11.2 Combining Computer Networks

The telephone system evolved over many decades. It could take years of planning and coordination each time they attempted to interconnect two or more existing networks. Matters could be even worse when connecting networks that developed in different countries or on different continents. The separate networks often used different wiring techniques or voltages or signals to make and route calls. They had to develop a coordinated way to handle the differences before a call from one system could be completed in another. The earliest techniques involved switchboards handled manually by human operators. As automatic call routing evolved, switchboards and operators were replaced with automatic routing equipment.

Early computer systems suffered from the same problem: incompatibilities between them often made it difficult to share data. Different computers had different byte and character sizes; some used sets of 64 characters (6 bits), 128 characters (7 bits), and even 256 characters (8 bits). These evolved from different character sets. One mainframe computer used two different character sets on the same system at the same time: one for batch processing and another for online timesharing terminals.

Many computer vendors developed networking products and technologies in the 1960s and 1970s, including IBM, Honeywell, and Digital Equipment Corporation (DEC). These networks rarely worked with equipment from competing vendors. Thus, each network was relatively small or limited in scope. It was difficult to achieve the benefits of a generally available network like today’s internet.

In the late 1960s, the U.S. military, through its Advanced Research Projects Agency (ARPA), developed the ARPANET, an experimental packet-switched computer network. (In later years, the word “Defense” was added to the agency’s name, yielding today’s acronym DARPA.) The ARPANET connected numerous defense research organizations at universities, military bases, and private companies. The ARPANET was carefully designed so that the network protocols worked seamlessly across a broad range of computing equipment.

Traversing Computer Networks

Users occasionally needed to use one network to reach another. In the 1970s, this often required a personal user account at a computer system that resided on each network. For example, Bob’s Uncle Frank worked on a local network at Honeywell Corporation in Minnesota and needed to connect to a remote computer in England. First, he connected his computer to the corporate Multics system and logged in. Given the right permissions, Frank could then use the ARPANET to connect to University College, London (UCL). If he could log in there, he then could open another connection to reach his destination at another site on the U.K. research network.

Such connections were extremely fragile. Interruptions at any gateway host (Multics or UCL) would close the entire connection, as could disruptions on the associated networks. These problems led to the development of modern internet technology. In fact, an early internet demonstration transmitted packets from a vehicle crossing the Golden Gate Bridge in California to a terminal in the Royal Radar Establishment on the U.K. network.

The Internet Emerges

Modern internet technology evolved from research on the ARPANET and the research networks attached to it. As it was, most computers that connected to two or more networks served as gateways for users who needed to reach a destination on another network. The goal of internet research was to route the packets automatically between the networks without intermediate logins.

In a sense, this was like a public highway system. Every town and city had built roads for its citizens. A challenge in the early 20th century was to connect towns and cities together to support reliable automobile travel. In the mid-1920s, state highway officials in the United States coordinated the development of the “U.S. highway system,” consisting of numbered roads with well-marked routes. This provided drivers with reliable roads to follow between states and across the country. To become “part of the system,” one’s driveway or street simply had to reach any other street that reached a U.S. highway.

The same is true for the modern internet. If a local network uses internet protocols and it connects to any network attached to the internet, then it may send traffic to other internet hosts.

The internet was “commercialized” in the early 1990s. Because it started as a research project under U.S. government sponsorship, private companies weren’t allowed to use it to explicitly advertise or sell products or to offer services that relied on an internet connection. Meanwhile, internet email had become very popular in many circles, and many computer vendors distributed technical data through the internet. This was enough to justify internet connections for many organizations. In the United States, the telephone system was a regulated monopoly, which occasionally prevented established telephone companies from offering internet services. The growing interest in the internet spawned the first ISPs. In the early 1990s, the government privatized the remains of its research network and let the internet go commercial.

11.2.1 Hopping Between Networks

We often build a LAN around Layer 2 nodes, called switches and hubs. To connect LANs or other integrated networks together, we use Layer 3 routers to move packets between the networks. A router is traditionally called a gateway, and many vendors still sell “gateway” products.

Not all networks are LANs. Early networks like the ARPANET covered nations and continents. We call these wide area networks or WANs. Each WAN may have a distinct link layer protocol. When we use internet technology to connect two networks with separate link layers together, we call each individual network a subnet. The “network” is the combined set of subnets.

Internet routing relies on a simple technical trick and on deploying routers to carry packets between networks. The simple technical trick is to split Layer 2, the link layer, into two parts. The lower part is the regular link layer, with its local media access control (MAC) addresses. The upper part becomes Layer 3, the internet layer protocol (FIGURE 11.2). Because most modern networks use internet protocols at Layer 3, we may call Layer 3 either the network layer or the internet layer.

An illustration depicts the LAN protocol layers and the Internet protocol layers.

FIGURE 11.2 Adding a layer to handle internet routing.

When we add a protocol layer, we also add a packet header. Following the link header, the packet now carries an internet header or IP header. The link header still carries a packet from place to place on the subnet. The IP header contains a separate set of source and destination addresses: the IP addresses.

Packet addressing and routing on the internet relies entirely on IP addresses. Although knowing a MAC address allows us to transmit packets across a LAN, we can’t use that MAC address to locate a host on a distant LAN. The internet uses the IP address to direct the packet to the correct LAN.

When a packet must travel across another network to reach its destination, the link header gets replaced each time it traverses another subnet. The IP header remains largely intact and the remaining packet contents are unchanged.

FIGURE 11.3 illustrates an example. The figure shows separate LANs, presumably in separate suites, connected by a common router. Bob is on LAN 1, which contains hosts with IP addresses 1.1 through 1.4. Henry is on LAN 2 in his own suite, which hosts IP addresses 2.1 through 2.4.

An illustration depicts sending a packet from one LAN to another.

FIGURE 11.3 Sending a packet from one LAN to another.

Bob, on host 1.2, sends packets to Henry on host 2.4. Bob’s computer sees that the IP address is not on LAN 1, so it can’t send the packet directly to the computer. Instead, the computer addresses it to the router by using the router’s MAC address as the packet’s destination.

The packet arrives at the router, which strips off the link header. It looks at the IP header and sees that the destination is on LAN 2. The router is attached to LAN 2, so it can deliver the packet directly to its destination. The router looks up the MAC address for host 2.4; then the router constructs a new link header that delivers the packet to host 2.4, its destination.

SS7 is the “internet protocol” for traditional telecom systems. Because telecom systems rely primarily on circuits, SS7 focuses on establishing end-to-end circuits. Internet routing takes place on a packet-by-packet basis, and SS7 routing takes place on a per-connection basis. SS7 finds a route from the call’s origin to its destination and sets aside interoffice trunks to connect the call’s endpoints. This is a completely different architecture compared to the layering of packet-switched networks.

Routing Internet Packets

Even though we often focus on routers as the nodes that direct packets around the internet, every computer that handles internet protocols must do some routing. The internet layer of every such protocol stack contains a routing table that chooses a network and/or MAC address for the outgoing packet. Most hosts rely on the Address Resolution Protocol (see Section 11.3.3) to fill in the routing table with addresses on their subnet. Packets destined for other IP addresses go to a default router. This illustrates the basic rule of internet routing:

If you don’t know how to deliver the packet to its destination, send it to a router that might know how to reach its destination.

No single router knows how to reach every host on the internet. Most routers know how to route packets to nearby hosts and where to send the remaining packets. A gateway router for a major site may connect to two or more different WANs. Its routing table directs packets to the best WAN to deliver the packet to its destination.

When a packet travels across other networks to reach the network of its destination, it uses those networks as communications links. It doesn’t care what else might be happening on those networks. It only cares that the link brings it closer to its destination.

Counting Hops

A router leaves everything past the IP header unchanged. It makes exactly one change to the IP header: It subtracts one from the time to live (TTL) field. When first created, the packet’s TTL field is set to a large number, as high as 255. Each time the packet passes through a router, the router decrements the TTL field. If the field reaches zero, the router discards the packet.

The TTL field effectively counts the number of “hops” the packet takes through routers. This helps detect packets caught in a “routing loop.” If a packet gets caught in such a loop, a router with bad information sends the packet back to a router it visited earlier. The packet then is routed again to the router with bad information, which sends it back again.

If a packet is caught in such a loop, its TTL will eventually reach zero, and a router will discard the packet. Often, the router with bad information will correct its routes before the packet’s TTL expires.
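The forwarding steps of Figure 11.3, the basic routing rule, and the TTL check are easiest to see in a small simulation. The following is an added example, not code from the book: hosts, MAC and IP addresses, and the payload are constructed, and the “router” is a toy that models only what the text describes (link header rewritten per subnet, IP header kept except for the TTL, packet discarded when the TTL expires).

```python
"""Toy model of IP forwarding across two LANs plus a routing loop ended by TTL
expiry. Constructed example: all addresses and the topology are made up."""
from dataclasses import dataclass, replace


@dataclass
class Packet:
    link_src: str    # link header (MAC addresses): rewritten on every subnet
    link_dst: str
    ip_src: str      # IP header: end to end, only the TTL changes
    ip_dst: str
    ttl: int
    payload: bytes   # everything past the IP header is never touched


class Node:
    """A host or router.
    macs:    {lan: this node's MAC on that LAN}
    arp:     {ip: mac} for hosts on attached LANs (what ARP would fill in)
    lan_of:  {ip: lan} so a next hop can be matched to an interface
    default: IP of the default router, or None for a host with no router"""

    def __init__(self, name, macs, arp, lan_of, default=None):
        self.name, self.macs, self.arp = name, macs, arp
        self.lan_of, self.default = lan_of, default

    def next_hop(self, ip_dst):
        """The basic rule: deliver directly if the destination is on an
        attached subnet; otherwise hand it to a router that might know."""
        if ip_dst in self.arp:
            return self.lan_of[ip_dst], self.arp[ip_dst]
        if self.default is None:
            raise LookupError(f"{self.name}: no route to {ip_dst}")
        return self.lan_of[self.default], self.arp[self.default]

    def forward(self, pkt):
        """Router behaviour: decrement the TTL, discard the packet if it
        reaches zero, otherwise build a new link header for the next subnet."""
        if pkt.ttl - 1 <= 0:
            return None                      # TTL expired: packet discarded
        lan, mac = self.next_hop(pkt.ip_dst)
        return replace(pkt, ttl=pkt.ttl - 1,
                       link_src=self.macs[lan], link_dst=mac)


def deliver_across_router(src_host, router, pkt):
    """The host puts the router's MAC in the link header; the router rebuilds
    the link header for LAN 2. Returns the packet as seen on LAN 1 and LAN 2."""
    lan, mac = src_host.next_hop(pkt.ip_dst)
    on_lan1 = replace(pkt, link_src=src_host.macs[lan], link_dst=mac)
    return on_lan1, router.forward(on_lan1)


def routers_visited_before_discard(router_a, router_b, pkt):
    """Two routers with bad information bounce the packet back and forth.
    Returns how many routers handle it; the last one discards it."""
    visits, current = 0, router_a
    while pkt is not None:
        pkt = current.forward(pkt)
        visits += 1
        current = router_b if current is router_a else router_a
    return visits


# Constructed topology for Figure 11.3: LAN 1 hosts 1.1-1.4, LAN 2 hosts
# 2.1-2.4, one router with a made-up address on each LAN (1.0 and 2.0).
BOB_MAC, HENRY_MAC = "aa:00:00:00:01:02", "aa:00:00:00:02:04"
RTR_MAC1, RTR_MAC2 = "aa:00:00:00:01:ff", "aa:00:00:00:02:ff"
LAN_OF = {f"1.{i}": "LAN1" for i in range(0, 5)}
LAN_OF.update({f"2.{i}": "LAN2" for i in range(0, 5)})
bob = Node("bob", {"LAN1": BOB_MAC}, {"1.0": RTR_MAC1}, LAN_OF, default="1.0")
router = Node("router", {"LAN1": RTR_MAC1, "LAN2": RTR_MAC2},
              {"1.2": BOB_MAC, "2.4": HENRY_MAC}, LAN_OF)

# Constructed routing loop: routers A and B each use the other as default.
A_MAC, B_MAC = "cc:00:00:00:00:0a", "cc:00:00:00:00:0b"
WAN = {"9.1": "WAN", "9.2": "WAN"}
rtr_a = Node("A", {"WAN": A_MAC}, {"9.2": B_MAC}, WAN, default="9.2")
rtr_b = Node("B", {"WAN": B_MAC}, {"9.1": A_MAC}, WAN, default="9.1")
```

Sending a packet with TTL 5 into the A/B loop shows five routers handling it before the fifth discards it, which is the only thing that stops the loop until the bad route is corrected.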

11.2.2 Evolution of Internet Security

Internet protocols were intended to make it as easy as possible for people to connect to a single, global research network. They succeeded. The internet was an international network from the moment of its creation. Even though the U.S. military—through DARPA—had funded the internet’s development, they quickly lost control of it as it took on an international scope. Anyone on an internet-connected host computer could send network traffic to any other internet host in any country.

Researchers all over the world wanted to use the internet. In practice, anyone with the money for equipment and a network link could connect to the internet. Anyone with a moderately plausible “network research” activity could apply to the Internet Assigned Numbers Authority (a network researcher named Jon Postel, 1943–1998) and ask for a block of IP addresses and a domain name.

Although this was incredibly convenient for researchers, it also meant that anyone, researcher or not, could use the internet. There has never been a reliable technique to eliminate potential threats from the internet. In this sense, the internet serves as an “information highway.”

Improved U.S. highways in the 1920s and 1930s improved business and personal transportation dramatically, but it also produced a new breed of criminal. Interstate bank robbing was a well-known problem, but the automobile made it much easier to do. Several such robbers were infamous, including Bonnie and Clyde, John Dillinger, and the Karpis gang.

Protecting the ARPANET

The ARPANET pioneered the earliest strategies of internet security, such as they were. The initial defense was to restrict access to people who had a bona fide reason to use it. This seemed simple at the time, because computers usually resided in locked and guarded computer rooms. Access by computer users was through remote, text-oriented terminals.

To connect to the ARPANET, a site needed an “Interface Message Processor” or IMP (FIGURE 11.4). This was a $50,000 minicomputer that ran special routing software to carry messages between host computers and the network of IMPs. The IMPs were built by ARPANET contractor Bolt, Beranek, and Newman (BBN).

A photograph of the control panel of an ARPANET IMP is shown. The Interface Message Processor control panel has buttons organized under the sections Power, Sense, Register, and Operation.

FIGURE 11.4 Control panel of an ARPANET IMP (photographed at the Computer History Museum, California).

Courtesy of Dr. Richard Smith.

Each IMP also needed expensive, high-speed, leased lines to connect it to other IMPs in the network. Moreover, a site had to be part of a DOD research program to get permission to connect to the other IMPs. The DOD made the rules for the ARPANET and required every site to exert some control over who could use the network.

Some sites, especially colleges and universities, did very little to restrict ARPANET access. Although the ARPANET seemed obscure and irrelevant to some, others saw its potential for a broad range of communications tasks. Email evolved on the ARPANET, as did the file sharing that underlies today’s World Wide Web.

Email spawned online discussion groups, some that lasted for decades. By allowing broad access, the schools and other sites helped construct a better understanding of what large-scale computer networking could achieve. There was, however, no easy way to use the ARPANET except by having permission to use an ARPANET-connected computer or dial-in port.

Early Internet Attacks

In the internet’s early days, the U.S. government forbade commercial activities on its portion of the internet. For many years, this essentially prevented formal commercial activities, because the ARPANET carried a great deal of internet traffic. The only attacks of any significance were thefts of trade secrets and military secrets.

Such attacks made news in the late 1980s. In Section 4.5, we heard the story of Clifford Stoll, who detected a hacker at Berkeley and tracked him across the internet back to Germany. The hacker was collecting information from U.S. military and government sites and selling it to Soviet agents.

Also hit was DEC, the company that produced the virtual address extension (VAX) computer and its operating system. DEC’s software development computers were on the internet, but employees had to use a two-factor authentication system to reach those systems. An attacker hijacked an authenticated connection and used it to steal the operating system’s source code.

And, of course, there was the Morris worm. (See Section 2.3.) The worm was not intended to bring down the internet, but it managed to do so. To prevent a recurrence of the worm and to reduce risks of information theft, sites developed tools and techniques to protect themselves.

Early Internet Defenses

On January 1, 1983, the ARPANET protocols all were replaced with internet protocols. At that point, any host connected anywhere on the internet could open a connection directly to any other host on the internet. Colleges and universities without military contracts quickly hooked up, and so did many companies in the computing and networking industries.

Access to the internet is governed by Transitive Trust: If someone provides you with a connection that carries internet packets, you can use it to communicate with everyone else on the internet. In fact, once you have that connection you can actually offer internet connections to others. Internet routers kept long routing lists that directed packets between any two hosts.

As the internet grew, sites could no longer assume that the network was filled with benign researchers. The internet population was growing so large and varied that someone was going to prove untrustworthy in some sense.

Before the Morris worm incident, sites concerned about security relied on host-based login authentication. Many people thought of the network links themselves as analogous to public streets and trails: We use them but we are cautious; we don’t leave valuables unattended, and we keep our doors locked.

Following the well-publicized internet security incidents in the late 1980s, many sites sought more sophisticated protection. One approach was to scan the packets themselves for indications of bad intent. Early Ethernet users on the Alto network experimented with packet filtering as a way to manage network traffic. Accetta and Rashid at Carnegie-Mellon University developed the “enet” package for Unix, which filtered inbound packets by looking at individual fields. This was the genesis of modern firewalling technology. We examine firewall filtering in Section 14.4.

11.2.3 Internet Structure

Following the internet’s commercialization, almost anyone could—and did—become an ISP. In the United States, antitrust laws prevented some telephone companies from becoming ISPs, but other network service companies entered the business, and so did many small-scale operators. In fact, high school students could start an ISP in their basement with a small bank of low-cost dial-in modems. Internet routing helped ensure that any packet could reach any host if any route existed.

The engineering elements of the internet are the province of the Internet Engineering Task Force (IETF), a largely volunteer organization. The IETF coordinates its engineering standards through an open development process. Initially, the developments focused on decentralized solutions that worked well in the original, research-oriented internet. As internet growth exploded in the mid-1990s, decentralized routing bred enormous routing tables in the major ISPs.

Autonomous Systems

Large routing tables pose a serious problem. On the one hand, the large tables allow maximum flexibility when connecting new networks. On the other hand, it takes time to search a large routing table, and this slows down packet delivery. To solve this problem, the internet moved to a more hierarchical organization built around autonomous systems (ASes).

Each AS is essentially an ISP that handles routing between its networking customers. Often these are large telecommunications (telecom) vendors, though ASes may be private or government organizations with large enterprise networks. Originally, the internet consisted of hosts and networks. Now it consists of hosts, networks, and ASes. FIGURE 11.5 illustrates this change.

An illustration depicts old and new internet routing structures.

FIGURE 11.5 Old and new internet routing structures.

Each AS provides connections between networks and is responsible for routing between those networks. In other words, each AS handles two types of routing:

  1. Interior routing—route packets between networks within the AS

  2. Exterior routing—route packets from a network within the AS to a network on another AS

Private networks within an AS are responsible for their own interior routing. The AS likewise performs its own interior routing between its own routers. The AS generally provides dedicated network links between its own routers in order to pass traffic between its customers.

Exterior routing relies on border routers. These routers connect one AS to another. To route a packet from one AS to another, a router inside the AS forwards the packet to the appropriate border router, which forwards it to the appropriate AS. If the ASes aren’t directly connected, the border router sends it to an AS that can deliver the packet.

Internet routing mechanisms are designed to detect and recover from routing errors. However, a really large error can seriously disrupt internet traffic. The AS structure tries to reduce such risks by sharing routes among a limited number of other routers. Although routers within a private network may trust one another, the AS routers do not generally accept routing information from the private networks. Border routers only trust traffic from other, connected border routers.

An incident in 1997 illustrates the risks of sharing routes too broadly. An AS border router in Florida received an extremely large routing update from one of its internal customers. The update was incorrect; it appeared to provide a direct connection to all networks on the internet via this Florida network.

The border router processed the update and forwarded it to a border router operated by Sprint, another AS. The Sprint border router distributed the information to other ASes, which then routed large amounts of traffic to Florida. Because the routing update was large, it propagated slowly and continued to affect internet traffic for several hours.

Routing Security

Although the 1997 routing incident was accidental, it illustrates the lack of sophistication in internet routing security. The principal security measures restrict the propagation of routing information except among routers that operate as peers.

For example, routers within a private network may exchange routes with one another, but the AS router does not accept routes from the private network. This was one of the mistakes that led to the Florida incident: The Florida AS should not have accepted the routing update from the private network. The problem was made severe by the size and content of the routing update.

A separate peer-to-peer relationship exists between routers within an AS. This allows the AS to establish routes between its customers and its border routers using its own links. Border routers between ASes also share a trust relationship: Each AS must trust the other’s border router.

The relationships between AS routers and border routers reflect Transitive Trust between the highest-level routers on the internet. This is not generally a security problem because all ASes are assumed to share the common objective of routing packets efficiently. Incorrect routes constantly arise by accident. Other routers soon detect the error and establish corrections.

International Rerouting

These trust relationships, combined with the internet’s international nature, mean that packets aren’t aware of international boundaries. If a nation contains several well-connected ASes, then traffic from other nations may often be routed through one or more of those ASes.

In April of 2010, China Telecom’s border routers briefly distributed routes that redirected 15 percent of the world’s internet destinations through China’s routers. Like the Florida incident, the rerouting occurred when the AS published routing information it received from an internal network.

China Telecom and the Chinese government asserted that the incident was accidental. However, the incident was noted in a U.S. government report on the security risks of U.S.–China economic and trade relations. The report discussed several ways in which China might exploit redirected internet traffic. The report also noted that the rerouting caused a relatively small change in internet traffic patterns compared to other incidents known to be accidental.

Another incident similar to these occurred in late 2004. An AS in Turkey accidentally rerouted all internet traffic to itself. This made parts of the internet unreachable for several hours while the errors were corrected.

Internet experts do not see a simple and effective way of preventing future incidents, whether accidental or not. Such cases usually occur when incorrect routing information from a private network is propagated by an AS. In general, ASes avoid this through careful configuration of border routers. However, there are thousands of border routers, making occasional errors inevitable.
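The “careful configuration of border routers” that the Routing Security and International Rerouting sections call for amounts to a few checks on every incoming routing update. The following toy border router is an added example, not the book’s code and not any real router’s configuration syntax: it accepts updates only from configured peer border routers (so a private network’s update, as in the Florida incident, is dropped), rejects any prefix a peer is not authorised to announce (a claim of reaching “all networks on the internet”), and refuses an update whose size exceeds a limit. Peer names, prefixes, and the limit are constructed.

```python
"""Toy route-update filter for an AS border router. Constructed example:
peer names, prefixes and the size limit are made up for illustration."""
import ipaddress


class BorderRouter:
    def __init__(self, max_prefixes):
        self.peers = {}                 # peer name -> networks it may announce
        self.routes = {}                # accepted prefix -> peer it came from
        self.max_prefixes = max_prefixes

    def add_peer(self, name, allowed_prefixes):
        """Register a connected border router and the address space it is
        authorised to announce; anything else it sends will be rejected."""
        self.peers[name] = [ipaddress.ip_network(p) for p in allowed_prefixes]

    def process_update(self, source, prefixes):
        """Apply the three checks to one update.
        Returns (accepted prefixes, {rejected prefix: reason}).
        The whole update is refused if the source is not a peer (a private
        network, say) or if it is larger than the configured limit."""
        if source not in self.peers:
            reason = "source is not a peer border router"
            return [], {p: reason for p in prefixes}
        if len(prefixes) > self.max_prefixes:
            reason = "update exceeds max-prefix limit"
            return [], {p: reason for p in prefixes}
        accepted, rejected = [], {}
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if any(net.subnet_of(allowed) for allowed in self.peers[source]):
                self.routes[p] = source
                accepted.append(p)
            else:
                rejected[p] = "prefix not authorised for this peer"
        return accepted, rejected


def oversized_update(count):
    """Constructed stand-in for an update that claims routes to a great many
    networks at once: `count` distinct /24 prefixes in documentation space."""
    return [f"198.51.{i}.0/24" for i in range(count)]
```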

Starting an ISP

In the internet’s early days, it was easy to join. Typical networks were educational or research institutions with technical talent but limited resources. A site could simply connect its router to another site’s router, and packets would flow. This was why the internet grew so quickly in its early days.

Almost anyone could become an ISP. This was aided by the fact that U.S. legal restrictions made it difficult for regulated telephone companies to provide internet service. It opened up the field to entrepreneurs and businesses of all sizes.

This also opened the internet to abuse by early ISPs. In one case, a bookseller started an ISP that he marketed to other booksellers. Because he was responsible for routing all of their packets and email, he had access to many of their transactions. He used his position to spy on his customers and outbid them for books he wanted.

This behavior was possible because the threat agent actually operated the routers and network links that carried the network traffic. The threat agent also operated the email server, giving him access to customer email messages. It is possible, though harder, to eavesdrop on email and other traffic without operating the network.

Today it is much harder to start an ISP. One major problem is the shortage of internet addresses. Following Postel’s death in 1998, blocks of internet addresses were assigned to registrars who doled out addresses to regional ISPs. Because the registrars have assigned all address blocks to ISPs, no free blocks remain. Given that ISPs must assign addresses to customers, a new ISP must acquire a block of addresses from an existing ISP in order to offer services. A new ISP also must fit into the modern routing discipline, either as an AS itself or as a set of networks within another.
