It is interesting to note that the routing protocols chosen for the Internet were originally designed so that the network would survive physical damage. This was a military requirement and seems to have been met.

Unfortunately, it seems that networks running these protocols are highly vulnerable to even one switch whose routing code has been compromised.

Perhaps a switch sends a bogus routing packet to a neighbor. There are several well-known network failures due to some switch erroneously saying to a neighbor: “I know a short way to addresses A.” This really means “Send packets so addressed to me and I will deliver them.” Soon the word has spread and most messages to such addresses are fatally routed.

It has just now occurred to me to ask whether there is a necessary architectural trade-off between these two attributes. If the switches of a network speak a secret protocol that the enemies cannot speak and the switches are protected or tamperproof, then the above attack fails. The obvious way to achieve this is to encrypt the links. Of course all the keys must remain protected. Using different secrets on different links, and thus limiting the damage of a lost key, does not prevent the attack above. Not only must the keys be protected but also the routing algorithms that formulate the routing messages.
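The failure described above, and the point that per-link keys do not stop it, as a small simulation (an added example, not part of the original note). The ring of eight switches, the names s1 to s8, the HMAC advert format and the derived keys are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed topology (assumption): eight switches in a ring, one key per link.
NODES = [f"s{i}" for i in range(1, 9)]
LINKS = [frozenset((NODES[i], NODES[(i + 1) % 8])) for i in range(8)]
KEYS = {l: hashlib.sha256(("constructed:" + "-".join(sorted(l))).encode()).digest()
        for l in LINKS}
OWNER = "s1"  # the switch that really delivers to addresses A


def tag(key, sender, cost):
    """Authenticate one routing advert for destination A on one link."""
    return hmac.new(key, f"{sender}|A|{cost}".encode(), hashlib.sha256).digest()


def converge(liar=None, liar_has_keys=True):
    """Run distance-vector rounds; return {switch: next hop toward A}."""
    cost = {n: (0 if n == OWNER else float("inf")) for n in NODES}
    hop = {}
    for _ in range(len(NODES)):
        for link in LINKS:
            for sender in link:
                (receiver,) = link - {sender}
                # The liar always says "I know a short way to addresses A."
                claimed = 0 if sender == liar else cost[sender]
                # An outsider (liar_has_keys=False) can only guess the key.
                key = KEYS[link] if sender != liar or liar_has_keys else b"guess"
                advert_tag = tag(key, sender, claimed)
                expected = tag(KEYS[link], sender, claimed)
                if not hmac.compare_digest(advert_tag, expected):
                    continue  # receiver drops an advert it cannot verify
                if receiver not in (OWNER, liar) and claimed + 1 < cost[receiver]:
                    cost[receiver], hop[receiver] = claimed + 1, sender
    return hop


def blackholed(hop, liar):
    """Switches whose traffic for A ends at the liar instead of the owner."""
    lost = set()
    for start in hop:
        at = start
        while at not in (OWNER, liar):
            at = hop[at]
        if at == liar:
            lost.add(start)
    return lost


print(sorted(blackholed(converge("s4"), "s4")))
```

When s4 holds its real link keys, every one of its adverts verifies and s3, s5 and s6 send their traffic for A into it; the same claim from a party without the keys is dropped and no route changes.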

This does not address the question of corruption among those who administer the tamper-resistance technology, i.e. those who can indeed tamper.

The above ideas seem very brittle to me. One flaw and the whole system comes down. The good news is that it is easy to understand. This often outweighs brittleness.

If the network users have used the sort of protection described here, then damage by the attacks described here only denies service and allows serious traffic analysis.

Perhaps DSR is less vulnerable.