ON THE SUITABILITY OF COMPOSABLE SERVICES FOR THE ASSURABLE FUTURE INTERNET Daniel Stevenson Rudra Dutta, George Rouskas, Douglas Reeves Ilia Baldine RTI, RTP, NC NCSU, Raleigh, NC RENCI, Chapel Hill, NC dstevenson@rti.org {rdutta, rouskas, reeves}@ncsu.edu ibaldin@renci.org ABSTRACT Our SILO architecture for the future Internet consists of composable fine-grain protocol elements called “services”, and explicitly enables cross-layer interaction and optimiza- tion. While information assurance was not the only goal of SILO, we recognize that a critical need for the global network is a degree of assurability. In this paper, we present our view of the consequences of the SILO architecture with respect to information assurability. We also present some examples of information assurance services that could be easier enabled by SILO than the current architecture. I. INTRODUCTION The Internet has changed every aspect of our lives in the past few decades, and has itself changed nearly beyond recognition in the same time. Despite the remarkable ongo- ing effects of the Internet, there is a widespread perception in the networking community that key limitations of its design might be bringing it close to a breakdown point and a sea-change is necessary in the next decade or so. Recently, the National Science Foundation issued a call for proposals for “clean-slate Internet design”. The authors of this position paper include a multi-organization collabora- tive research team that has been working on such a clean- slate approach to future Internet design called “SILO”, funded by a grant from the NSF Future InterNet Design (FIND) program, and security researchers collaborating to articulate the information assurance related strengths and weaknesses of this architecture. In this paper, we discuss our position with respect to some fundamental issues in Internet information assurance, and specifically articulate them with respect to our SILO architecture. Fundamentally, the SILO architecture generalizes the concept of layering. The building block is a service, which takes the place of a protocol layer. Like a protocol layer, it presents a data interface to a served (upper) and serving (lower) service (layer), but in addition, it provides (i) a control interface, which communicates with a unified control agent, and (ii) a set of rules for composability, which states what other services this service may be com- posed with, in what relation. The control agent provides a unique point of security certification and unified security policies. Because the framework does not in itself limit the services which may be presented to the control agent for composition, incorporating new security services reflecting an evolving security policy is seamlessly supported by the architecture. We have previously published details of the SILO architecture [5], [10]. Further information about the SILO project can be found at the SILO website [26], which also contains technical documentation archiving the ongoing activities of our group. We do not claim that our clean-slate architecture solves all current or future security problems, far from it. Indeed, it is possible and quite likely that the additional flexibility afforded by composable protocols may create new security vulnerabilities. We would venture to suggest that any attempt at clean-slate design cannot guarantee to foresee all the security implications of a new proposed architecture. What we do assert is something more modest and yet at the same time more realistic and practically valuable: that our proposed architecture has unique features that provides a systematic approach to enforcing integrated security poli- cies, that it supports smooth evolution of security features, and accommodates within itself the means to identify new security threats and respond to it. As such, we view the network that we are envisaged not as being “assured”, but as being “assurable”; in what follows, we thus refer to the envisioned network as the Assurable Future Internet (AFI). A. “Design Criteria 2.0” - Designing the AFI In a now classic paper, David Clark articulated the original prioritization of the design philosophies behind Internet architecture [8]. As pointed out in that paper, if the design goals had been different, or even merely the prioritization, the design of the Internet would likely have taken very different pathways. In the same spirit, we present the following prioritized list; it is meant to focus on pertinent issues rather than be a comprehensive list. We realize that such principles must and will be debated in the community for years to come. This process will refine them; nevertheless, we believe we have captured several key points in this list that will survive the test. High Availability Information Delivery. Given the central role of the network in the current network-cenrtic warfare