Digital Silk Road
I want to talk today about a network architecture that is very much different from any that is in operation, I think.
I wish that I could say how to bring it about but I will have to settle for presenting what will seem to most as at best a mere Utopian scheme from which some ideas might be taken.
Indeed it is somewhat of a toy architecture and several significant compromises would be necessary to become a real network.
I won’t speculate here much about such compromises in order to simplify the presentation and make the novel ideas more vivid.
There are two main points that I want to push:
- Layering of functionality drives and nearly dominates information system architectures.
- Attention to incentives should begin at the bottom of the architecture.
The second point is crucial when there are many contributors of code whose behavior impacts the total system behavior.
Economists call such effects externalities and they show up in network design and designs for operating systems.
The DSR design avoids central powers that control the network.
We avoid not only single physical points of failure, but single political points of failure as well.
Internet is good in this respect and we wish to go further.
We hope to show how the problems of:
- Denial-of-service attacks
- Malicious routing information at the IP address level
have natural solutions with DSR.
We will start at the link layer where we consider the meaning of messages between the nodes (or switches) of the network.
If the network connects two agents in Toronto and Madrid, then two streams of signals will be moving between these two sites.
There will be a dominant path for these signals along some sequence of network nodes.
Adjacent nodes will be connected by physical links which carry packets.
Within a packet is a money field as well as the conventional data payload.
To set ideas, the money field carries value along with the data, and in the same direction.
The value indicated (by the money field) is always positive, typically a small fraction of a cent and perhaps never more than a few dollars.
Imagine a coin slot with a 9000 mile raceway for the coins.
Balance of Payments
The only financial arrangements necessary to support this are local agreements between operators of nodes at the two ends of a link.
There is an up-down counter conceptually symmetrically centered between the two nodes, which accumulates the value fields of the packets as they pass.
Packets going in opposite directions move the accumulator in opposite directions.
An accumulator too far from zero obligates one operator to pay the other, whereupon the accumulator is reset.
Realistically the accumulator is implemented at both ends of the link and the link is error controlled.
The money comes in at the network’s edge where ISPs connect with their customers over links that are similarly metered.
The protocol goes to the very end of the road.
Paying for Passage
In most cases the payload is destined for some agent at the edge of the network but the money field is fair game for the nodes as well.
There are rules that the nodes must abide by and these rules are enforced by a reputation system, and not by crypto or a higher level police mechanism.
Incentives guide node operators to play by the rules.
Note here that I speak here as if nodes were independently operated by individual entrepreneurs.
This is indeed the simplest way I know to think about the problems of passing data thru multiple jurisdictions.
A node will extract a toll from packets as it forwards them.
This means that the denomination of the value field must be very small indeed.
These payments between operators compensate operators much as payments for silk between travelers on the silk road drove that marvelous traffic.
The network user is viewed as a consumer who chooses among competing transport providers and simply ceases using those who charge too much by taking too high a toll, just as one avoids nodes that lose packets.
This is at odds with most network protocols but the following ideas fit nicely with this:
- The network supports source routing by which the user expresses his decision.
The user chooses those nodes thru which his data will pass.
Packet steering is by packet headers that distinguish among outgoing links for each successive node along the path.
(This form of path specification was perhaps used first in Tymnet.)
- The user delegates this complex path selection task to an agent that he selects.
Some sort of reputation for nodes is involved.
A routing service must first know much network topology and where destinations are found within the net.
A scout service explores and maintains this slowly changing information.
A travel agent recommends routes based on this information.
Public keys, or their fingerprints, serve well as names for network destinations.
The agent takes a fingerprint, QoS parameters, a fee and returns a path.
You don’t have to find the travel agent, he finds you.
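The travel agent described above, as an added example that is not part of the talk: a scout's view of a small constructed topology (node names, tolls, reputations and the fingerprint directory are all assumptions), an agent that returns the cheapest acceptable route as a Tymnet-style header of outgoing link indices, and a forwarder in which each node extracts its toll from the money field and drops the packet when the money runs out.

```python
# Constructed scout data (assumptions): outgoing links per node in the order
# the node's packet headers index them, the toll each node extracts when it
# forwards, and a reputation score the agent is willing to trust.
LINKS = {
    "toronto": ["nyc", "chicago"],
    "nyc":     ["toronto", "london", "chicago"],
    "chicago": ["toronto", "nyc", "london"],
    "london":  ["nyc", "chicago", "madrid"],
    "madrid":  ["london"],
}
TOLL = {"toronto": 0, "nyc": 3, "chicago": 1, "london": 5, "madrid": 0}   # micro-cents (assumed unit)
REPUTATION = {"toronto": 1.0, "nyc": 0.9, "chicago": 0.2, "london": 0.95, "madrid": 1.0}
# Destinations are named by public-key fingerprints; the scout maps them to edge nodes.
DIRECTORY = {"fp:madrid-site": "madrid"}


def find_routes(src, dst, min_rep):
    """Enumerate loop-free routes that avoid nodes with too low a reputation.

    Each route is a list of (outgoing link index, node reached) hops."""
    routes = []

    def walk(node, visited, hops):
        if node == dst:
            routes.append(hops)
            return
        for idx, nxt in enumerate(LINKS[node]):
            if nxt in visited or REPUTATION[nxt] < min_rep:
                continue
            walk(nxt, visited | {nxt}, hops + [(idx, nxt)])

    walk(src, {src}, [])
    return routes


def travel_agent(src, fingerprint, fee, max_hops, min_rep=0.5):
    """Return (header, total toll) for the cheapest route within the fee and
    hop budget, or None when no acceptable route exists."""
    dst = DIRECTORY.get(fingerprint)
    if dst is None:
        return None
    best = None
    for hops in find_routes(src, dst, min_rep):
        toll = sum(TOLL[n] for _, n in hops)
        if toll <= fee and len(hops) <= max_hops and (best is None or toll < best[1]):
            best = ([idx for idx, _ in hops], toll)
    return best


def forward(src, header, money, payload):
    """Simulate source-routed forwarding: each node along the path consumes
    one link index from the header and extracts its toll from the money field."""
    node = src
    trace = [node]
    for idx in header:
        node = LINKS[node][idx]
        trace.append(node)
        if money < TOLL[node]:
            return trace, money, "dropped: out of money"
        money -= TOLL[node]
    return trace, money, "delivered"


if __name__ == "__main__":
    route = travel_agent("toronto", "fp:madrid-site", fee=10, max_hops=4)
    print("recommended header and toll:", route)
    print(forward("toronto", route[0], 10, b"hello madrid"))
```

With the default reputation floor the agent routes around the low-reputation Chicago node even though that path is cheaper; lowering the floor changes the recommendation, which is the "avoid nodes that lose packets" decision expressed in code.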
Money to the edge
The ideas described up to now motivated the original design.
We wondered what to do with the packet values as they reached the network’s edge, but it was immediately obvious that the system provided an integrated payment mechanism if the recipient, such as a web site, were connected by a link carrying packets with values.
The site operator would receive money from his network connection provider.
The site operator could demand of the browser excess postage which would flow to the site.
The money would come from the browser’s ISP account, but not be itemized.
This is no more serious than your lack of an itemized accounting for your expenditures on Cokes from vending machines.
The Coke machine wouldn’t be there if it were not for the coin technology.
How many network services are absent for lack of cyber coins?
Today I can’t refer a friend to an article in the Wall Street Journal while respecting their copyright.
I discover a reference to an article in an Australian news-paper but a subscription is now required for that article.
With current technology the newspaper gets no money and I get no information.
Since Google cannot index subscription material, both providers and consumers lose.
With DSR both would win.
The WSJ would still offer subscriptions as they do now, but also offer access to single articles, past and present, for less than the cost of a news-stand copy.
Multi Tiered Cyber Economy
Micro payments enable a multi-tiered ecology of digital service industries.
Consider a digital service, such as a geographic information service.
Such services now have no lightweight channel thru which to sell service to programs since programs are unlikely customers for cell phones and magazines.
Contracts can be written between those who operate such services but that is heavyweight.
Your e-mail agent would presumably scrape off the excess postage from incoming mail, and put it into your general account.
It would also leave an indication in the stored mail of the excess.
You would instruct your mail agent, of sources from whom you desired a continuing stream of mail, such as seminar announcements, and the agent would, upon receipt of each announcement, automatically send sufficient money for the next.
This would be an extension of the mail filter pattern.
You might instruct your mail agent to reject cold calls that lacked sufficient funds.
The agent would reply to rejected mail with a polite message explaining the situation and returning most of the excess funds.
A cost barrier for invoking the real person might be specified.
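The mail agent sketched above, as an added example that is not the talk's own code: a policy object that banks the excess postage on incoming mail, automatically sends postage back to subscribed sources for the next issue, and rejects cold calls that arrive under the price with a polite reply that returns most of the funds. Amounts, sender names and the "cents" unit are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Mail:
    sender: str
    subject: str
    postage: int          # excess postage that arrived with the message, in cents (assumed unit)
    body: str = ""


@dataclass
class MailAgent:
    cold_call_price: int               # what a stranger must attach to reach the inbox
    refund_keep: int                   # small amount kept from rejected mail to cover the reply
    subscriptions: dict                # sender -> postage to send back for the next issue
    account: int = 0                   # the user's general account
    inbox: list = field(default_factory=list)        # (mail, postage noted on the stored copy)
    outgoing: list = field(default_factory=list)     # (recipient, money, text)

    def deliver(self, mail: Mail) -> str:
        # Continuing streams (seminar announcements etc.): accept and pre-pay the next one.
        if mail.sender in self.subscriptions:
            self._accept(mail)
            nxt = self.subscriptions[mail.sender]
            self.account -= nxt
            self.outgoing.append((mail.sender, nxt, "postage for the next announcement"))
            return "accepted: subscription"
        # Anyone else must clear the cost barrier for reaching the real person.
        if mail.postage >= self.cold_call_price:
            self._accept(mail)
            return "accepted"
        refund = max(mail.postage - self.refund_keep, 0)
        self.account += mail.postage - refund
        self.outgoing.append((
            mail.sender, refund,
            f"Sorry, unsolicited mail to this address needs {self.cold_call_price} cents "
            f"attached; {refund} cents returned."))
        return "rejected: insufficient postage"

    def _accept(self, mail: Mail) -> None:
        """Scrape the excess postage into the general account and note it on the stored mail."""
        self.account += mail.postage
        self.inbox.append((mail, mail.postage))


def demo():
    agent = MailAgent(cold_call_price=25, refund_keep=1,
                      subscriptions={"seminars@example.org": 2})
    verdicts = [
        agent.deliver(Mail("seminars@example.org", "Talk on Tuesday", 2)),
        agent.deliver(Mail("friend@example.net", "lunch?", 30)),
        agent.deliver(Mail("bulk@example.com", "BUY NOW", 3)),
        agent.deliver(Mail("bulk@example.com", "BUY NOW", 0)),
    ]
    return verdicts, agent.account, agent.outgoing


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The rejection path keeps only `refund_keep`, so a bulk sender loses a little on every refused message while a legitimate stranger who attaches the asked-for amount is simply let through.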
George Gilder proposed a scheme a bit like this in Forbes a few years ago.
Other proposals have been made as well but usually with a legislated amount instead of a negotiated amount.
The lonely might require a small amount whereas the busy executive or curmudgeon, might demand a substantial sum.
This mail protocol seems very impolite, even uncivil.
Today's personal secretary or the butler of yore puts a degree of polish on the refusal to grant access.
We can design agents with such rhetoric.
I think it would surely solve the spam problem!
Denial of Service
The solution here is not so immediate.
Such an attack would at least require substantial funds from the attacker.
There are precedents such as cornering the market in some commodity.
At least the victim makes a lot of money by inaction.
The attack might steal petty cash from many of the zombies that participate in the DoS attack.
But here the attacker has an even better business opportunity if he can corrupt the distributed keepers of the petty cash, to send the cash directly to the attacker.
This indicates that DSR might require more trustworthy systems.
A Broadway show may well annoy some constituency.
It has not become a practice, however, of buying up all of the seats so that the “normal customers” cannot attend.
Bogus Routing Information
The original Internet specifications included messages between nodes with the meaning:
“I can carry traffic to San Jose for .41 cents per megabyte.”
When such messages are wrong, inadvertently or maliciously, the network breaks down.
I believe that Internet nodes typically do not believe such messages now and that other means are used to instruct switches how to route traffic.
I have not studied how traffic is now actually routed and indeed I suspect that it is not entirely public.
Here are some leads.
People who deal in a variety of money instruments tell me that they are well characterized by considering: Who takes the risks?
The customer of a vending machine is at risk especially when he first tries a new machine, but he can lose only what he puts in.
The same goes for buying a magazine from a news stand.
DSR is most like the vending machine.
But what are the risks for the operators of the nodes?
When a packet comes thru his machine carrying a value of one dollar, his upstream neighbor now owes him one dollar more and he will owe his down stream neighbor one dollar more.
If these numbers grow in magnitude there is a hazard of default on the part of a node operator.
If I were operating a node I would put a limit on what neighbors owed me so as to avoid owing more than I could pay in case of default by the upstream operator.
When such limits are approached I can impose an exchange rate that is unfavorable to money flow in that direction and favorable to flow in the other.
If the limit is attained I reject the packets telling the upstream operator.
Arbitrageurs will find these anomalies and exploit them and thus solve the problem, unless, of course, there is indeed a general money panic.
If bogus messages were introduced on a link between nodes X and Y, traveling towards Y, then it could be made to look like money traveling via Y, to some thief farther down stream.
Days later X and Y discover a discrepancy between their respective link counters.
This suggests that links must at least use message authentication codes (MACs).
Digital signatures are not necessary unless X and Y plan for third party adjudication.
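The link accounting described under "Balance of Payments" and the two hazards discussed here (a neighbor running up too large a debt, and forged packets on the wire that make the two ends' counters disagree), as one added example that is not the talk's code. Each end of the link keeps its own counter, settles when the counter strays too far from zero, refuses packets that would push the peer's debt past a credit limit, and checks an HMAC over the fields the money count depends on. The shared link key, the money unit and the limits are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed: operators X and Y share a per-link MAC key agreed out of band
# when the link contract was made (assumption; the talk only says links need MACs).
LINK_KEY = b"constructed-shared-link-key"


def mac(key, sender, seq, money, payload):
    """HMAC-SHA256 over every field the money accounting depends on."""
    msg = sender.encode() + struct.pack(">QQ", seq, money) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class LinkEnd:
    """One end of a metered link. `balance` > 0 means the peer owes this end."""

    def __init__(self, name, peer, key, credit_limit, settle_at):
        self.name, self.peer, self.key = name, peer, key
        self.credit_limit = credit_limit   # most the peer may owe before we refuse packets
        self.settle_at = settle_at         # |balance| at which a payment falls due
        self.balance = 0                   # money units (assumed: micro-cents)
        self.seq_out = self.seq_in = 0
        self.settlements = []              # (payer, payee, amount) records

    def make_packet(self, money, payload):
        assert money > 0, "the money field is always positive"
        pkt = (self.name, self.seq_out, money, payload,
               mac(self.key, self.name, self.seq_out, money, payload))
        self.seq_out += 1
        return pkt

    def debit(self, money):
        """Called once the peer has accepted our packet: we owe `money` more."""
        self.balance -= money
        self._maybe_settle()

    def receive(self, pkt):
        sender, seq, money, payload, tag = pkt
        if not hmac.compare_digest(tag, mac(self.key, sender, seq, money, payload)):
            return "reject: bad MAC"                   # forged or corrupted on the wire
        if sender != self.peer or seq < self.seq_in:
            return "reject: wrong sender or replay"
        if self.balance + money > self.credit_limit:
            return "reject: credit limit"              # upstream is told to stop
        self.seq_in = seq + 1
        self.balance += money
        self._maybe_settle()
        return "accept"

    def _maybe_settle(self):
        if abs(self.balance) >= self.settle_at:
            payer, payee = (self.peer, self.name) if self.balance > 0 else (self.name, self.peer)
            self.settlements.append((payer, payee, abs(self.balance)))
            self.balance = 0


def forward(src, dst, money, payload):
    """Move one packet across the link; both counters move only on acceptance."""
    verdict = dst.receive(src.make_packet(money, payload))
    if verdict == "accept":
        src.debit(money)
    return verdict


def counters_agree(a, b):
    """The two ends' counters are mirror images unless a packet was lost or forged."""
    return a.balance + b.balance == 0


def demo():
    x = LinkEnd("X", "Y", LINK_KEY, credit_limit=500, settle_at=300)
    y = LinkEnd("Y", "X", LINK_KEY, credit_limit=500, settle_at=300)
    results = [forward(x, y, 120, b"data") for _ in range(3)]   # 360 toward Y triggers settlement
    results.append(forward(y, x, 50, b"reply"))
    # A thief on the wire injects a packet that claims to come from X but is keyed wrongly.
    forged = ("X", y.seq_in, 400, b"loot", mac(b"wrong-key", "X", y.seq_in, 400, b"loot"))
    results.append(y.receive(forged))
    return results, x.settlements, y.settlements, counters_agree(x, y)


if __name__ == "__main__":
    print(demo())
```

Without the MAC check the forged packet would have raised Y's counter while X's stayed put, and the discrepancy would surface only at the next reconciliation; with it the packet is refused at the link and the two counters stay in agreement.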
Some nodes will span currency regimes.
Such nodes will automatically convert currencies.
This may or may not correspond to a national border.
There is charm in the idea of free bandwidth.
Current internet services charge at least for the potential of sending data.
Some applications have extraordinary bursty communication demands.
If their peak to average ratio is 10^6 then they must pay 10^6 times what another application with the same average demand on the network pays.
Many of the current web’s “free services” incur the cost of suffering advertisements.
These costs are:
- To transmit the ad (for which the user pays directly or indirectly),
- The cost of waiting for the transmission,
- The mental cost of ignoring the ad, or the cost of arranging the window so that the flashing image does not distract from reading,
- The costs within the end user’s computer of animating the display.
I suspect that most web sites earn much less than one cent for serving ads and would be very pleased to get 1/2 cent from the viewer if such an alternative were possible.
I want to join these ideas with those of Active networks which is a generic name for a class of proposals for allowing untrusted code to distribute itself thru a trusted network to provide new classes of applications and communication functions.
Suppose you are untrusted code in a box in a node.
There are just a few ports thru which you can send messages, each like a Unix pipe.
(These ports are capabilities but we are not talking about those today.)
One port is to a travel agent and you send thru that port a message saying:
- Build a new duplex channel on your link to yon node.
- Lease 8KB of RAM there (using included money).
- Send the following machine code thru the channel to be placed in that RAM.
- Start that code running giving it the port for that end of the new channel and also the standard welcome package for that node.
- Endow that program with whatever remains of the money conveyed in this message.
- Return to me the port for the new channel.
The standard welcome package would be:
- An array of travel agents for yon node, one per link.
- A port to a seller of RAM.
- A port to a seller of bandwidth on a link.
- A port to the
- A wait object.
- A creator of new OBs (like yourself).
There are very few more, perhaps none.
Boxes for programs have their own implicit pot of DSR money.
This pot is depleted as the program runs.
Money sent in messages comes from this pot.
Money received in messages goes into this pot.
A program can send money from the sender’s pot thru a channel to the receiver’s pot and the receiver learns of the deposit.
The only system calls are to:
- send a message
  - which says
    - which port the message is to be sent on,
    - a money amount,
    - the bits for the message data payload,
    - and perhaps a few ports. (Such ports are retained by sender.)
- receive a message
  - which provides to the program:
    - which port the message came in on,
    - the money delivered to the receiver’s account,
    - the data bits,
    - any ports sent, after which the receiver can use them too.
The travel agent may run within this discipline if it owns the real link as a port.
So might the sellers of resources if they own ports to cruder forms of resources, and means to subdivide them.
Whether the travel agents and sellers are subject to port discipline is an engineering trade-off.
The decision does not affect the design of higher level code.
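The box, pot and two system calls above, as an added simulation that is not the talk's or any real active-network code: a box holds an implicit pot and a table of ports as its only capabilities; `send` moves money from the sender's pot into the channel, passes along copies of ports while the sender keeps its own, and `receive` deposits the money into the receiver's pot and installs any ports that arrived. A `spawn` helper stands in for the part of the welcome-package exchange that creates a channel and endows the new program; the run cost per system call and all amounts are assumptions.

```python
from collections import deque


class Channel:
    """A duplex channel: a message queue waiting at each of its two ends."""

    def __init__(self):
        self.queues = (deque(), deque())


class Port:
    """A capability to one end of a channel; holding it is the only way to send on it."""

    def __init__(self, channel, end):
        self.channel, self.end = channel, end


class Box:
    """An untrusted program's box: an implicit pot of money, drained by running and by sending."""

    def __init__(self, name, pot, run_cost=1):
        self.name, self.pot, self.run_cost = name, pot, run_cost
        self.ports = {}                      # name -> Port: the box's only capabilities

    def send(self, port_name, money, data, ports_to_send=()):
        if money < 0 or money + self.run_cost > self.pot:
            raise ValueError("cannot send more money than the pot holds")
        port = self.ports[port_name]
        self.pot -= money + self.run_cost    # every system call costs a little to run (assumed)
        forwarded = [self.ports[p] for p in ports_to_send]   # sender keeps its copies
        port.channel.queues[1 - port.end].append((money, data, forwarded))

    def receive(self, port_name):
        """Return (port it came in on, money deposited, data, names of ports received)."""
        self.pot -= self.run_cost
        port = self.ports[port_name]
        queue = port.channel.queues[port.end]
        if not queue:
            return None
        money, data, ports = queue.popleft()
        self.pot += money                    # money in a message goes into the receiver's pot
        new_names = []
        for i, p in enumerate(ports):
            name = f"{port_name}/in{len(self.ports)}"
            self.ports[name] = p             # the receiver can now use the port too
            new_names.append(name)
        return port_name, money, data, new_names


def spawn(parent, child_name, endowment, run_cost=1):
    """Create a child box on a fresh channel, endowed from the parent's pot."""
    if endowment > parent.pot:
        raise ValueError("endowment exceeds the parent's pot")
    ch = Channel()
    parent.pot -= endowment
    child = Box(child_name, endowment, run_cost)
    parent.ports[child_name] = Port(ch, 0)
    child.ports["parent"] = Port(ch, 1)
    return child


def total_money(*boxes):
    return sum(b.pot for b in boxes)


def demo():
    parent = Box("parent", pot=100)
    worker = spawn(parent, "worker", endowment=30)
    parent.send("worker", 10, b"do work")
    got = worker.receive("parent")
    worker.send("parent", 5, b"done")
    back = parent.receive("worker")
    # Introduce the worker to a second child by sending it a port; parent retains its own.
    other = spawn(parent, "other", endowment=10)
    parent.send("worker", 0, b"meet other", ports_to_send=["other"])
    intro = worker.receive("parent")
    worker.send(intro[3][0], 2, b"hi from worker")
    hello = other.receive("parent")
    return got, back, intro, hello, total_money(parent, worker, other)


if __name__ == "__main__":
    print(demo())
```

Money is conserved across the three boxes except for what running the system calls consumed, which is the accounting discipline that lets a program carry its own budget around the network.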
There is a high level yet fairly complete elaboration on this GlassNet proposal that does not rely on encryption but only message authentication.
The few active network schemes that I have delved into seem to require intensive human intervention, per node and per application, to arrange proper security and proper resource policies.
I think that market mechanisms, together with capability security, would take less infrastructure code and little or no such intervention.
The above is merely an outline of a design that would allow a program to distribute itself in a network and coordinate its parts.
It can’t do much else without additional capabilities.
The most prominent candidate is something to control raw hardware switching capacity—to intelligently harness the beast.
Such authority can take many forms.
Worm Heaven (or worm as Entrepreneur)
The result is an opportunity for programs to spread themselves about the network with their own budget and their own agenda.
There are too many qualities to QoS to be captured in a few numbers.
There are more shapes for data movement than point-to-point and broadcast.
A personal computer might choose to include a travel agent and include in the welcome package the ability to rent rescindable space on the screen, via which to entice the user to buy service.
The damage such worms can do is limited by their lack of ports.
For instance the welcome package would have no port to the computer’s speaker.
Worms do not speak until spoken to.
The travel agent would presumably be designed to operate as a profit center for the user’s computer.
The user could allow selected visitors access to parts of his computer as he sees fit, and the system would track and maintain the ability to review and rescind such access.
There are niches for networks where IP has not prevailed.
My unsorted collection of rhetoric and ideas for this talk, many of which didn’t make it into the talk.
Notes on two systems that are a bit like DSR.
No universal name space, (such as IP addresses) except perhaps public keys which might emerge but is not imposed.
It only recently came to my attention that Internet does not impose a single domain name system.
URLs without IP addresses implicitly assume use of a largely standard name space.
Each user chooses a DNS and there are in fact more than one such inequivalent service.
Internet does, however, impose discipline in the assignment of IP addresses, even in IPv6.
DSR requires no such discipline.