090503@linuxbox.org> Message-ID: <87vdghmrqn.fsf@digitalpolicy.it> Dear Gadi, dear all, sorry for the horribly late reply. The arrival of the new European Commission is keeping everyone busy. ;) >>>>> "gadi" == Gadi Evron writes: > Andrea Glorioso wrote: >> In terms of "what is missing", I think policy-makers have still >> a long way to go before they understand what the Internet >> actually is and how it is operationally managed. One >> consequence of this is that in some cases they still try to >> apply crisis management approaches that will not work. On the >> other hand, the private sector must stop pretending (at least >> with us) that we are still in the '80s and that the Internet >> infrastructures they operate are not vital for society. > Andrea, with your experience at the European Commission, do you > think you can advise us on how to turn the results of our > conversations here into products that policy makers can > understand? > For example, the advancing discussion on terminology. I find the discussion on terminology interesting, although - very unfortunately - I don't have the time to properly follow it. The European Union has a number of definitions of what is a Critical Infrastructure, on what is a European Critical Infrastructure and should (relatively soon) have developed criteria on how to identify European Critical Infrastructures in the ICT sector (a.k.a. Critical Information Infrastructures, which is one of the sectors I deal with here in Bruxelles). Whether or not the Internet is a Critical Infrastructures depend very much on what we mean by "the Internet". It should not be surprising to know that EU Member States have very different ideas on what is "the Internet". Many of them have a functional way of thinking, i.e. they identify what is a "vital function" for their society and then try to understand whether "the Internet" is necessary to provide that function. On how to make "products" for policy-makers, based on my experience as a former-geek-turned-into-a-policy-officer, I would suggest: (a) be brief. No policy maker with enough power to make decisions will have more than 10 minutes to read (*and* understand) the points you want to make. One can of course provide 1000+ pages of annexes, which will be duly dumped onto the bureaucrat (e.g. me). But the main message must be clear and concise. (b) Avoid technical jargon. Avoid acronyms. Try to use (with care) metaphors that your grandmother (or grandfather) could understand. (c) Keep in mind that even though you may consider the Internet the greatest invention after sliced bread, for many policy makers it is only a dossier amongst others that may be equally or even more politically relevant (immigration, pensions, healthcare systems, terrorism, climate change). (d) If you have a face-to-face meeting and you don't know your policy-maker interlocutor beforehand, wear a tie (if you are a male specimen). If you are really allergic to a tie, avoid wearing a t-shirt with obscure geeky messages. Otherwise you will be classified as "weird" and your interlocutor's brain will immediately switch to something else (doesn't matter if s/he seems to be listening - as I read in one of my colleagues' office, the motto here is "smile - it may confuse your interlocutor"). Hope this helps. I'm happy to discuss the matter of interactions between technologists and policy-makers at length. Best, -- Andrea Glorioso || http://people.digitalpolicy.it/sama/cv/ M: +32-488-409-055 F: +39-051-930-31-133 * Le opinioni espresse in questa mail sono del tutto personali * * The opinions expressed here are absolutely personal * "Constitutions represent the deliberate judgment of the people as to the provisions and restraints which [...] will secure to each citizen the greatest liberty and utmost protection. They are rules proscribed by Philip sober to control Philip drunk." David J. Brewer (1893) An Independent Judiciary as the Salvation of the Nation -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available URL: From andrea at digitalpolicy.it Tue Dec 8 17:33:39 2009 From: andrea at digitalpolicy.it (Andrea Glorioso) Date: Tue, 08 Dec 2009 18:33:39 +0100 Subject: [CII] welcome to the public CII In-Reply-To: <4d9107cf0911300157n6eab82a2jae9fade2235e7c4c@mail.gmail.com> (Angela Cataldo's message of "Mon, 30 Nov 2009 10:57:40 +0100") References: <4B0DA31C.1090501@linuxbox.org> <87638xacib.fsf@digitalpolicy.it> <4B126986.9090503@linuxbox.org> <4d9107cf0911300157n6eab82a2jae9fade2235e7c4c@mail.gmail.com> Message-ID: <87r5r5mkuk.fsf@digitalpolicy.it> Dear Angela, dear all, >>>>> "angela" == Angela Cataldo writes: > Gadi, Andrea, before making policy-makers completely aware of > deep dependance from (and criticities of) internet > infrastructure, can we think of a way of double controlling CII? > I mean: we cannot have an ideal opinion of policy-makers as > people employed for the benefit of community. As citizen, I > would like to have (or third party to have) a way to control > their operations, and have knowledge enough to understand what > happens and what will happen in near and far future, if > possible. As technician, I would be sure not to be completely > dependent only on policy-makers, which might be non honest > persons. In this context, CII is not made only of sotware and > hardware, but of persons able to control them in some way, too. I find this approach to CII, as well as network and information security (and, I should add, anything related to society..) absolutely necessary. I do not have an immediate practical answer for your concerns, except by noting that the main way in which citizens of democratic societies control the activities of their public bodies is by "doing politics". Having said that, let me offer a couple of reflections, which I hope are useful as a starting point of discussion. I would question the characterisation of `policy makers' as potentially non-honest - not because I believe all of them are honest, rather because I think the issue of honesty is completely hortogonal to the function one performs in society (even if s/he works in the private sector..). But in any case, I do believe that independent control is indeed fundamental for a democratic approach to security and critical infrastructure protection. When it comes to the Internet, I think we have the advantage of a system that - unlike other ICT sectors, or other unrelated fields - has grown substantially `bottom up' and can count on real-world examples of working dynamics relying on `distributed control'. Incidentally, the action plan for Critical Infrastructure Protection, which I drafted together with colleagues, contains a paragraph which may seem obvious to Internet folks but, let me assure you, was not for European policy makers: "A thorough understanding of the environment and constraints is necessary. For example, the distributed nature of the Internet, where edge nodes can be used as vectors of attack, e.g. botnets, is a concern. However, this distributed nature is a key component of stability and resilience and can help a faster recovery than would normally be the case with over-formalised, top-down procedures. This calls for a cautious, case-by-case analysis of public policies and operational procedures to put in place." [1] This is but one example of the fact that even in the shady rooms of Bruxelles, there is a certain sensitivity to the undesirability of centralising all responsibilities for Internet resilience and stability. On the other hand, one has to keep in mind that when something goes *really* wrong, citizens will (understandably and rightly so!) turn to their public authorities, which will be forced to "do something". This is why I have been pushing for a long time - and will continue to do so - for technologists and policy makers to talk with each other. The old mantra that public authorities should stay clear of the Internet may have been sustainable in the '80s and the '90s, but nowadays it is simply a dangerous attitude if one wants to avoid such public authorities (at whatever level: national, European, international) to intervene like elephants in a glass shop. There is nothing that arouses the curiosity (and the worrying) of politicians and bureaucrats than the often-heard statement in certain circles that "there is nothing for you to see or do here - go away". I do strongly believe that the main task of the "operational community" out there is to help policy makers understand what they should, but especially what they should *not* do, with the Internet. Possibly by presenting (in a manner understandable to policy makers) why the Internet has been doing very well in many respects, but also by being honest about what does not work that well. Ciao, Andrea [1] COM(2009) 149 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection - "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience", 30 March 2009, available at http://foxyurl.com/MCn. -- Andrea Glorioso || http://people.digitalpolicy.it/sama/cv/ M: +32-488-409-055 F: +39-051-930-31-133 * Le opinioni espresse in questa mail sono del tutto personali * * The opinions expressed here are absolutely personal * "Constitutions represent the deliberate judgment of the people as to the provisions and restraints which [...] will secure to each citizen the greatest liberty and utmost protection. They are rules proscribed by Philip sober to control Philip drunk." David J. Brewer (1893) An Independent Judiciary as the Salvation of the Nation -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available URL: From rmacharia at gmail.com Thu Dec 10 09:26:16 2009 From: rmacharia at gmail.com (Raymond Macharia) Date: Thu, 10 Dec 2009 12:26:16 +0300 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: Hi, Great to be here, no I am no bot though every time my family think and talk computers they think of me. Now, critical infrastructure, here is my view 1. Power Grid 2.Cooling systems and here it may include water 3. The people who actually run the infrastructure itself. I tend to think they are critical. This is, of course, in addition to all the other pieces of the puzzle we are all trying to solve in defining CII Thanks Raymond Macharia On Thu, Nov 26, 2009 at 12:35 AM, Gadi Evron wrote: > Hello all, > > This list is now officially open for discussion. The list is not moderated, > although any new subscriber is auto-moderated until we are sure they are not > a spam bot. > > I'd like to start with a clean slate, and at least for a little while, with > no set agenda. Many of us discussed what critical infrastructure on the > internet is, how to define it, and how to protect it, many times before. We > all have varying ideas, so let's try and be patient until we find our feet > and what our specific goals are. > > Before we put forth any sort of charter or specific issues, I'd like to > hear from you what you think is lacking in current discussion on the subject > matter, and what you would like to see happen in the next few years. > > People on the list are all very busy individuals, so while we encourage > discussion, please try and conduct yourselves properly. > > CII is co-admin'd by Barry Greene and myself, while some more spots may > open up as necessary, as we settle into a routine in the coming months. > > Gadi. > > > -- > Gadi Evron, > ge at linuxbox.org. > > Blog: http://gevron.livejournal.com/ > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii > -------------- next part -------------- An HTML attachment was scrubbed... URL: